🛡️ Zero Trust Guide - Zero Trust Architecture
Six sections on Zero Trust in international practice: basic principles (NIST SP 800-207), architecture components (PEP, PDP), the CISA five pillars, maturity levels, a gradual transition model and the relation to the requirements of Article 21 of NIS2. Examples are fictional and intended for teaching.
Seven basic principles
NIST SP 800-207 §2.1 - never trust, always verify
All resources
All data sources and computing services are treated as resources: servers, databases, APIs, SaaS, BYOD devices, IoT.
Protected communication
All communication is secured (TLS, mTLS) regardless of network location; the LAN is not more trusted than the Internet.
Session-based access
Access to each resource is granted per session: authentication and authorization happen before the session is opened, and the grant is not permanent.
Dynamic policy
The decision takes into account identity, device state, location, time window and anomaly signals, not only a username and password.
Continuous monitoring
The organisation continuously measures the integrity and security posture of its own and associated resources (CDM, EDR, posture).
Strict enforcement
Authentication and authorization are dynamic and strictly enforced before access is granted, every single time.
Telemetry collection
The organisation collects data on asset state, network infrastructure and communications in order to improve its security posture.
Application
The seven tenets are the definition of Zero Trust: any architecture that does not honour them is not 'real' Zero Trust but a marketing term.
Reference
NIST SP 800-207 §2.1 (2020) - "Tenets of Zero Trust" · Identity as the new perimeter.
Safety Note
Zero Trust is not a product to buy. It is a strategy: it requires identity, device, network and data controls to work together coherently over years.
Logical components
PEP / PDP - how policy becomes a decision
Application
The PEP (Policy Enforcement Point) is the gate that intercepts every request. The PDP (Policy Decision Point) is the decision centre that answers 'allow / deny / conditional (step-up)' according to policy and context.
Reference
NIST SP 800-207 §3 - "Logical Components of ZTA" · CDM = Continuous Diagnostics and Mitigation.
Safety Note
The PDP is a single point of failure. It must be highly available, with backup nodes and an offline 'break-glass' procedure.
CISA Zero Trust Maturity Model v2
Five pillars with cross-cutting capabilities
Application
The five pillars (Identity, Devices, Networks, Applications & Workloads, Data) are the technology foundation. All five send signals to the PDP so that the decision rests on the full context and not on a single factor (e.g. a password).
Reference
CISA Zero Trust Maturity Model v2 (2023) · DoD Zero Trust Reference Architecture (2022) - a similar approach with seven pillars.
Litmus test
If one of the pillars does not signal the PDP, it is not Zero Trust yet, but a fragment: 'identity ZT' or 'network ZT'.
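The following is an added teaching example, not code from NIST, CISA or this guide. It ties together tenets 2-4 and 7 above (no trust from network location, per-session access, dynamic policy, telemetry), the PEP/PDP split, the break-glass note for a failed PDP, and the litmus test: a request whose context lacks a signal from any pillar is refused. All field names, thresholds, country list and the break-glass rule are assumptions chosen for illustration; the requests run in `demo()` are constructed, not real data.

```python
"""Toy PEP/PDP pair for NIST SP 800-207 tenets 2-4 and 7 and the CISA pillars.

Added example for this guide, not NIST or CISA code. Field names, thresholds
and the break-glass rule are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "step_up"   # conditional: open the session only after extra verification


@dataclass(frozen=True)
class RequestContext:
    """One access request. Each field is a signal from one pillar;
    None means that pillar did not report, which the PDP treats as a failure."""
    subject: str                      # Identity pillar
    mfa_verified: Optional[bool]      # Identity pillar
    device_managed: Optional[bool]    # Devices pillar
    edr_healthy: Optional[bool]       # Devices pillar (posture)
    network_zone: Optional[str]       # Networks pillar: "corp_lan", "vpn", "internet"
    resource: str                     # Applications & Workloads pillar
    data_class: Optional[str]         # Data pillar: "public", "internal", "restricted"
    country: Optional[str]            # location signal
    hour_utc: Optional[int]           # time-window signal
    risk_score: Optional[int]         # 0-100 from analytics (cross-cutting)


ALLOWED_COUNTRIES = frozenset({"LV", "EE", "LT"})   # assumed policy constant
WORK_HOURS_UTC = range(6, 20)                        # assumed policy constant
DENY_RISK, STEP_UP_RISK = 70, 40                     # assumed thresholds


class PDPUnavailable(Exception):
    """Raised when the policy decision point cannot be reached."""


def missing_signals(ctx: RequestContext) -> list:
    """Litmus test: which pillar signals never reached the PDP?"""
    return [name for name, value in vars(ctx).items() if value is None]


def policy_decision_point(ctx: RequestContext) -> Decision:
    """Dynamic policy (tenet 4): identity, device posture, location, time, risk.
    network_zone is recorded but never grants anything (tenet 2: the LAN earns no trust)."""
    if missing_signals(ctx):
        return Decision.DENY                   # fail closed on incomplete context
    if not ctx.device_managed or not ctx.edr_healthy:
        return Decision.DENY
    if ctx.country not in ALLOWED_COUNTRIES or ctx.risk_score >= DENY_RISK:
        return Decision.DENY
    if not ctx.mfa_verified:
        return Decision.STEP_UP
    if ctx.data_class == "restricted" and (
        ctx.hour_utc not in WORK_HOURS_UTC or ctx.risk_score >= STEP_UP_RISK
    ):
        return Decision.STEP_UP
    return Decision.ALLOW


class PolicyEnforcementPoint:
    """The gate in front of the resource. Every session open goes to the PDP and
    nothing is cached across sessions (tenet 3). If the PDP is down it fails closed,
    except for a pre-approved break-glass list, and every outcome is audited (tenet 7)."""

    def __init__(self, pdp: Callable[[RequestContext], Decision], break_glass: frozenset):
        self.pdp = pdp
        self.break_glass = break_glass
        self.audit: list = []

    def open_session(self, ctx: RequestContext, break_glass: bool = False) -> Decision:
        try:
            decision, reason = self.pdp(ctx), "pdp"
        except PDPUnavailable:
            if break_glass and ctx.resource in self.break_glass and ctx.mfa_verified:
                decision, reason = Decision.ALLOW, "break_glass"
            else:
                decision, reason = Decision.DENY, "pdp_unavailable"
        self.audit.append((ctx.subject, ctx.resource, decision.value, reason))
        return decision


def demo() -> dict:
    """Constructed requests (not real data) through a PEP with a live PDP and one with a dead PDP."""
    base = dict(subject="alice", mfa_verified=True, device_managed=True, edr_healthy=True,
                network_zone="corp_lan", resource="hr-db", data_class="restricted",
                country="LV", hour_utc=10, risk_score=5)
    pep = PolicyEnforcementPoint(policy_decision_point, frozenset({"status-page"}))

    def down(_ctx):
        raise PDPUnavailable()
    pep_down = PolicyEnforcementPoint(down, frozenset({"status-page"}))

    return {
        "baseline": pep.open_session(RequestContext(**base)),
        "no_mfa": pep.open_session(RequestContext(**{**base, "mfa_verified": False})),
        "after_hours": pep.open_session(RequestContext(**{**base, "hour_utc": 23})),
        "unmanaged_on_lan": pep.open_session(RequestContext(**{**base, "device_managed": False})),
        "no_posture_signal": pep.open_session(RequestContext(**{**base, "edr_healthy": None})),
        "pdp_down": pep_down.open_session(RequestContext(**base)),
        "pdp_down_break_glass": pep_down.open_session(
            RequestContext(**{**base, "resource": "status-page"}), break_glass=True),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22s} -> {decision.value}")
```

Two design points are worth noticing. The unmanaged device on the corporate LAN is denied exactly as it would be from the Internet, because network_zone is telemetry, never a grant. And the request with a missing EDR signal is denied rather than allowed "for now": an unreported pillar is treated as a failed check, which is the enforcement form of the litmus test above.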
Four levels of maturity
Traditional → Initial → Advanced → Optimal
Application
The maturity matrix helps to assess objectively where the organisation stands and to set priorities for the next 12-24 months. The assessment is carried out for each pillar separately.
Reference
CISA ZTMM v2 (2023) · M-22-09 (OMB memorandum on Zero Trust) · DoD Zero Trust Strategy (2022).
Safety Note
Do not jump from Traditional to Optimal: every step requires process changes, team training and budget. A realistic roadmap is 3-5 years.
Phase-in
From the perimeter to Zero Trust - a realistic roadmap
Application
The roadmap helps to plan budget and team load. The first steps (MFA, asset inventory) bring direct security benefits in the first year already; do not wait for 'full' Zero Trust.
Reference
NIST SP 800-207 §7 - "Migrating to a Zero Trust Architecture" · M-22-09 (OMB deadlines for US federal agencies).
Step one
Start with an asset and identity inventory. Without it, the other steps rest on an unknown foundation: you cannot protect what you do not know you have.
Compliance framework
Zero Trust as the technical implementation of NIS2 Article 21
Application
Zero Trust is not directly required by NIS2, but its components map exactly onto the scope of the Article 21 risk-management measures: the same architecture can substantiate compliance without separate NIS2-specific tools.
Reference
Directive (EU) 2022/2555 Article 21 · national transposition (NKDL) · Commission Implementing Regulation (EU) 2024/2690 (technical requirements for digital service providers).
Safety Note
Compliance is not security. A Zero Trust deployment that satisfies the formal NIS2 requirements may still have gaps: use the mapping as a structure, not as a check-the-box list.