Zero Trust Architecture (ZTA) — codified in NIST SP 800-207 — operates on the principle of "never trust, always verify": no implicit trust is granted on the basis of network location (being inside the perimeter). Every access request must be authenticated (who are you?), authorised (are you allowed?), and validated continuously (is your device compliant? is this behaviour anomalous?). Key components include the Identity-Aware Proxy (IAP), microsegmentation, device posture assessment, and least-privilege dynamic access.

Key Points

  • Google BeyondCorp (2014) was the first production zero-trust implementation: internal services require a valid user certificate + device certificate + IAP policy check, with no VPN required.
  • Identity-Aware Proxy (Google IAP, Cloudflare Access, Pomerium): sits in front of internal applications, validating identity provider (OIDC/SAML) tokens before proxying requests to the upstream — no VPN, no bastion host.
  • Microsegmentation: divide the network into fine-grained segments (per-workload, per-application) using software-defined policies (NSX-T, Illumio, AWS Security Groups at instance level) — a compromise in one segment cannot spread laterally to the others.
  • Continuous verification: re-validate user + device posture periodically during long sessions (every 15 min); if device compliance status changes (MDM reports unpatched OS), revoke session immediately.
  • Device trust: zero-trust requires device posture signals — MDM enrollment (Jamf, Intune), OS patch level, disk encryption status, presence of EDR agent — all evaluated by the Policy Engine before granting access.
  • NIST ZTA logical components: Policy Engine (decision maker), Policy Administrator (session token issuer), Policy Enforcement Point (traffic gatekeeper) — all three must be present for a true ZTA implementation.
  • Zero trust for microservices: Istio mTLS + AuthorizationPolicy provides workload identity (SPIFFE/SPIRE X.509 SVIDs), mutual authentication, and L7 policy without trusting the underlying network.
  • Zero trust does not eliminate perimeter security — WAF, DDoS, and network-level firewalls remain valuable; ZTA adds identity-centric controls inside the perimeter as a defence-in-depth layer.
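The Identity-Aware Proxy bullet above describes a proxy that validates identity-provider tokens before forwarding anything upstream. The following is an added example written for this page, not code from Google IAP, Cloudflare Access or Pomerium: a minimal Go reverse proxy that pins the token algorithm, checks the signature, audience and expiry, and only then forwards the request with the client's credential replaced by an identity header. The HS256 shared key, the `iap-demo` audience, the `X-Authenticated-User` header name and the upstream address are all constructed for the demo; a real IAP verifies the IdP's RS256/ES256 ID tokens against its published JWKS.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding

// Constructed HS256 key shared by the stand-in IdP and the proxy (assumption of
// this demo; a real IAP verifies the IdP's asymmetric signatures via its JWKS).
var idpKey = []byte("constructed-demo-key-not-for-production")

// proxyAudience (constructed) is the only audience this proxy accepts.
const proxyAudience = "iap-demo"

// Claims is the subset of OIDC ID-token claims the proxy acts on.
type Claims struct {
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// mintToken issues a compact JWS the way the stand-in IdP would.
func mintToken(c Claims, key []byte) string {
	body, _ := json.Marshal(c)
	input := enc.EncodeToString([]byte(`{"alg":"HS256"}`)) + "." + enc.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + enc.EncodeToString(mac.Sum(nil))
}

// verifyToken is the identity check: pinned alg, signature, audience, expiry.
func verifyToken(tok string, key []byte, aud string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if h, err := enc.DecodeString(parts[0]); err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "HS256" {
		return c, errors.New("unexpected alg") // the token never gets to choose the algorithm
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := enc.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return c, errors.New("bad signature")
	}
	if body, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(body, &c) != nil {
		return c, errors.New("bad payload")
	}
	if c.Aud != aud {
		return c, errors.New("wrong audience")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return c, errors.New("token expired")
	}
	return c, nil
}

// newIAP is the enforcement point: a reverse proxy that forwards only verified
// requests and swaps the client's credential for an identity header the upstream
// trusts because only the proxy can reach it (network assumption of the demo).
func newIAP(upstream *url.URL) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		authz := r.Header.Get("Authorization")
		var c Claims
		err := errors.New("no bearer token")
		if strings.HasPrefix(authz, "Bearer ") {
			c, err = verifyToken(strings.TrimPrefix(authz, "Bearer "), idpKey, proxyAudience, time.Now())
		}
		if err != nil { // deny: log the reason for the SOC, give the client nothing more than 401
			log.Printf("iap deny %s %s: %v", r.RemoteAddr, r.URL.Path, err)
			http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
			return
		}
		r.Header.Del("Authorization")
		r.Header.Set("X-Authenticated-User", c.Sub) // constructed header name
		rp.ServeHTTP(w, r)
	})
}

func main() {
	upstream, _ := url.Parse("http://127.0.0.1:8081") // constructed: the internal app
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", newIAP(upstream)))
}
```

The audience check is what makes the proxy per-application: a token the IdP issued for some other relying party fails here even though its signature is valid. Pinning `alg` before touching the signature closes the classic "alg: none" / algorithm-confusion hole, and the proxy strips the inbound `Authorization` header so the bearer token is never replayed to the upstream.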

Real-World Example

Cloudflare migrated 1,700+ employees from a VPN-based model to Cloudflare Access (their own ZTA product) in 2020, reducing the attack surface of their corporate network from "anyone on VPN" to per-application, per-user, per-device policy enforcement.
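The per-application, per-user, per-device enforcement described above is the NIST trio from the Key Points: a Policy Engine that decides, a Policy Administrator that issues the session, and a Policy Enforcement Point that re-checks it. The following is an added example written for this page, not Cloudflare Access or any NIST reference code: a Go policy engine that combines group membership with MDM-style device posture signals, a session record that is only created on an allow, and a continuous-verification check that re-runs the engine every 15 minutes or immediately when the posture changes. The `Policy` table, the posture fields, the 30-day patch threshold and the sample users and apps are all constructed.

```go
package main

import (
	"fmt"
	"time"
)

// Identity is what the Policy Engine receives once the proxy has validated the token.
type Identity struct {
	User   string
	Groups []string
}

// DevicePosture is what an MDM/EDR integration reports for the requesting device
// (constructed field set standing in for Jamf/Intune-style signals).
type DevicePosture struct {
	MDMEnrolled, DiskEncrypted, EDRPresent bool
	PatchAgeDays                           int
}

// Policy is per-application least privilege: the one group allowed to reach each
// app (constructed table, not a real product's policy format).
type Policy map[string]string

// Evaluate is the Policy Engine. It returns every failed check; an empty result
// is an allow. Reasons are meant for the audit log, not for the end user.
func (pol Policy) Evaluate(id Identity, dev DevicePosture, app string) []string {
	inGroup := false
	for _, g := range id.Groups {
		inGroup = inGroup || g == pol[app]
	}
	checks := []struct {
		ok  bool
		why string
	}{
		{inGroup, "user not in group for " + app},
		{dev.MDMEnrolled, "device not MDM-enrolled"},
		{dev.DiskEncrypted, "disk not encrypted"},
		{dev.EDRPresent, "EDR agent missing"},
		{dev.PatchAgeDays <= 30, fmt.Sprintf("OS patch level %d days old", dev.PatchAgeDays)},
	}
	var reasons []string
	for _, ch := range checks {
		if !ch.ok {
			reasons = append(reasons, ch.why)
		}
	}
	return reasons
}

const recheckEvery = 15 * time.Minute

// Session is the Policy Administrator's record of an allowed access; the PEP
// consults it on every request instead of re-running the engine each time.
type Session struct {
	ID          Identity
	App         string
	NextRecheck time.Time
	Revoked     bool
}

// Open is the Policy Administrator: a session exists only after the engine allows.
func (pol Policy) Open(id Identity, dev DevicePosture, app string, now time.Time) (*Session, []string) {
	if reasons := pol.Evaluate(id, dev, app); len(reasons) > 0 {
		return nil, reasons
	}
	return &Session{ID: id, App: app, NextRecheck: now.Add(recheckEvery)}, nil
}

// Check is the PEP's continuous verification: re-run the engine once the interval
// has elapsed or immediately when the MDM reports a posture change, and revoke
// the whole session (not just this request) on a deny.
func (pol Policy) Check(s *Session, dev DevicePosture, now time.Time, postureChanged bool) bool {
	if s.Revoked {
		return false
	}
	if !postureChanged && now.Before(s.NextRecheck) {
		return true
	}
	if len(pol.Evaluate(s.ID, dev, s.App)) > 0 {
		s.Revoked = true
		return false
	}
	s.NextRecheck = now.Add(recheckEvery)
	return true
}

func main() {
	pol := Policy{"wiki": "eng", "payroll": "finance"}
	alice := Identity{User: "alice", Groups: []string{"eng"}}
	laptop := DevicePosture{MDMEnrolled: true, DiskEncrypted: true, EDRPresent: true, PatchAgeDays: 3}
	now := time.Now()
	s, reasons := pol.Open(alice, laptop, "wiki", now)
	fmt.Println("wiki session opened:", s != nil, reasons)
	_, reasons = pol.Open(alice, laptop, "payroll", now)
	fmt.Println("payroll denied:", reasons)
	laptop.PatchAgeDays = 45 // MDM later reports the device has fallen out of compliance
	fmt.Println("wiki still allowed after posture change:", pol.Check(s, laptop, now.Add(time.Minute), true))
}
```

Two design points worth noticing: the posture-change signal bypasses the 15-minute timer, so a session does not survive until the next scheduled re-check once the MDM reports a problem; and revocation is sticky on the session, so a device that becomes compliant again has to go back through the Policy Administrator rather than silently resuming.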