Zero Trust Architecture
"Never trust, always verify." No more trust zone — every connection is treated as if it came from the internet, even when it does.
Problem
The "castle-and-moat" model (perimeter firewall → trusted internal network) collapses in the cloud / SaaS / external partner world. An attacker who gains internal access (employee phishing, compromised container, supply chain) moves freely. Major breaches (Target 2013, OPM 2015, SolarWinds 2020) all exploited a porous perimeter.
Forces
- The network perimeter has disappeared (cloud, BYOD, partners, SaaS).
- Insider (or insider-compromise) attackers are increasingly common.
- End-to-end encryption is now cheap (mTLS, JWT, OIDC).
- The cost of granular policy ("who can do what") is now sustainable thanks to modern IDPs.
- NIST SP 800-207 (August 2020) formalises principles for US federal agencies; OMB M-22-09 (2022) makes it mandatory.
Solution
Every access goes through a Policy Enforcement Point (PEP) that consults a Policy Decision Point (PDP) on each request. The decision is based on identity (user + device + workload), the requested resource attribute, and context (time, geolocation, risk level). The connection is always encrypted (mTLS, TLS 1.3). Identity is strong (MFA, device-bound certificates). Authorisation is minimal and instantly revocable. Network micro-segmentation reinforces this on the infrastructure side.
Seven NIST pillars
- All data sources and services are resources.
- All communications are secured, regardless of network location.
- Access granted per session, with least privilege.
- Access determined by dynamic policy (identity, device posture, behaviour).
- Posture monitoring and integrity measurement of all assets.
- Dynamic authentication and authorisation before each access.
- Granular log collection to feed policy improvement.
EDI implementation
An EDI hub exposes AS2/AS4/SFTP endpoints to hundreds of partners. Under Zero Trust: (a) mTLS on every endpoint, with per-partner certificates (90-day rotation); (b) per-partner access policies — Walmart can only send INVOICs, Stellantis only DESADVs; (c) monitoring of unusual patterns (10x volume, abnormal hours) with automatic quarantine; (d) ZTNA for admin access (BeyondCorp / Cloudflare Access / Tailscale) — no more VPN-perimeter. Consequence: a compromised partner certificate only grants access to that partner's own flows.
Anti-patterns
- "Zero Trust" as marketing label while keeping a single perimeter firewall — security theatre.
- Static policies with no context (time, geolocation, risk score) — too-coarse granularity.
- Centralised non-replicated PEP — SPOF.
- Logs without retention or analysis — feedback loop broken.
- All-or-nothing adoption — leaving exploitable "legacy non-ZT" pockets.
Related patterns
- Defense in Depth — Zero Trust is a modern instance of the principle.
- Least Privilege — pillar 3 of NIST SP 800-207.
- Mutual TLS — cryptographic brick of Zero Trust.
- Service Mesh — infrastructure-side enabler.
Sources
- NIST SP 800-207 — Zero Trust Architecture, August 2020. NIST SP 800-207 PDF
- Google BeyondCorp — A New Approach to Enterprise Security. research.google/pubs/pub43231/
- Kindervag J. — No More Chewy Centers: Introducing The Zero Trust Model of Information Security, Forrester 2010.
- OMB M-22-09 — Federal Zero Trust Architecture Strategy, January 2022.