πŸ”— Link copied!
TechWithMamatva
Decoding AI · Cyber · Beyond
Cybersecurity Endpoint Security Enterprise Security Zero Trust ZTNA Sunday, March 8, 2026 · TechWithMamatva
✍ Written By — Mamatva Jethwa

Zero Trust Architecture: What It Is, Why It Matters, and How to Build It

Zero Trust Architecture  ·  Complete Guide 

Zero Trust Architecture:
What It Is, Why It Matters, and How to Build It

"Never trust, always verify" - how three words are rewriting enterprise security architecture from the ground up.

For decades, enterprise security was built on a simple assumption: build a strong wall around the network, and trust everything inside it. Firewalls were deployed, VPNs were configured, and security teams considered their job done once the perimeter was locked.

That model is no longer sufficient. And the organizations still relying on it are the ones making headlines - for the wrong reasons.

This post covers everything: what came before Zero Trust, why it failed, what Zero Trust actually means, its core principles, a technical implementation guide for security engineers, and the mistakes most organizations make.

Part 1: The World Before Zero Trust

The Castle-and-Moat Model

The dominant security model from the 1990s through the mid-2010s was the Perimeter Security (or "Castle-and-Moat") model. The logic was straightforward:

🏰 The Castle-and-Moat Philosophy

Build a strong wall (firewall, VPN, DMZ) around your network. Everything outside is untrusted. Everything inside is trusted. Guard the gate and you're secure.

In practice: corporate offices connected by MPLS, on-premise data centers, desktops that never left the building, and a hard network boundary that security teams fully controlled. In that world, the model held up reasonably well.

Then everything changed.

1990s - Early 2000s
Firewall + Antivirus Era
Signature-based antivirus and network firewalls were the full security stack. Threats were known, slow-moving, and file-based. Perimeter defence worked because the perimeter was small and clearly defined.
2005 - 2012
VPN + IDS/IPS Era
Remote work begins growing. VPNs extend the perimeter to remote workers. IDS and IPS are added at the edge. But the core assumption remains: once a user authenticates into the network, they are trusted.
2013 - 2019
Cloud Disruption
SaaS applications pull data outside the perimeter. Shadow IT explodes. Enterprises begin using dozens, then hundreds of SaaS applications.[6] The wall has holes - and they keep getting bigger.
2020 - Present
The Perimeter Collapses
Remote work becomes permanent. Employees work from home networks on personal devices, accessing cloud apps from anywhere. The typical enterprise attack surface expands significantly.[1]

Why the Old Model Failed - 5 Fatal Flaws

FlawWhat Went WrongReal Impact
Implicit Trust Inside the network = trusted by default Lateral movement - attackers inside could roam freely
Binary Access Either full network access or none One breached account = access to everything
Static Authentication Verify once at login, then trusted all session Stolen session tokens = unchallenged full access
Perimeter Dependency All controls lived at the network edge Remote work and cloud broke the edge entirely
Flat Networks No micro-segmentation - one flat network One compromised endpoint = entire network at risk

These flaws are not theoretical. According to multiple studied, a large proportion of breaches involve a human element - social engineering, misuse, or errors. And a significant share are caused by internal actors - people who were already inside and already trusted by the perimeter model.

Part 2: What Is Zero Trust - Origin & Core Principles

In 2010, analyst John Kindervag at Forrester Research published a landmark paper: "No More Chewy Centers: Introducing the Zero Trust Model of Information Security."[7] His argument was direct - most organizations trust a lot but verify very little. The solution: remove implicit trust entirely.

In 2020, NIST published SP 800-207: Zero Trust Architecture[2] - the definitive framework, now the global standard.

"Never Trust. Always Verify."

No user, device, or application - whether inside or outside the corporate network - should be trusted by default. Every access request must be authenticated, authorized, and continuously validated, regardless of origin.

NIST SP 800-207 defines Zero Trust around seven core tenets:

πŸ–₯️
1. All data sources and computing services are considered resources

Every device - including personal devices connecting to enterprise resources - is a resource to be governed, regardless of ownership.

🚫
2. All communication is secured regardless of network location

Network location - internal or external - does not confer trust. All traffic is encrypted and verified, including traffic between internal systems.

πŸ”’
3. Access to resources is granted on a per-session basis

Trust is evaluated freshly for each access request, not inherited from a previous session. Access rights are as minimal as needed to complete the task.

πŸͺͺ
4. Access is determined by dynamic policy

Policy decisions use all observable attributes - user identity, device health, location, time, behavioural signals - and can change dynamically during a session.

πŸ“Š
5. Integrity and security posture of all devices is monitored

Device health is continuously assessed. A device that becomes non-compliant mid-session can have its access revoked automatically.

πŸ”„
6. Authentication and authorisation are dynamic and strictly enforced

Continuous re-evaluation - not one-time verification. Anomalous behaviour triggers step-up authentication or session termination.

πŸ“
7. Collect as much information as possible to improve security posture

All access requests, authentication events, and network flows are logged and fed into security analytics. Visibility is the foundation of enforcement.

Part 3: Zero Trust vs Traditional Security

AreaTraditional PerimeterZero Trust
Core Model Trust but verify at the gate Never trust, always verify
Network Trust Internal = trusted No network is trusted
User Session Authenticated once Continuously re-validated
Access Scope Broad network access Least privilege, per-resource
Remote Access VPN - slow, network-wide ZTNA - app-specific, fast
Breach Containment Flat network - unrestricted spread Micro-segmentation limits blast radius
Cloud & SaaS Outside perimeter - blind spot Identity-aware access everywhere

Part 4: Why It Matters Now

Organisations that have implemented mature Zero Trust architectures consistently show significantly lower breach costs and faster recovery times compared to those still relying on traditional perimeter models. Research from IBM, Gartner, and NIST all point to the same conclusion - Zero Trust measurably reduces the impact of security incidents.[2],[5],[9]

The majority of global enterprises have now started a Zero Trust initiative in some form. However, very few have implemented it fully across the organisation. Partial implementation is still valuable - the key is that the journey is intentional and structured.

Part 5: Technical Implementation Guide for Security Admins & Engineers

This section is for the people doing the actual configuration work - security administrators, engineers, and SOC analysts responsible for building and enforcing Zero Trust controls in their environment.

Step 1 - Asset Discovery: Build Your Inventory Before Anything Else

You cannot enforce policy on assets you don't know exist. Before deploying any Zero Trust control, run a full discovery sweep.

  • Deploy an agent-based or agentless endpoint discovery tool (e.g., SCCM, Lansweeper, your EDR console) to enumerate all managed endpoints - workstations, servers, laptops.
  • Use network scanning (e.g., Nmap, your SIEM's network discovery module) to surface unmanaged devices, IoT, printers, and BYOD on your segments.
  • Pull a full export from your Active Directory / Azure AD for all user accounts and service accounts. Flag stale accounts with no recent login activity.
  • Document every application and its authentication method - local auth, LDAP, SAML, API keys.
  • Output: A living asset register - endpoint count, OS breakdown, patch compliance status, account inventory. This becomes your Zero Trust baseline.
Step 2 - Identity Hardening: MFA, Privileged Access, and Directory Clean-Up

Identity is the enforcement point of Zero Trust. Configure these controls before touching network segmentation.

  • MFA rollout: Enable MFA in your IdP (Azure AD / Okta / Google Workspace) starting with admin accounts, then VPN/remote access users, then all users. Use Conditional Access policies - require MFA when login is from new device, new geography, or high-risk IP.
  • Privileged accounts: Enrol all admin and service accounts into your PAM solution (CyberArk, BeyondTrust, or native AD tiering). Enforce just-in-time (JIT) elevation - no standing admin access. Log every privileged session.
  • AD clean-up: Disable or delete stale accounts. Remove users from groups they no longer need. Review and tighten service account permissions - most are over-privileged.
  • Password policy: Enforce minimum 14-char passphrases. Enable Azure AD Password Protection or equivalent to block known-compromised passwords via Have I Been Pwned (HIBP) integration.
  • Conditional Access baseline policies: Block legacy authentication protocols (NTLM, Basic Auth). Require compliant device for access to sensitive apps.
Step 3 - Endpoint Compliance: Define and Enforce Device Health Baseline

A device that doesn't meet your security baseline should not get full access to resources. Configure your EPP/UEM to enforce this automatically.

  • Define your baseline: Minimum OS patch level, AV/EDR agent installed and active, disk encryption enabled (BitLocker/FileVault), firewall on, no known critical vulnerabilities.
  • Compliance policy in UEM (Intune/JAMF/SCCM): Create a compliance policy that checks each baseline item. Non-compliant devices are flagged automatically.
  • Conditional Access integration: In Azure AD/Intune - set Conditional Access to require "device marked as compliant" for access to all enterprise apps. Non-compliant devices are blocked or sent to a remediation VLAN with limited internet-only access.
  • XDR/EDR health check: In your XDR/EDR console, configure automatic isolation of endpoints with active threats - endpoint should not be able to access internal resources while a threat investigation is open.
  • BYOD: For personal devices, enforce MAM (Mobile Application Management) - wipe enterprise data from apps without full device wipe. Never grant BYOD the same trust level as a managed corporate device.
Step 4 - Replace VPN with ZTNA

VPN grants network-level access. ZTNA grants application-level access. The difference is enormous in practice.

  • Application segmentation: Identify every internal application remote users need. Map them to ZTNA policies - each application gets its own access rule. Users access the app, not the network behind it.
  • ZTNA deployment options: Agent-based installs a lightweight client on endpoints. Agent-less (browser-based) works for managed browsers without an agent. Start with agent-based for managed devices.
  • Policy configuration: For each application, define: who (user group / role), from where (device compliance required, Geo-restrictions if needed), when (business hours only for sensitive systems), and how (MFA required, session timeout). Deny all by default - only explicitly permitted combinations are allowed.
  • Migration plan: Run ZTNA alongside VPN during transition. Move one application group at a time. Validate access before decommissioning VPN for that group. Never cut VPN for everyone at once.
  • Test split-tunneling: Ensure only enterprise-destined traffic routes through ZTNA broker. Personal browsing should not traverse the enterprise path - reduces load and latency.
Step 5 - Network Micro-Segmentation

Micro-segmentation limits lateral movement. Even if an endpoint is compromised, the attacker cannot freely traverse the network.

  • Map your traffic flows first: Use your firewall logs, NDR tool, or SIEM to understand what actually communicates with what. Segmentation without traffic mapping creates outages.
  • Define segments by sensitivity: Finance, HR, engineering, customer data, servers, IoT - each gets its own VLAN/zone with its own firewall policy. Start with your most critical data segments.
  • Firewall rules - default deny: Between segments, configure default-deny rules. Only explicitly required flows are permitted. Document the business justification for every inter-segment rule.
  • Lateral movement detection: Enable alerts in your SIEM for unexpected inter-VLAN traffic - e.g., a workstation in the sales VLAN making SMB connections to the finance VLAN. That's a red flag to investigate immediately.
  • Server segmentation: Place critical servers (AD, file servers, database servers) in a dedicated management VLAN. Access only allowed from specific admin workstations or jump hosts. No end-user workstations should have direct access to domain controllers.
Step 6 - Continuous Monitoring: SIEM, UEBA, and Alerting

Zero Trust without visibility is incomplete. Every access request, authentication, and network flow must be logged and analysed.

  • Log sources to onboard first: Active Directory authentication logs, VPN/ZTNA access logs, XDR/EDR telemetry, firewall logs, DNS logs, and cloud access logs (Azure AD Sign-in / AWS CloudTrail).
  • UEBA baseline: Let your SIEM/UEBA tool learn normal user behavior over several weeks before tuning alerts. Then enable anomaly detection - unusual login times, new device, impossible travel, bulk file access.
  • Key alert rules to configure:
    • Login from new country / impossible travel (same user, two distant locations within a short time window)
    • Admin account login outside business hours
    • Bulk file download or copy to USB/cloud storage
    • Multiple failed MFA attempts followed by success
    • Service account logging in interactively (should never happen)
    • Lateral movement: workstation accessing other workstations via SMB/RDP
  • Automated response: Configure SOAR playbooks to auto-respond to high-confidence alerts - disable a compromised account, isolate an endpoint flagged by EDR, force MFA re-authentication on suspicious session. Automate the first 15 minutes of response.
  • Review cadence: Weekly tuning session - review false positives, suppress noisy rules, sharpen detection. Quarterly - full policy review. Zero Trust posture degrades without active maintenance.

Part 6: Zero Trust Best Practices

Start with Identity, Not Network

Network segmentation is complex and slow. Identity and MFA deliver immediate, measurable security value in weeks. Always sequence identity hardening before network controls.

Define a Protect Surface, Not an Attack Surface

The attack surface is infinite. Zero Trust flips this - define what you need to protect (critical data, sensitive apps, key infrastructure) and build policy around those specific assets. This approach, advocated by Kindervag,[7] keeps scope manageable.

Close the Loop Between EDR and Identity

A device flagged by EDR as compromised should automatically trigger access revocation in your IdP. Configure this integration explicitly.

Extend Zero Trust to Third Parties

Contractors, vendors, and partners are common breach entry points. Issue separate, time-limited access credentials for third parties. Apply least-privilege and device compliance requirements to vendor access just as you would for employees.

Measure Everything - Define KPIs Upfront

Zero Trust without measurement is just spending. Track: MFA adoption %, non-compliant device count, inter-segment policy violations, mean time to detect (MTTD), mean time to respond (MTTR), and privileged account exposure. Review quarterly.

Part 7: Common Zero Trust Mistakes to Avoid

❌ Treating Zero Trust as a Single Product Purchase

No single vendor delivers Zero Trust out of the box. It requires integrating identity, endpoint, network, and data controls. Only 8% of organizations have implemented Zero Trust enterprise-wide.[1] The rest are partial - and that's fine, as long as the journey is intentional.

❌ Big-Bang Deployment

Attempting to implement everything simultaneously causes user friction, operational disruption, and project failure. Phase your rollout by asset sensitivity - most critical data first, broadest user population last.

❌ Ignoring User Experience

Design for usability - adaptive MFA (only prompt when risk is elevated), SSO to reduce repeated logins, and password managers to reduce friction without sacrificing security.

❌ Forgetting Service Accounts and Non-Human Identities

Service accounts, API keys, and automation credentials are often overlooked. They're also frequently over-privileged and rarely rotated. Include all non-human identities in your Zero Trust governance - they're a common attacker target.

❌ No Policy Review Cycle

Access rights drift over time as people change roles and projects. A Zero Trust policy that is set once and never reviewed is not Zero Trust in practice. Quarterly reviews are the minimum - use your SIEM data to identify accounts with access they no longer use.

Final Thoughts

Zero Trust is not a trend - it's the inevitable evolution of security in a world where the perimeter no longer exists. The organizations building genuinely resilient security postures are the ones that have accepted this and are executing systematically: identity first, device health second, network segmentation third, and continuous monitoring throughout.

The journey starts with one question: If an attacker is already inside your network right now, what could they reach? Your answer tells you exactly where to start.

Found this useful? Share it with your team.

- Mamatva Jethwa | TechWithMamatva

MJ
Mamatva Jethwa Cybersecurity & IT professional with experience in endpoint protection, data loss prevention, Zero Trust architecture, and SOC operations.
Connect on LinkedIn →

References & Sources

  1. Olawale Olayinka et al., "Zero Trust at Scale: Security Architecture for Distributed Enterprises," World Journal of Advanced Research and Reviews, Vol. 26(2), 2025. https://doi.org/10.30574/wjarr.2025.26.2.1939
  2. NIST Special Publication 800-207: Zero Trust Architecture, Scott Rose et al., National Institute of Standards and Technology, August 2020. https://csrc.nist.gov/publications/detail/sp/800-207/final
  3. Verizon Data Breach Investigations Report 2024. https://www.verizon.com/business/resources/reports/dbir/
  4. Verizon Data Breach Investigations Report 2023 - Internal Actor findings. https://www.verizon.com/business/resources/reports/dbir/
  5. IBM Cost of a Data Breach Report 2024. https://www.ibm.com/reports/data-breach
  6. Productiv SaaS Intelligence Report 2024 - Enterprise SaaS usage data. https://productiv.com/resources/
  7. John Kindervag, "No More Chewy Centers: Introducing the Zero Trust Model of Information Security," Forrester Research, September 2010. https://media.paloaltonetworks.com/documents/Forrester-No-More-Chewy-Centers.pdf
  8. Google BeyondCorp: A New Approach to Enterprise Security, USENIX ;login:, 2014. https://research.google/pubs/beyondcorp-a-new-approach-to-enterprise-security/
  9. Gartner Zero Trust Adoption Survey, 2024 - cited in: "How John Kindervag Got the Last Laugh on Zero Trust," IT Brew, September 2025. https://www.itbrew.com/stories/2025/09/25/how-john-kindervag-got-the-last-laugh-on-zero-trust
  10. CISA Zero Trust Maturity Model, Cybersecurity and Infrastructure Security Agency, 2023. https://www.cisa.gov/zero-trust-maturity-model
  11. NSA Advancing Zero Trust Maturity Throughout the Data Pillar, April 2024. https://media.defense.gov/2024/Apr/09/2003434442/-1/-1/0/CSI_DATA_PILLAR_ZT.PDF
  12. MarketsandMarkets, Zero Trust Security Market Report, 2024–2029. https://www.marketsandmarkets.com/Market-Reports/zero-trust-security-market-2782835.html
← Newer Posts
Read Blog