Reference LibraryZero Trust Architecture
ArchitectureDomain 1: Security & Risk Management

Zero Trust Architecture

Exam Relevance:

Zero Trust replaces the implicit 'trust inside the perimeter' model with 'never trust, always verify.' Every access request is authenticated, authorised, and continuously validated. The perimeter is dead; identity is the new perimeter.

Why It Matters for CISSP

Zero Trust is the dominant modern security architecture model and increasingly tested on the CISSP. You need to understand its core principles, how it contrasts with perimeter-based security, and what technologies implement it.

Core Principles

1. Verify Explicitly: Always authenticate and authorise based on all available data points — identity, location, device health, data classification, anomalies. 2. Use Least Privileged Access: Limit user access with just-in-time (JIT) and just-enough-access (JEA). 3. Assume Breach: Minimise blast radius, segment access, encrypt end-to-end, use analytics to drive threat detection.

Perimeter vs. Zero Trust

Traditional model: Castle-and-moat. Hard outside, trusted inside. Once inside the network, lateral movement is easy.

Zero Trust: No implicit trust based on network location. A request from inside the office is treated the same as one from a coffee shop.

Key Technologies

ZTNA (Zero Trust Network Access): Replace VPN with per-application access.

Microsegmentation: Divide the network into small zones. East-west traffic between segments requires authentication — prevents lateral movement.

Continuous Monitoring: Session trust is not static. Device posture and behaviour anomalies can revoke access mid-session.

NIST SP 800-207

NIST's Zero Trust Architecture publication (SP 800-207) defines seven tenets of Zero Trust and three deployment models: enhanced identity governance, micro-segmentation, and network infrastructure/software-defined perimeter.

Perimeter security vs. Zero Trust

DimensionPerimeter ModelZero Trust Model
Trust basisNetwork locationIdentity + context + device
Inside networkTrusted by defaultUntrusted — verify every request
VPNFull network accessZTNA: per-app access only
Lateral movementEasy once insideBlocked by microsegmentation
Access modelStatic, role-basedDynamic, risk-adaptive, least-privilege

Related Concepts

PkiOsi ModelRisk Formula