Pillar A: Cybersecurity · A3

Zero Trust Architecture

Zero trust principles, micro-segmentation, NIST SP 800-207, ZTNA, continuous verification, BeyondCorp.

Part of Pillar A: Cybersecurity · Cybersecurity groups the disciplines that share methods, tools, and threat models with Zero Trust Architecture.

What is Zero Trust Architecture?

Zero Trust Architecture (ZTA) is a security model built on the principle that no user, device, or network segment should be inherently trusted. Every access request must be continuously verified, regardless of whether it originates inside or outside the traditional network perimeter. The mantra 'never trust, always verify' replaces the legacy castle-and-moat approach that assumed everything inside the firewall was safe.

NIST Special Publication 800-207 is the reference framework for Zero Trust Architecture. It states seven tenets, among them: every data source and computing service is a resource; all communication is secured regardless of network location; access is granted per session, with least privilege, by dynamic policy that weighs identity, device posture and other observed state; the enterprise continuously monitors the integrity and security posture of its assets; and authentication and authorization are strictly enforced before every access. Its underlying assumption is that the network is hostile. It also defines the logical components, a policy engine and policy administrator (together the policy decision point, PDP) and the policy enforcement points (PEPs) that sit in front of resources, and describes three deployment approaches: enhanced identity governance, micro-segmentation, and network infrastructure with a software-defined perimeter. Google's BeyondCorp initiative demonstrated that Zero Trust could work at large scale, moving access control from the network edge to individual users and devices so that employees could work from any network without a VPN.

Implementing Zero Trust is a journey, not a single product deployment. It requires integrating identity providers, device posture assessment, micro-segmentation, policy engines, and continuous monitoring into a coherent architecture, and the hard part is usually the policy itself: deciding which signals (group membership, device compliance, authentication strength and age, resource sensitivity) gate which resources, and re-evaluating them for the life of a session rather than once at login. Zero Trust Network Access (ZTNA) replaces network-level VPN access with per-application access brokered on identity and context, so a user who reaches one application is not placed on a network from which other applications are reachable. The Software-Defined Perimeter (SDP) model goes further by refusing to complete a connection until the client has authenticated (for example through single-packet authorization), so application servers cannot be enumerated by unauthenticated scanners, which removes them from the reachable attack surface.
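As an added example (not code from NIST SP 800-207, BeyondCorp, or any product), the following Python sketch shows how the components above fit together: a policy decision point that scores device posture, checks entitlement and authentication freshness, and never looks at network location, and an enforcement point that grants per-session access but re-evaluates posture on every request. The users, devices, resource tiers, scoring weights, and thresholds are constructed assumptions.

```python
"""Toy Zero Trust policy decision point (PDP) and policy enforcement point (PEP).
Added illustration only: not code from NIST SP 800-207, BeyondCorp or any vendor
product. Users, devices, resources, weights and thresholds are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"

@dataclass
class Subject:
    user: str
    groups: frozenset
    mfa_age: Optional[timedelta]  # time since last strong authentication; None = never

@dataclass
class Device:
    device_id: str
    managed: bool
    disk_encrypted: bool
    edr_healthy: bool
    patch_age_days: int

@dataclass
class Resource:
    name: str
    sensitivity: int  # 1 (public) .. 4 (restricted)
    allowed_groups: frozenset

def device_trust(d: Device) -> int:
    """Posture score 0..100 from signals an MDM or EDR agent would report."""
    if not d.managed:
        return 20  # unmanaged devices are capped whatever they self-report
    score = 40
    score += 20 if d.disk_encrypted else 0
    score += 25 if d.edr_healthy else 0
    score += 15 if d.patch_age_days <= 30 else (5 if d.patch_age_days <= 90 else 0)
    return score

def required_trust(r: Resource) -> int:
    """Minimum posture score per sensitivity tier (assumed policy table)."""
    return {1: 0, 2: 40, 3: 70, 4: 90}[r.sensitivity]

def decide(s: Subject, d: Device, r: Resource, require_fresh_auth: bool = True) -> tuple:
    """PDP: entitlement, then device posture, then authentication freshness.
    Source IP or network segment is deliberately not even a parameter."""
    if not (s.groups & r.allowed_groups):
        return DENY, "subject not entitled to resource"
    trust, needed = device_trust(d), required_trust(r)
    if trust < needed:
        return DENY, f"device trust {trust} below required {needed}"
    if require_fresh_auth:
        max_age = timedelta(hours=8) if r.sensitivity >= 3 else timedelta(days=1)
        if s.mfa_age is None or s.mfa_age > max_age:
            return STEP_UP, "strong authentication missing or stale"
    return ALLOW, "policy satisfied"

class EnforcementPoint:
    """PEP: access is granted per session, but entitlement and posture are re-checked
    on every request, so a device that drifts out of compliance loses access mid-session."""
    def __init__(self, session_ttl: timedelta = timedelta(minutes=15)):
        self.session_ttl = session_ttl
        self.sessions = {}  # (user, device_id, resource) -> expiry
    def handle(self, s: Subject, d: Device, r: Resource, now: datetime) -> tuple:
        key = (s.user, d.device_id, r.name)
        expiry = self.sessions.get(key)
        if expiry is not None and expiry > now:
            # Inside a live session MFA is not re-prompted, but posture and entitlement are.
            decision, reason = decide(s, d, r, require_fresh_auth=False)
            if decision != ALLOW:
                del self.sessions[key]
                return DENY, f"session revoked: {reason}"
            return ALLOW, "session valid"
        decision, reason = decide(s, d, r)
        if decision == ALLOW:
            self.sessions[key] = now + self.session_ttl
        return decision, reason

def demo() -> dict:
    """Run the scenarios on constructed data and return each decision."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    payroll = Resource("payroll", 4, frozenset({"finance"}))
    alice = Subject("alice", frozenset({"finance", "staff"}), timedelta(hours=1))
    good = Device("lap-01", True, True, True, 10)
    pep, out = EnforcementPoint(), {}
    # Compliant managed device, whatever network it is on: allowed.
    out["remote_compliant"] = pep.handle(alice, good, payroll, t0)
    # Unmanaged device: denied even if it sits on the corporate LAN.
    out["unmanaged"] = pep.handle(alice, Device("byod-7", False, True, True, 0), payroll, t0)
    # Stale MFA on a restricted resource: step-up, not a flat deny.
    stale = Subject("alice", alice.groups, timedelta(hours=20))
    out["stale_mfa"] = pep.handle(stale, Device("lap-02", True, True, True, 3), payroll, t0)
    # Five minutes into alice's session the EDR agent stops reporting healthy.
    drifted = Device("lap-01", True, True, False, 10)
    out["mid_session_drift"] = pep.handle(alice, drifted, payroll, t0 + timedelta(minutes=5))
    return out

if __name__ == "__main__":
    for name, (decision, reason) in demo().items():
        print(f"{name:18} {decision:8} {reason}")
```

Running it prints one decision per scenario. The last is the point of continuous verification: alice's session is revoked the moment her laptop's EDR agent stops reporting healthy, without waiting for the session to expire, while the unmanaged device is refused regardless of which network it sits on.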

Why it matters

The traditional perimeter no longer bounds the organization. Remote work, cloud adoption, and supply chain complexity mean that an internal network address says nothing about whether a request should be trusted. Zero Trust is the architectural response to this reality.

Zero Trust is the architectural philosophy that ties together network security, identity management, and endpoint security into a unified access model. It provides the strategic framework that modern security programs are built around.

Decide who or what can do what, enforce it cryptographically, constrain AI behaviour.


Key topics

NIST SP 800-207 Zero Trust Architecture
Zero Trust Network Access (ZTNA)
Micro-segmentation and policy enforcement
Google BeyondCorp model
Software-Defined Perimeter (SDP)
Policy Decision Point / Policy Enforcement Point (PDP/PEP)
Continuous authentication and authorization
Device posture assessment and trust scoring
Identity-centric security architecture
Zero Trust maturity models (CISA, Forrester)

Certifications that signal this domain

Credentials whose blueprint meaningfully covers this domain. Core means centrally covered; also touched means present in the blueprint but not the primary focus.

Core coverage

CCIE Security · Expert · Cisco

Cisco Certified Internetwork Expert Security

CISSP · Expert · ISC2

Certified Information Systems Security Professional

Breadth across security engineering, architecture, operations, and governance at senior-IC / manager level. The default senior-generalist signal.

CISSP-ISSAP · Expert · ISC2

CISSP Information Systems Security Architecture Professional

Architecture concentration on top of CISSP (an active CISSP is required): trust boundaries, identity / crypto / network composition, defense-in-depth design. The blueprint covers governance, compliance and risk, security architecture modeling, infrastructure security, and IAM architecture, and is aimed at senior security architects in enterprise environments.

CREST CRTSA · Professional · CREST

CREST Registered Technical Security Architect

CSA CCZT · Professional · Cloud Security Alliance

Certificate of Competence in Zero Trust (CCZT)

Vendor-neutral Zero Trust architecture and governance — NIST SP 800-207, ZTA pillars, and program implementation.

CyberArk Defender · Associate · CyberArk

CyberArk Defender - PAM

Day-to-day administration of CyberArk PAM, one of the most widely deployed enterprise privileged-access platforms.

CyberArk Guardian · Expert · CyberArk

CyberArk Guardian - PAM

Top-tier CyberArk practitioner — leads complex PAM programs and contributes back to the community.

CyberArk Sentry · Professional · CyberArk

CyberArk Sentry - PAM

Designs and deploys CyberArk PAM at enterprise scale — vault architecture, HA/DR, and complex onboarding.

FCSS SASE · Professional · Fortinet

Fortinet Certified Solution Specialist - Secure Access Service Edge

FCSS ZTA · Professional · Fortinet

Fortinet Certified Solution Specialist - Zero Trust Access

GDSA · Professional · GIAC

GIAC Defensible Security Architecture

Okta Certified Professional · Associate · Okta

Okta-specific identity deployment (SSO, MFA, lifecycle).

SC-100 · Professional · Microsoft

Microsoft Certified: Cybersecurity Architect Expert

The Microsoft Certified: Cybersecurity Architect Expert (SC-100) is Microsoft's expert-level security certification. It targets experienced professionals who design security architectures for hybrid and cloud-native environments on the Microsoft platform, and requires at least one associate-level security certification (e.g. AZ-500, SC-200, or SC-300) as a prerequisite. It covers Zero Trust architectures, compliance requirements, identity governance, and infrastructure protection from a strategic perspective. For organizations heavily invested in Microsoft 365 and Azure it is valuable proof of expertise; outside the Microsoft ecosystem its relevance is more limited. The exam will be updated in April 2026.

SC-300 · Associate · Microsoft

Microsoft Certified: Identity and Access Administrator Associate

Entra ID deployment, conditional access, privileged access, identity governance.

Also touched

CCSP · Professional · ISC2

Certified Cloud Security Professional

Cloud security architecture: shared responsibility, identity, data protection, crypto, and cloud-native detection.

GSEC · Associate · GIAC / SANS

GIAC Security Essentials

Broad defender fundamentals. Often paired with SANS SEC401.

SailPoint Identity Engineer · Professional · SailPoint

SailPoint Certified Identity Security Engineer

Designs and engineers SailPoint identity solutions across IdentityIQ and Identity Security Cloud (ISC).
