
Zero Trust Architecture: What It Is, Core Principles, and How to Implement It
A practical guide to Zero Trust architecture — what it is, how it differs from perimeter-based security, core principles like least privilege and micro-segmentation, implementation frameworks, and how B2B companies can adopt Zero Trust to meet compliance requirements.
Zero Trust is a cybersecurity model built on the principle of "never trust, always verify." It drops the assumption that users, devices, or services already inside a network can be implicitly trusted. Instead, every access request is authenticated and authorised on its own merits, and every connection is encrypted, regardless of where the request originates.
For B2B companies, Zero Trust is increasingly relevant not just as a security best practice but as a compliance expectation. NIS2 and DORA require, and ISO 27001 Annex A specifies, access control and authentication measures that map directly onto Zero Trust principles. Enterprise buyers now routinely ask about Zero Trust adoption in security assessments and questionnaires.
This guide covers what Zero Trust is, its core principles, key implementation components, and how it maps to compliance frameworks.
Zero Trust vs Traditional Perimeter Security
The Problem with Perimeter Security
The traditional "castle-and-moat" model assumes that everything inside the network perimeter is trusted. This assumption fails because:
- Cloud adoption — Data and applications live outside the traditional perimeter
- Remote work — Users access resources from anywhere, not just the office
- Supply chain complexity — Third-party vendors need access to internal systems
- Insider threats — Compromised credentials or malicious insiders can move laterally once inside
- Sophisticated attacks — Advanced persistent threats bypass perimeter defences
How Zero Trust Differs
| Aspect | Perimeter Security | Zero Trust |
|---|---|---|
| Trust model | Trust once verified at boundary | Never trust, always verify |
| Access scope | Broad network access after authentication | Granular, resource-level access |
| Network assumption | Internal network is safe | Assume breach everywhere |
| Primary controls | Firewalls, VPNs | Identity, micro-segmentation, continuous verification |
| Lateral movement | Largely unrestricted internally | Restricted through segmentation |
| Monitoring | Perimeter-focused | All traffic, all the time |
| Data location | On-premises focused | Cloud, on-premises, hybrid |
Core Principles of Zero Trust
1. Verify Explicitly
Authenticate and authorise every access request based on all available data points:
- User identity and role
- Device health and compliance status
- Location and network
- Application being accessed
- Data classification and sensitivity
- Time of access and behavioural patterns
- Risk score based on analytics
2. Use Least Privilege Access
Grant the minimum access needed for the task at hand:
- Just-in-time access (JIT) — Grant access only when needed, revoke when complete
- Just-enough-access (JEA) — Limit permissions to exactly what is required
- Risk-based adaptive policies — Adjust access dynamically based on real-time risk assessment
- Privilege escalation controls — Require additional verification for elevated access
3. Assume Breach
Design systems assuming the adversary is already inside:
- Micro-segmentation — Isolate resources to limit lateral movement
- End-to-end encryption — Encrypt all data in transit, even on internal networks
- Blast radius minimisation — Contain the impact of any single compromised component
- Continuous monitoring — Detect anomalies and respond in real time
Key Components of Zero Trust Architecture
Identity and Access Management (IAM)
| Component | Purpose |
|---|---|
| Multi-factor authentication (MFA) | Verify identity beyond passwords |
| Single sign-on (SSO) | Centralise authentication with strong protocols (SAML, OIDC) |
| Identity governance | Manage identity lifecycle, access reviews, certification campaigns |
| Privileged access management (PAM) | Secure and monitor administrative access |
| Conditional access policies | Enforce context-aware access decisions |
Device Trust
| Component | Purpose |
|---|---|
| Endpoint detection and response (EDR) | Monitor and respond to endpoint threats |
| Mobile device management (MDM) | Enforce security policies on mobile devices |
| Device health attestation | Verify device compliance before granting access |
| Certificate-based authentication | Authenticate devices using PKI certificates |
Network Segmentation
| Component | Purpose |
|---|---|
| Micro-segmentation | Isolate workloads with granular policies |
| Software-defined perimeters (SDP) | Create dynamic perimeters around individual resources |
| Network access control (NAC) | Enforce policy-based network access |
| DNS security | Prevent data exfiltration and C2 communications |
Data Security
| Component | Purpose |
|---|---|
| Encryption at rest and in transit | Protect data everywhere |
| Data loss prevention (DLP) | Prevent unauthorised data exfiltration |
| Data classification | Categorise data by sensitivity to apply appropriate controls |
| Rights management | Control what users can do with data (view, edit, share, download) |
Visibility and Analytics
| Component | Purpose |
|---|---|
| SIEM | Aggregate and correlate security events across the environment |
| UEBA | Detect anomalous behaviour indicating compromise |
| Network detection and response (NDR) | Monitor network traffic for threats |
| Security posture management | Continuously assess and improve security configuration |
Zero Trust Reference Frameworks
NIST SP 800-207
The primary reference architecture for Zero Trust, defining three core logical components:
- Policy Engine (PE) — Makes the ultimate decision to grant, deny, or revoke access based on enterprise policy and input from external sources
- Policy Administrator (PA) — Executes the PE's decision by establishing or shutting down the communication path between subject and resource
- Policy Enforcement Point (PEP) — Enables, monitors, and terminates connections between subjects and enterprise resources
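To make the three NIST SP 800-207 components concrete, and to show the "verify explicitly" and least-privilege principles from the section above actually being evaluated, here is an added example of a minimal PE/PA/PEP control plane in Python. It is not code from the original page or from NIST: the users, devices, resources, risk limits and the HMAC-signed grant format are all constructed assumptions standing in for an identity provider, an MDM/EDR compliance feed and a data classification catalogue.

```python
"""Minimal NIST SP 800-207 control plane: a Policy Engine (PE) that decides,
a Policy Administrator (PA) that turns an allow into a short-lived grant, and
a Policy Enforcement Point (PEP) that checks the grant on every request.

Added example, not code from the original page or from NIST. Users, devices,
resources, risk limits and the grant format are constructed assumptions.
"""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed inventory standing in for the PE's external data sources
# (identity provider, MDM/EDR compliance feed, data classification catalogue).
USERS = {
    "alice": {"roles": {"finance"}, "mfa_methods": {"fido2", "totp"}},
    "bob":   {"roles": {"engineering"}, "mfa_methods": {"totp"}},
}
DEVICES = {
    "lt-001": {"owner": "alice", "compliant": True},
    "lt-002": {"owner": "bob",   "compliant": False},  # patch overdue
    "lt-003": {"owner": "bob",   "compliant": True},
}
RESOURCES = {
    "erp-db": {"classification": "confidential", "roles": {"finance"}, "phishing_resistant_mfa": True},
    "wiki":   {"classification": "internal", "roles": {"finance", "engineering"}, "phishing_resistant_mfa": False},
}
RISK_LIMIT = {"confidential": 30, "internal": 60}   # adaptive: stricter for sensitive data
PHISHING_RESISTANT = {"fido2"}
PA_KEY = secrets.token_bytes(32)   # constructed; in practice an HSM-backed signing key
REVOKED: Set[str] = set()

@dataclass(frozen=True)
class Request:
    subject: str
    device: str
    resource: str
    mfa_used: Optional[str]   # authenticator used this session, None if password only
    risk_score: int           # 0-100 from UEBA/analytics
    network: str              # "corp", "home" or "unknown"

def policy_engine(req: Request) -> Tuple[bool, str]:
    """Verify explicitly: every signal must pass, default deny.
    The reason string is what goes to the audit log."""
    user, dev, res = USERS.get(req.subject), DEVICES.get(req.device), RESOURCES.get(req.resource)
    if not (user and dev and res):
        return False, "unknown subject, device or resource"
    if dev["owner"] != req.subject:
        return False, "device not enrolled to subject"
    if not dev["compliant"]:
        return False, "device fails health attestation"
    if not user["roles"] & res["roles"]:
        return False, "no role grants this resource (least privilege)"
    if req.mfa_used not in user["mfa_methods"]:
        return False, "MFA not satisfied"
    if res["phishing_resistant_mfa"] and req.mfa_used not in PHISHING_RESISTANT:
        return False, "resource requires phishing-resistant MFA"
    if req.network == "unknown" and res["classification"] == "confidential":
        return False, "confidential data not served to unknown networks"
    limit = RISK_LIMIT[res["classification"]]
    if req.risk_score > limit:
        return False, f"risk score {req.risk_score} exceeds limit {limit}"
    return True, "all checks passed"

def policy_administrator(req: Request, ttl_s: int = 300, now: Optional[float] = None) -> Tuple[Optional[str], str]:
    """Ask the PE; on allow, mint a grant bound to one subject, one device and
    one resource with a short expiry (just-in-time, just-enough access)."""
    allowed, reason = policy_engine(req)
    if not allowed:
        return None, reason
    now = time.time() if now is None else now
    body = json.dumps({"sub": req.subject, "dev": req.device, "res": req.resource,
                       "exp": int(now) + ttl_s}, sort_keys=True)
    tag = hmac.new(PA_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}", reason

def revoke(grant: str) -> None:
    """PA tears the path down, e.g. when continuous monitoring raises the risk score."""
    REVOKED.add(grant)

def policy_enforcement_point(grant: Optional[str], resource: str, now: Optional[float] = None) -> bool:
    """Per-request check next to the resource: authentic grant, for exactly this
    resource, unexpired and not revoked. Network location earns no trust here."""
    if not grant:
        return False
    body, _, tag = grant.rpartition(".")
    expected = hmac.new(PA_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False
    claims = json.loads(body)
    now = time.time() if now is None else now
    return claims["res"] == resource and claims["exp"] > now and grant not in REVOKED

if __name__ == "__main__":
    grant, why = policy_administrator(Request("alice", "lt-001", "erp-db", "fido2", 10, "corp"))
    print(why, "| PEP erp-db:", policy_enforcement_point(grant, "erp-db"),
          "| PEP wiki:", policy_enforcement_point(grant, "wiki"))
```

Two design points worth noting. The PE returns the first failing check as a reason, which is what an auditor or incident responder wants in the log, and the grant is scoped to a single resource and expires in minutes, so a stolen grant cannot be replayed against another system or kept alive past its window. Revocation is the PA's job, driven by the same continuous monitoring that feeds the risk score.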
CISA Zero Trust Maturity Model
The US Cybersecurity and Infrastructure Security Agency (CISA) defines maturity across five pillars:
| Pillar | Description |
|---|---|
| Identity | Authentication, identity stores, risk assessment |
| Devices | Asset management, compliance, threat protection |
| Networks | Segmentation, traffic management, encryption |
| Applications and Workloads | Application access, threat protection, security testing |
| Data | Inventory, access control, encryption, categorisation |
Each pillar progresses through four maturity stages in ZTMM version 2.0: Traditional → Initial → Advanced → Optimal. Three cross-cutting capabilities (Visibility and Analytics, Automation and Orchestration, Governance) span all five pillars.
Zero Trust and Compliance
Mapping to Regulatory Requirements
| Requirement | Framework | Zero Trust Alignment |
|---|---|---|
| Access control policies | NIS2 Art. 21, ISO 27001 A.5.15 | Least privilege, conditional access |
| Multi-factor authentication | NIS2 Art. 21(2)(j), DORA Art. 9 | Core ZT principle — verify explicitly |
| Network security | ISO 27001 A.8.20-A.8.22 | Micro-segmentation, SDP |
| Encryption | NIS2 Art. 21(2)(h), ISO 27001 A.8.24 | End-to-end encryption (assume breach) |
| Monitoring | DORA Art. 10, SOC 2 CC7 | Continuous monitoring and analytics |
| Incident detection | NIS2 Art. 21(2)(b), DORA Art. 17 | SIEM, UEBA, real-time alerting |
| Identity management | ISO 27001 A.5.16, SOC 2 CC6 | IAM, identity governance, PAM |
Benefits for Compliance
Adopting Zero Trust provides:
- Unified security model — A single architecture that addresses multiple framework requirements
- Audit evidence — Continuous monitoring and logging generate comprehensive audit trails
- Demonstrable controls — Granular policies are easier to document and verify than implicit trust
- Buyer confidence — Enterprise buyers increasingly expect Zero Trust adoption from SaaS vendors
- Risk reduction — Smaller blast radius and continuous verification reduce the likelihood and impact of breaches
Implementing Zero Trust: Practical Steps
Step 1: Identify Protect Surfaces
Define your most critical assets (DAAS):
- Data — Customer data, financial records, intellectual property
- Applications — Core business applications, APIs
- Assets — Servers, endpoints, IoT devices
- Services — DNS, DHCP, Active Directory
Step 2: Map Transaction Flows
Understand how data moves through your environment:
- Document data flows between users, devices, applications, and services
- Identify dependencies and communication patterns
- Map out which users and services need access to which resources
Step 3: Design Micro-Perimeters
Build controls around each protect surface:
- Deploy policy enforcement points as close to the resource as possible
- Implement micro-segmentation using cloud-native security groups, host-based firewalls, or SDN
- Configure conditional access policies based on identity, device, and context
Step 4: Create Zero Trust Policies
Define access policies using the Kipling Method:
- Who — Which identity can access the resource
- What — Which application or data is being accessed
- When — Time-based access restrictions
- Where — Location and network conditions
- Why — Business justification for access
- How — Which device and authentication method
Step 5: Monitor and Iterate
Continuously improve:
- Monitor all traffic and access events
- Analyse logs for anomalies and policy violations
- Refine policies based on observed patterns
- Expand Zero Trust coverage to additional protect surfaces
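The following is an added example, not code from the original page, that walks Steps 2, 3 and 5 above end to end for one small environment: it takes the transaction flows mapped in Step 2 as a default-deny allowlist, renders a per-host nftables input ruleset for a protect surface (Step 3), and then checks a later set of observed flows against the allowlist to surface lateral movement towards confidential systems (Step 5). Workload names, addresses and both flow lists are constructed; the nftables output is rendered only and not applied.

```python
"""Derive and enforce a default-deny micro-segmentation policy from mapped
transaction flows, then detect flows that violate it.

Added example, not code from the original page. Workload names, addresses
and the flow records below are constructed."""
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

Flow = Tuple[str, str, int, str]   # (src workload, dst workload, dst port, proto)

# Step 1: protect surfaces and their data classification (constructed).
PROTECT_SURFACES: Dict[str, str] = {
    "erp-db": "confidential", "erp-app": "internal", "billing-api": "confidential",
}
# Constructed addressing for the rule renderer; a CMDB or cloud API would supply this.
ADDRESSES: Dict[str, str] = {
    "lb-public": "10.0.0.10", "erp-app": "10.0.1.20", "billing-api": "10.0.1.30",
    "erp-db": "10.0.2.40", "dns": "10.0.0.53", "jump-01": "10.0.9.9",
}
# Step 2: flows recorded during the mapping exercise (constructed).
BASELINE_FLOWS: List[Flow] = [
    ("lb-public", "erp-app", 443, "tcp"),
    ("lb-public", "billing-api", 443, "tcp"),
    ("erp-app", "erp-db", 5432, "tcp"),
    ("billing-api", "erp-db", 5432, "tcp"),
    ("erp-app", "dns", 53, "udp"),
    ("billing-api", "dns", 53, "udp"),
]
# Step 5 input: flows seen after the policy went live (constructed), including
# two that were never mapped and point at confidential protect surfaces.
OBSERVED_FLOWS: List[Flow] = BASELINE_FLOWS * 3 + [
    ("erp-app", "billing-api", 22, "tcp"),    # SSH between app tiers: lateral movement
    ("erp-app", "billing-api", 22, "tcp"),
    ("jump-01", "erp-db", 5432, "tcp"),       # unmapped host reaching the database
]

def build_allowlist(flows: Iterable[Flow]) -> Set[Flow]:
    """Step 3: the allowlist is exactly the mapped flows; anything not listed
    is denied by the default-drop policy rendered below."""
    return set(flows)

def render_nft_ruleset(host: str, allowlist: Set[Flow]) -> str:
    """Render a per-host nftables input chain (policy drop) that admits only
    the mapped inbound flows for `host`. The PEP sits on the host itself."""
    lines = [
        "table inet zt {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
    ]
    for src, dst, port, proto in sorted(allowlist):
        if dst == host:
            lines.append(f'    ip saddr {ADDRESSES[src]} {proto} dport {port} accept comment "from {src}"')
    lines += ["  }", "}"]
    return "\n".join(lines)

def find_violations(observed: Iterable[Flow], allowlist: Set[Flow]) -> List[Tuple[Flow, int, str]]:
    """Step 5: every observed flow to a protect surface that is not on the
    allowlist, with its count and the target's classification, confidential
    targets first and then by volume. Flows to non-protect-surface hosts
    (e.g. DNS) are out of scope for this check."""
    counts = Counter(f for f in observed if f not in allowlist and f[1] in PROTECT_SURFACES)
    return sorted(((f, n, PROTECT_SURFACES[f[1]]) for f, n in counts.items()),
                  key=lambda v: (v[2] != "confidential", -v[1]))

if __name__ == "__main__":
    allow = build_allowlist(BASELINE_FLOWS)
    print(render_nft_ruleset("erp-db", allow))
    for (src, dst, port, proto), n, cls in find_violations(OBSERVED_FLOWS, allow):
        print(f"DENIED {src} -> {dst}:{port}/{proto} x{n} ({cls})")
```

Because the ruleset is derived from the mapped flows rather than written by hand, the monitoring step in Step 5 has an exact oracle: any flow that is not in the baseline is either a gap in the map (fix the map) or an attacker probing sideways (investigate). The dropped SSH attempt from erp-app to billing-api is the kind of signal a flat network would never have produced.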
How Orbiq Supports Zero Trust Adoption
- Trust Center: Publish your Zero Trust posture — access control policies, authentication requirements, and network segmentation evidence for buyer self-service
- Continuous Monitoring: Track Zero Trust maturity across identity, device, network, application, and data pillars
- Evidence Management: Centralise Zero Trust documentation, policy configurations, and monitoring evidence mapped to compliance frameworks
- AI-Powered Questionnaires: Auto-respond to Zero Trust-related security questionnaire questions from enterprise buyers
Further Reading
- Information Security Policy — Building the policy foundation that underpins Zero Trust implementation
- NIS2 Compliance — How Zero Trust principles map to NIS2 access control requirements
- SOC 2 Compliance — Demonstrating Zero Trust controls for SOC 2 Trust Service Criteria
- Penetration Testing — Testing Zero Trust controls through adversary simulation
This guide is maintained by the Orbiq team. Last updated: March 2026.