Zero Trust Architecture (ZTA) Design and Implementation, A Comprehensive Review
DOI:
https://doi.org/10.54536/ajise.v5i1.5905
Keywords:
ABAC, BeyondCorp, Data-Centric Security, Identity and Access Management, Micro-Segmentation, PDP/PEP, RBAC, SASE, Zero Trust Architecture, ZTNA
Abstract
Zero Trust Architecture (ZTA) has emerged as a transformative security model, evolving from perimeter-based defense systems to a more resilient, identity-centric approach in response to the growing complexity of modern cybersecurity threats. This review explores the design and implementation of ZTA, focusing on its core principles, including identity verification, least-privilege access, and continuous monitoring. With a particular emphasis on cloud-first, hybrid work environments, ZTA replaces implicit trust with real-time, context-aware access decisions, ensuring stronger security postures across distributed networks. The paper synthesizes key frameworks, such as NIST SP 800-207 and CISA’s Zero Trust Maturity Model, to provide a comprehensive understanding of ZTA’s components and their real-world applications. It also examines the challenges and risks associated with legacy systems, integration complexities, and tool interoperability, while offering strategies for overcoming these barriers. Through case studies from sectors like finance, healthcare, and government, the paper demonstrates the successful application of ZTA, highlighting measurable improvements in security and user experience. The review concludes by addressing future trends, such as the integration of AI/ML in policy decisions and the convergence of ZTA with SASE, ensuring Zero Trust remains adaptable to emerging cybersecurity needs.
References
Adams, M. (2025, May 15). How the Microsoft Secure Future Initiative brings Zero Trust to life [Blog post]. Microsoft Security Blog. https://www.microsoft.com/en-us/security/blog/2025/05/15/how-the-microsoft-secure-future-initiative-brings-zero-trust-to-life/
Amazon Web Services. (2023). Embracing Zero Trust: A strategy for secure and agile business transformation [White paper]. AWS Prescriptive Guidance. https://docs.aws.amazon.com/prescriptive-guidance/latest/strategy-zero-trust-architecture/introduction.html
Amazon Web Services. (2025). Zero Trust on AWS. https://aws.amazon.com/security/zero-trust/
Bokan, B. (2024). Zero Trust for federal enterprise [Conference presentation]. Federal Cybersecurity and Privacy Professionals Forum. https://csrc.nist.gov/csrc/media/Presentations/2024/cisa-and-zero-trust-for-federal-enterprise/images-media/CISA_and_Zero_Trust_for_Fed-Bokan_1115am.pdf
CISA. (2023). Secure-by-design. Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/resources-tools/resources/secure-by-design
CISA. (2024a, March 12). CISA publishes SCuBA hybrid identity solutions guidance. Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/news-events/alerts/2024/03/12/cisa-publishes-scuba-hybrid-identity-solutions-guidance
CISA. (2024b). Space systems security and resilience landscape: Zero Trust in the space environment. Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/sites/default/files/2024-06/Space%20Systems%20Security%20and%20Resilience%20Landscape%20-%20Zero%20Trust%20in%20the%20Space%20Environment%20%28508%29.pdf
Cisco. (2024). Zero Trust network access (ZTNA) demystified [White paper]. Cisco Systems. https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2024/pdf/BRKSEC-2079.pdf
Cloudflare. (2022). Top 10 productivity improvements: The business impact of Zero Trust [White paper]. Cloudflare. https://www.cloudflare.com/static/5116783b5c6dabad22889d5f014f0da5/Zero_Trust_Business_Impact_-_Top_10_Productivity_Improvements__rev__2022_Q4_.pdf
Cloud Security Alliance. (2023). Advancing Zero Trust maturity throughout the device pillar. CSA. https://cloudsecurityalliance.org/resources/advancing-zero-trust-maturity-throughout-the-device-pillar
CyberEdge (for Palo Alto). (2021). A step toward Zero Trust for the cloud [White paper]. CyberEdge Group. https://cyberedgegroup.com/wp-content/uploads/2021/02/PaloAltogBookZeroTrust.pdf
Cybersecurity and Infrastructure Security Agency. (2021). Trusted Internet connections (TIC) 3.0: Security capabilities catalog. CISA. https://www.cisa.gov/sites/default/files/publications/CISA%20TIC%203.0%20Security%20Capabilities%20Catalog%20v2.0_0.pdf
Dakić, V., Morić, Z., Kapulica, A., & Regvart, D. (2025). Analysis of Azure Zero Trust architecture implementation for mid-size organizations. Journal of Cybersecurity and Privacy, 5(1), 2. https://doi.org/10.3390/jcp5010002
Doherty, D. H., & McKenney, B. (2021). Zero Trust architectures: Are we there yet? MITRE. https://www.mitre.org/news-insights/publication/zero-trust-architectures-are-we-there-yet
ENISA. (2021). ENISA threat landscape 2021. European Union Agency for Cybersecurity. https://www.enisa.europa.eu/publications/enisa-threat-landscape-2021
Ericom Software. (2023). What’s the Zero Trust-SASE connection? Ericom. https://www.ericom.com/whats-the-zero-trust-sase-connection/
Federal Trade Commission, Office of Inspector General. (2023). Audit of the FTC progress on the implementation of Zero Trust architecture (redacted). FTC. https://oig.ftc.gov/reports/audit/audit-ftc-progress-implementation-zero-trust-architecture-redacted
Google Cloud. (2021). Secure access to SaaS applications with BeyondCorp Enterprise [White paper]. Google Cloud. https://services.google.com/fh/files/misc/secure_access_to_saas_apps_with_bce.pdf
Grasset, J.-Y., Jumelet, A., Ndouga, F., Roques, M., Aubert, G., Simon, B., Bordier, G., Giblain, I., Gardette, M., Lacour, E., Guégan, J.-M., Flichy, M., Curel, R., & O’Hara, L. (2021). How to initiate your Zero Trust transformation project? Capgemini.
Hernandez, S. (2024). Federal Zero Trust data security guide. CISO Council & CDO Council. https://www.cio.gov/federal-zero-trust-data-security-guide/
Homeland Security. (2025). Zero Trust architecture implementation: Fiscal year 2024 report to Congress. U.S. Department of Homeland Security. https://www.dhs.gov/sites/default/files/2025-04/2025_0129_cisa_zero_trust_architecture_implementation.pdf
ISMS Online. (2020). ISO 27002: The code of practice for information security controls. ISMS Online. https://www.isms.online/iso-27002/
International Organization for Standardization. (2022). ISO/IEC 27001:2022 information security management systems. ISO. https://www.iso.org/standard/27001
Mavroudis, V. (2024). Zero Trust network access (ZTNA). arXiv preprint. https://arxiv.org/abs/2410.20611
Microsoft. (2021). Evolving Zero Trust: How real-world deployments and attacks are shaping the future of Zero Trust strategies. Microsoft. https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/Evolving-Zero-Trust-Microsoft-Position-Paper.pdf
Microsoft. (2024). Zero Trust security. Microsoft. https://www.microsoft.com/en-us/security/business/zero-trust
Microsoft. (2025). Microsoft Secure Future Initiative: Bringing Zero Trust to life. Microsoft. https://www.microsoft.com/en-us/security/blog/2025/05/15/how-the-microsoft-secure-future-initiative-brings-zero-trust-to-life/
National Cyber Security Centre. (2021). Zero Trust architecture design principles. NCSC (UK). https://www.ncsc.gov.uk/collection/zero-trust-architecture
Netskope. (2024). 5 key considerations for selecting a Zero Trust network access solution. Netskope. https://www.netskope.com/resources/ebooks/5-key-considerations-for-selecting-a-zero-trust-network-access-solution
NIST. (2020). Security and privacy controls for information systems and organizations (NIST SP 800-53 Rev. 5). National Institute of Standards and Technology. https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final
NIST. (2021). Executive Order 14028: Improving the nation’s cybersecurity. National Institute of Standards and Technology. https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity
NIST. (2023). Implementing a Zero Trust architecture (Vol. E, Risk and compliance management) (NIST SP 1800-35 Draft). National Institute of Standards and Technology. https://csrc.nist.gov/pubs/sp/1800/35/2prd-(1)
NIST. (2024a). Implementing a Zero Trust architecture (NIST SP 1800-35 Initial Public Draft). National Institute of Standards and Technology. https://csrc.nist.gov/pubs/sp/1800/35/ipd
NIST. (2024b). Implementing a Zero Trust architecture. National Cybersecurity Center of Excellence. https://www.nccoe.nist.gov/projects/implementing-zero-trust-architecture
NSA. (2021). NSA issues guidance on Zero Trust security model. National Security Agency. https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2515176/nsa-issues-guidance-on-zero-trust-security-model/
NSA. (2024a). NSA releases guidance on Zero Trust maturity throughout the application and workload pillar. National Security Agency. https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3784301/nsa-releases-guidance-on-zero-trust-maturity-throughout-the-application-and-wor/
NSA. (2024b). NSA releases maturity guidance for the Zero Trust network and environment pillar. National Security Agency. https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3695223/nsa-releases-maturity-guidance-for-the-zero-trust-network-and-environment-pillar/
Office of the U.S. Government Accountability. (2024). Cybersecurity: Implementation of executive order requirements is essential to address key actions. U.S. GAO. https://www.gao.gov/products/gao-24-106343
Okta. (2023). State of Zero Trust [Report]. Okta. https://www.okta.com/reports/state-of-zero-trust/
Rose, S., Borchert, O., Mitchell, S., & Connelly, S. (2020). Zero Trust architecture (NIST SP 800-207). National Institute of Standards and Technology. https://doi.org/10.6028/nist.sp.800-207
Ross, R. (2024). Enhanced security requirements for protecting controlled unclassified information (NIST SP 800-172 Rev. 3). National Institute of Standards and Technology. https://doi.org/10.6028/nist.sp.800-172r3.ipd
Sabetto, R. (2022). MITRE cloud strategy. MITRE. https://www.mitre.org/news-insights/publication/mitre-cloud-strategy
Sood, N., Parlapalli, R., Sharma, P., & Kashyap, R. (2024). Application of Zero Trust model in preventing medical errors. Frontiers in Health Services, 4. https://doi.org/10.3389/frhs.2024.1453804
SSH Communications Security. (2021). A finance and stock trading company passing audits with Zero Trust PAM [Case study]. SSH. https://www.ssh.com/hubfs/2021%20Case%20studies/ssh_case_study_a_finance_stock_trading_company_passing_audits_with_zero_trust_PAM.pdf
ManageEngine. (2022). How to mitigate insider threats by integrating UEBA with Zero Trust. ManageEngine. https://www.manageengine.com/log-management/ebooks/integrating-ueba-with-zero-trust-to-secure-business.html
U.S. Department of Homeland Security. (2023). CISA Zero Trust maturity model v2. Cloud Security Alliance. https://cloudsecurityalliance.org/resources/cisa-zero-trust-maturity-model-v2
Washington, D., & Sharek, R. (2023). Readiness review on Zero Trust implementation [Redacted report]. U.S. Securities and Exchange Commission. https://www.sec.gov/files/fnl-mgmt-ltr-readiness-rvw-secs-prog-twd-implmntng-zero-trust-cyber-prncpls.pdf
Yeoh, W., Liu, M., Shore, M., & Jiang, F. (2023). Zero Trust cybersecurity: Critical success factors and a maturity assessment framework. Computers & Security, 133, 103412. https://doi.org/10.1016/j.cose.2023.103412
Young, S. (2022). Memorandum for the heads of executive departments and agencies (M-22-09). The White House. https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf
ZT PfMO. (2022). Department of Defense Zero Trust strategy and reference architecture v2.0 [Pre-decisional draft]. U.S. Department of Defense. https://dodcio.defense.gov/Portals/0/Documents/Library/DoD-ZTStrategy.pdf
License
Copyright (c) 2026 Zain Muhammad

This work is licensed under a Creative Commons Attribution 4.0 International License.