Zero Trust - A Modern Security Architecture Principle
Zero Trust is a security paradigm based on the principle of "never trust, always verify": No user, device, or network segment is implicitly trusted—every access request is explicitly verified.
Zero Trust (literally: no trust) is a security architecture paradigm introduced in 2010 by John Kindervag at Forrester Research. The core idea is that the traditional model, in which everything within the corporate network is automatically trusted, is fundamentally flawed in a world of cloud services, remote work, and Advanced Persistent Threats (APT).
The principle is: "Never trust, always verify."
The Problem with the Traditional Perimeter Model
Classic network security works like a castle with a moat: heavily secured on the outside (firewall, IDS), but once inside, everyone trusts each other. This castle-and-moat model has three critical weaknesses:
- Insider Threats: Employees, contractors, or compromised accounts have largely free rein once they are inside the perimeter, whether they belong there or not
- Lateral Movement: Once an attacker gains initial access, they can move freely within the flat network
- Cloud and remote work have dissolved the perimeter: Data resides in AWS, users work from home, and SaaS applications run outside the corporate network
The Five Pillars of Zero Trust (according to the CISA Zero Trust Maturity Model)
The five pillars come from the CISA Zero Trust Maturity Model, which builds on NIST SP 800-207. NIST SP 800-207 itself defines no pillars; it defines seven tenets and the logical architecture in which a policy engine decides on every access request and a policy enforcement point enforces that decision.
1. Identity
Identity is the new perimeter. Every access to resources requires strong authentication:
- Multi-Factor Authentication (MFA) as a minimum requirement
- Conditional Access: Access depends on device status, location, time, and risk level
- Privileged Access Management (PAM): Administrative access is time-limited and logged
- Identity Governance: Regular recertification of access rights
2. Devices
Only known, managed, and compliant devices are granted access:
- Mobile Device Management (MDM) / Unified Endpoint Management (UEM)
- Device compliance checks before access is granted (patch status, antivirus, disk encryption)
- Certificate-based device authentication
- Isolation of non-compliant devices in a quarantine VLAN
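How the Identity and Devices pillars combine into a single access decision, as an added example that is not from the original article or any product: a small policy engine in the NIST SP 800-207 sense evaluates one request against device compliance, group membership, risk score, required MFA strength and session age. The attribute names, the MFA ranking, the thresholds, the resource tiers and the sample identities and devices are assumptions made for this illustration.

```python
"""Policy decision point for one access request (added example, not from the
original article or any product). The split into policy engine (decides) and
policy enforcement point (enforces) follows NIST SP 800-207; the attribute
names, MFA ranking, thresholds and resource tiers below are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"    # session continues only after stronger MFA
    DENY = "deny"


@dataclass
class Identity:
    user: str
    groups: frozenset[str]
    mfa_method: str | None   # None, "sms", "totp" or "fido2" (assumed ranking below)
    session_age_min: int     # minutes since the last interactive authentication


@dataclass
class Device:
    managed: bool            # enrolled in MDM/UEM
    cert_verified: bool      # device certificate checked by the enforcement point
    disk_encrypted: bool
    patch_age_days: int
    edr_healthy: bool


@dataclass
class Context:
    risk_score: int          # 0-100, e.g. from UEBA / identity-protection signals
    privileged: bool = False # administrative action on the resource


@dataclass
class Resource:
    name: str
    required_group: str
    sensitivity: str         # "public" | "internal" | "confidential"


# Assumed policy parameters (a real deployment tunes these per resource tier).
MFA_STRENGTH = {None: 0, "sms": 1, "totp": 2, "fido2": 3}
MIN_MFA_FOR = {"public": 1, "internal": 2, "confidential": 3}
MAX_SESSION_MIN = {"public": 720, "internal": 480, "confidential": 60}
DENY_RISK = 80
STEP_UP_RISK = 50


def device_failures(d: Device) -> list[str]:
    """Device pillar: each unmet compliance condition is an independent reason."""
    checks = [
        (d.managed, "device not managed"),
        (d.cert_verified, "device certificate not verified"),
        (d.disk_encrypted, "disk not encrypted"),
        (d.patch_age_days <= 30, f"patches {d.patch_age_days} days old"),
        (d.edr_healthy, "EDR sensor unhealthy"),
    ]
    return [reason for ok, reason in checks if not ok]


def decide(ident: Identity, dev: Device, ctx: Context, res: Resource) -> tuple[Decision, list[str]]:
    """Evaluate one request. Nothing is trusted by default; every ALLOW is earned."""
    failures = device_failures(dev)
    if failures:
        return Decision.DENY, failures
    # Identity pillar: authorization is explicit, never inherited from network location.
    if res.required_group not in ident.groups:
        return Decision.DENY, [f"{ident.user} is not in group {res.required_group}"]
    if ctx.risk_score >= DENY_RISK:
        return Decision.DENY, [f"risk score {ctx.risk_score} >= {DENY_RISK}"]
    # Conditional access: required MFA strength depends on data tier, risk and action.
    required = MIN_MFA_FOR[res.sensitivity]
    reasons = []
    if ctx.risk_score >= STEP_UP_RISK or ctx.privileged:
        required = MFA_STRENGTH["fido2"]   # phishing-resistant MFA for risky or privileged access
        reasons.append("elevated risk or privileged action: phishing-resistant MFA required")
    if MFA_STRENGTH[ident.mfa_method] < required:
        reasons.append(f"MFA {ident.mfa_method!r} is below required strength {required}")
        return Decision.STEP_UP, reasons
    # Continuous verification: sensitive tiers re-authenticate sooner.
    if ident.session_age_min > MAX_SESSION_MIN[res.sensitivity]:
        reasons.append(f"session age {ident.session_age_min} min exceeds limit for {res.sensitivity}")
        return Decision.STEP_UP, reasons
    return Decision.ALLOW, reasons + ["all checks passed"]


# Constructed sample data for a stand-alone run.
COMPLIANT = Device(managed=True, cert_verified=True, disk_encrypted=True, patch_age_days=5, edr_healthy=True)
BYOD = Device(managed=False, cert_verified=False, disk_encrypted=True, patch_age_days=90, edr_healthy=False)
PAYROLL = Resource("payroll-db", required_group="finance", sensitivity="confidential")
WIKI = Resource("wiki", required_group="staff", sensitivity="internal")
ALICE = Identity("alice", frozenset({"staff", "finance"}), mfa_method="totp", session_age_min=30)

if __name__ == "__main__":
    for label, ident, dev, ctx, res in [
        ("alice/totp -> payroll", ALICE, COMPLIANT, Context(risk_score=10), PAYROLL),
        ("alice/totp -> wiki", ALICE, COMPLIANT, Context(risk_score=10), WIKI),
        ("alice/BYOD -> wiki", ALICE, BYOD, Context(risk_score=10), WIKI),
    ]:
        print(label, *decide(ident, dev, ctx, res))
```

Device compliance is evaluated first and every unmet condition is reported, so a non-compliant device receives a complete remediation list rather than one error at a time. STEP_UP instead of DENY is returned when the identity is authorized but the authentication is too weak for the data tier, the risk level or a privileged action; this is the case a conditional-access policy expresses when it demands stronger authentication rather than refusing outright.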
3. Network
Microsegmentation replaces the flat network:
- Microsegmentation: Workloads and applications are divided into isolated segments. East-west traffic (internal) is filtered just as strictly as north-south traffic (external)
- Software-Defined Perimeter (SDP): Resources are visible only to authorized users
- Encryption of all connections: TLS 1.3 for all data transfers, including internal ones
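What "east-west traffic is filtered just as strictly as north-south traffic" means in practice, as an added example that is not part of the original article: a default-deny allow-list over labelled workloads is applied to a constructed flow log, and one rule is rendered as the Kubernetes NetworkPolicy it corresponds to. The workload inventory, the rules, the IP addresses and the flow records are constructed sample data.

```python
"""Microsegmentation policy applied to east-west flow records (added example,
not from the original article). The label/selector model mirrors Kubernetes
NetworkPolicy; the workload inventory, rules and flow log are constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Workload:
    name: str
    ip: str
    labels: dict[str, str]


@dataclass
class Rule:
    """Allow src-selected workloads to reach dst-selected workloads on one port."""
    src: dict[str, str]
    dst: dict[str, str]
    port: int
    proto: str = "tcp"


# Constructed inventory of a three-tier shop plus an unrelated wiki workload.
INVENTORY = [
    Workload("web-1", "10.0.1.10", {"app": "shop", "tier": "web"}),
    Workload("web-2", "10.0.1.11", {"app": "shop", "tier": "web"}),
    Workload("api-1", "10.0.2.10", {"app": "shop", "tier": "api"}),
    Workload("db-1", "10.0.3.10", {"app": "shop", "tier": "db"}),
    Workload("wiki-1", "10.0.4.10", {"app": "wiki", "tier": "web"}),
]

# Everything not listed here is denied: web -> api -> db, nothing else.
RULES = [
    Rule(src={"app": "shop", "tier": "web"}, dst={"app": "shop", "tier": "api"}, port=8443),
    Rule(src={"app": "shop", "tier": "api"}, dst={"app": "shop", "tier": "db"}, port=5432),
]

# Constructed flow records: "src_ip dst_ip dst_port proto".
FLOW_LOG = """\
10.0.1.10 10.0.2.10 8443 tcp
10.0.2.10 10.0.3.10 5432 tcp
10.0.1.11 10.0.3.10 5432 tcp
10.0.4.10 10.0.2.10 8443 tcp
10.0.1.10 10.0.2.10 22 tcp
203.0.113.5 10.0.2.10 8443 tcp
"""

# Without this, pods not selected by any NetworkPolicy accept all traffic.
DEFAULT_DENY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny-all"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
}


def selects(selector: dict[str, str], labels: dict[str, str]) -> bool:
    """A selector matches when every one of its label values is present."""
    return all(labels.get(k) == v for k, v in selector.items())


def lookup(ip: str) -> Workload | None:
    return next((w for w in INVENTORY if w.ip == ip), None)


def evaluate(flow: str) -> tuple[str, str]:
    """Return ('allow'|'deny', reason) for one flow record; the default is deny."""
    src_ip, dst_ip, port, proto = flow.split()
    src, dst = lookup(src_ip), lookup(dst_ip)
    if src is None or dst is None:
        return "deny", "endpoint not in inventory"
    for r in RULES:
        if selects(r.src, src.labels) and selects(r.dst, dst.labels) \
                and r.port == int(port) and r.proto == proto:
            return "allow", f"{src.name} -> {dst.name}:{port} matches {r.src} -> {r.dst}"
    return "deny", f"{src.name} -> {dst.name}:{port} has no matching rule"


def audit(log: str) -> list[tuple[str, str, str]]:
    """Evaluate every record; in a flat network all of these would have succeeded."""
    return [(line, *evaluate(line)) for line in log.splitlines() if line.strip()]


def to_network_policy(rule: Rule) -> dict:
    """Render one rule as the equivalent Kubernetes NetworkPolicy (ingress side)."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"allow-{rule.src['tier']}-to-{rule.dst['tier']}"},
        "spec": {
            "podSelector": {"matchLabels": rule.dst},
            "policyTypes": ["Ingress"],
            "ingress": [{
                "from": [{"podSelector": {"matchLabels": rule.src}}],
                "ports": [{"protocol": rule.proto.upper(), "port": rule.port}],
            }],
        },
    }


if __name__ == "__main__":
    for line, verdict, why in audit(FLOW_LOG):
        print(f"{verdict:5} {why}")
```

Only the two intended hops succeed; the web-to-database shortcut, the cross-application call, the SSH connection on a management port and the flow from an unknown source are all denied even though every endpoint sits on the internal network. In Kubernetes a NetworkPolicy that selects a pod turns that pod's ingress into an allow-list, but pods selected by no policy stay open, so a namespace needs a default-deny policy like DEFAULT_DENY before the per-hop rules mean anything.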
4. Applications
Applications are no longer implicitly trusted simply because they reside on the intranet:
- Application-based access control instead of network-based
- API gateways for all application APIs with authentication and authorization
- Zero-Trust Network Access (ZTNA) as a VPN replacement: Users receive direct, encrypted access only to the specific applications they need
- Continuous Application Security Testing (SAST, DAST)
5. Data
Data-centric security:
- Data classification: Label data by sensitivity so that policy can answer who really needs which data
- Data Loss Prevention (DLP): Prevention of unauthorized data transfers
- Encryption at rest and in transit for all sensitive data
- Information Rights Management (IRM): Documents are protected even outside the organization
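Data classification and DLP working together, as an added example that is not from the original article or any DLP product: an egress check blocks a transfer either because its label may not leave the organization or because content inspection finds card numbers or IBANs that the label should have covered. The internal domain, the labels, the two detectors and the sample messages are constructed assumptions for this illustration.

```python
"""Data pillar: egress check combining the classification label with content
inspection (added example, not from the original article or any DLP product).
Internal domains, labels, detectors and the sample messages are constructed
assumptions for this illustration."""
from __future__ import annotations
import re

INTERNAL_DOMAINS = {"example.com"}
NEVER_EXTERNAL = {"confidential"}   # labels that never leave without an exception process

# Candidate patterns; each hit is confirmed by a checksum to keep false positives low.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")                       # 13-19 digit card numbers
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def iban_ok(candidate: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end, map
    letters to 10..35, and the resulting integer must leave remainder 1 mod 97."""
    s = candidate.replace(" ", "").upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    numeric = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(numeric) % 97 == 1


def scan(text: str) -> set[str]:
    """Return the kinds of sensitive data found in a message body."""
    found = set()
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            found.add("pan")
    for m in IBAN_RE.finditer(text):
        if iban_ok(m.group()):
            found.add("iban")
    return found


def egress_decision(msg: dict) -> tuple[str, list[str]]:
    """Block a transfer that carries a label which may not leave or that, regardless
    of label, contains data the label should have covered (labels can be wrong)."""
    external = [r for r in msg["to"] if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    if not external:
        return "allow", ["internal recipients only"]
    reasons = []
    if msg["label"] in NEVER_EXTERNAL:
        reasons.append(f"label {msg['label']!r} must not go to {external}")
    found = scan(msg["body"])
    if found:
        reasons.append(f"content contains {sorted(found)} although label is {msg['label']!r}")
    return ("block", reasons) if reasons else ("allow", ["no policy violation"])


# Constructed sample messages (example.com is the assumed internal domain).
MESSAGES = [
    {"label": "internal", "to": ["bob@example.com"], "body": "Q3 figures attached."},
    {"label": "confidential", "to": ["partner@example.net"], "body": "Board deck v3."},
    {"label": "public", "to": ["vendor@example.org"],
     "body": "Use card 4111 1111 1111 1111 exp 12/27 for the order."},
    {"label": "internal", "to": ["cfo@example.com", "bank@example.net"],
     "body": "Please wire the deposit to DE89 3704 0044 0532 0130 00 today."},
]

if __name__ == "__main__":
    for m in MESSAGES:
        print(*egress_decision(m))
```

The third message carries a "public" label but a valid card number and is blocked anyway: the checksum-confirmed detector catches the mislabelled case that a label-only rule would let through, which is why classification and content inspection are listed as separate controls. The card pattern examines one greedy candidate per position, so production DLP engines add format-specific tokenizers; the Luhn and mod-97 checks are what keep the false-positive rate tolerable.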
Zero Trust Implementation According to the CISA Maturity Model
The CISA Zero Trust Maturity Model (version 2.0, April 2023) describes four maturity stages, assessed separately for each of the five pillars, plus three cross-cutting capabilities (Visibility and Analytics, Automation and Orchestration, Governance):
| Maturity Stage | Description |
|---|---|
| Traditional | Manually configured attributes and lifecycles; static policies that address one pillar at a time; manual response and mitigation; limited correlation of dependencies |
| Initial | First automation of attribute assignment, policy decisions and enforcement; initial cross-pillar solutions and integration with external systems; aggregated visibility for internal systems |
| Advanced | Automated lifecycle and policy controls with cross-pillar coordination; centralized visibility and identity control; response to predefined mitigations; least privilege adjusted to risk and posture assessments |
| Optimal | Fully automated, just-in-time attribute assignment and dynamic policies driven by observed triggers; dynamic least privilege; continuous monitoring with cross-pillar interoperability and comprehensive situational awareness |
Common Mistakes in Zero Trust Implementation
"Buying Zero Trust as a Product"
Zero Trust is not a single technology but a philosophy and an architectural principle. No vendor can deliver "Zero Trust" as a finished product; it is a strategic transformation that typically takes years.
Too Broad a Scope from the Start
Recommended approach: Start with the highest-risk areas—typically privileged access and critical applications. Then expand gradually.
Lack of Change Management Support
Zero Trust fundamentally changes how employees work. Without training and communication, it leads to friction and workarounds (shadow IT).
Ignoring legacy systems
Not all systems are Zero Trust-ready. Legacy applications without API authentication or with hard-coded network connections require compensating controls (for example, placing them behind an authenticating proxy in their own segment) or replacement.
Zero Trust in practice: Technology building blocks
| Area | Technologies |
|---|---|
| Identity & Access | Microsoft Entra ID (formerly Azure AD), Okta, Ping Identity, CyberArk |
| Endpoint | Microsoft Intune, VMware Workspace ONE, CrowdStrike |
| Network | Zscaler, Palo Alto Prisma, Cisco Umbrella |
| Workload | AWS IAM, Kubernetes Network Policies, Service Mesh |
| Data | Microsoft Purview, Varonis, Forcepoint DLP |
| Visibility | SIEM, SOAR, UEBA (User and Entity Behavior Analytics) |
Zero Trust and Regulatory Requirements
Zero Trust directly supports compliance with:
- NIS2: Multi-factor authentication and access control policies are explicitly listed among the Article 21(2) measures; network segmentation is expected under its network security measures
- ISO 27001: Annex A controls for access control, cryptography, and network security
- GDPR: Data Protection by Design, access logging, data minimization
- DORA (financial sector): ICT risk management, incident reporting, third-party risk
Sources & References
- [1] NIST SP 800-207 - Zero Trust Architecture - National Institute of Standards and Technology
- [2] Forrester Research - The Definition of Modern Zero Trust - Forrester Research
- [3] BSI - Zero Trust Architekturen - Bundesamt für Sicherheit in der Informationstechnik
About the Author
M.Sc. in Internet Security (if(is), Westfälische Hochschule). COO and authorized officer (Prokurist) with expertise in information security consulting and security awareness. Junior professor of Cyber Security at FOM Hochschule, CISO lecturer at isits AG and doctoral candidate at the Graduierteninstitut NRW.
11 Publications
- Understanding Regional Filter Lists: Efficacy and Impact (2025)
- Privacy from 5 PM to 6 AM: Tracking and Transparency Mechanisms in the HbbTV Ecosystem (2025)
- A Platform for Physiological and Behavioral Security (2025)
- Different Seas, Different Phishes — Large-Scale Analysis of Phishing Simulations Across Different Industries (2025)
- Exploring the Effects of Cybersecurity Awareness and Decision-Making Under Risk (2024)
- Sharing is Caring: Towards Analyzing Attack Surfaces on Shared Hosting Providers (2024)
- On the Similarity of Web Measurements Under Different Experimental Setups (2023)
- People, Processes, Technology — The Cybersecurity Triad (2023)
- Social Media Scraper im Einsatz (2021)
- Digital Risk Management (DRM) (2020)
- New Work — Die Herausforderungen eines modernen ISMS (2024)