What is zero trust architecture?

TL;DR

Zero trust architecture is a security model that treats every user, device, and request as untrusted until verified, regardless of whether the request originates inside or outside the corporate network. Instead of a hard perimeter with a soft interior, zero trust enforces identity-aware, context-aware authorization at every resource. The reference framework is NIST SP 800-207, which defines seven tenets including per-session access decisions, dynamic policy, and comprehensive monitoring.

The short version

  • Zero trust treats every request as untrusted until verified, regardless of origin.
  • NIST SP 800-207 is the canonical reference and defines the policy engine / policy enforcement split.
  • Identity is the foundation; without strong identity and device posture, the rest collapses.

The longer explanation

Where the model comes from

The term "zero trust" was coined by a Forrester analyst in 2010. The concept became a federal mandate in 2021 when the U.S. Executive Order on Cybersecurity directed agencies to adopt zero-trust architectures, and NIST SP 800-207 became the working reference. Most large private enterprises have since incorporated zero trust into their target-state security architecture.

The seven tenets from NIST 800-207

NIST defines zero trust with seven tenets. The practical read on each:

  1. All data sources and computing services are resources. Treat APIs, microservices, storage buckets, and data streams the same way you treat application servers.
  2. All communication is secured regardless of network location. TLS everywhere, including east-west traffic.
  3. Access is granted per session. Authorization is not a once-at-login decision; it is evaluated for each request or short-lived session.
  4. Access is determined by a dynamic policy. Static ACLs are not enough. Policy consumes identity, device posture, time, location, and signal quality.
  5. The integrity and security posture of assets are monitored. You cannot grant access to a compromised device.
  6. All authentication and authorization are dynamic and strictly enforced before access is allowed. No bypass paths.
  7. As much information as possible is collected about assets, network infrastructure, and communications to improve security posture. Zero trust is an analytics program as much as an access program.

The logical architecture

Under the hood, NIST separates two roles: a policy decision point (PDP), made up of the policy engine and policy administrator, which evaluates policy and returns a decision, and a policy enforcement point (PEP), which sits in front of the resource and enforces that decision. Most vendor offerings map to one or both of these. When you evaluate tools, ask which role they play and what they require from the identity and device-posture layers underneath.
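To make the PDP/PEP split and tenets 3 to 7 concrete, here is a toy model added to this explainer (it is not code from NIST or Thoughtwave): a policy engine that re-evaluates identity, MFA and device posture on every request, and an enforcement point that is the only path to the resource. The resource names, groups and posture thresholds are constructed values.

```python
# Toy model of the NIST SP 800-207 logical architecture (added example, not from
# the page). Resource names, groups and thresholds are constructed values.
from dataclasses import dataclass

@dataclass(frozen=True)
class Subject:
    user: str
    groups: frozenset
    mfa_verified: bool

@dataclass(frozen=True)
class Device:
    managed: bool
    disk_encrypted: bool
    posture_age_hours: float  # time since the device agent last attested its posture

@dataclass(frozen=True)
class Request:
    subject: Subject
    device: Device
    resource: str

# Tenet 4: dynamic policy over identity, posture and freshness, not a static ACL.
POLICY = {
    "payroll-api": {"groups": {"finance"}, "mfa": True, "max_posture_age_hours": 1},
    "wiki": {"groups": {"staff", "finance"}, "mfa": False, "max_posture_age_hours": 24},
}
AUDIT_LOG: list[dict] = []  # tenet 7: every decision is kept for analytics

def policy_engine(req: Request) -> tuple[bool, str]:
    """Policy decision point: evaluate each request from scratch (tenet 3)."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "unknown resource: default deny"
    if not req.subject.groups & rule["groups"]:
        return False, "subject not in an authorised group"
    if rule["mfa"] and not req.subject.mfa_verified:
        return False, "MFA required"
    if not (req.device.managed and req.device.disk_encrypted):  # tenet 5
        return False, "device posture failed"
    if req.device.posture_age_hours > rule["max_posture_age_hours"]:
        return False, "device posture attestation is stale"
    return True, "allow"

def enforcement_point(req: Request, backend) -> tuple[int, str]:
    """PEP: the only path to the resource, so there is no bypass (tenet 6)."""
    allowed, reason = policy_engine(req)
    AUDIT_LOG.append({"user": req.subject.user, "resource": req.resource, "allowed": allowed, "reason": reason})
    return (200, backend(req)) if allowed else (403, reason)
```

The same user with the same group membership gets a different answer when the device's posture attestation is three hours old, which is the per-request behaviour that distinguishes this from a login-time ACL check.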

Enterprise use cases

  • Remote access for a hybrid workforce. Move from VPN-to-network to identity-aware proxy on high-value applications.
  • Third-party and contractor access. Scope access to specific applications and data, time-bound, with device posture enforced.
  • Cloud and SaaS consolidation. A single policy plane across IaaS, PaaS, and SaaS instead of per-vendor access rules.
  • OT/IT boundary hardening. Apply the model at the gateway between enterprise IT and operational technology in industrials and utilities.

How Thoughtwave approaches this

Our cybersecurity practice runs zero-trust programs in three stages: assessment against the NIST tenets, a sequenced roadmap that starts with identity and device posture, and application-by-application migration behind an access broker. We pair security engineers with a compliance lead because regulated environments layer HIPAA, PCI-DSS, SOC 2, or FedRAMP requirements on top of the core controls.

For deeper context, see our Cybersecurity Solutions service and our work with Banking & Finance and Government clients.

Frequently asked questions

What is NIST SP 800-207?
NIST SP 800-207, published in August 2020, is the U.S. federal reference document for zero trust architecture. It defines the model in terms of tenets (every request is authorized per session, access is least-privileged, policy is dynamic), logical components (policy engine, policy administrator, policy enforcement point), and deployment approaches. It is the closest thing to a vendor-neutral standard for zero trust.
How is zero trust different from a traditional firewall-based perimeter?
A traditional perimeter treats the network interior as trusted: once inside, a user or device gets broad access. Zero trust treats the interior as hostile by default. Every request, even from inside, is evaluated against identity, device posture, and context before the target resource responds. The security control moves from the network edge to the resource itself.
Do we need to replace our VPN?
You will likely retire most VPN use, not all of it at once. The typical path is to move high-value application access to a zero-trust access broker first (browser-based or agent-based), leave the VPN for long-tail legacy cases, and decommission the VPN as applications migrate. Teams that try a single-shot cutover usually fail on edge cases.
What should an enterprise build first when starting zero trust?
Identity is the foundation. If identity, MFA, device posture, and a single directory of truth are not in place, every downstream zero-trust control is weakened. The typical sequence is: strengthen identity and MFA, add device posture and conditional access, move high-value applications behind an access broker, then layer segmentation and analytics.
How long does a zero trust program take?
A mature zero-trust posture is a multi-year program for most mid-size and larger enterprises. Concrete wins along the way (MFA coverage, conditional access on top apps, retiring a legacy VPN) can ship in quarters. The mistake is treating it as a single project with an end date instead of a program with an arc.

Ramesh Thumu

Founder & President, Thoughtwave Software

Reviewed by Thoughtwave Editorial

Last updated April 22, 2026