The Zero Trust Principle: Never Trust, Always Verify

The traditional perimeter security model assumed that everything inside the corporate firewall was trusted. Once an attacker gained access to the internal network, whether via phishing, VPN credential theft, or physical access, they could move laterally with minimal friction. Zero Trust Architecture (ZTA) rejects this assumption entirely. The foundational principle, articulated by John Kindervag at Forrester in 2010 and codified by NIST in Special Publication 800-207 (2020), is that no user, device, or network location is inherently trusted: every access request must be authenticated, authorized, and continuously validated regardless of its source.

NIST SP 800-207 lists seven tenets of Zero Trust; the three that most shape an implementation are: (1) All data sources and computing services are resources, regardless of location. (2) All communication is secured regardless of network location; being on the corporate LAN grants no implicit trust. (3) Access to individual enterprise resources is granted on a per-session basis, determined by dynamic policy that evaluates identity, device health, resource sensitivity, and behavioral signals both when the session is established and while it is in use.

The Five Pillars of Zero Trust

The CISA Zero Trust Maturity Model organizes ZTA into five pillars (the DoD Zero Trust Strategy (2022) uses seven, promoting Visibility & Analytics and Automation & Orchestration from cross-cutting capabilities to pillars of their own):

  • Identity: Identity is the primary security perimeter, covering every user, service account, and non-human identity (workload, API key, certificate). Identity providers (IdPs) such as Microsoft Entra ID (formerly Azure AD), Okta, and Ping Identity authenticate users and issue federated assertions via SAML 2.0 or OIDC/OAuth 2.0. Identity governance enforces just-in-time (JIT) access and periodic access reviews to prevent privilege accumulation.
  • Device: Only managed, compliant devices can access sensitive resources. Mobile Device Management (MDM) and Endpoint Detection and Response (EDR) agents provide posture signals: is the disk encrypted, is the OS current, is the EDR agent healthy? Microsoft Intune and CrowdStrike Falcon feed device compliance into Entra ID Conditional Access, which blocks access from unmanaged or non-compliant devices.
  • Network: Microsegmentation replaces the flat internal network. Application-layer access controls (rather than IP-based controls) mean a compromised endpoint can only reach resources its role requires, not the entire network segment.
  • Application: Applications enforce their own authorization after receiving an authenticated identity token. OAuth 2.0 scopes limit what a token can access. API gateways enforce rate limiting and input validation.
  • Data: Data classification drives access policy. Sensitive data (PII, intellectual property, process setpoints) is labeled and governed by DLP controls that prevent unauthorized exfiltration regardless of the user's network location.
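The per-session, dynamic policy of tenet (3) and the device and data signals of the pillars above come together in a policy decision point. The following is an added example (not code from the page, nor any vendor's Conditional Access schema); its signal names, thresholds, sensitivity labels, and session limits are assumptions chosen to illustrate the shape of such a policy. Note that the request carries a network-location field that the policy deliberately never consults.

```python
"""Per-session policy decision point (PDP) of the kind NIST SP 800-207 describes.

Added example; signal names, thresholds, and sensitivity labels are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # session may continue only after stronger re-authentication
    DENY = "deny"


# Authenticator strength, following the ranking in the MFA section: 3 is phishing-resistant.
MFA_STRENGTH = {"fido2": 3, "smartcard": 3, "totp": 2, "push": 2, "sms": 1, "none": 0}

# Minimum strength per data classification (assumed policy).
MIN_STRENGTH = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Maximum session age in minutes before re-evaluation forces re-authentication (assumed).
MAX_SESSION_MIN = {"public": 720, "internal": 480, "confidential": 240, "restricted": 60}


@dataclass(frozen=True)
class Device:
    managed: bool            # enrolled in MDM
    disk_encrypted: bool
    os_patch_age_days: int
    edr_healthy: bool

    def compliant(self, max_patch_age_days: int = 30) -> bool:
        return (self.managed and self.disk_encrypted and self.edr_healthy
                and self.os_patch_age_days <= max_patch_age_days)


@dataclass(frozen=True)
class Request:
    user: str
    mfa_method: str          # key of MFA_STRENGTH
    device: Device
    resource: str
    sensitivity: str         # key of MIN_STRENGTH
    risk_score: int          # 0..100 from behavioral analytics (assumed scale)
    session_age_min: int     # minutes since the session last authenticated
    network: str             # "corp_lan", "vpn", "internet": recorded, never trusted


def decide(req: Request) -> tuple[Decision, str]:
    """Evaluate one access request and return (decision, reason).

    Tenet 2 in practice: req.network never appears in a condition below.
    """
    if req.risk_score >= 80:
        return Decision.DENY, "risk score at or above hard-block threshold"
    if req.sensitivity in ("confidential", "restricted") and not req.device.compliant():
        return Decision.DENY, "device not compliant for sensitive resource"
    required = MIN_STRENGTH[req.sensitivity]
    if req.risk_score >= 50:
        # Elevated risk raises the bar by one level, capped at phishing-resistant.
        required = min(required + 1, 3)
    if MFA_STRENGTH[req.mfa_method] < required:
        return Decision.STEP_UP, f"{req.mfa_method} is below required strength {required}"
    if req.session_age_min > MAX_SESSION_MIN[req.sensitivity]:
        return Decision.STEP_UP, "session older than allowed for this classification"
    return Decision.ALLOW, "policy satisfied"


def demo() -> list[tuple[str, Decision]]:
    """Constructed requests: location is ignored, risk raises the MFA bar, sessions age out."""
    good = Device(managed=True, disk_encrypted=True, os_patch_age_days=7, edr_healthy=True)
    byod = Device(managed=False, disk_encrypted=True, os_patch_age_days=90, edr_healthy=False)
    cases = [
        ("fido2, managed device, from internet",
         Request("alice", "fido2", good, "ad-admin", "restricted", 10, 5, "internet")),
        ("totp, managed device, from corp LAN",
         Request("alice", "totp", good, "ad-admin", "restricted", 10, 5, "corp_lan")),
        ("unmanaged device reaching confidential data",
         Request("bob", "fido2", byod, "hr-db", "confidential", 10, 5, "corp_lan")),
        ("sms for internal wiki, low risk",
         Request("carol", "sms", good, "wiki", "internal", 0, 30, "vpn")),
        ("sms for internal wiki, elevated risk",
         Request("carol", "sms", good, "wiki", "internal", 60, 30, "vpn")),
        ("stale restricted session",
         Request("alice", "fido2", good, "ad-admin", "restricted", 10, 90, "internet")),
        ("critical risk score",
         Request("dave", "fido2", good, "wiki", "internal", 85, 1, "corp_lan")),
    ]
    return [(label, decide(r)[0]) for label, r in cases]
```

Running demo() shows the second case (TOTP against a restricted resource) and the stale-session case returning STEP_UP rather than DENY: the user is entitled to the resource, but the session must be re-established with a stronger factor. The corp_lan request with TOTP fares no better than the internet one, which is the point.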

Multi-Factor Authentication Methods

MFA is the single highest-impact control in the ZTA identity pillar. Methods ranked by phishing resistance, strongest first: FIDO2/WebAuthn hardware security keys (YubiKey, Google Titan) bind each credential to the relying party's origin and to the device, so an assertion produced on a look-alike phishing domain is useless against the real service; they are the standard for privileged access. Certificate-based authentication (CBA) via smartcards (PIV/CAC) provides similar guarantees and is the DoD standard. Authenticator apps generating time-based one-time passwords (TOTP), such as Microsoft Authenticator and Google Authenticator, are not phishing-resistant: a code typed into an attacker-in-the-middle page is simply relayed to the real login within its validity window. Push-notification approvals are additionally vulnerable to MFA fatigue (push bombing), as demonstrated in the 2022 Uber breach. SMS OTP is the weakest factor, since SIM swapping lets an attacker receive the codes, and it should not be used for privileged access.

ZTNA vs VPN: Why VPN Is the Old Perimeter

Traditional VPN gives remote users a Layer 3 tunnel into the corporate network, effectively placing them on the same network segment as internal servers; a compromised VPN client or stolen VPN credentials grant the attacker broad internal reach. Zero Trust Network Access (ZTNA), implemented by Zscaler Private Access, Palo Alto Prisma Access, Cloudflare Access, and Microsoft Entra Private Access, never places the remote user on the internal network. After identity and device posture verification, the ZTNA service brokers a connection only to the specific application the user is authorized to access, and only for the duration of the session. From the user's perspective they connect to an application; from the network's perspective no internal IP address is ever exposed to the internet, since the connector inside the network dials out to the broker rather than listening for inbound connections. This removes the lateral movement risk of VPN while providing equivalent application access.

Privileged Access Workstations and PAW Architecture

Privileged Access Workstations (PAWs) are hardened, dedicated devices used exclusively for administrative tasks. A PAW is a physically separate device that has no email client and no general-purpose web browsing (the browser, where present, is restricted to administrative portals such as the Azure portal, which removes the phishing attack surface), is blocked from internet access except for required administrative endpoints, runs only signed administrative tooling (Active Directory Users and Computers, the Azure portal, Ansible), and is enrolled in a dedicated, highly restricted Intune policy. Running the PAW as a VM on a daily-use machine inverts the trust relationship, because the less-trusted host can observe everything in the guest; Microsoft's guidance is the reverse, with the PAW as the host and any daily-use environment in a VM on top of it. Administrators use their regular workstation for email and daily tasks and switch to the PAW only when performing privileged operations: creating accounts, modifying firewall rules, accessing SCADA systems. Microsoft's PAW documentation recommends a tiered model: Tier 0 PAWs for Active Directory and identity infrastructure, Tier 1 PAWs for server administration, Tier 2 PAWs for workstation administration.

Zero Trust for OT: Constraints and Practical Approaches

Applying ZTA to OT environments is fundamentally constrained by legacy device realities. A 1998-vintage DCS controller running VxWorks has no identity, cannot authenticate to an IdP, cannot host an MDM agent, and will break if its network behavior changes. ZTA for OT must therefore focus on the wrappers around these devices rather than the devices themselves: ZTNA for vendor remote access (vendors authenticate via ZTNA before their sessions are proxied to OT assets), identity governance for OT AD accounts and shared accounts, device certificates for engineering workstations that access OT systems, and network-layer micro-segmentation that enforces least-connectivity for legacy PLCs. ICS-specific ZTNA solutions (Claroty SRA, Xage Security, and Dispel) provide OT-aware session brokering with protocol awareness and session recording. The CISA Zero Trust Maturity Model defines maturity stages per pillar (Traditional, Initial, Advanced, and Optimal in version 2.0), providing a roadmap for progressive ZTA adoption that is realistic for mixed IT/OT environments.
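Least-connectivity for a PLC cell reduces to an allowlist of (source zone, destination zone, protocol, port) tuples with everything else, in both directions, denied. The added example below (not code from the page; the zone addressing, permitted ports and flow-record format are constructed assumptions) uses one such allowlist twice: to audit flow records for violations, and to render the nftables forward chain that enforces the same policy at the segment boundary. The audit catches the three cases a micro-segmentation review most often finds: an IT desktop reaching a controller directly, an engineering workstation using a protocol the PLC should never see, and a controller initiating a connection outbound.

```python
"""Least-connectivity for a legacy PLC cell: one allowlist drives both the flow audit
and the enforcing nftables ruleset.

Added example; addressing, ports and log format are constructed assumptions.
"""
from ipaddress import ip_address, ip_network

ZONES = {                                      # assumed addressing
    "it_users": ip_network("10.10.0.0/16"),
    "eng_ws": ip_network("10.20.1.0/24"),      # engineering workstations with device certs
    "scada": ip_network("10.30.1.0/24"),       # SCADA/HMI servers
    "plc_cell_a": ip_network("10.40.1.0/24"),  # legacy controllers: no identity, no agent
}

# (src_zone, dst_zone, proto, dst_port). Anything else, in either direction, is denied.
ALLOW = {
    ("scada", "plc_cell_a", "tcp", 502),       # Modbus/TCP polling
    ("eng_ws", "plc_cell_a", "tcp", 502),      # engineering access, reached via the ZTNA broker
    ("eng_ws", "plc_cell_a", "tcp", 44818),    # EtherNet/IP explicit messaging
    ("eng_ws", "scada", "tcp", 443),
}


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line: str) -> dict:
    """Parse a 'k=v' flow record in the constructed format used by SAMPLE_FLOWS."""
    fields = dict(part.split("=", 1) for part in line.split())
    return {"src": fields["src"], "dst": fields["dst"],
            "proto": fields["proto"], "dport": int(fields["dport"])}


def evaluate(flow: dict) -> tuple[str, str]:
    key = (zone_of(flow["src"]), zone_of(flow["dst"]), flow["proto"], flow["dport"])
    if key in ALLOW:
        return "allow", "matches allowlist"
    if key[0] == "plc_cell_a":
        return "deny", "PLC initiated a connection: controllers never originate traffic here"
    if key[1] == "plc_cell_a" and key[0] not in ("eng_ws", "scada"):
        return "deny", f"{key[0]} may not reach the PLC cell directly"
    return "deny", f"{key[0]}->{key[1]} {key[2]}/{key[3]} not in allowlist"


def audit(lines: list[str]) -> list[tuple[str, str]]:
    """Return (record, reason) for every flow that violates least-connectivity."""
    violations = []
    for line in lines:
        verdict, reason = evaluate(parse_flow(line))
        if verdict == "deny":
            violations.append((line, reason))
    return violations


def render_nftables() -> str:
    """Render the allowlist as an nftables forward chain with a default drop policy."""
    rules = ["    ct state established,related accept"]   # return traffic for allowed flows
    for src, dst, proto, port in sorted(ALLOW):
        rules.append(f"    ip saddr {ZONES[src]} ip daddr {ZONES[dst]} {proto} dport {port} accept")
    return ("table inet ot_segmentation {\n  chain forward {\n"
            "    type filter hook forward priority 0; policy drop;\n"
            + "\n".join(rules) + "\n  }\n}\n")


SAMPLE_FLOWS = [  # constructed flow records
    "src=10.30.1.5 dst=10.40.1.10 proto=tcp dport=502",
    "src=10.20.1.7 dst=10.40.1.10 proto=tcp dport=44818",
    "src=10.10.4.23 dst=10.40.1.10 proto=tcp dport=502",    # IT desktop straight to a PLC
    "src=10.20.1.7 dst=10.40.1.10 proto=tcp dport=22",      # SSH attempt against a controller
    "src=10.40.1.10 dst=203.0.113.9 proto=tcp dport=443",   # controller calling out
]
```

Running audit(SAMPLE_FLOWS) on the constructed records returns the last three as violations with distinct reasons. Because render_nftables() is generated from the same ALLOW set, a flow the audit flags is also one the firewall drops; keeping the two in one place is what stops the documented policy and the enforced policy from drifting apart.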