Implementing a Zero Trust Architecture Project documentation

  • NIST SP 1800-35 Publication

Index

M | P | R | S | T | V | Z

M

  • Managed Devices

P

  • Policy
  • Policy Administrator (PA)
  • Policy Decision Point (PDP)
  • Policy Enforcement Point (PEP)
  • Policy Engine (PE)
  • Policy Information Point (PIP)

R

  • Risk

S

  • Security Control

T

  • Threat

V

  • Vulnerability

Z

  • Zero Trust
  • Zero Trust Architecture (ZTA)

By NIST

Disclaimer: Certain commercial equipment, instruments, or materials are identified in this documentation to foster understanding. Such identification does not imply recommendation or endorsement by the National Institute of Standards and Technology, nor does it imply that the materials or equipment identified are necessarily the best available for the purpose.