Zero Trust Architecture
Design Principles for a Transformation towards a Perimeter-less Enterprise Architecture
T.P.J. Steenbrink (TU Delft - Technology, Policy and Management)
Marijn Marijn – Mentor (TU Delft - Information and Communication Technology)
R.S. van Wegberg – Graduation committee member (TU Delft - Organisation & Governance)
Sander van den Bosch – Coach (Deloitte)
Marten Posthumus – Coach (Deloitte)
More Info
expand_more
Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.
Abstract
Recent advances in the field of ‘Zero Trust’ security strategies have revealed that there is still much novelty regarding the concept of Zero Trust architecture (ZTA). Zero Trust has recently gained attention as the traditional approach, based on network perimeter security, is being outplayed by sophisticated cyber attacks. This research contributes significantly to the scientific knowledge base, as ZTA is hardly investigated. Moreover, recent developments are causing the perimeter to disappear, such as increasing collaboration between companies, ecosystem connections, and working from home due to Covid-19. As a result, public and private organizations need to rethink how to protect their IT infrastructure, assets and data better.
Several organizations are willing to opt for a Zero Trust approach because of its benefits. These benefits include improved security, reduced complexity, and lower overhead and operational costs. Additionally, innovation in enterprise architecture security is urgently needed as it can reduce data breaches, decrease lateral movement, and avoid ransom payments and a company freeze.
Even though Zero Trust brings many advantages, it has not yet replaced existing perimeter-based security approaches. The complication is that many organizations struggle with the implementation of ZTA due to a lack of knowledge and clarity on how to implement the Zero Trust security strategy. Additionally, “Zero Trust” is one of the most frequently used buzzwords in cybersecurity, making it hard to distinguish an actual ZTA. Complexity and misunderstandings of Zero Trust lead to failed projects and implementations. Furthermore, ZTA implementations are complex, and a predefined one-size-fits-all approach does not exist.
Moreover, organizations willing to transform their traditional architecture to a more advanced ZTA lack guidance in their transformation. However, Zero Trust solutions are marketed by multiple vendors, including Zscalar, IBM, Microsoft, and Palo Alto. There is no clear guidance for Enterprise Architects to support organizations in the transformation to a ZTA. Thus, research is needed to investigate 1) what Zero Trust architectures are, 2) what the challenges are, and 3) what the design principles for a successful ZTA transformation are.