Zero Trust Architecture (ZTA)

Attribute-based access control (ABAC) appears to be the backbone of the Zero Trust Architecture (ZTA). No matter where users and devices are located (LAN, VPN, or WAN), every access request shall be dynamically authorized at the finest granularity, per request rather than per network segment.

The Operative Definition of ZTA

Zero Trust Architecture (ZTA) provides a collection of concepts, ideas, and component relationships (architectures) designed to eliminate the uncertainty in enforcing accurate access decisions in information systems and services.

Network Components

In a ZTA network, there should be a separation (logical or possibly physical) between communication flows used to control and configure the network and application communication flows used to perform the actual work of the organization.

This is often broken down to a control plane for network control communication and a data plane for application communication flows [Gilman].

The control plane is used by the various infrastructure components for maintaining systems; judging, granting, or denying access to resources; and performing any necessary operations to set up connections between resources.

The data plane is used for the actual communication between applications. This communication channel may not be possible prior to the connection being established via the control plane.

For example, the control plane could be used by the policy administrator (PA) and the policy enforcement point (PEP) to set up the connection between the user and the enterprise resource. The application workload would then use the data plane connection that was established.
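The flow described above, as an added illustration that is not part of the original post or of NIST SP 800-207: a constructed ABAC policy engine decides on the control plane from subject, device and resource attributes (the source network is received but never used to grant trust), and the PEP refuses data-plane traffic until that control-plane decision has established a session. All attribute names and values are constructed for the example.

```python
from dataclasses import dataclass

# Constructed attributes; a real deployment sources these from the IdP, MDM and threat feeds.
@dataclass(frozen=True)
class Subject:
    user: str
    role: str
    mfa_verified: bool

@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool
    patched: bool

@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str  # "internal" or "restricted"

def policy_engine(subject, device, resource, action, source_network):
    """ABAC decision on the control plane. source_network is deliberately ignored:
    a corporate LAN or VPN address confers no trust in a ZTA."""
    if not (device.managed and device.patched):
        return ("deny", "device posture")
    if resource.sensitivity == "restricted":
        if subject.role not in {"finance", "admin"}:
            return ("deny", "role")
        if not subject.mfa_verified:
            return ("deny", "mfa")
    return ("allow", "attributes satisfied")

class PolicyEnforcementPoint:
    """PEP: asks the policy engine (control plane), then opens the data-plane session."""
    def __init__(self):
        self.sessions = set()  # sessions established by the control plane

    def request_access(self, subject, device, resource, action, source_network):
        decision, reason = policy_engine(subject, device, resource, action, source_network)
        if decision == "allow":
            self.sessions.add((subject.user, device.device_id, resource.name, action))
        return decision, reason

    def data_plane(self, subject, device, resource, action, payload):
        """Application traffic; refused unless the control plane set up this session."""
        if (subject.user, device.device_id, resource.name, action) not in self.sessions:
            raise PermissionError("no control-plane session for this request")
        return f"{resource.name}:{action}:{payload}"
```

The same user on an unmanaged device, or without MFA, is denied even from the corporate LAN, and any data-plane call without a prior control-plane decision raises PermissionError.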

Please refer to NIST SP 800-207 (draft) for details.
