A Practical Guide to Adopting a Zero Trust Architecture

Author: Chris Zayas

This whitepaper shares specialist insight to help organizations understand the rewards and risks associated with adopting a Zero Trust architecture, providing a foundation to enable them to start identifying what they need to do next to progress in their journey toward maturity.

Traditional perimeter-based models are no longer enough to secure today's dynamic, distributed environments. Evolving security threats, alongside the shift to cloud, hybrid work and increased third-party access, have significantly broadened the attack surface, accelerating the need for adaptive security models. As an answer to this growing organizational challenge, Zero Trust has emerged as a leading framework for reducing risk by continuously validating trust across users, devices, applications and data. As a result, organizations that adopt a Zero Trust mindset and architecture are better positioned to minimize breach impact, enhance visibility and strengthen regulatory readiness.

Read on to learn about the hazards of relying on long-established security defenses, what exactly Zero Trust is (and what it isn't), how to progress from the initial adoption stage to optimal maturity, common pitfalls, myths, and more.

The Limitations of Traditional Security Defenses

Organizations face increasing threats as a result of cloud adoption, hybrid work, over-permissioned access and legacy architectures. Traditional perimeter-based defenses are unable to keep pace with hybrid workforces, cloud-first strategies and expanding attack surfaces. This is because they assume implicit trust and fail to secure access across cloud, hybrid and third-party environments. Breaches often stem from gaps in visibility, fragmented access control, and unverified internal movement across the enterprise. In research undertaken by IBM in 2025, 65% of organizations surveyed stated that they had still not recovered from a data breach.

According to the same research by IBM, poor control and visibility of endpoints lengthen the breach lifecycle, and breach lifecycles contained under 200 days save $1.14M USD on average. While overall the cost of a breach lifecycle contained under 200 days is declining, averaging $4.07M USD in 2024 compared to $3.87M USD in 2025, the speed and costs of a breach remain too high. The signs are clear: even with the best tools available, organizations may still have limited visibility due to misconfiguration, lack of integration and the absence of 360-degree observability.

Without a Zero Trust strategy, organizations are impacted by:

- Inconsistent access controls across users, devices, and third parties
- Limited visibility into user behavior and system activity
- Tool sprawl and integration gaps that weaken overall protection
- Increased breach impact due to overprivileged access and lateral movement
- Regulatory pressure to demonstrate stronger access governance and data protection

Unlike perimeter-based models that trust anything inside the network, Zero Trust assumes breach, until proven otherwise.

Zero Trust Defined: Identity is the New Perimeter

Zero Trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. Zero Trust Architecture is an enterprise's cybersecurity plan that uses Zero Trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a Zero Trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a Zero Trust Architecture plan.

Source: The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-207

The concept of Zero Trust is a modern security paradigm that assumes breach, continuously verifies identity, and limits access by context—meaning that every user, device, or application must be continuously verified, even after initial access.

Breaking Down the Access Request Workflow

A simplified workflow of a user requesting access in a Zero Trust architecture starts with a user or device requesting access to a resource. The Policy Decision Point (PDP) is central to this workflow, because it is responsible for evaluating and determining if the access request should be granted or denied based upon the logic, context, and policy an organization creates. The Policy Enforcement Point (PEP) acts as the gatekeeper, as it ensures all access requests are evaluated against the Policy Decision Point. The PEP receives the request and forwards it to the Policy Decision Point (PDP). Examples include Microsoft's Entra ID and Okta Identity Cloud. The PDP evaluates the request against a variety of factors, such as the identity, role, location, or other context generated from the PEPs, and makes a determination for what should happen with the request. Types of PEPs vary according to the type of technology an organization has in place. Examples include Next-Generation Fi
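The PEP/PDP workflow described above, as an added illustration that is not part of the whitepaper: a PEP that forwards every request to a PDP, and a PDP that makes a per-request, least-privilege decision from identity (MFA), device posture and role context. The policy table, resource names and request fields are constructed for this example only.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool      # identity context supplied by the identity provider
    device_compliant: bool  # device posture reported by the endpoint agent
    location: str           # "corporate-lan", "home", "unknown", ...
    resource: str
    action: str

# Hypothetical least-privilege policy: resource -> action -> roles allowed.
# Constructed for this example; a real PDP would load this from its policy store.
POLICY = {
    "payroll-db": {"read": {"hr-analyst", "hr-admin"}, "write": {"hr-admin"}},
    "wiki": {"read": {"employee", "hr-analyst", "hr-admin"}, "write": {"employee"}},
}

class PolicyDecisionPoint:
    """Evaluates each request against identity, device and role context."""

    def evaluate(self, req: AccessRequest) -> Tuple[bool, str]:
        # Assume breach: req.location is kept for audit but grants no implicit
        # trust, so a request from the corporate LAN faces the same checks as any other.
        if not req.mfa_verified:
            return False, "identity not verified with MFA"
        if not req.device_compliant:
            return False, "device posture non-compliant"
        allowed_roles = POLICY.get(req.resource, {}).get(req.action, set())
        if req.role not in allowed_roles:
            return False, f"role {req.role!r} may not {req.action} {req.resource}"
        return True, "all policy checks passed"

class PolicyEnforcementPoint:
    """Gatekeeper in front of the resource: never decides on its own, forwards
    every request to the PDP, then enforces and logs the answer."""

    def __init__(self, pdp: PolicyDecisionPoint) -> None:
        self.pdp = pdp
        self.audit: List[Tuple[str, str, str, bool, str]] = []

    def handle(self, req: AccessRequest) -> bool:
        allowed, reason = self.pdp.evaluate(req)
        self.audit.append((req.user, req.resource, req.action, allowed, reason))
        return allowed
```

Each audit entry records the reason alongside the decision, which is the visibility the whitepaper says perimeter models lack.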