Request a demo

In May 2021, executive order (EO) 14028 sent shock waves through the cybersecurity community as the formerly abstract concept of Zero Trust suddenly became a mandate for federal agencies. On January 26, 2022, the Office of Management and Budget (OMB) signaled its alignment with the EO by releasing plans to implement a Zero Trust Architecture (ZTA). With nearly every industry being business-adjacent to the federal workspace, many executives find themselves Googling “Zero Trust” and its related buzzwords. These moves are a shrill warning that the familiar security practices of creating fortressed cyber perimeters are no longer sufficient.  

So what is a Zero Trust Architecture?

Simply put, it’s an approach to cybersecurity requiring continuous user validation. The idea is to protect your environment and sensitive data through network segmentation and robust authentication methods. These measures help prevent malicious—or negligent—actors from moving laterally within your organization to access sensitive data.

Some may have initially thought ZTA would be simply another add-on feature for their legacy security configuration. The framework, however, represents a paradigm shift that promises to drag enterprise operations kicking and screaming into a brave new world. The world has changed, and ZTA acknowledges the realities of modern business ecosystems. 

Check Out Our Confidence Blog Series

Today, critical business workflows mingle among virtual and containerized architectures, community source code, partner and public clouds, and a distributed workforce and customer base. The notion of establishing trust with a username and password or guarding a static perimeter is no longer realistic.

How does this impact CISOs and their teams?

In this three-part series, we will explore the challenges of implementing a ZTA, how to model its operational impact and how it can benefit your organization. 

Finding the new perimeter

At the heart of the ZTA framework is the concept that perimeters are not defined by static boundaries but by partitioning workflows. Enumerating the entities (users, assets, applications, data, exchanges, etc.) involved with business workflows has been a daunting task—even for modestly sized businesses with a focused set of workflows. And identifying the exceptional individuals, or unicorns, who have the technical or line-of-business expertise for this undertaking is no easier. 

Fortunately for medium and large businesses, there are some technological aids to the process, such as Cisco’s Tetration application, which uses deployed agents to provide telemetry data to define workflows and perform ZTA policy discovery. Whether you utilize traditional collaboration methods or a technology supplement, defining business workflows is an essential starting point for micro-segmentation and establishing micro-perimeters along your ZTA journey.

The new trust stack

It’s well established among security professionals that usernames and passwords alone are obsolete. While supplemental processes like multi-factor authentication pose a modest improvement, they still do not bring a satisfactory resolution to user impersonation. 

ZTA takes a more comprehensive view of trust, which you can think of as a “trust stack.” The trust stack goes beyond identity management and network privileges by validating the device, connection, application use and interchange as well as rights to data stores. 

The initial workflow enumeration process mentioned earlier helps define rule sets that statically validate the trust stack. Still, dynamic and continuous validation processes are required to address other threats like session hijacking. This includes user and entity behavior analytics as well as machine learning and policy orchestration to manage complex rule sets. Palo Alto Networks is one vendor that has introduced new solutions and is working with NIST to refine and document requirements.

Understanding the impact of ZTA implementation

The transition from traditional network security practices to a ZTA is a complex undertaking. No business executive would consider implementing a ZTA directly into production—even in a monitoring-only mode. There are too many opportunities to disrupt critical business workflows, and paradoxically, the security gained is questionable until validated within an interactive environment. 

That’s why it’s critical to have a high-fidelity environment to model the impact of a ZTA on your unique production environment. Cyber range platforms are ideal for testing ZTA policies, modeling user behavior and accessing analytics.

Read Part II - Validating your Zero Trust Strategy to identify the right tools for the job.

Did you know that SimSpace can help validate your ZTA implementation and compliance posture? To find out more and request a demo of our ZTA validation capabilities, contact us at

Blog byBud Whiteman
Bud Whiteman
Bud Whiteman
Bud Whiteman serves as Lead Cyber Analyst at SimSpace, applying over 20 years of experience in risk management, cybersecurity risk assessment, business analysis and workforce development. Prior to his civilian career, Bud spent 20 years as a US Navy officer, attached to nuclear submarine operations and US Strategic Command. He holds a MS in Operations Research from the Naval Postgraduate School, and is a Certified FAIR™ practitioner for quantifying cyber risk.