Zero-trust architecture based on implied trust-zones

In this study we explored how an organization can design a zero-trust architecture based on implied trust-zones. Implied trust-zones are demarcated parts of an infrastructure that link a piece of functionality to the applicable security requirements and security measures. We introduced a new role (the zone-owner) who looks after the functional and security design of the zone. We also introduced the zoning approach, a method that can be used by individual zone-owners to design, implement and manage zones in a structured manner.

In this model, an enterprise/security architecture is created from multiple smaller architectures (the trust-zones). We believe that implied trust-zones realize a strong business-IT-security alignment by connecting company goals, functionalities, and security. They also realize this alignment when they are placed decentrally under one entity (the zone-owner).

The research methods included a literature study, conversations with cybersecurity professionals (some of whom were security architects), our own ideas and insights, and tests of (parts of) the design method on a number of existing designs. As a next step, we plan to validate the zoning approach in practice. Furthermore, we ask ourselves how an architecture can be assessed at the central level when it was created at a decentral level, and we suggest following this route in further research.

Read more about the publication in PIVB Magazine (in Dutch).