Zero Trust Access Flow
Subject β ResourceSubject
User, app, device
β
PEP
Gatekeeper
β
Policy Engine
Grant/Deny/Revoke
Policy Admin
Tokens + instructions to PEP
β
Enterprise Resource
If allowed
PEP collects info, passes to PDP. Policy Engine decides. Policy Admin tells PEP what to do. PEP enforces.
Traditional Perimeter vs. Zero Trust
| Aspect | Traditional Perimeter | Zero Trust |
|---|---|---|
| Trust model | Trust inside the network | Never trust, always verify |
| After firewall | Lateral movement possible | Every hop requires verification |
| Device trust | On-network = trusted | Devices verified via certificate + posture |
| User trust | Authenticated once at login | Continuously verified based on context |
| Breach blast radius | Large β internal network exposed | Minimal β attacker constrained to verified access |
Data Plane vs. Control Plane
| Aspect | Data Plane | Control Plane |
|---|---|---|
| Purpose | Processes and forwards actual traffic | Manages how the data plane behaves |
| Tasks | Forwarding, NAT, encryption, trunking | Routing tables, firewall rules, session policies |
| When active | Every time a packet traverses the device | When configuration is set or updated |
| Example | A packet traveling through a router | An admin updating the routing table |
Security Zone Trust Matrix
| From Zone | To Zone | Default Treatment |
|---|---|---|
| Untrusted (Internet) | Trusted (Corporate) | β Denied by default |
| Trusted (Corporate) | Internal (Data Center) | β οΈ Implicitly allowed (verified) |
| Trusted | Finance Dept | β οΈ Requires explicit authorization |
| Finance Dept | HR Dept | β Denied unless explicitly permitted |