Chapter 6 Β· Helper 2

Concept Map

Zero Trust architecture flows and comparison tables.

Zero Trust Access Flow

Subject β†’ Resource

Subject

User, app, device

β†’

PEP

Gatekeeper

↕

Policy Engine

Grant/Deny/Revoke

Policy Admin

Tokens + instructions to PEP

β†’

Enterprise Resource

If allowed

PEP collects info, passes to PDP. Policy Engine decides. Policy Admin tells PEP what to do. PEP enforces.

Traditional Perimeter vs. Zero Trust

AspectTraditional PerimeterZero Trust
Trust modelTrust inside the networkNever trust, always verify
After firewallLateral movement possibleEvery hop requires verification
Device trustOn-network = trustedDevices verified via certificate + posture
User trustAuthenticated once at loginContinuously verified based on context
Breach blast radiusLarge β€” internal network exposedMinimal β€” attacker constrained to verified access

Data Plane vs. Control Plane

AspectData PlaneControl Plane
PurposeProcesses and forwards actual trafficManages how the data plane behaves
TasksForwarding, NAT, encryption, trunkingRouting tables, firewall rules, session policies
When activeEvery time a packet traverses the deviceWhen configuration is set or updated
ExampleA packet traveling through a routerAn admin updating the routing table

Security Zone Trust Matrix

From ZoneTo ZoneDefault Treatment
Untrusted (Internet)Trusted (Corporate)❌ Denied by default
Trusted (Corporate)Internal (Data Center)⚠️ Implicitly allowed (verified)
TrustedFinance Dept⚠️ Requires explicit authorization
Finance DeptHR Dept❌ Denied unless explicitly permitted