Sage Journals: Discover world-class research

Abstract

With the rise and advancements of technology, digital security is facing unprecedented challenges. Traditional security measures, such as strong credentials and multi-factor authentication (MFA), are no longer sufficient to protect digital assets from attacks and unauthorized access or to effectively verify user authenticity. Zero trust architecture (ZTA) has emerged as a solution in response to these issues. Leading organizations, including Google, Forrester, Palo Alto, and CISCO, have initiated strategies to design their own deployable ZTAs to offer the perks of ZT to other organizations. It operates on various principles such as removing implicit trust, continuously authenticating users, and de-perimeterization. It provides a top-notch defense against various major cyberattacks on organizations. This study offers a comprehensive and multi-dimensional synthesis of ZTAs. It also examines the principles and implementation strategies of various ZTAs, comparing them using multiple parameters to highlight their strengths and weaknesses. In addition to the synthesis of ZTAs, the work demonstrates its practical value with sector-specific examples to make it more relevant for real-world applications. Through a detailed analysis, the study identified potential research gaps and areas in existing research that require further investigation. These insights can guide future developments in digital security. The findings aim to help organizations select and implement the most effective ZT strategies to enhance their cybersecurity posture.

Keywords

authentication digital security dynamic access control identity and access management (IAM)zero trust architecture zero trust network access (ZTNA)

Get full access to this article

View all access options for this article.

References

Microsoft. Microsoft zero trust solutions deliver 92 percent return on investment, says new forrester study, 2022. https://www.microsoft.com/en-us/security/blog/2022/01/12/microsoft-zero-trust-solutions-deliver-92-percent-return-on-investment-says-new-forrester-study/ (2022, accessed 25 May 2024).

Rose

Borchert

Mitchell

, et al. NIST Special Publication 800-207, National Institute of Standards and Technology (NIST). 2020.

Ward

Beyer

. Beyondcorp: a new approach to enterprise security. ; login:: the Magaz USENIX & SAGE 2014; 39: 6–11.

Varma

. Mcafee labs: combating aurora, 2010.

Kindervag

Balaouras

, et al. No more chewy centers: Introducing the zero trust model of information security. Forrester Research, Technical Report. 2010.

Cybersecurity and Infrastructure Security Agency. Zero trust maturity model, version 2.0. Technical Report Version 2.0, U.S. Department of Homeland Security, CISA, 2023. https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf. TLP:CLEAR.

Office of Management and Budget (OMB). Moving the U.S. Government Toward Zero Trust Cybersecurity Principles (Memorandum M-22-09). Technical report, U.S. Government, 2022. https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf. OMB Memorandum for Executive Departments and Agencies.

National Security Agency (NSA). Embracing a Zero Trust Security Model. Technical Report U/OO/115131-21 / PP-21-0191 Ver. 1.0, NSA, 2021. https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.pdf. Cybersecurity Information.

Department of Defense (DoD). Zero Trust Reference Architecture, Version 2.0. Technical report, U.S. Department of Defense, 2022. https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v2.0(U)_Sep22.pdf. Classified; (U)ZT_RA_v2.0(U).

10.

National Institute of Standards and Technology (NIST). Implementing a Zero Trust Architecture. NIST Special Publication 1800-35, National Institute of Standards and Technology (NIST), 2024. https://www.nccoe.nist.gov/projects/implementing-zero-trust-architecture.

11.

Ponemon Institute and Sullivan Report. Cost of insider risks global report 2023, 2023. https://ponemonsullivanreport.com/2023/10/cost-of-insider-risks-global-report-2023/ (2023, accessed 20 May 2024).

12.

Wang

Sun

. Personal information in passwords and its security implications. IEEE Trans Inform Forens Sec 2017; 12: 2320–2333.

13.

Spiceworks. Passgan AI password cracking time. https://www.spiceworks.com/tech/artificial-intelligence/news/passgan-ai-password-cracking-time/ (2024, accessed 1 June 2024).

14.

Kumar

Shanker

Verma

. Context aware dynamic permission model: a retrospect of privacy and security in android system. In: 2018 international conference on intelligent circuits and systems (ICICS), 2018, pp.324–329. IEEE.

15.

Abowd

Dey

Brown

, et al. Towards a better understanding of context and context-awareness. In: Handheld and Ubiquitous computing: first international symposium, HUC’99 Karlsruhe, Germany, September 27–29, 1999 Proceedings 1, 1999, pp.304–307. Springer.

16.

Khaliq

Tariq

ZUA

Masood

. Role of user and entity behavior analytics in detecting insider attacks. In: 2020 International conference on cyber warfare and security (ICCWS), 2020, pp.1–6. IEEE.

17.

Edo

Ang

Billakota

, et al. A zero trust architecture for health information systems. Health Technol (Berl) 2024; 14: 189–199.

18.

Chuan

, et al. An implementation method of zero-trust architecture. J Phys: Conf Ser 2020; 1651: 012010.

19.

Mehraj

Banday

. Establishing a zero trust strategy in cloud computing environment. In: 2020 International conference on computer communication and informatics (ICCCI), 2020, pp.1–6. IEEE.

20.

Paul

Rao

. Zero-trust model for smart manufacturing industry. Appl Sci 2022; 13: 221.

21.

Hussain

Pal

Jadidi

, et al. Federated zero trust architecture using artificial intelligence. IEEE Wirel Commun 2024; 31: 30–35.

22.

Tsai

Lee

Shieh

. Strategy for implementing of zero trust architecture. IEEE Trans Reliab 2024; 73: 93–100.

23.

Report QC. Quantum threat timeline report 2020. https://quantumcomputingreport.com/quantum-threat-timeline-report-2020/ (2020, accessed 15 July 2024).

24.

Alliance

. Cloud security alliance sets countdown clock to quantum. https://cloudsecurityalliance.org/press-releases/2022/03/09/cloud-security-alliance-sets-countdown-clock-to-quantum (2022, accessed 15 July 2024).

25.

Raheman

. From standard policy-based zero trust to absolute zero trust (AZT): a quantum leap to Q-day security. J Comput Commun 2024; 12: 252–282.

26.

D’Silva

Ambawade

. Building a zero trust architecture using kubernetes. In: 2021 6th international conference for convergence in technology (I2CT), 2021, pp.1–8. IEEE.

27.

Hatakeyama

Kotani

Okabe

. Zero trust federation: sharing context under user control towards zero trust in identity federation. In: 2021 IEEE International conference on pervasive computing and communications workshops and other affiliated events (PerCom Workshops), 2021, pp.514–519. IEEE.

28.

Anderson

Huang

Cheng

, et al. BYOZ: protecting BYOD through zero trust network security. In: 2022 IEEE International conference on networking, architecture and storage (NAS), 2022, pp.1–8. IEEE.

29.

Hong

Huang

, et al. Sysflow: toward a programmable zero trust framework for system security. IEEE Trans Inform Forens Sec 2023; 18: 2794–2809.

30.

Wang

Xue

, et al. Research on medical security system based on zero trust. Sensors 2023; 23: 3774.

31.

Nagarajan

Devarajan

Thangakrishnan

, et al. Artificial intelligence-based zero trust security approach for consumer industry. IEEE Trans Consumer Elect 2024; 70: 5411–5418.

32.

Din

Khan

Almogren

, et al. Securing the metaverse: a blockchain-enabled zero-trust architecture for virtual environments. IEEE Access 2024; 12: 92337–92347.

33.

Lee

Huh

Woo

. Security system design and verification for zero trust architecture. Electronics 2025; 14: 643.

34.

Aleisa

. Blockchain-enabled zero trust architecture for privacy-preserving cybersecurity in IoT environments. IEEE Access 2025; 13: 18660–18676.

35.

Wang

Zhang

, et al. Zero-trust based dynamic access control for cloud computing. Cybersecurity 2025; 8: 12.

36.

Nazir

Iqbal

Muhammad

. ZTA: a novel zero trust framework for detection and prevention of malicious android applications. Wirel Networks 2025; 31: 3187–3203.

37.

Pokhrel

Doss

, et al. Towards decentralized operationalization of zero trust architecture for next generation networks. IEEE J Select Areas Commun 2025; 43: 1998–2010.

38.

Zhou

Liang

Kevin

, et al. Decentralized federated graph learning with lightweight zero trust architecture for next-generation networking security. IEEE J Select Areas Commun 2025; 43: 1908–1922.

39.

Asim

Tariq

Awad

, et al. SecT: a zero-trust framework for secure remote access in next-generation industrial networks. IEEE J Select Areas Commun 2025; 43: 2293–2311.

40.

Shahzad

Singh

. Continuous authentication and authorization for the internet of things. IEEE Internet Comput 2017; 21: 86–90.

41.

Shah

Syed

Shaghaghi

, et al. LCDA: lightweight continuous device-to-device authentication for a zero trust architecture (ZTA). Comput Sec 2021; 108: 102351.

42.

Meng

Huang

, et al. A continuous authentication protocol without trust authority for zero trust architecture. China Commun 2022; 19: 198–213.

43.

Alshomrani

. PUFDCA: a zero-trust-based IoT device continuous authentication protocol. Wireless Commun Mobile Comput 2022; 2022: 6367579.

44.

Embrey

. The top three factors driving zero trust adoption. Comput Fraud Sec 2020; 2020: 13–15.

45.

Teerakanok

Uehara

Inomata

. Migrating to zero trust architecture: reviews and challenges. Sec Commun Networks 2021; 2021: 9947347.

46.

Peck

Beyer

Beske

, et al. Migrating to beyondcorp: maintaining productivity while improving security. Login 2017; 42: 1–7.

47.

Phiayura

Teerakanok

. A comprehensive framework for migrating to zero trust architecture. IEEE Access 2023; 11: 19487–19511.

48.

Duo Security. From mfa to zero trust: a five-phase journey to securing the workforce, 2024. https://duo.com/resources/ebooks/from-mfa-to-zero-trust-a-five-phase-journey-to-securing-the-workforce (2024, accessed 1 June 2024).

49.

Diez

Vasu

Touceda

, et al. Modeling XACML security policies using graph databases. IT Prof 2017; 19: 52–57.

50.

Vanickis

Jacob

Dehghanzadeh

, et al. Access control policy enforcement for zero-trust-networking. In: 2018 29th Irish signals and systems conference (ISSC), 2018, pp.1–6. IEEE.

51.

Dimitrakos

Dilshener

Kravtsov

, et al. Trust aware continuous authorization for zero trust in consumer internet of things. In: 2020 IEEE 19th international conference on trust, security and privacy in computing and communications (TrustCom), 2020, pp.1801–1812. IEEE.

52.

Fatemian

Zamani

Masoumi

, et al. Automatic generation of XACML code using model-driven approach. In: 2021 11th International conference on computer engineering and knowledge (ICCKE), 2021, pp.206–211. IEEE.

53.

Mohamed

Auer

Hofer

, et al. Extended authorization policy for graph-structured data. SN Comput Sci 2021; 2: 351.

54.

Batra

Tyagi

. Comparative analysis of relational and graph databases. Int J Soft Comput Eng (IJSCE) 2012; 2: 509–512.

55.

čerešňák

Kvet

. Comparison of query performance in relational a non-relation databases. Trans Res Proc 2019; 40: 170–177.

56.

UK Government. Cyber security breaches survey 2024. https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024/cyber-security-breaches-survey-2024 (2024, accessed 6 July 2024).

57.

Ponemon Institute and Sullivan Report. Cost of insider risks global report 2024, 2024. https://ponemonsullivanreport.com/2024/06/ (2024, accessed 1 June 2024).

58.

Zyoud

Lutfi

. The role of information security culture in zero trust adoption: insights from UAE organizations. IEEE Access 2024; 12: 72420–72444.

59.

Daah

Qureshi

Awan

. Zero trust model implementation considerations in financial institutions: a proposed framework. In: 2023 10th International Conference on Future Internet of Things and Cloud (FiCloud), 2023, pp.71–77. IEEE.

60.

Daah

Qureshi

Awan

, et al. Enhancing zero trust models in the financial industry through blockchain integration: a proposed framework. Electronics 2024; 13: 865.

61.

US Department of Health and Human Services. Hipaa laws & regulations. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html (2024, accessed 11 August 2024).

62.

Alsuwaidi

Alharmoodi

Al Hamadi

. The transformative impact of zero-trust architecture on healthcare security. In: 2024 2nd International conference on cyber resilience (ICCR), 2024, pp.1–8. IEEE.

63.

Chen

Qiao

Zhao

, et al. A security awareness and protection system for 5G smart healthcare based on zero-trust architecture. IEEE Int Things J 2020; 8: 10248–10263.

64.

Tyler

Viana

. Trust no one? a framework for assisting healthcare organisations in transitioning to a zero-trust network architecture. Appl Sci 2021; 11: 7499.

65.

Dhar

Bose

. Securing IoT devices using zero trust and blockchain. J Organ Comput Elect Commerce 2021; 31: 18–34.

66.

Iqbal

Saxena

. Future industry internet of things with zero-trust security. Inform Syst Front 2022; 1–14.

67.

Feng

Zhong

Sun

, et al. Blockchain enabled zero trust based authentication scheme for railway communication networks. J Cloud Comput 2023; 12: 62.

68.

do Amaral

TMS

Gondim

JJC

. Integrating zero trust in the cyber supply chain security. In: 2021 Workshop on communication networks and power systems (WCNPS), 2021, pp.1–6. IEEE.

69.

Collier

Sarkis

. The zero trust supply chain: managing supply chain risk in the absence of trust. Int J Prod Res 2021; 59: 3430–3445.

70.

Tuyishime

Radu

Cotfas

, et al. Online laboratory access control with zero trust approach: twingate use case. In: 2024 16th International conference on electronics, computers and artificial intelligence (ECAI), 2024, pp.1–7. IEEE.

71.

Twingate. Zero trust network access (ZTNA), 2024. https://www.twingate.com/product/ztna (2024, accessed 3 August 2024).

72.

The White House. Executive order on improving the nation’s cybersecurity, 2021. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/ (2021, accessed 11 August 2024).

73.

Ministry of Justice Digital. Zero trust architecture in moj network services. https://mojdigital.blog.gov.uk/2023/07/05/zero-trust-architecture-in-moj-network-services/ (2023, accessed 11 August 2024).

74.

Adahman

Malik

Anwar

. An analysis of zero-trust architecture and its cost-effectiveness for organizational security. Comput Sec 2022; 122: 102911.

75.

Ramamoorthi

Sarkar

. Single sign-on: a solution approach to address inefficiencies during sign-out process. IEEE Access 2020; 8: 195675.

76.

Salles-Loustau

Garcia

Joshi

, et al. Don’t just BYOD, bring-your-own-app too! protection via virtual micro security perimeters. In: 2016 46th Annual IEEE/IFIP international conference on dependable systems and networks (DSN), 2016, pp.526–537. IEEE.

77.

Das

Rout

Mishra

. Blockchain technology: applications and open issues. In: 2022 International conference on communication, computing and internet of things (IC3IoT), 2022, pp.1–6, IEEE.

78.

Rout

Mishra

Das

, et al. “Blockchain based multimedia content authentication using ethereum: transformation towards decentralized framework.” In: International conference on microwave, optical, and communication engineering (ICMOCE), 2025, pp.1–5.

79.

Liu

Hao

Ren

, et al. A blockchain-based decentralized, fair and authenticated information sharing scheme in zero trust internet-of-things. IEEE Trans Comput 2022; 72: 501–512.

80.

Rivera

JJD

Muhammad

Song

. Securing digital identity in the zero trust architecture: a blockchain approach to privacy-focused multi-factor authentication. IEEE Open J Commun Soc 2024.

81.

Haag

Eckhardt

. Shadow IT. Bus Inform Syst Eng 2017; 59: 469–473.

82.

Tabrizchi

Kuchaki Rafsanjani

. A survey on security challenges in cloud computing: issues, threats, and solutions. J Supercomput 2020; 76: 9493–9532.

83.

Meehan

. The need to optimize the electronic health record: usability issues in legacy systems can compromise patient safety. In: Healthinf, 2020, pp.609–613.

84.

Csikor

Szalay

Rétvári

, et al. Transition to SDN is HARMLESS: hybrid architecture for migrating legacy ethernet switches to SDN. IEEE ACM Trans Netw 2020; 28: 275–288.

85.

Zolotukhin

Hämäläinen

Kotilainen

. Intelligent solutions for attack mitigation in zero-trust environments. In: Cyber security: critical infrastructure protection, 2022. pp. 403–417. Cham, Switzerland: Springer.

86.

Iqbal

Saxena

. Future industry internet of things with zero-trust security. Inform Syst Front 2024; 26: 1653–1666.

87.

Carter

. NIST’s perspective on zero trust architectures and post-quantum cryptography, 2024. https://venafi.com/blog/nist-perspective-on-zero-trust-architectures-and-post-quantum-cryptography/. Venafi Blog.

88.

Okika

Nwatuzie

Olarinoye

, et al. Assessing the vulnerability of traditional and post-quantum cryptographic systems through penetration testing and strengthening cyber defenses with zero trust security in the era of quantum computing. Int J Innovat Sci Res Technol 2025; 10: 1240–1258.

A comprehensive review and comparative analysis of zero trust architecture: Evolution,implementation strategies,and key challenges

Abstract

Keywords

Get full access to this article

References