The National Institute of Standards and Technology (NIST) has published a new resource to aid organizations in implementing zero trust architectures (ZTAs), a cybersecurity approach that assumes no user or device is inherently trustworthy.
The guidance, titled Implementing a Zero Trust Architecture (NIST SP 1800-35), details 19 example ZTA implementations using commercially available technologies, offering organizations practical blueprints for securing modern, distributed networks.
Developed through a four-year collaboration at NIST’s National Cybersecurity Center of Excellence (NCCoE) with 24 industry partners, including major technology firms, the publication addresses the complexities of transitioning from traditional perimeter-based security to zero trust.
Unlike legacy models that rely on a single firewall to protect assets within a defined network boundary, ZTA continuously evaluates and verifies access requests, regardless of the user’s location or prior authentication.
This approach is critical for securing hybrid environments with remote workers, cloud-based applications, and distributed data centers.
“Switching to zero trust requires understanding who’s accessing what resources and why,” said Alper Kerman, a NIST computer scientist and co-author of the publication. “Every organization’s network is unique, making ZTA a custom build. This guidance provides a foundational starting point for organizations to construct their own ZTAs.”
The publication builds on NIST’s 2020 document, Zero Trust Architecture (NIST SP 800-207), which outlined ZTA concepts and deployment models.
The new guidance goes further, offering detailed implementation examples, test results, and best practices derived from real-world scenarios.
These scenarios simulate complex enterprise environments, including multi-cloud platforms, branch offices, and public WiFi access points like coffee shops used by remote employees.
The 19 example architectures leverage off-the-shelf commercial technologies, though NIST and NCCoE emphasize that their inclusion does not constitute an endorsement.
The guidance maps these solutions to cybersecurity frameworks, including the NIST Cybersecurity Framework and NIST SP 800-53, providing organizations with actionable insights for aligning ZTA deployments with industry standards.
Key features of the publication include:
- Practical Implementations: 19 ZTA configurations, each tested and documented with setup details, configurations, and troubleshooting insights.
- Real-World Scenarios: Use cases reflecting modern network challenges, such as securing remote access and multi-cloud environments.
- Collaborative Effort: Contributions from 24 industry collaborators, ensuring a broad perspective on ZTA deployment.
- Best Practices: Lessons learned from four years of testing, offering guidance on technology selection and integration.
Here’s a clean, structured table based on your provided content — showing various Policy Engines / Policy Decision Points and their associated Zero Trust Architecture (ZTA) builds, along with architecture and implementation instruction links or placeholders.
| Build | Policy Engine / PDP | ZTA Architecture Instantiated | Architecture Details | Implementation Instructions |
|---|---|---|---|---|
| E1B1 | Okta Identity Cloud, Ivanti Access ZSO | EIG Crawl | E1B1 Build Architecture | E1B1 Build Implementation Instructions |
| E2B1 | Ping Identity PingFederate | EIG Crawl | E2B1 Build Architecture | E2B1 Build Implementation Instructions |
| E3B1 | Azure AD (Entra Conditional Access) | EIG Crawl | E3B1 Build Architecture | E3B1 Build Implementation Instructions |
| E1B2 | Zscaler ZPA Central Authority (CA) | EIG Run | E1B2 Build Architecture | E1B2 Build Implementation Instructions |
| E3B2 | Azure AD (Entra Conditional Access), Microsoft Intune, Forescout eyeControl, eyeExtend | EIG Run | E3B2 Build Architecture | E3B2 Build Implementation Instructions |
| E4B3 | IBM Security Verify | EIG Run | E4B3 Build Architecture | E4B3 Build Implementation Instructions |
| E1B3 | Zscaler ZPA Central Authority (CA) | SDP | E1B3 Build Architecture | E1B3 Build Implementation Instructions |
| E2B3 | PingFederate, Cisco ISE, Cisco Secure Workload | Microsegmentation | E2B3 Build Architecture | E2B3 Build Implementation Instructions |
| E3B3 | Azure AD (Entra), Intune, Microsoft Sentinel, Forescout eyeControl & eyeExtend | SDP + Microsegmentation | E3B3 Build Architecture | E3B3 Build Implementation Instructions |
| E1B4 | Appgate SDP Controller | SDP | E1B4 Build Architecture | E1B4 Build Implementation Instructions |
| E2B4 | Symantec Cloud SWG, ZTNA, CASB | SDP + SASE | E2B4 Build Architecture | E2B4 Build Implementation Instructions |
| E3B4 | F5 BIG-IP, NGINX Plus, Forescout eyeControl & eyeExtend | SDP | E3B4 Build Architecture | E3B4 Build Implementation Instructions |
| E4B4 | VMware Workspace ONE, UAG, NSX-T | SDP + Microsegmentation + EIG | E4B4 Build Architecture | E4B4 Build Implementation Instructions |
| E1B5 | Palo Alto NGFW, Prisma Access | SASE + Microsegmentation | E1B5 Build Architecture | E1B5 Build Implementation Instructions |
| E2B5 | Lookout SSE, Okta Identity Cloud | SDP + SASE | E2B5 Build Architecture | E2B5 Build Implementation Instructions |
| E3B5 | Microsoft Entra Conditional Access (formerly Azure AD Conditional Access), Microsoft Security Service Edge | SDP and SASE | E3B5 Build Architecture | E3B5 Build Implementation Instructions |
| E4B5 | AWS Verified Access, Amazon VPC Lattice | SDP and Microsegmentation | E4B5 Build Architecture | E4B5 Build Implementation Instructions |
| E1B6 | Ivanti Neurons for Zero Trust Access | SDP and Microsegmentation | E1B6 Build Architecture | E1B6 Build Implementation Instructions |
| E2B6 | Google CEP – Access Context Manager | SASE | E2B6 Build Architecture | E2B6 Build Implementation Instructions |
Let me know if you want this table exported to Excel, a PDF, or visualized as a clickable infographic or architecture map.
“This resource is a comprehensive toolkit for organizations navigating the shift to zero trust,” Kerman said. “It demonstrates the capabilities needed to deploy a ZTA effectively.”
The rise of distributed workforces and cloud services has rendered traditional perimeter-based security obsolete, as organizations now manage multiple internal networks and external resources.
ZTA’s risk-based approach mitigates both internal and external threats by restricting lateral movement within networks, making it a preferred strategy for many organizations, including those mandated to adopt it.
The full publication is available through NIST’s website, providing a critical resource for cybersecurity professionals seeking to bolster their defenses in an increasingly complex threat landscape.
Automate threat response with ANY.RUN’s TI Feeds—Enrich alerts and block malicious IPs across all endpoints -> Request full access
