█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Identity and Access Management/Zero Trust Architecture
40 minIntermediate

Zero Trust Architecture

After this lesson, you will be able to: Explain what Zero Trust means in practice, name the controls a real Zero Trust deployment uses, and identify the gap between marketing and engineering reality.

Zero Trust is the most over-marketed term in security and one of the most useful architectural shifts of the last decade. This lesson cuts through the slogan to the concrete controls, where to start, and which vendors actually deliver what.

Prerequisites:OAuth 2.0 and OIDC

What 'never trust, always verify' actually means

Traditional networks were perimeter-trusted, once you were past the firewall, you were assumed friendly. Zero Trust assumes the network is hostile and requires every request to prove its identity, device posture, and context regardless of where it came from. The principle is straightforward; the implementation requires every component (identity, device, network, application) to verify continuously.

The five pillars (CISA Zero Trust Maturity Model)

Identity, every user and service is uniquely identified and authenticated. Devices, posture-checked before granting access (managed, patched, encrypted). Networks, micro-segmented; no flat networks. Applications and Workloads, authenticated, authorised, and continuously monitored. Data, classified, encrypted, and DLP-enforced everywhere. Visibility and analytics and automation cut across all five.

Identity
  • ·Verify every user
Devices
  • ·Check device posture
Networks
  • ·Segment and encrypt
Applications
  • ·Secure every app request
Data
  • ·Classify and protect
The five CISA Zero Trust pillars. Three capabilities cut across all of them: Visibility & Analytics, Automation & Orchestration, and Governance.

What real Zero Trust deployments look like

Identity layer, Entra ID or Okta with phishing-resistant MFA and Conditional Access. Device posture, Intune, Jamf, or CrowdStrike compliance signals fed into the IdP. Network access, Zscaler Private Access, Cloudflare Access, or Tailscale instead of corporate VPN. Workload access, AWS IAM Identity Center + SCPs, GCP context-aware access, Azure conditional access for applications. Continuous monitoring, SIEM (Splunk, Sentinel) + UEBA on the identity + network telemetry.

💡 Where Zero Trust marketing breaks down

Almost every vendor will tell you their product 'is Zero Trust'. Most are one pillar at best. A useful interview question: 'If I deployed your product alone, would I have Zero Trust?' The honest answer is always no. Real ZT is the integration across pillars.

Map your school or workplace to the CISA model

This is the exercise security architects do for real organizations. Score each pillar as Traditional / Initial / Advanced / Optimal.

  1. 1

    Identity, is MFA universal? Is it phishing-resistant (FIDO2)? Are conditional access rules in place?

  2. 2

    Devices, are all laptops and phones enrolled in MDM with posture checks?

  3. 3

    Networks, is the corporate network flat or micro-segmented? Is there still a VPN as a single ingress?

  4. 4

    Applications, do internal apps require SSO + per-request auth, or are they on the trusted LAN?

  5. 5

    Data, is data classified? Is DLP on email, endpoints, and cloud?

  6. 6

    For each pillar, note one concrete improvement that would advance one maturity level

Common mistakes only experienced architects catch

Treating Zero Trust as a product purchase (it's an architecture, not a SKU). Buying a ZTNA vendor and leaving Active Directory unchanged underneath. Forgetting service accounts and CI/CD pipelines (they're identities too). Skipping device posture (an authenticated user on a compromised laptop still owns the company). Not investing in detection (Zero Trust slows attackers down, it doesn't stop them; you still need to see them).

Quick Check

What's the difference between Zero Trust and 'just turn on MFA everywhere'?

Pick the cleanest one-line answer.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←OAuth 2.0 and OIDC Flows
Back to Identity and Access Management
IAM Resources and Next Steps→