
Migration Strategies to Zero Trust Architecture

Christos Katsavos
SID: 3307210015

Supervisor: Prof. Konstantinos Rantos

SCHOOL OF SCIENCE & TECHNOLOGY


A thesis submitted for the degree of
Master of Science (MSc) in Cybersecurity
Abstract

This thesis delves into the structural limitations of traditional security systems and
proposes an innovative migration approach using Zero Trust Architecture (ZTA) in order to
safeguard sensitive data. The study not only examines the theoretical foundations of cybersecurity
but also introduces the principles of the Zero Trust framework. The primary focus lies in
delineating a step-by-step analysis of implementing ZTA, encompassing migration strategies for
on-premises, hybrid, and cloud-based architectures.

Keywords: Zero Trust Architecture (ZTA), Zero Trust Migration, Zero trust, Maturity Model,
Cybersecurity, Information Security.

Katsavos Christos
Date 07-04-24

Table of Contents

Abstract ... i
Table of Contents ... ii
List of Figures ... iv
Blank Page ... v
1. Introduction ... 1
1.1 Challenges of Cybersecurity ... 1
1.2 Legacy End Point Protection Solutions ... 1
1.3 Enterprise Security Solutions Growth ... 2
1.4 Zero Trust History ... 4
2. Introduction to Zero Trust Architecture ... 6
2.1 Main Principles ... 6
2.2 Challenges ... 7
2.3 Zero Trust Model ... 8
2.4 Zero Trust Advantages ... 14
2.5 Migration Steps ... 14
3. Migration procedure to Zero Trust Architecture ... 17
3.1 Steps to ZTA ... 17
3.1.1 Preparation of ZTA Architecture ... 17
3.1.2 Strategizing Zero Trust ... 20
3.1.3 Context Analysis ... 21
3.1.4 Transformation Toward Zero Trust ... 24
3.1.5 Supervision and Maintenance ... 27
3.1.6 Enhancing ZTA Security ... 28
3.2 Complete Diagram ZTA migration ... 30
4. ZTA scenarios in different environments ... 32
4.1 Multi-Cloud in Microsoft 365 ... 32
4.2 Corporate Satellite Facilities Configuration ... 34
4.3 Outsourced Services and External User Access ... 34
4.4 Inter-Enterprise Collaboration Initiatives ... 35
4.5 Corporate Services for Public Customer Interaction ... 35
5. Future Application in Cloud Networks ... 36
6. Conclusion and Discussion ... 37
References ... 38

List of Figures

Figure 1: Zero Trust Model Pillars.
Figure 2: Zero Trust Journey.
Figure 3: Zero Trust Maturity Model.
Figure 4: Zero Trust High level Maturity Model.
Figure 5: Deployment cycle for Zero Trust Architecture by NIST.
Figure 6: ZTA Architecture.
Figure 7: Strategizing Zero Trust.
Figure 8: Context Analysis.
Figure 9: Transformation Toward Zero Trust.
Figure 10: Supervision and Maintenance.
Figure 11: Enhancing ZTA Security.
Figure 12: Six steps to ZTA Migration.
Figure 1 ZTA Microsoft Security.
Figure 2 Expanded access to multiple sources needing IAM.

Blank Page

1. Introduction

This thesis begins with an exploration of cybersecurity fundamentals, highlighting the
shortcomings of conventional security models. Then, it introduces the concept of Zero Trust
Architecture, elucidating its core principles and highlighting its significance in modern
cybersecurity paradigms.
Central to the thesis is a comprehensive analysis, presented in part four, detailing the sequential
steps required to implement ZTA effectively. This includes strategies for transitioning existing
security infrastructures to a Zero Trust model, encompassing considerations for on-premises,
hybrid, and cloud-based environments.
Furthermore, it provides practical ZTA migration scenarios in different environments. These
scenarios serve to demonstrate the efficacy and adaptability of ZTA in diverse organizational
settings.
In conclusion, the study underscores the importance of adopting Zero Trust Architecture as a
proactive measure to enhance data security. By presenting a systematic approach to migration and
showcasing real-world scenarios, this thesis contributes to the discourse on modern cybersecurity
strategies, paving the way for a more secure digital landscape.

1.1 Challenges of Cybersecurity

Introducing and continually refining safety protocols represents a crucial undertaking for any
business, irrespective of its industry. The objective is to uphold the business's integrity, credibility,
and reliability, benefiting both customers and third-party organizations.
Despite the existence of mechanisms and preventive protocols in contemporary systems, attackers
continuously devise novel methods to infiltrate and compromise systems. This chapter will delve
into the historical evolution of IT security, examining past implementations, the challenges
encountered with these security measures, the issues they addressed at the time, and the
progression towards the adoption of the Zero Trust architecture [1].

1.2 Legacy End Point Protection Solutions

The imperative for security has been present since the inception of computers and networks. The
inaugural hack occurred in 1971 when Bob Thomas introduced "Creeper," a program that
functioned as a virus spreading through the ARPANET network. Its message, "IM THE
CREEPER, CATCH ME IF YOU CAN!" aimed not at malicious intent but rather at highlighting
internet vulnerabilities and raising awareness about this burgeoning technology. In response to this
inaugural threat, Ray Tomlinson devised the first prototype of an antivirus software named
"Reaper," designed to seek out and eliminate the Creeper.
From this initial hack, the landscape evolved, witnessing the development of various viruses and
threats causing significant damage and prompting the creation of antivirus programs. In 1987, the
Vienna virus infected .com files on DOS-based systems, leading to the inception of the first
documented antivirus program by Bernd Fix, instrumental in eradicating the Vienna virus.
Subsequently, the late '80s saw the emergence of multiple antivirus programs, including Andreas
Lüning and Kai Figge's version for the Atari ST platform, and John McAfee's renowned antivirus
program, later incorporated into Intel Security [3].
As computers gained commercial traction and the internet became public, a gateway for diverse
threats and vulnerabilities materialized. The 1990s marked a virus era on the internet, prompting
the invention of various security measures to prevent infections. Innovations like firewalls and
antivirus software were introduced to scan incoming packets for malware, accompanied by
security measures such as password and passphrase management and spam filters.
The '90s signified the nascent phase of making cybersecurity accessible to the public. With the
internet becoming more widely used, the need for new security programs arose. Network
monitoring, endpoint security, access management, advanced software, Wi-Fi security, data
protection, and backup were among the technologies that experienced exponential growth, shaping
what is now recognized as the Internet today [2].

1.3 Enterprise Security Solutions Growth

Throughout various phases of the internet's evolution, distinct security needs have arisen, leading
to varied architectures and designs to address these requirements. Conventional methods centered
on perimeter-based security, employing the metaphor of castle walls and moats to ensure network
security.
These traditional approaches stemmed from the fact that organizational information was
predominantly housed within company premises, shaping security needs based on physical
locations [4][5]. Examples include legacy firewall devices, intrusion detection/prevention
systems, unified threat management systems and next-generation firewalls.
The initial security model implemented firewalls to instill trust among users and devices within a
network. It operated on the premise that creating a perimeter would render all activities within it
secure. The early iterations of firewalls, specifically the first generation known as packet filtering
firewalls, functioned at layer 3 (network layer) of the OSI model. These firewalls scrutinized
network traffic, filtering packets based on predefined rules and policies to decide whether to permit
or deny them. The process involved two lists, "deny" and "permit," with packets requiring approval
from both lists to pass through. Evaluation criteria included the destination address, protocol, and
port number, and rejection ensued if these did not comply with the established rules. This approach
proved vulnerable, as attackers could manipulate packets to gain access to the corporate network
[6][7][9].
The security landscape evolved to stateful firewalls, augmenting packet filtering firewalls with
features like session saving and connection state. These enhancements scrutinized each connection
until a legitimate three-way handshake occurred at the transport layer protocol. Valid connections
were tracked in a table, allowing packets with matching data to pass through. However, this
generation faced a limitation: while it could identify valid connections, it could not distinguish
between good and bad traffic.
As attackers persisted in seeking vulnerabilities in the OSI model, firewall technology progressed
to application-gateway firewalls, operating at layer 7 (application layer) [7]. These firewalls
focused on the server's network resources, particularly addressing the surge in web-based attacks.
Instead of serving as a wall, they operated as gateways, inspecting packets at the application layer
for valid data. Proxy services facilitated sessions with remote users, enabling administrators to
exercise better access control, conduct detailed checks for valid data, and maintain audit records
of traffic. Despite notable security improvements, application-gateway firewalls had slower traffic
speeds due to the secure gateway [9].
Subsequently, circuit-gateway firewalls emerged, acting as gateways at layer 5 (session layer) of
the OSI model, concentrating on client-server connections. Proxies were instrumental in
establishing transparent connections and ensuring their legitimacy. However, these firewalls were
less secure than application-gateway firewalls because they overlooked the payload's content. To
address the growing threat of web attacks, web application firewalls surfaced, operating at layer 7
of the OSI model [8]. They defended web applications against threats like SQL injections and
DDoS attacks by scrutinizing HTTP/HTTPS request packets and network traffic patterns. Any
irregularities led to the blocking or termination of the session between the client and server.
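To make the differences between these firewall generations concrete, here is an added example in Python (not code from the thesis) that models a stateless packet filter with deny and permit lists, a stateful firewall keyed on observed handshakes, and an application-layer gateway that parses the HTTP request line; the addresses, rules and allowlisted paths are constructed for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    flags: str = ""  # simplified TCP flag label: "SYN", "ACK", "PSH-ACK"
    payload: str = ""


# Rules are (destination or "*", protocol, port). As the text describes, a packet
# must be absent from the deny list AND present in the permit list to pass.
DENY_RULES = {("10.0.0.5", "tcp", 23)}                      # constructed: no telnet to this host
PERMIT_RULES = {("*", "tcp", 80), ("10.0.0.5", "tcp", 22)}  # constructed permit list


def rule_matches(rule, pkt):
    dst, proto, port = rule
    return dst in ("*", pkt.dst) and proto == pkt.proto and port == pkt.dport


def packet_filter(pkt):
    """First generation: stateless decision on destination, protocol and port only."""
    if any(rule_matches(r, pkt) for r in DENY_RULES):
        return False
    return any(rule_matches(r, pkt) for r in PERMIT_RULES)


class StatefulFirewall:
    """Second generation: the static rules still apply, but a packet for an
    established flow passes only if that flow's handshake was seen earlier.
    Simplification: only the client side (SYN, then the final ACK) is modelled."""

    def __init__(self):
        self.table = {}  # (src, dst, dport) -> "SYN_SENT" | "ESTABLISHED"

    def admit(self, pkt):
        if not packet_filter(pkt):
            return False
        key = (pkt.src, pkt.dst, pkt.dport)
        state = self.table.get(key)
        if pkt.flags == "SYN" and state is None:
            self.table[key] = "SYN_SENT"
            return True
        if pkt.flags == "ACK" and state == "SYN_SENT":
            self.table[key] = "ESTABLISHED"
            return True
        # Anything else is accepted only on an already established flow; the
        # payload itself is never examined, which is the limitation noted above.
        return state == "ESTABLISHED"


KNOWN_PATHS = {"/", "/index.html", "/api/orders"}  # constructed allowlist of served resources


def application_gateway(pkt):
    """Layer-7 gateway: parse the HTTP request line and admit only well-formed
    requests for resources the server actually offers."""
    request_line = pkt.payload.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False
    method, target, version = parts
    path = target.split("?", 1)[0]
    return method in {"GET", "POST"} and version == "HTTP/1.1" and path in KNOWN_PATHS


def run_demo():
    """Push constructed packets through each generation and collect the verdicts."""
    web, client = "10.0.0.9", "203.0.113.7"
    fw = StatefulFirewall()
    syn = Packet(client, web, "tcp", 80, "SYN")
    ack = Packet(client, web, "tcp", 80, "ACK")
    data = Packet(client, web, "tcp", 80, "PSH-ACK", "GET /api/orders HTTP/1.1\r\nHost: shop\r\n\r\n")
    odd = Packet(client, web, "tcp", 80, "PSH-ACK", "POST /internal/config HTTP/1.1\r\nHost: shop\r\n\r\n")
    # Header fields satisfy the rules, but no handshake for this flow was ever seen.
    stray = Packet("198.51.100.2", web, "tcp", 80, "PSH-ACK", "GET / HTTP/1.1\r\n\r\n")
    return {
        "telnet_allowed": packet_filter(Packet(client, "10.0.0.5", "tcp", 23, "SYN")),
        "ssh_to_bastion_allowed": packet_filter(Packet(client, "10.0.0.5", "tcp", 22, "SYN")),
        "ssh_to_web_allowed": packet_filter(Packet(client, web, "tcp", 22, "SYN")),
        "stray_stateless": packet_filter(stray),   # stateless filter lets it through
        "stray_stateful": fw.admit(stray),         # stateful filter drops it
        "handshake": (fw.admit(syn), fw.admit(ack)),
        "data_stateful": fw.admit(data),
        "odd_stateful": fw.admit(odd),             # passes: content is not inspected
        "data_gateway": application_gateway(data),
        "odd_gateway": application_gateway(odd),   # rejected at layer 7
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```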
Following the progression of enterprise security, the introduction of intrusion detection systems
(IDS) became the next significant development. IDS can be categorized into various types, such
as network-based IDS and host-based IDS. Network-based IDS employ sensors to scrutinize and
analyze the traffic flowing through a network. They can discern diverse attack methods and
reconstruct sessions. The strategic placement of these systems within the network is crucial, as
they can only monitor traffic within their specific connection. Conversely, host-based IDS operate
on dedicated servers, analyzing system records, processes, and files to identify any unusual or
known activity patterns.
The initial generation of IDS was designed to identify abnormal or uncommon behavior. However,
over time, they evolved to recognize specific attack patterns. Unlike firewalls, IDS has the
capability to issue a warning in the event of suspicious behavior, going beyond mere threat
identification, which is the primary function of firewalls [10].
Unified threat management was an extension of the previously described traditional firewalls, with
additional security features such as antivirus, virtual private networks (VPNs), deep packet
inspection and intrusion detection that would all jointly act as a single point of security. This single
point of security defended against attacks in all layers of the OSI model, but the single point of
security also resulted in a single point of failure, meaning if one defense mechanism failed, it
would expose the whole network. The problem with UTMs was poor performance due to the
handling of many tasks at once, complex policy management, security gaps and barely any
integration between each function [6][8].
In 2009, Gartner issued a groundbreaking report, defining the concept of the Next-Generation
Firewall (NGFW) in response to the evolving landscape of threats. The emergence of Web 2.0 had
transformed the dynamics of protocols and data transmission, exposing firewalls to heightened
vulnerabilities by streamlining data through fewer ports and protocols. Threats shifted toward
deceiving users into installing malicious executable files, evading detection and thereby bypassing
traditional intrusion detection systems.
Despite the progressive advancements of firewalls, the Unified Threat Management (UTMs)
underwent a transformative phase, giving rise to the Next-Generation Firewall. Gartner outlined
that NGFWs not only retained the core functionalities of regular firewalls, including packet
filtering, stateful inspection, and VPN awareness, but also introduced additional capabilities not
present in conventional firewalls. These encompassed deep packet inspection, application
awareness and control, intrusion prevention, threat intelligence, and pathways for integrating new
information feeds.
NGFWs introduced a host of innovative features that addressed the limitations of previous defense
mechanisms, including SSL encryption and peer-to-peer file-sharing. Additionally, NGFWs
provided insights into packet filtering based on user identity. The distinct advantages of NGFWs
over UTMs were evident in their enhanced performance, heightened security, and the introduction
of a graphical user interface (GUI) that significantly improved visibility and control [6][11].

1.4 Zero Trust History

Due to the rapid globalization and expansion of the internet, as well as the proliferation of devices
such as phones and computers, previous security measures have become obsolete. Consequently,
adaptation was deemed necessary to ensure security. The traditional security model, once effective,
became inadequate with the advent of cloud computing and the digitalization of the world.
Companies started storing data in external cloud data centers, necessitating access beyond the
confines of traditional on-premises security, which relied on castle walls and moat perimeters.
As a result of the shift towards external cloud storage, staff needed access beyond the traditional
security measures, bypassing on-premises perimeter security dependent on firewalls. The rise of
home offices, remote work, and the prevalence of cloud computing rendered the network perimeter
insufficient. To address this, companies increasingly turned to Virtual Private Networks (VPNs) to
securely tunnel employees into organizational systems. However, this created a new security
concern, as the VPN connection, once trusted, could potentially be exploited by users introducing
malware into the corporate network.
Furthermore, the expansion of Software as a Service (SaaS) applications added another layer of
complexity. As businesses considered implementing SaaS applications alongside VPNs to
accommodate their growing needs, the use of such applications exposed the perimeter to third-
party organizations. This undermined the very purpose of perimeter-based security [13].
In 2010, Kindervag et al. introduced the concept of Zero Trust, highlighting the flaws in traditional
security measures and the necessity for a new approach. The "Philip Cummings Problem" serves
as a notable illustration of the pitfalls in trusting assumptions about organizational security. This
scenario involves an individual, Philip Cummings, who, despite leaving an IT company in 2000,
was involved in leaking credit reports between 2000 and 2002. Forrester uses this example to
emphasize the importance of distinguishing between trust and validation.
Forrester's response to this challenge is the Zero Trust model, which advocates for the principle of
"never trust, always verify" as opposed to the traditional "trust but verify." This shift in thinking
was further developed by Google, contributing fundamental elements and a solid foundation for
the implementation of the Zero Trust approach [5][12].

2. Introduction to Zero Trust Architecture

The momentum away from perimeter-based security has led to a growing adoption of Zero Trust
models. Zero Trust presents a novel approach to enterprise security by extending protection not
only to human users but also to non-human entities like devices and applications. An overarching
objective of Zero Trust is to shift the prevailing mindset from "trust but verify" to "never trust,
always verify."
But what exactly is Zero Trust, and what benefits does it offer? The National Institute of Standards
and Technology defines Zero Trust as an evolving set of cybersecurity paradigms that reorient
defenses from static, network-based perimeters to focus on users, assets, and resources. This model
emphasizes securing resources rather than specific network segments. Notably, Zero Trust extends
its security coverage to remote users, their devices, and cloud-based assets residing outside the
traditional network perimeter. The foundational principle is the assumption that all users and
devices are potential threats, thereby denying implicit trust to any entity [14].

2.1 Main Principles

Various perspectives and strategies exist for implementing a Zero Trust system. However, three
fundamental and indispensable principles, defined by various organizations, should serve as the
core foundation when implementing a Zero Trust model [12].
• Ensure all resources are accessed securely regardless of location.
Any data traffic passing through resources, including applications and servers, is treated as a
potential threat until it undergoes verification, authorization, inspection, and securing, whether
performed by a human or machine. Encrypting traffic routed through untrusted networks is
essential to prevent cybercriminals from intercepting readable data, ensuring internal data
protection while safeguarding external data. This marks the pivotal differentiation from
traditional security measures to the Zero Trust paradigm [12][14].
• Adopt a least privilege strategy and strictly enforce access control.
In contrast to the traditional approach that granted users network access within the perimeter,
the least privileged strategy restricts user access, thereby minimizing vulnerabilities. Users are
granted access only to the resources essential for their tasks, reducing potential security risks
associated with unnecessary access [12][14].
• Inspect and log all traffic.
This represents the shift from the "trust but verify" mindset to "never trust, always verify." When
users gain access to resources, the information is limited to what is strictly necessary, avoiding
unnecessary exposure. The Zero Trust model further ensures that users are engaging in
appropriate actions, reinforcing a continuous verification approach [12][14].

2.2 Challenges

Adopting a Zero Trust architecture poses considerable challenges as named below [16]:

• Vendor lock-in and interoperability.
The issue of vendor lock-in arises when users initially join cloud providers at a low cost, only
to face exponentially increasing costs as they scale their services. Switching providers incurs
additional expenses, and cloud providers are reluctant to lose customers, potentially
complicating the transition. Given that Zero Trust is a novel and evolving architecture,
complete solutions meeting all organizational needs are not readily available from single
vendors. This results in the need to procure solutions from various vendors, introducing a
challenge in ensuring seamless communication and interoperability among devices from
different vendors.

• Avoiding user disruption.
Established companies have adhered to traditional security models for decades, and employees
are accustomed to interacting with the corporate network based on these models. Migrating to
the new Zero Trust architecture without disrupting or impacting employees' work is a major
challenge. A gradual approach involves imposing restrictions slowly, allowing time for
adaptation. Once the organization fully transitions to the new architecture, the removal of the
old security methods can commence.

• Trust level and resource classification.
In the Zero Trust model, adopting a least privileged strategy is fundamental, restricting user
access to resources. However, determining the appropriate level of trust when granting access
presents a significant challenge. Striking a balance between granting too much or too little
access rights is essential. Organizations must navigate the complexity of resource classification
and trust levels to effectively implement the least privilege principle.

2.3 Zero Trust Model

The Zero Trust Model (ZTM) outlines a phased approach to implementation across five distinct
pillars, allowing for gradual advancement towards optimization over time, as illustrated in
Figure 2. These pillars are Identity, Devices, Networks, Applications and Workloads, and Data.
Each pillar encompasses key aspects related to cross-cutting capabilities such as Visibility and
Analytics, Automation and Orchestration, and Governance [17].
The development of this maturity model draws insights from various Zero Trust Architecture
(ZTA) publications. It aligns with the seven tenets of zero trust outlined in NIST SP 800-207:

• All data sources and computing services are considered resources.
• All communication is secured regardless of network location.
• Access to individual enterprise resources is granted on a per-session basis.
• Access to resources is determined by dynamic policy.
• The enterprise monitors and measures the integrity and security posture of all owned and
associated assets.
• All resource authentication and authorization are dynamic and strictly enforced before
access is allowed.
• The enterprise collects as much information as possible about the current state of assets.

As organizations progress towards optimal zero trust implementations, solutions increasingly rely
on automated processes and systems that seamlessly integrate across pillars, dynamically
enforcing policy decisions. Each pillar can advance at its own pace, potentially surpassing others
until cross-pillar coordination becomes necessary. Achieving this coordination requires compatible
capabilities and dependencies within both the pillars and the broader enterprise environment.

Figure 3 Zero Trust Model Pillars [17].

The ZTM journey unfolds in three stages, progressing from a Traditional starting point to Initial,
Advanced, and Optimal, providing a framework for the federal implementation of Zero Trust
Architecture (ZTA). Each subsequent stage demands increased levels of protection, detail, and
complexity for effective adoption.
As depicted in Figure 2 below, agencies should anticipate a notable rise in both required efforts
and realized benefits as zero trust maturity advances across and within pillars. Agencies, while
navigating their ZTA journey, are advised to explore opportunities for elevating pillar maturity,
aligning with specific mission needs, and fostering growth across other pillars [17].

Figure 4 Zero Trust Journey [17].

Figure 3 illustrates the anticipated evolution of agencies over time, transitioning from a traditional
enterprise to a future state characterized by dynamic updates, automated processes, integrated
capabilities, and other attributes associated with the Optimal stages, as defined in the maturity
model. These stages exhibit dynamic and exponential growth, and the planned progression from
one maturity stage to another may experience shifts in scope and impact over time [17].

Figure 5 Zero Trust Maturity Model [17].

Agencies are encouraged to utilize the outlined criteria for each stage as guiding principles to
assess the maturity of each zero trust technology pillar. This approach ensures consistency
throughout the maturity model [17]:

• Traditional: Involves manually configured lifecycles, attribute assignments, and static
security policies addressing individual pillars with external system dependencies. Least
privilege is established only at provisioning, and there is a presence of siloed policy
enforcement pillars. Response and mitigation deployment are manual, and there is limited
correlation of dependencies, logs, and telemetry.
• Initial: Marks the initiation of automation in attribute assignment and lifecycle
configuration, along with initial cross-pillar solutions integrating external systems. Some
responsive changes to least privilege occur post-provisioning, and aggregated visibility for
internal systems is achieved.
• Advanced: Incorporates automated controls for lifecycle and configuration assignment,
with centralized visibility and identity control. Policy enforcement is integrated across
pillars, and there is a response to pre-defined mitigations. Changes to least privilege are
based on risk and posture assessments, moving towards enterprise-wide awareness,
including externally hosted resources.
• Optimal: Represents the fully automated stage, featuring just-in-time lifecycles and
attribute assignments for self-reporting assets and resources. Dynamic policies based on
automated/observed triggers are implemented, enabling dynamic least privilege access
enterprise wide. Cross-pillar interoperability is achieved with continuous monitoring, and
there is centralized visibility with comprehensive situational awareness.

Figure 4 presents a broad overview of the Zero Trust Maturity Model (ZTMM), encompassing
essential elements of the functions specific to each pillar and spanning across all maturity stages
[17].

Figure 6 Zero Trust High level Maturity Model [17].

2.4 Zero Trust Advantages

Zero Trust has laid the groundwork for a paradigm shift in the trust approach. In traditional security
approaches, the focus was on safeguarding systems against external threats. However, with the
advent of cloud computing and the rise of remote work, there is a need to reconsider the concept
of trust and pivot towards defending the internal network. Forrester has identified eight business
and security benefits associated with the adoption of Zero Trust [18]:

• Improves network visibility, breach detection capabilities, and vulnerability management.
• Prevents the spread of malware.
• Reduces security expenses both financially and operationally.
• Minimizes the scope and cost of complying with regulations.
• Eliminates finger-pointing between different silos.
• Enhances understanding and visibility of data.
• Stops unauthorized access to sensitive information.
• Facilitates the implementation of digital business changes.

2.5 Migration Steps

Transitioning from a traditional perimeter-based architecture to a Zero Trust architecture poses
challenges for many organizations, especially those with a long-standing presence. NIST provides
a strategic approach for this shift, emphasizing an incremental migration process (Figure 5).

Figure 7 Deployment cycle for Zero Trust Architecture by NIST [14].

This implies that organizations may need to operate in a hybrid state, combining elements of both
Zero Trust and traditional perimeter-based architectures during the transition. Prior to initiating the
migration, the organization must gather comprehensive information about its physical and virtual
assets, subjects, and business processes [14].
The initial step in transitioning to a Zero Trust architecture involves the preparation phase, a critical
and comprehensive process preceding the actual implementation within an organization. This stage
necessitates gathering information and identifying key actors in the organization, such as
developers or system administrators with potential unrestricted access to all company resources.
In the Zero Trust paradigm, individuals like these should only be granted sufficient access to
perform their specific job functions.
Additionally, the identification and categorization of the organization's assets, encompassing both
hardware components and digital artifacts like phones, computers, and user accounts, is crucial.
Given the challenge of tracking diverse assets across different business units, it becomes
imperative to categorize, identify, and assess newly discovered assets. Evaluation of key processes,
including business processes, data flows, and the relationship between the organization's missions,
is equally vital. For instance, business processes should specify authorized resource access
requests and denials.
The subsequent stage involves assessing the risks associated with the process and formulating
policies for Zero Trust architecture candidates. This risk assessment may involve identifying low-
risk business processes to initiate the migration to Zero Trust, minimizing disruptions to a smaller
section of the organization. Formulating effective policies requires a balance in criteria,
considering the importance of a process to the organization, the groups involved, the status of
resources used, upstream and downstream resources, and entities. The NIST Risk Management
Framework offers guidance for assessing the risk of assets or workflows.
Once the system is ready for deployment, it is advisable to initially implement selected components
and begin deployment in an observe and monitor mode. This ensures that newly formulated
policies are fully functional. These policies may involve granting the lowest possible set of
privileges to user accounts, ensuring correct access privileges, and denying unauthorized
privileges. Zero Trust business workflows should operate in a mode that allows most access
requests, with logs and connections compared to developed policies from the previous stage. This
facilitates an understanding of assets, access requests, behavior, and communication patterns,
making it easier to identify anomalies in the future.
As the migration to Zero Trust is gradual, the next phase of deployment begins once the
preceding steps are complete, implementing the architecture in a different segment of the
organization. However, any change to the existing deployment workflow, such as adding new
devices, updating software, or organizational changes, necessitates a re-evaluation of policies
and workflows. Therefore, continuous monitoring is crucial, and resources and processes should
provide feedback for ongoing operational improvement [14][15].

3. Migration procedure to Zero Trust Architecture

3.1 Steps to ZTA

Breaking the network into smaller parts (micro-segmentation) is the best way to apply a modern
Zero Trust approach [10][11]. This is especially useful in environments such as IoT deployments
and industrial settings, where conditions change frequently. Some studies discuss how well this
idea might work, but they do not address the practical problems of setting it up and making it
work well [21]. For example, a paper by Li et al. discusses the major challenges in the industrial
sector, such as how to handle growth and security [22][23]. Managing networks in 5G-IoT setups is
also a significant issue: making sure security rules are set up and kept up to date in a huge and
constantly changing system is very hard. The main idea of this thesis is to give a structure (main
and sub-processes) by categorizing the procedure into logical steps that companies need to follow
for this migration.

3.1.1 Preparation of ZTA Architecture

The structure below describes the creation and planning for migrating to ZTA. This plan serves
as a roadmap for implementing ZTA within the enterprise. In addition to planning, this process
also focuses on preparing the enterprise's devices, users, and network for the ZTA implementation.
Moreover, it involves designing Zero Trust policies that effectively control user access to resources
(figure 8). The ultimate goal of this process is to establish a target security architecture for the
enterprise, representing the desired state of ZTA.

Figure 8 Preparation of ZTA

3.1.1.1 Development of a ZTA Migration Plan

Before initiating ZTA in the enterprise, it is crucial to select appropriate zero trust solutions and
technologies. This involves choosing vendors that offer solutions aligning with the enterprise's
requirements. A full understanding of the technical aspects of ZTA is essential before procuring
zero trust solutions [25]. Additionally, considerations should be made for software interoperability
to avoid being locked into a specific vendor. Service-related aspects like Quality of Service (QoS)
and Service-Level Agreements (SLA) negotiations are crucial to prevent vendor lock-in issues.
Furthermore, an implementation plan should be created to divide tasks and prioritize them for
implementation. Test and performance measurement plans for ZTA migration should also be
established to evaluate the success and effectiveness of the migration. An enterprise may opt for a
use-case approach to address specific issues, allowing for quick results with a small team and
budget [39].

3.1.1.2 Preparation of Devices, Users, and Network

To enhance device security, the enterprise should establish a Device Inventory Database for
registering and permitting only managed devices to access the network. All devices should have
robust security controls and undergo continuous monitoring for potential risks. The registration of
all devices, including both corporate-owned and personally owned devices, aims to establish trust
and security controls over device management [40][41]. For user identification, an enterprise
should create a User Database to manage user profiles and group memberships. The principle of
least privilege should be upheld, ensuring that users are assigned appropriate roles. These user
groups encompass business users, enterprise clients and partners, and IT users with the authority
to modify user access rights and configurations. Additionally, redundant user access permissions
should be removed, and Multi-Factor Authentication (MFA) should be implemented [41].
Administrative controls like privileged identity management (PIM) should also be in place. Proper
allocation of users and devices to the appropriate network segments is vital for deploying an
unprivileged network. Micro-segmentation of sensitive data and planned segmentation should be
managed after identifying dependencies [42]. Assets should be organized into logical groups based
on workflows and business processes, with careful consideration to avoid over-segmentation or
under-segmentation of the network. All traffic should pass through segmentation gateways before
reaching protected resources, and network asset visibility and security standards should be
maintained. User access should be granted on a per-request basis [35][41].

3.1.1.3 Design of Zero Trust Policies

The creation of Zero Trust policies or security policies for the ZTA environment should follow a
systematic approach. These policies should be appropriately designed, tested, and refined based
on identified resource and transaction flows. One approach to policy creation is the Kipling
Method, which identifies who, what, when, where, why, and how users access resources.
Alternatively, access permissions can be designed based on various factors, including the
sensitivity of resources such as data, as well as users, devices, threats, and regulatory
requirements [26][31][42]. These policies should adhere to correctness, consistency, minimality, and
completeness. For instance, an enterprise should validate policies to eliminate duplication and
redundancy [29][43].
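To make the policy criteria above (correctness, consistency, minimality, completeness) and the observe-and-monitor mode described in section 2.5 concrete, the following is an added Python example, not code from the thesis or from any vendor: a small policy decision point whose rules follow the Kipling Method, a validator that flags inconsistent and redundant rules before deployment, and an audit mode that logs would-be denials instead of blocking. All policy names, resources, network segments and requests are constructed for illustration.

```python
# Added example, not from the thesis: a minimal Zero Trust policy decision point (PDP)
# with Kipling-style rules, a policy-set validator, and an observe-and-monitor (audit) mode.
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Policy:
    name: str
    who: frozenset         # subject roles
    what: frozenset        # protected resources
    when: tuple            # (start_hour, end_hour), half-open window on a 24h clock
    where: frozenset       # network segments the request may originate from
    why: str               # business justification; reviewed by people, not matched
    how: frozenset         # assurance signals the request must carry, e.g. {"mfa"}
    effect: str = "allow"  # "allow" or "deny"

@dataclass(frozen=True)
class Request:
    subject: str
    roles: frozenset
    resource: str
    hour: int
    segment: str
    assurance: frozenset   # signals asserted by the PEP, e.g. {"mfa", "managed_device"}

def matches(p, r):
    """True when request r falls inside the scope of policy p."""
    return (bool(p.who & r.roles) and r.resource in p.what and r.segment in p.where
            and p.when[0] <= r.hour < p.when[1] and p.how <= r.assurance)

def _overlap(a, b):  # some request could match both rules
    return (bool(a.who & b.who) and bool(a.what & b.what) and bool(a.where & b.where)
            and a.when[0] < b.when[1] and b.when[0] < a.when[1])

def _covers(outer, inner):  # every request matched by inner also matches outer
    return (inner.who <= outer.who and inner.what <= outer.what and inner.where <= outer.where
            and outer.how <= inner.how and outer.when[0] <= inner.when[0]
            and inner.when[1] <= outer.when[1])

def validate_policies(policies):
    """Consistency: no allow/deny overlap. Minimality: no rule covered by another rule
    with the same effect. Completeness comes from the PDP's default deny."""
    findings = []
    for a, b in combinations(policies, 2):
        if a.effect != b.effect and _overlap(a, b):
            findings.append(f"inconsistent: {a.name} ({a.effect}) overlaps {b.name} ({b.effect})")
        elif a.effect == b.effect and _covers(a, b):
            findings.append(f"redundant: {b.name} is covered by {a.name}")
        elif a.effect == b.effect and _covers(b, a):
            findings.append(f"redundant: {a.name} is covered by {b.name}")
    return findings

class PolicyDecisionPoint:
    """In "audit" mode nothing is blocked, but each would-be denial is logged so the
    team can compare live traffic with the draft policies before switching to "enforce"."""
    def __init__(self, policies, mode="audit"):
        self.policies, self.mode, self.log = list(policies), mode, []

    def decide(self, req):
        hits = [p for p in self.policies if matches(p, req)]
        # An explicit deny wins; no matching rule is also a deny (default deny).
        verdict = "deny" if not hits or any(p.effect == "deny" for p in hits) else "allow"
        enforced = verdict if self.mode == "enforce" else "allow"
        self.log.append({"subject": req.subject, "resource": req.resource,
                         "matched": [p.name for p in hits],
                         "policy_verdict": verdict, "enforced": enforced})
        return enforced

    def would_be_denied(self):  # audit findings: requests the policies will block once enforced
        return [e for e in self.log if e["policy_verdict"] == "deny" and e["enforced"] == "allow"]

MFA_DEV = frozenset({"mfa", "managed_device"})
POLICIES = [  # constructed sample rule set
    Policy("dev-source", frozenset({"developer"}), frozenset({"git.corp.example"}), (7, 20),
           frozenset({"corp-lan", "vpn"}), "code maintenance", MFA_DEV),
    Policy("dba-prod", frozenset({"dba"}), frozenset({"prod-db.corp.example"}), (0, 24),
           frozenset({"corp-lan"}), "operations", MFA_DEV | {"pim"}),
    # Same scope as dev-source but a weaker "how", so dev-source becomes redundant.
    Policy("dev-source-old", frozenset({"developer"}), frozenset({"git.corp.example"}), (7, 20),
           frozenset({"corp-lan", "vpn"}), "legacy rule", frozenset({"mfa"})),
    Policy("contractor-no-prod", frozenset({"contractor"}), frozenset({"prod-db.corp.example"}),
           (0, 24), frozenset({"corp-lan", "vpn", "internet"}), "outsourcing limits",
           frozenset(), effect="deny"),
]

def run_pilot(mode="audit"):
    """Replay constructed pilot-group traffic; returns (decisions, audit findings)."""
    pdp = PolicyDecisionPoint(POLICIES, mode=mode)
    traffic = [
        Request("alice", frozenset({"developer"}), "git.corp.example", 10, "vpn", MFA_DEV),
        Request("alice", frozenset({"developer"}), "git.corp.example", 23, "vpn", MFA_DEV),  # after hours
        Request("bob", frozenset({"dba"}), "prod-db.corp.example", 3, "corp-lan", MFA_DEV),  # no PIM
        Request("carol", frozenset({"contractor"}), "prod-db.corp.example", 11, "internet",
                frozenset({"mfa"})),  # explicit deny
    ]
    return [pdp.decide(r) for r in traffic], pdp.would_be_denied()
```

Calling validate_policies(POLICIES) reports the redundant legacy rule, and run_pilot("audit") returns all-allow decisions together with the three requests that would be denied once the mode is switched to "enforce".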

3.1.2 Strategizing Zero Trust

The initial step in the journey towards ZTA implementation involves the strategic formulation of
Zero Trust principles within an enterprise. This process begins by crafting comprehensive Zero
Trust strategies tailored to the organization's specific needs. Once these strategies are in place, it
is imperative to secure buy-in from key stakeholders, including top-level management and end-
users, to garner support for the decision to transition to ZTA. Furthermore, the establishment of
dedicated Zero Trust teams, consisting of implementation specialists and IT decision-makers, is
essential to facilitate a smooth transition. The ultimate outcome of this phase is the development
of a strategy for Zero Trust migration (figure 9), serving as a foundational document that enables
stakeholders to articulate their ZTA aspirations, as illustrated in the figure below.

Figure 9 Strategizing Zero Trust.

3.1.2.1 Zero Trust strategy creation.

The inaugural step towards adopting Zero Trust Architecture involves the definition of a clear
vision and the formulation of strategic approaches [24], [25]. Securing backing and alignment from
leadership and relevant stakeholders is paramount [26]. The primary goal is to ensure that all
stakeholders recognize the common underlying reasons driving the transition to ZTA, such as the
enhancement of business agility and the effective management of complexity [27]. Additionally,
many enterprises handle data or systems subject to regulatory requirements [28]. Consequently, it
is crucial for an enterprise to proactively engage with external stakeholders, including
governmental regulators, external auditors, or pertinent third parties, as these entities may not be
up to date with the latest technological advancements and may harbor concerns regarding the novel
Zero Trust solutions. Collaboration and education efforts should be undertaken to ensure these
external stakeholders comprehend the enterprise's strategic direction towards migrating to ZTA.

3.1.2.2 Zero Trust teams creation.

In the context of achieving a successful Zero Trust implementation, the presence of specialized
Zero Trust teams is imperative to ensure a seamless transition in Zero Trust implementation
projects [29]. These teams should comprise individuals from diverse backgrounds, spanning both
business and IT decision-making roles [30]. The formation of these teams typically involves two
distinct groups:

• The first group assumes the role of key decision-makers, providing strategic guidance,
reviewing project plans, and offering comprehensive support for the overarching project.
Examples of these key decision-makers include [28]:

- Governance Board: Responsible for setting the organization's direction and
making decisions concerning new initiatives and technologies.
- Architecture Review Board: Primarily tasked with evaluating existing
technologies and defining the enterprise's architectural framework.
- Change Management Board: Focused on promoting the integration of Zero
Trust solutions into a production environment.

• The second group comprises the Zero Trust implementation team, consisting of individuals
who have been carefully selected based on their expertise in specific areas such as
application and data security, network and infrastructure security, as well as user and
device identity [30], [31]. It is crucial that individuals involved in Zero Trust
implementation are part of a cross-functional team that includes both business and IT
decision-makers [32].

3.1.3 Context Analysis

The second phase, known as Context Analysis (figure 10), plays a vital role in enhancing an
enterprise's grasp of its current security standing. This process aids in evaluating the organization's
security posture by focusing on three critical components: the examination of existing security
controls, the execution of a comprehensive security risk assessment, and the undertaking of a
meticulous Zero Trust maturity risk assessment. Moreover, to attain an accurate and holistic
understanding of the enterprise's resources, the enterprise embarks on resource discovery to discern
data and business process flows. The ultimate objective of this multifaceted process is to create a
comprehensive blueprint for the enterprise's security architecture, which acts as the fundamental
reference point for establishing both the current and desired Zero Trust maturity states.

Figure 10 Context Analysis.

3.1.3.1 Current state evaluation.

This sub-process encompasses three methodologies:

• Evaluate existing controls.
• Perform a security risk assessment.
• Perform a Zero Trust maturity assessment.

These methodologies are required for an enterprise to gain a comprehensive insight into its security
landscape.

Evaluate existing controls.


Identification of the organization's existing security capabilities holds paramount importance.
Consequently, the enterprise should continuously monitor and verify the alignment of its current
security policies and regulations with the fundamental tenets of Zero Trust. Following this
evaluation of existing security controls, a gap analysis is carried out to critically assess the
organization's current security stance and identify areas where security enhancements are
warranted. Furthermore, since transitioning to a Zero Trust architecture may pose potential issues
or integration challenges with existing systems, the migration team should meticulously devise a
plan to evaluate the compatibility and effectiveness of the existing legacy systems within the Zero
Trust environment [33].

Perform security risk assessments.


It is imperative for an enterprise to continually analyze and evaluate the myriad risks associated
with its assets and resources. This entails the identification of both external and internal threats,
along with actual and potential risks. Subsequently, the enterprise should craft a comprehensive
risk management strategy aimed at mitigating the identified risks effectively. The insights gleaned
from a comprehensive risk assessment are invaluable, as they facilitate the identification of
security patterns within the Zero Trust ecosystem [32]. Furthermore, the execution of a security
risk assessment assists the enterprise in identifying the key actors and assets necessitating robust
protection, while simultaneously considering low-risk migration processes [27]. Employing a risk
assessment approach also empowers the organization to design security measures that minimize
access to resources in alignment with the principle of least privilege.

Perform zero trust maturity assessments.


Conducting a Zero Trust maturity assessment equips the enterprise with a deeper understanding of
its prevailing security posture. This assessment categorizes the Zero Trust maturity stage into
several phases. It commences with the traditional stage, wherein the organization has yet to embark
on its Zero Trust journey. Subsequently, the advanced stage denotes the initiation of the Zero Trust
journey, signifying progress like device registration and network segmentation. The ultimate stage,
the optimal stage, represents substantial advancements in security practices, including the
incorporation of AI intelligence to respond to access requests and detect anomalous activities [34].
To effectively navigate this journey, the enterprise must define its desired maturity level and
pinpoint the critical success factors [25]. Furthermore, the organization must explicitly outline the
objectives and time frame for realizing the target Zero Trust maturity state.

3.1.3.2 Conducting resource discovery.

Resource discovery is a crucial element of the enterprise's comprehensive security strategy. The
enterprise must identify its protected domains and meticulously pinpoint sensitive data and
business process flows to garner a holistic view of all available resources [35]. It is crucial,
however, for the enterprise to comprehend that achieving complete visibility of every data flow is
not a prerequisite prior to initiating the Zero Trust implementation [31]. Instead, organizations can
opt for an incremental, observational approach to gradually collect and analyze data from the
network, ensuring uninterrupted user productivity [28].
Preceding the deployment of Zero Trust, the enterprise should meticulously describe its protected
domains by conducting assessments of assets and entities such as data repositories, service
accounts, devices, applications, services, hardware, and configuration management [36].
Additionally, the enterprise must identify sensitive data and define the difficulties of business
process flows [37]. Subsequently, an in-depth exploration of data discovery and classification
should ensue, uncovering all data processing activities. For instance, organizations may choose to
establish an inventory of data repositories to ascertain data protection levels. The logical step is
the segmentation of the network based on data classification [35]. Moreover, business process
flows must be harmoniously mapped onto the protective domain to ascertain interdependencies,
thereby facilitating the development of effective security policies. The design of data and business
process workflows should comprehensively specify the authorized personnel who can access
sensitive data within the organization [38].

3.1.4 Transformation Toward Zero Trust

This process commences when an enterprise selects a specific group for migration and initiates the
initial deployment. Subsequently, the chosen group is migrated to an unprivileged network
simulation for a specified period, ensuring the migration team can confirm smooth traffic flow.
This group serves as a test group to secure a successful migration with minimal risk. Afterward,
the migration team proceeds to implement subsequent candidate groups (figure 11). Finally,
measurement of the transformation of Zero Trust Architecture (ZTA) is essential to verify that the
migration aligns with the planned objectives.

Figure 11 Transformation Toward Zero Trust

3.1.4.1 Transition from Pilot Program to Full-Scale Migration

Identifying Candidate Groups.


Implementing a Zero Trust migration project is best done in small, manageable programs.
Therefore, the enterprise identifies potential candidate groups and establishes workflows for their
migration. For example, users may be categorized into three groups: a carefully selected test group
to ensure a low-risk migration, external users accessing resources outside the enterprise network,
and internal users accessing resources within the enterprise network [31][41]. For users not yet
ready for the Zero Trust architecture, the migration team should provide solutions for them to
request temporary exemptions, listing these users in unqualified workflows [44]. Once a workflow
becomes qualified, eligible users are notified of their eligibility.

Migration Methods.
In migrating to Zero Trust, three primary procedures must be considered to minimize disruptions
to users:

1st Procedure - Production Pilot.
The pilot group of users for the migration is prepared for deployment on the Zero Trust platform
or the unprivileged network. All devices are assigned to this network, and the enterprise ensures
that applications meet the access proxy's requirements of the Zero Trust platform, using supported
protocols. All applications must run through the access proxy, with users discouraged from using
the VPN unless necessary. During this phase, the unprivileged network simulation monitors
network behavior by tracking the network traffic of all user devices. Deployment includes security
controls or operates in audit mode, allowing users to switch between the Zero Trust platform and
old systems [41][45][46].

2nd Procedure - Validation of Pilot Results.


In this phase, users operate under the unprivileged simulation in audit mode for a defined period
to ensure smooth traffic flow. Users and devices exhibiting qualified traffic during this period can
be activated and assigned to the unprivileged network. The results of the pilot program migration
need validation to ensure a seamless transition to the Zero Trust environment. If issues arise, the
migration team may revert to old technologies and conduct tests to resume the pilot program
migration [28][41][47].

3rd Procedure - Full Production Rollout.


The migration team proceeds to deploy remaining user groups. During this phase, the team
prepares to transition from the test environment to full production. Once the team is confident in
the functions, technologies, and methods, old technologies and solutions can be decommissioned,
and the ZT platform is fully enforced [41][47].

3.1.4.2 Assessing Implementation Success & Addressing Errors

To assess the success of ZTA implementation and the effectiveness of the migrated ZTA, test plans
and implementation metrics are employed. Additionally, the enterprise should establish methods
or channels for error remediation in case of issues. For example, self-remediation channels can
assist users in resolving simple problems by following remediation steps or manuals. Self-service
help can address common questions and inform users about project timelines and potential
impacts. For complex cases, the support team should be prepared to troubleshoot and provide
immediate assistance, ensuring minimal disruptions and a swift return to normalcy for affected
users [38]. As the migration team gains confidence in the functions and Zero Trust components,
promoting the success of the migration project becomes essential to garner support and raise
awareness among stakeholders [48].

3.1.5 Supervision and Maintenance

Upon the successful transition to Zero Trust Architecture (ZTA), it is imperative for the
organization to maintain vigilance over the ZTA ecosystem in order to gain insight into network
activities. This ongoing process is designed to ensure the efficient functioning of all ZTA
components and functions while also evaluating user experience and the effectiveness of security
measures (figure 12).

Figure 12 Supervision and Maintenance.

3.1.5.1 Supervision of the Zero Trust Environment.

To achieve real-time visibility into both user and network activities, the organization should
diligently inspect and log all network traffic. Monitoring the availability of services and network
components is paramount for IT operations [38][43]. Furthermore, it is essential to perpetually
monitor the organization's IT infrastructure components, conduct compliance checks against
security standards, perform vulnerability scans, and promptly detect any potential data breaches.
The deployment of security analytics tools is critical for continuous monitoring, and their
compatibility within the ZTA ecosystem must be confirmed. If necessary, considering vendors who
offer analytics solutions tailored to the ZTA ecosystem is a prudent step [35][37].

3.1.5.2 Assessing Security Effectiveness.

Following the implementation of ZTA, the organization should conduct an evaluation of security
effectiveness. This evaluation should encompass an assessment of user experience and the
identification of any disruptions that may lead to a subpar user experience. It is important to
examine security interruptions in user workflows, such as incidents involving multifactor
authentication prompts or login failures. Additionally, the organization can track the number of
employees actively engaging in multifactor authentication and accessing applications [27].
The implementation of the Zero Trust architecture should result in enhanced security effectiveness,
leading to a reduction in the quantity and impact of security incidents. This can be measured by
evaluating the number of security incidents and the percentage of IT user time dedicated to low-
value activities, such as password resets. Additionally, assessing the number of manual tasks
involved in routine workflows for investigating alerts and providing user remediations assists in
gauging security effectiveness [27].

3.1.6 Enhancing ZTA Security

To enforce the security of Zero Trust Architecture (ZTA) post-deployment, an enterprise should
begin by evaluating the effectiveness of their ZTA solution. Subsequently, the enterprise should
devise a plan to upgrade ZTA's capabilities to adapt to evolving business needs (figure 13). The
objective of these upgraded capabilities is to provide more precise automation in actions and
responses.

Figure 13 Enhancing ZTA Security.

3.1.6.1 Upgrade Plan for Zero Trust Performance.

Once Zero Trust solutions have been fully integrated, the next phase revolves around enhancing
their capabilities and maturity, recognizing that both business and technology are subject to change
over time. Consequently, it becomes crucial to enhance the capabilities and security controls of
ZTA. Thus, the enterprise should contemplate the creation of a Zero Trust performance
improvement plan. This plan should assess security performance and establish strategies for
augmenting the efficacy of Zero Trust. It should also specify the stage of ZTA maturity that the
enterprise aims to achieve. The pinnacle of the ZTA maturity model is reached when the enterprise
can employ automated threat detection and responses to swiftly counter advanced threats [29][45].

3.1.6.2 Embracing Security Automation and Orchestration.

Zero Trust solutions are expected to offer advanced automated actions and responses. To enhance
the performance of Zero Trust capabilities, the enterprise should evaluate manual security
procedures and operations and consider the transformation of these processes into technological
automation. Furthermore, the adoption of security automation and orchestration is essential for the
rapid and automated identification of security risks [35].

The enterprise may contemplate the integration of Security Orchestration, Automation, and
Response (SOAR) or Security Information and Event Management (SIEM) tools to enhance the
efficiency of security operations. These tools can elevate Zero Trust capabilities by introducing a
high degree of automation and orchestration [26][48].

3.2 Complete Diagram ZTA migration

Figure 14 Six steps to ZTA Migration

4. ZTA scenarios in different environments

4.1 Multi-Cloud in Microsoft 365

Modern IT systems need strong security, and zero trust security is the way to go. Besides hosting
networks and programs, the cloud also stores data. Many organizations are moving their resources
to cloud-based services like software and infrastructure.
With zero trust security, every user has to prove who they are, and all network activity is watched
closely. Different layers of protection keep credentials safe. Only the right people can get into
highly secure devices. When it comes to networks, people can use VPNs for secure connections,
or IT folks can set up VLANs to control who gets access to what (figure 15) [49].

Figure 15 ZTA Microsoft Security [54]

There are even options like geofencing by IP and location to make network access even stricter.
Using cloud-based systems for zero trust security is cheaper and easier for businesses of any size.
IT teams get better security without the hassle of maintaining hardware on-site, and everything
works together smoothly.

Protecting multi-cloud identities with Zero Trust in Microsoft 365 requires a departure from
traditional identity security methods. The dynamic nature of digital environments demands agility,
seamless user experiences, and robust protections that conventional approaches struggle to
provide[49]. To meet these challenges and accommodate the evolving work landscape of remote
and diverse users, many organizations are adopting Zero Trust principles.
The proliferation of remote users and devices expands the potential attack surfaces, increasing the
risk of unauthorized access (figure 16). Zero Trust strategies proactively mitigate these risks by
addressing potential vulnerabilities before they are exploited.

Figure 16 Expanded access to multiple sources needing IAM [55]

Under this new identity and access paradigm, users and devices enjoy enhanced flexibility in
accessing applications and data. However, the broad connectivity of devices, applications, and data
to the internet amplifies the risk of malicious attacks. Presently, user identities often rely heavily
on usernames and passwords to access applications. While measures such as conditional access
controls and multi-factor authentication (MFA) help mitigate risks, businesses should aim to
optimize identity and access management to minimize reliance on passwords. Effective identity
and access management practices include implementing password-less authentication across all
devices and applications.
Additionally, registering Mobile Device Management (MDM) or Mobile Application Management
(MAM) policies on all devices accessing company resources enhances security. Real-time analysis
of user, device, location, and behavior aids in risk assessment and continuous security monitoring.

By prioritizing identity and access management, organizations ensure that users' identities are
rigorously verified at every access attempt, forming the foundation of Zero Trust implementation.
Password-less solutions leveraging MFA provide an added layer of security by requiring two forms
of validation: something they are (biometric features like fingerprint or facial recognition) and
something they have (a phone or token), omitting the reliance on "something you know" like
passwords or PIN numbers. Administrators can choose the most suitable authentication methods
from a range of available options based on user workflows and security requirements [50][49c].
Zero-trust security is becoming more popular because it's hard to keep multi-cloud operations safe.
In the past, IT leaders used firewalls and endpoint protection to keep out attackers. But with more
remote devices, IoT, and a mix of office setups, multi-cloud operations are growing. This makes it
easier for bad actors to find ways in or trick people into letting them in[52].
That's why we've seen more cyberattacks since COVID-19, including ransomware and wiper
malware, and a black market for sensitive data. Multi-cloud operations offer businesses more
chances for growth and innovation, but they also need new security rules. To control costs and
keep organizations flexible, CIOs and CISOs need to change how they work with cloud vendors.
They should focus on a shared responsibility model for security.

4.2 Corporate Satellite Facilities Configuration

In this scenario, an enterprise comprises a headquarters along with several branch offices or remote
users. While remote users can easily access resources, access to more critical assets is restricted to
on-premises only. In this setup, the PDP is located in the cloud, while the PEP follows either an
agent-based or portal approach. Designing the Zero Trust Architecture (ZTA) in this manner
eliminates the need for remote workers to authenticate every time they require access, as they can
directly access cloud services for assessment [53].

4.3 Outsourced Services and External User Access

Many organizations require contractor and partner access, a scenario addressed by NIST. Partners
may need limited internet access or network connectivity for their tasks but don't require access to
corporate resources like applications or databases. Implementing ZTA allows company employees
to access resources as needed through a PEP. Contractors, on the other hand, would receive
restricted access and be denied corporate resources due to insufficient credentials or the absence
of an installed agent [53].

4.4 Inter-Enterprise Collaboration Initiatives

Companies often need to collaborate with external parties and grant access to their employees. In
such cases, Company 1 providing access requires employees from Company 2 to validate either
through an agent-based PEP or a resource-based one. The PDP should be in the cloud, enabling
Company 1 to manage risks without significant alterations to its architecture [53].

4.5 Corporate Services for Public Customer Interaction

In this scenario, the company lacks control over the security posture of the assets, as resources are
accessed by external entities beyond its jurisdiction. NIST recommends heavily relying on
behavioral metrics to assess the security posture of incoming requests, utilizing a resource-based
PEP.
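As an added illustration that is not part of the thesis or of NIST SP 800-207, the following Python sketch encodes the four scenarios above (4.2 satellite facilities, 4.3 contractors, 4.4 partner enterprises, 4.5 public customers) as rules of a cloud-hosted PDP; the resource names, the federated partner tenant and the behavioural risk threshold are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample policy data (not from the thesis): resource tiers,
# federated partner tenants and the behavioural risk cut-off for 4.5.
CRITICAL_RESOURCES = {"hr-db", "finance-app"}      # on-premises only (4.2)
INTERNET_RESOURCES = {"internet-egress"}           # limited contractor need (4.3)
PUBLIC_RESOURCES = {"storefront"}                  # customer-facing (4.5)
TRUSTED_PARTNER_TENANTS = {"company2.example"}     # "Company 2" in 4.4
PUBLIC_RISK_THRESHOLD = 0.7


@dataclass
class Request:
    subject_type: str        # "employee", "contractor", "partner" or "public"
    tenant: str              # identity provider that authenticated the subject
    resource: str
    pep: str                 # "agent", "portal" or "resource"
    on_premises: bool = False      # request comes from the corporate network
    agent_installed: bool = False  # device runs the enterprise agent
    behavior_risk: float = 0.0     # 0.0 benign .. 1.0 anomalous (4.5 metric)


def decide(req: Request) -> tuple[bool, str]:
    """Cloud-hosted PDP: return (allow, reason); anything unmatched is denied."""
    # 4.5: the enterprise cannot attest customer devices, so it relies on a
    # resource-based PEP and behavioural metrics instead of credentials/agents.
    if req.resource in PUBLIC_RESOURCES:
        if req.pep != "resource":
            return False, "public resource must be fronted by a resource PEP"
        if req.behavior_risk >= PUBLIC_RISK_THRESHOLD:
            return False, "behavioural risk above threshold"
        return True, "public access within risk tolerance"
    # 4.3: contractors get limited connectivity only; corporate resources are
    # denied because they lack enterprise credentials or an installed agent.
    if req.subject_type == "contractor":
        if req.resource in INTERNET_RESOURCES:
            return True, "contractor limited connectivity"
        return False, "contractor lacks enterprise credentials or agent"
    # 4.4: Company 2 staff validate via an agent- or resource-based PEP from a
    # federated tenant; the PDP stays in Company 1's cloud.
    if req.subject_type == "partner":
        if req.tenant not in TRUSTED_PARTNER_TENANTS:
            return False, "partner tenant is not federated"
        if req.pep not in ("agent", "resource"):
            return False, "partner must use an agent- or resource-based PEP"
        return True, "partner access via federated tenant"
    # 4.2: employees reach cloud services remotely; critical assets on-site only.
    if req.subject_type == "employee":
        if req.resource in CRITICAL_RESOURCES and not req.on_premises:
            return False, "critical asset is restricted to on-premises access"
        if req.pep == "agent" and not req.agent_installed:
            return False, "agent-based PEP requires the enterprise agent"
        return True, "employee access granted"
    return False, "unknown subject type"
```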

5. Future Application in Cloud Networks

Zero Trust, when applied to cloud networks, aims to reorganize existing technologies available to
end-users and devise a streamlined system that reduces authentication delays while ensuring
uninterrupted business operations. Currently, Zero Trust Architecture (ZTA) integrates various
technologies such as security information and event management (SIEM), data analytics, trust
calculation through event logging, mediation of file system permissions using Active Directory, and
multi-factor authentication (MFA). However, there is still considerable room for improvement and
expansion in the realm of Zero Trust Cloud Networks (ZTCN). Several areas warrant particular
attention:

• 5G/6G Networks: With the advancements in data transfer rates, traditional security measures
may struggle to cope with the sheer volume and diversity of data [55][56]. This necessitates
revolutionary changes in network protocol design and data routing mechanisms. Artificial
Intelligence (AI) algorithms can play a crucial role in detecting and mitigating malicious
requests, especially in critical sectors like healthcare, air defense, and autonomous
vehicles [57].

• Military Networks: The genesis of Zero Trust stemmed from concerns about the reliability of
military communication networks across diverse operational environments. It has evolved into
a vital technology for safeguarding military networks, many of which rely on cloud services
ranging from non-essential to highly critical. By adopting a Zero Trust approach mandated by
EO 14028, the United States Army, along with various government agencies, is transitioning
its entire ecosystem to a Zero Trust-based architecture [58]. This concerted effort aims to bolster
national security by creating a unified operational framework informed by the DoD's Zero
Trust Reference Architecture.

• Internet-of-Things (IoT) and Blockchains: Zero Trust principles can be utilized to validate
transactions, with nodes assigned varying levels of trust. The integration of Zero Trust with
emerging technologies like blockchain and IoT holds promise for enhancing security.

• Sustainable Cloud Systems: The security of any IT system hinges on its availability as much
as its confidentiality and integrity. Future cloud networks must strike a balance between
security, reliability, and energy efficiency to ensure sustainability and reduce environmental
impact.

• Containerized Software and Microservices: Microservices, while offering scalability, pose
challenges in scheduling and managing processes, necessitating further research and
enhancements. Performance improvements are essential to comprehensively analyze the
impact of microservices on cloud networks [54].

6. Conclusion and Discussion

In this thesis, all the necessary steps for a transition to ZTA were presented. Together they form an
effective and practical approach driven by a systematic migration process. The process was developed
on the basis of a thorough review in which we synthesized and analyzed methods and techniques for
ZTA migration. Within it, we outline six key processes, each encompassing subprocesses and the vital
components necessary for a successful ZTA migration: ZTA Architecture, Strategizing Zero Trust,
Context Analysis, Transformation Toward Zero Trust, Supervision and Maintenance, and Enhancing
ZTA Security.
The suggested ZTA migration provides not only migration details but also presents the main processes
and sub-processes consistently. It covers the technical and managerial aspects of ZTA migration
throughout the lifecycle. Evaluated against ZTA-related criteria, it fulfills requirements such as
process clarity, traceability, and adaptability. This thesis has tried to delineate not only the main
processes but also the subprocesses, with clear outputs and accompanying procedures. Additionally,
it provides a low-risk migration strategy for cloud, hybrid and on-premises environments. It tackles
challenges associated with ZTA migration, including vendor lock-in, analysis paralysis, political
resistance, and resource discovery. Solutions for these challenges are addressed within specific
processes, such as Architect ZTA, Strategize Zero Trust, and Context Assessment.

References

[1] History of Cyber Security [Internet]. GeeksforGeeks. 2022 [cited 20/11/2022]. Available
from: https://www.geeksforgeeks.org/history-of-cyber-security/
[2] Terekhov A. History of the Antivirus [Internet]. Hotspot Shield; [cited 20/11/2022]. Available
from: https://www.hotspotshield.com/blog/history-of-the-antivirus/
[3] The Evolution of Cybersecurity Solutions for Businesses [Internet]. Impact Networking.
2022 [cited 16/12/2022]. Available from: https://www.impact-mybiz.com/blog/evolution-of-
cybersecurity-solutions/
[4] Alsehibani S, Almuhammadi S. Anomaly Detection: Firewalls Capabilities and Limitations.
In: 2018 International Conference on Computing Sciences and Engineering (ICCSE). IEEE;
2018. p. 1-5.
[5] Garbis J, Chapman JW. Zero Trust Security: An Enterprise Guide. Berkeley, CA: Apress L. P;
2021
[6] Liang J, Kim Y. Evolution of firewalls: Toward Securer Network Using Next Generation
Firewall. In: 2022 IEEE 12th Annual Computing and Communication Workshop and Conference
(CCWC). IEEE; 2022. p. 0752–9.
[7] Thompson-Melanson J. Learn About Firewall Evolution from Packet Filter to Next
Generation [Internet]. Juniper.net. [cited 05/12/2022]. Available from:
https://www.juniper.net/documentation/en_US/learn-about/LA_FirewallEvolution.pdf
[8] The Evolution of Firewalls [Internet]. Palo Alto Networks. [cited 05/12/2022]. Available
from: https://www.paloaltonetworks.com/resources/infographics/the-evolution-of-firewalls
[9] Evolution of the Firewall Industry [Internet]. Mik.ua. [cited 05/12/2022]. Available from:
https://docstore.mik.ua/univercd/cc/td/doc/product/iaabu/centri4/user/scf4ch3.pdf
[10] Firewalls, intrusion detection systems and vulnerability assessment: A superior conjunction?
Network Security [Internet]. 2002;2002(9):8–11. Available from:
https://www.sciencedirect.com/science/article/pii/S1353485802090098
[11]Pescatore J, Young G. Defining the Next-Generation Firewall [Internet]. Gartner. 2009 [cited
05/12/2022]. Available from: https://www.gartner.com/en/documents/1204914
[12]Kindervag J, Balaouras S. No More Chewy Centers: Introducing The Zero Trust Model Of
Information Security. Forrester Research; 2010.
[13]Weinert A, Mayfield P, Costica Y, O’Donovan S, Gulati G, Radhakrishnan D, et al.
Traditional perimeter-based network defense is obsolete—transform to a Zero Trust model
[Internet]. Microsoft. 2019 [cited 21/11/2022]. Available from: https://www.microsoft.com/en-
us/security/blog/2019/10/23/perimeter-based-network-defense-transform-zero-trust-model/

[14]Rose S, Borchert O, Mitchell S, Connelly S. Zero Trust Architecture [Internet]. National
Institute of Standards and Technology; 2020 [cited 10/11/2022]. Available from:
https://www.nist.gov/publications/zero-trust-architecture
[15]Ross R, Roberts T, Burris J, Marron J, Pappas D, Faigin D, et al. Risk Management
Framework for Information Systems and Organizations: A System Life Cycle Approach for
Security and Privacy. Gaithersburg, MD: National Institute of Standards and Technology; 2018
Dec. Available from: https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final
[16] Teerakanok S, Uehara T, Inomata A. Migrating to Zero Trust Architecture: Reviews and
Challenges. Security and Communication Networks [Internet]. 2021;2021:1-10.
[17] Cybersecurity and Infrastructure Security Agency. Zero Trust Maturity Model, Version 2.0
[Internet]. April 2023. Available from:
https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf
[18]Holmes D, Pollard J, Cunningham C. The Eight Business and Security Benefits of Zero
Trust [Internet]. 2019. Available from: https://www.forrester.com/report/the-eight-business-and-
security-benefits-of-zerotrust/RES134863
[19] Syed NF, Shah SW, Shaghaghi A, Anwar A, Baig Z, Doss R. Zero trust architecture (ZTA): A
comprehensive survey. IEEE Access. 2022;10:57143-57179.
[20] Basta N, Ikram M, Kaafar MA, Walker A. Towards a zero-trust micro-segmentation network
security strategy: An evaluation framework. In: NOMS 2022-2022 IEEE/IFIP Network Operations
and Management Symposium; 2022. p. 1-7. doi: 10.1109/NOMS54207.2022.9789888
[21] Voas J, Kuhn R, Laplante P, Applebaum S. Internet of things (IoT) trust concerns. NIST Tech.
Rep. 2018;1:1-50.
[22] Wasicek A. The future of 5G smart home network security is micro-segmentation. Netw. Secur.
2020;2020(11):11-13.
[23] Li S, Iqbal M, Saxena N. Future industry internet of things with zero-trust security. Inf. Syst.
Front. 2022. doi: 10.1007/s10796-021-10199-5
[24] S. Turner, D. Holmes, C. Cunningham, J. Budge, P. McKay, A. Cser, H. Shey, and M.
Maxim, ‘‘A practical guide to a zero trust implementation,’’ Forrester Research, Inc., Cambridge,
MA, USA, Tech. Rep. 157736, Mar. 2021.
[25] Zero Trust and Access Management: A Journey, Not a Destination, Hitachi ID Systems, Inc.,
Calgary, AB, Canada, 2021.
[26] Achieving Zero Trust With ILLUMIO, Illumio, Inc., Sunnyvale, CA, USA, 2020. [Online].
Available: https://www.illumio.com/sites/default/files/2021-02/achieving-zero-trust-20sb10%20%281%29.pdf
[27] Microsoft. Zero Trust Business Plan—Microsoft. Accessed: Nov. 27, 2022. [Online].
Available: https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWJtxq

[28] J. Garbis and J. W. Chapman, Zero Trust Security: An Enterprise Guide, 1st ed. New York,
NY, USA: Apress, 2021.
[29] Palo Alto Networks, Inc. (2022). Best Practices Implementing Zero Trust With Palo Alto
Networks. [Online]. Available:
https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/bestpractices/zero-trust-best-practices/zero-trust-best-practices.pdf
[30] L. Cittadini, B. Spear, B. Beyer, and M. Saltonstall, ‘‘BeyondCorp: The access proxy,’’
Login, vol. 41, no. 4, pp. 1–6, 2016. [Online]. Available:
https://www.usenix.org/system/files/login/articles/login_winter16_05_cittadini.pdf
[31] S. Rose, O. Borchert, S. Mitchell, and S. Connelly. NIST Special Publication 800-207 Zero
Trust Architecture. National Institute of Standards and Technology. US Department of
Commerce. [Online]. Available:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
[32] J. Budge and C. Cunningham, ‘‘How to implement zero trust security in Asia Pacific,’’
Forrester Research, Inc., Cambridge, MA, USA, Tech. Rep. 162457, Oct. 2020.
[33] T. M. S. do Amaral and J. J. C. Gondim, ‘‘Integrating zero trust in the cyber supply chain
security,’’ in Proc. Workshop Commun. Netw. Power Syst. (WCNPS),
[34] Microsoft. Implementing a Zero Trust Security Model at Microsoft Accessed: Nov. 27,
2022. [Online]. Available: https://www.microsoft.com/en-us/insidetrack/implementing-a-zero-
trust-security-model-at-microsoft.
[35] M. J. Haber, Privileged Attack Vectors: Building Effective Cyber-Defense Strategies to
Protect Organizations, 2nd ed. New York, NY, USA: Apress, 2020.
[36] S. Teerakanok, T. Uehara, and A. Inomata, ‘‘Migrating to zero trust architecture: Reviews
and challenges,’’ Secur. Commun. Netw., vol. 2021, pp. 1–10, May 2021, doi:
10.1155/2021/9947347.
[37] I. Ahmed, T. Nahar, S. S. Urmi, and K. A. Taher, ‘‘Protection of sensitive data in zero trust
model,’’ in Proc. Int. Conf. Comput. Advancements, Jan. 2020, pp. 1–5, doi:
10.1145/3377049.3377114.
[38] Palo Alto Networks, Inc. (2022). Best Practices Implementing Zero Trust With Palo Alto
Networks. [Online]. Available:
https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/bestpractices/zero-trust-best-practices/zero-trust-best-practices.pdf
[39] K. D. Uttecht, ‘‘Zero trust (ZT) concepts for federal government architectures,’’ Lincoln
Lab., Massachusetts Inst. Technol., Lexington, MA, USA, Tech. Rep. TR-1253, 2020. [Online].
Available: https://apps.dtic.mil/sti/pdfs/AD1108910.pdf

[40] CISCO. (2021). From MFA to Zero Trust: A Five-Phase Journey to Securing the Federal
Workforce. CISCO SECURE. Accessed: Nov. 25, 2022. [Online]. Available:
https://www.meritalk.com/wp-content/uploads/2021/06/mfa-to-zero-trust.pdf
[41] R. Ward and B. Beyer, ‘‘BeyondCorp: A new approach to enterprise security,’’ Login, vol.
39, no. 6, pp. 6–11, Dec. 2014. [Online]. Available:
https://www.usenix.org/system/files/login/articles/login_dec14_02ward.pdf
[42] D. Klein, ‘‘Micro-segmentation: Securing complex cloud environments,’’ Netw. Secur., vol.
2019, no. 3, pp. 6–10, Mar. 2019, doi: 10.1016/s1353-4858(19)30034-0.
[43] R. Mass. A Hands-on Approach to Zero Trust Implementation, ON2IT, Gelderland, The
Netherlands, 2020. [Online]. Available:
https://www.cymbel.com/wp-content/uploads/2020/10/A-hands-on-approach-to-Zero-Trust-implementation.pdf
[44] V. M. Escobedo, F. Zyzniewski, and M. Saltonstall, ‘‘BeyondCorp: The user experience,’’
Login, vol. 42, no. 3, pp. 6–11, 2017. [Online]. Available:
https://www.usenix.org/system/files/login/articles/login_fall17_08_escobedo.pdf
[45] C. Gero, ‘‘A blueprint for zero trust architecture: Actionable implementation guide,’’ Akamai
Technologies, Inc., Cambridge, MA, USA, Tech. Rep., 2021. [Online]. Available:
https://www.intelligentcio.com/me/wp-content/uploads/sites//2022/05/A-Blueprint-for-Zero-Trust-Architecture-WP.pdf
[46] H. King, M. Janosko, B. Beyer, and M. Saltonstall, ‘‘BeyondCorp: Building a healthy fleet,’’
Login, vol. 43, no. 3, pp. 1–7, 2018. [Online]. Available:
https://www.usenix.org/system/files/login/articles/login_fall18_05_king.pdf
[47] E. Bertino and K. Brancik, ‘‘Services for zero trust architectures—A research roadmap,’’ in
Proc. IEEE Int. Conf. Web Services (ICWS), Sep. 2021, pp. 14–20, doi:
10.1109/ICWS53863.2021.00016.
[48] Zero Trust Architecture: A Paradigm Shift in Cybersecurity and Privacy,
PricewaterhouseCoopers Consulting, Singapore, 2021. [Online]. Available:
https://www.pwc.com/sg/en/publications/assets/page/zero-trust-architecture.pdf
[49] Microsoft. Zero Trust Model - Modern Security Architecture. [Online]. Available:
https://www.microsoft.com/en-in/security/business/zero-trust
[50] AvePoint. Zero-Trust Security Protection. [Online]. Available:
https://www.avepoint.com/blog/protect/zero-trust-identity-protection
[51] Palo Alto Networks. Applying Zero Trust to Cloud Environments [Whitepaper].
(paloaltonetworks.com)
[52] Dell Technologies. Dell Technologies Delivers Zero Trust, Cybersecurity Solutions to Protect
Multicloud and Edge Environments [Press release]. Dell USA.

[53] Ijlal T. Zero Trust Security: A no-fluff guide to implementing Zero Trust architecture using
NIST.
[54] Kyryk M, Pleskanka N, Pleskanka M, Kyryk V. Infrastructure as Code and Microservices for
Intent-Based Cloud Networking. In: Future Intent-Based Networking. Berlin/Heidelberg, Germany:
Springer; 2022. p. 51–68.
[55] Dzogovic B, Santos B, Hassan I, Feng B, Jacot N, Van Do T. Zero-Trust Cybersecurity
Approach for Dynamic 5G Network Slicing with Network Service Mesh and Segment-Routing over
IPv6. In: Proceedings of the 2022 International Conference on Development and Application
Systems (DAS); Suceava, Romania; 26–28 May 2022. p. 105–114.
[56] Ramezanpour K, Jagannath J. Intelligent Zero Trust Architecture for 5G/6G Networks:
Principles, Challenges, and the Role of Machine Learning in the context of O-RAN. arXiv 2021,
arXiv:2105.
[57] Bello Y, Hussein AR, Ulema M, Koilpillai J. On Sustained Zero Trust Conceptualization
Security for Mobile Core Networks in 5G and Beyond. IEEE Trans. Netw. Serv. Manag.
2022;19:1876–1889.
[58] Stewart A. Three Emerging Innovative Technologies Required for Cyber Operations to Execute
Commander's Intent at Machine Speed. Mil. Cyber Aff. 2020;4:3.
