EDUCATIONAL · INTERACTIVE

The Zero Trust Evolution

From physical office trust to Zero Trust Architecture — explore the journey, then see how attacks are handled differently by VPN and a ZTNA system side by side.

Section A · The Network Evolution

Phase 1 · The Office

Physical Trust

Diagram: TRUSTED ZONE containing Finance, HR and Email. Inside the building = trusted. Binary perimeter.

"Trust was binary: if you are in the building, you are trusted."

Section B · Network Access (NIST SP 800-207 §2)

subject → PEP ⇄ PDP → resource

In Zero Trust, no request is trusted by virtue of where it comes from. A Subject in the untrusted zone reaches a PEP, which consults the PDP. If allowed, the PEP opens a narrow implicit trust zone to one specific Resource.

Diagram: UNTRUSTED ZONE (internet · home wifi · mobile 5G · LAN) and IMPLICIT TRUST ZONE (one subject · one resource · short-lived). SUBJECT (alice + laptop) → PEP (enforcement point) ⇄ PDP (policy decision point: identity · device · context) → HR APP (resource). Other resources: finance, email.
1 · Subject initiates request
Alice (user + device) sends a request from the untrusted zone toward an app. No network position grants trust.
2 · PEP consults the PDP
The PEP intercepts the request and asks the PDP: identity? device posture? context? The PDP scores the signals.
3 · PDP returns a decision
PDP says ALLOW for this one resource. The PEP opens a narrow, session-scoped path — the implicit trust zone.
4 · Subject reaches the resource
Alice talks to the HR app only. Other resources stay invisible. When the session ends, the trust evaporates.
Example. Alice opens the HR app from a café. The PEP sees the request, asks the PDP, the PDP checks her identity + laptop posture + risk score, returns ALLOW for HR only. Finance and email stay invisible. Session ends → trust evaporates.

Section C · ZTNA Pillars (NIST 800-207 §2.1)