As organisations continue to embrace digital transformation, the limitations of perimeter-based security models have become increasingly apparent. The shift towards remote working, cloud services, and interconnected devices has created a fluid environment where traditional boundaries are no longer effective. This has driven a move to a zero-trust approach, which replaces “trust but verify” with “never trust, always verify”: every access request is continuously verified, which helps organisations manage threats that may originate both inside and outside the network.
Zero-trust architecture (ZTA) is designed to address these challenges by enforcing strict identity verification, continuous monitoring, and adaptive access controls. By treating all entities as potentially untrusted and requiring validation at every step, ZTA helps organisations reduce vulnerabilities, contain threats, and safeguard critical assets in an ever-evolving cyber landscape.
The rapidly evolving threat landscape has made this a top priority for senior leadership. To mitigate mounting cyber risks, organisations can leverage the zero trust operation model (ZTOM™©) framework, which integrates leading industry standards and global best practices such as those of the National Institute of Standards and Technology (NIST), MITRE, and the Cybersecurity and Infrastructure Security Agency (CISA). This framework, when implemented alongside the Purdue Enterprise Reference Architecture, The Open Group Architecture Framework (TOGAF), and Sherwood Applied Business Security Architecture (SABSA), supports an effective zero trust posture and a secure Information Technology (IT) and Operational Technology (OT) estate. Organisations can improve their cybersecurity and risk posture by holistically assessing themselves and enhancing their overall maturity and resilience. With a strong zero-trust architecture foundation in place, the next critical aspect is how that architecture is structured.
The house of ZTA provides organisations with a structured and strategic approach to implementing the core fundamentals of zero trust across the enterprise. It defines how the core security principles (foundation), key technology domains (pillars) and strategic business outcomes (roof) come together to form an overarching, resilient yet adaptive zero-trust architecture.
From the ground up, each layer of the house of ZTA supports the layer above it, allowing organisations to deliver consistent protection and control over their users, devices, network, data, infrastructure, and systems.
2.1 Roof: The zero trust value layer
The roof represents the key business values, strategic goals, and tactical outputs of zero trust. It reflects the outcomes organisations care about most, including data protection, risk reduction, risk posture, risk tolerance, adherence to regulation, threat containment, vulnerability reduction, improved resilience posture and security by design.
2.2 Pillars of protection
The pillars of protection are the core building blocks that help establish a controls matrix and operational resilience, and implement zero trust to achieve the required outcomes.
Identity: Deploy identity and access management (IAM) solutions to manage user identities and access rights based on least privilege, access policies, and authentication.
Endpoint/devices: Ensure devices meet security standards and compliance requirements before granting access, such as having updated antivirus software, active firewalls, and proper encryption. Monitor user behaviour to detect anomalies.
Network: Implement granular network partitioning to ensure that a security incident in one area remains contained and cannot easily spread into other segments. Use technologies like virtual local area networks (VLANs) and software-defined networking (SDN) to micro-segment your network. Use firewalls, VPNs, and zero trust network access (ZTNA) solutions to secure inbound and outbound network traffic and enforce segmentation.
Cloud/applications: Integrate security best practices into each stage of development and conduct regular application testing. Use virtual machines or sandboxes to segment workloads. Enforce compliance with industry standards and regulations such as the Payment Card Industry (PCI) standards and the General Data Protection Regulation (GDPR).
Data: Enforce end-to-end encryption to safeguard sensitive datasets from unauthorised access. Categorise data and implement data loss prevention (DLP) solutions to prevent unauthorised data exfiltration.
Visibility and analytics: Maximise visibility by integrating data from cloud, logs, and network traffic into a unified view. Use advanced techniques and tools to turn this data into context needed to detect and stop emerging threats.
Automation and orchestration: Keep all systems and applications up to date with the latest security patches to mitigate vulnerabilities. Continuously scan for and remediate vulnerabilities. Generate alerts for suspicious activities and block malicious IP addresses in real time. Orchestrate threat detection systems with incident response platforms, integrating tools like security information and event management (SIEM) and endpoint detection and response (EDR) with the broader cybersecurity operation, aligned with security strategy objectives.
Governance and risk: Develop policies and clear rules aligned with regulatory requirements like the Health Insurance Portability and Accountability Act (HIPAA) and GDPR, supported by regular ZTA-focused audits. Risks are mitigated by continuous verification. Incorporate real-time monitoring and swift response mechanisms.
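To make the Identity and Endpoint/devices pillars concrete, here is an added example (not from the original article or any vendor product) of a small policy decision point that evaluates every access request against authentication, device posture and least-privilege role rules, and re-evaluates an established session when device posture changes. All resource names, roles and device attributes are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    # Posture attributes named in the Endpoint/devices pillar
    antivirus_updated: bool
    firewall_active: bool
    disk_encrypted: bool

@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    mfa_verified: bool
    device: Device
    resource: str
    action: str

# Least-privilege policy: resource -> action -> roles permitted (constructed sample).
# Anything not listed is denied by default.
POLICY = {
    "payroll-db": {"read": {"finance"}, "write": {"finance-admin"}},
    "wiki": {"read": {"staff", "finance", "finance-admin"}},
}

def device_compliant(d: Device) -> bool:
    """All posture checks must pass; a single failing check denies access."""
    return d.antivirus_updated and d.firewall_active and d.disk_encrypted

def evaluate(req: AccessRequest) -> tuple:
    """Return ("allow" | "deny", reason). Network location plays no part:
    every request is verified on identity, device and entitlement."""
    if not req.mfa_verified:
        return ("deny", "authentication: MFA not verified")
    if not device_compliant(req.device):
        return ("deny", "device: posture check failed")
    allowed = POLICY.get(req.resource, {}).get(req.action)
    if not allowed:
        return ("deny", f"policy: no rule for {req.action} on {req.resource}")
    if req.roles.isdisjoint(allowed):
        return ("deny", "policy: role lacks privilege for this action")
    return ("allow", "identity, device and entitlement verified")

def reevaluate_session(req: AccessRequest, current_device: Device) -> tuple:
    """Continuous verification: an allowed session is re-checked with the
    device's current posture, so drift (e.g. firewall disabled) revokes it."""
    refreshed = AccessRequest(req.user, req.roles, req.mfa_verified,
                              current_device, req.resource, req.action)
    return evaluate(refreshed)
```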
2.3 Foundation: The bedrock of zero trust
The foundation is the security philosophy that underpins zero-trust architecture. Principles such as “Assume Breach”, “Never Trust, Always Verify” and “Continuous Authentication” are the guiding ethos that senior management and executives can use to prioritise strategic investments, drive decision-making, manage risks, apply controls and ensure a proactive approach to risk and threat management.
Implementing a zero-trust architecture is a transformative and evolving journey rather than a single project or programme, and it has wider implications for enterprise strategy. To help visualise this, we have framed the journey as a triathlon, which symbolises the distinct yet interconnected phases that an organisation must go through before it can reach the desired state of zero trust.
Pitfalls | Success factors
Absence of a well-defined security strategy |
The successful ZTA implementation delivers measurable business advantages. To gauge the impact of the ZTA implementation programme, organisations can utilise the following attributes to evaluate the overall effectiveness of the implementation.
Business benefits of ZTA | Metrics used to measure benefits
Enterprise risk reduction
Cyber incident response time
Organisation-wide reduction in breaches
Authentication success rates, access control violations
Adaptability to hybrid cloud/environments
Reduction in supply chain attacks
Return on investment (ROI)
A successful transition is executed through six strategic phases designed to align security with enterprise risk goals:
Strategic design: Aligning ZTA with the organisation's unique risk profile.
Asset discovery: Comprehensive cataloguing of data flows and infrastructure vulnerabilities.
Maturity analysis: Establishing a baseline "as-is" state to prioritise investments.
Targeted implementation: Developing a roadmap with defined scopes for each security initiative.
Cultural alignment: Fostering a "security-first" culture through workforce training and awareness.
Sustained optimisation: Conducting regular audits to address emerging gaps and ensure perpetual adaptability.