The CISA Zero Trust Maturity Model is based on 5 pillars: Identity, Devices, Networks, Applications and Workloads, and Data, supported by cross-cutting capabilities (Visibility & Analytics, Automation & Orchestration, Governance).
It focuses on continuous verification to secure enterprise environments: nothing is trusted by default because of where it sits on the network.
Identity: Verify users explicitly and manage access.
Devices: Ensure devices are secure and compliant.
Networks: Segment and monitor traffic to limit risks.
Applications & Workloads: Control access to apps and protect workloads, whether they are private (on-prem), hosted on IaaS, or consumed as SaaS.
Data: Understand how users and apps interact with data. Protect it through classification and encryption. Regulation such as DPDPA (India's Digital Personal Data Protection Act) drives the governance side: how data is handled internally and how it is allowed to move.
Visibility & Analytics: Monitor and analyze all activity.
Automation & Orchestration: Enable real-time threat response and policy enforcement.
Monolithic services, instance awareness: a SaaS platform such as GitHub, OneDrive or email is a single service, but a user may be talking to a corporate instance (the company tenant) or a personal instance (their own account). We need to know which instance a session is using, because corporate data can be moved from the corporate GitHub instance to a personal one without any change in the destination domain.
Behaviour score: the user's behaviour needs to be scored, not just their identity. Visibility is needed into whether malicious software is being downloaded. A leaver, or an employee with malicious intent who is about to leave the organisation, may try to shut down applications or public workloads on their way out.
Risk is not always intentional: a user may unintentionally do something that is risky for them and therefore risky for the organisation, and the score should capture that too.
Isolation: machines are isolated so they do not talk to the content directly. A virtual browser running in the datacenter talks to the site; only the rendered content is delivered to the user's browser. This layer in between keeps malware off the endpoint, and controls such as disabling keyboard input, screenshots, etc. can be applied per session, so action can be taken according to the risk.
Context
Context awareness in a zero trust security model involves assessing multiple factors—such as user identity, device posture, location, data sensitivity, and activity—before granting access to applications or resources. By continuously analyzing these elements along with behavioral patterns and risk scores, organizations can make dynamic decisions to allow, block, or adapt access. This approach ensures that trust is never assumed and is instead verified in real time, reducing the risk of breaches and unauthorized access across cloud and on‑premises environments.
Dynamic adaptability underpins a Zero Trust model: access decisions are made continuously from multiple context signals (user identity, device posture, location, and behavioural trust) rather than from static credentials. Data and activities are evaluated in real time, so the system can permit, block, or challenge actions to protect applications and instances.
Key points:
User Identity: Confirms who is requesting access.
Device Posture: Evaluates device security status and compliance.
Location: Considers where the access attempt is coming from.
Behavioral Trust: Monitors and scores user behavior for anomalies.
Dynamic Actions: System can allow, block, or require additional checks.
Zero Trust Goal: Continuously adapt and enforce security before granting access to apps or instances.
Microsoft Intune manages employee devices across both on-premises and internet-connected environments. The workflow starts from user activity and app evaluation, which interact with Microsoft Graph and other data sources to assess compliance. Based on that assessment, Intune can act on the device: isolate, adjust, block, or lock it. This keeps devices secure and compliant regardless of where they connect from.
Use case 2: Remote employees
Employees can work from outside the office and still use the company's internal apps safely. Off-site, the work device connects over the internet through a secure VPN, which acts like a private tunnel to the company network. Once connected, they can access the same apps and data they would have in the office, with protection against outside threats. Caveat: the VPN authenticates the tunnel, not each request; zero trust still requires identity and device posture to be checked per access, otherwise a compromised VPN endpoint inherits full office-network trust.
Use case: On-prem network, accessing internal apps
Firewalls and ACLs alone are not enough: they decide on network location (source IP, port), not on who the user is, whether the device is compliant, or what the session is doing.
Use case 4: Third parties, e.g. an outsourced CRM vendor or IT support contractor
They may be on-prem or off-prem, but their devices are unmanaged.
The device is not within our control: it is either customer-managed or contractor-owned, so posture cannot be enforced the way it is on Intune-enrolled corporate devices.
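The following is an added example, not code from the notes above and not any vendor's policy engine (it is not how Intune or a CASB actually evaluates policy). It shows, in one place, the ideas the notes describe separately: the context signals (identity, device posture, location, behavioural trust, data sensitivity), instance awareness (corporate vs personal instance of the same SaaS), a UEBA-style behaviour score, and the dynamic actions (allow, step-up, isolate via remote browser, block). The signal names, thresholds, allowed countries and the scoring formula are all assumptions for illustration; the scenarios at the bottom are constructed to match the use cases above (office user, leaver doing a bulk download, unmanaged contractor device, push to a personal GitHub instance).

```python
"""Context-aware access decision (added example; thresholds and signals are assumptions)."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"    # require an additional check, e.g. re-prompt MFA
    ISOLATE = "isolate"    # serve the app through remote browser isolation
    BLOCK = "block"


@dataclass
class AccessContext:
    user: str
    mfa_verified: bool
    device_managed: bool    # enrolled in MDM (e.g. Intune); False for contractor-owned
    device_compliant: bool  # passes posture checks (patched, disk encrypted, ...)
    country: str            # derived from the source IP
    behaviour_risk: int     # 0 (normal) .. 100 (highly anomalous), from a UEBA score
    data_sensitivity: str   # "public" | "internal" | "confidential"
    app_instance: str       # "corporate" | "personal" | "unknown"


ALLOWED_COUNTRIES = {"IN", "US", "GB"}  # assumption: where the workforce normally operates
RISK_STEP_UP = 40
RISK_BLOCK = 80


def behaviour_risk_score(recent_downloads: int, baseline_daily: float,
                         off_hours: bool, new_device: bool) -> int:
    """Toy UEBA-style score: deviation from the user's own baseline plus context flags.
    Assumption: 4x the baseline download volume alone is worth 60 points."""
    score = 0
    if baseline_daily > 0:
        ratio = recent_downloads / baseline_daily
        score += min(60, int(max(0.0, ratio - 1) * 20))
    score += 20 if off_hours else 0
    score += 20 if new_device else 0
    return min(100, score)


def decide(ctx: AccessContext) -> tuple[Decision, str]:
    """Evaluate signals from most to least severe; the first failing rule wins."""
    # 1. Identity: never trust a session that has not been explicitly verified.
    if not ctx.mfa_verified:
        return Decision.STEP_UP, "identity not explicitly verified (MFA)"
    # 2. Behaviour: a leaver or a compromised account looks anomalous before any
    #    single action is obviously bad, so a high score gates everything below.
    if ctx.behaviour_risk >= RISK_BLOCK:
        return Decision.BLOCK, f"behaviour risk {ctx.behaviour_risk} >= {RISK_BLOCK}"
    # 3. Instance awareness: confidential data must not flow to a personal or
    #    unknown instance of the same SaaS (corporate GitHub -> personal GitHub).
    if ctx.data_sensitivity == "confidential" and ctx.app_instance != "corporate":
        return Decision.BLOCK, f"confidential data to {ctx.app_instance} instance"
    # 4. Device posture: unmanaged or non-compliant devices (contractor, BYOD) only
    #    get an isolated, rendered view of non-public data, never a direct session.
    if not (ctx.device_managed and ctx.device_compliant):
        if ctx.data_sensitivity == "public":
            return Decision.ALLOW, "public data from unmanaged device"
        return Decision.ISOLATE, "unmanaged or non-compliant device"
    # 5. Location and moderate behaviour risk: challenge rather than block.
    if ctx.country not in ALLOWED_COUNTRIES or ctx.behaviour_risk >= RISK_STEP_UP:
        return Decision.STEP_UP, "unusual location or elevated behaviour risk"
    return Decision.ALLOW, "all signals within policy"


def run_scenarios() -> dict[str, Decision]:
    """Constructed scenarios matching the use cases in the notes (not real telemetry)."""
    scenarios = {
        # Managed, compliant device in the office, normal download volume.
        "office_user": AccessContext("alice", True, True, True, "IN",
                                     behaviour_risk_score(8, 10, False, False),
                                     "confidential", "corporate"),
        # Leaver pulling 5x their usual volume out of hours from a trusted device.
        "leaver_bulk_download": AccessContext("bob", True, True, True, "IN",
                                              behaviour_risk_score(50, 10, True, False),
                                              "confidential", "corporate"),
        # Use case 4: outsourced CRM vendor on a contractor-owned laptop.
        "contractor_unmanaged": AccessContext("crm-vendor", True, False, False, "US",
                                              10, "internal", "corporate"),
        # Corporate repo content headed for a personal GitHub instance.
        "personal_github_push": AccessContext("carol", True, True, True, "GB",
                                              10, "confidential", "personal"),
        # Travelling employee, managed device, country outside the usual set.
        "travelling_user": AccessContext("alice", True, True, True, "DE",
                                         10, "internal", "corporate"),
        # Session whose identity was never explicitly verified.
        "no_mfa": AccessContext("dave", False, True, True, "IN",
                                0, "internal", "corporate"),
    }
    return {name: decide(ctx)[0] for name, ctx in scenarios.items()}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:24s} -> {outcome.value}")
```

The rule order matters: identity is checked first because every later signal (device, location, behaviour) is attributed to a user and is meaningless if that user is not actually verified; the behaviour score is checked before posture so that a trusted, compliant device does not launder a leaver's bulk export. Firewalls and ACLs would only ever see the "country" column of this table.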