{"id":66,"date":"2026-03-26T09:38:05","date_gmt":"2026-03-26T16:38:05","guid":{"rendered":"https:\/\/www-geek.com\/?page_id=66"},"modified":"2026-03-26T09:38:05","modified_gmt":"2026-03-26T16:38:05","slug":"800-207","status":"publish","type":"page","link":"https:\/\/www-geek.com\/index.php\/800-207\/","title":{"rendered":"800-207"},"content":{"rendered":"\n<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"UTF-8\">\n<meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n<title>NIST SP 800-207 \u2014 Zero Trust Architecture<\/title>\n<link href=\"https:\/\/fonts.googleapis.com\/css2?family=IBM+Plex+Mono:wght@400;600;700&#038;family=Barlow+Condensed:wght@300;400;600;700;800&#038;family=Barlow:wght@300;400;500;600&#038;display=swap\" rel=\"stylesheet\">\n<style>\n:root {\n  --bg:#080c14;--surf:#0d1420;--surf2:#111b2e;--border:#1e2f4a;--border2:#263d5e;\n  --cyan:#00d8f0;--amber:#ffb300;--green:#00cc70;--red:#e84848;--purple:#8866ff;\n  --blue:#1a7fd4;--teal:#00b4a8;\n  --text:#f0f4ff;--text2:#b8cce0;--text3:#6e8fa8;\n  --mono:'IBM Plex Mono',monospace;--cond:'Barlow Condensed',sans-serif;--body:'Barlow',sans-serif;\n}\n*{margin:0;padding:0;box-sizing:border-box;}\nhtml,body{height:100%;overflow:hidden;background:var(--bg);color:var(--text);font-family:var(--body);-webkit-font-smoothing:antialiased;}\n.app{display:flex;height:100vh;overflow:hidden;}\n.sidebar{width:228px;min-width:228px;background:var(--surf);border-right:1px solid var(--border);display:flex;flex-direction:column;overflow:hidden;}\n.sb-hdr{padding:22px 18px 16px;border-bottom:1px solid 
var(--border);flex-shrink:0;}\n.sb-logo{font-family:var(--mono);font-size:8px;font-weight:700;letter-spacing:.2em;color:var(--cyan);text-transform:uppercase;margin-bottom:6px;}\n.sb-title{font-family:var(--cond);font-size:20px;font-weight:800;color:#fff;line-height:1.1;}\n.sb-sub{font-size:10px;color:var(--text3);margin-top:4px;line-height:1.5;}\nnav{flex:1;overflow-y:auto;padding-bottom:16px;}\n.ng{padding:16px 0 4px;}\n.ngl{font-family:var(--cond);font-size:13px;font-weight:800;letter-spacing:.12em;text-transform:uppercase;color:var(--cyan);padding:4px 18px 8px;display:block;border-bottom:1px solid var(--border2);}\n.ni{display:flex;align-items:center;gap:9px;padding:7px 18px 7px 20px;cursor:pointer;font-size:13px;font-family:var(--body);color:var(--text);transition:background .1s,color .1s;border-left:2px solid transparent;line-height:1.3;}\n.ni:hover{background:var(--surf2);color:var(--text);}\n.ni.active{color:var(--cyan);border-left-color:var(--cyan);background:rgba(0,216,240,.08);}\n.nd{width:5px;height:5px;border-radius:50%;background:var(--border2);flex-shrink:0;transition:background .1s;}\n.ni.active .nd,.ni:hover .nd{background:currentColor;}\n.main{flex:1;overflow-y:auto;background:var(--bg);}\n.panel{display:none;padding:36px 52px 72px;max-width:920px;}\n.panel.active{display:block;animation:fi .18s ease;}\n@keyframes fi{from{opacity:0;transform:translateY(10px)}to{opacity:1;transform:translateY(0)}}\n.p-eye{font-family:var(--mono);font-size:9px;font-weight:700;letter-spacing:.18em;text-transform:uppercase;color:var(--cyan);margin-bottom:10px;display:flex;align-items:center;gap:8px;}\n.p-eye::before{content:'';width:22px;height:2px;background:var(--cyan);}\n.p-title{font-family:var(--cond);font-size:46px;font-weight:800;color:#fff;line-height:1;margin-bottom:6px;}\n.p-title 
span{color:var(--cyan);}\n.p-sub{font-family:var(--cond);font-size:17px;font-weight:300;color:var(--text2);margin-bottom:28px;letter-spacing:.04em;}\n.divider{height:1px;background:var(--border);margin:24px 0;}\n.prose{font-size:13.5px;line-height:1.75;color:var(--text2);}\n.prose+.prose{margin-top:12px;}\n.prose strong{color:var(--text);font-weight:600;}\n.prose code{font-family:var(--mono);font-size:11.5px;color:var(--cyan);background:rgba(0,216,240,.08);padding:1px 5px;border-radius:2px;}\nh3{font-family:var(--cond);font-size:19px;font-weight:700;color:#fff;margin:26px 0 11px;letter-spacing:.03em;}\n.cg{display:grid;gap:8px;}\n.cg2{grid-template-columns:1fr 1fr;}\n.cg3{grid-template-columns:1fr 1fr 1fr;}\n.card{background:var(--surf);border:1px solid var(--border);padding:15px 16px;}\n.cnum{font-family:var(--mono);font-size:8px;font-weight:700;letter-spacing:.14em;color:var(--text3);margin-bottom:6px;}\n.ctitle{font-family:var(--cond);font-size:14px;font-weight:700;color:#fff;margin-bottom:6px;line-height:1.2;}\n.ctext{font-size:11.5px;line-height:1.58;color:var(--text2);}\n.tc{border-top:3px solid var(--cyan);}\n.tc:nth-child(1){border-top-color:#00d8f0;}\n.tc:nth-child(2){border-top-color:#29b6f6;}\n.tc:nth-child(3){border-top-color:#8866ff;}\n.tc:nth-child(4){border-top-color:#ffb300;}\n.tc:nth-child(5){border-top-color:#00cc70;}\n.tc:nth-child(6){border-top-color:#ff7043;}\n.tc:nth-child(7){border-top-color:#ec407a;}\n.sr{display:flex;align-items:flex-start;gap:12px;background:var(--surf);border:1px solid var(--border);padding:12px 14px;margin-bottom:6px;}\n.st{font-family:var(--mono);font-size:8px;font-weight:700;letter-spacing:.12em;padding:2px 7px;border-radius:2px;flex-shrink:0;margin-top:2px;white-space:nowrap;}\n.tid{background:rgba(0,216,240,.1);color:var(--cyan);border:1px solid rgba(0,216,240,.25);}\n.tdev{background:rgba(136,102,255,.1);color:#b39dff;border:1px solid 
rgba(136,102,255,.25);}\n.tnet{background:rgba(255,112,67,.1);color:#ff8a65;border:1px solid rgba(255,112,67,.25);}\n.tres{background:rgba(0,204,112,.1);color:var(--green);border:1px solid rgba(0,204,112,.25);}\n.tbeh{background:rgba(255,179,0,.1);color:var(--amber);border:1px solid rgba(255,179,0,.25);}\n.tpa{background:rgba(136,102,255,.1);color:#b39dff;border:1px solid rgba(136,102,255,.25);}\n.tpep{background:rgba(255,179,0,.1);color:var(--amber);border:1px solid rgba(255,179,0,.25);}\n.tcl{background:rgba(0,180,168,.1);color:#40d8d0;border:1px solid rgba(0,180,168,.25);}\n.si{flex:1;}\n.sn{font-family:var(--cond);font-size:14px;font-weight:700;color:#fff;margin-bottom:3px;}\n.sd{font-size:12px;color:var(--text2);line-height:1.5;}\n.or{display:flex;align-items:flex-start;gap:11px;border:1px solid var(--border);padding:13px 14px;margin-bottom:6px;}\n.or.grant{background:rgba(0,204,112,.04);border-color:rgba(0,204,112,.22);}\n.or.deny{background:rgba(232,72,72,.04);border-color:rgba(232,72,72,.22);}\n.or.step{background:rgba(255,179,0,.04);border-color:rgba(255,179,0,.22);}\n.od{width:9px;height:9px;border-radius:50%;flex-shrink:0;margin-top:4px;}\n.od.g{background:var(--green);}.od.d{background:var(--red);}.od.s{background:var(--amber);}\n.ol{font-family:var(--cond);font-size:14px;font-weight:700;color:#fff;margin-bottom:3px;}\n.oc{font-size:12px;color:var(--text2);line-height:1.5;}\n.ib{background:var(--surf);border:1px solid var(--border);border-left:3px solid var(--cyan);padding:14px 16px;margin:14px 0;}\n.ib.a{border-left-color:var(--amber);}\n.ib.g{border-left-color:var(--green);}\n.ib.p{border-left-color:var(--purple);}\n.ib.r{border-left-color:var(--red);}\n.ibt{font-family:var(--cond);font-size:13px;font-weight:700;color:#fff;margin-bottom:5px;}\n.ibb{font-size:12px;line-height:1.6;color:var(--text2);}\n.ibb strong{color:var(--text);}\ntable{width:100%;border-collapse:collapse;font-size:12.5px;margin:14px 
0;}\nth{font-family:var(--mono);font-size:8.5px;font-weight:700;letter-spacing:.12em;text-transform:uppercase;color:var(--text3);padding:8px 12px;border-bottom:1px solid var(--border2);text-align:left;}\ntd{padding:10px 12px;border-bottom:1px solid var(--border);color:var(--text2);line-height:1.5;vertical-align:top;}\ntd:first-child{color:var(--text);font-weight:500;}\ntr:last-child td{border-bottom:none;}\n.pg{display:grid;grid-template-columns:1fr 1fr;gap:12px;}\n.pb{background:var(--surf);border:1px solid var(--border);padding:18px;}\n.pbg{font-family:var(--mono);font-size:8px;font-weight:700;letter-spacing:.14em;padding:3px 8px;border-radius:2px;text-transform:uppercase;display:inline-block;margin-bottom:10px;}\n.pbg.c{background:rgba(0,216,240,.1);color:var(--cyan);border:1px solid rgba(0,216,240,.25);}\n.pbg.d{background:rgba(0,204,112,.1);color:var(--green);border:1px solid rgba(0,204,112,.25);}\n.pbn{font-family:var(--cond);font-size:17px;font-weight:700;color:#fff;margin-bottom:12px;}\n.pi{display:flex;gap:8px;font-size:12.5px;color:var(--text2);line-height:1.5;margin-bottom:7px;}\n.pi::before{content:'\u25b8';color:var(--text3);font-size:9px;flex-shrink:0;margin-top:2px;}\n.pi strong{color:var(--text);}\n.dc{background:var(--surf);border:1px solid var(--border);padding:20px;}\n.di{font-size:20px;margin-bottom:10px;}\n.dt{font-family:var(--cond);font-size:16px;font-weight:700;color:#fff;margin-bottom:3px;}\n.ds{font-family:var(--mono);font-size:8px;font-weight:700;color:var(--text3);letter-spacing:.12em;text-transform:uppercase;margin-bottom:10px;}\n.dxt{font-size:12px;line-height:1.6;color:var(--text2);}\n.dl li{font-size:11.5px;color:var(--text2);list-style:none;display:flex;align-items:flex-start;gap:6px;margin-top:5px;}\n.dl li::before{content:'\u2014';color:var(--text3);font-size:9px;margin-top:2px;flex-shrink:0;}\n.related{margin-top:34px;border-top:1px solid 
var(--border);padding-top:16px;}\n.rlab{font-family:var(--mono);font-size:8.5px;font-weight:700;letter-spacing:.16em;text-transform:uppercase;color:var(--text3);margin-bottom:10px;}\n.rls{display:flex;flex-wrap:wrap;gap:7px;}\n.rl{font-size:11.5px;font-family:var(--mono);color:var(--cyan);background:rgba(0,216,240,.05);border:1px solid rgba(0,216,240,.18);padding:4px 11px;cursor:pointer;transition:background .1s;}\n.rl:hover{background:rgba(0,216,240,.12);}\n.diag{background:var(--surf);border:1px solid var(--border);padding:20px;margin-bottom:18px;}\n.dcap{font-family:var(--mono);font-size:9px;color:var(--text3);margin-top:10px;letter-spacing:.06em;}\n.sb-copy{padding:10px 18px 14px;font-family:var(--mono);font-size:9px;color:var(--text3);letter-spacing:.06em;flex-shrink:0;border-top:1px solid var(--border);}\nbody.light .sb-copy{color:#4a6680;}\n.ni-doc:hover{color:var(--cyan);background:rgba(0,216,240,.08);}\n.nd-ext{font-size:11px;color:var(--cyan);flex-shrink:0;line-height:1;}\n.an:hover rect,.an:hover circle{opacity:.82;}\n.sb-fsize{padding:10px 18px 12px;border-bottom:1px solid var(--border);flex-shrink:0;display:flex;align-items:center;gap:10px;flex-wrap:wrap;}\n.fsize-label{font-family:var(--mono);font-size:8px;font-weight:700;letter-spacing:.14em;text-transform:uppercase;color:var(--text3);}\n.fsize-btns{display:flex;gap:4px;}\n.fsz{background:var(--surf2);border:1px solid var(--border2);color:var(--text2);font-family:var(--mono);font-size:10px;font-weight:700;padding:3px 7px;cursor:pointer;border-radius:2px;transition:background .1s,color .1s;line-height:1;}\n.fsz:hover{background:var(--border2);color:var(--text);}\n.fsz:active{background:rgba(0,216,240,.15);color:var(--cyan);border-color:var(--cyan);}\n.theme-btn{margin-left:auto;background:var(--surf2);border:1px solid var(--border2);color:var(--text2);font-family:var(--mono);font-size:10px;font-weight:700;padding:3px 9px;cursor:pointer;border-radius:2px;transition:background .1s,color 
.1s;line-height:1;white-space:nowrap;}\n.theme-btn:hover{background:var(--border2);color:var(--text);}\n\n\/* \u2500\u2500 LIGHT MODE \u2500\u2500 *\/\nbody.light{\n  --bg:#eef2f7;--surf:#ffffff;--surf2:#e0e8f2;--border:#b0c4d8;--border2:#8aaac4;\n  --text:#0a111e;--text2:#1e3448;--text3:#4a6680;\n  --cyan:#005f8a;--amber:#a85c00;--green:#006030;--red:#a81820;--purple:#4422aa;\n  --blue:#0a50a0;--teal:#006060;\n}\nbody.light .sb-title{color:#0a111e;}\nbody.light .sb-sub{color:#2a3f58;}\nbody.light .sb-logo{color:#005f8a;}\nbody.light .ngl{color:var(--cyan);border-bottom-color:var(--border2);}\nbody.light .ni{color:#0a111e;}\nbody.light .ni:hover{background:var(--surf2);color:#0a111e;}\nbody.light .fsize-label{color:#2a3f58;}\nbody.light .fsz{color:#0a111e;border-color:var(--border2);}\nbody.light .theme-btn{color:#0a111e;border-color:var(--border2);}\nbody.light .p-title{color:#0a111e;}\nbody.light .p-title span{color:var(--cyan);}\nbody.light h3{color:#0a111e;}\nbody.light .card{background:var(--surf);border-color:var(--border);}\nbody.light .ctitle{color:#0a111e;}\nbody.light .sn{color:#0a111e;}\nbody.light .ol{color:#0a111e;}\nbody.light .ibt{color:#0a111e;}\nbody.light .pbname{color:#0a111e;}\nbody.light .dt{color:#0a111e;}\nbody.light .diag{background:var(--surf);}\nbody.light .pb{background:var(--surf);}\nbody.light table td:first-child{color:#1a2535;}\nbody.light .or.grant{background:rgba(0,122,64,.06);}\nbody.light .or.deny{background:rgba(192,32,42,.06);}\nbody.light .or.step{background:rgba(192,112,0,.06);}\nbody.light .ib{background:var(--surf);}\nbody.light .prose code{background:rgba(0,119,170,.1);}\nbody.light .fsz,.body.light .theme-btn{background:var(--surf2);border-color:var(--border2);}\n\n\/* \u2500\u2500 HAMBURGER BUTTON \u2500\u2500 *\/\n.hamburger{display:none;position:fixed;top:12px;left:12px;z-index:1100;background:var(--surf);border:1px solid var(--border);border-radius:4px;padding:8px 
7px;cursor:pointer;flex-direction:column;gap:4px;align-items:center;justify-content:center;-webkit-tap-highlight-color:transparent;}\n.hamburger span{display:block;width:18px;height:2px;background:var(--cyan);border-radius:1px;transition:transform .2s,opacity .2s;}\n.hamburger.open span:nth-child(1){transform:translateY(6px) rotate(45deg);}\n.hamburger.open span:nth-child(2){opacity:0;}\n.hamburger.open span:nth-child(3){transform:translateY(-6px) rotate(-45deg);}\nbody.light .hamburger{background:#fff;border-color:var(--border);}\nbody.light .hamburger span{background:var(--cyan);}\n\n\/* \u2500\u2500 SIDEBAR OVERLAY (mobile) \u2500\u2500 *\/\n.sb-overlay{display:none;position:fixed;inset:0;background:rgba(0,0,0,.55);z-index:999;-webkit-backdrop-filter:blur(2px);backdrop-filter:blur(2px);}\n\n\/* \u2500\u2500 TABLE SCROLL WRAPPER \u2500\u2500 *\/\n.tbl-wrap{overflow-x:auto;-webkit-overflow-scrolling:touch;margin:14px 0;}\n.tbl-wrap table{margin:0;}\n\n\/* \u2500\u2500 RESPONSIVE: TABLET (\u2264 900px) \u2500\u2500 *\/\n@media(max-width:900px){\n  .hamburger{display:flex;}\n  .sidebar{position:fixed;left:-260px;top:0;bottom:0;width:250px;min-width:250px;z-index:1000;transition:left .25s ease;box-shadow:none;}\n  .sidebar.open{left:0;box-shadow:4px 0 24px rgba(0,0,0,.45);}\n  .sb-overlay.open{display:block;}\n  .main{margin-left:0;}\n  .panel{padding:28px 28px 60px;max-width:100%;}\n  .p-title{font-size:36px;}\n  .cg3{grid-template-columns:1fr 1fr;}\n  .pg{grid-template-columns:1fr;}\n  .diag{padding:12px;overflow-x:auto;-webkit-overflow-scrolling:touch;}\n}\n\n\/* \u2500\u2500 RESPONSIVE: PHONE (\u2264 560px) \u2500\u2500 *\/\n@media(max-width:560px){\n  .panel{padding:18px 14px 48px;}\n  .p-title{font-size:28px;}\n  .p-sub{font-size:14px;margin-bottom:18px;}\n  h3{font-size:16px;}\n  .prose{font-size:12.5px;}\n  .cg2,.cg3{grid-template-columns:1fr;}\n  .pg{grid-template-columns:1fr;}\n  table{font-size:11px;}\n  th{font-size:7.5px;padding:6px 8px;}\n  
td{padding:8px;font-size:11px;}\n  .diag{padding:8px;margin-bottom:12px;}\n  .diag svg{min-width:600px;}\n  .sr{flex-direction:column;gap:6px;}\n  .st{align-self:flex-start;}\n  .related{margin-top:22px;}\n  .rl{font-size:10.5px;padding:4px 8px;}\n  .sb-fsize{flex-wrap:wrap;gap:6px;}\n  .card{padding:12px;}\n  .ib{padding:10px 12px;}\n}\n<\/style>\n<\/head>\n<body>\n<div class=\"app\">\n\n<!-- Mobile hamburger button -->\n<button class=\"hamburger\" id=\"menuBtn\" onclick=\"toggleMenu()\" aria-label=\"Toggle navigation\">\n  <span><\/span><span><\/span><span><\/span>\n<\/button>\n<!-- Mobile overlay backdrop -->\n<div class=\"sb-overlay\" id=\"sbOverlay\" onclick=\"toggleMenu()\"><\/div>\n\n<aside class=\"sidebar\" id=\"sidebar\">\n  <div class=\"sb-hdr\">\n    <div class=\"sb-logo\">NIST SP 800-207<\/div>\n    <div class=\"sb-title\">Zero Trust<br>Architecture<\/div>\n    <div class=\"sb-sub\">Interactive reference<\/div>\n  <\/div>\n  <div class=\"sb-fsize\">\n    <span class=\"fsize-label\">Size<\/span>\n    <div class=\"fsize-btns\">\n      <button class=\"fsz\" onclick=\"adjFont(-1)\" title=\"Decrease font size\">A\u2212<\/button>\n      <button class=\"fsz\" onclick=\"adjFont(0)\" title=\"Reset font size\">A<\/button>\n      <button class=\"fsz\" onclick=\"adjFont(1)\" title=\"Increase font size\">A+<\/button>\n    <\/div>\n    <button class=\"theme-btn\" id=\"themeBtn\" onclick=\"toggleTheme()\" title=\"Toggle dark\/light mode\">\u2600 Light<\/button>\n  <\/div>\n  <nav>\n    <div class=\"ng\"><div class=\"ngl\">Architecture<\/div>\n      <div class=\"ni active\" onclick=\"nav('overview')\"><span class=\"nd\"><\/span>Overview Diagram<\/div>\n      <div class=\"ni\" onclick=\"nav('subject')\"><span class=\"nd\"><\/span>Subject<\/div>\n      <div class=\"ni\" onclick=\"nav('pe')\"><span class=\"nd\"><\/span>Policy Engine<\/div>\n      <div class=\"ni\" onclick=\"nav('pa')\"><span class=\"nd\"><\/span>Policy Administrator<\/div>\n      <div class=\"ni\" 
onclick=\"nav('pep')\"><span class=\"nd\"><\/span>Policy Enforcement Point<\/div>\n      <div class=\"ni\" onclick=\"nav('resource')\"><span class=\"nd\"><\/span>Enterprise Resource<\/div>\n    <\/div>\n    <div class=\"ng\"><div class=\"ngl\">Infrastructure<\/div>\n      <div class=\"ni\" onclick=\"nav('idms')\"><span class=\"nd\"><\/span>IDMS &amp; PKI<\/div>\n      <div class=\"ni\" onclick=\"nav('cdm')\"><span class=\"nd\"><\/span>CDM System<\/div>\n      <div class=\"ni\" onclick=\"nav('threat')\"><span class=\"nd\"><\/span>Threat Intelligence<\/div>\n      <div class=\"ni\" onclick=\"nav('actlog')\"><span class=\"nd\"><\/span>Activity Log<\/div>\n    <\/div>\n    <div class=\"ng\"><div class=\"ngl\">Diagrams<\/div>\n      <div class=\"ni\" onclick=\"nav('logical')\"><span class=\"nd\"><\/span>Logical Architecture<\/div>\n      <div class=\"ni\" onclick=\"nav('dataflow')\"><span class=\"nd\"><\/span>Access Request Data Flow<\/div>\n    <\/div>\n    <div class=\"ng\"><div class=\"ngl\">Concepts<\/div>\n      <div class=\"ni\" onclick=\"nav('tenets')\"><span class=\"nd\"><\/span>Seven Tenets<\/div>\n      <div class=\"ni\" onclick=\"nav('trust')\"><span class=\"nd\"><\/span>Trust Algorithm<\/div>\n      <div class=\"ni\" onclick=\"nav('planes')\"><span class=\"nd\"><\/span>Control &amp; Data Planes<\/div>\n      <div class=\"ni\" onclick=\"nav('deploy')\"><span class=\"nd\"><\/span>Deployment Models<\/div>\n    <\/div>\n    <div class=\"ng\"><div class=\"ngl\">Source<\/div>\n      <div class=\"ni ni-doc\" onclick=\"openNIST()\"><span class=\"nd-ext\">\u2197<\/span>NIST SP 800-207 PDF<\/div>\n    <\/div>\n  <\/nav>\n  <div class=\"sb-copy\">2026 Steve Hatch<\/div>\n<\/aside>\n\n<main class=\"main\">\n\n<!-- OVERVIEW -->\n<div class=\"panel active\" id=\"panel-overview\">\n  <div class=\"p-eye\">NIST SP 800-207 \u00a73.0<\/div>\n  <div class=\"p-title\">Zero Trust <span>Architecture<\/span><\/div>\n  <div class=\"p-sub\">Logical component model \u2014 click any 
node to explore<\/div>\n  <div class=\"diag\">\n    <svg width=\"100%\" viewBox=\"0 0 680 470\" style=\"display:block\">\n      <defs><marker id=\"arr\" viewBox=\"0 0 10 10\" refX=\"8\" refY=\"5\" markerWidth=\"6\" markerHeight=\"6\" orient=\"auto-start-reverse\"><path d=\"M2 1L8 5L2 9\" fill=\"none\" stroke=\"context-stroke\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/marker><\/defs>\n      <rect x=\"6\" y=\"6\" width=\"668\" height=\"268\" rx=\"3\" fill=\"none\" stroke=\"#00d8f0\" stroke-width=\".7\" stroke-dasharray=\"6,3\" opacity=\".28\"\/>\n      <text x=\"18\" y=\"20\" font-family=\"IBM Plex Mono\" font-size=\"9\" fill=\"#00d8f0\" letter-spacing=\"2\" opacity=\".55\" font-weight=\"700\">CONTROL PLANE<\/text>\n      <rect x=\"6\" y=\"282\" width=\"668\" height=\"158\" rx=\"3\" fill=\"none\" stroke=\"#00cc70\" stroke-width=\".7\" stroke-dasharray=\"6,3\" opacity=\".28\"\/>\n      <text x=\"18\" y=\"296\" font-family=\"IBM Plex Mono\" font-size=\"9\" fill=\"#00cc70\" letter-spacing=\"2\" opacity=\".55\" font-weight=\"700\">DATA PLANE<\/text>\n      <g class=\"an\" onclick=\"nav('cdm')\"><rect x=\"16\" y=\"26\" width=\"138\" height=\"56\" rx=\"3\" fill=\"#0d1420\" stroke=\"#00b4a8\" stroke-width=\"1\"\/><rect x=\"16\" y=\"26\" width=\"138\" height=\"4\" rx=\"2\" fill=\"#00b4a8\" opacity=\".7\"\/><text x=\"85\" y=\"52\" text-anchor=\"middle\" font-family=\"Barlow Condensed\" font-size=\"14\" font-weight=\"700\" fill=\"#fff\">CDM system<\/text><text x=\"85\" y=\"70\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">Device posture<\/text><\/g>\n      <g class=\"an\" onclick=\"nav('idms')\"><rect x=\"170\" y=\"26\" width=\"138\" height=\"56\" rx=\"3\" fill=\"#0d1420\" stroke=\"#00b4a8\" stroke-width=\"1\"\/><rect x=\"170\" y=\"26\" width=\"138\" height=\"4\" rx=\"2\" fill=\"#00b4a8\" opacity=\".7\"\/><text x=\"239\" y=\"52\" text-anchor=\"middle\" font-family=\"Barlow Condensed\" font-size=\"14\" 
font-weight=\"700\" fill=\"#fff\">IDMS \u00b7 PKI<\/text><text x=\"239\" y=\"70\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">Identity \u00b7 credentials<\/text><\/g>\n      <g class=\"an\" onclick=\"nav('threat')\"><rect x=\"330\" y=\"26\" width=\"164\" height=\"56\" rx=\"3\" fill=\"#0d1420\" stroke=\"#e84848\" stroke-width=\"1\"\/><rect x=\"330\" y=\"26\" width=\"164\" height=\"4\" rx=\"2\" fill=\"#e84848\" opacity=\".7\"\/><text x=\"412\" y=\"52\" text-anchor=\"middle\" font-family=\"Barlow Condensed\" font-size=\"14\" font-weight=\"700\" fill=\"#fff\">Threat intel<\/text><text x=\"412\" y=\"70\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">Feeds \u00b7 SIEM \u00b7 SOC<\/text><\/g>\n      <g class=\"an\" onclick=\"nav('actlog')\"><rect x=\"516\" y=\"26\" width=\"150\" height=\"56\" rx=\"3\" fill=\"#0d1420\" stroke=\"#e84848\" stroke-width=\"1\"\/><rect x=\"516\" y=\"26\" width=\"150\" height=\"4\" rx=\"2\" fill=\"#e84848\" opacity=\".7\"\/><text x=\"591\" y=\"52\" text-anchor=\"middle\" font-family=\"Barlow Condensed\" font-size=\"14\" font-weight=\"700\" fill=\"#fff\">Activity log<\/text><text x=\"591\" y=\"70\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">Audit \u00b7 analytics<\/text><\/g>\n      <g class=\"an\" onclick=\"nav('pe')\"><rect x=\"210\" y=\"104\" width=\"260\" height=\"68\" rx=\"3\" fill=\"#0d1420\" stroke=\"#1a7fd4\" stroke-width=\"1.5\"\/><rect x=\"210\" y=\"104\" width=\"260\" height=\"5\" rx=\"2\" fill=\"#1a7fd4\"\/><text x=\"340\" y=\"132\" text-anchor=\"middle\" font-family=\"Barlow Condensed\" font-size=\"17\" font-weight=\"700\" fill=\"#fff\">Policy engine<\/text><text x=\"340\" y=\"149\" text-anchor=\"middle\" font-family=\"IBM Plex Mono\" font-size=\"8\" fill=\"#60a8f0\" letter-spacing=\"1\">PE<\/text><text x=\"340\" y=\"163\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">Trust algorithm \u00b7 
access decisions<\/text><\/g>\n      <g class=\"an\" onclick=\"nav('pa')\"><rect x=\"210\" y=\"190\" width=\"260\" height=\"64\" rx=\"3\" fill=\"#0d1420\" stroke=\"#8866ff\" stroke-width=\"1.2\"\/><rect x=\"210\" y=\"190\" width=\"260\" height=\"5\" rx=\"2\" fill=\"#8866ff\" opacity=\".8\"\/><text x=\"340\" y=\"218\" text-anchor=\"middle\" font-family=\"Barlow Condensed\" font-size=\"17\" font-weight=\"700\" fill=\"#fff\">Policy administrator<\/text><text x=\"340\" y=\"234\" text-anchor=\"middle\" font-family=\"IBM Plex Mono\" font-size=\"8\" fill=\"#b39dff\" letter-spacing=\"1\">PA<\/text><text x=\"340\" y=\"247\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">Session tokens \u00b7 PEP commands<\/text><\/g>\n      <g class=\"an\" onclick=\"nav('subject')\"><rect x=\"14\" y=\"304\" width=\"148\" height=\"80\" rx=\"3\" fill=\"#111b2e\" stroke=\"#263d5e\" stroke-width=\"1\"\/><text x=\"88\" y=\"332\" text-anchor=\"middle\" font-family=\"Barlow Condensed\" font-size=\"16\" font-weight=\"700\" fill=\"#fff\">Subject<\/text><text x=\"88\" y=\"350\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">User + device<\/text><text x=\"88\" y=\"366\" text-anchor=\"middle\" font-family=\"IBM Plex Mono\" font-size=\"9\" fill=\"#4d6780\">ZT agent<\/text><\/g>\n      <g class=\"an\" onclick=\"nav('pep')\"><rect x=\"226\" y=\"298\" width=\"228\" height=\"92\" rx=\"3\" fill=\"#111b2e\" stroke=\"#ffb300\" stroke-width=\"1.4\"\/><rect x=\"226\" y=\"298\" width=\"228\" height=\"5\" rx=\"2\" fill=\"#ffb300\" opacity=\".7\"\/><text x=\"340\" y=\"328\" text-anchor=\"middle\" font-family=\"Barlow Condensed\" font-size=\"16\" font-weight=\"700\" fill=\"#fff\">Policy enforcement point<\/text><text x=\"340\" y=\"345\" text-anchor=\"middle\" font-family=\"IBM Plex Mono\" font-size=\"8\" fill=\"#ffb300\" letter-spacing=\"1\">PEP<\/text><text x=\"340\" y=\"362\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" 
fill=\"#8ba3c0\">Inline session gateway<\/text><text x=\"340\" y=\"378\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#4d6780\">cannot be bypassed<\/text><\/g>\n      <g class=\"an\" onclick=\"nav('resource')\"><rect x=\"516\" y=\"304\" width=\"150\" height=\"80\" rx=\"3\" fill=\"#111b2e\" stroke=\"#263d5e\" stroke-width=\"1\"\/><text x=\"591\" y=\"332\" text-anchor=\"middle\" font-family=\"Barlow Condensed\" font-size=\"16\" font-weight=\"700\" fill=\"#fff\">Resource<\/text><text x=\"591\" y=\"350\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">Apps \u00b7 data<\/text><text x=\"591\" y=\"366\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">Services \u00b7 APIs<\/text><\/g>\n      <!-- \u2500\u2500 Tier-1 \u2192 PE: CDM enters left side, Activity Log enters right side, IDMS\/Threat top \u2500\u2500 -->\n      <!-- CDM \u2192 PE left side at 90\u00b0 -->\n      <path d=\"M85,82 L85,138 L210,138\" fill=\"none\" stroke=\"#4d6780\" stroke-width=\"1.3\" stroke-dasharray=\"5,3\" marker-end=\"url(#arr)\"\/>\n      <!-- IDMS \u2192 PE top, symmetric entry at x=290 -->\n      <path d=\"M239,82 L239,96 L290,96 L290,104\" fill=\"none\" stroke=\"#4d6780\" stroke-width=\"1.3\" stroke-dasharray=\"5,3\" marker-end=\"url(#arr)\"\/>\n      <!-- Threat Intel \u2192 PE top, symmetric entry at x=390 -->\n      <path d=\"M412,82 L412,96 L390,96 L390,104\" fill=\"none\" stroke=\"#4d6780\" stroke-width=\"1.3\" stroke-dasharray=\"5,3\" marker-end=\"url(#arr)\"\/>\n      <!-- Activity Log \u2192 PE right side at 90\u00b0 -->\n      <path d=\"M591,82 L591,138 L470,138\" fill=\"none\" stroke=\"#4d6780\" stroke-width=\"1.3\" stroke-dasharray=\"5,3\" marker-end=\"url(#arr)\"\/>\n\n      <!-- \u2500\u2500 PE \u2192 PA (decision) \u2500\u2500 -->\n      <line x1=\"340\" y1=\"172\" x2=\"340\" y2=\"190\" stroke=\"#1a7fd4\" stroke-width=\"2\" marker-end=\"url(#arr)\"\/>\n      <rect x=\"316\" y=\"174\" 
width=\"48\" height=\"12\" rx=\"1\" style=\"fill:var(--bg)\"\/>\n      <text x=\"340\" y=\"183\" text-anchor=\"middle\" font-family=\"IBM Plex Mono\" font-size=\"8\" font-weight=\"600\" fill=\"#1a7fd4\">decision<\/text>\n\n      <!-- \u2500\u2500 PA \u2192 PEP (enable \/ revoke) \u2500\u2500 -->\n      <line x1=\"340\" y1=\"254\" x2=\"340\" y2=\"298\" stroke=\"#8866ff\" stroke-width=\"2\" marker-end=\"url(#arr)\"\/>\n      <rect x=\"298\" y=\"268\" width=\"84\" height=\"12\" rx=\"1\" style=\"fill:var(--bg)\"\/>\n      <text x=\"340\" y=\"277\" text-anchor=\"middle\" font-family=\"IBM Plex Mono\" font-size=\"8\" font-weight=\"600\" fill=\"#b39dff\">enable \/ revoke<\/text>\n\n      <!-- \u2500\u2500 Subject \u2192 PEP (request) \u2500\u2500 -->\n      <line x1=\"162\" y1=\"344\" x2=\"226\" y2=\"344\" stroke=\"#00cc70\" stroke-width=\"2\" marker-end=\"url(#arr)\"\/>\n      <rect x=\"172\" y=\"333\" width=\"44\" height=\"12\" rx=\"1\" style=\"fill:var(--bg)\"\/>\n      <text x=\"194\" y=\"342\" text-anchor=\"middle\" font-family=\"IBM Plex Mono\" font-size=\"8\" font-weight=\"600\" fill=\"#00cc70\">request<\/text>\n\n      <!-- \u2500\u2500 PEP \u2192 Resource (authorized) \u2500\u2500 -->\n      <line x1=\"454\" y1=\"344\" x2=\"516\" y2=\"344\" stroke=\"#00cc70\" stroke-width=\"2\" marker-end=\"url(#arr)\"\/>\n      <rect x=\"455\" y=\"333\" width=\"60\" height=\"12\" rx=\"1\" style=\"fill:var(--bg)\"\/>\n      <text x=\"485\" y=\"342\" text-anchor=\"middle\" font-family=\"IBM Plex Mono\" font-size=\"8\" font-weight=\"600\" fill=\"#00cc70\">authorized<\/text>\n\n      <!-- \u2500\u2500 Subject auth \u2192 PA (left loop) \u2500\u2500 -->\n      <path d=\"M88,304 L88,282 L5,282 L5,223 L210,223\" fill=\"none\" stroke=\"#4d6780\" stroke-width=\"1.2\" stroke-dasharray=\"4,2\" marker-end=\"url(#arr)\" opacity=\".75\"\/>\n      <rect x=\"30\" y=\"215\" width=\"30\" height=\"12\" rx=\"1\" style=\"fill:var(--bg)\"\/>\n      <text x=\"45\" y=\"224\" text-anchor=\"middle\" 
font-family=\"IBM Plex Mono\" font-size=\"8\" font-weight=\"600\" fill=\"#4d6780\">auth<\/text>\n\n      <!-- \u2500\u2500 PEP telemetry \u2192 Activity Log (right loop) \u2500\u2500 -->\n      <path d=\"M454,320 L490,320 L490,54 L516,54\" fill=\"none\" stroke=\"#4d6780\" stroke-width=\"1.2\" stroke-dasharray=\"4,2\" marker-end=\"url(#arr)\" opacity=\".65\"\/>\n      <rect x=\"468\" y=\"181\" width=\"58\" height=\"12\" rx=\"1\" style=\"fill:var(--bg)\"\/>\n      <text x=\"497\" y=\"190\" text-anchor=\"middle\" font-family=\"IBM Plex Mono\" font-size=\"8\" font-weight=\"600\" fill=\"#4d6780\">telemetry<\/text>\n      <line x1=\"16\" y1=\"452\" x2=\"40\" y2=\"452\" stroke=\"#00cc70\" stroke-width=\"2\"\/>\n      <text x=\"46\" y=\"456\" font-family=\"IBM Plex Mono\" font-size=\"8.5\" fill=\"#4d6780\">authorized flow<\/text>\n      <line x1=\"190\" y1=\"452\" x2=\"214\" y2=\"452\" stroke=\"#1a7fd4\" stroke-width=\"2\"\/>\n      <text x=\"220\" y=\"456\" font-family=\"IBM Plex Mono\" font-size=\"8.5\" fill=\"#4d6780\">PE decision<\/text>\n      <line x1=\"330\" y1=\"452\" x2=\"354\" y2=\"452\" stroke=\"#8866ff\" stroke-width=\"2\"\/>\n      <text x=\"360\" y=\"456\" font-family=\"IBM Plex Mono\" font-size=\"8.5\" fill=\"#4d6780\">PA command<\/text>\n      <line x1=\"472\" y1=\"452\" x2=\"496\" y2=\"452\" stroke=\"#4d6780\" stroke-width=\"1.3\" stroke-dasharray=\"5,3\"\/>\n      <text x=\"502\" y=\"456\" font-family=\"IBM Plex Mono\" font-size=\"8.5\" fill=\"#4d6780\">telemetry \/ auth<\/text>\n    <\/svg>\n    <div class=\"dcap\">Click any component to navigate to its detail page \u00b7 NIST SP 800-207 \u00a73.0 logical architecture<\/div>\n  <\/div>\n  <div class=\"prose\">Zero Trust Architecture defines a paradigm where <strong>no implicit trust is ever granted<\/strong> based on network location or asset ownership. Every access request is authenticated, authorized, and continuously evaluated. 
The three core enforcement components \u2014 Policy Engine, Policy Administrator, and Policy Enforcement Point \u2014 form the decision and enforcement pipeline. Supporting infrastructure (IDMS, PKI, CDM, Threat Intel, Activity Log) feeds the trust algorithm with real-time signals.<\/div>\n  <div class=\"related\"><div class=\"rlab\">Start exploring<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('tenets')\">Seven tenets<\/span><span class=\"rl\" onclick=\"nav('trust')\">Trust algorithm<\/span><span class=\"rl\" onclick=\"nav('pe')\">Policy engine<\/span><span class=\"rl\" onclick=\"nav('planes')\">Control &amp; data planes<\/span><span class=\"rl\" onclick=\"nav('deploy')\">Deployment models<\/span><\/div><\/div>\n<\/div>\n\n<!-- TENETS -->\n<div class=\"panel\" id=\"panel-tenets\">\n  <div class=\"p-eye\">NIST SP 800-207 \u00a72.1<\/div>\n  <div class=\"p-title\">Seven <span>Tenets<\/span><\/div>\n  <div class=\"p-sub\">The foundational principles \u2014 all seven must be satisfied by a ZTA implementation<\/div>\n  <div class=\"cg\" style=\"grid-template-columns:repeat(auto-fill,minmax(240px,1fr))\">\n    <div class=\"card tc\"><div class=\"cnum\">T-01<\/div><div class=\"ctitle\">All data sources &amp; services are resources<\/div><div class=\"ctext\">Every network-connected device and data source qualifies as a resource \u2014 regardless of form factor, ownership, or physical location. Personal devices qualify as resources.<\/div><\/div>\n    <div class=\"card tc\"><div class=\"cnum\">T-02<\/div><div class=\"ctitle\">All communication secured regardless of location<\/div><div class=\"ctext\">Network location alone does not imply trust. All communication \u2014 internal or external \u2014 must be authenticated, authorized, and encrypted. 
Being on the LAN grants nothing.<\/div><\/div>\n    <div class=\"card tc\"><div class=\"cnum\">T-03<\/div><div class=\"ctitle\">Access to resources granted per-session<\/div><div class=\"ctext\">Access is granted on a per-session basis with least-privilege principles. Trust is evaluated before access is granted and is not persistent \u2014 it does not carry over between sessions.<\/div><\/div>\n    <div class=\"card tc\"><div class=\"cnum\">T-04<\/div><div class=\"ctitle\">Access determined by dynamic policy<\/div><div class=\"ctext\">Resource access policy is dynamic, enforced in real time using identity, device health, behavioral data, and environmental attributes such as time of day, location, and threat intelligence.<\/div><\/div>\n    <div class=\"card tc\"><div class=\"cnum\">T-05<\/div><div class=\"ctitle\">Enterprise monitors &amp; measures all asset integrity<\/div><div class=\"ctext\">The enterprise monitors the security posture of all owned and associated assets continuously. No device is trusted based on prior authentication state \u2014 posture is re-evaluated constantly.<\/div><\/div>\n    <div class=\"card tc\"><div class=\"cnum\">T-06<\/div><div class=\"ctitle\">All auth &amp; authorization is dynamic &amp; strictly enforced<\/div><div class=\"ctext\">Authentication and authorization are strictly enforced before access is allowed. 
Continuous re-evaluation occurs throughout sessions; anomalies trigger reauthentication or immediate revocation.<\/div><\/div>\n    <div class=\"card tc\"><div class=\"cnum\">T-07<\/div><div class=\"ctitle\">Collect data to improve security posture<\/div><div class=\"ctext\">The enterprise collects and analyzes behavioral, traffic, and access data to continuously improve authentication strength, access policies, and threat detection capabilities.<\/div><\/div>\n  <\/div>\n  <div class=\"divider\"><\/div>\n  <div class=\"ib\"><div class=\"ibt\">The unifying principle<\/div><div class=\"ibb\">All seven tenets converge on a single premise: <strong>no implicit trust is granted to assets or user accounts based solely on their physical or network location.<\/strong> Authentication and authorization are discrete functions performed before a session is established \u2014 derived from verified signals, not from network adjacency.<\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('trust')\">Trust algorithm<\/span><span class=\"rl\" onclick=\"nav('pe')\">Policy engine<\/span><span class=\"rl\" onclick=\"nav('planes')\">Control &amp; data planes<\/span><\/div><\/div>\n<\/div>\n\n<!-- PE -->\n<div class=\"panel\" id=\"panel-pe\">\n  <div class=\"p-eye\">NIST SP 800-207 \u00a73.1 \u00b7 PE<\/div>\n  <div class=\"p-title\">Policy <span>Engine<\/span><\/div>\n  <div class=\"p-sub\">The trust brain \u2014 evaluates all signals and renders the access decision<\/div>\n  <div class=\"prose\">The Policy Engine is responsible for the <strong>ultimate decision<\/strong> to grant, deny, or revoke access to a resource for a given subject. It receives input from the enterprise&#8217;s supporting infrastructure \u2014 CDM data, identity assertions, threat intelligence, behavioral logs \u2014 processes them against enterprise access policy, and computes a trust score that drives the decision. 
The PE and PA are logical components that may be co-located or distributed.<\/div>\n  <h3>What the PE evaluates<\/h3>\n  <div class=\"sr\"><span class=\"st tid\">IDENTITY<\/span><div class=\"si\"><div class=\"sn\">Subject identity &amp; credential strength<\/div><div class=\"sd\">IdP-asserted identity, MFA status and factor type, credential freshness, privileged account flags, federated assertions (SAML, OIDC). An MFA assertion 8 hours old carries less weight than one from 5 minutes ago.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tdev\">DEVICE<\/span><div class=\"si\"><div class=\"sn\">Device health &amp; posture<\/div><div class=\"sd\">CDM telemetry: patch level, EDR agent status, certificate validity, OS compliance, MDM enrollment, software inventory. A device matching a known IoC from threat intel fails this signal regardless of identity strength.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tnet\">NETWORK<\/span><div class=\"si\"><div class=\"sn\">Network location &amp; context<\/div><div class=\"sd\">Source IP, geolocation, time-of-day, network path characteristics. <strong>Contextual signal only \u2014 never a trust anchor.<\/strong> Per Tenet T-02, location does not imply trust.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tres\">RESOURCE<\/span><div class=\"si\"><div class=\"sn\">Resource sensitivity &amp; access policy<\/div><div class=\"sd\">Data classification, resource criticality, required assurance level. The PE checks the requesting subject&#8217;s attributes against the resource&#8217;s policy requirements before granting.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tbeh\">BEHAVIOR<\/span><div class=\"si\"><div class=\"sn\">Behavioral &amp; threat intelligence<\/div><div class=\"sd\">Historical access patterns, UEBA baseline deviation, threat feed hits (IP\/domain reputation, IoCs, CVE correlation), SIEM correlation output. 
The continuous signal \u2014 it updates mid-session.<\/div><\/div><\/div>\n  <h3>Decision outcomes<\/h3>\n  <div class=\"or grant\"><div class=\"od g\"><\/div><div><div class=\"ol\">Grant access<\/div><div class=\"oc\">All signals pass policy thresholds. PE instructs PA to issue a session token to the PEP. Access scope is limited to least-privilege per Tenet T-03.<\/div><\/div><\/div>\n  <div class=\"or deny\"><div class=\"od d\"><\/div><div><div class=\"ol\">Deny access<\/div><div class=\"oc\">One or more signals fail: unregistered device, failed MFA, anomalous behavior, policy violation, resource classification exceeds clearance. No token issued; traffic blocked at PEP.<\/div><\/div><\/div>\n  <div class=\"or step\"><div class=\"od s\"><\/div><div><div class=\"ol\">Step-up or revoke mid-session<\/div><div class=\"oc\">Risk picture changes during an active session. PE re-evaluates and may require step-up MFA, reduce scope, or instruct PA to revoke the PEP tunnel immediately.<\/div><\/div><\/div>\n  <div class=\"ib a\"><div class=\"ibt\">PE is logical, not physical<\/div><div class=\"ibb\">NIST explicitly states the PE and PA are <strong>logical components<\/strong>. In real deployments they may be a single identity-aware proxy, a ZTNA gateway&#8217;s policy service, or distributed microservices. 
What matters is that the functions are performed \u2014 not how they are packaged.<\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('pa')\">Policy administrator<\/span><span class=\"rl\" onclick=\"nav('trust')\">Trust algorithm<\/span><span class=\"rl\" onclick=\"nav('idms')\">IDMS &amp; PKI<\/span><span class=\"rl\" onclick=\"nav('threat')\">Threat intelligence<\/span><span class=\"rl\" onclick=\"nav('cdm')\">CDM system<\/span><\/div><\/div>\n<\/div>\n\n<!-- PA -->\n<div class=\"panel\" id=\"panel-pa\">\n  <div class=\"p-eye\">NIST SP 800-207 \u00a73.1 \u00b7 PA<\/div>\n  <div class=\"p-title\">Policy <span>Administrator<\/span><\/div>\n  <div class=\"p-sub\">Executes the Policy Engine&#8217;s decisions \u2014 commands the PEP to open or close sessions<\/div>\n  <div class=\"prose\">The Policy Administrator is responsible for <strong>establishing and severing communication paths<\/strong> between subjects and enterprise resources. Where the PE decides, the PA acts. It communicates with the PEP on the <strong>control plane<\/strong>, entirely separate from the user&#8217;s data traffic. This separation is architectural \u2014 the PA&#8217;s commands never traverse the data plane, so data-plane traffic cannot observe or tamper with them; the control channel itself must still be mutually authenticated and encrypted.<\/div>\n  <h3>What the PA does<\/h3>\n  <div class=\"sr\"><span class=\"st tpa\">ENABLE<\/span><div class=\"si\"><div class=\"sn\">Issue session tokens to the PEP<\/div><div class=\"sd\">When the PE grants access, the PA generates a session token scoped to the specific subject, device, and resource. 
It pushes that token to the PEP, instructing it to permit traffic matching those parameters.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tpa\">REVOKE<\/span><div class=\"si\"><div class=\"sn\">Terminate active sessions<\/div><div class=\"sd\">When the PE revokes access \u2014 due to a mid-session anomaly, posture change, or explicit policy \u2014 the PA instructs the PEP to immediately terminate the tunnel. The PEP executes; it does not decide independently.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tpa\">SCOPE<\/span><div class=\"si\"><div class=\"sn\">Enforce least-privilege access scope<\/div><div class=\"sd\">Session tokens are scoped to exactly the resource and action the policy permits. The PA issues the minimum required for the requested task, per Tenet T-03 \u2014 not broad-access tokens.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tpa\">CHANNEL<\/span><div class=\"si\"><div class=\"sn\">Control plane communication channel<\/div><div class=\"sd\">All PA-to-PEP communications occur out-of-band from user data traffic. This channel must be mutually authenticated and encrypted (TLS 1.3+). A compromised data plane cannot interfere with PA commands.<\/div><\/div><\/div>\n  <div class=\"ib p\"><div class=\"ibt\">PA as the enforcement relay<\/div><div class=\"ibb\">The PA is the <strong>operational bridge<\/strong> between policy and enforcement. The PE reasons about trust; the PA operationalizes that reasoning. 
Neither component alone is sufficient \u2014 a PE without a PA has no means of enforcement, and a PEP without a PA has no policy guidance.<\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('pe')\">Policy engine<\/span><span class=\"rl\" onclick=\"nav('pep')\">Policy enforcement point<\/span><span class=\"rl\" onclick=\"nav('planes')\">Control &amp; data planes<\/span><\/div><\/div>\n<\/div>\n\n<!-- PEP -->\n<div class=\"panel\" id=\"panel-pep\">\n  <div class=\"p-eye\">NIST SP 800-207 \u00a73.1 \u00b7 PEP<\/div>\n  <div class=\"p-title\">Policy Enforcement <span>Point<\/span><\/div>\n  <div class=\"p-sub\">The inline gateway \u2014 the only valid path between a subject and an enterprise resource<\/div>\n  <div class=\"prose\">The PEP enables, monitors, and terminates connections between a subject and an enterprise resource. It is the <strong>only valid path<\/strong> to any resource \u2014 no route bypasses it. All data plane traffic flows through it. The PEP doesn&#8217;t make access decisions; it executes PA commands and enforces session tokens.<\/div>\n  <h3>Architecture<\/h3>\n  <div class=\"prose\">The PEP logically splits into two halves. The <strong>subject-side component<\/strong> (a ZT agent on the device, or a clientless proxy) intercepts the access request and initiates the auth flow. The <strong>resource-side component<\/strong> (a gateway or proxy in front of the resource) receives the session token and enforces it for every connection attempt.<\/div>\n  <h3>What the PEP enforces<\/h3>\n  <div class=\"sr\"><span class=\"st tpep\">GATE<\/span><div class=\"si\"><div class=\"sn\">Session token validation<\/div><div class=\"sd\">The PEP validates that each connection attempt carries a valid session token issued by the PA. 
No token, no access \u2014 regardless of network origin, protocol, or claimed identity.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tpep\">SCOPE<\/span><div class=\"si\"><div class=\"sn\">Least-privilege scope enforcement<\/div><div class=\"sd\">The session token specifies the exact resource, port, protocol, and action permitted. The PEP enforces these constraints on every packet and does not permit lateral movement to adjacent resources.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tpep\">MONITOR<\/span><div class=\"si\"><div class=\"sn\">Continuous session monitoring<\/div><div class=\"sd\">The PEP watches all traffic for anomalies throughout the session: unusual data volumes, protocol deviations, new destination IPs, suspicious payload patterns. Anomalies are reported to the activity log.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tpep\">REVOKE<\/span><div class=\"si\"><div class=\"sn\">Session termination on PA command<\/div><div class=\"sd\">When the PA issues a revoke command, the PEP tears down the session immediately \u2014 mid-transfer if necessary. No grace period.<\/div><\/div><\/div>\n  <h3>Telemetry the PEP reports to the activity log<\/h3>\n  <div class=\"prose\">Per-session data (identity, device, resource, bytes, duration, termination reason), anomaly indicators (lateral movement patterns, volume spikes, protocol deviations), authentication events (MFA challenges, step-up triggers, failed attempts), and every policy evaluation result it enforces \u2014 grant, deny, and revocation.<\/div>\n  <div class=\"ib a\"><div class=\"ibt\">The PEP cannot be bypassed \u2014 by design<\/div><div class=\"ibb\">In an SDP deployment, resources are <strong>dark<\/strong> to unauthenticated subjects \u2014 they don&#8217;t respond to port scans or connection attempts that haven&#8217;t been authorized by the PA. 
The PEP isn&#8217;t a filter on a known path; it <em>is<\/em> the path.<\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('pa')\">Policy administrator<\/span><span class=\"rl\" onclick=\"nav('actlog')\">Activity log<\/span><span class=\"rl\" onclick=\"nav('planes')\">Control &amp; data planes<\/span><span class=\"rl\" onclick=\"nav('deploy')\">Deployment models<\/span><\/div><\/div>\n<\/div>\n\n<!-- SUBJECT -->\n<div class=\"panel\" id=\"panel-subject\">\n  <div class=\"p-eye\">NIST SP 800-207 \u00a73.1<\/div>\n  <div class=\"p-title\"><span>Subject<\/span><\/div>\n  <div class=\"p-sub\">The combination of a user account and the device used to request access<\/div>\n  <div class=\"prose\">In ZTA, a <strong>subject<\/strong> is not simply a user. It is the composite of a user account <em>plus<\/em> the specific device being used to access a resource. Neither element is trusted independently. Trust is computed as a function of both, along with session context. A trusted user on an unmanaged device \u2014 or a managed device presenting a compromised credential \u2014 is granted reduced access or denied outright.<\/div>\n  <h3>Subject components<\/h3>\n  <div class=\"sr\"><span class=\"st tid\">USER<\/span><div class=\"si\"><div class=\"sn\">User identity<\/div><div class=\"sd\">The IdP-verified identity of the human (or non-person entity) initiating the request. Includes MFA assertions, role memberships, entitlement attributes, and credential freshness. Sourced from IDMS.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tdev\">DEVICE<\/span><div class=\"si\"><div class=\"sn\">Device posture<\/div><div class=\"sd\">The health and compliance state of the endpoint. Managed devices carry a device certificate (PKI). CDM telemetry reports patch level, EDR status, OS compliance, and MDM enrollment. 
Unmanaged devices receive reduced access by policy.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tcl\">AGENT<\/span><div class=\"si\"><div class=\"sn\">ZT agent (client-side PEP component)<\/div><div class=\"sd\">Software on the device that intercepts resource access requests, enforces posture checks, communicates with the PEP\/PA for authentication, and routes traffic through the authorized tunnel. Required for full ZTA enforcement on managed devices.<\/div><\/div><\/div>\n  <div class=\"ib\"><div class=\"ibt\">Non-person entities (NPEs) are subjects too<\/div><div class=\"ibb\">NIST explicitly includes <strong>service accounts, workloads, automated processes, and IoT devices<\/strong> as subjects. Each NPE must authenticate, present posture signals, and obtain session authorization just as a human user would. Service-to-service communication is not exempt from ZTA enforcement.<\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('idms')\">IDMS &amp; PKI<\/span><span class=\"rl\" onclick=\"nav('cdm')\">CDM system<\/span><span class=\"rl\" onclick=\"nav('pep')\">Policy enforcement point<\/span><span class=\"rl\" onclick=\"nav('trust')\">Trust algorithm<\/span><\/div><\/div>\n<\/div>\n\n<!-- RESOURCE -->\n<div class=\"panel\" id=\"panel-resource\">\n  <div class=\"p-eye\">NIST SP 800-207 \u00a72.1 T-01<\/div>\n  <div class=\"p-title\">Enterprise <span>Resource<\/span><\/div>\n  <div class=\"p-sub\">Any data source or service the enterprise protects \u2014 regardless of location or form factor<\/div>\n  <div class=\"prose\">Tenet T-01 defines a resource broadly: <strong>any data source or computing service<\/strong> the enterprise cares about protecting qualifies. This includes on-premise applications, cloud services, APIs, databases, file shares, IoT sensors, printers, and personal devices used for enterprise work. 
The resource is always the destination being protected \u2014 the PEP sits in front of it, and the PE&#8217;s policy governs who can access it under what conditions.<\/div>\n  <h3>Resource sensitivity classification<\/h3>\n  <div class=\"sr\"><span class=\"st tres\">LOW<\/span><div class=\"si\"><div class=\"sn\">Low-sensitivity resources<\/div><div class=\"sd\">General intranet content, read-only reference databases, non-personal productivity tools. May be accessible to managed and unmanaged devices with standard MFA. Session lifetimes can be longer.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tres\">MED<\/span><div class=\"si\"><div class=\"sn\">Medium-sensitivity resources<\/div><div class=\"sd\">Internal collaboration platforms, HR self-service portals, customer data repositories. Requires managed device plus MFA. Behavioral anomalies trigger step-up auth more aggressively.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tres\">HIGH<\/span><div class=\"si\"><div class=\"sn\">High-sensitivity resources<\/div><div class=\"sd\">Financial systems, privileged admin consoles, classified data stores, security tooling. Managed device required, hardware MFA preferred, short session lifetimes, real-time behavioral monitoring mandatory.<\/div><\/div><\/div>\n  <div class=\"ib g\"><div class=\"ibt\">Resources must be dark outside the PEP<\/div><div class=\"ibb\">For ZTA to be effective, resources must not be reachable by any path that bypasses the PEP. In SDP deployments, resources are <strong>not publicly resolvable<\/strong> \u2014 they have no DNS entry or IP accessible outside the authorized tunnel. 
The PEP is the exclusive path.<\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('pep')\">Policy enforcement point<\/span><span class=\"rl\" onclick=\"nav('trust')\">Trust algorithm<\/span><span class=\"rl\" onclick=\"nav('tenets')\">Seven tenets<\/span><\/div><\/div>\n<\/div>\n\n<!-- IDMS -->\n<div class=\"panel\" id=\"panel-idms\">\n  <div class=\"p-eye\">NIST SP 800-207 \u00a73.1.1 \u00b7 \u00a73.1.3<\/div>\n  <div class=\"p-title\">IDMS <span>&amp; PKI<\/span><\/div>\n  <div class=\"p-sub\">Identity management + cryptographic verification \u2014 the two-layer trust anchor for all subject identity<\/div>\n  <div class=\"prose\">Two distinct but tightly coupled components that together give the Policy Engine its authoritative answer to <strong>&#8220;who is this, and can I verify it cryptographically?&#8221;<\/strong> Without them, the PE has no trust anchor for identity \u2014 and in ZTA, unverified identity means no access, regardless of network location.<\/div>\n  <h3>Identity Management System (IDMS) \u2014 \u00a73.1.1<\/h3>\n  <div class=\"prose\">The IDMS is responsible for <strong>creating, storing, and managing identity information<\/strong> for all subjects. It is what the PE queries to resolve a claimed identity into a verified set of attributes.<\/div>\n  <div class=\"sr\"><span class=\"st tid\">IdP<\/span><div class=\"si\"><div class=\"sn\">Identity assertions<\/div><div class=\"sd\">The authoritative binding of a credential to a subject, issued by the Identity Provider. The PE trusts the IdP&#8217;s assertion \u2014 not the credential the subject presents directly. Delivered as SAML assertions or OIDC tokens.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tid\">RBAC<\/span><div class=\"si\"><div class=\"sn\">Role and attribute data<\/div><div class=\"sd\">Group memberships, entitlements, job function, clearance level, organizational unit. 
These map directly to the access policy rules the PE evaluates for each resource request.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tid\">MFA<\/span><div class=\"si\"><div class=\"sn\">MFA status &amp; credential freshness<\/div><div class=\"sd\">Whether the authentication event included a second factor, which factor type was used, and how recently it was completed. An MFA assertion 8 hours old carries less weight than one from 5 minutes ago.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tid\">PAM<\/span><div class=\"si\"><div class=\"sn\">Privileged account flags<\/div><div class=\"sd\">PAM integration surfaces whether a subject is using a privileged account, whether it was checked out from a vault, and whether it has time-bounded access. Privileged sessions are higher-risk by policy regardless of other signals.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tid\">FED<\/span><div class=\"si\"><div class=\"sn\">Federated identity<\/div><div class=\"sd\">For global enterprises, subjects may authenticate through partner IdPs or regional directories. IDMS handles federation (SAML and OIDC for assertions, SCIM for account provisioning) and presents a normalized assertion to the PE regardless of upstream source.<\/div><\/div><\/div>\n  <h3>Public Key Infrastructure (PKI) \u2014 \u00a73.1.3<\/h3>\n  <div class=\"prose\">PKI is the <strong>cryptographic verification layer<\/strong> beneath identity assertions. Where IDMS tells the PE <em>who<\/em> a subject claims to be, PKI lets the PE verify that claim <strong>cryptographically<\/strong> \u2014 a signature that cannot be produced without the corresponding private key. ZTA requires mutual authentication \u2014 the subject authenticates to the PE\/PA, and the PE\/PA authenticates back. PKI is the foundation of that mutual authentication.<\/div>\n  <div class=\"sr\"><span class=\"st tdev\">CERT<\/span><div class=\"si\"><div class=\"sn\">Device certificates (X.509)<\/div><div class=\"sd\">Every managed device carries an enterprise-issued certificate. 
The PEP validates this certificate during session establishment. This is the primary mechanism distinguishing managed from unmanaged devices.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tdev\">OCSP<\/span><div class=\"si\"><div class=\"sn\">Certificate validity &amp; revocation (OCSP\/CRL)<\/div><div class=\"sd\">The PE queries OCSP responders or checks CRLs in real time. A revoked certificate results in immediate denial regardless of all other signals \u2014 one of the fastest enforcement mechanisms in ZTA.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tdev\">mTLS<\/span><div class=\"si\"><div class=\"sn\">Mutual TLS session authentication<\/div><div class=\"sd\">All communication between subjects and the PEP uses mTLS. PKI issues the certificates that make mTLS work. A successful mTLS handshake is part of what the PE considers when determining session integrity.<\/div><\/div><\/div>\n  <h3>Combined signal in the trust algorithm<\/h3>\n  <table><thead><tr><th>Signal<\/th><th>Source<\/th><th>What the PE learns<\/th><\/tr><\/thead><tbody>\n    <tr><td>IdP assertion + MFA<\/td><td>IDMS<\/td><td>Who the user is, how strongly authenticated<\/td><\/tr>\n    <tr><td>Role &amp; entitlement<\/td><td>IDMS<\/td><td>What they&#8217;re allowed to access by policy<\/td><\/tr>\n    <tr><td>Device certificate validity<\/td><td>PKI (OCSP)<\/td><td>Is this a managed, enterprise-issued device?<\/td><\/tr>\n    <tr><td>Certificate revocation status<\/td><td>PKI (CRL)<\/td><td>Has this device been removed from trust?<\/td><\/tr>\n    <tr><td>mTLS handshake success<\/td><td>PKI<\/td><td>Is the session cryptographically authentic?<\/td><\/tr>\n    <tr><td>Credential freshness<\/td><td>IDMS<\/td><td>How recently was identity asserted?<\/td><\/tr>\n  <\/tbody><\/table>\n  <div class=\"ib r\"><div class=\"ibt\">Valid IdP assertion + revoked device cert = denied<\/div><div class=\"ibb\">The PE requires both signal layers to be clean. 
A valid identity assertion from a device with a revoked certificate is denied \u2014 the PKI failure overrides the identity assertion. A valid device certificate with a weak identity assertion (no MFA) is blocked for sensitive resources. Neither dimension can compensate for the other.<\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('pe')\">Policy engine<\/span><span class=\"rl\" onclick=\"nav('cdm')\">CDM system<\/span><span class=\"rl\" onclick=\"nav('trust')\">Trust algorithm<\/span><span class=\"rl\" onclick=\"nav('subject')\">Subject<\/span><\/div><\/div>\n<\/div>\n\n<!-- CDM -->\n<div class=\"panel\" id=\"panel-cdm\">\n  <div class=\"p-eye\">NIST SP 800-207 \u00a73.1.2<\/div>\n  <div class=\"p-title\">CDM <span>System<\/span><\/div>\n  <div class=\"p-sub\">Continuous Diagnostics &amp; Mitigation \u2014 real-time device posture for the Policy Engine<\/div>\n  <div class=\"prose\">The CDM system provides the Policy Engine with <strong>continuous, real-time data about the current state of enterprise assets<\/strong>. Unlike a point-in-time compliance check at login, CDM is an ongoing telemetry stream. If a device&#8217;s posture changes mid-session \u2014 a patch becomes uninstalled, an EDR agent stops reporting, a new vulnerability is disclosed \u2014 CDM surfaces that change, and the PE can act on it.<\/div>\n  <h3>What CDM feeds to the Policy Engine<\/h3>\n  <div class=\"sr\"><span class=\"st tdev\">PATCH<\/span><div class=\"si\"><div class=\"sn\">Software inventory &amp; patch level<\/div><div class=\"sd\">Current installed software versions, outstanding patches, and active CVEs. 
When a new critical vulnerability is disclosed, CDM correlates it against device software inventories and flags non-compliant devices immediately \u2014 without waiting for the next login.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tdev\">EDR<\/span><div class=\"si\"><div class=\"sn\">Endpoint Detection &amp; Response status<\/div><div class=\"sd\">Whether the EDR agent is active and reporting, last scan timestamp, active alerts, and detection events. An EDR agent that goes silent is treated as a posture failure \u2014 the PE reduces trust for that device until it resumes reporting.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tdev\">MDM<\/span><div class=\"si\"><div class=\"sn\">MDM enrollment &amp; compliance state<\/div><div class=\"sd\">Whether the device is enrolled in MDM, current compliance (screen lock, encryption, approved app list), and MDM-reported health. Unenrolled devices are treated as unmanaged regardless of user identity strength.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tdev\">CERT<\/span><div class=\"si\"><div class=\"sn\">Certificate &amp; configuration state<\/div><div class=\"sd\">Enterprise certificate presence and validity on the device. Configuration compliance: firewall enabled, disk encryption active, approved browser\/runtime versions, no unauthorized remote access tools.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tdev\">IoC<\/span><div class=\"si\"><div class=\"sn\">IoC correlation<\/div><div class=\"sd\">CDM correlates device process, file, and network telemetry against threat intelligence IoC feeds. 
A device running a process matching a known malware hash, or communicating with a C2 domain, is flagged as compromised immediately.<\/div><\/div><\/div>\n  <div class=\"ib\"><div class=\"ibt\">CDM is Tenet T-05 in practice<\/div><div class=\"ibb\">Tenet T-05 requires the enterprise to <strong>monitor and measure the integrity of all assets continuously<\/strong> \u2014 not at login time, but throughout the asset lifecycle. CDM is the infrastructure that makes T-05 operational. It transforms the abstract principle of continuous monitoring into a concrete data feed the PE can act on in real time.<\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('pe')\">Policy engine<\/span><span class=\"rl\" onclick=\"nav('idms')\">IDMS &amp; PKI<\/span><span class=\"rl\" onclick=\"nav('threat')\">Threat intelligence<\/span><span class=\"rl\" onclick=\"nav('subject')\">Subject<\/span><\/div><\/div>\n<\/div>\n\n<!-- THREAT -->\n<div class=\"panel\" id=\"panel-threat\">\n  <div class=\"p-eye\">NIST SP 800-207 \u00a73.1.4<\/div>\n  <div class=\"p-title\">Threat <span>Intelligence<\/span><\/div>\n  <div class=\"p-sub\">External context that adjusts the Policy Engine&#8217;s trust score in real time<\/div>\n  <div class=\"prose\">Threat intelligence is one of the external data sources the PE consults <strong>at the moment of access evaluation<\/strong> \u2014 not as a post-incident tool, but as a live signal that shapes the trust score before a session is granted. The PE doesn&#8217;t store or generate threat intel; it queries external feeds as part of the trust algorithm alongside CDM, identity, and behavioral data. 
It is the PE&#8217;s window into the <strong>broader threat landscape<\/strong> it couldn&#8217;t derive from enterprise telemetry alone.<\/div>\n  <h3>What the Policy Engine consumes<\/h3>\n  <div class=\"sr\"><span class=\"st tbeh\">IP\/DOM<\/span><div class=\"si\"><div class=\"sn\">IP and domain reputation<\/div><div class=\"sd\">If a subject&#8217;s observed egress or the resource being requested is associated with known malicious infrastructure, the PE factors that into the trust score. A request from a TOR exit node or recently-flagged ASN raises risk even if identity and device signals are clean.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tbeh\">IoC<\/span><div class=\"si\"><div class=\"sn\">Indicator-of-compromise feeds<\/div><div class=\"sd\">Hashes, signatures, and behavioral patterns associated with known malware or attack tooling. When combined with a CDM hit (device running matching process), the PE denies or steps down access immediately.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tbeh\">CVE<\/span><div class=\"si\"><div class=\"sn\">Vulnerability intelligence<\/div><div class=\"sd\">CVE feeds correlated against device software inventory from CDM. A device running an actively-exploited unpatched vulnerability gets reduced trust even if its posture check otherwise passes. PE response scales with CVSS score and exploit availability.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tbeh\">SIEM<\/span><div class=\"si\"><div class=\"sn\">SIEM correlation output<\/div><div class=\"sd\">The most dynamic input. The SIEM aggregates activity log telemetry and correlates against threat patterns in near-real time. 
When a rule fires \u2014 credential stuffing, impossible travel, lateral movement \u2014 the SIEM surfaces an elevated risk signal to the PE immediately.<\/div><\/div><\/div>\n  <h3>Impact on trust score<\/h3>\n  <div class=\"or grant\"><div class=\"od g\"><\/div><div><div class=\"ol\">No threat signal<\/div><div class=\"oc\">Neutral weight. Other signals dominate. Access proceeds normally if all other factors pass.<\/div><\/div><\/div>\n  <div class=\"or step\"><div class=\"od s\"><\/div><div><div class=\"ol\">Low-confidence hit<\/div><div class=\"oc\">E.g., shared IP on a blocklist. PE may still grant access but require step-up MFA, or flag the session for enhanced monitoring.<\/div><\/div><\/div>\n  <div class=\"or deny\"><div class=\"od d\"><\/div><div><div class=\"ol\">High-confidence hit<\/div><div class=\"oc\">E.g., device IoC match or SIEM anomaly correlation. PE denies access or revokes an active session; PA commands PEP to terminate the tunnel immediately.<\/div><\/div><\/div>\n  <div class=\"ib g\"><div class=\"ibt\">The continuous feedback loop<\/div><div class=\"ibb\">Threat intelligence isn&#8217;t evaluated once at login. The activity log feeds the SIEM, the SIEM correlates against threat feeds, and if the risk picture changes mid-session, that signal flows back to the PE. The PE re-evaluates, the PA issues a revoke command, and the PEP tears down the tunnel \u2014 without waiting for the session to end. 
This is what makes Tenet T-06&#8217;s requirement for &#8220;dynamic&#8221; authorization operationally meaningful.<\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('pe')\">Policy engine<\/span><span class=\"rl\" onclick=\"nav('actlog')\">Activity log<\/span><span class=\"rl\" onclick=\"nav('cdm')\">CDM system<\/span><span class=\"rl\" onclick=\"nav('trust')\">Trust algorithm<\/span><\/div><\/div>\n<\/div>\n\n<!-- ACTIVITY LOG -->\n<div class=\"panel\" id=\"panel-actlog\">\n  <div class=\"p-eye\">NIST SP 800-207 \u00a73.1.4<\/div>\n  <div class=\"p-title\">Activity <span>Log<\/span><\/div>\n  <div class=\"p-sub\">The enterprise&#8217;s behavioral memory \u2014 audit, analytics, and Policy Engine feedback<\/div>\n  <div class=\"prose\">The activity log is what NIST \u00a73.1.4 describes as the enterprise&#8217;s mechanism for collecting and storing all network traffic and access request data \u2014 not as a passive audit trail, but as an <strong>active input to the trust algorithm<\/strong>. The PE&#8217;s access decisions improve over time as behavioral baselines accumulate. The activity log is the memory that makes that possible.<\/div>\n  <h3>What the PEP reports<\/h3>\n  <div class=\"sr\"><span class=\"st tpep\">SESSION<\/span><div class=\"si\"><div class=\"sn\">Per-session telemetry<\/div><div class=\"sd\">Source identity and device, timestamp, resource requested, session token used, bytes transferred, session duration, and termination reason (normal close, revocation, timeout, anomaly). 
The raw record of every authorized access event.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tpep\">ANOMALY<\/span><div class=\"si\"><div class=\"sn\">Anomaly indicators<\/div><div class=\"sd\">Unusual access times, atypical data volumes, lateral movement patterns (single subject hitting many resources in sequence), protocol deviations, new destination IPs mid-session, sudden changes in access velocity.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tpep\">AUTH<\/span><div class=\"si\"><div class=\"sn\">Authentication events<\/div><div class=\"sd\">MFA challenges issued, step-up auth triggers, failed authentication attempts, and credential anomalies detected mid-session. Critical inputs for UEBA behavioral baseline modeling.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tpep\">POLICY<\/span><div class=\"si\"><div class=\"sn\">Policy evaluation results<\/div><div class=\"sd\">Every grant, deny, and revocation the PEP enforces, along with which policy rule triggered it. The audit trail for compliance and the dataset for policy refinement over time.<\/div><\/div><\/div>\n  <h3>Where the telemetry flows<\/h3>\n  <div class=\"or grant\"><div class=\"od g\"><\/div><div><div class=\"ol\">Back to the Policy Engine<\/div><div class=\"oc\">The PE uses historical behavioral data as one of its five trust algorithm inputs. A subject whose access patterns match their historical baseline gets higher trust; anomalies suppress it.<\/div><\/div><\/div>\n  <div class=\"or step\"><div class=\"od s\"><\/div><div><div class=\"ol\">To SIEM \/ UEBA<\/div><div class=\"oc\">Activity logs are routed to security analytics tools for correlation with threat intelligence. 
When a SIEM rule fires, the elevated risk signal flows to the PE for re-evaluation \u2014 triggering mid-session revocation if needed.<\/div><\/div><\/div>\n  <div class=\"ib g\"><div class=\"ibt\">Tenet T-07 \u2014 the activity log is its implementation<\/div><div class=\"ibb\">NIST \u00a72.1 T-07 states that the enterprise <strong>&#8220;collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.&#8221;<\/strong> ZTA isn&#8217;t a static gate \u2014 it&#8217;s a continuously learning system. The PEP&#8217;s telemetry flowing into the activity log closes that loop. Because the log is itself a trust-algorithm input, it is also a target: NIST \u00a75.5 notes that stored system and network information must be protected from unauthorized access and tampering, so log integrity (authenticated PEP reporting, tamper-evident storage) is a precondition for trusting any decision derived from it.<\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('pep')\">Policy enforcement point<\/span><span class=\"rl\" onclick=\"nav('threat')\">Threat intelligence<\/span><span class=\"rl\" onclick=\"nav('pe')\">Policy engine<\/span><span class=\"rl\" onclick=\"nav('tenets')\">Seven tenets<\/span><\/div><\/div>\n<\/div>\n\n<!-- TRUST ALGORITHM -->\n<div class=\"panel\" id=\"panel-trust\">\n  <div class=\"p-eye\">NIST SP 800-207 \u00a73.3 \u00b7 \u00a73.4<\/div>\n  <div class=\"p-title\">Trust <span>Algorithm<\/span><\/div>\n  <div class=\"p-sub\">How the Policy Engine computes a trust score and renders an access decision<\/div>\n  <div class=\"prose\">The trust algorithm is the core computational function of the PE. It takes multiple input signals, scores them against access policy thresholds, and produces a confidence level for the subject-device-resource tuple. NIST \u00a73.3 describes this as a function of <strong>observable information about subjects, devices, and the enterprise environment<\/strong> evaluated against policy rules. 
The result is a confidence level that maps to grant, deny, or step-up \u2014 not a simple binary.<\/div>\n  <h3>Five input signals<\/h3>\n  <div class=\"sr\"><span class=\"st tid\">IDENTITY<\/span><div class=\"si\"><div class=\"sn\">Subject identity &amp; credentials<\/div><div class=\"sd\">IdP-asserted identity, MFA status and factor type, credential freshness, privileged account flags, federated assertions. The strongest identity signal combines a hardware MFA factor with a recently-issued IdP assertion.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tdev\">DEVICE<\/span><div class=\"si\"><div class=\"sn\">Device health &amp; posture<\/div><div class=\"sd\">CDM telemetry: patch level, EDR status, device certificate validity, OS compliance, MDM enrollment. Often binary in practice \u2014 managed and compliant, or not.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tnet\">NETWORK<\/span><div class=\"si\"><div class=\"sn\">Network location &amp; context<\/div><div class=\"sd\">Source IP, geolocation, time-of-day, network path. <strong>Contextual signal only.<\/strong> It modulates other signals (anomalous location reduces trust) but can never on its own <em>grant<\/em> access. Policy may still use it as a hard deny condition (a blocked geography, a known-malicious egress) \u2014 that is a restriction, not a source of trust.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tres\">RESOURCE<\/span><div class=\"si\"><div class=\"sn\">Resource sensitivity<\/div><div class=\"sd\">Data classification, criticality, required assurance level. A high-sensitivity resource raises the thresholds all other signals must meet. A low-sensitivity resource permits weaker signals to succeed.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tbeh\">BEHAVIOR<\/span><div class=\"si\"><div class=\"sn\">Behavioral &amp; threat intelligence<\/div><div class=\"sd\">UEBA baselines, historical patterns, threat feed hits, SIEM correlation. 
The dynamic signal \u2014 continuously updated, triggers mid-session re-evaluation when it changes significantly.<\/div><\/div><\/div>\n  <h3>Access outcomes<\/h3>\n  <div class=\"or grant\"><div class=\"od g\"><\/div><div><div class=\"ol\">Grant access<\/div><div class=\"oc\">All signals pass their respective thresholds for the resource requested. PA issues a session token to the PEP. Access scope is limited to the minimum required per Tenet T-03.<\/div><\/div><\/div>\n  <div class=\"or deny\"><div class=\"od d\"><\/div><div><div class=\"ol\">Deny access<\/div><div class=\"oc\">One or more signals fail their threshold: unregistered device, missing MFA, anomalous behavior, IoC match, policy violation, or resource classification exceeds subject clearance. No token issued.<\/div><\/div><\/div>\n  <div class=\"or step\"><div class=\"od s\"><\/div><div><div class=\"ol\">Step-up authentication<\/div><div class=\"oc\">Trust score is borderline, or context has changed mid-session. PE requires an additional authentication factor. If the subject satisfies the step-up, access continues. If not, the session is denied or terminated.<\/div><\/div><\/div>\n  <h3>Policy constraints \u2014 \u00a73.4<\/h3>\n  <div class=\"sr\"><span class=\"st tid\">IDENTITY<\/span><div class=\"si\"><div class=\"sn\">No access without verified MFA-asserted identity<\/div><div class=\"sd\">Access is denied if the subject cannot present a current, IdP-verified assertion with MFA satisfied. Password-only authentication does not meet the threshold for any non-trivial resource.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tdev\">DEVICE<\/span><div class=\"si\"><div class=\"sn\">Unmanaged devices receive reduced or no access to sensitive resources<\/div><div class=\"sd\">The device signal is a hard gate for high-sensitivity resources. 
An unmanaged device cannot satisfy the device threshold regardless of identity strength.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tnet\">NETWORK<\/span><div class=\"si\"><div class=\"sn\">Network location cannot substitute for identity or device trust<\/div><div class=\"sd\">Being on the corporate LAN does not reduce identity or device requirements. No implicit trust from network proximity \u2014 Tenet T-02 is a hard constraint.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tres\">RESOURCE<\/span><div class=\"si\"><div class=\"sn\">Access scope bounded to minimum necessary<\/div><div class=\"sd\">The session token is scoped to the specific resource and action requested. Over-provisioning is a policy violation. Least-privilege is enforced at the token level.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tbeh\">BEHAVIOR<\/span><div class=\"si\"><div class=\"sn\">All decisions and session activity are logged<\/div><div class=\"sd\">Every grant, deny, and revocation is recorded. 
Both a compliance requirement and the data that continuously improves the behavioral baseline used in future trust evaluations.<\/div><\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('pe')\">Policy engine<\/span><span class=\"rl\" onclick=\"nav('idms')\">IDMS &amp; PKI<\/span><span class=\"rl\" onclick=\"nav('cdm')\">CDM system<\/span><span class=\"rl\" onclick=\"nav('threat')\">Threat intelligence<\/span><span class=\"rl\" onclick=\"nav('actlog')\">Activity log<\/span><\/div><\/div>\n<\/div>\n\n<!-- PLANES -->\n<div class=\"panel\" id=\"panel-planes\">\n  <div class=\"p-eye\">NIST SP 800-207 \u00a73.0<\/div>\n  <div class=\"p-title\">Control <span>&amp; Data<\/span> Planes<\/div>\n  <div class=\"p-sub\">The architectural separation that makes ZTA enforcement tamper-resistant<\/div>\n  <div class=\"prose\">One of ZTA&#8217;s most critical architectural properties is the <strong>strict separation of the control plane from the data plane<\/strong>. The control plane carries policy decisions, session tokens, and revocation commands. The data plane carries user traffic. They share no channel. 
A compromised subject session on the data plane cannot observe or inject the control-plane signals that govern its own access. The separation is logical, not a guarantee of unreachability: the subject still talks to the control plane to authenticate, so the PE\/PA interfaces it can reach must themselves be hardened against subversion and denial of service (NIST \u00a75.1\u2013\u00a75.2).<\/div>\n  <div class=\"pg\" style=\"margin-top:18px\">\n    <div class=\"pb\">\n      <div class=\"pbg c\">Control plane<\/div>\n      <div class=\"pbn\">Policy &amp; trust signaling<\/div>\n      <div class=\"pi\"><strong>PE\u2192PA trust decisions<\/strong> \u2014 computed grants or denials passed from Policy Engine to Policy Administrator<\/div>\n      <div class=\"pi\"><strong>PA\u2192PEP command channel<\/strong> \u2014 session establishment and termination commands, out-of-band from all user data<\/div>\n      <div class=\"pi\"><strong>Subject authentication flows<\/strong> \u2014 identity verification, MFA challenges, device posture attestation<\/div>\n      <div class=\"pi\"><strong>CDM &amp; IDMS feeds<\/strong> \u2014 continuous device telemetry and identity data for dynamic PE re-evaluation<\/div>\n      <div class=\"pi\"><strong>Mutually authenticated, TLS 1.3+<\/strong> \u2014 all control plane communications are encrypted and mutually authenticated<\/div>\n    <\/div>\n    <div class=\"pb\">\n      <div class=\"pbg d\">Data plane<\/div>\n      <div class=\"pbn\">Resource access traffic<\/div>\n      <div class=\"pi\"><strong>Subject \u2194 Resource traffic<\/strong> \u2014 all application, API, data, and service communication after authorization<\/div>\n      <div class=\"pi\"><strong>PEP as the exclusive boundary<\/strong> \u2014 the PEP sits inline; no path to resources may exist outside the PEP, regardless of network topology. This has to be enforced at the resource side (accept only mutually authenticated connections that originate from the PEP) \u2014 topology alone does not guarantee it<\/div>\n      <div class=\"pi\"><strong>Session tokens enforced<\/strong> \u2014 the PEP validates the PA-issued token for every resource transaction<\/div>\n      <div class=\"pi\"><strong>Continuous monitoring<\/strong> \u2014 all data plane traffic is logged; anomalies trigger control plane re-evaluation<\/div>\n      <div class=\"pi\"><strong>Encrypted in 
transit<\/strong> \u2014 subject\u2194resource traffic is secured regardless of network location (Tenet T-02); encryption on the wire by itself confers no trust \u2014 authorization still comes only from the PEP&#8217;s token check<\/div>\n    <\/div>\n  <\/div>\n  <div class=\"ib\" style=\"margin-top:14px\"><div class=\"ibt\">Why the separation matters<\/div><div class=\"ibb\">If the control and data planes were co-mingled, a compromised session could observe PA commands, replay session tokens, or inject false telemetry into the activity log. The separation limits a compromised endpoint to what its own authorized session can do \u2014 and that session can be revoked by the PA the moment the PE detects the compromise from CDM or SIEM signals, because the data-plane session cannot suppress or forge that command. One caveat: where the PEP is split into a subject-side agent and a resource-side gateway, the agent runs on the very endpoint that may be compromised, so its enforcement and its telemetry cannot be relied on. Token validation and revocation must also be enforced at the resource-side gateway, and a compromise that holds a valid session is bounded only by that session&#8217;s scope \u2014 contained, not eliminated.<\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('pa')\">Policy administrator<\/span><span class=\"rl\" onclick=\"nav('pep')\">Policy enforcement point<\/span><span class=\"rl\" onclick=\"nav('pe')\">Policy engine<\/span><span class=\"rl\" onclick=\"nav('deploy')\">Deployment models<\/span><\/div><\/div>\n<\/div>\n\n<!-- DEPLOY -->\n<div class=\"panel\" id=\"panel-deploy\">\n  <div class=\"p-eye\">NIST SP 800-207 \u00a73.1<\/div>\n  <div class=\"p-title\">Deployment <span>Models<\/span><\/div>\n  <div class=\"p-sub\">Three NIST-defined approaches \u2014 not mutually exclusive, most mature deployments combine all three<\/div>\n  <div class=\"prose\">NIST \u00a73.1 defines three deployment approaches, each emphasizing a different primary enforcement mechanism. The approaches are defined by <strong>where and how the PEP function is implemented<\/strong>, not by vendor. 
Most enterprises combine elements of all three.<\/div>\n  <div class=\"cg cg3\" style=\"margin-top:18px\">\n    <div class=\"dc\"><div class=\"di\">\ud83e\udeaa<\/div><div class=\"dt\">Identity-based segmentation<\/div><div class=\"ds\">Enhanced identity governance<\/div><div class=\"dxt\">Access policy based primarily on the identity of the user or service. Network location is insufficient for access decisions. The IdP and PAM system are the primary enforcement infrastructure.<\/div><ul class=\"dl\"><li>Strong IdP, PAM, and MFA enforced universally<\/li><li>Least-privilege assigned per-role, per-session<\/li><li>Service accounts governed identically to users<\/li><li>Federated identity (SAML, OIDC) for external users<\/li><li>Best fit: enterprises with mature IAM programs<\/li><\/ul><\/div>\n    <div class=\"dc\"><div class=\"di\">\ud83d\udd2c<\/div><div class=\"dt\">Micro-segmentation<\/div><div class=\"ds\">Workload &amp; network segmentation<\/div><div class=\"dxt\">Individual workloads placed in separate micro-segments with independent security gateways. Each segment enforces access policy independently, limiting blast radius of any single compromise.<\/div><ul class=\"dl\"><li>NGFWs or SDN-based policy enforcement<\/li><li>East-west traffic controlled at workload level<\/li><li>Policy applied at network, OS, and app layers<\/li><li>Eliminates implicit trust from network adjacency<\/li><li>Best fit: data centers and cloud workloads<\/li><\/ul><\/div>\n    <div class=\"dc\"><div class=\"di\">\ud83c\udf10<\/div><div class=\"dt\">Software-defined perimeter<\/div><div class=\"ds\">Network-based (SDP \/ ZTNA)<\/div><div class=\"dxt\">Network infrastructure acts as a policy enforcement agent. Dynamic, per-session tunnels connect authenticated subjects to authorized resources only. 
Resources are dark to unauthenticated subjects.<\/div><ul class=\"dl\"><li>ZTNA overlay replaces traditional VPN perimeter<\/li><li>Resources have no publicly-resolvable presence<\/li><li>Per-session tunnels scoped to identity + device posture<\/li><li>Centralized PE\/PA controls distributed PEPs<\/li><li>Best fit: remote access and multi-cloud environments<\/li><\/ul><\/div>\n  <\/div>\n  <div class=\"ib a\" style=\"margin-top:14px\"><div class=\"ibt\">Combining all three<\/div><div class=\"ibb\">Most mature ZTA implementations combine all three deployment models. <strong>ZTNA \/ SDP<\/strong> handles north-south remote access, <strong>microsegmentation<\/strong> addresses east-west workload isolation, and <strong>identity governance with application-layer controls<\/strong> enforces fine-grained access policy \u2014 each model targeting a distinct attack surface.<\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('pep')\">Policy enforcement point<\/span><span class=\"rl\" onclick=\"nav('planes')\">Control &amp; data planes<\/span><span class=\"rl\" onclick=\"nav('trust')\">Trust algorithm<\/span><\/div><\/div>\n<\/div>\n\n<!-- LOGICAL ARCHITECTURE -->\n<div class=\"panel\" id=\"panel-logical\">\n  <div class=\"p-eye\">NIST SP 800-207 \u00a73.0 \u2014 Structural view<\/div>\n  <div class=\"p-title\">Logical <span>Architecture<\/span><\/div>\n  <div class=\"p-sub\">Component groupings, trust relationships, and plane boundaries<\/div>\n  <div class=\"prose\">This diagram organises the NIST \u00a73.0 components into three structural tiers: <strong>supporting infrastructure<\/strong> that feeds signals to the decision engine, the <strong>ZTA core<\/strong> (PE + PA) that computes and dispatches decisions, and the <strong>enforcement path<\/strong> where subjects traverse the PEP to reach resources. 
Arrows show the direction of authority and data \u2014 not network routing.<\/div>\n\n  <div class=\"diag\" style=\"margin-top:20px\">\n    <svg width=\"100%\" viewBox=\"0 0 800 560\" style=\"display:block\">\n      <defs>\n        <marker id=\"a1\" viewBox=\"0 0 10 10\" refX=\"8\" refY=\"5\" markerWidth=\"5\" markerHeight=\"5\" orient=\"auto\"><path d=\"M2 1L8 5L2 9\" fill=\"none\" stroke=\"#4d6780\" stroke-width=\"1.6\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/marker>\n        <marker id=\"a2\" viewBox=\"0 0 10 10\" refX=\"8\" refY=\"5\" markerWidth=\"5\" markerHeight=\"5\" orient=\"auto\"><path d=\"M2 1L8 5L2 9\" fill=\"none\" stroke=\"#1a7fd4\" stroke-width=\"1.6\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/marker>\n        <marker id=\"a3\" viewBox=\"0 0 10 10\" refX=\"8\" refY=\"5\" markerWidth=\"5\" markerHeight=\"5\" orient=\"auto\"><path d=\"M2 1L8 5L2 9\" fill=\"none\" stroke=\"#8866ff\" stroke-width=\"1.6\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/marker>\n        <marker id=\"a4\" viewBox=\"0 0 10 10\" refX=\"8\" refY=\"5\" markerWidth=\"5\" markerHeight=\"5\" orient=\"auto\"><path d=\"M2 1L8 5L2 9\" fill=\"none\" stroke=\"#00cc70\" stroke-width=\"1.6\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/marker>\n        <marker id=\"a5\" viewBox=\"0 0 10 10\" refX=\"8\" refY=\"5\" markerWidth=\"5\" markerHeight=\"5\" orient=\"auto\"><path d=\"M2 1L8 5L2 9\" fill=\"none\" stroke=\"#ffb300\" stroke-width=\"1.6\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/marker>\n        <marker id=\"a6\" viewBox=\"0 0 10 10\" refX=\"8\" refY=\"5\" markerWidth=\"5\" markerHeight=\"5\" orient=\"auto\"><path d=\"M2 1L8 5L2 9\" fill=\"none\" stroke=\"#e84848\" stroke-width=\"1.6\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/marker>\n      <\/defs>\n\n      <!-- \u2500\u2500 TIER LABELS \u2500\u2500 -->\n      <text x=\"10\" y=\"44\" font-family=\"IBM Plex Mono\" font-size=\"8\" font-weight=\"700\" 
fill=\"#00b4a8\" letter-spacing=\"2\" opacity=\".7\">TIER 1 \u2014 SUPPORTING INFRASTRUCTURE<\/text>\n      <text x=\"10\" y=\"210\" font-family=\"IBM Plex Mono\" font-size=\"8\" font-weight=\"700\" fill=\"#1a7fd4\" letter-spacing=\"2\" opacity=\".7\">TIER 2 \u2014 ZTA CORE  (CONTROL PLANE)<\/text>\n      <text x=\"10\" y=\"380\" font-family=\"IBM Plex Mono\" font-size=\"8\" font-weight=\"700\" fill=\"#00cc70\" letter-spacing=\"2\" opacity=\".7\">TIER 3 \u2014 ENFORCEMENT PATH  (DATA PLANE)<\/text>\n\n      <!-- \u2500\u2500 TIER BACKGROUNDS \u2500\u2500 -->\n      <rect x=\"8\" y=\"50\" width=\"764\" height=\"142\" rx=\"4\" fill=\"rgba(0,180,168,.03)\" stroke=\"#00b4a8\" stroke-width=\".6\" stroke-dasharray=\"5,3\" opacity=\".5\"\/>\n      <rect x=\"8\" y=\"216\" width=\"764\" height=\"144\" rx=\"4\" fill=\"rgba(26,127,212,.03)\" stroke=\"#1a7fd4\" stroke-width=\".6\" stroke-dasharray=\"5,3\" opacity=\".5\"\/>\n      <rect x=\"8\" y=\"386\" width=\"764\" height=\"148\" rx=\"4\" fill=\"rgba(0,204,112,.03)\" stroke=\"#00cc70\" stroke-width=\".6\" stroke-dasharray=\"5,3\" opacity=\".5\"\/>\n\n      <!-- \u2500\u2500 TIER 1: INFRASTRUCTURE \u2500\u2500 -->\n      <!-- IDMS -->\n      <g class=\"an\" onclick=\"nav('idms')\">\n        <rect x=\"28\" y=\"68\" width=\"160\" height=\"106\" rx=\"3\" fill=\"#0d1420\" stroke=\"#00b4a8\" stroke-width=\"1\"\/>\n        <rect x=\"28\" y=\"68\" width=\"160\" height=\"4\" rx=\"2\" fill=\"#00b4a8\" opacity=\".8\"\/>\n        <text x=\"108\" y=\"92\" text-anchor=\"middle\" font-family=\"Barlow Condensed\" font-size=\"15\" font-weight=\"700\" fill=\"#fff\">IDMS<\/text>\n        <text x=\"108\" y=\"107\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#40d8d0\">Identity management<\/text>\n        <text x=\"108\" y=\"122\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">IdP assertions \u00b7 RBAC<\/text>\n        <text x=\"108\" y=\"137\" text-anchor=\"middle\" 
font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">MFA status \u00b7 PAM \u00b7 Fed<\/text>\n        <text x=\"108\" y=\"152\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#4d6780\">\u00a73.1.1<\/text>\n      <\/g>\n      <!-- PKI -->\n      <g class=\"an\" onclick=\"nav('idms')\">\n        <rect x=\"204\" y=\"68\" width=\"150\" height=\"106\" rx=\"3\" fill=\"#0d1420\" stroke=\"#00b4a8\" stroke-width=\"1\"\/>\n        <rect x=\"204\" y=\"68\" width=\"150\" height=\"4\" rx=\"2\" fill=\"#00b4a8\" opacity=\".8\"\/>\n        <text x=\"279\" y=\"92\" text-anchor=\"middle\" font-family=\"Barlow Condensed\" font-size=\"15\" font-weight=\"700\" fill=\"#fff\">PKI<\/text>\n        <text x=\"279\" y=\"107\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#40d8d0\">Crypto verification<\/text>\n        <text x=\"279\" y=\"122\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">X.509 device certs<\/text>\n        <text x=\"279\" y=\"137\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">OCSP\/CRL \u00b7 mTLS<\/text>\n        <text x=\"279\" y=\"152\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#4d6780\">\u00a73.1.3<\/text>\n      <\/g>\n      <!-- CDM -->\n      <g class=\"an\" onclick=\"nav('cdm')\">\n        <rect x=\"370\" y=\"68\" width=\"150\" height=\"106\" rx=\"3\" fill=\"#0d1420\" stroke=\"#00b4a8\" stroke-width=\"1\"\/>\n        <rect x=\"370\" y=\"68\" width=\"150\" height=\"4\" rx=\"2\" fill=\"#00b4a8\" opacity=\".8\"\/>\n        <text x=\"445\" y=\"92\" text-anchor=\"middle\" font-family=\"Barlow Condensed\" font-size=\"15\" font-weight=\"700\" fill=\"#fff\">CDM<\/text>\n        <text x=\"445\" y=\"107\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#40d8d0\">Device posture<\/text>\n        <text x=\"445\" y=\"122\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">Patch 
\u00b7 EDR \u00b7 MDM<\/text>\n        <text x=\"445\" y=\"137\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">Config compliance \u00b7 IoC<\/text>\n        <text x=\"445\" y=\"152\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#4d6780\">\u00a73.1.2<\/text>\n      <\/g>\n      <!-- Threat Intel -->\n      <g class=\"an\" onclick=\"nav('threat')\">\n        <rect x=\"536\" y=\"68\" width=\"156\" height=\"106\" rx=\"3\" fill=\"#0d1420\" stroke=\"#e84848\" stroke-width=\"1\"\/>\n        <rect x=\"536\" y=\"68\" width=\"156\" height=\"4\" rx=\"2\" fill=\"#e84848\" opacity=\".7\"\/>\n        <text x=\"614\" y=\"92\" text-anchor=\"middle\" font-family=\"Barlow Condensed\" font-size=\"15\" font-weight=\"700\" fill=\"#fff\">Threat intel<\/text>\n        <text x=\"614\" y=\"107\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#ff8a80\">External feeds<\/text>\n        <text x=\"614\" y=\"122\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">IP\/domain rep \u00b7 IoC<\/text>\n        <text x=\"614\" y=\"137\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">CVE intel \u00b7 SIEM output<\/text>\n        <text x=\"614\" y=\"152\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#4d6780\">\u00a73.1.4<\/text>\n      <\/g>\n      <!-- Activity Log -->\n      <g class=\"an\" onclick=\"nav('actlog')\">\n        <rect x=\"708\" y=\"68\" width=\"56\" height=\"106\" rx=\"3\" fill=\"#0d1420\" stroke=\"#e84848\" stroke-width=\"1\"\/>\n        <rect x=\"708\" y=\"68\" width=\"56\" height=\"4\" rx=\"2\" fill=\"#e84848\" opacity=\".7\"\/>\n        <text x=\"736\" y=\"94\" text-anchor=\"middle\" font-family=\"Barlow Condensed\" font-size=\"11\" font-weight=\"700\" fill=\"#fff\">Activity<\/text>\n        <text x=\"736\" y=\"107\" text-anchor=\"middle\" font-family=\"Barlow Condensed\" font-size=\"11\" font-weight=\"700\" 
fill=\"#fff\">log<\/text>\n        <text x=\"736\" y=\"123\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"9\" fill=\"#8ba3c0\">Audit<\/text>\n        <text x=\"736\" y=\"136\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"9\" fill=\"#8ba3c0\">UEBA<\/text>\n        <text x=\"736\" y=\"152\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"9\" fill=\"#4d6780\">\u00a73.1.4<\/text>\n      <\/g>\n\n      <!-- \u2500\u2500 TIER 2: ZTA CORE \u2500\u2500 -->\n      <!-- PE -->\n      <g class=\"an\" onclick=\"nav('pe')\">\n        <rect x=\"100\" y=\"234\" width=\"258\" height=\"108\" rx=\"3\" fill=\"#0d1420\" stroke=\"#1a7fd4\" stroke-width=\"1.5\"\/>\n        <rect x=\"100\" y=\"234\" width=\"258\" height=\"5\" rx=\"2\" fill=\"#1a7fd4\"\/>\n        <text x=\"229\" y=\"263\" text-anchor=\"middle\" font-family=\"Barlow Condensed\" font-size=\"17\" font-weight=\"700\" fill=\"#fff\">Policy engine<\/text>\n        <text x=\"229\" y=\"279\" text-anchor=\"middle\" font-family=\"IBM Plex Mono\" font-size=\"8\" fill=\"#60a8f0\" letter-spacing=\"1\">PE \u00b7 \u00a73.1<\/text>\n        <text x=\"229\" y=\"297\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">Evaluates 5 signals \u2192 trust score<\/text>\n        <text x=\"229\" y=\"312\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">Grant \/ Deny \/ Step-up<\/text>\n        <text x=\"229\" y=\"330\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#4d6780\">Logical component \u2014 may co-locate with PA<\/text>\n      <\/g>\n      <!-- PA -->\n      <g class=\"an\" onclick=\"nav('pa')\">\n        <rect x=\"420\" y=\"234\" width=\"258\" height=\"108\" rx=\"3\" fill=\"#0d1420\" stroke=\"#8866ff\" stroke-width=\"1.2\"\/>\n        <rect x=\"420\" y=\"234\" width=\"258\" height=\"5\" rx=\"2\" fill=\"#8866ff\" opacity=\".85\"\/>\n        <text x=\"549\" y=\"263\" text-anchor=\"middle\" font-family=\"Barlow 
Condensed\" font-size=\"17\" font-weight=\"700\" fill=\"#fff\">Policy administrator<\/text>\n        <text x=\"549\" y=\"279\" text-anchor=\"middle\" font-family=\"IBM Plex Mono\" font-size=\"8\" fill=\"#b39dff\" letter-spacing=\"1\">PA \u00b7 \u00a73.1<\/text>\n        <text x=\"549\" y=\"297\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">Issues \/ revokes session tokens<\/text>\n        <text x=\"549\" y=\"312\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">Commands PEP via control plane<\/text>\n        <text x=\"549\" y=\"330\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#4d6780\">Out-of-band from data traffic \u00b7 mTLS<\/text>\n      <\/g>\n\n      <!-- \u2500\u2500 TIER 3: ENFORCEMENT PATH \u2500\u2500 -->\n      <!-- Subject -->\n      <g class=\"an\" onclick=\"nav('subject')\">\n        <rect x=\"28\" y=\"404\" width=\"148\" height=\"106\" rx=\"3\" fill=\"#111b2e\" stroke=\"#263d5e\" stroke-width=\"1\"\/>\n        <text x=\"102\" y=\"432\" text-anchor=\"middle\" font-family=\"Barlow Condensed\" font-size=\"16\" font-weight=\"700\" fill=\"#fff\">Subject<\/text>\n        <text x=\"102\" y=\"450\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">User + device<\/text>\n        <text x=\"102\" y=\"465\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">ZT agent (client PEP)<\/text>\n        <text x=\"102\" y=\"482\" text-anchor=\"middle\" font-family=\"IBM Plex Mono\" font-size=\"9\" fill=\"#4d6780\">NPEs included<\/text>\n        <text x=\"102\" y=\"497\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#4d6780\">\u00a73.1<\/text>\n      <\/g>\n      <!-- PEP -->\n      <g class=\"an\" onclick=\"nav('pep')\">\n        <rect x=\"240\" y=\"396\" width=\"300\" height=\"122\" rx=\"3\" fill=\"#111b2e\" stroke=\"#ffb300\" stroke-width=\"1.5\"\/>\n        <rect x=\"240\" y=\"396\" 
width=\"300\" height=\"5\" rx=\"2\" fill=\"#ffb300\" opacity=\".7\"\/>\n        <text x=\"390\" y=\"426\" text-anchor=\"middle\" font-family=\"Barlow Condensed\" font-size=\"16\" font-weight=\"700\" fill=\"#fff\">Policy enforcement point<\/text>\n        <text x=\"390\" y=\"442\" text-anchor=\"middle\" font-family=\"IBM Plex Mono\" font-size=\"8\" fill=\"#ffb300\" letter-spacing=\"1\">PEP \u00b7 \u00a73.1<\/text>\n        <text x=\"390\" y=\"460\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">Inline gateway \u2014 cannot be bypassed<\/text>\n        <text x=\"390\" y=\"476\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">Validates tokens \u00b7 enforces scope<\/text>\n        <text x=\"390\" y=\"492\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">Monitors traffic \u00b7 reports to activity log<\/text>\n        <text x=\"390\" y=\"508\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#4d6780\">Subject-side agent + resource-side gateway<\/text>\n      <\/g>\n      <!-- Resource -->\n      <g class=\"an\" onclick=\"nav('resource')\">\n        <rect x=\"604\" y=\"404\" width=\"160\" height=\"106\" rx=\"3\" fill=\"#111b2e\" stroke=\"#263d5e\" stroke-width=\"1\"\/>\n        <text x=\"684\" y=\"432\" text-anchor=\"middle\" font-family=\"Barlow Condensed\" font-size=\"16\" font-weight=\"700\" fill=\"#fff\">Resource<\/text>\n        <text x=\"684\" y=\"450\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">Apps \u00b7 APIs \u00b7 Data<\/text>\n        <text x=\"684\" y=\"465\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">Services \u00b7 Cloud<\/text>\n        <text x=\"684\" y=\"482\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#4d6780\">Dark outside PEP<\/text>\n        <text x=\"684\" y=\"497\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" 
fill=\"#4d6780\">\u00a72.1 T-01<\/text>\n      <\/g>\n\n      <!-- \u2500\u2500 ARROWS: Tier 1 \u2192 PE \u2500\u2500 -->\n      <line x1=\"108\" y1=\"174\" x2=\"200\" y2=\"234\" stroke=\"#4d6780\" stroke-width=\".9\" stroke-dasharray=\"5,3\" marker-end=\"url(#a1)\"\/>\n      <line x1=\"279\" y1=\"174\" x2=\"252\" y2=\"234\" stroke=\"#4d6780\" stroke-width=\".9\" stroke-dasharray=\"5,3\" marker-end=\"url(#a1)\"\/>\n      <path d=\"M445,174 L445,216 L280,216 L280,234\" fill=\"none\" stroke=\"#4d6780\" stroke-width=\".9\" stroke-dasharray=\"5,3\" marker-end=\"url(#a1)\"\/>\n      <line x1=\"580\" y1=\"174\" x2=\"330\" y2=\"234\" stroke=\"#4d6780\" stroke-width=\".9\" stroke-dasharray=\"5,3\" marker-end=\"url(#a1)\"\/>\n      <!-- Activity log \u2192 PE feedback (exits Activity Log left edge) -->\n      <path d=\"M708,150 L688,196 L390,196 L390,234\" fill=\"none\" stroke=\"#4d6780\" stroke-width=\".9\" stroke-dasharray=\"5,3\" marker-end=\"url(#a1)\" opacity=\".6\"\/>\n\n      <!-- \u2500\u2500 PE \u2192 PA (decision) \u2500\u2500 -->\n      <line x1=\"358\" y1=\"288\" x2=\"420\" y2=\"288\" stroke=\"#1a7fd4\" stroke-width=\"1.5\" marker-end=\"url(#a2)\"\/>\n      <text x=\"376\" y=\"282\" font-family=\"IBM Plex Mono\" font-size=\"8\" fill=\"#1a7fd4\" opacity=\".8\">decision<\/text>\n\n      <!-- \u2500\u2500 PA \u2192 PEP (command) \u2500\u2500 -->\n      <line x1=\"549\" y1=\"342\" x2=\"430\" y2=\"396\" stroke=\"#8866ff\" stroke-width=\"1.4\" marker-end=\"url(#a3)\"\/>\n      <text x=\"507\" y=\"374\" font-family=\"IBM Plex Mono\" font-size=\"8\" fill=\"#8866ff\" opacity=\".8\">enable \/ revoke<\/text>\n\n      <!-- \u2500\u2500 Subject auth \u2192 PA \u2500\u2500 -->\n      <path d=\"M102,404 L102,362 L420,362 L420,342\" fill=\"none\" stroke=\"#4d6780\" stroke-width=\".9\" stroke-dasharray=\"4,2\" marker-end=\"url(#a1)\" opacity=\".6\"\/>\n      <text x=\"200\" y=\"356\" font-family=\"IBM Plex Mono\" font-size=\"8\" fill=\"#4d6780\" opacity=\".8\">auth \/ identity 
assertion<\/text>\n\n      <!-- \u2500\u2500 Subject \u2192 PEP \u2500\u2500 -->\n      <line x1=\"176\" y1=\"457\" x2=\"240\" y2=\"457\" stroke=\"#00cc70\" stroke-width=\"1.4\" marker-end=\"url(#a4)\"\/>\n      <text x=\"182\" y=\"450\" font-family=\"IBM Plex Mono\" font-size=\"8\" fill=\"#00cc70\" opacity=\".7\">request<\/text>\n\n      <!-- \u2500\u2500 PEP \u2192 Resource \u2500\u2500 -->\n      <line x1=\"540\" y1=\"457\" x2=\"604\" y2=\"457\" stroke=\"#00cc70\" stroke-width=\"1.4\" marker-end=\"url(#a4)\"\/>\n      <text x=\"546\" y=\"450\" font-family=\"IBM Plex Mono\" font-size=\"8\" fill=\"#00cc70\" opacity=\".7\">authorized<\/text>\n\n      <!-- \u2500\u2500 PEP telemetry \u2192 Activity Log (right margin route) \u2500\u2500 -->\n      <path d=\"M540,490 L772,490 L772,121 L764,121\" fill=\"none\" stroke=\"#e84848\" stroke-width=\".9\" stroke-dasharray=\"4,2\" marker-end=\"url(#a6)\" opacity=\".4\"\/>\n      <text x=\"774\" y=\"340\" font-family=\"IBM Plex Mono\" font-size=\"8\" fill=\"#e84848\" opacity=\".5\" transform=\"rotate(-90,774,340)\">session telemetry<\/text>\n\n      <!-- \u2500\u2500 LEGEND \u2500\u2500 -->\n      <line x1=\"10\" y1=\"552\" x2=\"34\" y2=\"552\" stroke=\"#4d6780\" stroke-width=\".9\" stroke-dasharray=\"5,3\"\/>\n      <text x=\"40\" y=\"556\" font-family=\"IBM Plex Mono\" font-size=\"8.5\" fill=\"#4d6780\">signal \/ telemetry feed<\/text>\n      <line x1=\"188\" y1=\"552\" x2=\"212\" y2=\"552\" stroke=\"#1a7fd4\" stroke-width=\"1.4\"\/>\n      <text x=\"218\" y=\"556\" font-family=\"IBM Plex Mono\" font-size=\"8.5\" fill=\"#4d6780\">PE decision<\/text>\n      <line x1=\"316\" y1=\"552\" x2=\"340\" y2=\"552\" stroke=\"#8866ff\" stroke-width=\"1.4\"\/>\n      <text x=\"346\" y=\"556\" font-family=\"IBM Plex Mono\" font-size=\"8.5\" fill=\"#4d6780\">PA command<\/text>\n      <line x1=\"452\" y1=\"552\" x2=\"476\" y2=\"552\" stroke=\"#00cc70\" stroke-width=\"1.4\"\/>\n      <text x=\"482\" y=\"556\" font-family=\"IBM Plex Mono\" 
font-size=\"8.5\" fill=\"#4d6780\">authorized data flow<\/text>\n      <line x1=\"618\" y1=\"552\" x2=\"642\" y2=\"552\" stroke=\"#e84848\" stroke-width=\".9\" stroke-dasharray=\"4,2\"\/>\n      <text x=\"648\" y=\"556\" font-family=\"IBM Plex Mono\" font-size=\"8.5\" fill=\"#4d6780\">telemetry feedback<\/text>\n    <\/svg>\n    <div class=\"dcap\">Structural hierarchy \u2014 click any component to navigate \u00b7 arrows show authority and data direction, not network routing<\/div>\n  <\/div>\n\n  <h3>Reading the diagram<\/h3>\n  <div class=\"prose\"><strong>Tier 1<\/strong> feeds the Policy Engine with real-time signals \u2014 identity assertions from IDMS\/PKI, device posture from CDM, external threat context, and behavioral feedback from the activity log. None of these components enforce access on their own; they are data providers.<\/div>\n  <div class=\"prose\" style=\"margin-top:10px\"><strong>Tier 2<\/strong> is the decision and dispatch layer. The PE evaluates all incoming signals and produces a trust score. It passes its decision to the PA, which operationalizes it by commanding the PEP. The PE and PA share no data-plane visibility \u2014 they operate exclusively on the control plane.<\/div>\n  <div class=\"prose\" style=\"margin-top:10px\"><strong>Tier 3<\/strong> is the enforcement path. The Subject&#8217;s ZT agent initiates a request; the PEP intercepts, validates the session token issued by the PA, and either routes traffic to the resource or terminates it. 
The PEP then streams session telemetry back to the Activity Log, closing the feedback loop into Tier 1.<\/div>\n\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('dataflow')\">Access request data flow<\/span><span class=\"rl\" onclick=\"nav('overview')\">Overview diagram<\/span><span class=\"rl\" onclick=\"nav('planes')\">Control &amp; data planes<\/span><span class=\"rl\" onclick=\"nav('trust')\">Trust algorithm<\/span><\/div><\/div>\n<\/div>\n\n<!-- DATA FLOW -->\n<div class=\"panel\" id=\"panel-dataflow\">\n  <div class=\"p-eye\">NIST SP 800-207 \u00a73.0 \u2014 Dynamic view<\/div>\n  <div class=\"p-title\">Access Request <span>Data Flow<\/span><\/div>\n  <div class=\"p-sub\">Step-by-step lifecycle of a single access request \u2014 from initiation to session or denial<\/div>\n  <div class=\"prose\">This diagram traces the full lifecycle of an access request through the ZTA \u2014 from the subject initiating the request through authorization, enforcement, and the continuous monitoring feedback loop that can trigger mid-session revocation. Steps are numbered in sequence. 
The <strong>control plane<\/strong> (top swim lane) and <strong>data plane<\/strong> (bottom swim lane) are shown separately.<\/div>\n\n  <div class=\"diag\" style=\"margin-top:20px\">\n    <svg width=\"100%\" viewBox=\"0 0 828 680\" style=\"display:block\">\n      <defs>\n        <marker id=\"df1\" viewBox=\"0 0 10 10\" refX=\"8\" refY=\"5\" markerWidth=\"5\" markerHeight=\"5\" orient=\"auto\"><path d=\"M2 1L8 5L2 9\" fill=\"none\" stroke=\"#00d8f0\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/marker>\n        <marker id=\"df2\" viewBox=\"0 0 10 10\" refX=\"8\" refY=\"5\" markerWidth=\"5\" markerHeight=\"5\" orient=\"auto\"><path d=\"M2 1L8 5L2 9\" fill=\"none\" stroke=\"#1a7fd4\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/marker>\n        <marker id=\"df3\" viewBox=\"0 0 10 10\" refX=\"8\" refY=\"5\" markerWidth=\"5\" markerHeight=\"5\" orient=\"auto\"><path d=\"M2 1L8 5L2 9\" fill=\"none\" stroke=\"#8866ff\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/marker>\n        <marker id=\"df4\" viewBox=\"0 0 10 10\" refX=\"8\" refY=\"5\" markerWidth=\"5\" markerHeight=\"5\" orient=\"auto\"><path d=\"M2 1L8 5L2 9\" fill=\"none\" stroke=\"#00cc70\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/marker>\n        <marker id=\"df5\" viewBox=\"0 0 10 10\" refX=\"8\" refY=\"5\" markerWidth=\"5\" markerHeight=\"5\" orient=\"auto\"><path d=\"M2 1L8 5L2 9\" fill=\"none\" stroke=\"#ffb300\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/marker>\n        <marker id=\"df6\" viewBox=\"0 0 10 10\" refX=\"8\" refY=\"5\" markerWidth=\"5\" markerHeight=\"5\" orient=\"auto\"><path d=\"M2 1L8 5L2 9\" fill=\"none\" stroke=\"#e84848\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/marker>\n        <marker id=\"dfg\" viewBox=\"0 0 10 10\" refX=\"8\" refY=\"5\" markerWidth=\"5\" markerHeight=\"5\" 
orient=\"auto\"><path d=\"M2 1L8 5L2 9\" fill=\"none\" stroke=\"#4d6780\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/marker>\n      <\/defs>\n\n      <!-- \u2500\u2500 SWIM LANE BACKGROUNDS \u2500\u2500 -->\n      <!-- Lane: Subject -->\n      <rect x=\"0\" y=\"0\" width=\"828\" height=\"80\" fill=\"rgba(17,27,46,.7)\"\/>\n      <text x=\"12\" y=\"17\" font-family=\"IBM Plex Mono\" font-size=\"7.5\" font-weight=\"700\" fill=\"#4d6780\" letter-spacing=\"1.5\">SUBJECT  +  ZT AGENT<\/text>\n      <!-- Lane: Control Plane -->\n      <rect x=\"0\" y=\"80\" width=\"828\" height=\"300\" fill=\"rgba(26,127,212,.03)\"\/>\n      <rect x=\"0\" y=\"80\" width=\"3\" height=\"300\" fill=\"#1a7fd4\" opacity=\".35\"\/>\n      <text x=\"12\" y=\"97\" font-family=\"IBM Plex Mono\" font-size=\"7.5\" font-weight=\"700\" fill=\"#1a7fd4\" letter-spacing=\"1.5\" opacity=\".8\">CONTROL PLANE  \u2014  PE \u00b7 PA \u00b7 IDMS \u00b7 CDM \u00b7 THREAT INTEL<\/text>\n      <!-- Lane: Data + Feedback -->\n      <rect x=\"0\" y=\"380\" width=\"828\" height=\"300\" fill=\"rgba(0,204,112,.03)\"\/>\n      <rect x=\"0\" y=\"380\" width=\"3\" height=\"300\" fill=\"#00cc70\" opacity=\".35\"\/>\n      <text x=\"12\" y=\"397\" font-family=\"IBM Plex Mono\" font-size=\"7.5\" font-weight=\"700\" fill=\"#00cc70\" letter-spacing=\"1.5\" opacity=\".8\">DATA PLANE  \u2014  PEP \u00b7 RESOURCE \u00b7 ACTIVITY LOG \u00b7 SIEM<\/text>\n      <!-- divider -->\n      <line x1=\"0\" y1=\"80\" x2=\"828\" y2=\"80\" stroke=\"#1e2f4a\" stroke-width=\"1\"\/>\n      <line x1=\"0\" y1=\"380\" x2=\"828\" y2=\"380\" stroke=\"#1e2f4a\" stroke-width=\"1\"\/>\n\n      <!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\n           STEP NODES \u2014 numbered circles + labels\n           
\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n\n      <!-- helper macro: step circle + label -->\n      <!-- S1: Subject initiates request (subject lane) -->\n      <circle cx=\"60\" cy=\"44\" r=\"18\" fill=\"#0d1420\" stroke=\"#00d8f0\" stroke-width=\"1.5\"\/>\n      <text x=\"60\" y=\"49\" text-anchor=\"middle\" font-family=\"IBM Plex Mono\" font-size=\"13\" font-weight=\"700\" fill=\"#00d8f0\">1<\/text>\n      <text x=\"60\" y=\"72\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"9.5\" fill=\"#8ba3c0\">Access<\/text>\n      <text x=\"60\" y=\"82\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"9.5\" fill=\"#8ba3c0\">request<\/text>\n\n      <!-- S2: ZT Agent intercepts + device posture check (subject\/control boundary) -->\n      <circle cx=\"190\" cy=\"44\" r=\"18\" fill=\"#0d1420\" stroke=\"#00d8f0\" stroke-width=\"1.5\"\/>\n      <text x=\"190\" y=\"49\" text-anchor=\"middle\" font-family=\"IBM Plex Mono\" font-size=\"13\" font-weight=\"700\" fill=\"#00d8f0\">2<\/text>\n      <text x=\"190\" y=\"72\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"9.5\" fill=\"#8ba3c0\">ZT agent<\/text>\n      <text x=\"190\" y=\"82\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"9.5\" fill=\"#8ba3c0\">intercepts<\/text>\n\n      <!-- S3: Auth flow to PA (control plane top) -->\n      <circle cx=\"320\" cy=\"130\" r=\"18\" fill=\"#0d1420\" stroke=\"#1a7fd4\" stroke-width=\"1.5\"\/>\n      <text x=\"320\" y=\"135\" text-anchor=\"middle\" font-family=\"IBM Plex Mono\" font-size=\"13\" font-weight=\"700\" fill=\"#60a8f0\">3<\/text>\n      <text x=\"320\" y=\"160\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"9.5\" fill=\"#8ba3c0\">Auth flow<\/text>\n      <text x=\"320\" y=\"172\" text-anchor=\"middle\" 
font-family=\"Barlow\" font-size=\"9.5\" fill=\"#8ba3c0\">to PA<\/text>\n\n      <!-- S4: PA forwards to PE -->\n      <circle cx=\"450\" cy=\"130\" r=\"18\" fill=\"#0d1420\" stroke=\"#1a7fd4\" stroke-width=\"1.5\"\/>\n      <text x=\"450\" y=\"135\" text-anchor=\"middle\" font-family=\"IBM Plex Mono\" font-size=\"13\" font-weight=\"700\" fill=\"#60a8f0\">4<\/text>\n      <text x=\"450\" y=\"160\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"9.5\" fill=\"#8ba3c0\">PA forwards<\/text>\n      <text x=\"450\" y=\"172\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"9.5\" fill=\"#8ba3c0\">to PE<\/text>\n\n      <!-- S5a: PE queries IDMS -->\n      <circle cx=\"320\" cy=\"240\" r=\"16\" fill=\"#0d1420\" stroke=\"#00b4a8\" stroke-width=\"1.2\"\/>\n      <text x=\"320\" y=\"245\" text-anchor=\"middle\" font-family=\"IBM Plex Mono\" font-size=\"11\" font-weight=\"700\" fill=\"#40d8d0\">5a<\/text>\n      <text x=\"320\" y=\"268\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"9\" fill=\"#8ba3c0\">Query IDMS<\/text>\n      <text x=\"320\" y=\"279\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"9\" fill=\"#8ba3c0\">identity\/MFA<\/text>\n\n      <!-- S5b: PE queries CDM -->\n      <circle cx=\"450\" cy=\"240\" r=\"16\" fill=\"#0d1420\" stroke=\"#00b4a8\" stroke-width=\"1.2\"\/>\n      <text x=\"450\" y=\"245\" text-anchor=\"middle\" font-family=\"IBM Plex Mono\" font-size=\"11\" font-weight=\"700\" fill=\"#40d8d0\">5b<\/text>\n      <text x=\"450\" y=\"268\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"9\" fill=\"#8ba3c0\">Query CDM<\/text>\n      <text x=\"450\" y=\"279\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"9\" fill=\"#8ba3c0\">device posture<\/text>\n\n      <!-- S5c: PE queries Threat Intel -->\n      <circle cx=\"580\" cy=\"240\" r=\"16\" fill=\"#0d1420\" stroke=\"#e84848\" stroke-width=\"1.2\"\/>\n      <text x=\"580\" y=\"245\" text-anchor=\"middle\" font-family=\"IBM Plex Mono\" 
font-size=\"11\" font-weight=\"700\" fill=\"#ff8a80\">5c<\/text>\n      <text x=\"580\" y=\"268\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"9\" fill=\"#8ba3c0\">Query threat<\/text>\n      <text x=\"580\" y=\"279\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"9\" fill=\"#8ba3c0\">intel feeds<\/text>\n\n      <!-- S6: PE computes trust score \/ decision -->\n      <rect x=\"660\" y=\"108\" width=\"138\" height=\"64\" rx=\"3\" fill=\"#0d1420\" stroke=\"#1a7fd4\" stroke-width=\"1.5\"\/>\n      <rect x=\"660\" y=\"108\" width=\"138\" height=\"4\" rx=\"2\" fill=\"#1a7fd4\"\/>\n      <text x=\"729\" y=\"130\" text-anchor=\"middle\" font-family=\"Barlow Condensed\" font-size=\"14\" font-weight=\"700\" fill=\"#fff\">PE decision<\/text>\n      <text x=\"729\" y=\"146\" text-anchor=\"middle\" font-family=\"IBM Plex Mono\" font-size=\"8\" fill=\"#60a8f0\">Step 6<\/text>\n      <text x=\"729\" y=\"161\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"9\" fill=\"#8ba3c0\">Trust score \u2192<\/text>\n      <text x=\"729\" y=\"173\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"9\" fill=\"#8ba3c0\">Grant \/ Deny<\/text>\n\n      <!-- S7a: GRANT \u2014 PA issues token to PEP -->\n      <circle cx=\"580\" cy=\"430\" r=\"18\" fill=\"#0a1f14\" stroke=\"#00cc70\" stroke-width=\"1.5\"\/>\n      <text x=\"580\" y=\"435\" text-anchor=\"middle\" font-family=\"IBM Plex Mono\" font-size=\"13\" font-weight=\"700\" fill=\"#00cc70\">7<\/text>\n      <text x=\"580\" y=\"458\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"9.5\" fill=\"#8ba3c0\">PA issues<\/text>\n      <text x=\"580\" y=\"469\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"9.5\" fill=\"#8ba3c0\">token \u2192 PEP<\/text>\n\n      <!-- S7b: DENY \u2014 session blocked -->\n      <circle cx=\"700\" cy=\"430\" r=\"18\" fill=\"#1f0a0a\" stroke=\"#e84848\" stroke-width=\"1.5\"\/>\n      <text x=\"700\" y=\"435\" text-anchor=\"middle\" font-family=\"IBM Plex 
Mono\" font-size=\"10\" font-weight=\"700\" fill=\"#e84848\">\u2715<\/text>\n      <text x=\"700\" y=\"458\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"9.5\" fill=\"#8ba3c0\">Deny \u2014 no<\/text>\n      <text x=\"700\" y=\"469\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"9.5\" fill=\"#8ba3c0\">token issued<\/text>\n\n      <!-- S8: PEP enforces \u2014 subject accesses resource -->\n      <rect x=\"200\" y=\"408\" width=\"290\" height=\"64\" rx=\"3\" fill=\"#111b2e\" stroke=\"#ffb300\" stroke-width=\"1.4\"\/>\n      <rect x=\"200\" y=\"408\" width=\"290\" height=\"4\" rx=\"2\" fill=\"#ffb300\" opacity=\".7\"\/>\n      <text x=\"345\" y=\"432\" text-anchor=\"middle\" font-family=\"Barlow Condensed\" font-size=\"14\" font-weight=\"700\" fill=\"#fff\">PEP enforces session<\/text>\n      <text x=\"345\" y=\"447\" text-anchor=\"middle\" font-family=\"IBM Plex Mono\" font-size=\"8\" fill=\"#ffb300\">Step 8<\/text>\n      <text x=\"345\" y=\"462\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"9\" fill=\"#8ba3c0\">Validates token \u00b7 enforces scope \u00b7 Subject \u2194 Resource<\/text>\n\n      <!-- S8b: Deny path (subject blocked) -->\n      <circle cx=\"60\" cy=\"430\" r=\"18\" fill=\"#1f0a0a\" stroke=\"#e84848\" stroke-width=\"1.2\" opacity=\".85\"\/>\n      <text x=\"60\" y=\"435\" text-anchor=\"middle\" font-family=\"IBM Plex Mono\" font-size=\"10\" font-weight=\"700\" fill=\"#e84848\">\u2715<\/text>\n      <text x=\"60\" y=\"456\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"9.5\" fill=\"#8ba3c0\">Request<\/text>\n      <text x=\"60\" y=\"467\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"9.5\" fill=\"#8ba3c0\">blocked<\/text>\n\n      <!-- S9: PEP streams telemetry \u2192 Activity Log -->\n      <circle cx=\"345\" cy=\"560\" r=\"16\" fill=\"#0d1420\" stroke=\"#e84848\" stroke-width=\"1.2\"\/>\n      <text x=\"345\" y=\"565\" text-anchor=\"middle\" font-family=\"IBM Plex Mono\" font-size=\"11\" 
font-weight=\"700\" fill=\"#ff8a80\">9<\/text>\n      <text x=\"345\" y=\"585\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"9\" fill=\"#8ba3c0\">Session telemetry<\/text>\n      <text x=\"345\" y=\"596\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"9\" fill=\"#8ba3c0\">\u2192 Activity log<\/text>\n\n      <!-- S10: SIEM correlation \u2192 PE re-eval -->\n      <circle cx=\"580\" cy=\"560\" r=\"16\" fill=\"#0d1420\" stroke=\"#e84848\" stroke-width=\"1.2\"\/>\n      <text x=\"580\" y=\"565\" text-anchor=\"middle\" font-family=\"IBM Plex Mono\" font-size=\"11\" font-weight=\"700\" fill=\"#ff8a80\">10<\/text>\n      <text x=\"580\" y=\"585\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"9\" fill=\"#8ba3c0\">SIEM anomaly<\/text>\n      <text x=\"580\" y=\"596\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"9\" fill=\"#8ba3c0\">\u2192 PE re-eval<\/text>\n\n      <!-- Mid-session revoke label -->\n      <text x=\"680\" y=\"558\" text-anchor=\"middle\" font-family=\"Barlow Condensed\" font-size=\"11\" font-weight=\"700\" fill=\"#e84848\" opacity=\".8\">Mid-session<\/text>\n      <text x=\"680\" y=\"572\" text-anchor=\"middle\" font-family=\"Barlow Condensed\" font-size=\"11\" font-weight=\"700\" fill=\"#e84848\" opacity=\".8\">revocation<\/text>\n      <text x=\"680\" y=\"587\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"9\" fill=\"#8ba3c0\" opacity=\".7\">PA \u2192 PEP teardown<\/text>\n\n      <!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\n           FLOW ARROWS\n           
\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n\n      <!-- 1 \u2192 2: subject initiates request to ZT agent -->\n      <line x1=\"78\" y1=\"44\" x2=\"172\" y2=\"44\" stroke=\"#00d8f0\" stroke-width=\"1.2\" marker-end=\"url(#df1)\"\/>\n\n      <!-- 2 \u2192 3: ZT agent sends auth flow to PA -->\n      <path d=\"M200,62 L200,80 L260,80 L260,116 L302,116\" fill=\"none\" stroke=\"#00d8f0\" stroke-width=\"1.2\" marker-end=\"url(#df1)\"\/>\n\n      <!-- 3 \u2192 4: PA to PE -->\n      <line x1=\"338\" y1=\"130\" x2=\"432\" y2=\"130\" stroke=\"#1a7fd4\" stroke-width=\"1.2\" marker-end=\"url(#df2)\"\/>\n\n      <!-- 4 \u2192 5a\/5b\/5c: PE queries signals -->\n      <path d=\"M450,148 L450,200 L320,200 L320,224\" fill=\"none\" stroke=\"#1a7fd4\" stroke-width=\"1\" stroke-dasharray=\"4,2\" marker-end=\"url(#df2)\"\/>\n      <path d=\"M450,148 L450,224\" fill=\"none\" stroke=\"#1a7fd4\" stroke-width=\"1\" stroke-dasharray=\"4,2\" marker-end=\"url(#df2)\"\/>\n      <path d=\"M450,148 L450,200 L580,200 L580,224\" fill=\"none\" stroke=\"#1a7fd4\" stroke-width=\"1\" stroke-dasharray=\"4,2\" marker-end=\"url(#df2)\"\/>\n\n      <!-- 5a\/5b\/5c return to PE: L-shaped paths, staggered entry at PE bottom -->\n      <path d=\"M320,256 L320,298 L675,298 L675,172\" fill=\"none\" stroke=\"#4d6780\" stroke-width=\".9\" stroke-dasharray=\"3,2\" marker-end=\"url(#dfg)\" opacity=\".7\"\/>\n      <path d=\"M450,256 L450,290 L710,290 L710,172\" fill=\"none\" stroke=\"#4d6780\" stroke-width=\".9\" stroke-dasharray=\"3,2\" marker-end=\"url(#dfg)\" opacity=\".7\"\/>\n      <path d=\"M580,256 L580,282 L745,282 L745,172\" fill=\"none\" stroke=\"#4d6780\" stroke-width=\".9\" stroke-dasharray=\"3,2\" marker-end=\"url(#dfg)\" opacity=\".7\"\/>\n\n      <!-- PE decision \u2192 GRANT branch 
(left of PE center, avoids revoke corridor) -->\n      <path d=\"M680,172 L680,395 L598,395 L598,412\" fill=\"none\" stroke=\"#00cc70\" stroke-width=\"1.3\" marker-end=\"url(#df4)\"\/>\n      <text x=\"686\" y=\"330\" font-family=\"IBM Plex Mono\" font-size=\"8\" fill=\"#00cc70\" opacity=\".9\">GRANT<\/text>\n\n      <!-- PE decision \u2192 DENY branch (right margin route) -->\n      <path d=\"M798,140 L812,140 L812,395 L718,395 L718,412\" fill=\"none\" stroke=\"#e84848\" stroke-width=\"1.3\" marker-end=\"url(#df6)\"\/>\n      <text x=\"814\" y=\"300\" font-family=\"IBM Plex Mono\" font-size=\"8\" fill=\"#e84848\" opacity=\".9\" transform=\"rotate(-90,814,300)\">DENY<\/text>\n\n      <!-- GRANT: PA token \u2192 PEP -->\n      <line x1=\"562\" y1=\"430\" x2=\"490\" y2=\"440\" stroke=\"#8866ff\" stroke-width=\"1.3\" marker-end=\"url(#df3)\"\/>\n      <text x=\"510\" y=\"424\" font-family=\"IBM Plex Mono\" font-size=\"8\" fill=\"#8866ff\" opacity=\".8\">session token<\/text>\n\n      <!-- DENY: blocked to subject (routed lower to clear telemetry line) -->\n      <path d=\"M700,448 L700,510 L60,510 L60,448\" fill=\"none\" stroke=\"#e84848\" stroke-width=\"1\" stroke-dasharray=\"4,2\" marker-end=\"url(#df6)\"\/>\n\n      <!-- PEP active session telemetry \u2192 step 9 -->\n      <line x1=\"345\" y1=\"472\" x2=\"345\" y2=\"544\" stroke=\"#e84848\" stroke-width=\".9\" stroke-dasharray=\"4,2\" marker-end=\"url(#df6)\"\/>\n\n      <!-- step 9 \u2192 step 10 (SIEM) -->\n      <line x1=\"361\" y1=\"560\" x2=\"564\" y2=\"560\" stroke=\"#e84848\" stroke-width=\".9\" stroke-dasharray=\"4,2\" marker-end=\"url(#df6)\"\/>\n\n      <!-- step 10 \u2192 PE re-eval (right margin, offset from DENY line) -->\n      <path d=\"M596,560 L806,560 L806,160 L798,160\" fill=\"none\" stroke=\"#e84848\" stroke-width=\"1\" stroke-dasharray=\"4,2\" marker-end=\"url(#df6)\" opacity=\".6\"\/>\n      <text x=\"804\" y=\"450\" font-family=\"IBM Plex Mono\" font-size=\"8\" fill=\"#e84848\" 
opacity=\".6\" transform=\"rotate(-90,804,450)\">re-evaluate<\/text>\n\n      <!-- revoke \u2192 PEP teardown (from PE, enters PEP box top-right) -->\n      <path d=\"M660,172 L640,172 L640,360 L480,360 L480,408\" fill=\"none\" stroke=\"#8866ff\" stroke-width=\"1\" stroke-dasharray=\"4,2\" marker-end=\"url(#df3)\" opacity=\".6\"\/>\n      <text x=\"556\" y=\"354\" font-family=\"IBM Plex Mono\" font-size=\"8\" fill=\"#8866ff\" opacity=\".6\">revoke<\/text>\n\n      <!-- \u2500\u2500 STEP LABEL CALLOUTS \u2500\u2500 -->\n      <rect x=\"10\" y=\"610\" width=\"790\" height=\"64\" rx=\"3\" fill=\"#0d1420\" stroke=\"#1e2f4a\" stroke-width=\"1\"\/>\n      <text x=\"22\" y=\"626\" font-family=\"IBM Plex Mono\" font-size=\"8\" font-weight=\"700\" fill=\"#4d6780\" letter-spacing=\"1\">STEP SUMMARY<\/text>\n      <text x=\"22\" y=\"642\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\"><tspan font-weight=\"600\" fill=\"#00d8f0\">\u2460\u2461<\/tspan> Subject initiates \u00b7 ZT agent intercepts  <\/text>\n      <text x=\"22\" y=\"655\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\"><tspan font-weight=\"600\" fill=\"#1a7fd4\">\u2462\u2463<\/tspan> Auth flow \u2192 PA \u2192 PE  <\/text>\n      <text x=\"200\" y=\"642\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\"><tspan font-weight=\"600\" fill=\"#40d8d0\">\u2464<\/tspan> PE queries IDMS \u00b7 CDM \u00b7 Threat intel (parallel)  <\/text>\n      <text x=\"200\" y=\"655\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\"><tspan font-weight=\"600\" fill=\"#60a8f0\">\u2465<\/tspan> PE computes trust score \u2192 Grant \/ Deny  <\/text>\n      <text x=\"460\" y=\"642\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\"><tspan font-weight=\"600\" fill=\"#00cc70\">\u2466\u2467<\/tspan> Grant: PA token \u2192 PEP \u00b7 PEP enforces session  <\/text>\n      <text x=\"460\" y=\"655\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\"><tspan font-weight=\"600\" 
fill=\"#e84848\">\u2468\u2469<\/tspan> Telemetry \u2192 Activity log \u2192 SIEM \u2192 PE re-eval loop  <\/text>\n    <\/svg>\n    <div class=\"dcap\">Full access request lifecycle \u00b7 control plane (top) separated from data plane (bottom) \u00b7 mid-session revocation shown via feedback loop<\/div>\n  <\/div>\n\n  <h3>Key flows to note<\/h3>\n  <div class=\"prose\"><strong>Steps 1\u20132 (Subject lane):<\/strong> The subject&#8217;s ZT agent intercepts the access request before it ever reaches the network. It performs local posture checks and initiates the authentication flow \u2014 the request cannot proceed without this gate.<\/div>\n  <div class=\"prose\" style=\"margin-top:10px\"><strong>Steps 3\u20136 (Control plane):<\/strong> The authentication flow goes to the PA, which hands off to the PE. The PE queries IDMS, CDM, and Threat Intel in parallel \u2014 these are concurrent signal lookups, not a sequential chain. The PE then computes a trust score and produces a Grant or Deny decision.<\/div>\n  <div class=\"prose\" style=\"margin-top:10px\"><strong>Steps 7\u20138 (Data plane enforcement):<\/strong> A Grant decision causes the PA to issue a session token to the PEP. The PEP validates that token and permits traffic to flow to the resource within the authorized scope. A Deny means no token is issued and the request is blocked at the agent.<\/div>\n  <div class=\"prose\" style=\"margin-top:10px\"><strong>Steps 9\u201310 (Feedback loop):<\/strong> Throughout the active session, the PEP streams telemetry to the Activity Log. The SIEM correlates this against threat feeds and behavioral patterns. If an anomaly fires, the signal flows back to the PE for re-evaluation \u2014 which can trigger a Revoke command from the PA to the PEP, tearing down the session immediately. 
This is what makes ZTA dynamic rather than static.<\/div>\n\n  <div class=\"ib r\" style=\"margin-top:18px\"><div class=\"ibt\">Mid-session revocation is architectural, not optional<\/div><div class=\"ibb\">The feedback loop from the PEP through the Activity Log and SIEM to the PE isn&#8217;t a nice-to-have \u2014 it&#8217;s how ZTA satisfies Tenet T-06&#8217;s requirement that <strong>authentication and authorization are &#8220;dynamic and strictly enforced.&#8221;<\/strong> Without this loop, ZTA grants access once at login and then has no mechanism to respond to changing risk during the session \u2014 which is exactly the failure mode of traditional VPN-based architectures.<\/div><\/div>\n\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('logical')\">Logical architecture<\/span><span class=\"rl\" onclick=\"nav('planes')\">Control &amp; data planes<\/span><span class=\"rl\" onclick=\"nav('trust')\">Trust algorithm<\/span><span class=\"rl\" onclick=\"nav('pep')\">Policy enforcement point<\/span><span class=\"rl\" onclick=\"nav('actlog')\">Activity log<\/span><\/div><\/div>\n<\/div>\n<!-- NIST PDF -->\n<div class=\"panel\" id=\"panel-nist\">\n  <div class=\"p-eye\">Source document<\/div>\n  <div class=\"p-title\">NIST SP <span>800-207<\/span><\/div>\n  <div class=\"p-sub\">Zero Trust Architecture \u2014 Final, August 2020<\/div>\n  <div class=\"ib\" style=\"margin-top:8px\">\n    <div class=\"ibt\">About this document<\/div>\n    <div class=\"ibb\">NIST Special Publication 800-207 defines Zero Trust Architecture (ZTA) and provides guidance for federal agencies and enterprises planning a ZTA migration. It establishes the seven tenets of Zero Trust, defines the logical components (PE, PA, PEP), describes supporting infrastructure, and outlines three deployment models. 
This reference app is based on the Final version published August 2020.<\/div>\n  <\/div>\n  <div style=\"margin-top:28px;display:flex;flex-direction:column;gap:12px;\">\n    <a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-207.pdf\" target=\"_blank\" style=\"display:inline-flex;align-items:center;gap:10px;background:var(--cyan);color:#000;font-family:var(--mono);font-size:12px;font-weight:700;padding:12px 20px;text-decoration:none;border-radius:2px;width:fit-content;letter-spacing:.06em;\">\n      \u2197 &nbsp;Open PDF (nvlpubs.nist.gov)\n    <\/a>\n    <a href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-207\/final\" target=\"_blank\" style=\"display:inline-flex;align-items:center;gap:10px;background:var(--surf);border:1px solid var(--border2);color:var(--cyan);font-family:var(--mono);font-size:12px;font-weight:700;padding:12px 20px;text-decoration:none;border-radius:2px;width:fit-content;letter-spacing:.06em;\">\n      \u2197 &nbsp;NIST CSRC publication page\n    <\/a>\n  <\/div>\n  <div class=\"divider\"><\/div>\n  <div class=\"prose\"><strong>Full citation:<\/strong> Rose, S., Borchert, O., Mitchell, S., &amp; Connelly, S. (2020). <em>Zero Trust Architecture<\/em> (NIST Special Publication 800-207). National Institute of Standards and Technology. https:\/\/doi.org\/10.6028\/NIST.SP.800-207<\/div>\n<\/div>\n\n<\/main>\n<\/div>\n\n<script>\nfunction toggleMenu() {\n  var sb = document.getElementById('sidebar');\n  var btn = document.getElementById('menuBtn');\n  var ov = document.getElementById('sbOverlay');\n  var open = sb.classList.toggle('open');\n  btn.classList.toggle('open', open);\n  ov.classList.toggle('open', open);\n  document.body.style.overflow = open ? 
'hidden' : '';\n}\nfunction closeMenu() {\n  var sb = document.getElementById('sidebar');\n  if (sb.classList.contains('open')) toggleMenu();\n}\nfunction openNIST() {\n  nav('nist');\n}\nfunction toggleTheme() {\n  var isLight = document.body.classList.toggle('light');\n  document.getElementById('themeBtn').textContent = isLight ? '\u263e Dark' : '\u2600 Light';\n}\nvar fontScale = 100;\nvar fontSteps = [80, 90, 100, 110, 120, 135, 150, 170];\nfunction adjFont(dir) {\n  if (dir === 0) { fontScale = 100; }\n  else {\n    var idx = fontSteps.indexOf(fontScale);\n    if (idx === -1) idx = 2;\n    idx = Math.max(0, Math.min(fontSteps.length - 1, idx + dir));\n    fontScale = fontSteps[idx];\n  }\n  document.querySelector('.main').style.zoom = (fontScale \/ 100);\n  \/* Only zoom sidebar on desktop where it's always visible *\/\n  if (window.innerWidth > 900) {\n    document.querySelector('.sidebar').style.zoom = (fontScale \/ 100);\n  }\n}\nfunction nav(id) {\n  document.querySelectorAll('.panel').forEach(p => p.classList.remove('active'));\n  document.querySelectorAll('.ni').forEach(n => n.classList.remove('active'));\n  var panel = document.getElementById('panel-' + id);\n  if (panel) { panel.classList.add('active'); panel.closest('.main').scrollTop = 0; }\n  document.querySelectorAll('.ni').forEach(function(n) {\n    var oc = n.getAttribute('onclick') || '';\n    if (oc.indexOf(\"'\" + id + \"'\") !== -1) n.classList.add('active');\n  });\n  \/* Auto-close sidebar on mobile after navigating *\/\n  closeMenu();\n}\n<\/script>\n<\/body>\n<\/html>\n\n","protected":false},"excerpt":{"rendered":"<p>NIST SP 800-207 \u2014 Zero Trust Architecture NIST SP 800-207 Zero TrustArchitecture Interactive reference Size A\u2212 A A+ \u2600 Light Architecture Overview Diagram Subject Policy Engine Policy Administrator Policy Enforcement Point Enterprise Resource Infrastructure IDMS &amp; PKI CDM System Threat Intelligence Activity Log Diagrams Logical Architecture Access Request 
Data Flow Concepts Seven Tenets Trust Algorithm&hellip; <br \/> <a class=\"read-more\" href=\"https:\/\/www-geek.com\/index.php\/800-207\/\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"pro\/page-templates\/landing-page.php","meta":{"footnotes":""},"class_list":["post-66","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/www-geek.com\/index.php\/wp-json\/wp\/v2\/pages\/66","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www-geek.com\/index.php\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www-geek.com\/index.php\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www-geek.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www-geek.com\/index.php\/wp-json\/wp\/v2\/comments?post=66"}],"version-history":[{"count":1,"href":"https:\/\/www-geek.com\/index.php\/wp-json\/wp\/v2\/pages\/66\/revisions"}],"predecessor-version":[{"id":67,"href":"https:\/\/www-geek.com\/index.php\/wp-json\/wp\/v2\/pages\/66\/revisions\/67"}],"wp:attachment":[{"href":"https:\/\/www-geek.com\/index.php\/wp-json\/wp\/v2\/media?parent=66"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}