The 12 Dimensions of a Zero Trust Solution

Nine23’s Chief Technology Officer and Chief Information Security Officer, Adam Gwinnett has outlined the 12 Dimensions of a Zero Trust Solution.

Zero Trust Fundamentals

Zero Trust is a design ethos for data access. It seeks to remove assumed trust and establish verification at each stage of the data access journey. Its fundamental basis is in establishing policy-based access to assets describing the acceptable conditions for their use and revoking access to protect the information if any of those conditions fail to be met.

12 Dimensions

A Zero Trust access model is typically going to consider all of the following dimensions:

  • The User (Person)
  • Identity
  • Device
  • Network / Connectivity
  • Host
  • Application
  • Data
  • Monitoring
  • Session / State
  • Location
  • Time
  • Policy

A Zero Trust solution may not consider all of these dimensions, but the policies and mechanisms surrounding it will typically be considering these. The exclusion of any dimension will typically reduce the effectiveness and granularity of control achievable but can also reduce the volume of datapoints being stored and processed and reduce the complexity of the implementation. All of these considerations should be balanced when deciding upon a solution.

The User

The majority of access control models are based around allowing a known individual with a right to access information to be provided with it, based upon their role, organisation and needs. Mechanisms such as identity verification help reinforce this space, but outside of biometric access (which is growing in popularity for this very reason) there are notable limitations on linking system access to whomever has “hands on keys”.


One of the maxims for Zero Trust is that “identity is the perimeter”. The majority of access control solutions start at the identity record (and the credentials and permissions associated with it), which is a collection of roles, permissions and memberships to provide access to organisation controlled assets. Individuals can have multiple identity records associated with them (common where a user has administrative or privileged access for sensitive assets, for example) but access is fundamentally controlled at an identity level, even where several records may relate to the same physical person.


Access to organisation-controlled data is enabled via a device. This typically refers to laptops, smartphones, tablets and other End User Devices (EUD) but in the age of Internet of Things (IoT) devices there are increasingly assets that have inherent rights to access data networks, be that a GPS device, an IP-enabled camera, sensors, kiosks or other smart devices. Zero Trust typically looks for the association between a user (person), identity and device. Devices can also be controlled via things like device certificates to help identify corporate issued (or approved assets) and controls such as MDM platforms (For example, Intune).

Network / Connectivity

Many Zero Trust have focused around Zero Trust Network Access (ZTNA) as the initial (and sometimes only) factor of control. This provides a model for applying policies at the point that access to a resource is attempted, but once established is seldom further inspected or interrupted. The Connectivity dimension will look at the network over which a device seeks to connect (such as the Internet or a corporate WAN), the mode of access (from known office Wi-Fi, coffee-shop Wi-Fi or over a mobile connection, for example) and whether connections are secured (such as via a VPN) or “in the clear”.


Services all reside upon a host, be it a server, network node, container, or other runtime. A Zero Trust solution should understand the rules for accessing a host, the resource groups it is within and the tiering of solutions to ensure that access is only following approved paths and does not allow enumeration of hosts by allowing unauthenticated or inappropriate access to them.


The majority of sensitive information resides within applications, be this a CRM system or an information management platform such as SharePoint. The application typically handles fine-grained access to functions and records within it and so provides a fundamental point of control in the Zero Trust access journey. Be it through the application itself or via an API, conditions for access and identification of suspicious queries and activities must be enforced. Models such as Zero Trust Application Gateways (ZTAG) or Secure Access Service Edge (SASE) solutions can augment application controls in this space.


Aside from the systems and services themselves, the primary interest for Zero trust access is in the information that the model seeks to protect. Even within single applications there are typically information sets of varying sensitivity and of multiple types, some of which may be far more significant than others. Being able to apply controls and access granularly across these datasets offers significant value and this is where approaches such as data tokenization tend to come into play.


Most Zero Trust controls operate at the point of initial connection. It is essential to achieve a true Zero Trust solution to monitor not only the status and effectiveness of the controls themselves but also the ongoing status of the activity within the systems so that changes in activity and more subtle indicators of compromise can be identified and responded to.

Session / State

Zero Trust solutions will look for changes in behavior and conditions during sessions to look for unusual patterns of activity that may suggest a compromised account or malicious user behavior. By managing the session, the Zero Trust solution can interrupt or revoke sessions to revoke access to an application or service and thereby protect the information from further exposure.


Zero Trust solutions can utilize the device location (network or GPS depending on need) to impose geofencing of access (limiting access to approved locations) and to match to usual working patterns. This model also allows for detection of multiple logons, miracle travel and other indicators of potential compromise.


Zero Trust access control models will consider time as a potential factor for establishing legitimacy of access – Does the request fall within normal working hours for the user? Does the device timezone match the usual pattern of access or acceptable usage? Are request patterns in line with human patterns of behavior?


At the fundamental base layer of any Zero Trust solution is policy. Policy defines the “rules of play” and provides the framework of rules and conditions that access, and services must meet in order for secure access to be granted. Policy Enforcement Points (PEPs) are the enforcers of this model and should be deployed at key points in the architecture to allow for the effective operation of decision-making, risk-based access and enforcement.

Leave a comment