Add Zero Trust Architecture documentation based on NIST SP 800-207 #42

Draft
Copilot wants to merge 6 commits into main from copilot/fix-21

Conversation


Copilot AI commented Aug 11, 2025

This PR adds comprehensive educational content about Zero Trust Architecture based on the official NIST Special Publication 800-207 framework. The documentation provides authoritative guidance on Zero Trust security principles and implementation strategies directly aligned with the NIST standard.

What was added:

New file: zero-trust-architecture.md

  • Complete coverage of NIST SP 800-207 Zero Trust Architecture framework
  • Official NIST definitions and seven core Zero Trust principles
  • Detailed explanation of logical components (Policy Engine, Policy Administrator, Policy Enforcement Point)
  • NIST-defined ZTA models: Enhanced Identity Governance, Micro-segmentation, Network Infrastructure/SDP, Application Sandboxing
  • Comprehensive threat analysis and mitigation strategies per NIST guidelines
  • NIST deployment scenarios for single/multiple cloud providers and hybrid environments
  • Implementation considerations, best practices, and success metrics
  • Integration guidance for existing enterprise security components
  • References to NIST publications and related standards

Updated: README.md

  • Updated description to reflect NIST SP 800-207 basis
  • Maintains the repository's educational purpose while highlighting authoritative source

The documentation serves as a complete educational reference for understanding Zero Trust Architecture according to the official NIST framework, covering both theoretical concepts from the standard and practical implementation guidance for enterprise environments.

Fixes #21.

Co-authored-by: spShashankGit <25440265+spShashankGit@users.noreply.github.com>
Copilot AI changed the title from "[WIP] What is zero trust architecture?" to "Add comprehensive Zero Trust Architecture documentation" on Aug 11, 2025
Copilot AI requested a review from spShashankGit on August 11, 2025 at 07:47
spShashankGit (Owner) commented:

@copilot can you base your article on the original paper from NIST

Link: https://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.SP.800-207.pdf

spShashankGit (Owner) commented:

Source: https://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.SP.800-207.pdf

The new model for cybersecurity is called "zero trust" (ZT).

A ZT approach is primarily focused on data and service protection but can and should be expanded to include all enterprise assets (devices, infrastructure components, applications, virtual and cloud components) and subjects (end users, applications and other nonhuman entities that request information from resources).

spShashankGit (Owner) commented:

Definition: A zero trust architecture (ZTA) is an enterprise cybersecurity architecture that is based on zero trust principles and designed to prevent data breaches and limit internal lateral movement.

…0-207

Co-authored-by: spShashankGit <25440265+spShashankGit@users.noreply.github.com>
spShashankGit (Owner) commented:

Index:

  1. This publication discusses ZTA,
  2. Its logical components, possible deployment scenarios, and threats.
  3. It also presents a general road map for organizations wishing to migrate to a zero trust design approach and
  4. Discusses relevant federal policies that may impact or influence a zero trust architecture.


Copilot AI commented Aug 18, 2025

@copilot can you base your article on the original paper from NIST

Link: https://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.SP.800-207.pdf

I've restructured the Zero Trust Architecture documentation to be based on NIST SP 800-207. The article now follows the official NIST framework, including their specific definitions, logical components (Policy Engine, Policy Administrator, Policy Enforcement Point), deployment scenarios, threat analysis, and implementation considerations. The content is now aligned with the authoritative NIST standard rather than being a general overview. See commit 5a286c0.

Copilot AI changed the title from "Add comprehensive Zero Trust Architecture documentation" to "Add Zero Trust Architecture documentation based on NIST SP 800-207" on Aug 18, 2025
spShashankGit (Owner) commented:

ZT is not a single architecture but a set of guiding principles for workflow, system design and operations that can be used to improve the security posture of any classification or sensitivity level [FIPS199].

spShashankGit (Owner) commented:

Migration to ZT

Transitioning to ZTA is a journey concerning how an organization evaluates risk in its mission and cannot simply be accomplished with a wholesale replacement of technology. That said, many organizations already have elements of a ZTA in their enterprise infrastructure today. Organizations should seek to incrementally implement zero trust principles, process changes, and technology solutions that protect their data assets and business functions by use case. Most enterprise infrastructures will operate in a hybrid zero trust/perimeter-based mode while continuing to invest in IT modernization initiatives and improve organization business processes.

spShashankGit (Owner)

spShashankGit commented Aug 18, 2025

History

The concept of zero trust has been present in cybersecurity since before the term “zero trust” was coined. The Defense Information Systems Agency (DISA) and the Department of Defense published their work on a more secure enterprise strategy dubbed “black core” [BCORE]. Black core involved moving from a perimeter-based security model to one that focused on the security of individual transactions.

The work of the Jericho Forum in 2004 publicized the idea of deperimeterization—limiting implicit trust based on network location and the limitations of relying on single, static defenses over a large network segment [JERICHO].

This raises the question: What is a demilitarized zone in computer science? #76

spShashankGit (Owner)

spShashankGit commented Aug 18, 2025

Definition

Zero trust (ZT) provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. Zero trust architecture (ZTA) is an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan.

This definition focuses on the crux of the issue, which is the goal to prevent unauthorized access to data and services coupled with making the access control enforcement as granular as possible.

The initial focus should be on restricting resources to those with a need to access and grant only the minimum privileges (e.g., read, write, delete) needed to perform the mission.

Traditionally, agencies (and enterprise networks in general) have focused on perimeter defense, and authenticated subjects are given authorized access to a broad collection of resources once on the internal network. As a result, unauthorized lateral movement within the environment has been one of the biggest challenges for federal agencies.

spShashankGit (Owner)

spShashankGit commented Aug 18, 2025

[image]

PDP - Policy Decision Point
PEP - Policy Enforcement Point

The PDP/PEP passes proper judgment to allow the subject to access the resource. This implies that zero trust applies to two basic areas: authentication and authorization.

Questions to answer before granting access to the subject:

  1. What is the level of confidence about the subject’s identity for this unique request?
  2. Is access to the resource allowable given the level of confidence in the subject’s identity?
  3. Does the device used for the request have the proper security posture?
  4. Are there other factors that should be considered and that change the confidence level (e.g., time, location of subject, subject’s security posture)?

Overall, enterprises need to develop and maintain dynamic risk-based policies for resource access and set up a system to ensure that these policies are enforced correctly and consistently for individual resource access requests.

spShashankGit (Owner) commented:

The idea is to reduce the "implicit trust zone"

Zero trust provides a set of principles and concepts around moving the PDP/PEPs closer to the resource. The idea is to explicitly authenticate and authorize all subjects, assets and workflows that make up the enterprise.
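The per-request decision sketched by the four questions above, with the PDP/PEP split and a per-resource policy in place of one implicit trust zone, as an added Python illustration; this is not code from the PR, the repository's documentation or NIST SP 800-207. The request fields, the confidence weights and the policy table are assumptions made for the example.

```python
# Added illustration of a per-request PDP/PEP decision; not code from the PR
# or from NIST SP 800-207. Weights, policy table and field names are assumed.
from dataclasses import dataclass
from typing import Tuple

@dataclass
class Request:
    auth_factors: int        # 1 = password only, 2 = password + MFA (assumed)
    device_managed: bool     # enrolled in enterprise device management
    device_patched: bool     # current patch level reported by the agent
    location_trusted: bool   # request from a known enterprise location
    business_hours: bool     # request within the subject's normal hours
    resource: str
    action: str              # "read", "write" or "delete"

# Assumed per-resource policy: required confidence and permitted actions.
# Each resource has its own rule, so being "on the network" grants nothing.
POLICY = {
    "payroll-db": {"min_confidence": 0.8, "actions": {"read", "write"}},
    "wiki": {"min_confidence": 0.4, "actions": {"read", "write", "delete"}},
}

def identity_confidence(r: Request) -> float:
    """Q1 and Q4: identity confidence for this request, adjusted by context."""
    score = 0.4 * min(r.auth_factors, 2)                  # each factor adds 0.4
    score += 0.1 * r.location_trusted + 0.1 * r.business_hours  # bools as 0/1
    return round(score, 2)

def device_posture_ok(r: Request) -> bool:
    """Q3: does the requesting device have the proper security posture?"""
    return r.device_managed and r.device_patched

def pdp_decide(r: Request) -> Tuple[bool, str]:
    """Policy Decision Point: evaluate one request, default deny."""
    rule = POLICY.get(r.resource)
    if rule is None:
        return False, "unknown resource"
    if not device_posture_ok(r):
        return False, "device posture"
    conf = identity_confidence(r)
    if conf < rule["min_confidence"]:           # Q2: confidence vs. resource
        return False, f"confidence {conf} < {rule['min_confidence']}"
    if r.action not in rule["actions"]:          # least privilege per action
        return False, "action not permitted"
    return True, f"allow (confidence {conf})"

def pep_enforce(r: Request) -> bool:
    """Policy Enforcement Point at the resource: opens only on an explicit allow."""
    return pdp_decide(r)[0]
```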


Development

Successfully merging this pull request may close these issues.

What is zero trust architecture?