Zero trust implementation in the emerging technologies era: a survey

1. INTRODUCTION

In recent years, several phenomena have been observed in which their interactions lead to the proliferation of the Zero Trust (ZT) approach. The first is an increase in the number of devices connected to the network, such as Internet of Things (IoTs)^[1]. The second is poised emerging technologies, such as Artificial Intelligence (AI), Generative AI (GenAI), and quantum computing. The third is the rapid growth of cyberattacks, attack surfaces, and sophistication levels of attacks^[2]. In addition, the COVID-19 pandemic has accelerated the adoption of cloud-based technologies and technologies that enable workers to work from anywhere they would like to. In addition, the White House Executive Order (WHEO) published definitions and migration steps for ZT to agencies^[3].

In this paper, we focus on recent technological developments in ZT. The paper will focus on the influences of emerging technologies such as AI, and quantum computing on ZT implementation, elucidating their effects on the formulation of tailored ZT strategies. Additionally, we elaborate on their impact on ZT automation orchestration and migration in the context of new emerging technologies. To the best of our knowledge, only a few ZT survey papers relate to this aspect^[4] and this is the first time that the combination between them has been surveyed.

This paper presents the challenges, approaches, and implementation of ZT for Detection and Response (DR) layers, such as Endpoint DR (EDR), eXtended DR (XDR), and Network DR (NDR) also known as Network Traffic Analysis (NTA). As can be learned from its name, DR has two purposes: detecting and responding to security incidents that aim to bypass the End Point Protection Platforms (EPP). ZT is a crucial framework for EDR as it is one of the most exposed points to cyberspace.

The paper is organized as follows: First, we introduce ZT, discussing its history and evolution over the years. Next, we elaborate on the ZT policy and its principles. In the subsequent section, we explore the challenges that ZT faces. Following that, we delve into discussions on ZT implementation methods. Subsequently, we address the integration of ZT with cutting-edge technologies such as AI, chaos theory, and quantum computing, as well as cybersecurity. We also discuss approaches for evaluating ZT. Finally, we conclude by summarizing the main issues and outlining future directions.

While dealing with defense approaches, it is important to bear in mind that while the attack can be considered a success story, even after many failures, the defense must always be successful. Hence, defense capabilities must be better than potential attacks. Cybersecurity experts claim that an attack will eventually occur, and practically, the chances of 100% are only theoretical^[5]. Risk can be mitigated by early detection and response to an attack when it occurs. ZT is expected to solve this gap. Since ZT plays a practical role in many organizations, we find in the literature design principles such as designing architecture from the inside out, determination of the access needs at a preliminary stage, focusing on the required organizational outcomes, and using the EDR as a source for inspecting the log traffic^[6].

The ZT can help protect against Operational Technology (OT) attacks. OT attacks are designed to exploit systems that are directly on the plant floor^[7]. ZT can be applied to Industrial Control Systems (ICS) to ensure that only authorized devices and users can access the system^[8,9]. For example, in the case of the 2017 NotPetya attack^[10], which caused millions of dollars in damage to industrial sites, ZT principles could have prevented the spread of malware by limiting lateral movement between systems. In addition, ZT can improve Remote Access Security (RAS) by enforcing strict authentication and access control policies^[11,12]. ZT can help protect against supply chain attacks by limiting third-party vendors’ access to critical systems and data. It can also help protect against IoT-based attacks by ensuring that only authorized devices can access the network^[13,14].

Finally, OT attacks using open Application Programming Interface (API) can pose a serious threat to industrial control systems, allowing attackers to gain unauthorized access to OT systems and data^[15]. ZT model includes strict access control and authentication policies, network segmentation, and security measures that specifically target open APIs, such as using API gateways to enforce authentication and access control policies. The implementation of a ZT can effectively complement Digital Twin (DT) configurations. DTs create a virtual representation of a physical system, facilitating various purposes such as monitoring, optimization, planning, and decision-making^[16,17].

By replicating key aspects of physical objects or systems using sensors and real-time data, DT enables modeling, analysis, and testing of changes prior to real-world implementation. To ensure the protection and segmentation of DT, the application of ZT principles is essential, encompassing strong authentication, authorization, microsegmentation of sensitive data, and centralized monitoring of logs and events^[18]. Using DT can increase integration of real-time data and, as a result, ensure robust security measures. This can lead to mitigation of the risks associated with tampering and cyberattacks. ZT principles guarantee that only authorized access is granted, enhancing the security, resilience, and effectiveness of information technology (IT) and operational systems by integrating virtual models with granular, context-aware access controls and monitoring mechanisms^[19]. The integration between the two can serve as a valuable test bed for simulating cyberattacks and evaluating the effectiveness of ZT in handling such threats.

1.1. Zero trust history and evolution

The phrase "Zero Trust" was coined by Stephen Paul Marsh in 1994^[20]. The next step occurred approximately a decade later in 2003. The Jericho Forum consortium defined de-perimeterization^[21]. They claimed that ZT can be used as a security strategy for de-perimeterization. De-perimeterization is practically the removal of a boundary between an organization and the outside world. Only six years later, in 2009, Google implemented ZT architecture BeyondCorp and published it in 2014^[22]. BeyondCorp uses an authentication-based combination of the device and the user. Thus, it eliminates the need for privileged corporate networks.

In 2010, Kindervag et al. from Forrester used ZT for access control^[23,24]. In their report, Forrester claimed that firewalls are not sufficient in the endeavor effort to cope with cyber attacks^[24]. In addition, they coined one of the main premise principles of ZT: “never trust, always verify"^[24]. In 2015, ZT analysts reported augmentation in the adaptation of ZT by technology vendors^[25,26].

In 2017, Forrester and Gartner published the ZT frameworks: Zero Trust eXtended (ZTX) ecosystem^[27] and Continuous Adaptive Risk and Trust Assessment (CARTA)^[28] respectively. ZTX is a framework that maps ZT to organizational applications. CARTA is considered a strategic framework that enables organizations to continuously assess their risk of cyberattacks. CARTA also enables the assessment of the trust level of organizational systems. In 2018, the National Institute of Standards and Technology (NIST) and National Cybersecurity Center of Excellence (NCCoE) published the cornerstone paper SP800-207. It defines cybersecurity metrics with a focus on ZT components and principles. In this way, it helps abstractly design the organizational network architecture in the light of ZT without drilling into a specific implementation^[29]. In 2019, Gartner introduced the terms Zero-Trust Network Access (ZTNA) and Secure Access Service Edge (SASE) to describe new defenses considered part of the emerging ZT framework^[30]. These new models added available layers of protection beyond the traditional network perimeter.

In 2020, the COVID-19 pandemic accelerated widespread adoption of remote work, increasing the need for ZT approaches to secure hybrid workforces^[30]. NIST published updated guidance on applying ZT principles in Federal networks in Special Publication 800-207.

In 2021, a Microsoft report found 96% of organizations saw ZT as critical to success due to security and compliance needs^[30]. Meanwhile, federal orders and strategies laid the groundwork for public sector adoption to strengthen national cyber defenses and transition to ZT.

In early 2022, the U.S. government accelerated its adoption of ZT frameworks^[30]. United States Office of Management and Budget (OMB) released details of the federal ZT strategy and set requirements for agencies to meet five security goals by September 2024. Acting Director Young issued a memorandum stressing defenses against evolving threats. Additionally, Cybersecurity and Infrastructure Security Agency (CISA) published an expanded Cloud Security Technical Reference Architecture in June 2022, co-authored with two other agencies to guide adoption of ZT in cloud environments. Such proactive government efforts, combined with initiatives worldwide, indicated public sector leaders in ZT according to an Okta (company) report. It found that 72% of surveyed government organizations had active or planned ZT programs compared to 55% of private companies.

By 2023, OKTA reported ZT had gone mainstream^[31], with adoption more than doubling in two years and 61% of organizations reporting a defined initiative. Another 35% planned to implement one soon, showing over 90% recognized its importance. The swift rise underscored how ZT strategies delivered stronger security as hybrid work became standard.

By 2024, ZT security reached a critical stage^[32]. Adopting comprehensive Zero Trust Architecture (ZTA) became recommended to align defenses with evolving threats. ZT transformed from isolated tools to a foundational change, moving beyond legacy perimeter views. Full ZTA verified all users, assets and applications continuously, strengthening protections while boosting productivity as risks grew distributed and dynamic.

In Figure 1, we present the history and evolution of ZT.

Figure 1. Zero trust timeline.

Currently, ZT is widespread and has growing market potential. It is implemented in organizations worldwide that use different architectures and systems on both premise and cloud architectures. It has a prospect of 60.7 billion dollars by 2027, with an annual growth of 17.3%^[33]. This is evident in the growth of ZT implementation and usage - horizontally all over the world and vertically - in many market segments and technologies. We can observe the invasion of ZT into 5G networks for healthcare devices^[34].

2. ZERO TRUST POLICY AND PRINCIPLES

The ZT policy is a security framework that aims to protect organizations from cyberattacks. As a result, it encompasses all the organizational systems' users, regardless of their physical location. ZT continually validates the system security configuration, as well as authentication and authorization processes^[35,36].

ZT changed the architecture of separation between different levels of security zones such as the Internet, DeMilitarized Zone (DMZ), and Trusted and Privileged zones to a controlled architecture^[37,38]. ZT employs a Control Plane (CP) to effectively classify and distinguish between trusted and untrusted clients. When the CP acknowledges the client, it accepts the traffic. Typically, ZT uses an encrypted tunnel based on temporary one-time credentials to communicate with a trusted client. ZT transferred the traditional perimeter model and removed the borders between the different zones while maintaining secured communication only with trusted clients.

The CISA proposed the ZT Maturity Model^[39] which divides ZT into eight pillars: users, infrastructure, devices, data, applications, networks, visibility and analytics, and orchestration and automation. The model relates to human factors, devices, and data usage. Each pillar indicates an identification process implemented before accessing the data or required services. ZT relates to both the static aspect of security that resides as data in devices and infrastructure, and to the dynamic aspect of data streams in networks and applications.

To achieve the ZT policy, the organization must relate to the security and authentication aspects of each pillar. Missing one of the pillars' security aspects might influence the ZT policy and, hence, breach the organizational security level. The first and most fundamental stage of ZT is user identification. This stage is critical because most breaches use compromised identities, which are difficult to detect^[40].

This stage is implemented before accessing organizational resources. ZT defines a ZTNA policy that defines which of the remote workers are eligible to connect to specific resources. In recent years, the commonly used technique for identification has been based on Multi-Factor Authentication (MFA), such as Passkey. MFA is based on asking the user for two or more pieces of evidence for authentication.

ZT defines authorized devices and infrastructure only after going through a compliance process that stands under the Compliance Management (CM) spec. Thus, ZT ensures that the organization aligns with the required industrial cybersecurity regulations. To protect organizational data from exfiltration threats, ZT usually recommends encrypting data and using access control regulation policies, such as least privilege. ZT policy applies to applications in several ways such as legitimacy of the application, authorized user access to the application, and the environment in which the application can run. NIST defines the regulations for the ZT Application workload. Workload is a resource that supports application capability. ZT obligates organizations to define which resources are essential for each application and how they work in the most secure way.

To protect the network, ZT uses techniques such as explicit policies or variable trust. The variable trust uses a score to define the trust of the transferred data when an action is required. An additional ZT pillar involves visibility and analytics^[36]. Visibility and analytics focuses on users and network traffic. To enable analytics and visibility, ZT guides organizations to enable network traffic inspection and store the history of logged users, asset logs, and actions. NIST ZT regulations advise the division of on-premise data centers and cloud, as well as workloads to traffic segments. Thus, ZT prevents lateral movement. In this way, the organization can investigate attacks and detect them online.

The eighth pillar of ZT in our list is orchestration and automation^[41]. Automation and orchestration are the upper levels of ZT. They aim to deploy and apply ZT security policy. Automation focuses on making a process run without human intervention. It usually includes pipelines and scheduling parts, such as coordinating endpoint security. Orchestration adds optimization to automation. Orchestration usually includes AI components for each pillar. It helps in detecting attacks, identifying users, and responding to cyberattacks. To the best of our knowledge, orchestration has the highest level of ZT technology.

2.1. From legacy policies and models to zero trust

ZT is considered a new approach compared to other policies and models that have been used for many years in the industry. This section discusses the relationship between them and ZT. One of the main characteristics of the ZT is its trustworthiness. To achieve this, ZT uses the Forrester's paradigm "never trust, always verify"^[42]. The journey for achieving trustworthiness from security systems started many years ago by enforcing policies and access control. Access control techniques can be divided into Attribute Based Access Control (ABAC), Role Based Access Control (RBAC), and Fine Grained Access Control (FGAC)^[43]. The main difference between the first approaches is whether the access control depends on the access user's attributes or organizational roles. Typically, RBAC is more popular because the same user can have several organizational roles. On the other hand, FGAC uses conditions or entitlements for user access confirmation.

The most popular and well-known models for enforcing access control in industry are the Bell-LaPadula (BLP) and Biba. Both Biba and BLP relate to the Confidentiality, Integrity and Availability (CIA) model. CIA is designed to guide policies for information security within an organization. Biba's main strength is to ensure the integrity of data in an organization, where BLP ensures confidentiality. In order to achieve it, Biba enforces two main rules: “no write up, no read down”^[44] while BLP enforces “write up, read down" (WURD) or “no read up, no write down". In this way, Biba's principles prevent data modification by unauthorized objects, while the BLP's rules prevent the leakage of information. To enforce the required results, both models must be implemented as Mandatory Access Control (MAC) or Mandatory Integrity Control (MIC). However, in practice, it is a challenging task to enforce the models because many situations are considered grey zones. To solve these issues, Tidjon et al. proposed a ZT model that relied on and combined Biba and BLP^[42]. The authors attached trust scores to each object (such as servers, files, and data channels). The scores use weights for each object based on Biba's integrity and BLP's confidentiality levels. ZT can rely on old models and can be implemented as a top layer in organizations that have already used these approaches.

2.1.1. Zero Trust in comparison to legacy policies and models

As mentioned before, ZT is based on solid grounds of legacy policies. The adoption of ZT dictates changes in the concepts and cybersecurity worldviews. Some of the main changes are summarized in Figure 2. The main differences are based on the following points: role-based vs. least privilege, trust vs. verification, static policies vs. dynamic policies, perimeter-based vs. data-centric, authenticate once vs. continuous authentication, simple network segmentation vs. microsegmentation, reactive incident response vs. continuous monitoring, and centralized control vs. distributed enforcement^[4,45,46].

Figure 2. Legacy vs. Zero trust approaches.

Legacy access control systems often rely on static roles and groups, implementing a role-based approach rather than a least-privileged one. ZT follows the principle of “least privilege", granting only the minimum access required for a specific task or context. Legacy models typically adopt an initial “trust but verify" approach, where devices and users are granted trust by default within the perimeter. ZT starts with “never trust, always verify" and requires continuous validation.

Legacy policies are typically static and undergo infrequent updates, in contrast to dynamic policies that adapt and evolve more frequently. On the other hand, ZT policies are more dynamic and situation-aware, changing based on context, such as location, task, and risk level. Legacy models primarily prioritize securing the network perimeter, in contrast to data-centric approaches that emphasize safeguarding the data itself. Instead, ZT focuses on securing individual data assets and granting only the necessary access on a per-request basis.

In legacy models, users are typically authenticated once and remain trusted until they log out, as opposed to continuous authentication methods that maintain ongoing verification throughout user sessions. ZT requires the continuous authentication and re-validation of access rights. Legacy network approaches often exhibit coarse segmentation, with simple network segmentation practices in place, as opposed to the more granular and precise microsegmentation methods. ZT leverages fine-grained microsegmentation-based methods, for example, on data, applications, users, and tasks.

Legacy security practices typically rely on reactive incident response strategies that address threats after they have been detected, in contrast to the proactive and continuous monitoring approaches that provide real-time threat awareness and prevention. ZT enables proactive threat detection and containment through continuous monitoring. Legacy security models typically depend on centralized control for policy enforcement, as opposed to distributed enforcement mechanisms that distribute policy enforcement throughout the network. ZT distributes enforcement points, such as EDR, across the full technology stack for increased resilience.

3. ZERO TRUST CHALLENGES

ZT challenges stem from continual changes in the organizational environment. These changes can be endogenous or exogenous. Organizational management decides on internal changes and reacts to environmental changes.

These decisions and other factors cause organizations to constantly change workers’ positions and, as a result, their roles in the computational systems are changed. Worker status also changed on a frequent basis. New workers join organizations where others leave. In addition, each worker usually uses more than one device for his work and connects it to the organizational network. Moreover, in each device, several installed applications were used by their owners. The overall number of applications and devices is growing. An additional trend that has been evident in recent decades is data and service distributions. Organizational data and services are distributed in a wide variety of places. Some of them are located in the cloud, whereas others are on-premise.

The implementation of ZT in organizations is a phased project. Each phase depends on the previous phase, and the final prospective results can be achieved only after years^[47]. During the implementation of the ZT project, the environment constantly changes. New technologies are added, and source allocation is changed. In addition, there are many changes in budget allocations in the organization, as well as in projects and ZT levels.

An additional aspect of project implementation is its impact on organizational policy. As ZT is a cornerstone in organizational security, it is supposed to influence its security policy. Consequently, it can cause a domino effect on other computational and security systems, as well as attack surfaces. ZT also influences organizational standards and procedures. It is necessary to close the gap between the pre and post-implementation stages of ZT. One of the main approaches for closing this gap requires integration between departments, teams of workers, products, and legacy systems. This is usually supported by new standards and procedures. A common solution for such an integration is the creation of an organizational repository that integrates the relevant information and helps coordinate between ZT project users and leaders.

The ZT project requires inspecting both inside and outside the perimeter of an organization. Since ZT is based on the continual inspection of organizational security, continual inspection of the relevant network components is required. It requires defining tools and metrics to monitor the security status. It also has an impact on organizational risk management. Last but not least, it requires a thorough inspection of network edges such as EDR, Internet Service Provider (ISP) components, organizational IoTs, and employees’ applications and devices under the Bring Your Own Device (BYOD) policy. The challenges of ZT require not only an overall inspection of the current organizational systems but also looking outside the perimeter of an organization. It involves not only systems but also organizational workers and management, as well as every entity that works with the organization.

Emerging network attack techniques present key challenges to current ZT frameworks. Side-channel attacks exploit implementation vulnerabilities, bypassing authentication and encryption safeguards, undermining the principle of verifying every request^[48]. Addressing novel side-channel risks is crucial. Password guessing attacks, stemming from compromised credentials, necessitate robust credential policies and passwordless authentication for mitigation^[49,50].

There is a unique solution for authentication that provides a strong defense against account compromise such as Attribute-Based Password Authenticated Key Exchange (AB-PAKE) protocol, ensuring that only two legitimate users with desired attributes and correct passwords can establish a shared session key. However, ZT may not fully resolve issues in initial credential management. Techniques such as deepfakes pose detection challenges for existing methods such as behavioral analytics, requiring ZT strategies to identify manipulated requests. Distributed and encrypted threats obscure network visibility, demanding enhanced endpoint data for accurate risk identification. To combat the rapid pace of new attacks, ZT must blend segmentation for resilience with rapid threat containment strategies based on user behaviors.

Blockchain technology can serve several vital roles in supporting ZT architectures^[51]. It excels in identity management by offering a decentralized approach to handling digital identities and credentials, mitigating single points of failure and enabling identity verification without central authority reliance. Through smart contracts, blockchain can enforce detailed, dynamic access control policies, including context-based rules and trust attestations. The immutable ledger of blockchain ensures data integrity, aiding in detecting unauthorized changes and anomalies within a ZT framework.

Moreover, blockchain facilitates trust establishment through transparent cryptographic verification, aligning with ZT's principle of verifying access trust without internal system visibility. By encoding ownership and lifecycle details on blockchain, asset management gains enhanced visibility into device identities, postures, and authorization levels for informed access decisions. Smart contracts also streamline policy enforcement, automating complex access policies in alignment with business rules stored on blockchain, ensuring consistent policy application in decentralized business environments.

The impact of ZT on operational overhead varies based on organizational implementation^[52]. Initial setup and policy configuration may demand substantial effort initially, but ongoing operations typically do not impose significant overhead once established. While granular access controls and asset visibility add processing and storage requirements, these costs are balanced by long-term breach mitigation and enhanced access management efficiency.

Leveraging existing infrastructure minimizes additional hardware/software expenses, and automation through APIs and policy engines reduces manual workload. Workload segmentation and least privilege access optimize resource usage, while enhancing organizational agility and enabling secure cloud/remote access. Although there are upfront costs, a well-designed ZT approach focused on automation and efficient access management generally does not result in intolerable ongoing operational burdens at scale, emphasizing the importance of strategic resource planning.

In the next subsections, we divide the most fundamental ZT challenges into migration, automation, and orchestration. For each challenge, we will explain how emerging technologies, such as AI, can help organizations fulfill the challenge.

4. ZERO TRUST STRATEGY AND APPROACHES

In this section, we describe several common ZT approaches that organizations can adopt, including the strategies and technologies they employ as part of a comprehensive ZT approach. The first approach is identity-based access control^[69,70], which grants access based on verified user or device identities rather than network location, using MFA and strong identity management systems.

The second method was microsegmentation^[71,72], which isolates the systems, workloads, and data within the network to minimize lateral movement if one asset is compromised. This method enforces strict control of network traffic. Additionally, the least-privileged access approach ensures that users and services only have the minimal access rights necessary to perform their assigned tasks. Privileges are granted on a just-in-time and as-needed basis. An additional relevant access approach is adaptive access^[73,74], which dynamically adjusts access privileges based on real-time factors such as location, device health, and authentication strength, applying more stringent access controls for high-risk situations.

While minimizing access to entities, it is necessary to continuously monitor organizational systems and networks. Continuous monitoring and analytics enables this feature^[35], as it constantly monitors network traffic, assets, and user behavior for anomalies that could indicate threats. AI and ML were used to detect deviations from normal patterns. To continually monitor organizational data traffic, gateways and service edges must be secured and monitored. Secure service edges enable the strict control of access to APIs and other external touchpoints^[34,35]. The identity, permissions, and context of each request should be verified. In addition to implementing continuous monitoring, the organization can implement User and Entity Behavior Analytics (UEBA)^[29,75]. It plays an important role in continuous monitoring. UEBA solutions can detect anomalies and deviations in things, such as user login and access patterns, device usage and communication patterns, privileged account activity API, and application usage. The other security aspect is related to data.

ZT requires data encryption^[4,76]. Encrypting data at rest and in transit to prevent unauthorized access, even if the system is compromised. Therefore, key management and robust policies are critical. In recent years, there has been a transformation from an on-premise infrastructure and services to the cloud. ZT strategy involves securing a cloud workload^[35,38,77]. ZT principles are applied to Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), including verifying managed identities, encrypting data, and enabling activity monitoring.

The aforementioned common approaches and technologies are part of a comprehensive, general ZT strategy. It is important to implement multiple types of controls instead of relying on a single technique in isolation. An additional approach to ZT involves the training and education of teams and users. Training and education are crucial for creating ZT environments^[78]. Users must understand why policies have changed and how their workflows may have been impacted. This could reduce friction and encourage adoption. From the perspective of implementation and project management, the organization must consider that ZT extends beyond technology. It also requires changes in processes, governance, and organizational culture. These include establishing a ZT Center of Excellence (ZTX CoE) and creating a ZT roadmap and milestones^[29,35]. This section described some of the common strategies and technologies that organizations employ as part of a comprehensive ZT approach. Implementing multiple types of control instead of relying on any single technique in isolation is crucial. Moreover, it is essential to remember that ZT is an ongoing journey rather than a final destination. Organizations must consistently evaluate and optimize their ZT posture in response to evolving threats and improving security maturity.

5. ZERO TRUST IMPLEMENTATION BEST PRACTICE

Earlier, we described the ZT migration. ZT implementation establishes a ZT posture from the start of a new environment. ZT migration transitions from an existing traditional security model to ZT architecture over time.

Organizations can make a smooth transition to ZT security over time by using several principles. To successfully adopt a ZT model, organizations should begin with small-scale pilots to gain experience, validate the value proposition, and troubleshoot any issues before gradually expanding^{[28,29,79,80]}. The management and leading team should conduct a comprehensive inventory of all assets, including users, applications, devices, and data, to establish visibility and a baseline for the ZT model.

Several success stories illustrate the impact of ZT on the organization. Airbus^[81], Capital One^[82], and NASA^[83] successfully implemented models for enhanced security and operational efficiency. Airbus witnessed that ZT was extended to corporate data across email, collaborative applications, and custom-built solutions while maintaining a balance between security and productivity. Mobile endpoints were securely protected from cyber threats through proactive visibility, detection, and remediation of potential issues from a cloud-based platform that enabled smooth, simple deployment to over 100, 000 corporate devices. An easy-to-use, non-intrusive interface allowed field workers to remain productive while accessing resources with the confidence of robust protection everywhere.

Capital One's adoption of ZT reflects an IT security approach mandating thorough identity validation for all users and devices attempting to access network assets, irrespective of their location within or beyond the network perimeter, showcasing the importance of such measures in bolstering overall network security. Additionally, ZTNA serves as a critical facet within the SASE framework, emphasizing the significance of adaptive security protocols within contemporary network architectures.

NASA adopted ZT principles to securely enable hybrid workforces to collaborate from anywhere, using any device at any time as guided by its Future of Work strategy. Well-implemented ZT architectures streamlined cybersecurity efforts by providing consistent security controls and user experiences regardless of location. As a guiding principle for security architectures aimed at improving security posture and increasing cyber resilience, ZT both reduced risks from malware infections and minimized potential impacts of attacks. Partial ZT deployments within NASA nonetheless yielded dramatic security enhancements by guiding more secure cloud computing through identity-based adaptive controls and demonstrating that perfect implementations should not preclude considerable improvements from good progress toward a ZT model.

While success stories illuminate the path for some ZT projects, a different narrative emerges when considering the potential pitfalls that could lead to failure in US federal agencies, as predicted by Gartner^[84]. Gartner Predicts 75% of U.S. Federal Agencies Will Fail to Implement ZT Security Policies Through 2026. These pitfalls include funding shortfalls causing implementation delays, a cybersecurity skills shortage impeding recruitment efforts, struggles to meet policy deadlines amidst budget constraints, limited progress reporting complicating transparency, and the looming risk of incomplete ZT adoption leaving agencies vulnerable to threats, potentially resulting in service disruptions or costly data breaches.

To achieve the desired end state, a clear vision and roadmap should be articulated and broken down into manageable phases and priorities. It is equally important to focus on changes in security policies, procedures, and people, as it is on technologies to ensure buy-in from all stakeholders. Automation should be used wherever possible to minimize manual effort and human error, starting with easy wins to build momentum and validate the concept^[39].

Incorporating API-based access for applications can help minimize fragile and centralized components. A risk-based approach should be adopted, prioritizing high-risk users, assets, and access for initial ZT implementations to maximize the impact^[85]. Careful planning and testing should be performed when integrating various zero-trust solutions to avoid these issues. A clear change management plan should be developed, communicating changes to employees, predicting impacts, and formulating a plan to minimize disruptions while providing adequate training^[86,87].

A governance model should be created, defining roles, processes, policies, and guidelines around ZT to manage and maintain it in the long term. Regular progress measurement using metrics can help evaluate the effectiveness and identify areas for improvement, allowing for necessary adjustments. Finally, a multi-year roadmap should be developed to guide ZT implementation and achieve the desired end state over time^[80].

In addition, it is always beneficial to follow the best practice guidelines that have already been tried in other organizations. The first principle is to start small but think big. It is recommended to begin with small-scale pilots to prove value and address any issues before gradually expanding to the entire organization. Conducting a full inventory of all assets, users, devices, applications, networks, and data provides visibility and a baseline for ZT models.

Creating a clear vision and roadmap for the desired end state, and breaking it down into actionable phases and priorities, helps organizations achieve their goals and minimizes risk and complexity.

6. AI AS A SUPPORTIVE SOLUTION FOR ZERO TRUST CHALLENGES

In this section, we will explore the primary ZT challenges of migration, automation, and orchestration. We will discuss and demonstrate how AI can enhance the solutions for these challenges.

7. ZERO TRUST AND CYBERSECURITY TECHNOLOGIES FOR DETECTION, PREVENTION, AND RESPONSE

In the previous sections, we mentioned algorithms and an AI approach for supporting the ZT response to attacks. In this section, we discuss the interaction between ZT and technologies, tools, and approaches that provide security solutions for detection, prevention, and response to cyber-attacks. ZT uses and dictates policy for tools and technologies that help organizations interact with the outside world. The definition of ZT provides a comprehensive approach to cybersecurity, helping organizations protect their critical systems and data from cyber threats. By implementing strict access controls, continuous monitoring, and risk-based authentication, organizations can reduce the attack surface and better protect themselves against potential threats. Additionally, the use of detection, prevention, and response tools can provide early warnings of potential threats and enable organizations to respond quickly and effectively to security incidents.

This section provides insight into the interaction between ZT and technologies and solutions such as XDR, EDR, NDR/NTA, Security Orchestration Automation and Response (SOAR) and SIEM^[115,116]. The section explains why the aforementioned technologies can work synergistically with ZT and enhance the organizational security level.

The combination of XDR can countermeasure attacks, such as Living Off The Land (LOTL)^[117]. XDR is a security approach that aims to integrate multiple security solutions, such as EDR, NDR/NTA, and SIEM, into a unified platform^[116].

AI can be a meaningful tool for enhancing XDR and ZT. XDR is based on large volumes of backlogs. Even a small proportion of false alarms can cause tedious and intensive work for users. An ML-based system can decrease the human labor involved in analyzing a large amount of data. In addition, ML systems can increase the level of accuracy and, hence, decrease the number of false alarms. Combining the ZT policy with the XDR can practically decrease the number of logs by constantly verifying the endpoint online. However, constant verification can slow down the system response^[118]. Practically, there is a need to determine the optimal point between the response time and the required threat level. This is a practical compromise between absolute never trust, ZT policy, and organizational needs.

Because there is a high probability that an organization will become a target for cyberattacks, one of the effective ways to handle it is detecting it as soon as possible^[5]. Once an attack is detected, a rapid response is required. The effectiveness of an organization in handling an attack is one of the crucial parameters for its success in countermeasuring the attack. Detecting an attack at the endpoints usually indicates the early stage of the attack. Hence, implementing ZT in endpoint devices helps the organization cope with severe stages of attack.

XDR tools are currently attempting to bring together all the relevant security solutions. These are intended to unify multiple security capabilities into a single solution that offers automated analysis, remediation, monitoring, and detection. The organization aims to maximize the detection accuracy while increasing the security operations and remediation efficiency^[119]. The benefits of XDR are deemed to be so broad that Gartner called XDR the top security trend to emerge out of 2020. XDR plays a central role in advancing ZT architecture when used together with more targeted Identity and Access Management (IAM)^[80]. XDR solutions offer in-depth security monitoring via flexible as-a-service delivery, which addresses identity and data monitoring^[119].

As part of XDR, NDR/NTA technologies play a crucial role in monitoring and analyzing network traffic, providing insights into potential threats, and enabling rapid responses within a ZT framework. Another important technology on which XDR relies is EDR. This refers to a category of cybersecurity solutions designed to detect, investigate, and respond to threats at the endpoint level. As part of the ZT architecture, EDR can significantly enhance the security of endpoints and strengthen the overall effectiveness of the ZT model.

An additional solution that enhances the ZT functionality is SOAR. SOAR is a security solution that uses automation and orchestration to streamline security operations and improve the incident response times^[115,116]. In the previous section, we elaborated on the relation between ZT and automation and orchestration. By combining ZT and SOAR, organizations can implement a more effective and efficient cybersecurity strategy. ZT provides a strong security foundation by limiting access to critical systems and data and continuously monitoring potential threats. SOAR then builds on this foundation by automating security operations and incident responses, enabling faster and more effective responses to security incidents. For example, a ZT model may limit access to a critical system to only authorized users and devices, and continuously monitor the system for potential threats. If a threat is detected, SOAR can automatically trigger a response, such as isolating the system or blocking access until the threat is resolved. This automated response can significantly reduce incident response times and minimize the impact of potential security breaches.

An additional solution commonly used in the organizational security suitcase is the SIEM. The SIEM is a security solution that collects and analyzes security events from the IT environment to identify potential threats. By combining ZT and SIEM, organizations can implement a more effective and efficient cybersecurity strategy^[120]. ZT establishes a robust security foundation by restricting access to critical systems and data while continuously tracking potential threats^[115]. SIEM then builds on this foundation by collecting and analyzing security events across the IT environment, providing early warnings of potential threats. For example, a ZT model may limit access to a critical system to only authorized users and devices, and continuously monitor that system for potential threats. If a threat is detected, the SIEM can alert the security teams and provide detailed information about the threat, enabling faster and more effective responses to security incidents.

8. ZERO TRUST AND CHAOS THEORY

Chaos theory has been used in cybersecurity applications to detect cyberattacks. It is a branch of mathematics that studies the behavior of dynamic systems that are highly sensitive to initial conditions, meaning that small changes in the initial conditions can lead to vastly different outcomes.

In the context of cybersecurity, chaos theory can be used similarly to AI to analyze network traffic and detect anomalous patterns that may indicate the presence of a cyberattack^[121]. By analyzing the behavior of network traffic over time, chaos theory-based algorithms can detect patterns that deviate from the expected behavior of the system, indicating that cyberattacks may be in progress^[122]. An additional approach is to use chaos theory-based algorithms to analyze the behavior of individual network packets and detect anomalous patterns that may indicate the presence of a cyberattack^[123].

Moreover, chaos theory can be used to compare the different states of an organization's systems and transferred data. The analysis can indicate a deviation from the normal behavior of the system, and might indicate a cyberattack^[124]. The analyzed data can be obtained from various sources, such as logs, EDRs, networks, computers, and every device that is connected to the organization systems.

While chaos theory-based approaches to cyberattack detection are still in the early stages of development and are not widely used in practice, they have shown promise in detecting certain types of cyberattacks such as Distributed Denial-of-Service (DDoS) attacks. However, these approaches also have limitations such as the potential for false positives and the need for extensive training data to develop accurate models. ZT and chaos theory can be used to enhance an organization's security posture. By combining ZT and chaos theory, organizations can implement a more effective and efficient cybersecurity strategy. As explained, by enforcing access control to critical systems and data and maintaining continuous monitoring for potential threats, the ZT approach offers a solid security foundation. Chaos theory analysis can be used to analyze network traffic and detect anomalous patterns that may indicate the presence of a cyberattack, providing an early warning of potential threats.

9. HOW DOES QUANTUM COMPUTING AFFECT ZERO TRUST

Akin to AI, which took many years from its inception to its ubiquitous presence, quantum technology is taking its first steps in general and in the cybersecurity world and has the potential to impact ZT^[125]. Although several quantum algorithms, such as Shor's algorithm for integer factorization^[126], Grover's algorithm for database search^{[127,128,129]}, Quantum Fourier transform^[130,131] and quantum counting algorithms^[132], offer promising exponential or quadratic speedups in asymptotic terms, achieving practical speedup on physical quantum computers still encounters significant technological challenges. However, these algorithms do give us a glimpse of the possibilities of overcoming these challenges. As mentioned above, quantum computing remains a speculative technology.

Despite this, it has the potential to revolutionize cybersecurity in several ways. For example, it can strengthen and enable future ZT security models by providing quantum-safe cryptography, scalable policy enforcement, enhanced visibility, accelerated automation, new sensing capabilities, and more resilient network properties that are more difficult to compromise^[133]. However, it will likely be many years before these potentials are fully realized. The following are ways in which quantum computing could help strengthen and enable ZT security models in the future.

A quantum can contribute to safe cryptography. Quantum-resistant algorithms are essential for ZT solutions to withstand future attacks by quantum computers^[134]. Technologies, such as quantum key distributions, can also enhance trust.

A quantum can enable the detection of anomalies. The pattern-matching and optimization capabilities of quantum computers may accelerate the detection of anomalies within ZT environments. This could help with continuous trust evaluation. Additionally, quantum computing can enhance the visibility of organizational security systems. The massively parallel processing power of quantum computers could potentially provide unprecedented levels of visibility in ZT networks, users, devices, applications, and data. Moreover, quantum technology has the potential to scale policy enforcement. In theory, quantum machines may be able to enforce fine-grained access policies required by ZT at a scale that classical computers cannot match. However, this was impossible for many years.

Existing access control strategies must adapt to the emerging threats and challenges posed by quantum computing^[135]. Encryption algorithms such as RSA, built on the complexity of factoring large numbers, face vulnerability to Shor's algorithm on quantum computers, necessitating the evaluation and deployment of post-quantum encryption schemes^[136]. Similarly, hash-based signatures such as Elliptic Curve Digital Signature Algorithm (ECDSA) are at risk of being compromised, prompting the adoption of quantum-resistant signature schemes. While symmetric cryptography offers more resilience compared to asymmetric methods, future quantum computers could potentially breach these defenses, underscoring the importance of larger key sizes for enhanced protection.

Access control policies that hinge solely on confidentiality of secrets may require reevaluation to anticipate decryption capabilities, urging the integration of multiple authenticators for fortified security measures. The adequacy of authentication factors, such as passwords and cryptographic one-time passwords, is called into question, urging the adoption of multifactor authentication incorporating physical and behavioral elements for heightened resistance.

Key management strategies must prepare for potential compromise of current keys, necessitating secure transitions as post-quantum alternatives come into play. Vigilance in monitoring for attacks is paramount, with a focus on identifying anomalies and unusual access patterns that could signify early cryptanalysis attempts in the landscape of quantum computing.

An important aspect of quantum technology is its ability to accelerate automation. The futuristic ability of quantum computers to rapidly process vast amounts of data could potentially be leveraged to automate complex ZT tasks such as continuous monitoring, threat detection, and response. When focusing on the EDR, quantum technology can be leveraged to develop sensors. New types of quantum sensors may be able to continuously monitor parameters, such as magnetic fields, vibrations, and temperatures, to help detect threats and anomalies within ZT environments.

Quantum has the potential to strengthen layered defenses. Quantum technologies could augment existing layers of ZT defenses, such as physical security and network segmentation, to make the overall model more resilient against threats. Finally, quantum systems are more difficult to compromise. The quantum properties of superposition and entanglement render quantum systems inherently harder to wiretap or eavesdrop on, potentially enhancing trust within ZT networks.

The advent of quantum computing necessitates fundamental adjustments to access control strategies within a ZT framework^[137,138]. Quantum computers pose a threat to current encryption algorithms, demanding the adoption of post-quantum cryptography for secure data protection in transit and at rest. Upgrading cryptographic protocols, deploying quantum-resistant algorithms, and exploring new authentication methods are crucial steps to safeguard against potential quantum threats. Ensuring the integrity of blockchain-based access control systems also requires quantum-resistant cryptographic foundations. Companies must consider the risk of encrypted data compromise in the future and implement preemptive measures to mitigate quantum computing vulnerabilities.

Exploring quantum components and advanced quantum communication protocols within Zero Trust for Wireless Networks (ZTWN) represents a proactive approach to fortify security against potential cryptographic vulnerabilities posed by quantum computing advancements^[137]. These quantum solutions, including Quantum Machine Learning (QML) algorithms and identity authentication techniques, enhance the long-term security objectives of ZTWN by leveraging quantum properties to ensure secure communication and thwart potential attacks.

Quantum computing has the potential to transform cybersecurity through quantum-safe cryptography, scalable policy enforcement, enhanced visibility, accelerated automation, new sensing capabilities, and harder-to-compromise network properties.

10. ZERO TRUST EVALUATION

A crucial aspect of implementing ZT is to compare the organization's security state prior to and after the adoption of ZT principles. Moreover, any change in the ZT policy or architecture affects the organization. An evaluation process is required to assess the impact of these changes. The evaluation process uses metrics as a compass that enables management to understand the changes and progress while using the ZT. In this section, we present several approaches and metrics to evaluate the effectiveness of the organizational ZT security model.

ZT consists of several components and their integration leads to a holistic solution. As shown in Figure 3, the main components are policy enforcement, authentication, authorization, segmentation, monitoring, and response to threats^[73,139]. Policy enforcement plays a pivotal role in defining, distributing, and enforcing access policies. It is crucial to strive for consistency across identity management, authorization, and policy control points. In addition, it is important to evaluate how the ZT system enforces a least-privileged access policy for different users. Moreover, ZT uses posture checks to evaluate and continuously verify the health of the devices accessing the network and its applications^[35]. These checks also fall into the category of XDR tools.

Figure 3. Example for zero trust evaluation approaches and metrics.

An important way for ZT to enforce its policy is to use an optimal authentication process. The evaluation of authentication must relate to all entities, such as users, devices, and applications^[35,86]. Relevant metrics, such as MFA adoption, can be obtained by investigating the number of users utilizing the MFA. An additional metric relevant for authentication is privileged access usage, which can be calculated by the number of access attempts with elevated privileges. Access policy coverage can be used to identify the roles of defined access policies. In addition, access policy violations can be used to calculate violations of defined access policies. An example of a metric is policy coverage, which measures the number of assets with defined access to configuration policies. The policy compliance metric measures assets compliant with defined access and configuration policies. An additional metric that falls in the policy category is Posture, which checks the failure rate and assesses the number of posture checks that failed to indicate non-compliance.

The next step in the evaluation process is authorization. One of the foundation stones is continuous authorization. The evaluation has to relate to authorization aspects such as continuity and revalidating access permissions over time. This evaluation can predict the ability of ZT to catch privilege escalations and changes.

An additional evaluation aspect of ZT focuses on network segmentation. This evaluation indicates how the network is segmented to restrict lateral movement^[140]. Microsegmentation techniques based on application, roles, and environmental configurations can be considered. The relevant metrics for this category include microsegmentation adoption as an indication of the number of applications using microsegmentation and its complementary metric, unmanaged devices, which indicates the number of devices connected without proper registration. An additional metric is a vulnerable device that assesses the number of devices with vulnerabilities identified through the posture checks mentioned above.

Furthermore, the ZT evaluation category relates to the logging and monitoring of organizational systems. This evaluation consists of assessing organizational logs, event monitoring, and SIEM solutions. A high level of performance in this category ensures quick detection of anomalous behaviors. The metrics that can be used for evaluating the logging and monitoring categories are the mean time to detect threats and the average time to detect security incidents. The additional proposed metric is the mean time to contain threats, that is, the average time to isolate and contain security incidents. Another useful metric is event correlation effectiveness, which calculates the percentage of correlated events out of the total events.

The last category in our ZT evaluation process is response capabilities. It measures how quickly an organization responds to threats, revoke access, and remediate incidents. It also evaluates tabletop and red team penetration tests. Incident response metrics include the incident response time, which calculates the average time to begin the incident response after detection^[141]. Another relevant metric is the containment time, which calculates the average time required to contain security incidents after detection. Finally, the remediation time metric calculates the average time required to fully remediate the security incidents after containment.

Additional qualitative metrics such as stakeholder satisfaction surveys, security assessments, and red team penetration test results can also provide valuable insights into the effectiveness of ZT initiatives. This section provides an overview of the main ZT evaluation categories and their metrics. By evaluating these key ZT capabilities, an organization can identify gaps, weaknesses, and areas for improvement to strengthen its overall security posture. Over time, it can track progress and measure the maturity and efficacy of the ZT model.

11. CONCLUSIONS AND FUTURE DIRECTIONS

This paper presents the main ZT issues relevant to the current era of evolving technologies. It also provides an overview of the main events that affect the ZT evolution. This study also compares the traditional ZT approaches with the current ones. In addition, it shows how organizations can implement emerging technologies and algorithms such as AI, quantum computation, and chaos theory, and how they affect the ZT strategy and implementation. Moreover, this study discusses the best practices and main issues in ZT challenges, such as migration, automation, and orchestration. Finally, this paper provides evaluation metrics and approaches for measuring the impact of ZT security on business operations, user experience, and overall security posture.

Future challenges and development directions for ZT architectures include extending policies to edge computing and IoT devices, advancing identity verification with blockchain and passive biometrics, implementing adaptive access authorization through machine learning, integrating ZT into supply chains, emphasizing API security, establishing continuous authorization practices, converging network and security infrastructure, adapting ZT for cloud and serverless applications, and transitioning to quantum-resilient cryptography for enhanced data protection against potential quantum computing threats.

Looking ahead, we predict that the persistent and significant challenges of verification and compliance assurance will continue to evolve alongside ZT architecture. As we delve deeper into the future of ZT security, several critical research and development areas warrant focused attention. These include safeguarding and securing AI and ML workloads, establishing unified access policies across multiple domains, and implementing privacy-preserving access controls. Further, the seamless integration of ZT with DevOps processes and practices represents another promising and essential direction for future exploration and development.

DECLARATIONS