
Zero Trust Architecture: Concepts, Implementation Schemes, Deployment Practices, and Practical Experience

This article provides a comprehensive overview of zero‑trust security, explaining its core principles, architectural models such as SDP, various implementation approaches (application‑layer proxy, traffic‑layer proxy, hybrid), deployment patterns for office and multi‑branch environments, practical rollout experience, and how zero‑trust integrates with existing security products.


This report, based on the "Zero Trust Practical Whitepaper" and the author’s own understanding, offers a concise summary of zero‑trust concepts and their practical application.

Zero‑Trust Understanding

Zero‑trust addresses security issues caused by over‑trust in traditional perimeter models by continuously monitoring and dynamically adjusting trust and permissions for users, devices, software, and network locations.

Zero‑Trust Architecture

Most companies adopt a Software‑Defined Perimeter (SDP) architecture, which consists of three main components: SDP controller, SDP client, and SDP service provider. The control plane and data plane are separated to ensure scalability.

Implementation Schemes

1. Application‑Layer Proxy (Reverse Proxy / Web‑Protocol Gateway)

Requests are intercepted by an application‑layer proxy gateway, which performs authentication and authorization before forwarding to backend services. This enables fine‑grained, application‑level access control.

User registers and authorizes the device via a Zero‑Trust agent.

The agent enforces security baselines and reports device status.

Authentication combines human factors (2FA/OTP), device health, and software vulnerability status.

Authorization is based on dynamic security assessment, allowing privilege reduction or blocking.
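The steps above describe the decision the application-layer gateway makes on every request: both human factors must pass, the agent's device report is turned into a security assessment, and the outcome is allow, reduced privilege, or block. The following is an added illustration of that logic, not code from the article or the whitepaper; the report fields, the scores and the thresholds are assumptions chosen to make the flow concrete.

```python
"""Dynamic access decision for a zero-trust application-layer gateway.

Added illustration (not from the article or whitepaper). The gateway
combines the human factor (password plus 2FA/OTP), the device health the
zero-trust agent reports, and the device's vulnerability status into one
assessment, then allows, reduces privileges, or blocks. Field names,
weights and thresholds are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    REDUCED = "allow_reduced_privileges"
    BLOCK = "block"


@dataclass(frozen=True)
class DeviceReport:
    """Status the agent reports for a device (assumed fields)."""
    registered: bool        # device was registered and authorized via the agent
    disk_encrypted: bool    # security-baseline item
    edr_running: bool       # security-baseline item
    os_patched: bool        # security-baseline item
    critical_vulns: int     # unpatched critical vulnerabilities on the device


@dataclass(frozen=True)
class Session:
    user: str
    password_ok: bool
    second_factor_ok: bool  # 2FA/OTP result
    device: DeviceReport
    requested_scope: str    # e.g. "read" or "admin"


def assess_device(dev: DeviceReport) -> int:
    """Score 0-100 from the agent's baseline report; unregistered devices score 0."""
    if not dev.registered:
        return 0
    score = 100
    score -= 0 if dev.disk_encrypted else 30
    score -= 0 if dev.edr_running else 30
    score -= 0 if dev.os_patched else 20
    score -= min(dev.critical_vulns, 4) * 10   # cap so one factor cannot dominate
    return max(score, 0)


def decide(s: Session) -> tuple[Decision, str]:
    """Return (decision, effective scope) for one request.

    Called on every request, so a device whose report degrades mid-session
    is downgraded or blocked on its next call, not at the next login.
    """
    # Human factor: both factors are required; a missing factor is a hard block.
    if not (s.password_ok and s.second_factor_ok):
        return Decision.BLOCK, "none"
    score = assess_device(s.device)
    if score < 40:
        return Decision.BLOCK, "none"
    if score < 80:
        # Degraded device: keep the user working but only with read scope.
        return Decision.REDUCED, "read"
    return Decision.ALLOW, s.requested_scope


if __name__ == "__main__":
    healthy = DeviceReport(True, True, True, True, 0)
    degraded = DeviceReport(True, True, False, True, 1)   # no EDR, one critical vuln
    for dev in (healthy, degraded):
        print(decide(Session("alice", True, True, dev, "admin")))
```

Evaluating on every request rather than once at login is what makes the assessment continuous: when the agent's next report drops the device below a threshold, the gateway's answer changes without any session being torn down by hand.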

2. Traffic‑Layer Proxy (Layer‑4 Proxy)

The gateway intercepts all traffic (including non‑HTTP) via hooks, virtual NICs, or network‑filter drivers, forwarding it to backend services after authentication and authorization.

Advantages: protocol‑agnostic, supports both B/S (browser/server) and C/S (client/server) applications, minimal client changes.

Disadvantages: higher decryption cost for encrypted traffic, less fine‑grained control at the application layer.

3. Hybrid Gateway

Combines full‑traffic proxy as a unified entry point with application‑layer modules for specific services (e.g., SSH, RDP, IoT), achieving both broad coverage and fine‑grained control.
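A hybrid gateway has to decide, per connection, whether a protocol-aware module or the generic traffic-layer path handles it. The following is an added illustration of that dispatch, not code from the article or the whitepaper: the gateway authenticates the connection first, peeks at its first bytes, hands recognised protocols (HTTP, SSH, RDP, TLS) to an application-layer module, and leaves everything else on the layer-4 path. The module names are assumptions; the protocol signatures are the standard ones.

```python
"""Connection dispatch in a hybrid zero-trust gateway.

Added illustration (not from the article or whitepaper). One traffic-layer
entry point accepts every connection; recognised protocols are routed to an
application-layer module that can apply fine-grained checks, unknown
protocols stay on the generic layer-4 proxy path. Module names are assumed.
"""

# Request-line prefixes of a plaintext HTTP request.
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"PATCH ")


def classify(peek: bytes) -> str:
    """Name the module that should handle a connection, from its first bytes."""
    if peek.startswith(b"SSH-"):
        return "ssh_module"          # SSH identification string (RFC 4253)
    if peek.startswith(HTTP_METHODS):
        return "http_module"         # plaintext HTTP request line
    if len(peek) >= 2 and peek[0] == 0x16 and peek[1] == 0x03:
        return "tls_terminator"      # TLS record: handshake type, version 3.x
    if len(peek) >= 4 and peek[0] == 0x03 and peek[1] == 0x00:
        return "rdp_module"          # TPKT header carrying RDP's X.224 connection request
    return "l4_passthrough"          # anything else: traffic-layer proxy only


def route(peek: bytes, authenticated: bool) -> tuple[str, str]:
    """Authenticate before dispatch: unauthenticated bytes never reach a module."""
    if not authenticated:
        return "none", "drop"
    return classify(peek), "forward"


if __name__ == "__main__":
    # Constructed sample first-bytes for a few connections.
    samples = [
        b"SSH-2.0-OpenSSH_9.6\r\n",
        b"GET /index.html HTTP/1.1\r\n",
        bytes([0x16, 0x03, 0x01, 0x00, 0xC8]),
        bytes([0x03, 0x00, 0x00, 0x13, 0x0E]),
        b"\x00\x00\x00\x00",
    ]
    for s in samples:
        print(route(s, authenticated=True))
```

The ordering matters only where signatures could overlap; here the checks are disjoint, so a connection lands in exactly one module. The point of the fallback branch is that coverage never drops to zero: a protocol without its own module is still authenticated and proxied at layer 4, just without application-level controls.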

Deployment Patterns

1. Internal Office Deployment

The Zero‑Trust gateway is placed in front of internal servers, forcing all user, device, and service traffic to pass through authentication, continuous security assessment, and dynamic authorization before reaching resources.

2. Multi‑Branch / Group Deployment

Branch offices and subsidiaries access central services via the Zero‑Trust gateway, with policies scoped to groups or individual users, ensuring consistent security across distributed locations.

Zero‑Trust in Production Service Inter‑Calls

Although rarely practiced, the model defines workloads (servers/containers), visitors (calling workloads), providers (service workloads), and services (exposed APIs). The same Zero‑Trust principles apply to inter‑service traffic.

Practical Experience

Successful Zero‑Trust rollout requires a dedicated security team, leadership support, clear security goals, sufficient budget, and cooperation from business units and vendors. Implementation steps include scope definition, goal setting, phased planning, execution, and continuous optimization.

Relation to Existing Security Products

Zero‑Trust does not replace existing security tools but integrates them more tightly, using detection, alerting, and protection capabilities to enable continuous, dynamic security assessment and response.

Conclusion

Zero‑Trust is a security mindset and architecture that, when combined with proper deployment, governance, and existing security solutions, can significantly reduce attack surface and improve control over enterprise resources.

Tags: access control, network security, zero-trust, SDP, enterprise architecture, security deployment
Written by

Top Architect

Top Architect focuses on sharing practical architecture knowledge, covering enterprise, system, website, large‑scale distributed, and high‑availability architectures, plus architecture adjustments using internet technologies. We welcome idea‑driven, sharing‑oriented architects to exchange and learn together.
