Identify all critical resources requiring protection (data, applications, services, etc.). These resources may reside in various locations, including on-premises data centres, cloud environments, and SaaS platforms.

Understand how data flows between users, devices, applications, and resources. Map all data movement paths within the organisation, considering access routes from multiple locations such as headquarters, branch offices, remote working environments, public networks, data centres, and VPN connections.

Establish security policies defining who can access which resources, under what conditions, and from where. These policies are managed by the Policy Administration component and must be sufficiently stringent to enforce the principle of least privilege and continuous validation.

Build a Policy Engine that evaluates access requests against predefined policies. This engine makes reasoned access decisions using inputs such as data access policies, Public Key Infrastructure (PKI), identity management, SIEM, CDM, industry regulatory compliance requirements, threat intelligence, and activity logs.

Implement the Policy Enforcement Point (PEP) that actually executes the decisions made by the Policy Engine. This component sits between the user/device and the resource, ensuring only verified and authorised requests reach the resource.

Continuously monitor all user and device activity. Update and refine policies based on data gathered from threat intelligence and activity logs, enabling adaptation to new threats and behavioural patterns.

All communications on the data plane must be encrypted, and no implicit trust is granted to any network segment or device. (The blue dotted line "No Implicit Trust" in the image illustrates this)

Security policies are continuously reviewed and updated to respond to new threats and the organisation's evolving requirements. Regular audits and regulatory compliance reviews ensure the effective maintenance of the Zero Trust framework.