Reference Architecture

Zero Trust Architecture

Identity-centric, perimeter-eliminated, encryption-aware. The architecture we deploy in production at enterprise scale — and the migration path to get there from where you actually are today.

The architecture problem

Legacy network security was built for an estate that no longer exists. Zero Trust starts from the assumption it's already breached.

Legacy / Perimeter

  • Trust is location-based: inside the network = trusted
  • VPN extends the corporate LAN to every endpoint
  • TLS 1.3 / QUIC / ECDHE silently break inspection
  • Lateral movement is unconstrained once inside
  • Third-party access is granted at the network layer
  • Compliance evidence depends on perimeter integrity
  • Post-merger network unification takes 2–4 years

Zero Trust

  • Trust is per-request: identity + device + context
  • No network-level access; users connect to apps, not networks
  • Encrypted-traffic visibility through architectural design, not point tools
  • Lateral movement constrained by microsegmentation by default
  • Third-party access scoped to a single app, time-boxed
  • Compliance evidence is generated by the control plane
  • Post-merger unification is a policy operation, not a network rebuild

Reference architecture

The layered stack we deploy. Vendor-agnostic in pattern, opinionated in execution.

Identity

The new perimeter. Single source of truth for users, devices, and workloads with continuous posture evaluation.
Entra ID, Okta, Ping, Conditional Access

Edge / SASE

Inline traffic control with TLS inspection, DLP, CASB, and threat prevention applied at the cloud edge — not at the branch firewall.
Zscaler ZIA, ZDX, Inline DLP, CASB

Workforce Access

ZTNA replacing VPN. Users connect to specific applications, not subnets. Third-party and contractor access is scoped per app per session.
Zscaler ZPA, App Connectors, Browser Access

Workload & Cloud

AWS and Azure native controls layered with microsegmentation and posture management. Workload identity, not network identity, is the access principle.
AWS Security Hub, Defender for Cloud, Microsegmentation

Endpoint

EDR and posture feed back into the access plane so device health is part of every authorization decision.
CrowdStrike Falcon, Defender for Endpoint, Posture API

AI Guardrails

Inline visibility and control for ChatGPT, Copilot, and agent-mode tooling. Prompt-level DLP and exfiltration prevention for the workflows traditional controls don't see.
Inline GenAI DLP, Agent-mode guardrails, Prompt visibility

The identity chain

Every access decision evaluates this chain. If any link fails, the decision fails — not just the connection.

  01 User: verified identity from the IdP
  02 Device: health and posture from EDR
  03 Context: location, time, risk score
  04 Policy: conditional access evaluation
  05 App: scoped to one application
  06 Audit: decision logged for compliance
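To make the fail-closed behaviour of the chain concrete, here is an added example of a minimal policy decision point that walks the six links in order. It is illustration written for this page, not code from the architecture or any product named above; the thresholds, the per-app policy table, the country allow-list and the sample requests are all constructed. Each link is a separate check, the first failing link denies the request, and every decision (allow or deny) is appended to an audit log, so a denied request still produces evidence.

```python
"""Added example (not from the original page): a minimal policy decision
point that walks the six-link identity chain. Every link must pass; the
first failure denies the request, and each decision is audited. Names,
thresholds and sample inputs are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

HIGH_RISK = 70                          # constructed: risk score at/above this denies
ALLOWED_COUNTRIES = {"US", "GB", "DE"}  # constructed geo allow-list for the Context link
BUSINESS_HOURS_UTC = range(7, 20)       # constructed window for business_hours_only apps

# Conditional-access policy per application (constructed). There is no
# entry for networks: users are granted applications, never subnets.
APP_POLICY = {
    "payroll": {"require_mfa": True, "require_managed": True,
                "business_hours_only": True, "groups": {"finance"}},
    "wiki": {"require_mfa": False, "require_managed": False,
             "business_hours_only": False, "groups": {"staff", "finance"}},
}


@dataclass
class AccessRequest:
    user: str
    idp_verified: bool    # IdP asserted the identity (token validated upstream)
    mfa_satisfied: bool
    groups: set
    device_healthy: bool  # EDR posture: sensor running, no active detections
    device_managed: bool
    country: str
    hour_utc: int
    risk_score: int
    resource: str         # the single application being requested


@dataclass
class Decision:
    allowed: bool
    failed_link: Optional[str]
    reason: str


def check_user(r):
    return r.idp_verified, "identity not asserted by IdP"


def check_device(r):
    return r.device_healthy, "EDR reports device unhealthy"


def check_context(r):
    if r.country not in ALLOWED_COUNTRIES:
        return False, f"country {r.country} not allowed"
    if r.risk_score >= HIGH_RISK:
        return False, f"risk score {r.risk_score} at or above {HIGH_RISK}"
    return True, ""


def check_policy(r):
    pol = APP_POLICY.get(r.resource)
    if pol is None:  # no policy means deny, not "allow by default"
        return False, f"no conditional access policy for {r.resource}"
    if pol["require_mfa"] and not r.mfa_satisfied:
        return False, "MFA required by policy"
    if pol["require_managed"] and not r.device_managed:
        return False, "managed device required by policy"
    if pol["business_hours_only"] and r.hour_utc not in BUSINESS_HOURS_UTC:
        return False, f"outside business hours (hour {r.hour_utc} UTC)"
    return True, ""


def check_app(r):
    # The grant is scoped to one named application; a network range is
    # never a valid target, and the user must be entitled to that app.
    try:
        ipaddress.ip_network(r.resource, strict=False)
        return False, "network-scoped access requested; only applications are granted"
    except ValueError:
        pass
    entitled = APP_POLICY.get(r.resource, {}).get("groups", set())
    if not (entitled & r.groups):
        return False, f"user not entitled to {r.resource}"
    return True, ""


CHAIN = [("user", check_user), ("device", check_device), ("context", check_context),
         ("policy", check_policy), ("app", check_app)]


def evaluate(req: AccessRequest, audit_log: list) -> Decision:
    """Walk the chain in order; the decision fails on the first broken link."""
    decision = Decision(True, None, "all links passed")
    for name, check in CHAIN:
        ok, reason = check(req)
        if not ok:
            decision = Decision(False, name, reason)
            break
    # Audit link: every decision is recorded, allow and deny alike.
    audit_log.append({"user": req.user, "resource": req.resource,
                      "allowed": decision.allowed,
                      "failed_link": decision.failed_link,
                      "reason": decision.reason})
    return decision


if __name__ == "__main__":
    log = []
    req = AccessRequest("alice", True, True, {"finance"}, True, True, "US", 10, 12, "payroll")
    print(evaluate(req, log))
    print(evaluate(AccessRequest("alice", True, True, {"finance"}, False, True,
                                 "US", 10, 12, "payroll"), log))
    print(log)
```

The order of the checks matters: the user and device links are evaluated before any context or policy logic runs, so a compromised-looking device is denied before the policy engine ever sees the request, and an application with no policy entry is denied rather than implicitly allowed.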

Compliance mapping

The frameworks the architecture is designed against from day one — not retrofitted at audit time.

Healthcare
HIPAA

Security Rule alignment via identity-centric access, audit trail generation, and PHI-aware inline DLP.

Financial
PCI DSS 4.0

Segmentation and scoping reductions, MFA enforcement, and continuous monitoring across the CDE.

Federal / Best practice
NIST CSF 2.0

Core functions mapped to architecture controls, with Zero Trust Maturity Model alignment scoring.

Privacy
GDPR

Data residency, processing visibility, and right-to-erasure workflows supported by the access plane.

Migration path

Five phases. Phase 1 starts producing security value within 30 days.

01 Days 1–30: Assess & baseline

Identity, network, and workload inventory. Current-state architecture diagram. Zero Trust Maturity Model scoring. Compliance gap mapping per framework. Output: a target-state architecture and a sequenced execution plan.

02 Months 1–3: Identity foundation

Consolidate to a single IdP, harden conditional access, deploy MFA at the right strength for each user class, integrate device posture from EDR. Everything that follows depends on this layer being solid.

03 Months 3–6: Edge & workforce access

ZIA inline for internet traffic with TLS inspection, DLP, and CASB. ZPA for private apps replacing the VPN. App Connectors deployed close to workloads, not in a central data center.

04 Months 6–12: Workload, cloud, microsegmentation

Native controls in AWS and Azure layered with microsegmentation. Workload identity wired into the access plane. AI guardrails for GenAI and agent-mode tooling. Third-party access scoped per app.

05 Months 12–18: Decommission legacy

Retire VPN concentrators, flatten legacy firewall complexity, and remove the access controls that no longer serve a purpose. Continuous attestation of the new posture for the next audit cycle.

Engage

Want this architecture for your environment?

Tell us about the current state, the constraint, and the deadline. We respond within one business day.