Today, there are several ways your organization can implement a Zero Trust Architecture (ZTA). Each method varies in its components and organizational policy rules, resulting in a distinct architecture. The National Institute of Standards and Technology (NIST) guidelines identify three main approaches to ZTA:
- Micro-segmentation
- Software-defined perimeters
- Enhanced identity governance
All three rest on the same core Zero Trust principles:
- Nothing is implicitly trusted.
- All data sources and computing services are considered resources.
- All communication should be secured regardless of network location.
- Dynamic, contextual policy determines access to resources.
Each of these methods is grounded in the Zero Trust definition and its core principles, though some are better suited to specific use cases. They offer distinct advantages and can work together to strengthen your security posture. If your organization is building a Zero Trust Architecture for enterprise applications, the identity-centric approach represents the next-generation gold standard. As traditional network perimeters become less relevant, ZTA helps reinforce identity governance and identity and access management (IAM). Examining micro-segmentation and software-defined perimeters first shows how these strategies can further support your organization's identity governance goals.
ZTA and Micro-segmentation
For many years, micro-segmentation has been the go-to model for Zero Trust Architecture, and its long track record makes it a well-established approach. With this method, your organization isolates individual resources or groups of resources into separate network segments, each protected by a gateway security component. To work effectively, micro-segmentation relies on some form of access control at each gateway.
This strategy tends to perform best in smaller, more static network environments. In larger organizations with dynamic and complex infrastructures, managing the segments and their gateway policies can become expensive and difficult. In a Zero Trust maturity model that moves away from traditional perimeters, creating new internal perimeters may even feel counterintuitive.
Micro-segmentation is often used to protect legacy systems that have limited integration options. However, a more effective approach may be to implement an identity and access management (IAM) solution that provides native, encrypted connectivity to older systems, such as mainframes. In today’s SaaS-driven landscape, where enterprises have limited control over the application layer, micro-segmentation becomes even more challenging to apply.
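The following is an added example, not code from the original article: a toy model of the micro-segmentation gateway described above. Each host is placed in a segment, and a gateway enforces an explicit allow-list between segments (default deny). It also computes how many ordered segment pairs a policy owner must decide on as the segment count grows, which is the management burden the previous paragraphs point to. All hosts, segment names, ports and rules are constructed for illustration.

```python
"""Toy model of a micro-segmented network.

Added example, not code from the original article. Every resource is placed in a
segment and a gateway in front of each segment enforces an explicit allow-list
(default deny). Hosts, segments, ports and rules below are constructed for
illustration only.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """One connection attempt as the segment gateway sees it."""
    src_host: str
    dst_host: str
    dst_port: int


@dataclass
class SegmentedNetwork:
    placement: dict = field(default_factory=dict)  # host -> segment name
    allow: set = field(default_factory=set)        # (src_seg, dst_seg, dst_port)

    def place(self, host: str, segment: str) -> None:
        self.placement[host] = segment

    def permit(self, src_seg: str, dst_seg: str, dst_port: int) -> None:
        """Add one explicit allow rule; anything not listed stays denied."""
        self.allow.add((src_seg, dst_seg, dst_port))

    def evaluate(self, flow: Flow) -> tuple:
        """Gateway decision: ('allow' | 'deny', reason)."""
        src = self.placement.get(flow.src_host)
        dst = self.placement.get(flow.dst_host)
        if src is None or dst is None:
            # A host nobody placed in a segment gets no implicit trust.
            return "deny", "unplaced host"
        if src == dst:
            # Model assumption: the gateway only mediates traffic crossing a
            # segment boundary; traffic inside one segment does not pass it.
            return "allow", f"intra-segment traffic within '{src}'"
        if (src, dst, flow.dst_port) in self.allow:
            return "allow", f"rule {src}->{dst}:{flow.dst_port}"
        return "deny", f"no rule {src}->{dst}:{flow.dst_port}"

    def segment_count(self) -> int:
        return len(set(self.placement.values()))


def directed_pairs(n_segments: int) -> int:
    """Ordered segment pairs a policy owner must decide on before even
    considering ports: n*(n-1), so the review burden grows quadratically."""
    return n_segments * (n_segments - 1)


def build_demo_network() -> SegmentedNetwork:
    """Constructed three-tier layout plus a legacy segment."""
    net = SegmentedNetwork()
    for host, seg in [("web-1", "web"), ("web-2", "web"), ("app-1", "app"),
                      ("db-1", "db"), ("mainframe-1", "legacy")]:
        net.place(host, seg)
    net.permit("web", "app", 8443)     # web tier may call the app tier API
    net.permit("app", "db", 5432)      # app tier may reach the database
    net.permit("app", "legacy", 992)   # app tier may reach the mainframe over TLS
    return net


if __name__ == "__main__":
    net = build_demo_network()
    for f in [Flow("web-1", "app-1", 8443),      # allowed by rule
              Flow("web-1", "db-1", 5432),       # web may not skip the app tier
              Flow("web-1", "web-2", 22),        # same segment, not gateway-mediated
              Flow("laptop-7", "db-1", 5432)]:   # never placed in a segment
        print(f, "->", net.evaluate(f))
    for n in (net.segment_count(), 40):
        print(f"{n} segments -> {directed_pairs(n)} directed segment pairs to govern")
```

With four segments there are twelve ordered pairs to reason about; with forty there are 1,560, before any per-port rules are counted. That growth, plus the need to re-place every host that moves, is why the approach stays manageable mainly in small, static environments.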
ZTA and Software-Defined Perimeters
This approach enables your organization and its policy administrators to restrict network access and deliver secure, customized connectivity through a policy engine managed by a software-defined perimeter. Access is granted on a need-to-know basis: each device and user identity is verified before it is allowed beyond the network perimeter. Like micro-segmentation, software-defined perimeters rely on traditional IT boundaries and work best in environments where those structures are still in place. But as more of your technology stack moves to the cloud, these perimeter-based models are becoming less relevant.
ZTA, Identity Governance, and IAM
Perimeters, and by extension both micro-segmentation and software-defined perimeters, are becoming increasingly outdated. According to the 2021 and 2025 editions of the Verizon Data Breach Investigations Report, the threat landscape has remained largely unchanged. In 2021, 80% of breaches were linked to external actors, while 20% came from internal sources. By 2025, those numbers had shifted only slightly: 81% of breaches were caused by external actors, 18% by internal actors, and the rest involved partners or multiple sources. But here’s the critical insight: most external attackers gain access by acquiring valid credentials on the dark web or through social engineering tactics like phishing. So even when the threat appears to come from outside, it often involves legitimate internal credentials, making it, in effect, an insider threat.
Relying solely on perimeter defenses, whether through micro-segmentation or software-defined policies, is no longer enough. Your organization needs to be ready to detect and respond to threats that occur inside the network. That’s where identity and access management (IAM) shines. Beyond its flexibility and ease of deployment, IAM offers single sign-on and federated access across on-premises, remote, and cloud environments. It enables a Zero Trust network that doesn’t rely on traditional boundaries but still delivers strong, modern security.
Most external breaches stem from hacking and social engineering. A Zero Trust Architecture built on IAM counters this with automated provisioning and de-provisioning, workflow approvals, and just-in-time access, granting access according to the principle of least privilege. As deperimeterization accelerates, your organization will need a Zero Trust Architecture that’s dynamic, scalable, and elastic, one that adapts as the lines between systems continue to blur. Because IAM isn’t bound by traditional borders, it stands out as a powerful, next-generation approach to ZTA.
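As an added example (not code from the article or from any vendor product), the block below models the identity-centric policy decision this section argues for, and the "dynamic, contextual policy" principle listed in the introduction. Every request is evaluated against the principal's status, device posture, authentication freshness and a time-boxed just-in-time grant for exactly one resource and action; network location is not an input at all. De-provisioning removes the identity and all of its grants in one step, so stolen credentials of a departed user buy nothing. Principals, resources, timestamps and thresholds are constructed for illustration.

```python
"""Identity-centric access decision with just-in-time, least-privilege grants.

Added example, not code from the original article or any vendor product. The
decision takes identity, device posture and authentication freshness as inputs
and never looks at network location. Principals, resources and times are
constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

T0 = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed reference time


@dataclass
class Context:
    principal: str
    device_managed: bool   # posture signal from device management
    auth_age: timedelta    # time since last strong (MFA) authentication
    now: datetime


@dataclass
class Grant:
    principal: str
    resource: str
    action: str
    expires_at: datetime   # JIT grants are always time-bound


@dataclass
class IdentityPolicy:
    active_principals: set = field(default_factory=set)
    grants: list = field(default_factory=list)
    max_auth_age: timedelta = timedelta(hours=8)

    def provision(self, principal: str) -> None:
        self.active_principals.add(principal)

    def deprovision(self, principal: str) -> None:
        """Leaver/mover: the identity and every grant tied to it go at once,
        so no standing access survives the account."""
        self.active_principals.discard(principal)
        self.grants = [g for g in self.grants if g.principal != principal]

    def grant_jit(self, principal: str, resource: str, action: str,
                  now: datetime, ttl: timedelta = timedelta(hours=1)) -> None:
        """Approved, time-boxed grant for exactly one resource and action."""
        self.grants.append(Grant(principal, resource, action, now + ttl))

    def decide(self, ctx: Context, resource: str, action: str) -> tuple:
        """Return (allowed, reason); evaluated on every request, not once at a perimeter."""
        if ctx.principal not in self.active_principals:
            return False, "unknown or deprovisioned principal"
        if not ctx.device_managed:
            return False, "device posture: unmanaged"
        if ctx.auth_age > self.max_auth_age:
            return False, "authentication too old, re-verify"
        for g in self.grants:
            if (g.principal == ctx.principal and g.resource == resource
                    and g.action == action and g.expires_at > ctx.now):
                return True, f"JIT grant valid until {g.expires_at.isoformat()}"
        return False, "no active grant for this resource/action (least privilege)"


def demo() -> dict:
    """Run the constructed scenario and return each decision's allow flag."""
    policy = IdentityPolicy()
    policy.provision("alice")
    policy.provision("bob")
    policy.grant_jit("alice", "payroll-db", "read", now=T0)
    policy.grant_jit("bob", "payroll-db", "read", now=T0)
    policy.deprovision("bob")  # bob leaves; his grant must not linger

    fresh, stale = timedelta(minutes=10), timedelta(hours=9)
    in_window, after_window = T0 + timedelta(minutes=30), T0 + timedelta(hours=2)
    cases = {
        "alice_in_window": (Context("alice", True, fresh, in_window), "payroll-db", "read"),
        "alice_expired": (Context("alice", True, fresh, after_window), "payroll-db", "read"),
        "alice_unmanaged_device": (Context("alice", False, fresh, in_window), "payroll-db", "read"),
        "alice_stale_auth": (Context("alice", True, stale, in_window), "payroll-db", "read"),
        "alice_wrong_action": (Context("alice", True, fresh, in_window), "payroll-db", "write"),
        "bob_deprovisioned": (Context("bob", True, fresh, in_window), "payroll-db", "read"),
    }
    return {name: policy.decide(ctx, res, act)[0] for name, (ctx, res, act) in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'DENY'}")
```

Only the first case is allowed. The same valid credential is refused once the grant window closes, when the device is unmanaged, when the last strong authentication is too old, for an action that was never approved, and for a principal who has been de-provisioned. None of those checks depend on where the request came from, which is what lets the model work identically on-premises, remotely and in the cloud.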
Beginning Your Zero Trust Journey
Beginning your Zero Trust journey with an access management solution requires a planned, well-defined approach. To start, you’ll want to work toward Zero Trust by first establishing Reduced Trust. Discover this formative first step and more of the ZT transformation by downloading our eBook: Zero Trust and Access Management: A Journey, Not a Destination.