The Five Pillars of Zero Trust
CISA's Zero Trust Maturity Model defines five pillars that together constitute a complete zero trust architecture. Each pillar has its own technology stack, maturity progression, and cost profile. Most organizations start with Identity and expand outward. Updated 26 March 2026.
- Identity: 30-40%
- Device: 15-20%
- Network: 20-30%
- Workload: 10-15%
- Data: 10-15%
Identity
Verify every user before granting any access
Identity is the primary security perimeter in zero trust. Every user, service account, and non-human identity must be verified through strong authentication before accessing any resource. Identity context also informs access decisions for all other pillars.
Core Capabilities
- Single Sign-On (SSO) federation across all applications
- Phishing-resistant MFA (FIDO2, hardware tokens, passkeys)
- Privileged Access Management (PAM) for admin accounts
- Identity Governance (lifecycle management, access reviews)
- Conditional access policies based on risk signals
- Service account and non-human identity management
Maturity Progression
- Traditional: Password-only authentication; shared accounts; no SSO
- Initial: MFA on some systems; partial SSO; basic lifecycle management
- Advanced: Phishing-resistant MFA everywhere; full SSO; automated provisioning
- Optimal: Continuous authentication; risk-based access; passwordless for all
Device
Only trust devices that can prove their health
In zero trust, device health is evaluated before and during every access request. A compromised device is treated as untrusted regardless of the user's identity. Device management and endpoint security are foundational to this pillar.
Core Capabilities
- Mobile Device Management (MDM) for corporate devices
- Endpoint Detection and Response (EDR)
- Device compliance and health attestation
- Certificate-based device authentication
- Patch status and vulnerability validation
- BYOD policy enforcement and app containerization
Maturity Progression
- Traditional: Basic AV; manual patching; no device compliance enforcement
- Initial: MDM deployed; basic compliance policies; EDR on some devices
- Advanced: Device health gates access; EDR everywhere; automated patch compliance
- Optimal: Real-time device risk scoring; automated quarantine; full BYOD controls
Network
Segment everything, trust nothing implicitly
Zero trust networks operate on the principle that the internal network is as hostile as the internet. Microsegmentation isolates workloads so a breach in one segment cannot spread laterally. ZTNA replaces broad VPN access with application-specific tunnels.
Core Capabilities
- Microsegmentation of workloads and network segments
- Zero Trust Network Access (ZTNA) replacing VPN
- Software-Defined Wide Area Network (SD-WAN)
- DNS filtering and inspection
- Encrypted east-west traffic inspection
- Network Detection and Response (NDR)
Maturity Progression
- Traditional: Flat network; VPN for remote access; perimeter-only controls
- Initial: VLAN segmentation; MFA on VPN; basic logging
- Advanced: ZTNA deployed; macro-segmentation; encrypted east-west traffic
- Optimal: Full microsegmentation; all traffic inspected; automated threat response
Workload
Protect applications and cloud services at the workload level
Workloads (applications, containers, cloud functions, APIs) need their own identities and communication policies. Zero trust for workloads means every service-to-service call is authenticated and authorized, regardless of where in the network it originates.
Core Capabilities
- Workload identity and service mesh (mutual TLS)
- API security and gateway controls
- Container and Kubernetes security
- Cloud Security Posture Management (CSPM)
- Runtime application self-protection (RASP)
- Software supply chain security
Maturity Progression
- Traditional: Application-level auth only; no service-to-service controls
- Initial: API keys and basic auth; CSPM on cloud accounts
- Advanced: Service mesh with mTLS; workload identity; CSPM with enforcement
- Optimal: Full least-privilege service-to-service; automated supply chain verification
Data
Protect data wherever it lives, moves, and rests
The data pillar ensures that sensitive information is protected regardless of where it resides or moves. This requires understanding what data you have, classifying it, and enforcing policies that travel with the data rather than relying solely on perimeter controls.
Core Capabilities
- Data discovery and classification
- Data Loss Prevention (DLP) across endpoints, email, cloud
- Encryption key management
- Information Rights Management (IRM)
- Data access governance
- Cloud Access Security Broker (CASB)
Maturity Progression
- Traditional: Encryption of databases only; no classification; reactive DLP
- Initial: Basic data classification; email DLP; cloud storage encryption
- Advanced: Automated classification; endpoint DLP; CASB for cloud apps
- Optimal: Real-time data risk scoring; IRM on sensitive documents; full CASB coverage
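The Identity, Device and Data pillars above all feed one access decision: identity context informs every other pillar, an unhealthy device is denied regardless of who the user is, and policy follows the data's classification. The following Python is an added example (not from the page, CISA, or any product) of a minimal policy decision point that fuses those signals; the field names, MFA ranking, risk scale, thresholds and sample values are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Phishing-resistant methods (FIDO2, hardware tokens, passkeys) rank above
# OTP and push; a bare password scores 0. Ranking is an assumption.
MFA_STRENGTH = {"password": 0, "otp": 1, "push": 1,
                "fido2": 2, "hardware_token": 2, "passkey": 2}

@dataclass
class Identity:
    user: str
    mfa_method: str       # how the current session authenticated
    risk_score: int = 0   # 0-100 from the IdP's risk engine (assumed scale)

@dataclass
class Device:
    managed: bool             # enrolled in MDM
    compliant: bool           # passes health/compliance attestation
    edr_healthy: bool         # EDR agent present and reporting
    patch_days_overdue: int = 0

@dataclass
class Resource:
    name: str
    classification: str       # "public", "internal" or "confidential"

def decide(identity: Identity, device: Device, resource: Resource):
    """Return (allowed, reason). The source network is deliberately not an
    input: being 'inside' grants nothing. Device health is evaluated first,
    so an untrusted device is denied regardless of who the user is."""
    if not (device.managed and device.compliant and device.edr_healthy):
        return False, "device not trusted"
    if device.patch_days_overdue > 30 and resource.classification != "public":
        return False, "device patch compliance overdue"
    strength = MFA_STRENGTH.get(identity.mfa_method, 0)
    if strength == 0:
        return False, "MFA required"
    if resource.classification == "confidential" and strength < 2:
        return False, "confidential data requires phishing-resistant MFA"
    if identity.risk_score >= 70:
        return False, "identity risk too high; step-up authentication required"
    return True, "allowed"

if __name__ == "__main__":
    # Constructed sample request: strong MFA, healthy device, confidential data.
    alice = Identity("alice", "fido2", risk_score=10)
    laptop = Device(managed=True, compliant=True, edr_healthy=True)
    print(decide(alice, laptop, Resource("hr-database", "confidential")))
```

A real deployment would pull these signals from the IdP, MDM/EDR and classification service at request time and re-evaluate them during the session, which is what the Optimal tiers above describe.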