🔍
Home Architecture Zero Trust Architecture
Architecture · Lane 1 — Banking & Finance

Zero Trust Architecture: What the Network Actually Looks Like

The principles of Zero Trust are straightforward. The architecture is where organisations struggle — and where vendors simplify in ways that obscure the real implementation work. This page maps the Zero Trust architecture from first principles, based on NIST SP 800-207, applied to a banking network.

17 Apr 2026 · 10 min read · Architecture
Part 2 of 2 ← Start with the principles first

The Architecture in One Diagram

Before decomposing the components, the diagram below maps the complete Zero Trust architecture as it applies to a banking environment. Four functional layers. Four segmentation zones. One feedback loop. Every vendor product you will encounter sits somewhere inside this structure.

SUBJECTS 👤 Remote Worker 🏢 Office User 🤝 Partner / Third Party ⚙️ Service Account 🔌 API Consumer IDENTITY & POLICY PLANE Identity Provider / MFA 🔑 Authentication · SSO · MFA Single source of identity truth Policy Engine ⚙ Evaluates: Identity + Device + Context + Risk Score The decision brain Policy Enforcement Point (PEP) 🚪 The gate at the resource boundary SWIFT ZONE SWIFT Interface Payment Switch Transaction DB SWIFT Connector Highest sensitivity CSCF v2025 Click for controls 🔒 PCI DSS CDE Payment App Card Data DB Tokenisation Engine HSM PCI DSS v4.0.1 scoped No direct internet access Click for controls 🛡️ CORE BANKING Core System Customer DB Batch Processing Legacy Apps Legacy Micro-Perimeter Jump server + PAM access GENERAL IT / CLOUD Office Applications SaaS Services Cloud Workloads DevOps / CI/CD Standard ZT Policy Device health + conditional access MONITORING & RESPONSE PLANE — ASSUME BREACH SIEM / Log Aggregation Centralised event collection 📊 All zones feed here Threat Detection UEBA · Anomaly detection 🔍 Behavioural baselines Incident Response Automated playbooks ⚡ Contain · Eradicate · Recover Risk signals

Zero Trust architecture in a banking environment — identity and policy plane, microsegmentation zones, and continuous monitoring plane. Based on NIST SP 800-207.

The Three Planes: Identity, Policy, and Data

Every Zero Trust architecture operates across three functional planes. Understanding the separation is what distinguishes a genuine ZT architecture from a product marketing claim.

The Identity and Policy Plane is the decision layer. It answers one question: should this subject, on this device, in this context, at this moment, be permitted to access this resource? The policy engine receives signals — identity assertion, device health, session context, threat intelligence — and makes a binary decision. The policy enforcement point executes that decision at the resource boundary. This plane must function before any data access occurs. It cannot be bypassed.

The Data Plane is where actual work happens — where the user runs the application, where the application queries the database, where the transaction processes. In a perimeter model, the data plane was implicitly trusted once a subject was inside the network. In Zero Trust, the data plane has no implicit trust. Access to each resource requires a fresh decision from the policy engine. A user with legitimate access to the payment application has no implied access to the transaction database — even if both systems sit in the same data centre.

The Monitoring Plane is what makes "assume breach" operational rather than aspirational. It collects signals from the data plane — who accessed what, when, from where, how — and feeds those signals back to the policy engine as dynamic risk scores. A user whose behaviour deviates from their established baseline generates a risk signal. The policy engine receives that signal. Access is adjusted in real time. Without the monitoring plane, the policy engine is making decisions with incomplete information. The feedback loop is the architecture.

💡
ARCHITECTURE NOTE

The most common architecture mistake: buying a ZTNA product (which handles the policy enforcement point) without building the policy engine or the monitoring plane. A gate with no gatekeeper and no security camera is not Zero Trust. It's a gate.

NIST 800-207 Logical Components

NIST's architecture definition identifies seven logical components. Every vendor's "Zero Trust solution" implements some subset of these — rarely all of them. The gap between what a product covers and what the architecture requires is where most ZT programmes stall.

Component Plain-Language Function
Policy Engine (PE) The brain. Makes the access decision based on policy and signals. Every access request runs through the PE before being permitted or denied.
Policy Administrator (PA) Executes the PE's decision — creates or tears down sessions. Communicates the decision to the PEP. The PA is the operational bridge between decision and enforcement.
Policy Enforcement Point (PEP) The gate. Enforces the access decision at the resource boundary. The PEP is the component most ZTNA products actually implement.
Identity Provider Manages who the user is — authentication, MFA, SSO. The IdP feeds the PE with identity assertions. Without a robust IdP, the PE has no reliable signal.
Device Trust Assesses device health and compliance before granting access. A valid credential on an unmanaged or compromised device should not receive the same access decision as the same credential on a compliant corporate device.
SIEM / Threat Intelligence Feed Feeds risk signals into the Policy Engine dynamically. This closes the monitoring-to-policy feedback loop. Without SIEM integration, the PE cannot make risk-adjusted decisions.
Data Access Policy Defines what data each subject can access, in what context. The policy library that the PE evaluates against. Must be maintained as a living document, not a one-time configuration.

Source: NIST Special Publication 800-207 — Zero Trust Architecture (2020). No live link — reference directly at csrc.nist.gov.

⚠️
COMMON MISTAKE

Disabling monitoring during a maintenance window — the same mistake described in the CIA Triad article — is architecturally significant in a Zero Trust model. The monitoring plane feeds the policy engine. If monitoring is suspended, the policy engine is flying blind. Even a brief monitoring gap during a high-privilege operation should be documented, compensated for, and reviewed post-window.

The Banking Network: Segmentation Zones

A banking network is not a generic enterprise network. It operates under multiple overlapping regulatory frameworks, each of which defines specific boundaries and access requirements. The segmentation zones in the diagram above are not arbitrary. Each zone corresponds to a specific regulatory scope, a specific sensitivity level, and a specific set of controls.

The zones do not trust each other. A service in the SWIFT zone that requires data from the core banking zone must authenticate and authorise that specific access — it does not inherit trust from being in an adjacent zone. This is the operational definition of microsegmentation.

Highest Sensitivity

SWIFT / Payment Zone

CSCF Controls
  • 1.1 — SWIFT Environment Protection (zone boundary)
  • 1.2 — Operator Session Confidentiality & Integrity
  • 2.9 — Transaction Business Controls (monitoring)
  • 6.1 — Operator Access Control (PAM mandatory)
Access Requirements

PAM mandatory. All sessions recorded. All traffic logged. Real-time transaction monitoring.

Who can access: Named privileged accounts only. No shared credentials.

PCI DSS Scoped

PCI DSS Cardholder Data Environment

PCI DSS v4.0.1 Requirements
  • Req 1.2 — Network security controls (boundary enforcement)
  • Req 7.2 — Access control system configuration
  • Req 8.4 — MFA mandatory for all access into CDE
  • Req 10.2 — Audit log implementation
Access Requirements

MFA mandatory. Network boundary enforced — no direct internet. All access via authorised pathways only.

Who can access: CDE-scoped roles only. Access requires documented business justification.

Legacy Micro-Perimeter

Core Banking / Legacy Systems

Architectural Approach

Cannot modify legacy system natively. Wrap in Zero Trust controls externally — the micro-perimeter approach defined in NIST 800-207.

Compensating Controls
  • Network segmentation at perimeter
  • Jump server / bastion host for all access
  • Full session recording via PAM
  • SIEM monitoring for all activity

Who can access: Named application accounts and DBAs only, via PAM.

Standard ZT Policy

General IT / Cloud

Applied Controls
  • Device health check before access (MDM/EDR)
  • MFA enforced for all services
  • Conditional access policies active
  • SaaS access governed by IdP SSO
Key Point

All employees access this zone — but access is per explicit ZT policy, not implicit network membership.

Who can access: All employees — subject to device and identity verification.

The key principle: zones are not trusted by each other. Lateral movement between zones requires the same authentication and authorisation as external access. There is no "inside" from which trust flows automatically.

How Traffic Flows: Normal vs. Compromised

The architecture diagram shows the structural components. The flow below shows how traffic moves through them — and how Zero Trust stops a compromised credential from becoming a full compromise.

See How Traffic Flows

In a perimeter model, a compromised credential = access to everything. In Zero Trust, a compromised credential = access to one resource, with every subsequent move requiring re-verification.

Where PCI DSS Lands in the Architecture

PCI DSS defines the CDE as a network boundary — a segmentation zone with explicit, enforced, monitored controls. The requirements map directly to the Zero Trust architecture components:

  • Requirement 1 (Network Security Controls) = Policy Enforcement Point at the CDE boundary. Every ingress and egress flow must be defined, authorised, and enforced. This is not a firewall rule. It is a microsegmentation policy administered by the PEP.
  • Requirement 7 (Least Privilege Access) = Data Access Policy in the policy engine. Access to CDE systems must be justified by business need, documented, and enforced — not assumed from group membership.
  • Requirement 8 (Identity and Authentication) = Identity Provider enforcing MFA. Every user, every service account, every system account must authenticate with MFA before reaching the PEP at the CDE boundary.
  • Requirement 10 (Logging and Monitoring) = The monitoring plane as applied to the CDE. All access, all activity, all anomalies must flow to SIEM and be retained for 12 months with 3 months immediately available.

The CDE segmentation requirement in PCI DSS is not a compliance formality. It is a microsegmentation zone boundary with explicit, enforced, monitored controls — which is precisely what the Zero Trust architecture mandates. If you are building a PCI DSS-compliant CDE, you are building a Zero Trust zone whether or not you use the terminology.

Your PCI DSS scope is not just a list of systems. It is a segmentation zone with explicit, enforced, monitored boundaries.

Where SWIFT CSCF Lands in the Architecture

The SWIFT infrastructure zone is the highest sensitivity zone in any banking network. SWIFT Customer Security Controls Framework (CSCF) v2025 defines the controls that govern this zone. The architecture mapping is direct:

  • Control 1.1 (SWIFT Environment Protection) = Zone boundary definition and enforcement. The SWIFT environment must be physically and logically separated from the rest of the infrastructure. This is a microsegmentation zone with a defined boundary enforced at the PEP.
  • Control 1.2 (Privileged Account Control) = Identity plane with session verification. All operator access to the SWIFT environment requires PAM, session recording, and verification at each step — not implicit trust from network location.
  • Control 2.9 (Transaction Business Controls) = Monitoring plane applied to transactions. Real-time transaction monitoring is required — which means SIEM feeds specifically covering SWIFT transaction activity, anomaly detection for volumes and patterns, and an active response capability. This is assume-breach applied to financial transactions.
  • Control 6.1 (Operator Access Control) = Data Access Policy governing the SWIFT zone. Named operators only. Least privilege enforced. All access justified by business need and documented. No standing access to the SWIFT interface operator console.

SWIFT assessors reviewing CSP compliance are, in effect, verifying that the Zero Trust architecture is correctly implemented for the SWIFT zone. The terminology differs. The architecture requirement does not.

The Legacy System Problem: Micro-Perimeters

Core banking systems — mainframes, legacy transaction processors, systems that predate modern authentication protocols — cannot natively participate in a Zero Trust architecture. They cannot speak to a policy engine. They cannot consume dynamic access tokens. They cannot verify device health.

The NIST 800-207 answer to this is the micro-perimeter: wrap the legacy system in a Zero Trust control layer externally, even if the system itself cannot be modified. The system remains a risk. The micro-perimeter limits that risk to the smallest possible blast radius and ensures that any compromise is detectable.

Practical controls for legacy system micro-perimeters:

  • Network segmentation: Place the legacy system in an isolated network segment. No traffic in or out except explicitly authorised flows. Enforce at the PEP/firewall boundary.
  • Jump server / bastion host: All access to the legacy system routes through a managed jump server. No direct access. The jump server enforces MFA and session recording.
  • Session recording via PAM: Privileged Access Management covers all sessions on the legacy system. All keystrokes, all commands, all screen activity recorded and retained.
  • SIEM monitoring: Legacy system logs forwarded to SIEM in real time. Anomaly detection applied. Alert thresholds set for unusual access patterns, off-hours activity, bulk data queries.
  • Application accounts: Legacy system application accounts inventoried, least-privilege applied at the account level, no shared credentials, regular access review.

The legacy system remains a risk. The micro-perimeter limits that risk to the smallest possible blast radius and ensures that any compromise is detectable.

Implementation Phases

Zero Trust is not a product deployment. It is an architectural transformation. Organisations that treat it as a procurement decision consistently fail. The phases below reflect the sequence that works: identity first, then network, then application, then continuous optimisation.

Goal: No implicit trust on identity. Every subject — human and non-human — is verified before access is permitted.
Actions
  • Deploy MFA across all systems and all users — no exceptions
  • Implement RBAC across all systems — access by role, justified by business need
  • Deploy Privileged Access Management (PAM) for all privileged accounts
  • Audit and remediate over-privileged service accounts — eliminate standing access
  • Establish Identity Provider as single source of identity truth — all systems federated
Compliance touchpoints: PCI DSS Req 7 + 8 · ISO 27001 A.5.15–A.5.18 · SWIFT CSCF 6.1
Milestone: Every user, every system, every service account is inventoried and access is justified by documented business need.
Goal: No implicit trust on device or network location. Being inside the network confers no access.
Actions
  • Deploy device health check, MDM, and EDR — integrate device posture with access decisions
  • Implement network microsegmentation — define zones and enforce boundaries at the PEP
  • Replace or wrap legacy VPN access with ZTNA — eliminate implicit network trust
  • Define and enforce data classification policies — where data lives, who can access it
  • Map all authorised network flows — every legitimate path documented and enforced
Compliance touchpoints: PCI DSS Req 1 · ISO 27001 A.8.20 + A.8.22 · SWIFT CSCF 1.1
Milestone: Can you enumerate every authorised network flow? If not, this phase is not done.
Goal: Application-level access control. Data moves only as intended. No standing access to sensitive data.
Actions
  • Implement application-level authentication — separate from network access grants
  • Deploy DLP for sensitive data — enforce data movement policies technically
  • Integrate SIEM with access control — monitoring plane feeding policy engine
  • Implement just-in-time (JIT) access for all privileged operations
  • Apply ZT principles to third-party and API access — no implicit partner trust
Compliance touchpoints: PCI DSS Req 3 + 6 · ISO 27001 A.8.1 + A.8.26 · SWIFT CSCF 2.6 + 6.2
Milestone: No user or service has standing access to sensitive data. All access is time-limited, justified, and logged.
Goal: Dynamic, risk-based policy. Automated response. Continuous improvement cycle operational.
Actions
  • Deploy UEBA — automated anomaly detection feeding the policy engine as risk signals
  • Automate access policy response to risk signals — dynamic access adjustment
  • Implement continuous monitoring and control testing — not annual reviews
  • Apply Zero Trust principles to supply chain and third-party software access
  • Annual ZT maturity assessment against CISA Zero Trust Maturity Model (ZTMM)
Compliance touchpoints: All frameworks — this phase is the continuous improvement cycle required by every major framework.
Milestone: The Policy Engine receives real-time risk signals and adjusts access dynamically. You can demonstrate this in an audit.

Common Architecture Mistakes

Mistake 1: Zone segmentation without policy enforcement. Drawing network zones on a diagram is not microsegmentation. Microsegmentation requires a Policy Enforcement Point at the boundary of each zone — actively inspecting, authenticating, and authorising every session. Organisations that define zones in a network diagram but implement them with firewall rules that trust internal-to-internal traffic have not achieved segmentation. They have achieved the appearance of segmentation.

Mistake 2: MFA without device health check. Requiring MFA is necessary but not sufficient. A valid MFA response on a compromised, unmanaged, or non-compliant device should not generate the same access decision as MFA on a fully managed, health-checked corporate device. The Identity Provider handles authentication. Device trust is a separate signal to the Policy Engine. Conflating them is the most common gap in early-stage ZT programmes.

Mistake 3: Buying the Policy Enforcement Point without building the Policy Engine. ZTNA products enforce decisions. They do not make decisions. The product implements the PEP. The organisation must build or deploy the Policy Engine — the component that evaluates identity, device, context, and risk and produces the access decision. Without a functioning Policy Engine, the PEP will enforce whatever default policy was configured at installation, which is typically more permissive than intended.

Mistake 4: Monitoring without response capability. SIEM without a response function is expensive logging. The monitoring plane feeds the Policy Engine with risk signals. Those signals must trigger a response — automated where possible, human-escalated where necessary. An organisation that can detect an anomaly in 30 seconds but requires a 4-hour change management process to adjust access is not operating a Zero Trust architecture. Detection and response must be designed together, not procured separately.

Part 1 of 2

Start with the Principles

The architecture makes more sense once the three principles are clear. If you came here first — the fundamentals page maps Zero Trust to PCI DSS, ISO 27001, and SWIFT CSCF without a single vendor recommendation.

← Read Zero Trust Principles

Related Reference Pages

Fundamentals
Zero Trust — Principles and Framework Crosswalk
Frameworks
PCI DSS v4 Requirements — Full Reference
Frameworks
SWIFT CSCF v2025 Controls Reference
Frameworks
ISO 27001 Annex A Controls Library
Architecture
DMZ Architecture — How It Relates to Zero Trust
ThreatManifest

Real-world cybersecurity — for professionals and people. From the assessment floor, not the textbook.

Professional
Security
Behind the Firewall
Learn
About
Credentials & Affiliations
SWIFT CSP Assessor CISA CEH ISO 27001 Lead Implementer CC (ISC2) 35 ISO 27001 Engagements 27+ PCI DSS ROCs
Affiliate Disclosure

Some articles on this site contain affiliate links. If you purchase a product through one of these links, Threat Manifest may earn a small commission — at no extra cost to you. We only recommend tools and services we have independently evaluated. Read full disclosure.

Privacy Policy Terms of Use Disclaimer Affiliate Disclosure Content Policy Accessibility
© 2026 Threat Manifest. All rights reserved.