Zero Trust: The Architect's Lens
Before you design anything, you need to think like a cybersecurity architect. Learn the Zero Trust principles and technology pillars that shape every security decision on the SC-100 exam.
What is Zero Trust?
Imagine a building where every door checks your badge — even the internal ones.
Traditional security was like a castle with a moat. Once you crossed the drawbridge (the VPN), you were trusted everywhere inside. But if an attacker got past the moat, they had free rein.
Zero Trust flips this. Every door — every resource, every app, every data store — checks who you are, what device you’re using, and whether you should be there. No one gets a free pass just because they’re “inside the network.”
As a cybersecurity architect, Zero Trust isn’t a product you buy. It’s a design philosophy that shapes every decision you make. Every architecture choice on the SC-100 exam flows through this lens.
The three core principles
Every Zero Trust decision comes back to these three ideas:
| Principle | What It Means | Architect’s Question |
|---|---|---|
| Verify explicitly | Always authenticate and authorise based on all available data points, including identity, location, device health, service or workload, data classification and anomalies | "Am I using enough signals to make this access decision?" |
| Use least privilege access | Limit access with just-in-time (JIT) and just-enough-access (JEA), risk-based adaptive policies, and data protection | "Does this design give more access than needed?" |
| Assume breach | Minimise blast radius, segment access, verify end-to-end encryption, use analytics to detect threats and improve defences | "If this component is compromised, what's the damage?" |
Exam tip: The 'assume breach' trap
Many exam questions test whether you default to assume breach thinking. When two designs both “work,” the correct answer is usually the one that limits blast radius — microsegmentation over flat networks, JIT over standing access, separate admin accounts over shared credentials.
If a question asks "what should you recommend first?" and one option prevents the attack while another only detects it, the exam usually favours prevention (typically a verify explicitly or least privilege control) over detection alone. But when prevention isn't possible, detection paired with blast radius reduction (assume breach) wins.
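To make the three principles concrete, here is an added Python example of a toy policy decision point; it is not code from this course, from the exam, or from Microsoft. The signal names, the `AccessRequest` fields, the rule thresholds, the JIT window and the sample resources are all assumptions made for the example. `evaluate()` combines every signal before deciding (verify explicitly), issues a grant scoped to one app that expires (least privilege), and `blast_radius()` compares what a stolen session can reach under a flat VPN versus per-app access (assume breach).

```python
"""Toy Zero Trust policy decision point (added example, not Microsoft or course code).

Assumptions for the example: signal names, thresholds, a 60-minute JIT window
that halves for each elevated signal, and a handful of constructed resources.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class AccessRequest:
    user: str
    app: str
    device_compliant: bool      # e.g. device compliance state reported by MDM
    mfa_satisfied: bool         # strong authentication already done this session
    sign_in_risk: str           # "low" | "medium" | "high"
    location_trusted: bool      # request came from a named, trusted location
    data_classification: str    # "public" | "internal" | "confidential"


@dataclass
class Decision:
    outcome: str                        # "allow" | "require_mfa" | "block"
    reasons: List[str] = field(default_factory=list)
    expires_at: Optional[datetime] = None


def evaluate(req: AccessRequest, now: datetime, jit_minutes: int = 60) -> Decision:
    """Verify explicitly: every signal is consulted and the strongest control wins."""
    if req.sign_in_risk == "high":
        return Decision("block", ["sign-in risk is high"])
    if req.data_classification == "confidential" and not req.device_compliant:
        return Decision("block", ["confidential data requires a compliant device"])
    if not req.mfa_satisfied:
        return Decision("require_mfa", ["strong authentication is the baseline for every sign-in"])

    # Risk-based adaptive policy: each elevated signal halves the JIT window,
    # so a riskier context gets a shorter, not a broader, grant.
    reasons: List[str] = []
    window = jit_minutes
    for flagged, why in ((req.sign_in_risk == "medium", "sign-in risk is medium"),
                         (not req.location_trusted, "untrusted location"),
                         (req.data_classification == "confidential", "confidential data")):
        if flagged:
            window //= 2
            reasons.append(why)

    # Least privilege: the grant names one app and expires; no standing,
    # network-wide entitlement is ever issued.
    reasons.append(f"grant scoped to {req.app} for {window} min")
    return Decision("allow", reasons, expires_at=now + timedelta(minutes=window))


def blast_radius(design: str, user: str, resources: Set[str],
                 grants: Dict[str, Set[str]]) -> Set[str]:
    """Assume breach: resources a stolen session for `user` can reach.

    "flat_vpn": network-level access, so every resource on the network.
    "per_app":  only the apps the user holds an explicit grant for.
    """
    if design == "flat_vpn":
        return set(resources)
    if design == "per_app":
        return set(grants.get(user, set())) & resources
    raise ValueError(f"unknown design: {design}")


# Constructed sample data for the example (not a real environment).
RESOURCES = {"crm", "hr-db", "file-share", "build-server"}
GRANTS = {"alice": {"crm"}}
NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    routine = AccessRequest("alice", "crm", True, True, "low", True, "internal")
    risky = AccessRequest("alice", "crm", True, True, "medium", False, "internal")
    for req in (routine, risky):
        d = evaluate(req, NOW)
        print(req.user, req.app, d.outcome, d.reasons, d.expires_at)
    for design in ("flat_vpn", "per_app"):
        print(design, sorted(blast_radius(design, "alice", RESOURCES, GRANTS)))
```

The point to notice is the last line of each decision: a riskier context shortens the grant rather than widening it, and the same compromised session reaches one resource under per-app access but every resource under a flat VPN. That is the blast radius comparison the exam tip above asks you to make.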
The six technology pillars
Zero Trust isn’t just about identity. Microsoft defines six technology areas where Zero Trust must be applied:
| Pillar | What It Covers | Key Microsoft Technologies |
|---|---|---|
| Identity | Users, service accounts, workload identities | Microsoft Entra ID, Conditional Access, PIM |
| Endpoints | Devices — laptops, phones, servers, IoT | Microsoft Intune, Defender for Endpoint |
| Data | Classification, labelling, encryption, DLP | Microsoft Purview, Information Protection |
| Applications | SaaS, custom, legacy, shadow IT | Defender for Cloud Apps, App Proxy, Entra ID |
| Infrastructure | Servers, VMs, containers, serverless | Defender for Cloud, Azure Policy, Arc |
| Network | Segmentation, encryption, monitoring | NSGs, Azure Firewall, Entra Internet/Private Access |
🌐 Scenario: Elena's Zero Trust assessment
Dr. Elena Vasquez, CISO at Meridian Global Industries, just joined the company after a competitor suffered a devastating ransomware attack. The board wants assurance that Meridian’s security is solid.
Elena’s first action isn’t buying a new product. She runs a Zero Trust maturity assessment across all six pillars. Her findings:
- Identity: Strong (Conditional Access deployed, MFA enforced)
- Endpoints: Moderate (Intune for corporate devices, but BYOD has gaps)
- Data: Weak (no sensitivity labels, no DLP policies)
- Applications: Moderate (SSO for SaaS, but legacy apps bypass Entra)
- Infrastructure: Weak (Azure VMs and services sit on a flat network with minimal segmentation)
- Network: Weak (traditional VPN, no microsegmentation)
Elena now has a prioritised roadmap. She starts with data classification and network segmentation — the weakest pillars with the highest business risk. Marcus Chen, the board chair, wants a single KPI: “What percentage of our environment is Zero Trust?” Elena explains that maturity is measured per pillar — and shows a radar chart with six spokes. The board immediately sees the gaps.
Thinking like a cybersecurity architect
The SC-100 exam doesn’t ask you to configure products. It asks you to design solutions and evaluate trade-offs. That’s a fundamentally different skill.
The architect’s decision framework
When you face a “Design a solution for…” question, run through this mental model:
- What’s the business requirement? — Compliance, cost, performance, user experience, risk tolerance
- Which Zero Trust pillars are involved? — Usually 2-3 pillars overlap
- What Microsoft capabilities align? — Map to specific products and features
- What are the trade-offs? — Cost vs security, usability vs protection, complexity vs coverage
- Which framework validates the choice? — MCRA, MCSB, CAF, WAF (covered in later modules)
| Thinking Style | Security Engineer | Cybersecurity Architect |
|---|---|---|
| Typical question | How do I configure Conditional Access? | Should we use Conditional Access, network segmentation, or both — and why? |
| Scope | Single product or feature | Multiple products across pillars |
| Decision driver | Technical capability | Business risk and trade-offs |
| Success metric | Feature works as configured | Organisation's security posture improves |
| Stakeholders | IT operations team | CISO, board, compliance, business units |
| Exam language | Configure, implement, deploy | Design, recommend, evaluate, justify |
Zero Trust maturity model
Microsoft defines three maturity stages for each pillar. The architect’s job is to assess where the organisation is and design the path forward:
| Stage | What It Looks Like | Architect’s Role |
|---|---|---|
| Traditional | Perimeter-based, on-prem focused, manual processes, limited visibility | Assess gaps, build the business case for transformation |
| Advanced | Cloud identity, device management, some automation, partial segmentation | Optimise coverage, close gaps between pillars, automate responses |
| Optimal | Fully integrated, real-time signals, automated response, microsegmentation | Maintain posture, adapt to new threats, extend to new workloads (AI, IoT) |
Most organisations sit at Advanced for some pillars and Traditional for others. The architect designs the journey from current state to target state — and this is exactly what SC-100 tests.
Real-world insight: Why 'optimal' isn't always the goal
Not every organisation needs every pillar at Optimal maturity. A small startup with no on-premises infrastructure might invest little in network segmentation and focus on identity and data. A manufacturing company with OT systems might accept Traditional maturity for IoT while pushing Identity and Data to Optimal.
The architect’s job is to match security investment to business risk — not to chase a perfect score on every pillar.
☁️ Scenario: Rajan advises a startup vs an enterprise
Rajan Krishnamurthy from Skyline Security Consulting works with two very different clients in the same week.
Client A — a 50-person SaaS startup (cloud-native):
- No on-premises footprint, everything is SaaS or PaaS
- Rajan recommends focusing on Identity (Optimal) and Data (Advanced) — these are the pillars where their risk lives
- Network pillar? Barely relevant — there’s no corporate network to segment
- Priya Anand, his junior architect, asks “Shouldn’t we get all pillars to Optimal?” Rajan explains: “You match security investment to where the risk actually is.”
Client B — a 10,000-person manufacturer:
- Large on-prem footprint, OT/SCADA systems, legacy apps
- Every pillar matters. Network segmentation is critical for OT isolation
- Rajan designs a 2-year roadmap: Identity and Endpoints first (biggest quick wins), then Data and Network (biggest risk), then Infrastructure and Applications (hardest to change)
Zero Trust and the rest of SC-100
Every domain in this exam builds on Zero Trust:
| Domain | How Zero Trust Applies |
|---|---|
| D1: Best Practices | Zero Trust IS the best practice. MCRA, MCSB, CAF, WAF all reference Zero Trust as foundational |
| D2: Operations & Identity | SOC detects breaches (assume breach). Identity is the primary control plane (verify explicitly). PIM enforces least privilege |
| D3: Infrastructure | Network segmentation (assume breach), endpoint verification (verify explicitly), posture management (continuous assessment) |
| D4: Apps & Data | Application access control (verify explicitly), data classification (least privilege on data), AI workload governance (an emerging area that cuts across the six pillars) |
This is why Zero Trust is Module 1 — everything that follows is an application of these principles.
Key takeaways
- Zero Trust is a design philosophy, not a product, built on three principles: verify explicitly, use least privilege access, assume breach.
- Microsoft applies it across six technology pillars: Identity, Endpoints, Data, Applications, Infrastructure and Network.
- Maturity is assessed per pillar as Traditional, Advanced or Optimal; most organisations are mixed, and the target state follows business risk, not a perfect score.
- SC-100 tests architect thinking: design, recommend, evaluate and justify across pillars rather than configure a single product.
Knowledge check
Dr. Elena Vasquez assesses Meridian Global's Zero Trust maturity and finds that Identity is Advanced, but Network and Data are Traditional. She has budget for one improvement. Following Zero Trust principles, which should she prioritise?
A security architect is reviewing two proposed designs for remote access. Design A uses a traditional VPN with network-level access to all internal resources. Design B uses Conditional Access with per-app access, device compliance checks, and session controls. Which Zero Trust principles does Design B address that Design A does not?
Which of the following is NOT one of the six technology pillars of Microsoft's Zero Trust model?
Next up: CAF and WAF: Designing Secure Azure Foundations — the frameworks that turn Zero Trust principles into structured architecture decisions.