Zero Trust architecture: definition and on-premise implementation
Over the past few years, the term Zero Trust has often been used as a marketing buzzword. In this resource, we go back to the principles of Zero Trust and how to deploy them on-premise, for industry and OT.
What is a Zero Trust architecture?
A Zero Trust architecture rests on one premise: the position of a user, a device or a flow inside the network does not grant authorization. The implicit trust given to whatever sits "inside" disappears. Every access request is authenticated, authorized, then continuously verified, regardless of its origin.
This breaks with the perimeter model, which treats anything past the firewall as trusted. On a flat industrial network, that shortcut has a cost: a compromised workstation reaches a PLC or a SCADA server with nothing in its way. Zero Trust removes that path.
Three elements structure the model: identity (who, or what, is requesting access), policy (what is allowed, on a least-privilege basis) and continuous verification (control does not stop at session start).
The principles of Zero Trust
Authenticate & Verify
Every access is authenticated and authorized from all available signals (identity, device and context), not from network position alone.
Least privilege
Each user or system gets only the access its task requires, for a limited time. On an OT network, only the legitimate flows between a supervision station and the equipment it controls are opened.
Assume breach
The architecture is designed assuming part of the network is already compromised. Fine-grained segmentation, logging and containment of lateral movement confine the incident instead of letting it spread.
Zero Trust and the frameworks: ANSSI, the European framework and NIS2
In France, ANSSI is the reference for critical operators. Its recommendations on segmentation, access control and logging overlap with Zero Trust principles, without always using the same vocabulary. The agency remains cautious about packaged "Zero Trust" offerings and recommends a progressive rollout, built on the existing architecture.
At European level, the NIS2 directive mandates risk-management measures (segmentation, access control and traceability) that follow the same logic. For OT, the IEC 62443 standard provides the technical translation through its zones and conduits; ENISA rounds out the good practices.
The most cited architecture model remains NIST SP 800-207. It names the components of a Zero Trust system: a policy decision point (PDP), which rules on each request, and a policy enforcement point (PEP), which applies the decision close to the resource. This PEP/PDP vocabulary has become a common language; it complements the French and European frameworks, it does not replace them.
| Framework | Scope | Role with respect to Zero Trust |
|---|---|---|
| ANSSI | France · critical operators | Segmentation, access control, logging; progressive rollout |
| NIS2 | European Union · directive 2022/2555 | Article 21: segmentation, access control, traceability |
| IEC 62443 | OT/ICS technical standard | Zones and conduits: the technical translation of segmentation |
| ENISA | EU cybersecurity agency | Good practices for securing industrial systems |
| NIST SP 800-207 | United States · reference model | PEP/PDP components, micro-segmentation, continuous verification |
Zero Trust on-premise: why industry and OT cannot depend on the cloud
Most Zero Trust offerings route access control through a cloud service. In an industrial environment, that assumption rarely holds: OT networks are segmented, sometimes air-gapped, and production cannot depend on a third-party service.
Three constraints call for an on-premise implementation:
- Sovereignty: the flows and logs of a critical system have no reason to leave the site, or the country.
- Latency: control loops do not tolerate a detour through a remote point of presence.
- Continuity: a site must stay operational even without an internet link.
On-premise Zero Trust applies the same principles, but the decision point and the enforcement point stay on site, under the operator's control. That is what makes the model applicable to an industrial environment without compromising availability or sovereignty.
Zero Trust, defense in depth and the Purdue model for OT
Zero Trust does not replace defense in depth: it extends it. Defense in depth stacks layers of protection (firewalls, DMZ, hardening), assuming none is infallible. Zero Trust adds a verification at every layer, including inside the perimeter, where defense in depth usually stops.
The Purdue model orders industrial networks into levels, from the physical process (level 0) up to enterprise IT (levels 4 and 5), with the IT/OT boundary at level 3. It served real purposes, but its foundations are under strain, notably because of IP convergence and real-time flows that cross every level.
Many networks look segmented on the diagram and stay flat in practice. Three causes explain it:
- Trust by location: a device is deemed safe because it sits on the right subnet, so an attacker who enters one layer inherits everything that layer allows.
- No device identity: PLCs, RTUs and sensors often communicate in clear text, with no way to prove who they are.
- No visibility below the perimeter: no unified inventory, no session-level audit trail.
Bringing Zero Trust into OT means turning the Purdue levels into trust zones linked by controlled conduits (IEC 62443), blocking lateral movement with micro-segmentation (PVLAN) at the switch, and enforcing policy on the network, agentless on the equipment. The existing IP addressing and hardware are preserved; legacy devices that cannot host an agent are protected just like the newest ones.
How Access Gate implements on-premise Zero Trust
Access Gate deploys alongside the existing network, agentless on the OT equipment and with no production downtime. It applies the four pillars of Zero Trust close to the resources, entirely on-premise.
Authentication
Establish the identity of every user and every system before any access: MFA, access screens, directory integration.
Control
Apply least privilege through explicit rules, between zones, per user and per protocol. Any unexpected flow is denied by default.
Proxy
Broker sessions through a proxy that enforces policy close to the resource, without installing anything on the equipment.
Audit
Log and record every session for a tamper-evident trail, directly usable in an audit.
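The PDP/PEP split from NIST SP 800-207, the zone-and-conduit view of the Purdue levels, and the four pillars above (authenticate, control by explicit per-user/per-zone/per-protocol rules with default deny, broker the session, audit it) can be shown in one small policy engine. This is an added illustration, not Access Gate's code; the zone names, the user, the rule and the timestamps are constructed.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Request:
    user: str
    src_zone: str         # Purdue level treated as a trust zone (IEC 62443 zone)
    dst_zone: str
    protocol: str         # per-protocol control: "modbus", "s7comm", "ssh", ...
    mfa_ok: bool          # identity signal
    device_managed: bool  # device signal
    now: int              # context signal (constructed epoch seconds)

@dataclass(frozen=True)
class Rule:
    user: str
    src_zone: str
    dst_zone: str
    protocol: str
    expires: int          # least privilege is granted for a limited time

# Constructed conduit rules: only the legitimate flow from the supervision zone
# to one PLC zone is opened, for one user, for one protocol, until one time.
RULES = (
    Rule("op.martin", "L3-supervision", "L1-plc-line-a", "modbus", expires=1_700_003_600),
)

AUDIT: list[str] = []  # session-level trail (a real PEP writes tamper-evident storage)

def decide(req: Request, rules=RULES) -> tuple[str, str]:
    """PDP: authenticate from the available signals, then match the request
    against explicit rules. Anything not explicitly allowed is denied."""
    if not (req.mfa_ok and req.device_managed):
        verdict = ("deny", "identity or device signal missing")
    else:
        key = (req.user, req.src_zone, req.dst_zone, req.protocol)
        match = next((r for r in rules
                      if (r.user, r.src_zone, r.dst_zone, r.protocol) == key), None)
        if match is None:
            verdict = ("deny", "no explicit rule: default deny")
        elif req.now > match.expires:
            verdict = ("deny", "grant expired")
        else:
            verdict = ("allow", "explicit rule matched")
    AUDIT.append(f"{req.now} {req.user} {req.src_zone}->{req.dst_zone}/{req.protocol} "
                 f"{verdict[0]}: {verdict[1]}")
    return verdict

class Session:
    """PEP: brokers the flow and re-evaluates it while open, so a changed
    signal (MFA lost, device no longer managed, grant expired) cuts it."""
    def __init__(self, req: Request):
        self.req, self.open = req, decide(req)[0] == "allow"

    def recheck(self, **changed) -> bool:
        self.req = replace(self.req, **changed)
        self.open = self.open and decide(self.req)[0] == "allow"
        return self.open
```

A flow from the enterprise zone, a second protocol on the same conduit, or an unknown user all fall into the default-deny branch; the session object is what makes verification continuous rather than a one-time check at connection time.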
Zero Trust architecture: the essentials
Explicit verification, least privilege, assume breach, on-premise
A Zero Trust architecture grants no trust to a user, a device or a flow on the sole basis of its position in the network. Every access is authenticated, restricted to least privilege and continuously verified. It rests on three pillars: identity, a least-privilege access policy and continuous verification.
The principles of Zero Trust (explicit verification, least privilege and assume breach) do not depend on the cloud. In an industrial environment, the decision point and the enforcement point stay on site, under the operator's control. This is a requirement for segmented or isolated networks, for data sovereignty and for production continuity without an internet link.
Defense in depth stacks layers of protection assuming none is perfect. Zero Trust does not replace it: it extends it by requiring verification at every layer, including inside the perimeter. The two approaches are complementary: Zero Trust fills the implicit trust that remains once the perimeter is crossed.
Zero Trust applies to OT by treating the Purdue levels as trust zones linked by controlled conduits (IEC 62443): every zone crossing becomes a verification point. Since many OT devices cannot run an agent, control is enforced on the network, without installing anything on the PLCs, HMIs or sensors.
The measures of NIS2 Article 21 (segmentation, access control and logging) match what a Zero Trust architecture puts in place. Designing your OT network along these principles is a direct path to NIS2 compliance.