
Zero Trust Architecture — never trust, always verify

Primary statement

Zero Trust Architecture per RBI CSF PR.23 (Maturity Level 4) for sensitive access: payment systems, customer data, privileged operations. SEBI CSCRF PR.7 + RBI CSF PR.3 privileged access management with just-in-time, session recording, approval workflows. NIST CSF PR.AA-05 least privilege + separation of duties. CSA IAM-07 third-party cloud access management. Zero Trust is the architectural ceiling for sensitive access governance.

Audit-fatigue payoff

A unified Zero Trust deployment — identity-based authorisation + PAM + JIT + session recording + third-party scoping — satisfies zero-trust requirements across all 6 contributing frameworks. RBI PR.23 + SEBI PR.7 form the audit-defensible specification.

Strictness matrix

Scope
Scope: zero trust for sensitive access — payment systems, customer data systems, privileged operations. Identity-based authorisation, micro-segmentation, continuous verification.
Ceiling source: rbi_csf:RBI.PR.23
Rationale: RBI CSF PR.23 specifies the most enumerated zero-trust scope.

Threshold
Threshold: privileged access through PAM with just-in-time (no standing privileges where possible) + session recording + approval workflow. JIT is the binary threshold separating zero-trust from legacy PAM.
Ceiling source: rbi_csf:RBI.PR.3
Rationale: RBI CSF PR.3 JIT is the binary zero-trust threshold for privileged access.

Method
Method: identity-based connection authorisation + micro-segmentation + continuous verification + PAM with JIT (RBI PR.3 + SEBI PR.7) + session recording + approval workflow + third-party cloud access scoping (CSA IAM-07) + least privilege + segregation of duties (NIST PR.AA-05).
Ceiling source: rbi_csf:RBI.PR.23
Rationale: RBI PR.23 + RBI PR.3 + SEBI PR.7 + CSA IAM-07 combined form the most prescriptive method.

Frequency
Frequency: identity verification: continuous (per request). JIT elevation: per access event. PAM session review: weekly minimum. Zero-trust posture review: annual.
Ceiling source: rbi_csf:RBI.PR.23
Rationale: Continuous identity verification with per-event JIT is the audit-defensible cadence.

Evidence
Evidence: zero-trust architecture document + PAM deployment + JIT enforcement evidence + session recordings + approval workflow logs + third-party scoping records + identity-based authorisation policies.
Ceiling source: rbi_csf:RBI.PR.23
Rationale: RBI CSF PR.23 evidence with JIT + session recording is uniquely strict.

Auditor test pattern

Step 1: Inspect zero-trust architecture document.
Step 2: Verify PAM deployment with JIT.
Step 3: Sample 3 privileged sessions; verify session recording.
Step 4: Verify approval workflow operational.
Step 5: For third-party cloud access, verify time-limited + scope-limited.

Common findings

Common findings:
(1) Zero trust in policy, not in deployment;
(2) PAM deployed but standing privileges remain;
(3) JIT theoretical — admins use break-glass;
(4) Session recording absent;
(5) Third-party access permanent, not time-limited.
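Findings (2) to (5) above can be tested mechanically against a PAM grant export rather than by sampling alone. The following is an added example, not part of this synthesis or of any framework text; the grant-record fields, the 8-hour JIT window and the break-glass limit are assumptions chosen for illustration.

```python
"""Check constructed privileged-access grant records against the zero-trust threshold:
JIT (time-bound), approved, session-recorded, and third-party access scoped."""
from datetime import datetime, timedelta


def _ts(s):
    """Parse a UTC ISO-8601 timestamp such as 2024-05-01T09:00:00Z (None stays None)."""
    return None if s is None else datetime.fromisoformat(s.replace("Z", "+00:00"))


def grant(gid, principal, kind, granted, expires, approved_by="bob",
          recorded=True, third_party=False, scope=("payments-db",)):
    """Build one grant record in the assumed (hypothetical) PAM export format."""
    return dict(id=gid, principal=principal, kind=kind, granted=granted, expires=expires,
                approved_by=approved_by, recorded=recorded, third_party=third_party,
                scope=list(scope))


# Constructed sample export (not real data): one clean JIT grant, one standing admin,
# repeated break-glass use, a permanent wildcard vendor grant, and an unrecorded session.
SAMPLE_GRANTS = [
    grant("g1", "alice", "jit", "2024-05-01T09:00:00Z", "2024-05-01T11:00:00Z"),
    grant("g2", "carol", "standing", "2023-01-01T00:00:00Z", None, approved_by=None, scope=("*",)),
    grant("g3", "dave", "break-glass", "2024-05-02T01:00:00Z", "2024-05-02T02:00:00Z"),
    grant("g4", "dave", "break-glass", "2024-05-03T01:00:00Z", "2024-05-03T02:00:00Z"),
    grant("g5", "dave", "break-glass", "2024-05-04T01:00:00Z", "2024-05-04T02:00:00Z"),
    grant("g6", "vendor-svc", "jit", "2024-05-01T00:00:00Z", None, third_party=True, scope=("*",)),
    grant("g7", "erin", "jit", "2024-05-05T10:00:00Z", "2024-05-05T12:00:00Z", recorded=False),
]


def audit_grants(grants, max_jit_hours=8, break_glass_limit=2):
    """Return finding name -> grant ids that trigger it (findings (2)-(5) of the page)."""
    findings = {"standing_privileges": [],       # (2): no expiry, or window longer than JIT limit
                "break_glass_as_routine": [],    # (3): one principal repeatedly bypassing JIT
                "approval_missing": [],          # approval workflow not evidenced on the grant
                "session_recording_absent": [],  # (4)
                "third_party_unscoped": []}      # (5): permanent or wildcard third-party access
    break_glass = {}  # principal -> break-glass grant ids
    for g in grants:
        granted, expires = _ts(g["granted"]), _ts(g["expires"])
        if g["kind"] == "break-glass":
            break_glass.setdefault(g["principal"], []).append(g["id"])
        else:  # jit and standing grants must be time-bound and approved
            if expires is None or expires - granted > timedelta(hours=max_jit_hours):
                findings["standing_privileges"].append(g["id"])
            if not g.get("approved_by"):
                findings["approval_missing"].append(g["id"])
        if not g.get("recorded"):
            findings["session_recording_absent"].append(g["id"])
        if g.get("third_party") and (expires is None or "*" in g.get("scope", [])):
            findings["third_party_unscoped"].append(g["id"])
    for ids in break_glass.values():  # occasional break-glass is expected; routine use is not
        if len(ids) > break_glass_limit:
            findings["break_glass_as_routine"].extend(ids)
    return findings
```

Running `audit_grants(SAMPLE_GRANTS)` flags g2 and g6 as standing, g3 to g5 as routine break-glass, g2 as unapproved, g7 as unrecorded and g6 as unscoped third-party access; only g1 meets the threshold.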