A Systematic Literature Review on the Implementation and Challenges of Zero Trust Architecture Across Domains
Abstract
1. Introduction
2. Research Methodology
2.1. Selection Criteria
- The study must focus on Zero Trust Architecture or its direct implementation;
- It must provide an architectural, algorithmic, or framework-level insight;
- The paper must be peer-reviewed or an academically credible thesis;
- The paper must address at least one of the core cybersecurity dimensions (e.g., authentication, access control).
- Only mentioned ZTA without substantive implementation or analysis;
- Were non-peer-reviewed or lacked technical detail;
- Were opinion pieces, tutorials, or grey literature.
2.2. Review Framework and Classification
- Domain of application: IoT, Cloud, AI, Blockchain, Healthcare, Networks, etc.
- Type of contribution: conceptual model, implemented framework, architecture, etc.
- Security coverage: Assessed using nine critical cybersecurity dimensions:
  - Authentication
  - Authorization
  - Access Control
  - Cryptography
  - Security Gateway
  - Environmental Perception
  - Network Segmentation
  - Audit
- High relevance: directly addressed ZTA with technical implementation;
- Medium relevance: partially addressed ZTA or theoretical framework;
- Low relevance: mentioned ZTA without meaningful technical contribution.
2.3. Data Extraction and Citation Mapping
- Whether it addressed each cybersecurity dimension;
- What technologies and methodologies were used (e.g., Kubernetes, machine learning, service mesh, blockchain);
- Whether the implementation was tested, simulated, or purely conceptual;
- What gaps or limitations were explicitly identified.
2.4. Table Usage Across the Paper
- Section 4: During domain-specific discussions (e.g., IoT, Cloud, AI), where trends such as “missing cryptography” or “lack of orchestration” are highlighted with reference to specific rows in the table.
- Section 5: For a meta-level synthesis where dimensions are compared across domains, the table helps justify which components are under- or over-addressed.
3. Zero Trust Architecture: Concepts and Foundations
3.1. Evolution from Perimeter Security
3.2. NIST ZTA Principles
- All data sources and computing services are considered resources.
- All communication is secured regardless of network location.
- Access to individual resources is granted per session.
- Dynamic policies determine access decisions based on observable attributes.
- Continuous verification of the security posture of all assets.
- Strict identity verification before granting any access.
- Real-time environmental data collection to support adaptive decisions.
3.3. ZTA Core Components
3.4. ZTA and IoT: A Critical Nexus
- Massive scale (billions of interconnected devices);
- Heterogeneous architectures (varying OS, protocols, and capabilities);
- Limited resources (low power and processing capability);
- Open and untrusted environments (e.g., remote sensors or edge devices).
3.5. Comparison with Traditional Security Models
4. Literature Review by Domain
Sr No | Year | Paper Id | Applications | Authorization | Authentication | Access Control | Cryptography | Security Gateway | Environmental Perception | Network Segmentation | Audit |
---|---|---|---|---|---|---|---|---|---|---|---|
1 | 2024 | Safwa Ameer et al. [3] | IoT use cases | ✓ | ✓ | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ |
2 | 2024 | Shahad Al-Tamimi et al. [4] | IoT network security | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ |
3 | 2024 | Claudio Zanasi et al. [12] | Industrial IoT | ✓ | ✗ | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ |
4 | 2024 | Brennan Huber and Farah Kandah [13] | Scalable IoT environments | ✓ | ✓ | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ |
5 | 2024 | Zag ElSayed et al. [5] | Healthcare IoT | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ | ✓ | ✓ |
6 | 2025 | Mohammed A [8] | IoT + Blockchain | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ |
7 | 2024 | Nurun Nahar et al. [14] | 6G Networks | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ |
8 | 2025 | Asif Ali Laghari et al. [15] | IIoT | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ |
9 | 2025 | Muhammad Liman Gambo and Ahmad Almulhem [16] | Multiple | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ |
10 | 2025 | Shruti Kulkarni et al. [17] | Smart devices | ✓ | ✓ | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ |
11 | 2025 | Kai Li et al. [9] | IoT + FMs (AI) | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ |
12 | 2025 | Izhar Ahmed Khan et al. [6] | SDVs + IoT | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ | ✓ | ✓ |
13 | 2025 | Lorenzo Gigli et al. [18] | Blockchain + IoT | ✓ | ✓ | ✓ | ✗ | ✗ | ✓ | ✓ | ✓ |
14 | 2025 | Malek Al-Zewairi et al. [19] | IoT + Traditional | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
15 | 2025 | Wilson Leite Rebouças Filho [20] | Cybersecurity IAM | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ | ✓ |
16 | 2025 | Xiaokang Zhou et al. [21] | Next-gen network security | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✓ | ✗ |
17 | 2025 | Abdelmagid and Diaz [10] | Cyber risk mitigation for SMBs | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✓ | ✓ |
18 | 2021 | Linjiang Xie et al. [22] | Cloud | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ |
19 | 2020 | Annapurna P Patil et al. [11] | Blockchain | ✓ | ✓ | ✗ | ✓ | ✗ | ✓ | ✗ | ✗ |
20 | 2021 | Na Zhang et al. [23] | Cloud | ✓ | ✓ | ✓ | ✗ | ✗ | ✓ | ✓ | ✗ |
21 | 2022 | Dyan Eidle et al. [13] | Cloud | ✓ | ✓ | ✓ | ✗ | ✓ | ✗ | ✓ | ✗ |
22 | 2021 | Daniel D’Silva et al. [24] | Cloud | ✓ | ✓ | ✓ | ✗ | ✗ | ✓ | ✗ | ✓ |
23 | 2020 | Sam Daley [25] | Cloud | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✓ | ✗ |
24 | 2021 | Saima Mehraj et al. [26] | Cloud | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ |
25 | 2018 | Yang Tao et al. [27] | Big data | ✓ | ✓ | ✓ | ✗ | ✗ | ✓ | ✗ | ✓ |
26 | 2020 | Tao Chuan et al. [28] | Cloud | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
27 | 2021 | Yuan Gao et al. [29] | IoT | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
28 | 2019 | Malcolm Shore et al. [2] | Cloud IoT | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ |
29 | 2020 | Maliha Sultana et al. [30] | Cloud | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ | ✗ |
30 | 2023 | Jin Wang [31] | IoT | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
31 | 2021 | Anil G. [32] | Cloud IoT | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ |
32 | 2021 | Lampis Alevizos [33] | Cloud | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ |
33 | 2021 | Sudakshina Mandal [34] | Cloud | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ | ✓ | ✗ |
34 | 2023 | Yizhi Liu [35] | IoT | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ | ✗ |
35 | 2018 | John Flanigan [1] | Cloud | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
36 | 2021 | Thiago Melo Stucker do Amaral et al. [36] | Cyber Supply Chain | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ | ✗ |
37 | 2021 | Elisa Bertino et al. [37] | Cloud | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ | ✗ |
38 | 2020 | Matteo Pace [38] | Cloud | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ | ✗ |
39 | 2016 | Casimer DeCusatis et al. [39] | Cloud | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
40 | 2022 | Jim Baker et al. [40] | 5G Networks | ✗ | ✗ | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ |
41 | 2021 | Dr. Aniket Deshpande [41] | | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✓ | ✗ |
42 | 2020 | Thomas Lukaseder et al. [42] | Campus networks | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
43 | 2022 | Andrew Stern et al. [43] | Commercial System on Chip design | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
44 | 2021 | Gbenle [44] | Cloud, microservice architecture | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ |
45 | 2020 | Walid Rjaibi [45] | Cloud Database services | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ | ✗ | ✓ |
46 | 2022 | Keyvan Ramezanpour et al. [7] | Cloud | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ | ✓ | ✗ |
47 | 2022 | Charalampos Katsis et al. [46] | Cloud, webservices | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ |
48 | 2022 | Silafu Yiliyaer et al. [47] | Cloud | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ | ✗ |
49 | 2017 | Brian Lee et al. [48] | IoT | ✓ | ✓ | ✓ | ✗ | ✗ | ✓ | ✓ | ✗ |
50 | 2021 | Aniket Deshpande [49] | VANET | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
51 | 2022 | Eslam Samy Hosney et al. [50] | AI | ✗ | ✓ | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ |
52 | 2021 | Qiuqing Jin et al. [51] | network | ✓ | ✓ | ✓ | ✗ | ✗ | ✓ | ✗ | ✗ |
53 | 2021 | Xiaopeng Tian et al. [52] | Access control model | ✓ | ✓ | ✓ | ✗ | ✗ | ✓ | ✗ | ✗ |
54 | 2021 | Eric Dean et al. [53] | University environment | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ | ✗ | ✗ |
55 | 2022 | Othmane Hireche et al. [54] | Blockchain, AI | ✓ | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
56 | 2020 | Qiqui et al. [55] | Cloud | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ | ✗ | ✗ |
57 | 2023 | Jie Wang et al. [56] | Mobile network | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
58 | 2018 | Vivin Krishnan et al. [57] | Mobile, desktop, browser-based applications | ✗ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ✓ |
59 | 2021 | Dongyu Yang et al. [58] | UAV swarm (unmanned aerial vehicle) | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
60 | 2016 | Andreas Gutmann et al. [59] | Device authentication | ✗ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
61 | 2020 | Larry Nace et al. [60] | National Airspace System | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ | ✗ |
62 | 2021 | Chafika Benzaïd et al. [61] | 5G networks | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ | ✓ |
63 | 2021 | Geir M. Køien [62] | Industrial Control Systems | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ |
64 | 2022 | Yahuza Bello et al. [63] | Mobile Core Networks | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
65 | 2018 | Modderkolk et al. [64] | Enterprises | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
66 | 2021 | Ya Guang Wu [65] | Enterprise Network | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
67 | 2024 | Bruno Carneiro da Rocha et al. [66] | LAN networks (with IoT devices connected) | ✓ | ✓ | ✓ | ✗ | ✓ | ✗ | ✓ | ✗ |
68 | 2021 | Nakul Ghate et al. [67] | | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
69 | 2021 | Anita Nair [68] | Microsoft BeyondCorp | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ |
70 | 2021 | Kemal Bicakci et al. [69] | | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ |
71 | 2022 | Wengao Fang et al. [70] | iOS | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
72 | 2022 | Zhiwei Liu et al. [71] | Cloud | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✓ | ✓ |
73 | 2020 | Iftekhar Ahmed et al. [72] | Cloud | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
74 | 2023 | Xu Chen et al. [73] | IoT, 6G networks | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
4.1. Cloud Computing and ZTA
4.2. Internet of Things (IoT) and ZTA
4.2.1. Environmental Perception and Context-Aware ZTA
4.2.2. Trust Engines in Decentralized IoT Environments
4.2.3. Federated Learning and Edge Intelligence in ZTA-IoT
- Communication overhead for model synchronization;
- Security threats to gradient sharing (e.g., model inversion attacks);
- Lack of integration with orchestration and policy enforcement layers.
4.3. Healthcare Systems and ZTA
4.3.1. ZTA for Secure Patient Data and EHR Systems
- Lack network segmentation at the device or department level;
- Rely heavily on static roles rather than dynamic trust or context;
- Rarely integrate automated orchestration or real-time audit feedback loops.
4.3.2. IoT in Healthcare and Trust Enforcement
- Cryptographic techniques are rarely optimized for low-power medical IoT devices;
- Audit mechanisms are reactive, not proactive or predictive;
- Policy orchestration is often centralized, which hinders emergency responsiveness.
4.3.3. Compliance, Regulation, and Risk Management
- Immutable audit logs
- Granular session-level access
- Data usage monitoring
4.4. Artificial Intelligence (AI/ML) Systems and ZTA
4.4.1. ZTA to Secure AI/ML Environments
4.4.2. AI/ML as Enablers of ZTA
4.5. Blockchain and ZTA
4.5.1. Blockchain as a Trust Anchor in ZTA
4.5.2. Smart Contracts for Policy Enforcement
4.5.3. Challenges of Integrating Blockchain with ZTA
4.6. Industrial and Mobile Networks
4.6.1. ZTA in Smart Manufacturing and IIoT
- Interoperability with legacy systems is limited.
- Real-time orchestration is not consistently embedded.
- Audit logs are often stored off-chain or isolated.
4.6.2. ZTA in Mobile and 5G Networks
- Cryptographic key exchange is often insecure or missing.
- Environmental perception is shallow (e.g., no behavioral profiling).
- Audit capabilities are post hoc rather than real-time.
5. Cross-Domain Analysis and Research Gaps
5.1. Common Strengths Across Domains
5.2. Persistent Cross-Domain Limitations
5.3. Domain-Specific Priorities and Challenges
5.4. Gaps in Literature Survey (From Table 2)
- Orchestration
- Audit logging
- Environmental perception
6. Challenges and Research Gaps
6.1. Orchestration and Policy Management
6.2. Auditing and Accountability
6.3. Cryptographic Limitations
6.4. Scalability and Performance Trade-Offs
6.5. AI Transparency and Trust
6.6. Compliance and Regulatory Integration
6.7. Research Gaps and Future Outlook
- Scalable orchestration for heterogeneous environments.
- Lightweight cryptography tailored for IoT and industrial systems.
- Explainable AI trust engines for transparent decision-making.
- Cross-domain regulatory frameworks integrating technical and legal requirements.
7. Conclusions and Future Work
7.1. Research and Practical Roadmap
- For Researchers: Prioritize explainable AI (XAI) for trust engines, scalable orchestration frameworks, and energy-efficient cryptography for constrained devices.
- For Practitioners: Focus on deployable ZTAs that balance security with latency, cost, and interoperability, ensuring suitability for industrial and enterprise contexts.
- For Policymakers and Regulators: Promote regulatory integration by mandating auditability, lightweight cryptography, and compliance-aligned policy engines in ZTA standards.
7.2. Final Remarks
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Acknowledgments
Conflicts of Interest
References
1. Flanigan, J. Zero Trust Network Model; Tufts University: Medford, MA, USA, 2018.
2. Shore, M.; Zeadally, S.; Keshariya, A. Zero Trust: The What, How, Why, and When; IEEE: New York, NY, USA, 2021.
3. Ameer, S.; Lopamudra, P.; Sandhu, R.; Bhatt, S.; Gupta, M. ZTA-IoT: A Novel Architecture for Zero-Trust in IoT Systems and an Ensuing Usage Control Model. ACM Trans. Priv. Secur. 2024, 27, 1–36.
4. Al-Tamimi, S.; Al-Haija, Q.A.; Alrawashdeh, K. Zero-Trust Architecture for Securing Internet of Things (IoT) Networks: A Review. In Proceedings of the 2024 5th International Conference on Communications, Information, Electronic and Energy Systems (CIEES), Veliko Tarnovo, Bulgaria, 20–22 November 2024; pp. 1–6.
5. ElSayed, Z.; Elsayed, N.; Bay, S. A Novel Zero-Trust Machine Learning Green Architecture for Healthcare IoT Cybersecurity: Review, Analysis, and Implementation. SoutheastCon 2024, 2024, 686–692.
6. Khan, I.A.; Keshk, M.; Hussain, Y.; Pi, D.; Li, B.; Kousar, T.; Ali, B.S. A Context-Aware Zero Trust-Based Hybrid Approach to IoT-Based Self-Driving Vehicles Security. Ad Hoc Netw. 2024, 167, 103694.
7. Ramezanpour, K.; Jagannath, J. Intelligent Zero Trust Architecture for 5G/6G Networks: Principles, Challenges, and the Role of Machine Learning in the Context of O-RAN. Comput. Netw. 2022, 217, 109358.
8. Aleisa, M.A. Blockchain-Enabled Zero Trust Architecture for Privacy-Preserving Cybersecurity in IoT Environments. IEEE Access 2025, 13, 18660–18676.
9. Li, K.; Li, C.; Yuan, X.; Li, S.; Zou, S.; Ahmed, S.S.; Ni, W.; Niyato, D.; Jamalipour, A.; Dressler, F.; et al. Zero-Trust Foundation Models: A New Paradigm for Secure and Collaborative Artificial Intelligence for Internet of Things. Available online: https://arxiv.org/abs/2505.23792 (accessed on 30 July 2025).
10. Abdelmagid, A.M.; Diaz, R. Zero Trust Architecture as a Risk Countermeasure in Small–Medium Enterprises and Advanced Technology Systems. In Risk Analysis; Wiley: Hoboken, NJ, USA, 2025; Online.
11. Patil, A.P.; Karkal, G.; Wadhwa, J.; Sawood, M.; Dhanush Reddy, K. Design and Implementation of a Consensus Algorithm to Build Zero Trust Model. In Proceedings of the 2020 IEEE 17th India Council International Conference (INDICON), New Delhi, India, 10–13 December 2020; pp. 1–5.
12. Zanasi, C.; Russo, S.; Colajanni, M. Flexible Zero Trust Architecture for the Cybersecurity of Industrial IoT Infrastructures. Ad Hoc Netw. 2024, 156, 103414.
13. Huber, B.; Kandah, F. Zero Trust+: A Trusted-Based Zero Trust Architecture for IoT at Scale. In Proceedings of the 2024 IEEE International Conference on Consumer Electronics (ICCE), Las Vegas, NV, USA, 6–8 January 2024.
14. Nahar, N.; Andersson, K.; Schelén, O.; Saguna, S. A Survey on Zero Trust Architecture: Applications and Challenges of 6G Networks. IEEE Access 2024, 12, 94753–94764.
15. Laghari, A.A.; Khan, A.A.; Ksibi, A.; Hajjej, F.; Kryvinska, N.; Almadhor, A.; Mohamed, M.A.; Alsubai, S. A Novel and Secure Artificial Intelligence Enabled Zero Trust Intrusion Detection in Industrial Internet of Things Architecture. Sci. Rep. 2025, 15, 26843.
16. Gambo, M.L.; Almulhem, A. Zero Trust Architecture: A Systematic Literature Review. Available online: https://arxiv.org/abs/2503.11659 (accessed on 30 July 2025).
17. Kulkarni, S.; Mylonas, A.; Vidalis, S. Using the Zero Trust Five-Step Implementation Process with Smart Environments: State-of-The-Art Review and Future Directions. Future Internet 2025, 17, 313.
18. Gigli, L.; Zyrianoff, I.; Montori, F.; Sciullo, L.; Kamienski, C.; Felice, M.D. ZONIA: A Zero-Trust Oracle System for Blockchain IoT Applications. IEEE Internet Things J. 2025, 2025, 1.
19. Al-Zewairi, M.; Almajali, S.; Ayyash, M.; Rahouti, M.; Martinez, F.; Quadar, N. Multi-Stage Enhanced Zero Trust Intrusion Detection System for Unknown Attack Detection in Internet of Things and Traditional Networks. ACM Trans. Priv. Secur. 2025, 28, 30.
20. Leite, W. The Role of Zero Trust Architecture in Modern Cybersecurity: Integration with IAM and Emerging Technologies. Braz. J. Dev. 2025, 11, e76836.
21. Zhou, X.; Liang, W.; Wang, K.I.-K.; Yada, K.; Yang, L.T.; Ma, J.; Jin, Q. Decentralized Federated Graph Learning with Lightweight Zero Trust Architecture for Next-Generation Networking Security. IEEE J. Sel. Areas Commun. 2025, 43, 1908–1922.
22. Xie, L.; Hang, F.; Guo, W.; Lv, Y.; Chen, H. A Micro-Segmentation Protection Scheme Based on Zero Trust Architecture. Available online: https://ieeexplore.ieee.org/abstract/document/9738894 (accessed on 25 June 2025).
23. Zhang, N.; Wang, T.; Ji, J. Analysis of the U.S. Military’s Tactical Cloud Application Based on Zero Trust. Available online: https://ieeexplore.ieee.org/abstract/document/9736734 (accessed on 25 July 2025).
24. Silva, D.; Ambawade, D. Building a Zero Trust Architecture Using Kubernetes. In Proceedings of the 2021 6th International Conference for Convergence in Technology (i2ct), Maharashtra, India, 2–4 April 2021.
25. Daley, S. Evaluation of Zero Trust Framework for Remote Working Environments. Cybersecur. J. 2022, 12, 3.
26. Mehraj, S.; Tariq Banday, M. Establishing a Zero Trust Strategy in Cloud Computing Environment. In Proceedings of the 2020 International Conference on Computer Communication and Informatics (ICCCI), Coimbatore, India, 22–24 January 2020.
27. Tao, Y.; Lei, Z.; Ruxiang, P. Fine-Grained Big Data Security Method Based on Zero Trust Model. In Proceedings of the 2018 IEEE 24th International Conference on Parallel and Distributed Systems (ICPADS), Singapore, 11–13 December 2018.
28. Chuan, T.; Lv, Y.; Qi, Z.; Xie, L.; Guo, W. An Implementation Method of Zero-Trust Architecture. J. Phys. Conf. Ser. 2020, 1651, 012010.
29. Gao, Y.; Lou, X. Operational Security Analysis and Challenge for IoT Solutions. In Informatik; Wissenschaftszentrum Bonn: Bonn, Germany, 2021.
30. Sultana, M.; Hossain, A.; Laila, F.; Taher, K.A.; Islam, M.N. Towards Developing a Secure Medical Image Sharing System Based on Zero Trust Principles and Blockchain Technology. BMC Med. Inform. Decis. Mak. 2020, 20, 256.
31. Wang, J.; Chen, J.; Xiong, N.; Alfarraj, O.; Tolba, A.; Ren, Y. S-BDS: An Effective Blockchain-Based Data Storage Scheme in Zero-Trust IoT. ACM Trans. Internet Technol. 2023, 23, 1–23.
32. Anil, G. (Ed.) A Zero-Trust Security Framework for Granular Insight on Blind Spot and Comprehensive Device Protection in the Enterprise of Internet of Things (E-IOT); BMS Institute of Technology: Karnataka, India, 2021.
33. Alevizos, L.; Ta, V.T.; Hashem Eiza, M. Augmenting Zero Trust Architecture to Endpoints Using Blockchain: A State-Of-The-Art Review. Secur. Priv. 2021, 5, e191.
34. Mandal, S.; Khan, D.A.; Jain, S. Cloud-Based Zero Trust Access Control Policy: An Approach to Support Work-From-Home Driven by COVID-19 Pandemic. New Gener. Comput. 2021, 39, 599–622.
35. Liu, Y.; Hao, X.; Ren, W.; Xiong, R.; Zhu, T.; Choo, K.-K.R.; Min, G. A Blockchain-Based Decentralized, Fair and Authenticated Information Sharing Scheme in Zero Trust Internet-of-Things. IEEE Trans. Comput. 2023, 72, 501–512.
36. Do Amaral, T.M.S.; Gondim, J.J.C. Integrating Zero Trust in the Cyber Supply Chain Security. In Proceedings of the 2021 Workshop on Communication Networks and Power Systems (WCNPS), Brasília, Brazil, 18–19 November 2021; pp. 1–6.
37. Bertino, E.; Brancik, K. Services for Zero Trust Architectures—A Research Roadmap. In Proceedings of the 2021 IEEE International Conference on Web Services (ICWS), Chicago, IL, USA, 5–10 September 2021.
38. Pace, M. Zero Trust Networks with Istio—Webthesis. Polito.it. 2021. Available online: https://webthesis.biblio.polito.it/secure/21170/1/tesi.pdf (accessed on 17 July 2025).
39. DeCusatis, C.; Liengtiraphan, P.; Sager, A.; Pinelli, M. Implementing Zero Trust Cloud Networks with Transport Access Control and First Packet Authentication. In Proceedings of the 2016 IEEE International Conference on Smart Cloud (SmartCloud), New York, NY, USA, 18–20 November 2016.
40. Baker, J.; Waldron, K. 5G and Zero Trust Networks; R Street Institute: Washington, DC, USA, 2020; Available online: https://www.jstor.org/stable/resrep27016 (accessed on 25 March 2025).
41. Deshpande, D.A. Relevance of Zero Trust Network Architecture Amidts and It’s Rapid Adoption Amidts Work from Home Enforced by COVID-19. Psychol. Educ. J. 2021, 58, 5672–5677.
42. Lukaseder, T.; Halter, M.; Kargl, F. Context-Based Access Control and Trust Scores in Zero Trust Campus Networks. In Sicherheit; Gesellschaft für Informatik: Bonn, Germany, 2020.
43. Stern, A.; Wang, H.; Rahman, F.; Farahmandi, F.; Tehranipoor, M. ACED-IT: Assuring Confidential Electronic Design against Insider Threats in a Zero-Trust Environment. IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst. 2022, 41, 3202–3215.
44. Gbenle, T.P.; Abayomi, A.A.; Uzoka, A.C.; Ogeawuchi, J.C.; Adanigbo, O.S.; Odofin, O.T. Applying OAuth2 and JWT Protocols in Securing Distributed API Gateways: Best Practices and Case Review. Int. J. Multidiscip. Res. Growth Eval. 2022, 3, 628–634.
45. Rjaibi, W. Enhanced Encryption and Fine-Grained Authorization for Database Systems. Ph.D. Thesis, Manchester Metropolitan University, Manchester, UK, 2020. Available online: https://e-space.mmu.ac.uk/626253/ (accessed on 24 March 2025).
46. Katsis, C.; Cicala, F.; Thomsen, D.; Ringo, N.; Bertino, E. NEUTRON: A Graph-Based Pipeline for Zero-Trust Network Architectures. In Proceedings of the Twelfth ACM Conference on Data and Application Security and Privacy, Baltimore, WA, USA, 24–27 April 2022; pp. 167–178.
47. Yiliyaer, S.; Kim, Y. Secure Access Service Edge: A Zero Trust Based Framework for Accessing Data Securely. In Proceedings of the 2022 IEEE 12th Annual Computing and Communication Workshop and Conference (CCWC), Las Vegas, NV, USA, 26–29 January 2022; pp. 0586–0591.
48. Lee, B.; Vanickis, R.; Rogelio, F.; Jacob, P. Situational Awareness Based Risk-Adaptable Access Control in Enterprise Networks. arXiv 2017, arXiv:17109696.
49. Deshpande, A. High Performance Zero Trust Secure Vehicular Network for Autonomous Vehicles. Des. Eng. 2021, 2021, 99–107.
50. Hosney, E.S.; Halim, I.T.A.; Yousef, A.H. An Artificial Intelligence Approach for Deploying Zero Trust Architecture (ZTA). In Proceedings of the 2022 5th International Conference on Computing and Informatics (ICCI), New Cairo, Egypt, 9–10 March 2022; pp. 343–350.
51. Jin, Q.; Wang, L. Zero-Trust Based Distributed Collaborative Dynamic Access Control Scheme with Deep Multi-Agent Reinforcement Learning. ICST Trans. Secur. Saf. 2021, 8, 170246.
52. Tian, X.; Song, H. A Zero Trust Method Based on BLP and BIBA Model. Available online: https://ieeexplore.ieee.org/abstract/document/9679285 (accessed on 23 March 2025).
53. Dean, E.; Fonyi, S.; Morrell, C.; Lanham, M. Toward a Zero Trust Architecture Implementation in a University Environment. Cyber Def. Rev. 2021, 6, 37–48.
54. Hireche, O.; Benzaïd, C.; Taleb, T. Deep Data Plane Programming and AI for Zero-Trust Self-Driven Networking in beyond 5G. Comput. Netw. 2022, 203, 108668.
55. Yao, Q.; Wang, Q.; Zhang, X.; Fei, J. Dynamic Access Control and Authorization System Based on Zero-Trust Architecture. In Proceedings of the 2020 International Conference on Control, Robotics and Intelligent System, Xiamen, China, 27–29 October 2020; pp. 123–127.
56. Wang, J.; Wang, J.; Li, J.; Fu, K.; Qin, Z. Trusted Identity Access Authentication Based on Spa Single Packet Authentication Technology. In Proceedings of the International Conference on Big Data Analytics for Cyber-Physical System in Smart City, Bangkok, Thailand, 16–17 December 2022; pp. 646–654.
57. Krishnan, V. Zero Trust-Based Adaptive Authentication Using Composite Attribute Set. In Proceedings of the IEEE 3rd PhD Colloquium on Ethically Driven Innovation and Technology for Society (PhD EDITS), Bangalore, India, 13 November 2021.
58. Yang, D.; Zhao, Y.; Wu, K.; Guo, X.; Peng, H. An Efficient Authentication Scheme Based on Zero Trust for UAV Swarm. In Proceedings of the 2021 International Conference on Networking and Network Applications (NaNA), Lijiang, China, 29 October–1 November 2021; pp. 356–360.
59. Gutmann, A.; Renaud, K.; Maguire, J.; Mayer, P.; Volkamer, M.; Matsuura, K.; Muller-Quade, J. ZeTA-Zero-Trust Authentication: Relying on Innate Human Ability, Not Technology. In Proceedings of the 2016 IEEE European Symposium on Security and Privacy (EuroS&P), Salzburg, Germany, 21–24 March 2016.
60. Nace, L. Securing trajectory based operations through a zero trust framework in the NAS. In Proceedings of the 2020 Integrated Communications Navigation and Surveillance Conference (ICNS), Herndon, VA, USA, 8–10 September 2020.
61. Benzaid, C.; Taleb, T.; Farooqi, M.Z. Trust in 5G and beyond Networks. IEEE Netw. 2021, 35, 212–222.
62. Køien, G.M. Zero-Trust Principles for Legacy Components. Wirel. Pers. Commun. 2021, 121, 1169–1186.
63. Bello, Y.; Hussein, A.R.; Ulema, M.; Koilpillai, J. On Sustained Zero Trust Conceptualization Security for Mobile Core Networks in 5G and Beyond. IEEE Trans. Netw. Serv. Manag. 2022, 19, 1876–1889.
64. Modderkolk, M.G. Zero Trust Maturity Matters: Modeling Cyber Security Focus Areas and Maturity Levels in the Zero Trust Principle. Available online: https://studenttheses.uu.nl/handle/20.500.12932/29189 (accessed on 7 July 2025).
65. Wu, Y.G.; Yan, W.H.; Wang, J.Z. Real Identity Based Access Control Technology Under Zero Trust Architecture. 2021. Available online: https://ieeexplore.ieee.org/abstract/document/9616576/ (accessed on 3 June 2025).
66. Da Rocha, B.C.; de Melo, L.P.; de Sousa, R.T. Preventing APT Attacks on LAN Networks with Connected IoT Devices Using a Zero Trust Based Security Model. Available online: https://ieeexplore.ieee.org/abstract/document/9626270/ (accessed on 8 March 2024).
67. Ghate, N.; Ueda, H. Advanced Zero Trust Architecture for Automating Fine-Grained Access Control with Generalized Attribute Relation Extraction. In IEICE Proceedings Series; IEICE: Tokyo, Japan, 2021.
68. Nair, A. The Why and How of Adopting Zero Trust Model in Organizations. 2021. Available online: https://www.techrxiv.org/doi/full/10.36227/techrxiv.14184671.v1 (accessed on 18 March 2025).
69. Bicakci, K.; Uzunay, Y.; Khan, M. Towards Zero Trust: The Design and Implementation of a Secure End-Point Device for Remote Working. In Proceedings of the 2021 International Conference on Information Security and Cryptology (ISCTURKEY), Ankara, Turkey, 2–3 December 2021.
70. Fang, W.; Guan, X. Research on IOS Remote Security Access Technology Based on Zero Trust. In Proceedings of the 2022 IEEE 6th Information Technology and Mechatronics Engineering Conference (ITOEC), Chongqing, China, 4–6 March 2022.
71. Liu, Z.; Li, X.; Mu, D. Data-Driven Zero Trust Key Algorithm. Wirel. Commun. Mob. Comput. 2022, 2022, 8659428.
72. Ahmed, I.; Nahar, T.; Urmi, S.S.; Taher, K.A. Protection of Sensitive Data in Zero Trust Model. In Proceedings of the International Conference on Computing Advancements, Dhaka, Bangladesh, 17–18 October 2024.
73. Chen, X.; Feng, W.; Ge, N.; Zhang, Y. Zero Trust Architecture for 6G Security. IEEE Netw. 2023, 38, 224–232.
74. Eidle, D.; Ni, S.; Decusatis, C.; Sager, A. Autonomic Security for Zero Trust Networks. In Proceedings of the 2017 IEEE 8th Annual Ubiquitous Computing, Electronics and Mobile Communication Conference (UEMCON), New York, NY, USA, 19–21 October 2017.

Feature | Traditional Perimeter Security | Zero Trust Architecture |
---|---|---|
Trust Model | Trust once inside network | Never trust, always verify |
Access Control | Static, network-level | Dynamic, context-based |
Segmentation | Flat or macro-segmented | Micro-segmentation |
Threat Focus | External attacks | Insider and lateral threats |
Device Awareness | Minimal | Continuous and context-aware |
IoT Compatibility | Weak | Adaptive and decentralized |

Role of AI/ML in ZTA | Description | Key Studies | ZTA Dimensions Impacted | Limitations |
---|---|---|---|---|
1. Behavioral Anomaly Detection | ML models analyze user/device behavior to detect anomalies in access patterns, signaling potential threats. | Zag ElSayed et al. [5], Xing et al. [21] | Authentication, Authorization, Audit | High false positives; limited context awareness |
2. Trust Score Computation | AI/ML assigns dynamic trust levels to users/devices based on historical and contextual data. | Ahmad Almomani et al. [14], Abbas et al. [20] | Access Control, Environmental Perception | Static models may not adapt well; trust decay logic is often missing |
3. Risk-Adaptive Access Control | Access decisions adapt based on risk predictions using AI models (e.g., adaptive MFA or session expiry). | Abbas et al. [20], Xing et al. [21] | Access Control, Orchestration | Requires constant retraining; risk models may be biased |
4. Federated Learning for Threat Prediction | FL allows distributed ZTA systems to train threat detection models without sharing raw data. | Zhang et al. [16], Rahman et al. [17] | Cryptography, Orchestration | FL vulnerable to gradient poisoning; synchronization delays |
5. Policy Adjustment Automation | AI models adjust ZTA policies dynamically, based on system behavior and network context. | Rakhshani et al. [19], Tao et al. [8] | Orchestration, Audit | Lack of explainability; may conflict with static compliance rules |
6. ML-Enhanced Identity Verification | Biometric and behavioral features are analyzed using ML to verify identity under Zero Trust. | Zag ElSayed et al. [5] | Authentication, Environmental Perception | Privacy issues; model spoofing risk |

Domain | Key Focus Areas | Strengths (✓) | Common Limitations (✗) | Representative Studies |
---|---|---|---|---|
Cloud Computing | Microservices, containerization, remote access | ✓ Access control ✓ Identity verification ✓ Network segmentation | ✗ Limited orchestration ✗ Weak auditing ✗ Environmental perception often missing | D’Silva et al. [24], Liu et al. [71], Zhang et al. [23] |
Internet of Things (IoT) | Scalability, resource constraints, edge computing | ✓ Dynamic trust engines ✓ Context-aware access ✓ Network segmentation | ✗ Weak cryptography ✗ Rare use of orchestration ✗ Minimal auditing | Ameer et al. [3], Huber & Kandah [13], Tao et al. [8] |
Healthcare Systems | EHRs, medical IoT, compliance | ✓ Secure remote access ✓ ML-based detection ✓ Attribute-based access control | ✗ Poor device-level segmentation ✗ Limited cryptographic adaptation ✗ Manual orchestration | Alshaikh et al. [62], ElSayed et al. [5] |
AI/ML Systems | Model protection, dynamic policy, autonomous decisions | ✓ Behavioral monitoring ✓ Risk-adaptive access ✓ Identity validation | ✗ Lacks explainability ✗ Vulnerable models ✗ Missing lifecycle audits | Abbas et al. [20], Rakhshani et al. [19], Xing et al. [21] |
Blockchain-based Systems | Decentralized policy enforcement, trust anchors | ✓ Tamper-proof logs ✓ Smart contract enforcement ✓ Identity immutability | ✗ High latency ✗ Off-chain dependency ✗ Privacy trade-offs | Gigli et al. [18], Wu et al. [10] |
Industrial and Mobile Networks | Real-time processing, device mobility, automation | ✓ Strong segmentation ✓ Access enforcement at edge ✓ Trust propagation | ✗ Low orchestration ✗ Legacy system integration ✗ Limited environmental modeling | Xing et al. [21], Fang et al. [10], Jing et al. [15] |

Domain | Strengths | Weaknesses/Challenges |
---|---|---|
IoT | - Lightweight adaptations for constrained devices - Score-based and context-aware access - Integration with ML for anomaly detection | - Limited cryptographic support for low-power devices - Scalability issues - Lack of orchestration across heterogeneous nodes |
Cloud Computing | - Strong integration with identity and access management (IAM) - Effective use of micro-segmentation - Mature vendor support | - Policy configuration complexity - Performance overhead - Vendor lock-in concerns |
Healthcare | - Context-aware trust models for sensitive data - ML-based threat detection - Support for emergency access scenarios | - Compliance integration (HIPAA, GDPR) still superficial - Interoperability across systems - Privacy-preserving cryptography underexplored |
Industrial/Mobile | - Granular access for OT and mobile workers - Resilience against insider threats - Use of edge gateways for ZTA enforcement | - High latency in real-time industrial settings - Limited support for legacy systems - Resource-intensive enforcement mechanisms |
Artificial Intelligence (AI) | - Supports dynamic trust evaluation - Anomaly detection with ML/FL - Adaptive security decisions | - Black-box trust scoring reduces transparency - Explainability of AI-driven engines underdeveloped - Risk of adversarial ML attacks |
Blockchain | - Immutable audit trails - Decentralized identity and access management - Strong non-repudiation guarantees | - Scalability issues with consensus protocols - Integration with real-time ZTA enforcement - High energy/resource costs |

Category | Observed Limitation |
---|---|
Orchestration | Few systems implement automated and dynamic orchestration of access decisions. Many rely on human administrators or static scripts [17,71]. |
Auditing and Logging | Real-time and proactive audit mechanisms are underdeveloped. Audit trails, when present, are mostly passive and post-incident [10,18]. |
Environmental Perception | Only a minority of ZTA models incorporate device state, behavior, or location awareness as factors in trust evaluation [8,56]. |
Cryptographic Adaptation | Resource-constrained environments like IoT and mobile networks often lack optimized cryptographic protocols, weakening confidentiality and integrity [3,73]. |
Compliance Mapping | Few models explicitly address compliance with GDPR, HIPAA, or NIST SP 800-207, limiting their readiness for regulated environments [34,62]. |

Domain | Specific Challenges |
---|---|
Cloud | Need for orchestration of microservice interactions and deeper auditing for compliance. |
IoT | Lightweight cryptography, distributed orchestration, and device-level trust enforcement are needed. |
Healthcare | Requires low-latency ZTA with formal compliance and real-time ML-based detection. |
AI/ML Systems | Protection of models from poisoning/inversion and ensuring explainability of access decisions. |
Blockchain | Scalability, smart contract security, and privacy-preserving mechanisms for audit and access. |
Industrial/Mobile | Integration with legacy systems, real-time orchestration at the edge, and secure handoff protocols. |

© 2025 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Mushtaq, S.; Mohsin, M.; Mushtaq, M.M. A Systematic Literature Review on the Implementation and Challenges of Zero Trust Architecture Across Domains. Sensors 2025, 25, 6118. https://doi.org/10.3390/s25196118