Research proposal
Evaluating the Effectiveness of Zero-Trust Architecture (ZTA) in Enterprise Networks
CET351 Research - Project Plan
<Student’s Name>
<Student’s Registration Number>
<The name of the degree you are studying>
< Centre (if off campus)>
<Title of Proposed Project>
Word count <number of words>
1) Justification of the Research Proposed
Background and Context
Enterprise network security has traditionally relied on perimeter-based models, such as firewalls
and VPNs, that assume the internal network is inherently trustworthy. However, with the rise of
hybrid cloud adoption, remote work, SaaS applications, and increasingly sophisticated
cyber-attacks, this assumption is no longer valid. Once an attacker breaches the perimeter, they
can often move laterally within networks, escalating privileges and compromising sensitive
systems. This has led to devastating incidents of ransomware, insider threats, and advanced
persistent threats (APTs) (Rose et al., 2020).
Zero-Trust Architecture (ZTA) shifts security away from perimeter defense to continuous
verification: never trust, always verify. It requires all access requests to be authenticated,
authorized, and continuously validated regardless of where they originate. Key principles include
enforcing least privilege, monitoring all traffic, and micro-segmenting networks to minimize
lateral movement opportunities (Kindervag, 2010).
Governments and industry bodies have pushed strongly for Zero Trust adoption. The U.S. federal
government mandated agencies to transition toward ZTA by 2024 (OMB M-22-09), while the
Cybersecurity and Infrastructure Security Agency (CISA) released its Zero Trust Maturity Model
(ZTMM) to guide organizations across identity, devices, networks, applications, and data (CISA,
2023). The UK’s National Cyber Security Centre (NCSC) has also defined practical principles
for Zero Trust deployment.
Despite these frameworks, there is limited empirical research evaluating ZTA’s effectiveness in
real-world enterprise networks. Many studies describe ZTA conceptually but do not quantify
outcomes such as reduced lateral movement, minimized attack surface, or improved mean time
to detect/respond (MTTD/MTTR). There is also insufficient evidence regarding trade-offs, e.g.
whether micro-segmentation hinders performance.
Problem Statement
While ZTA is widely promoted, enterprises lack systematic, evidence-driven evaluation
frameworks to measure how effectively ZTA reduces risks compared to traditional models.
Vendors claim benefits, but scientific research quantifying those outcomes remains sparse. There
is a pressing need to:
Measure ZTA’s actual impact on security outcomes in enterprise contexts.
Compare baseline (perimeter trust) models against ZTA-enabled designs.
Identify trade-offs (performance, complexity, usability).
Rationale and Significance
This research is significant because it seeks to operationalize Zero Trust into measurable
outcomes, helping enterprises make informed decisions. Contributions will:
Provide evidence-driven metrics for evaluating ZTA effectiveness.
Bridge the gap between theoretical models and practical implementation.
Offer insights into trade-offs, enabling organizations to prioritize investments.
Align with widely recognized frameworks (NIST SP 800-207, CISA ZTMM, NCSC
principles).
Literature Positioning
Kindervag (2010) introduced the Zero Trust model.
NIST SP 800-207 (Rose et al., 2020) formalized ZTA principles.
CISA (2023) Zero Trust Maturity Model provides practical adoption stages.
Recent surveys review challenges in deploying ZTA in hybrid environments but highlight
a gap in quantifying effectiveness.
2) Project Aim:
The aim of this project is to evaluate the effectiveness of Zero-Trust Architecture in enterprise
networks by systematically analyzing its impact on security outcomes such as lateral-movement
resistance, incident-response efficiency, and asset exposure reduction compared with traditional
perimeter-based models.
3) Project Objectives
1. Conduct a systematic literature review on Zero-Trust principles, frameworks, and prior
evaluations.
2. Identify measurable security outcomes relevant to enterprise networks (e.g., blast radius,
MTTD/MTTR, privilege escalation probability).
3. Develop an evaluation framework to compare baseline (perimeter trust) vs. ZTA models.
4. Simulate enterprise scenarios (hybrid cloud, on-premises, remote access) and apply ZTA
controls such as MFA and micro-segmentation.
5. Analyze the effectiveness of ZTA controls in reducing risks like lateral movement and
unauthorized access.
4) Contributions
This research will contribute:
A practical evaluation framework to measure ZTA effectiveness using reproducible
metrics.
Empirical analysis of ZTA’s security benefits vs. traditional perimeter defenses.
Guidelines for practitioners on prioritizing ZTA controls based on trade-offs.
Academic contribution by extending the literature with comparative data and measurable
outcomes.
5) Scientific Justification:
This project is rooted in rigorous scientific principles:
Hypothesis: Implementing Zero-Trust controls significantly reduces attack surface
and lateral movement opportunities compared to perimeter-based models.
Testability: The hypothesis will be tested using controlled simulations, measurable
metrics, and repeatable methods.
Reproducibility: Experiments will use open-source tools and documented setups to
ensure results can be replicated.
Objectivity and Validity: Security outcomes (e.g., blast radius, MTTD/MTTR) are
objective, quantifiable metrics, reducing subjective bias.
Reliability: Multiple test runs will ensure consistency.
6) Ethical Justification:
This research involves no human participants, thus minimizing ethical concerns. However, the
study must:
Comply with ESRC Framework for Research Ethics, ensuring data integrity and
transparency.
Avoid misuse: results will be presented responsibly to prevent adversaries from
exploiting weaknesses.
Respect intellectual property: only publicly available research will be used.
Consider social impact: by improving network resilience, this research benefits society by
reducing data breaches and critical infrastructure risks.
7) Proposed Research Framework/Methodology:
The methodology combines a systematic literature review with an experimental evaluation:
1. Systematic Literature Review
Databases: IEEE Xplore, ACM Digital Library, SpringerLink, ScienceDirect.
Keywords: "Zero Trust Architecture", "ZTA effectiveness", "microsegmentation",
"enterprise security", "lateral movement".
Screening: Title/abstract review, inclusion of peer-reviewed studies, exclusion of opinion
pieces.
2. Evaluation Framework Development
Identify measurable metrics: attack path length, privilege escalation probability, asset
exposure.
Map ZTA controls to metrics.
3. Simulation Setup
Build representative enterprise networks in a lab (hybrid cloud + legacy systems).
Apply baseline (perimeter) controls and ZTA controls (micro-segmentation, MFA, device posture).
4. Testing & Data Collection
Run attack simulations (e.g., lateral movement, phishing entry).
Collect metrics on risk reduction and operational impact.
5. Analysis
Compare baseline vs. ZTA scenarios.
Analyze effectiveness and trade-offs.
6. Documentation
Present results in a structured research report.
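To make steps 2 to 5 concrete, the following is an added example (not part of the proposal, and not code from NIST, CISA or any cited source): a small Python model of a constructed enterprise network that computes three of the metrics named above (blast radius, attack-path length and asset exposure) from a single compromised foothold, once under a flat perimeter-trust policy and once under a hypothetical micro-segmented ZTA policy. All host names, zones, controls and policy entries are invented for illustration. Access is modelled as a reachability graph: a hop from one host to another is allowed only if the policy lists the zone pair and the identity operating from the current host can present every control that crossing requires; the ZTA policy also shows the effect of continuous validation by letting a device-posture check fail on the compromised foothold.

```python
"""Toy evaluation harness for blast radius, attack-path length and asset
exposure on a constructed enterprise graph (hypothetical data throughout)."""
from collections import deque
from typing import Dict, FrozenSet, Optional, Set, Tuple

# Constructed inventory: host -> network zone.
HOSTS: Dict[str, str] = {
    "ws-hr-01": "user", "ws-fin-02": "user",
    "app-crm": "app", "app-payroll": "app",
    "db-customer": "data", "db-payroll": "data",
    "jump-admin": "admin", "cloud-erp": "cloud",
}
# Sensitive assets used for the asset-exposure metric.
CROWN_JEWELS: Set[str] = {"db-customer", "db-payroll", "cloud-erp"}

# A policy maps an allowed (source_zone, dest_zone) pair to the controls the
# requesting identity must satisfy before that boundary may be crossed.
Policy = Dict[Tuple[str, str], FrozenSet[str]]

# Baseline perimeter-trust model: once inside, every zone reaches every other
# zone (and itself) with no per-request check.
ZONES = set(HOSTS.values())
PERIMETER_POLICY: Policy = {(s, d): frozenset() for s in ZONES for d in ZONES}

# Hypothetical ZTA policy: explicit least-privilege allow-list. No zone may
# talk to itself (micro-segmentation), and each crossing is gated by MFA,
# device posture or a workload identity. Per-workload segments would be
# tighter still; zone granularity is used here to keep the model short.
ZTA_POLICY: Policy = {
    ("user", "app"): frozenset({"mfa", "device-posture"}),
    ("app", "data"): frozenset({"workload-identity"}),
    ("admin", "app"): frozenset({"mfa", "device-posture"}),
    ("admin", "data"): frozenset({"mfa", "device-posture"}),
    ("admin", "cloud"): frozenset({"mfa", "device-posture"}),
}

# Controls an identity operating from each zone can normally present.
ZONE_CONTROLS: Dict[str, FrozenSet[str]] = {
    "user": frozenset({"mfa", "device-posture"}),
    "app": frozenset({"workload-identity"}),
    "data": frozenset(),
    "admin": frozenset({"mfa", "device-posture"}),
    "cloud": frozenset({"workload-identity"}),
}


def reachable(policy: Policy, foothold: str,
              revoked: FrozenSet[str] = frozenset()) -> Dict[str, int]:
    """Breadth-first search from `foothold`; returns {host: hop count}.
    Each hop uses the controls of the current host's zone. `revoked` lists
    controls the foothold itself can no longer present, e.g. when continuous
    posture evaluation flags the compromised device as non-compliant."""
    hops = {foothold: 0}
    queue = deque([foothold])
    while queue:
        cur = queue.popleft()
        presented = ZONE_CONTROLS[HOSTS[cur]]
        if cur == foothold:
            presented = presented - revoked
        for nxt, zone in HOSTS.items():
            if nxt in hops:
                continue
            required = policy.get((HOSTS[cur], zone))
            # Boundary absent from the allow-list, or a required control missing.
            if required is None or not required <= presented:
                continue
            hops[nxt] = hops[cur] + 1
            queue.append(nxt)
    return hops


def evaluate(policy: Policy, foothold: str,
             revoked: FrozenSet[str] = frozenset(),
             target: str = "db-payroll") -> Dict[str, Optional[float]]:
    """Blast radius (hosts reachable beyond the foothold), shortest attack
    path to `target` in hops (None if unreachable) and the fraction of
    crown-jewel assets exposed."""
    hops = reachable(policy, foothold, revoked)
    reached = set(hops) - {foothold}
    return {
        "blast_radius": len(reached),
        "attack_path_length": hops.get(target),
        "asset_exposure": len(reached & CROWN_JEWELS) / len(CROWN_JEWELS),
    }


def compare(foothold: str = "ws-hr-01") -> Dict[str, Dict[str, Optional[float]]]:
    """Side-by-side scenarios for the same phishing-style foothold."""
    return {
        "perimeter": evaluate(PERIMETER_POLICY, foothold),
        "zta": evaluate(ZTA_POLICY, foothold),
        "zta_posture_failed": evaluate(ZTA_POLICY, foothold,
                                       frozenset({"device-posture"})),
    }


if __name__ == "__main__":
    for scenario, metrics in compare().items():
        print(f"{scenario:20s} {metrics}")
```

Running the script prints one row per scenario: the flat perimeter model exposes every host in one hop, the ZTA allow-list limits the foothold to the application tier and the databases behind it (and keeps the cloud asset and admin zone out of reach), and a failed posture check on the compromised device blocks all movement. The same three functions can be pointed at a larger inventory or a different foothold, which is the kind of repeatable measurement the reproducibility criterion in section 5 calls for.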
8) Research Materials Selection Process:
Steps:
1. Keyword compilation: “Zero Trust Architecture,” “ZTA evaluation,”
“microsegmentation,” “identity-centric security,” “lateral movement mitigation.”
2. Database search: IEEE Xplore, ACM DL, Springer, Elsevier, Google Scholar.
3. Screening criteria: inclusion of peer-reviewed papers (2010–2024) and technical reports
(CISA, NIST, NCSC); exclusion of vendor blogs and non-peer-reviewed sources.
4. Filtering: Review abstracts to ensure relevance.
5. Storage: Papers stored in Mendeley/Zotero.
9) References (Harvard Style):
CISA (2023) Zero Trust Maturity Model v2.0. Cybersecurity and Infrastructure Security Agency.
Kindervag, J. (2010) No More Chewy Centers: Introducing the Zero Trust Model of Information
Security. Forrester Research.
NCSC (n.d.) Zero Trust Architecture Principles. National Cyber Security Centre.
Rose, S., Borchert, O., Mitchell, S. and Connelly, S. (2020) Zero Trust Architecture. NIST SP
800-207. National Institute of Standards and Technology.
U.S. Office of Management and Budget (2022) M-22-09: Federal Zero Trust Strategy. OMB.
10) Schedule (10 weeks, 35-40 hours per week):
| ID  | Task Title                 | Effort (hrs) | Planned Start | Planned End | Deliverable             |
|-----|----------------------------|--------------|---------------|-------------|-------------------------|
| 1   | Identify published papers  | 32           | 01/09/24      | 06/09/24    | List of selected papers |
| 1.1 | Compile keywords/phrases   | 2            | 01/09/24      | 01/09/24    | Keyword list            |
| 1.2 | Search databases           | 5            | 01/09/24      | 02/09/24    | Reference list          |
| 1.3 | Abstract screening         | 20           | 02/09/24      | 05/09/24    | Curated paper set       |
| 1.4 | Final filtering            | 5            | 06/09/24      | 06/09/24    | Stored library          |
| 2   | Detailed paper reading     | 72           | 07/09/24      | 27/09/24    | Notes/analyses          |
| 3   | Framework development      | 40           | 28/09/24      | 04/10/24    | Evaluation framework    |
| 4   | Simulation setup           | 60           | 05/10/24      | 18/10/24    | Lab environment         |
| 5   | Testing & data collection  | 80           | 19/10/24      | 01/11/24    | Dataset                 |
| 6   | Data analysis              | 50           | 02/11/24      | 08/11/24    | Results report          |
| 7   | Drafting final report      | 70           | 09/11/24      | 22/11/24    | Draft report            |
| 8   | Final editing & submission | 40           | 23/11/24      | 29/11/24    | Final report            |

Total: 444 hours (37 hrs/week). Sub-tasks 1.1–1.4 are included in the 32 hours of task 1.
11) Gantt Chart (Simplified):