Methodology of network infrastructure analysis as part of migration to zero-trust architecture⋆ Roman Syrotynskyi1,†, Ivan Tyshyk1,†, Orest Kochan1,†, Volodymyr Sokolov2,† and Pavlo Skladannyi2,*,† 1 Lviv Polytechnic National University, 12 Stepana Bandery str., 79000 Lviv, Ukraine 2 Borys Grinchenko Kyiv Metropolitan University, 18/2 Bulvarno-Kudriavska str., 04053 Kyiv, Ukraine Abstract The limitations of traditional security models are becoming increasingly apparent in the face of new cyber threats and the growing complexity of the network environment. Traditional security approaches, often based on perimeter defense, heavily rely on the assumption that threats originate outside the network and that internal entities can be trusted. This assumption is no longer valid, as modern threats frequently bypass perimeter defenses and exploit internal vulnerabilities. Moreover, the rise of remote work, cloud computing, and the proliferation of mobile devices have expanded the attack surface, making it difficult to ensure comprehensive protection with traditional models. To further enhance the security level of an enterprise’s network infrastructure, there is a need for a transition to a zero-trust (ZT) architecture, which requires a thorough methodological analysis of the existing network infrastructure and its information assets. There is a noticeable dependence on the implementation of the fundamental principles of ZT and the effective iterative implementation of the new security model on the transparency of the network structure, the assets involved, and the overall implemented information security policy. This paper presents a comprehensive methodology for analyzing an enterprise’s network infrastructure, which is a critically important component in the process of implementing a ZT architecture. The structure of the stages for assessing the security model of the network infrastructure and the enterprise security model has been formed. 
Approaches and practices for implementing measures aimed at obtaining the necessary information are described, and key data for forming reports and documenting results are proposed. The proposed methodology includes detailed asset identification, mapping data flows, and application inventory, as well as a rigorous assessment of user access and behavior. By systematically evaluating each aspect of the network, organizations can identify vulnerabilities, develop a micro-segmentation strategy, enhance access controls, and align their security policies with ZT principles. Keywords zero-trust architecture, network assessment, NIST, access evaluation, network inventory, least access, data flow, user access, network host1 1. Introduction it provides a detailed overview of the current state of the network, identifies all assets, and maps data flows. Such a In the landscape of modern cybersecurity, the transition to comprehensive assessment helps to pinpoint vulnerabilities a ZT architecture marks a significant turning point in and develop a customized ZT strategy that meets the moving away from traditional network security models. specific needs of the organization. Based on the fundamental principle of “never trust, always The purpose of this study is to create and describe a verify”, ZT architecture inherently trusts no entity inside or methodology for conducting a comprehensive assessment outside its perimeter, requiring verification at every access of the enterprise’s network infrastructure as an integral part point in the network. This approach has gained significant of the migration to the ZT security model. 
popularity because it systematically makes it harder to The implementation of ZT requires not only implement potential breaches by treating every user, device, technological changes but also cultural changes within the and network flow as a potential threat, regardless of their organization, as security becomes an integral part of all location on or off the network [1]. network operations [2]. By thoroughly assessing the A fundamental step in the transition to a ZT network, organizations can lay a solid foundation for a architecture is to conduct a thorough assessment of the corporate network. This initial assessment is crucial because CSDP-2024: Cyber Security and Data Protection, June 30, 2024, Lviv, 0009-0002-6280-3290 (R. Syrotynskyi); 0000-0003-1465-5342 Ukraine (I. Tyshyk); 0000-0002-3164-3821(O. Kochan); 0000-0002-9349-7946 ∗ Corresponding author. (V. Sokolov); 0000-0002-7775-6039 (P. Skladannyi) † These authors contributed equally. © 2024 Copyright for this paper by its authors. Use permitted under roman.m.syrotynskyi@lpnu.ua (R. Syrotynskyi); Creative Commons License Attribution 4.0 International (CC BY 4.0). ivan.y.tyshyk@lpnu.ua (I. Tyshyk); orest.v.kochan@lpnu.ua (O. Kochan); v.sokolov@kubg.edu.ua (V. Sokolov); p.skladannyi@kubg.edu.ua (P. Skladannyi) CEUR Workshop ceur-ws.org ISSN 1613-0073 97 Proceedings successful transition to a ZT structure, thereby enhancing will be a map of corporate system connections that will allow their ability to defend against sophisticated cyber threats. for the analysis and identification of necessary connections and the planning of appropriate security policies and network 2. Literature review micro-segmentation. 
Recommendations for conducting an initial analysis of The concept of ZT in network security is gaining increasing corporate assets are widely discussed in contemporary importance as organizations seek to adapt to complex scientific works describing ZT architecture and migration, threats in modern network environments. Traditional confirming the importance of this stage. The granularity perimeter-based network security models are no longer and detail of these approaches are either not disclosed or sufficient, leading to the emergence of ZT, which ensures disclosed superficially, without recommended models for strict identity verification for both internal and external asset classification and data analysis approaches, access to computer network resources [2, 3]. confirming the relevance of research that would highlight Network assessment for ZT involves evaluating all the process of preliminary assessment and infrastructure network aspects to eliminate implicit trust, requiring analysis with recommendations for their implementation. verification at every level and segment. This paradigm shift concerns not only the technology stack but also changes in policies and management to ensure no organization is 3. Problem statement trusted by default [4, 5]. Taking into account the NIST 800-207 recommendations for Implementing ZT models often focuses on network the effective implementation of ZT architecture and the micro-segmentation, dynamic trust policies, and robust need to minimize operational costs associated with identity and access management frameworks to protect incorrect security policy development or insufficiently both data and applications. These models rely on meticulous detailed risk assessments, there arises a necessity to develop real-time threat monitoring and assessment to dynamically approaches that help conduct a qualitative analysis of adjust access controls based on perceived risk levels [6, 7]. 
corporate network infrastructure, assets, and their access, as Despite the theoretical robustness of ZT, well as an inventory of information resources, applications, implementation challenges include the complexity of and data flows between them. This information is crucial for integrating this model into legacy systems, the need for creating a list of connections that should be implemented continuous improvement of security policies, and the considering the principle of “least privileged access”. resource intensity required to maintain and monitor a ZT Given the above, the relevant task of this work is to define environment. Future research and technological the list of necessary stages for conducting a comprehensive developments will likely focus on making ZT more analysis of the enterprise’s network infrastructure, accessible and manageable, improving the automation of investigate methods for their implementation, and develop a trust decisions, and integrating artificial intelligence to methodology. The application of this methodology will allow support continuous adaptation to emerging threats [8, 9]. for the acquisition of necessary information, which will Phiayura and Teerakanok (2023) propose a detailed subsequently be used for planning stages of network micro- framework for transitioning to ZTA, emphasizing the need segmentation and the overall development of security for a strategic approach to strengthening enterprise policies. This will ensure the correct migration of the existing security. The study identifies crucial steps for initial enterprise security model to a ZT architecture. assessment, including understanding the current security landscape, identifying critical assets, and evaluating 4. Presentation of the main research existing security measures [10]. 
Teerakanok, Uehara, and Inomata (2021) discuss the material concept of ZT and outline the challenges and considerations Migrating an enterprise security system to a ZT model when transitioning from legacy architectures. The paper means moving from a traditional security model that trusts highlights the importance of initial assessments to identify users and devices in the middle of the network perimeter to potential risks and prepare for the transition [11]. Key steps one that continuously verifies and authenticates all users include assessing the current network infrastructure, and devices, regardless of their location. This involves understanding user behavior, and defining security policies implementing strict access controls, micro-segmentation, based on the principle of least privilege. and constant monitoring to ensure that only authorized An extensive description of enterprise infrastructure users can access certain resources. This approach minimizes components and their application in ZT architecture is the risk of unauthorized access and lateral movement in the provided in the book “ZT Security: An Enterprise Guide” by network. The goal is to improve security by recognizing that Jason Garbis and Jerry W. Chapman [12]; however, the issues threats can exist both inside and outside the network. This of methodology and effective approaches for initial analysis transition requires updating policies, deploying new and assessment are not addressed. technologies, and educating users on new security practices. The authors of “ZT Networks” recommend using The ZT concept involves the application of its main network traffic analysis through network flow generation principles, namely: when planning a migration to ZT architecture. After recording all network flows, the next goal is to classify the  Never trust, always verify. flows based on higher-level system connections. These  The principle of least sufficient privileges. 
connections should be defined at the logical system level  The assumption is that the intervention has rather than at the individual IP/port level [13]. The result already taken place. 98 Despite the significant efforts that organizations are making firewalls, endpoints, and any IoT devices. It is important to prevent compromise, the reality is that if cybercriminals that this inventory is updated and includes all assets attack a particular organization, they will find a way to connected to the network [16]. infiltrate the internal infrastructure [14]. The primary data source can be the analysis of Planning network segmentation and granular access information in the corporate CMDB system, if available, as control according to the principles of ZT requires detailed well as service documentation describing all elements of a accounting and transparency of the existing infrastructure particular corporate service. As with network nodes, the and all traffic exchange points. To ensure the principle of found information should be verified and supplemented minimum privileges and cut off any excessive access rights, using precise system verification tools, including it is necessary to have a clear understanding of data transfer virtualization tools, network scanning, monitoring system needs and the level of access required for each application analysis, and network traffic analysis. that uses the corporate network for its work. To effectively manage the collected data, it is Scope and Boundaries. The initial stage of analyzing recommended to define mandatory fields for each identified the network infrastructure as the foundation of all corporate asset. Examples of important fields might include asset type, services will be to define its scope and boundaries, as well as asset name, host IP addresses, home network name, service zones of responsibility and control. Due to recent trends, the affiliation, geographical location, and host purpose. 
When answer to this question may not be straightforward. Remote creating a list of network assets, it is advisable to use the list workforce, cloud computing, and VPN connections with of corporate prefixes to clearly distinguish: “internal,” partner networks blur the lines of responsibility and “external,” and internet addresses. protection. During the identification of hosts, there may be cases At this stage, it is advisable to create or review the where certain hosts are temporarily turned off or have very existing network diagram. Use tools and methods to map out low activity, making them absent from logs, and the ARP the entire network infrastructure, including all devices, table may not show a corresponding entry. In such cases, endpoints, and connections. This includes defining the there is a risk of missing them. Under the traditional geographical and administrative boundaries of the network, security model, these would be categorized as Shadow IT, as well as its logical segments [15]. but under the ZT security model, their network activity will The primary data sources for creating the network either be blocked or significantly limited, leading to an diagram will be existing documentation and corporate incident and requiring additional configurations to restore systems such as the Configuration Management Database their proper functionality. (CMDB). Due to the static nature of the data and the To find such low-activity assets, the “exclusion” method widespread issue of “Shadow IT”, it is not advisable to rely can be applied. The idea is to exclude all already identified solely on documented data from these sources. Instead, assets and analyze what remains. One implementation validate and supplement them with real data obtained using option is manipulating corporate firewall rules with enabled tools from the “Network Inventory” category. A mandatory traffic logging. 
For example, to filter all identified hosts, step should be manual reconnaissance using tactics such as create an additional rule similar to the existing one, but reviewing network device configurations, identifying instead of specifying a broad network prefix in the Source neighboring connections using appropriate protocols and section, specifically list all known hosts and place it above network device management commands, analyzing the existing rule. monitoring systems, and enabling logging and analysis of Thus, the general (lower) rule will pass the traffic of all network flows. The outcome of this stage will be network missed and not listed in the filtering rule known hosts. diagrams showing all segments and nodes, as well as a Such configurations can be left for a certain period and comprehensive list of network devices. then the logs can be reviewed to see the traffic that appeared Subnet inventory. Since network nodes can aggregate in the general rule, below the “filter” rule. This way, all different logical networks on the same physical links, it is potential assets that were not previously identified for important to identify all corporate network prefixes. Taking various reasons can be “caught”. into account the already-known network topology and its The figures show an example of implementing this segments, all corporate networks (prefixes) should be approach using a Palo Alto firewall, where the existing documented. Sources of this information can include the general rule is “Default-Rule-Permit-From-Network”, and corporate CMDB system, corporate monitoring, as well as the temporary filter rule is “Filter-Rule-For-Known-Hosts.” an analysis of network device configurations. The Analysis of network host access. Another information should include both private and public address fundamental principle of ZT is the “principle of least blocks, and it is also necessary to document client networks privilege”. 
In the context of its application to network with connectivity that may be established through Site-to- assets, this principle is based on defining the minimal access Site VPN. rights to other resources necessary for the correct operation Network host inventory. To ensure visibility of of the asset or the applications installed on it, while everything interacting with the corporate network and restricting all other access. The assessment and audit of the potentially accessing corporate resources, or being the network at this stage involve analyzing the existing resource accessed, it is necessary to identify assets and network accesses of its assets, inventorying them, and then document all equipment, software, and devices that are part determining the least allowable privileges. of the network. This includes servers, routers, switches, 99 Figure 1: Example of rule application—a filter to exclude known assets Figure 2: Visualization of assets by per rule name logs filtering Due to the perimeter-based security model ideology, accesses to ensure the administrative and operational needs identifying the existing connections of certain hosts is not of the system. These may include: always an easy task. This refers to horizontal connections that are not recorded anywhere or hosts that do not support  Administrative access. the installation of appropriate applications for local traffic  Access for monitoring. analysis [17].  Access for backup. Several approaches can be applied to analyze existing  Access to name resolution services. accesses and determine the minimally required accesses. For  Access to repositories for installing and updating example: system packages.  Access to licensing servers.  Analysis of necessary connections using expert evaluation. 
After completing the theoretical analysis, to confirm the  Analysis of necessary connections using the collected information, it is recommended to analyze the technical documentation of the network node or existing traffic to and from this system over a certain period its applications. and compare it with the results obtained previously.  Analysis of the technical documentation of the Common network traffic analysis algorithms include: service to which the node belongs.  Analysis of the existing connections of the node in  Using network traffic analyzer programs. the network by capturing and reviewing traffic or  Using tools based on connection logging on analyzing NetFlow-type flows. corporate firewalls.  Analysis of traffic logging when passing through  Using solutions based on network traffic the firewall. accounting protocols. Using just one of the listed approaches will not be Mapping data flows. Understanding data transmission sufficient to obtain objective and comprehensive results. For paths and dependencies is crucial for defining security the highest quality determination of the minimally required policies that align with the ZT model. To map how data privileges, it is advisable to start with researching the moves through the network and determine which documentation of the host or the software product installed applications and services access and process the data, a on the host. Such documentation will give us a typical thorough investigation should be conducted. The key steps description of the ports and protocols used by this solution. in this process include: The next step should be to analyze the configuration and determine which resources this host communicates  Identifying Sources and Destinations of Data with. 
The information obtained from researching the Flows: Catalog all databases, file servers, cloud manufacturer’s documentation and analyzing the storage services, endpoints, and any other configuration will provide an understanding of the access repositories or sources of data. needs to ensure the main functions of this host or  Inventorying Applications and Services application. However, traditionally, in addition to accesses Interacting with Data: Document all applications to ensure the main function, most hosts require certain and services that interact with the data. 100  Mapping Data Interactions: Track how data moves Common types of user accounts include guest, employee, from one point to another. This includes data at administrative, and service accounts. These can be local on rest (stored data) and data in transit (data moving the systems or global accounts registered in corporate through the network). directory services. Regarding user access methods to the  Determining Data Access Patterns: Recognize network, the following are distinguished: how, when, and by whom data access occurs.  Analyzing Network Segments: Evaluate how data  Local wired access moves through various network segments,  Local wireless access including isolated or restricted zones, to confirm  Remote access from outside the organization’s that segmentation complies with security policies. perimeter.  Identifying External Data Flows: Record data flows Typically, each of these access methods has its security that cross network boundaries. policies that regulate access to corporate resources for Mapping data flows in a ZT environment provides a specific roles or groups of accounts. Analyzing clear vision of how data moves through the network, which authentication and authorization parameters will help is essential for identifying potential vulnerabilities and determine which user groups have certain access [20]. ensuring the effective application of security policies. 
Understanding who is allowed to connect is essential to Application inventory. The inventory and analysis of determine the target resources they can access. This corporate applications, including proprietary and third- information should also be described in connection policies. party programs, is the next crucial step in network The traffic path from the user to the target resource may assessment as part of the migration to a ZT architecture. The pass through more than one access control point, so to goal is to assess the security status of each application, assess the access level of a specific user or group of users, it understand their data handling practices, and ensure they are is necessary to carefully analyze all access control points, configured to operate securely within a ZT framework. compare the data, and describe a clear list of addresses and The objective is to compile a comprehensive list of ports to which such access is granted. applications used and supported by the corporate To further process the obtained results and determine infrastructure. An effective approach combines automated the minimally acceptable level of access, the existing user discovery tools and manual checks. This includes identifying access list should be additionally analyzed to identify the the names of programs, their versions, and their purposes. following: The next step is to assess the security status of specific  Access Verification: Review access levels and applications. The authors of the publication “Performance permissions for each user. Pay attention to any Analysis of ZT Multi-Cloud” recommend the following discrepancies or excessive permissions that do not practices: conduct security assessments such as vulnerability match their job roles. scans, penetration tests, and code reviews. Look for known vulnerabilities, outdated software versions, and incorrect  Privilege Identification: At this stage, it is configurations [18]. 
necessary to identify users with elevated It is important to understand how each application privileges and ensure that such access is necessary processes and stores data. Analyzing data flows within and documented. applications will help assess how data is encrypted, All useful information should be reflected in the user transmitted, and stored. This assessment is necessary to inventory report. This should be a comprehensive report ensure compliance with data protection regulations and documenting all user accounts, their types, roles, current adherence to internal security policies. access levels, and any identified issues. Using the obtained Mapping and documenting integration points and information, it is important to conduct a risk assessment: dependencies between applications will provide an and identify potential security risks, such as lost accounts, understanding of integration points with other applications. excessive permissions, and discrepancies in user roles and “Document APIs, data exchange protocols, and network access levels. communications to identify potential security gaps” [3]. Summary of accesses and common policies. Given The evaluation of access control mechanisms for the modern virtualization capabilities and the complexity of corporate applications includes reviewing and analyzing infrastructures, the number of hosts in the network and, access control lists, role-based access control consequently, the number of potentially required rules that configurations, and other security settings required to will describe all possible connections will be significant. The enforce the principle of least privilege. It is important to development and maintenance of numerous security ensure that Multi-Factor Authentication (MFA) and policies is a labor-intensive and costly task not only from continuous monitoring are in place [19]. the perspective of human resources for maintenance but User identification and access. 
In addition to system also from the standpoint of hardware requirements for inventory, user inventory, and access identification are firewalls that will ensure their operation and enforcement. essential when conducting a network assessment. This To optimize and reduce the number of rules, a good process ensures a comprehensive understanding of all users approach is to use common security policies for similar in the network, their roles, and access levels. access types. In a typical organization, similar access types First, it is necessary to identify the existing types of user might include the following categories: accounts and their access options to network resources. 101  Shared patch management.  Secure connection methods such as VPN or ZT  Shared administrative access. Network Access (ZTNA) solutions are used, and  Shared backup and monitoring access. device authentication mechanisms such as MFA  Similar access to certain resources. are implemented. In such cases, a common rule is used that allows traffic Review of security policies. Reviewing security to pass in one direction using the same services or policies and procedures is necessary to align with the applications for a certain number of different network principles of ZT during the network assessment. The goal is nodes listed in the “source” or “destination” field. to gather all existing security policies and procedures, such Conducting the procedure of categorizing accesses at the as documentation on access control policies, incident stages of evaluating user and network host access allows for response plans, data protection protocols, and other more effective and optimized planning and development of relevant security measures, and ensure that all documents security policies. are up to date and reflect current practices [22]. 
Reducing the overall number of security policies that To assess the effectiveness of current security policies, describe access to corporate nodes and applications is qualitative and quantitative methods will be effective in worthwhile and necessary, but only if this optimization evaluating how well the policies protect against threats. does not reduce the level of security and does not grant This includes reviewing compliance reports, conducting additional unnecessary accesses. This categorization interviews with key stakeholders, and analyzing incident approach should also be used when analyzing accesses for response records to identify any gaps or weaknesses [23]. similar hosts, such as remote users or identical computing Existing security policies should mandate the use of units. MFA and strong password requirements for all users and Endpoint security. Users access corporate resources devices. User onboarding and off-boarding procedures using their endpoint devices. Analyzing the security status should support timely updates to access controls. of endpoint devices that participate in data exchange with Evaluating the effectiveness of device security policies corporate resources is also part of the comprehensive should highlight mandatory encryption and regular network assessment needed for a successful transition to ZT software updates. Data protection policies should ensure architecture. the encryption of sensitive information both at rest and in To create a complete list of all endpoint devices transit. connected to the network, it is advisable to use automated It is also important to review incident response tools for network scanning and device identification, procedures to ensure they support the rapid detection, including desktop PCs, laptops, mobile devices, and IoT reporting, and mitigation of security incidents [24-25]. devices. 
Document the details of each device, such as type, Assessing the governance structure is necessary to ensure operating system, and installed software [21]. clear accountability and regular review of security practices. To help classify and supplement the list, analyze Finally, it is essential to document the results of the review corporate monitoring systems, and mobile device and relevant observations of all corporate security policies management tools, and review information registered in the and their effectiveness, considering the current state of their CMDB. communication and enforcement throughout the A crucial aspect is the classification of devices into those organization. under corporate control and those not controlled by corporate security policies. When transitioning to ZT 5. Research results architecture, different levels of access will be applied to The migration of an enterprise’s security model to a ZT corporate and non-corporate endpoint devices. architecture is a complex and costly process that requires For corporate devices, it is necessary to analyze and thorough preparation, an understanding of the security verify the status of security solutions applied to them. The model architecture, a well-developed migration plan, an purpose of this assessment is to ensure that endpoint understanding and agreement on costs, risk management, devices comply with security policies and are adequately and acceptance of the changes that will occur within the protected from threats. The following should be checked organization during and after the migration. and documented: One of the initial stages of migration is conducting an analysis and assessment of the corporate network  All devices comply with corporate security infrastructure. Depending on the thoroughness of this policies, including encryption, password, and assessment, the duration, cost, and risks of the migration software update policies. will vary. 
• Antivirus software and malware protection programs are installed and updated.
• Firewall and intrusion prevention system settings.
• Evaluation of the encryption status of sensitive data both at rest and in transit.
• The status of patches and updates for operating systems, applications, and security software, and whether automated patch management tools effectively deploy updates.

The result of this research is a proposed methodology and recommendations for conducting activities to describe and inventory the structure of the corporate network, its segments and assets, to describe and classify accesses and data flows, to document corporate applications, and more. The described approach is based on the recommendations for a phased and cyclical approach to implementing ZT architecture as outlined in the special publication NIST SP 800-207 [2].

Figure 3: Zero-trust architecture deployment cycle according to NIST SP 800-207

The methodology involves conducting successive stages of a comprehensive assessment using recommended measures and techniques for identifying, searching, analyzing, and classifying information for documentation and subsequent use in building the ZT security model.

Table 1: Assessment structure (columns: Stage; Evaluation algorithm; Key data)

Stage: Scope and boundaries.
Evaluation algorithm:
1. analysis of existing documentation
2. analysis of information in the CMDB
3. viewing the configuration of network devices
Key data:
– network diagram
– network segments
– segment type
– segment location
– network hosts
– hostname
– host location
– host platform

Stage: Subnet inventory.
Evaluation algorithm:
1. analysis of information in the CMDB
2. viewing the configuration of network devices
Key data:
– prefix
– network name (if available)
– network type (assignment: user network, server network, client network, external subnet, etc.)
– the device on which this subnet is terminated

Stage: Network host inventory.
Evaluation algorithm:
1. analysis of information in the CMDB
2. analysis of documentation of corporate services
3. review of information in monitoring systems
4. viewing information in virtualization tools
5. analysis of network traffic logging
6. analysis of ARP tables of network devices
7. generating reports and creating “tenet” policies based on network traffic logging
8. use of network scanning tools
Key data:
– hostname
– host type
– IP address (internal)
– IP address (external)
– the name of the home network
– belonging to a certain service
– host assignment (Production\Development\Test\Stage)
– host status
– host owner type
– host location

Stage: Analysis of network host access.
Evaluation algorithm:
1. study of the technical documentation of the software or hardware product
2. analysis of accesses of hosts and applications using expert evaluation
3. host configuration analysis
4. analysis of corporate service documentation
5. network traffic analysis by various means:
   – traffic logging on the firewall
   – analysis of mirrored traffic
   – analysis of “NetFlow” type streams
Key data:
– access name
– access category (management, developer operational, working)
– access source
– assignment of access
– port and protocol
– application
– access context
– description of access

Stage: User identification and access.
Evaluation algorithm:
1. analysis of user registration and their access to the CMDB
2. analysis of entry points and user traffic paths on the network diagram
3. analysis of authentication and authorization parameters at network access points
4. analysis of the configuration of network devices and determination of address pools
5. analysis of user roles and their access levels
6. analysis of sources of identity
Key data:
– account
– account type
– identity provider name
– list of authentication and connection points
– the list of access privileges in detail (IP, port, application, context)
– description of access contexts and their access levels

Stage: Mapping data flows.
Evaluation algorithm:
1. network diagram analysis
2. analysis of network segments and hosts
3. analysis of the location of data stores
4. analysis of documentation of corporate services that interact with data
5. analysis of data flows using peer review
Key data:
– data flow diagrams
– sources and destinations of data streams
– applications and services that interact with data
– data at rest
– data in transit
– data access model
– data movement within the network
– moving data outside the network

Stage: Application inventory.
Evaluation algorithm:
1. analysis of documentation of corporate services
2. analysis of the results of the inventory of networks and network assets
3. analysis of application security settings
4. scanning of application vulnerabilities
5. application penetration testing
Key data:
– the name of the application
– application version
– purpose of the application
– integration points and dependencies between programs
– internal\external publication
– access control

Stage: Endpoint security.
Evaluation algorithm:
1. analysis of means of inventory of corporate equipment
2. analysis of corporate mobile device management tools
3. analysis of corporate remote access services
4. analysis of the corporate security policy
Key data:
– inventory of corporate devices
– classification of corporate devices
– antivirus software
– firewall settings
– data encryption
– update of patches of the operating system and applications
– secure remote access tools

Stage: Review of security policies.
Evaluation algorithm:
1. assessment of current security policies
Key data:
– creating and deleting users
– device security
– data protection on the device
– requirements for using MFA and strong passwords
– incident response procedures
– network segmentation policy
– standards for safe configuration of environments

By conducting a thorough audit covering these areas, an organization can lay a solid foundation for implementing a ZT architecture that protects data flows, applications, and the overall network environment. This comprehensive approach is essential to protecting against sophisticated cyber threats in today’s complex and dynamic IT landscape.
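The network host inventory and host access stages of Table 1 draw on CMDB records, ARP tables of network devices and firewall traffic logging. The following is an added example, not code from the paper, that reconciles those three sources into the key data fields the table lists (home network, host status, access source, port and protocol, access category and context); the subnet table, CMDB records, ARP rows, flow-log lines and the management-port heuristic are all constructed assumptions.

```python
import ipaddress
import re
# Constructed sample inputs (not from the paper): subnet table, CMDB records, ARP output, flow log.
SUBNETS = [("10.1.10.0/24", "users-lviv", "user network"),
           ("10.1.20.0/24", "db-servers", "server network")]
CMDB = {"10.1.20.5": {"hostname": "db01"}, "10.1.10.7": {"hostname": "ws-anna"}}
ARP_LINES = ["Internet  10.1.10.7   4  aabb.cc00.0001  ARPA  Vlan10",
             "Internet  10.1.10.9   1  aabb.cc00.0002  ARPA  Vlan10",  # absent from the CMDB
             "Internet  10.1.20.5  12  aabb.cc00.0003  ARPA  Vlan20"]
FLOW_LINES = ["src=10.1.10.7 dst=10.1.20.5 proto=tcp dport=5432 action=allow",
              "src=10.1.10.9 dst=10.1.20.5 proto=tcp dport=22 action=allow",
              "src=203.0.113.8 dst=10.1.20.5 proto=tcp dport=443 action=allow",
              "src=10.1.10.7 dst=10.1.20.5 proto=tcp dport=3389 action=deny"]
MGMT_PORTS = {22, 3389, 5900}  # assumed heuristic for the "management" access category
ARP_RE = re.compile(r"Internet\s+(\S+)\s+\S+\s+(\S+)\s+ARPA\s+(\S+)")  # Cisco-style ARP row

def home_network(ip):
    """Return (network name, network type) from the subnet table; external if unmatched."""
    addr = ipaddress.ip_address(ip)
    for prefix, name, ntype in SUBNETS:
        if addr in ipaddress.ip_network(prefix):
            return name, ntype
    return "external", "external subnet"

def build_host_inventory(cmdb, arp_lines):
    """Merge CMDB records with hosts seen in ARP tables; flag hosts the CMDB lacks."""
    inventory = {}
    for ip, mac, vlan in (m.groups() for m in map(ARP_RE.match, arp_lines) if m):
        name, ntype = home_network(ip)
        rec = cmdb.get(ip, {})
        inventory[ip] = {"hostname": rec.get("hostname", "unknown"), "mac": mac, "vlan": vlan,
                         "home_network": name, "network_type": ntype,
                         "status": "documented" if ip in cmdb else "undocumented"}
    return inventory

def derive_accesses(flow_lines, inventory):
    """Turn allowed flows into access records: source, port/protocol, category, context."""
    accesses = []
    for line in flow_lines:
        f = dict(kv.split("=", 1) for kv in line.split())
        if f.get("action") != "allow":  # denied flows are not accesses to document
            continue
        port = int(f["dport"])
        src_net = home_network(f["src"])[0]
        accesses.append({"source": f["src"], "source_network": src_net,
                         "destination": inventory.get(f["dst"], {}).get("hostname", f["dst"]),
                         "port_protocol": f"{port}/{f['proto']}",
                         "category": "management" if port in MGMT_PORTS else "working",
                         "context": "external" if src_net == "external" else "internal"})
    return accesses
```

Hosts with status "undocumented" and accesses with an "external" context are the entries that most need follow-up before segment policies are written.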
6. Conclusions

Summarizing the above, it has been established that the implementation of a ZT architecture is currently essential for enterprises and organizations seeking to enhance the protection of their information systems from both existing and anticipated cyber threats. It has been determined that integral attributes of the process of migrating an enterprise’s security model to a ZT architecture (security model) include a clear understanding of the architecture of the existing model, knowledge of the corporate network structure, conducting an inventory of its assets and the distribution of data flows necessary for the functioning of corporate applications and the operation of business processes built on them.

The network infrastructure analysis methodology outlined in this paper provides a structured approach to conducting comprehensive network infrastructure assessments, describes approaches and practices for finding useful information when conducting them, and emphasizes the key data needed to document the results.

It has been established that conducting a detailed assessment and documentation of the corporate network infrastructure, inventorying its assets, access, and data flows, as well as classifying the received information from the perspective of information security, will allow the enterprise to effectively plan an iterative migration of the existing security model to a ZT architecture, with a lower probability of abnormal situations, reduced downtime of business processes, and lower costs for operational support.

Prospects for further research may be aimed at developing approaches and practices for the iterative migration of corporate infrastructure elements to a ZT architecture.
References

[1] S. Rose, Planning for a Zero-Trust Architecture: A Planning Guide for Federal Administrators (NIST CSWP 20), National Institute of Standards and Technology (2022) 1–16. doi: 10.6028/NIST.CSWP.20.
[2] S. Rose, Zero-Trust Architecture. NIST Special Publication 800-207, National Institute of Standards and Technology (2020) 1–50. doi: 10.6028/NIST.SP.800-207.
[3] Y. He, A Survey on Zero-Trust Architecture: Challenges and Future Trends, Wireless Communications and Mobile Computing (2022). doi: 10.1155/2022/6476274.
[4] Y. Ge, Q. Zhu, Zero-Trust for Cyber Resilience, ArXiv (2023). doi: 10.48550/arXiv.2312.02882.
[5] R. Habash, M. Khalel, Zero-trust Security Model for Enterprise Networks, Iraqi J. Inf. Commun. Technol. (2023). doi: 10.31987/ijict.6.2.223.
[6] S. Hong, et al., Research on Zero-Trust Evaluation Method for Network Security, in: 3rd International Conference on Frontiers of Electronics, Information and Computation Technologies (ICFEICT) (2023) 449–454. doi: 10.1109/icfeict59519.2023.00080.
[7] M. Xu, et al., Zero-Trust Security Authentication Based on SPA and Endogenous Security Architecture, Electronics (2023). doi: 10.3390/electronics12040782.
[8] Y. Ge, Q. Zhu, Trust Threshold Policy for Explainable and Adaptive Zero-Trust Defense in Enterprise Networks, IEEE Conference on Communications and Network Security (2022) 359–364. doi: 10.1109/CNS56114.2022.9947263.
[9] S. Sarkar, et al., Security of Zero-Trust Networks in Cloud Computing: A Comparative Review, Sustainability (2022). doi: 10.3390/su141811213.
[10] P. Phiayura, S. Teerakanok, A Comprehensive Framework for Migrating to Zero-Trust Architecture, IEEE Access 11 (2023) 19487–19511. doi: 10.1109/ACCESS.2023.3248622.
[11] S. Teerakanok, T. Uehara, A. Inomata, Migrating to Zero-Trust Architecture: Reviews and Challenges, Secur. Commun. Netw. (2021) 1–10. doi: 10.1155/2021/9947347.
[12] J. Boston, J. Chapman, Zero-Trust Security: An Enterprise Guide, Apress (2021). doi: 10.1007/978-1-4842-6702-8.
[13] E. Gilman, D. Barth, Zero-Trust Networks, O’Reilly Media, Incorporated (2017).
[14] S. Vasylyshyn, et al., A Model of Decoy System Based on Dynamic Attributes for Cybercrime Investigation, Eastern-European J. Enterp. Technol. 1(9(121)) (2023) 6–20. doi: 10.15587/1729-4061.2023.273363.
[15] M. Luckie, et al., bdrmap: Inference of Borders Between IP Networks, Proceedings of the 2016 Internet Measurement Conference (2016). doi: 10.1145/2987443.2987467.
[16] J. Myerson, Identifying Enterprise Network Vulnerabilities, Int. J. Netw. Manag. 12 (2002). doi: 10.1002/nem.433.
[17] S. Yevseiev, Models of Socio-Cyber-Physical Systems Security: monograph, PC TECHNOLOGY CENTER (2023).
[18] S. Rodigari, et al., Performance Analysis of Zero-Trust multi-cloud, IEEE 14th International Conference on Cloud Computing (CLOUD) (2021) 730–732. doi: 10.1109/CLOUD53861.2021.00097.
[19] S. Ghasemshirazi, G. Shirvani, M. Alipour, Zero-Trust: Applications, Challenges, and Opportunities, ArXiv (2023). doi: 10.48550/arXiv.2309.03582.
[20] D. Shevchuk, Designing Secured Services for Authentication, Authorization, and Accounting of Users, in: Cybersecurity providing in information and telecommunication systems II, vol. 3550 (2023) 217–225.
[21] C. Mu, et al., ETA: A Method of Dynamic Network Device Security Assessment, Journal of Physics: Conference Series 1229 (2019). doi: 10.1088/1742-6596/1229/1/012060.
[22] Y. Shunzheng, Assessment of Network Security Policy Based on Security Capability, Journal of Wuhan University (2009).
[23] M. Abedin, et al., Vulnerability Analysis for Evaluating Quality of Protection of Security Policies, QoP '06: Proceedings of the 2nd ACM Workshop on Quality of Protection (2006) 49–52. doi: 10.1145/1179494.1179505.
[24] J.S. Al-Azzeh, et al., Analysis of self-similar traffic models in computer networks, International Review on Modelling and Simulations 10(5) (2017) 328–336.
[25] M. Zaliskyi, et al., Method of traffic monitoring for DDoS attacks detection in e-health systems and networks, in: Informatics & Data-Driven Medicine, vol. 2255 (2018) 193–204.