Interview Questions for Business Analysts and Systems Analysts


INTERVIEW QUESTION:

What is Zero-Trust Architecture (ZTA)?

Posted by Adrian M.


Categories: Systems Analysis, General, Tools

ANSWER

Zero-Trust Architecture (ZTA) is a security mindset that treats every request—whether from a laptop in the office or a microservice in the cloud—as untrusted until it proves otherwise. Instead of assuming that anything “inside the firewall” is safe, the system demands continuous verification (identity, device health, location, behavior) and then grants only the minimum access needed to perform the task.

Why a Business / Systems Analyst Should Care

  • Shifts Non-Functional Requirements
    • Performance - added policy checks can affect latency; capture acceptable response-time SLAs.
    • Logging & Auditing - ZTA generates granular telemetry; specify retention, privacy, and analytics needs.
    • Scalability - verification services must scale with user spikes; include load thresholds in requirements.
  • Changes User Journeys - Password-plus-MFA becomes mandatory, contractors use short-lived access tokens, and service-to-service calls must present signed certificates. Map these steps in current- vs. future-state process flows so stakeholders see the impact on onboarding, customer support, and incident response.
  • Reframes Risk & Compliance - ZTA directly supports controls in ISO 27001, SOC 2, and GDPR. Analysts translate those regulatory statements into acceptance criteria—e.g., “All PII APIs require device compliance and role-based scopes.”
  • Influences Build-vs-Buy Decisions - Because least-privilege rules are evaluated at every hop, analysts must gather functional requirements for IAM, endpoint posture, and policy engines, then score vendors or internal solutions against them.
  • Creates New Metrics - Define KPIs such as mean time to revoke compromised credentials, percentage of workloads with micro-segmentation enforced, or failed access attempts flagged by UEBA; they become part of the benefits case.

Typical Analyst Tasks in a Zero-Trust Initiative

Phase | Analyst Focus | Example Artifacts
Discovery | Identify user/data flows crossing trust zones | Context diagrams, data classification matrix
Requirement Elicitation | Gather authentication, authorization, and logging needs from SMEs | User stories (“As an API consumer, I need token-based auth…”)
Gap Analysis | Compare legacy apps vs. ZTA principles | Traceability matrix
Prioritisation | Sequence workloads by business value and risk | Roadmap with MVP slice (e.g., secure admin access first)
Validation | Ensure policies meet usability & compliance goals | Test scenarios, UAT scripts

 

Example

In a mortgage-origination platform, underwriters now log in from home. A BA documents their journey: device check → MFA → loan-doc API call scoped to “read-only underwriting queue.” By detailing that flow and its non-functional thresholds (≤300 ms added latency, 99.9 % policy-engine uptime), the BA ensures Zero-Trust improves security and keeps the loan cycle time competitive.
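
The underwriter flow above can be written as a deny-by-default policy decision, which is also a convenient source for test scenarios. This is an added example, not code from the original article; the policy values, field names, and the 15-minute token lifetime are assumptions made for illustration.

```python
import time
from dataclasses import dataclass

# Hypothetical policy for the loan-doc API; all values are illustrative.
POLICY = {
    "resource": "loan-docs",
    "required_scope": "underwriting-queue:read",
    "allowed_methods": {"GET"},      # read-only
    "max_token_age_s": 900,          # assumed short-lived token lifetime
}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    method: str
    resource: str
    device_compliant: bool
    mfa_passed: bool
    scopes: frozenset
    token_issued_at: float

def audit(req, decision, reason):
    # Allow and deny decisions both produce a record for the audit trail.
    return {"user": req.user, "method": req.method,
            "resource": req.resource, "decision": decision, "reason": reason}

def decide(req, now=None, policy=POLICY):
    """Evaluate one request; any failed check denies (deny by default)."""
    now = time.time() if now is None else now
    token_age = now - req.token_issued_at
    checks = [
        ("device_not_compliant", req.device_compliant),
        ("mfa_missing", req.mfa_passed),
        ("token_expired", 0 <= token_age <= policy["max_token_age_s"]),
        ("resource_not_covered", req.resource == policy["resource"]),
        ("scope_missing", policy["required_scope"] in req.scopes),
        ("method_not_read_only", req.method in policy["allowed_methods"]),
    ]
    for reason, passed in checks:
        if not passed:
            return audit(req, "deny", reason)
    return audit(req, "allow", "all_checks_passed")

def sample_request(**overrides):
    # Constructed sample: an underwriter working from home, token issued at t=1000.
    base = dict(user="underwriter-01", method="GET", resource="loan-docs",
                device_compliant=True, mfa_passed=True,
                scopes=frozenset({"underwriting-queue:read"}), token_issued_at=1000.0)
    base.update(overrides)
    return AccessRequest(**base)
```

Each deny reason maps to one acceptance criterion, so a UAT script can assert the reason as well as the outcome.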


Copyright 2006-2025 by Modern Analyst Media LLC