-
Mechanism rigor
Allow/forward or AV-only; enforcement is purely detection based.
-
Assurance evidence
No structural proof, determinism, or provenance beyond AV verdicts.
-
Usability fidelity
Full editability and zero latency because files are untouched.
-
Validation test rigor
Malformed or macro-laden samples still pass, revealing lack of control.
-
Auditability
Only coarse pass/fail telemetry; no tamper-evident chain of custody.
-
Threat coverage
No mitigation for macros, parser exploits, nesting, obfuscation, or unknowns.
Zero Trust Spectrum
Deterministic File Assurance for Zero-Trust Programs
The Zero Trust Spectrum (ZS-1 → ZS-6) provides a CyBOK-aligned language for rating how files are inspected, sanitized, isolated, or deterministically rebuilt-complete with per-dimension scores, validation tests, and governance signals for Zero-Trust architectures.
Who this is for
CISOs, Zero-Trust program owners, security engineers, platform/product teams, delivery partners.
Use it for
Pick the minimum assurance that still satisfies risk, usability, and compliance.
Download
Zero-Trust Spectrum (Files) Overview
The Zero-Trust Spectrum defines six progressive assurance levels (ZS-1 → ZS-6) describing how files are verified, controlled, and evidenced within zero-trust architectures. Levels advance from detection-based trust (ZS-1/2) to deterministic rebuild and independent verification (ZS-6). The framework is aligned with NIST SP-800-207, UK NCSC Zero-Trust Architecture, and CyBOK principles and published under CC BY 4.0 for open reference and adoption.
Contents
Orientation
Alignment
Resources
Mission Snapshot
Purpose
Declarative framework for deciding file-handling requirements inside Zero-Trust architectures.
Scope
Email & collab · Web/SWG/ICAP · APIs · Storage · Kiosks · Air-gapped/CDS · SDK/Embedded · File import/export
Audience
Security architects, platform teams, regulated industries, product leaders building trusted data flows.
Rating Scale & Dimensions
Every ZS level is scored 0 → 4 across six dimensions so buyers can compare like-for-like claims.
Scale (0 → 4)
-
Detection or reputation only; no structural enforcement.
-
Coarse rules or feature stripping; limited validation, best-effort only.
-
Isolation/flattening; limited spec awareness.
-
Allow-only or spec-aware validation/repair with detailed logs.
-
Model-driven rebuild with reproducible outcomes for supported formats.
Dimensions
- Mechanism rigor Strength of the control mechanism irrespective of detections.
- Assurance evidence Quality of conformance proof, determinism, validators, provenance.
- Usability fidelity How much editability and workflow fidelity is preserved.
- Validation test rigor Depth of acceptance tests teams can run independently.
- Auditability Chain-of-custody, tamper evidence, and investigative readiness.
- Threat coverage Active content, parser exploits, nests, obfuscation, signed content, unknowns.
ZS-Level Definitions
| Level | Label | Core Mechanism | Description |
|---|---|---|---|
| ZS-1 | Pass-through | Implicit trust | Files accepted without verification; basic metadata checks only. |
| ZS-2 | Detection | Known-threat identification | Signature/hash/pattern recognition detects known threats but cannot assure safety. |
| ZS-3 | Isolation / Flattening | Behavioural containment | Executes or renders files in controlled environments to prevent direct interaction. |
| ZS-4 | Sanitisation | Rule-based removal | Strips or deactivates risky features (macros, scripts, links) within the original file. |
| ZS-5 | Transform | Rebuild from known-good template | Parses and reconstructs files to conform to safe models; removes unsafe components. |
| ZS-6 | Deterministic Rebuild | Clean intermediary model | Files fully deconstructed and rebuilt from specification; no source bytes retained; output verified with audit evidence. |
Flat-file Export / Import
Flat-file export/import is an essential control boundary. Many Zero-Trust architectures require exporting processed content to a flat, policy-governed format (XML, CSV, JSON, TXT, PDF/A) before re-ingestion or cross-domain movement.
- This ensures rebuilt data is validated, context-neutral, and verifiable—aligning with ZS-6 deterministic assurance while evidencing policy enforcement.
- ZS-5 may emit validated/sanitized output in the native format, but structural fidelity still depends on the source file.
- ZS-6 can export to neutral flat files or re-import from them, so no source-file dependency remains.
- Flat-file output suits air-gap transfers, audit trails, and ingestion by downstream trusted systems; optional flat-file import supports deterministic rebuilding from clean data structures.
Decision Quick Picks
Operational note: Modern ZS-6 rebuild engines routinely deliver sub-100 ms latency for mid-size documents and scale horizontally in containerized deployments.
- Performance ≠ level: Throughput/latency are architecture and tuning dependent; a well-engineered ZS-6 can outperform a poorly tuned ZS-2/5.
- Format coverage is product-specific: Many ZS-6 offerings support dozens of formats—validate rebuild vs sanitize vs bypass per format.
- Policy fallback is about coverage/SLOs: Use ZS-5 fallback only when a format lacks rebuild support or an SLO demands it; use ZS-3 for binaries/installer classes that cannot be rebuilt.
- Supplier/customer uploads & data rooms: Target ZS-6; fallback ZS-5 only for unsupported formats. External risk + audit trail means deterministic outputs; optional flat-file exports feed downstream apps safely.
- Exec / finance / legal attachments: Target ZS-6 for Office/PDF/images; fallback ZS-5. Sensitive workflows demand evidencing plus fidelity.
- General collaboration (M365/Workspace, SharePoint/Drive): Target ZS-6 for all supported formats; fallback to ZS-5 only for unsupported or custom types. ZS-3 isolation reserved for executables/archives that cannot be rebuilt.
- Web downloads & SWG: Docs/images/media → ZS-6 if supported & SLOs met; else ZS-5. Unknown binaries/installers → ZS-3 isolation. Tier high-volume CDN flows by MIME, size, and reputation.
- Cross-domain / air-gap / OT/classified: Transfer path at ZS-6 with strict policy + reporting plus optional flat-file export/import; review path via ZS-3 read-only previews.
- Storage & archival remediation: Enable flat-file export mode for long-term governance so structural metadata and policy outcomes persist apart from original content.
- Automation & integration pipelines (API/SDK): Require flat-file interchange (XML/JSON schema) for validated objects feeding analytics, ETL, SIEM, or DLP workflows.
- Developer tools & installers: Docs/packages → ZS-5 (ZS-6 where supported). Executables → ZS-3 isolation plus repo/code-sign controls.
Classification Criteria
| Dimension | ZS-1 | ZS-2 | ZS-3 | ZS-4 | ZS-5 | ZS-6 |
|---|---|---|---|---|---|---|
| Content verification | None | Partial (signatures) | Partial (behavioural) | Moderate | Full | Full (spec-level) |
| Structural enforcement | None | None | Partial | Moderate | Full (software) | Full + independent verification |
| Policy conformance | None | Basic | Contextual | Enforced rules | Full | Full, provable |
| Audit evidence | None | Minimal | Limited logs | Moderate | Comprehensive | Deterministic & tamper-evident |
| Fidelity / usability | Full | Full | Read-only | High | High | Spec-compliant |
Evidence expectations: Classifications above ZS-4 require conformance testing, proof no source-file bytes persist, policy enforcement traceability, validation/verification steps, and reproducible audit trails.
Zero Trust Spectrum Levels
-
Mechanism rigor
Policy strips macros/scripts/links yet leaves underlying structure untouched.
-
Assurance evidence
Evidence is limited to policy-hit logs; little spec validation.
-
Usability fidelity
High usability apart from removed risky features.
-
Validation test rigor
Seed macros/OLE to verify removal plus reason codes.
-
Auditability
Lists of removed constructs, but minimal per-object provenance.
-
Threat coverage
Handles common active content yet struggles with parser or obfuscated attacks.
-
Mechanism rigor
Static rendering or remote isolation keeps active content away from endpoints.
-
Assurance evidence
Isolation telemetry shows containment but not rebuild-grade determinism.
-
Usability fidelity
Mostly read-only or limited interactivity—great for triage, not authoring.
-
Validation test rigor
Deliver active content and confirm flattened or isolated presentation.
-
Auditability
Session logs and release/deny trails support investigations.
-
Threat coverage
Neutralizes active content during viewing; downloads may still carry original bytes.
-
Mechanism rigor
Positive selection copies only allow-listed structures into safe templates.
-
Assurance evidence
Template coverage and exception manifests provide repeatable assurances.
-
Usability fidelity
High usability for modelled features; coverage gaps require new templates.
-
Validation test rigor
Inject allowed/disallowed elements and observe copy/drop evidence.
-
Auditability
Template IDs, policy versions, and exception logs support traceability.
-
Threat coverage
Covers modelled embeds/nests/obfuscation but only where templates exist.
-
Mechanism rigor
Spec-aware parsing plus repair/sanitise routines enforce structure; outputs can be emitted in the native format or optional flat-file exports, but still reference original structure.
-
Assurance evidence
Validation/repair logs act as conformance evidence per object.
-
Usability fidelity
Maintains authoring fidelity while repairing defects deterministically.
-
Validation test rigor
Spec-violating samples should surface precise repair telemetry.
-
Auditability
Per-object validation traces, repair counts, and policy diffs.
-
Threat coverage
Covers macros, parser exploits, nests, and obfuscation for supported formats; optional flat-file exports aid downstream review but remain tied to sanitized source semantics.
-
Mechanism rigor
Model-driven rebuild outputs new spec-compliant files with no unsafe bytes and can natively export/import neutral flat files (XML/JSON/CSV/PDF-A) for air-gap or analytic flows.
-
Assurance evidence
Validators plus provenance prove deterministic results per file.
-
Usability fidelity
Full fidelity for supported formats while eliminating risky source bytes.
-
Validation test rigor
Diff input/output, review validator logs, and confirm provenance packages.
-
Auditability
Signed manifests, hashes, policy IDs, and tamper-evident logs per submission.
-
Threat coverage
Mitigates macros, parser exploits, nests, obfuscation—flat-file export/import provides a clean break for cross-domain transfer; fallbacks defined for unsupported formats.
Each tier defines how the control handles encrypted payloads, nested archives, macros, scripts, active content, media, metadata, and unsupported formats. Advance maturity when operational risk or regulatory posture demands it.
Summary: ZS-1 pass-through · ZS-2 policy sanitize · ZS-3 flatten/isolate · ZS-4 positive selection · ZS-5 deep parsing & repair · ZS-6 deterministic rebuild.
Evaluation Cues
- Per-format handling: pass, sanitize, isolate, repair, or rebuild—including encrypted or nested files.
- Evidence: validation traces, policy actions, forensic logging, handover to SIEM/SOAR.
- Coverage: connectors for email, ICAP/SWG, APIs/SDK, storage/EDR, kiosk, air-gapped/CDS workflows.
- Operations: throughput, latency, offline cadence, update hygiene, and failure-handling playbooks.
- Governance: KPIs, assurance statements, and security testing for each tier adoption.
Evaluation Criteria
Functional
- Mechanism type and visibility (pass, sanitise, rebuild).
- Encrypted/password-protected handling.
- Nested/archived content support.
- Export/import to flat structured formats (CSV, XML, JSON, TXT, PDF/A).
- Ability to rebuild directly from validated flat data for deterministic ZS-6 workflows.
- Policy configuration depth per format/feature.
Governance & Interop
- Policy versioning, audit trails, and tamper-evident logs.
- DLP/SOAR/SIEM integration and open telemetry (API/syslog).
- Export sanitised/rebuilt outputs to safe zones; store or transmit clean flat files as audit artifacts and cross-domain handoffs.
- Open standards, schema alignment, and reproducible SLO reporting.
Integration Patterns
Core processing flows
- Email / Collaboration (inline or API): M365, Google Workspace, SEG, SMTP relay, API ingestion.
- Web / SWG / Proxy (ICAP / reverse-proxy / WAF): upload & download enforcement with identity-aware policies.
- Storage / Archive (on-ingest + scheduled): S3, NAS, SharePoint, Azure Blob with retention/governance hooks.
- Application / SDK / API (sync / async): deep embedding into custom apps, brokers, or zero-trust gateways.
Operational & isolated environments
- Kiosk / Air-gap / Cross-domain (CDS): export/import via neutral flat files; deterministic rebuild between networks.
- OT / Industrial / Classified networks: deterministic enforcement at transfer guard boundaries with policy directionality.
Automation & ecosystem integration
- SOAR / DLP / SIEM / UEBA: event forwarding, orchestration hooks, automated remediation.
- EDR / XDR / Email Security / CASB: complementary enforcement via shared telemetry and policy alignment.
- Data Governance / Compliance / Audit: policy reports, per-file assurance logs, retention labeling, regulatory evidence.
Developer & operational enablement
- CLI / Container / K8s operators: scalable cluster processing with declarative pipelines.
- API Gateway / ESB / Workflow engines: inline validation for automated data exchange.
- Flat-file export / import: deterministic output/input for analytics, ETL, SIEM/DLP, or cross-domain transfer.
File Coverage Reality Check
Breadth ≠ depth. Build a file-coverage register and rate each format by mechanism and fallback.
Office & Productivity
PDF & Print Streams
CAD / BIM
Media & Imagery
Archives & Containers
Custom / Legacy Formats
- List formats by family (Office, PDF, images, archives, CAD/media, text/flat, specialized).
- Document per-format ZS level (6/5/4/3), limitations, nested content handling, password/encrypted behavior, max size/complexity.
- State default fallback (e.g., unsupported → ZS-3 isolate or block) and note that “more formats” ≠ higher assurance—depth of rebuild/sanitization matters most.
Active content
Macros, scripts, JS, OLE, XFA, plug-ins.
Parser exploits
Memory corruption, malformed structures, decompression abuse.
Embedded & nested
Linked objects, nested archives, container recursion.
Obfuscation
Polyglots, malformed metadata, stego tricks.
Signed content
Trusted-but-malicious or expired signatures; re-signing expectations.
Unknown / 0-day
Unsupported formats or feature abuse—define default fallbacks.
Validation Tests & Signals
Dataset essentials: macros/OLE, PDF JS & launch actions, nested archives (depth > 5), polyglots (PDF/ZIP), malformed EXIF/media metadata, passworded samples, malformed containers.
Expectations:
- ZS-3 → static renders or isolation boundaries enforced for every submission.
- ZS-4 / ZS-5 → per-element logs for copied, repaired, or removed content plus exception handling.
- ZS-6 → no unsafe source-byte carryover, validator report attached, provenance with input/output hashes and policy IDs.
Signals to emit: outcome code, reason, elements copied/removed/repaired, validator findings, archive tree, input/output hashes, policy version, latency/error stats.
Guardrails & Defaults
Encrypted / Passworded
- Block or decrypt inside a trusted zone before processing.
- Never emit original bytes; log crypto metadata and avoid storing plaintext.
Archives & Nesting
- Recurse with safe depth/size limits.
- Apply the target ZS level to each extracted item and rebuild deterministically.
- Detect polyglots and MIME/type mismatches.
Unknown / Unsupported
- Default to block or ZS-3 isolate.
- Time-bound exceptions with precise telemetry.
Signed Content
- Validate before processing.
- Preserve provenance metadata; re-sign outputs in a trusted zone when signatures must persist.
Implementation Moments that Matter
Integration Surface
ICAP, REST, event-driven, inline or asynchronous flows, SDK kits for embedded OEM or on-device use (M365 Graph, SharePoint, Google Drive APIs, etc.).
Assurance Proof
Signed manifests, replayable logs, policy versioning, attestation packages per submission.
Human Factors
UI/UX for releases, exception handling, succinct user messaging, governance dashboards.
PoV & SLO discipline
Measure p95/p99 latency and sustained throughput per format/level on intended infrastructure, track fidelity and error handling, publish SLOs by flow (email/web/storage/API) with the chosen ZS per format.
CyBOK Alignment Signals
- Isolation & least common mechanism: ZS-3 limits code execution while ZS-4/5/6 constrain flows per OS & virtualisation guidance.
- Malware & obfuscation coverage: Positive selection and rebuild reduce dependence on signatures for packed, polymorphic, and script-based threats.
- Web/mobile client risks: Structural controls mitigate the active-content attack surface that dominates appified ecosystems.
- Formal assurance realism: Deterministic rebuilds plus validator outputs document assumptions when full formal proofs are impractical.
- Forensics & auditability: Chain-of-custody, reproducibility, and tamper-evident logs align with ACPO and ISO/IEC 17025 style expectations.
- Secure SDL practices: Validation tests map to threat modelling, metrics/KPIs, memory-safety, and CI/CD gating guidance from CyBOK.
NCSC Alignment Signals
- Zero-Trust enforcement plane: ZS-levels define discrete policy enforcement stages consistent with NCSC Zero Trust Architecture.
- Explicit verification: Every file crossing a trust boundary is validated to policy before use—mirrors “never trust, always verify.”
- Least privilege data flow: ZS-4 → ZS-6 enforce minimal-trust exchange, removing executable or ambiguous payloads.
- Assume breach pragmatism: Rebuild and isolation tiers sustain assurance even when detection or endpoint trust fails.
- Continuous assurance: Validation and remediation logs provide verifiable evidence streams for governance and SOC integration.
- Composability: Spectrum tiers align with NCSC guidance on layered assurance, compartmentalisation, and data-centric protection.
NIST SP 800-207 Alignment Signals
- Policy enforcement point mapping: ZS processing embodies a content-centric PEP mediating data before trust decisions.
- Dynamic trust evaluation: ZS-levels represent variable assurance tied to contextual risk, paralleling NIST’s decision/enforcement model.
- Continuous diagnostics & mitigation: Per-file telemetry feeds broader CDM pipelines for adaptive risk management.
- Separation of control & data planes: ZS-6 deterministic rebuild ensures untrusted bytes never traverse trusted domains directly.
- Least-privilege workflow: Each spectrum step limits access to verified content only, echoing NIST least-privilege at the data layer.
- Evidence-driven architecture: Spec-validation outputs and provenance records provide measurable trust evidence expected by mature ZT implementations.
FAQ
How are ZS levels used?
Each level maps to a measurable assurance state. Assign targets per workflow based on usability, risk, and compliance signals.
Do higher levels replace lower ones?
No—you often blend tiers. Critical ingress/egress runs ZS-6 while productivity paths stay on ZS-5/4.
Does ZS-6 eliminate all threats?
ZS-6 minimizes dependence on detection by rebuilding structure, but you still monitor residuals like unsupported formats or policy drift.
What should I measure?
Track throughput, P50/95/99 latency, error & bypass rates, unsupported-format counts, and policy drift alerts.
Glossary
Key terms referenced across ZS levels and evaluation criteria.
Content Disarm & Reconstruction (CDR)
Deterministic extraction and rebuild of file content. See reference.
Positive Selection / DDR
Copy only known-good elements into safe templates (ZS-4). Unknown items are removed by policy design.
Flat-file export/import
Neutral CSV/XML/JSON/TXT/PDF-A outputs used for cross-domain transfer, archival, or deterministic re-ingestion.
Policy Enforcement Point (PEP)
A control plane described in NIST SP 800-207; here it is the file-processing tier mediating untrusted inputs.
Deterministic rebuild
ZS-6 capability to create a clean intermediary model and emit a fresh spec-compliant file with provenance.
Validation test harness
Repeatable dataset + telemetry capture used to verify claims (sometimes called “buyer tests”).