Zero Trust Resource

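JSON Schema representing a protected enterprise resource in a Zero Trust Architecture deployment per NIST SP 800-207. The schema describes an inventory record; it does not enforce policy itself. Only resourceId, name, type and sensitivity are required, so a record validates even when protectionMechanisms and policyEnforcementPoint are absent. Consumers that base access decisions on those fields should check that they are present. The schema does not set additionalProperties to false, so properties not listed below are also accepted.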

Access Control, Authentication, Authorization, Cybersecurity, Identity Management, Least Privilege, Network Security, NIST, Security, Zero Trust

Properties

Name Type Description
resourceId string Unique identifier for this resource.
name string Human-readable name of the resource.
description string Description of the resource and its purpose.
type string Category of the resource.
url string Primary URL or endpoint of the resource.
sensitivity string Data sensitivity classification of the resource.
owner string Team or individual responsible for this resource.
environment string Deployment environment.
protectionMechanisms array Security controls declared as protecting this resource. The schema records the declaration; it does not verify that the controls are deployed.
policyEnforcementPoint object Policy Enforcement Point protecting this resource.
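allowedActions array HTTP methods or actions permitted on this resource. Items are unconstrained strings (the schema defines no enum), so spelling and casing of method names are not validated.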
tags array Tags for resource categorization.
complianceFrameworks array Regulatory compliance frameworks applicable to this resource.
created string Date the resource record was created.
modified string Date the resource record was last modified.

JSON Schema

zero-trust-architecture-resource-schema.json
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://github.com/api-evangelist/zero-trust-architecture/blob/main/json-schema/zero-trust-architecture-resource-schema.json",
  "title": "Zero Trust Resource",
  "description": "JSON Schema representing a protected enterprise resource in a Zero Trust Architecture deployment per NIST SP 800-207.",
  "type": "object",
  "properties": {
    "resourceId": {
      "type": "string",
      "description": "Unique identifier for this resource.",
      "examples": ["res-payments-api-prod", "res-hr-database-v2"]
    },
    "name": {
      "type": "string",
      "description": "Human-readable name of the resource.",
      "examples": ["Payments API", "HR Database", "Finance S3 Bucket"]
    },
    "description": {
      "type": "string",
      "description": "Description of the resource and its purpose."
    },
    "type": {
      "type": "string",
      "description": "Category of the resource.",
      "enum": ["api", "application", "database", "storage", "network-segment", "kubernetes-workload", "saas-application", "data-pipeline"],
      "examples": ["api"]
    },
    "url": {
      "type": "string",
      "format": "uri",
      "description": "Primary URL or endpoint of the resource.",
      "examples": ["https://api.example.com/v1/payments"]
    },
    "sensitivity": {
      "type": "string",
      "description": "Data sensitivity classification of the resource.",
      "enum": ["public", "internal", "confidential", "restricted", "top-secret"],
      "examples": ["confidential"]
    },
    "owner": {
      "type": "string",
      "description": "Team or individual responsible for this resource.",
      "examples": ["owner@example.com"]
    },
    "environment": {
      "type": "string",
      "description": "Deployment environment.",
      "enum": ["production", "staging", "development", "disaster-recovery"],
      "examples": ["production"]
    },
    "protectionMechanisms": {
      "type": "array",
      "description": "Security controls protecting this resource.",
      "items": {
        "type": "string",
        "enum": [
          "mtls",
          "oauth2",
          "api-key",
          "ip-allowlist",
          "waf",
          "ddos-protection",
          "encryption-at-rest",
          "encryption-in-transit",
          "pep-gateway",
          "service-mesh"
        ]
      },
      "examples": [["mtls", "oauth2", "waf", "encryption-in-transit"]]
    },
    "policyEnforcementPoint": {
      "type": "object",
      "description": "Policy Enforcement Point protecting this resource.",
      "properties": {
        "type": {
          "type": "string",
          "description": "Type of PEP.",
          "enum": ["api-gateway", "service-mesh-proxy", "ztna-connector", "cloud-load-balancer", "sidecar-proxy"]
        },
        "vendor": {
          "type": "string",
          "description": "Vendor or project providing the PEP.",
          "examples": ["Envoy Proxy", "Kong", "AWS API Gateway", "Cloudflare Access"]
        }
      }
    },
    "allowedActions": {
      "type": "array",
      "description": "HTTP methods or actions permitted on this resource.",
      "items": {
        "type": "string"
      },
      "examples": [["GET", "POST", "PATCH", "DELETE"]]
    },
    "tags": {
      "type": "array",
      "description": "Tags for resource categorization.",
      "items": {
        "type": "string"
      },
      "examples": [["payments", "pci-dss", "critical"]]
    },
    "complianceFrameworks": {
      "type": "array",
      "description": "Regulatory compliance frameworks applicable to this resource.",
      "items": {
        "type": "string",
        "enum": ["pci-dss", "hipaa", "fedramp", "soc2", "gdpr", "nist-csf", "cmmc"]
      },
      "examples": [["pci-dss", "soc2"]]
    },
    "created": {
      "type": "string",
      "format": "date",
      "description": "Date the resource record was created.",
      "examples": ["2026-05-03"]
    },
    "modified": {
      "type": "string",
      "format": "date",
      "description": "Date the resource record was last modified.",
      "examples": ["2026-05-03"]
    }
  },
  "required": ["resourceId", "name", "type", "sensitivity"]
}