5G Policy Management for Zero Trust

April 2026

Mobile Network Operators (MNOs) face increasing security complexity driven by massive scale, multi-vendor environments, and the need to operate legacy and 5G networks in parallel. This white paper shows how Zero Trust Architecture (ZTA) can be practically applied to 5G and cloud-native networks by adapting the NIST SP 800-207 model—incorporating Policy Enforcement Points (PEPs), Policy Decision Points (PDPs), Policy Engine (PE), and Policy Administrator (PA)—into a continuous, context-aware, and auditable security framework. It introduces a closed-loop policy model in which real-time telemetry from across the network (devices via RAN, core, and cloud) continuously informs and refines policy decisions and enforcement.  

Why it matters: Robust policy management is what operationalizes Zero Trust, translating architectural principles into enforceable, scalable, and continuously adaptive security controls across distributed 5G environments. By defining how policies are created, evaluated, executed, and enforced across domains, it enables consistent, automated decisioning at scale while reducing operational complexity and configuration drift. When combined with telemetry, enforcement points, and cloud-native automation (e.g., Policy as Code and CI/CD), policy management allows operators to dynamically adapt to risk and enforce fine-grained access controls across multi-vendor ecosystems.

Equally important, the paper’s practical recommendations provide a clear path to implementation: standardizing roles and policy flows, enabling closed-loop enforcement across domains, defining cross-domain policy semantics, and operationalizing through orchestration and automation. Together, these recommendations move Zero Trust policy management from theory to deployable practice, helping operators strengthen security posture while accelerating service delivery and future-proofing networks for 6G evolution.