| name | zero-trust-security |
| category | security |
| difficulty | advanced |
| estimated_time | 8-12 hours |
| prerequisites | Network security fundamentals, Container orchestration (Kubernetes), PKI and certificate management, Identity and access management |
| nist_controls | AC-4, SC-7, SC-8 |
| related_skills | secrets-management, secure-api-design, security-monitoring |
| version | 1.0.0 |
| description | Zero-trust architecture operates on the principle: "Never trust, always verify." Unlike traditional perimeter-based security, zero-trust assumes breach and verifies every request regardless of origin. |
Zero-Trust Security
Level 1: Quick Reference
Core Principles
Zero-trust architecture operates on the principle: "Never trust, always verify." Unlike traditional perimeter-based security, zero-trust assumes breach and verifies every request regardless of origin.
Fundamental Tenets:
- No implicit trust based on network location
- Verify explicitly (authentication + authorization)
- Least privilege access (just-in-time, just-enough)
- Assume breach (limit blast radius, segment access)
- Inspect and log all traffic
Common Zero-Trust Patterns
1. Mutual TLS (mTLS)
# Istio PeerAuthentication for strict mTLS
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: production
spec:
mtls:
mode: STRICT
When to use: Service-to-service authentication, encrypted communication between microservices.
2. Service Mesh
- Istio/Linkerd: Transparent mTLS, traffic encryption, identity management
- Consul Connect: Service identity and authorization
- AWS App Mesh: Cloud-native service mesh
Key benefits: Automatic encryption, fine-grained policies, observability.
3. BeyondCorp Model
# Identity-aware proxy configuration
apiVersion: v1
kind: Service
metadata:
name: webapp
annotations:
cloud.google.com/neg: '{"ingress": true}'
cloud.google.com/backend-config: '{"default": "beyondcorp-config"}'
spec:
type: ClusterIP
ports:
- port: 8080
targetPort: 8080
Use case: Remote access without VPN, identity-based access to applications.
Essential Checklist
Identity & Authentication:
- Workload identities for all services (SPIFFE/SPIRE)
- mTLS enabled for service-to-service communication
- Strong authentication (MFA, certificates, tokens)
- Identity lifecycle management (rotation, revocation)
Authorization:
- Fine-grained access policies (attribute-based)
- Least privilege by default
- Just-in-time access provisioning
- Policy enforcement at every access point
Network Security:
- Microsegmentation (NetworkPolicies, security groups)
- Encrypted communication (TLS 1.3+)
- Traffic inspection and filtering
- No trust based on network location
Monitoring & Verification:
- Continuous monitoring of authentication events
- Anomaly detection on access patterns
- Centralized logging (who, what, when, where)
- Regular access reviews and audits
Architecture:
- Policy Decision Point (PDP) implemented
- Policy Enforcement Point (PEP) at critical paths
- Policy Administration Point (PAP) for management
- Data plane and control plane separation
Quick Wins
Enable mTLS in service mesh (2-4 hours)
- Deploy Istio/Linkerd
- Configure strict mTLS mode
- Verify with traffic inspection
Implement Kubernetes NetworkPolicies (1-2 hours)
- Default deny all traffic
- Explicit allow rules per service
- Test connectivity
Deploy workload identities (3-4 hours)
- Install SPIFFE/SPIRE
- Configure workload attestation
- Integrate with service mesh
Level 2:
📚 Full Examples: See REFERENCE.md for complete code samples, detailed configurations, and production-ready implementations.
Implementation Guide
Zero-Trust Architecture Principles
Zero-trust architecture (ZTA) fundamentally reimagines security by eliminating implicit trust. Traditional castle-and-moat security assumes everything inside the perimeter is trustworthy, but ZTA treats every request as potentially hostile.
NIST 800-207 Zero Trust Tenets
All data sources and computing services are considered resources
- Applications, services, databases, IoT devices, containers
- Resources may be on-premises, cloud, edge, or hybrid
All communication is secured regardless of network location
- Encrypt all traffic (mTLS, TLS 1.3)
- No trust based on internal network position
- Apply same security to internal and external traffic
Access to resources is granted on a per-session basis
- Authentication and authorization for every request
- Continuous verification throughout session
- Short-lived credentials and tokens
Access is determined by dynamic policy
- User identity, device health, behavior, risk score
- Attribute-based access control (ABAC)
- Context-aware decisions (time, location, sensitivity)
Monitor and measure integrity and security posture
- Continuous monitoring of assets
- Real-time threat detection
- Security analytics and automation
All resource authentication and authorization are dynamic and strictly enforced
- No static rules or permanent access
- Adaptive policies based on risk
- Fail-secure by default
Collect as much information as possible about current state
- Asset inventory and behavior
- Network traffic analysis
- Security telemetry and logs
NIST Controls:
- AC-4: Information Flow Enforcement - Control information flow between security domains
- SC-7: Boundary Protection - Monitor and control communications at managed interfaces
- SC-8: Transmission Confidentiality and Integrity - Protect information during transmission
Mutual TLS (mTLS) Implementation
Mutual TLS provides bidirectional authentication where both client and server verify each other's identity using certificates.
Certificate Management
See REFERENCE.md for complete implementation.
Istio mTLS Configuration
See REFERENCE.md for complete implementation.
Verification and Troubleshooting
See REFERENCE.md for complete implementation.
Service Mesh for Zero-Trust
Service meshes provide a dedicated infrastructure layer for service-to-service communication with built-in security, observability, and traffic management.
Istio Architecture
See REFERENCE.md for complete implementation.
Authorization Policies
See REFERENCE.md for complete implementation.
Linkerd Alternative
See REFERENCE.md for complete implementation.
Identity-Based Access (Workload Identities)
SPIFFE/SPIRE Implementation
SPIFFE (Secure Production Identity Framework For Everyone) provides a universal identity framework for workloads in heterogeneous environments.
See REFERENCE.md for complete implementation.
SPIRE Server Configuration:
See REFERENCE.md for complete implementation.
SPIRE Agent Configuration:
See REFERENCE.md for complete implementation.
Integrating SPIRE with Istio
See REFERENCE.md for complete implementation.
Workload Identity Example:
See REFERENCE.md for complete implementation.
Network Segmentation (Microsegmentation)
Microsegmentation divides networks into small, isolated segments to limit lateral movement and reduce blast radius.
Kubernetes NetworkPolicies
See REFERENCE.md for complete implementation.
Cilium Network Policies (Advanced)
See REFERENCE.md for complete implementation.
Continuous Verification and Monitoring
Zero-trust requires continuous validation of security posture and real-time threat detection.
Security Monitoring Stack
See REFERENCE.md for complete implementation.
Prometheus Metrics for Zero-Trust
See REFERENCE.md for complete implementation.
BeyondCorp Model
BeyondCorp removes the concept of a privileged corporate network, treating all access as potentially hostile.
Identity-Aware Proxy (IAP)
See REFERENCE.md for complete implementation.
Open Policy Agent (OPA) for Context-Aware Access
See REFERENCE.md for complete implementation.
OPA Integration with API Gateway:
See REFERENCE.md for complete implementation.
NIST 800-207 Zero Trust Architecture
NIST SP 800-207 provides a comprehensive framework for implementing zero-trust architecture in federal and enterprise systems.
Zero Trust Architecture Components
1. Policy Engine (PE):
- Grants or denies access to resources
- Uses Policy Administrator to execute decisions
- Considers user, device, resource, and contextual attributes
2. Policy Administrator (PA):
- Establishes/shuts down communication paths
- Generates session-specific authentication tokens
- Instructs Policy Enforcement Points
3. Policy Enforcement Point (PEP):
- Enables, monitors, and terminates connections
- Forwards requests to Policy Engine
- Can be gateway, agent, or access proxy
Implementation Example:
See REFERENCE.md for complete implementation.
Trust Algorithm (TA)
The Trust Algorithm computes trust scores based on multiple inputs:
See REFERENCE.md for complete implementation.
Level 3: Deep Dive Resources
Official Documentation
NIST Standards:
SPIFFE/SPIRE:
Service Mesh:
BeyondCorp:
Books & Guides
- "Zero Trust Networks" by Evan Gilman & Doug Barth (O'Reilly)
- "BeyondCorp: Design Your Own Zero Trust Network" by Juana A. & Neal M.
- "Zero Trust Security: An Enterprise Guide" by Jason Garbis & Jerry Chapman
Tools & Projects
Zero-Trust Platforms:
- Palo Alto Prisma Access
- Zscaler Private Access
- Cloudflare Access
- Google BeyondCorp
Open Source:
- Open Policy Agent (OPA)
- Envoy Proxy
- Istio Service Mesh
- SPIFFE/SPIRE
Training & Certifications
- SANS SEC530: Defensible Security Architecture and Engineering
- Cloud Security Alliance: CCSK (Certificate of Cloud Security Knowledge)
- Kubernetes Security Specialist (CKS)
Related Skills
Deepen your zero-trust expertise with these complementary skills:
- Secrets Management: Vault, sealed secrets, external secrets operator
- Secure API Design: OAuth2, OIDC, API gateways
- Security Monitoring: SIEM, threat detection, incident response
Community Resources
Examples
Basic Usage
// TODO: Add basic example for zero-trust
// This example demonstrates core functionality
Advanced Usage
// TODO: Add advanced example for zero-trust
// This example shows production-ready patterns
Integration Example
// TODO: Add integration example showing how zero-trust
// works with other systems and services
See examples/zero-trust/ for complete working examples.
Integration Points
This skill integrates with:
Upstream Dependencies
- Tools: Common development tools and frameworks
- Prerequisites: Basic understanding of general concepts
Downstream Consumers
- Applications: Production systems requiring zero-trust functionality
- CI/CD Pipelines: Automated testing and deployment workflows
- Monitoring Systems: Observability and logging platforms
Related Skills
- See other skills in this category
Common Integration Patterns
- Development Workflow: How this skill fits into daily development
- Production Deployment: Integration with production systems
- Monitoring & Alerting: Observability integration points
Common Pitfalls
Pitfall 1: Insufficient Testing
Problem: Not testing edge cases and error conditions leads to production bugs
Solution: Implement comprehensive test coverage including:
- Happy path scenarios
- Error handling and edge cases
- Integration points with external systems
Prevention: Enforce minimum code coverage (80%+) in CI/CD pipeline
Pitfall 2: Hardcoded Configuration
Problem: Hardcoding values makes applications inflexible and environment-dependent
Solution: Use environment variables and configuration management:
- Separate config from code
- Use environment-specific configuration files
- Never commit secrets to version control
Prevention: Use tools like dotenv, config validators, and secret scanners
Pitfall 3: Ignoring Security Best Practices
Problem: Security vulnerabilities from not following established security patterns
Solution: Follow security guidelines:
- Input validation and sanitization
- Proper authentication and authorization
- Encrypted data transmission (TLS/SSL)
- Regular security audits and updates
Prevention: Use security linters, SAST tools, and regular dependency updates
Best Practices:
- Follow established patterns and conventions for zero-trust
- Keep dependencies up to date and scan for vulnerabilities
- Write comprehensive documentation and inline comments
- Use linting and formatting tools consistently
- Implement proper error handling and logging
- Regular code reviews and pair programming
- Monitor production metrics and set up alerts
Bundled Resources
See templates/, resources/, and scripts/ directories for:
- mTLS configuration examples
- SPIFFE workload identity templates
- NetworkPolicy examples
- Zero-trust architecture diagrams
- Automation scripts
- NIST 800-207 compliance checklist