What is Zero Trust?
Zero Trust is a security model based on the principle 'never trust, always verify.' It assumes no implicit trust granted to assets or users based solely on their network location.
Core Principles
- Verify Explicitly: Always authenticate and authorize based on all available data points
- Least Privilege Access: Limit user access with Just-In-Time and Just-Enough-Access
- Assume Breach: Minimize blast radius and segment access
Identity Pillar
Strong Authentication
// Azure AD B2C configuration
const msalConfig = {
auth: {
clientId: 'your-client-id',
authority: 'https://login.microsoftonline.com/your-tenant',
redirectUri: 'https://app.example.com'
},
cache: {
cacheLocation: 'sessionStorage',
storeAuthStateInCookie: false
}
};
// Require MFA for sensitive operations
const authRequest = {
scopes: ['api://your-api/.default'],
extraQueryParameters: {
acr_values: 'urn:microsoft:req1' // Require MFA
}
};Conditional Access
// Policy: Require compliant device for sensitive apps
{
"conditions": {
"applications": { "includeApplications": ["sensitive-app-id"] },
"users": { "includeGroups": ["all-employees"] },
"platforms": { "includePlatforms": ["all"] }
},
"grantControls": {
"operator": "AND",
"builtInControls": [
"mfa",
"compliantDevice"
]
}
}Network Segmentation
Micro-Segmentation
# Kubernetes Network Policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: api-isolation
spec:
podSelector:
matchLabels:
app: api-server
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
app: web-frontend
ports:
- protocol: TCP
port: 8080
egress:
- to:
- podSelector:
matchLabels:
app: database
ports:
- protocol: TCP
port: 5432Device Trust
// Device compliance check middleware
function validateDeviceCompliance(req, res, next) {
const deviceId = req.headers['x-device-id'];
const deviceCert = req.headers['x-device-cert'];
// Verify device is registered and compliant
const device = await deviceService.getDevice(deviceId);
if (!device || !device.isCompliant) {
return res.status(403).json({
error: 'Device not compliant',
enrollmentUrl: '/device/enroll'
});
}
// Verify device certificate
if (!certService.verify(deviceCert, device.publicKey)) {
return res.status(403).json({ error: 'Invalid device certificate' });
}
next();
}Application Security
// Token validation with scope checking
function authorizeRequest(requiredScope) {
return async (req, res, next) => {
const token = req.headers.authorization?.split(' ')[1];
try {
const decoded = await verifyToken(token);
// Check required scope
if (!decoded.scopes.includes(requiredScope)) {
return res.status(403).json({ error: 'Insufficient scope' });
}
// Check token binding
if (decoded.cnf?.kid !== req.headers['x-device-key']) {
return res.status(403).json({ error: 'Token binding mismatch' });
}
req.user = decoded;
next();
} catch (error) {
res.status(401).json({ error: 'Invalid token' });
}
};
}Monitoring & Analytics
// Log all access for analysis
const accessLog = {
timestamp: Date.now(),
user: req.user.id,
device: req.headers['x-device-id'],
resource: req.path,
action: req.method,
sourceIp: req.ip,
userAgent: req.headers['user-agent'],
riskScore: calculateRiskScore(req),
decision: 'allow'
};
await securityAnalytics.log(accessLog);Implementation Roadmap
- Inventory assets and identify sensitive data
- Implement strong identity verification (MFA)
- Deploy micro-segmentation
- Enable device compliance checking
- Implement continuous monitoring
- Automate policy enforcement
Conclusion
Zero Trust is a journey, not a destination. Start with identity and incrementally add layers. The goal is reducing attack surface while maintaining productivity.