Cloud & Infrastructure Security

Zero Trust Architecture


Zero Trust is one of the most discussed security models in modern security. This lesson covers its principles, the common implementation patterns, and the interview questions you'll encounter.

What Is Zero Trust?

The core principle: "Never trust, always verify."

Traditional perimeter security assumes everything inside the network is trusted. Zero Trust assumes breach: the internal network is treated as hostile, and every request is authenticated and authorized on its own merits, regardless of where it originates.

Traditional vs Zero Trust

Aspect           Perimeter security             Zero Trust
Trust model      Trust inside, verify outside   Verify every request
Network          Flat internal network          Micro-segmentation
Access           VPN = full network access      Per-resource, per-session access
Authentication   Once, at the perimeter         Continuous verification
Assumption       Network location = trust       Assume breach

NIST Zero Trust Principles

Based on the seven tenets in NIST SP 800-207 (section 2.1):

  1. All data sources and computing services are considered resources
  2. All communication is secured regardless of network location
  3. Access to individual resources is granted on a per-session basis
  4. Access is determined by dynamic policy: the observable state of the client identity, the application or service, the requesting asset, and other behavioural and environmental attributes
  5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets
  6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed
  7. The enterprise collects as much information as possible about assets, network infrastructure and communications, and uses it to improve its security posture

Zero Trust Architecture Components

┌────────────────────────────────────────────────────────────────────────┐
│               ZERO TRUST ARCHITECTURE (NIST SP 800-207)                │
│                                                                        │
│  Control plane                                                         │
│  ┌──────────────────────┐      ┌──────────────┐     ┌───────────────┐  │
│  │ Trust algorithm      │─────▶│    Policy    │◀───▶│    Policy     │  │
│  │ inputs:              │      │    Engine    │     │ Administrator │  │
│  │ • identity & creds   │      └──────────────┘     └───────┬───────┘  │
│  │ • device compliance  │                                   │          │
│  │ • request context    │                                   │          │
│  │ • threat intel       │           session create / revoke │          │
│  │ • time & location    │                                   │          │
│  └──────────────────────┘                                   │          │
│                               ┌─────────────────────────────┘          │
│  Data plane                   ▼                                        │
│  ┌──────────────┐      ┌──────────────────────┐      ┌──────────────┐  │
│  │   Subject    │─────▶│  Policy Enforcement  │─────▶│   Resource   │  │
│  │  (user, app) │      │     Point (PEP)      │      │ (data, API,  │  │
│  └──────────────┘      └──────────────────────┘      │   service)   │  │
│                                                      └──────────────┘  │
└────────────────────────────────────────────────────────────────────────┘

The Policy Engine runs the trust algorithm over the inputs on the left and decides; the Policy Administrator turns that decision into a session by configuring the Policy Enforcement Point. Together they form the Policy Decision Point. The PEP is the only path to the resource: the subject never reaches the resource directly, and the PEP opens or tears down a session only on the Administrator's instruction.

Interview Question: Design Zero Trust

Q: "How would you implement Zero Trust for a company with remote workers?"

Structured Answer:

1. Identity Verification

• Implement SSO with a strong identity provider (Okta, Microsoft Entra ID, formerly Azure AD)
• Enforce MFA for all users, preferably phishing-resistant (FIDO2)
• Use conditional access policies driven by risk signals (location, device posture, sign-in anomalies)
• Implement device trust (managed devices only for sensitive apps)

2. Micro-segmentation

• Replace the VPN with an identity-aware proxy (Cloudflare Access, Zscaler Private Access) so each app is reached by identity, not by network position
• Segment by application and workload, not by physical location
• In Kubernetes, apply a default-deny NetworkPolicy per namespace and add explicit allow rules per flow
• Use a software-defined perimeter (SDP) gateway for legacy apps that cannot speak modern authentication
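The Kubernetes point is where teams most often get the semantics wrong: a pod is unrestricted until some NetworkPolicy selects it, after which only explicitly allowed flows pass, and policies are additive. The evaluator below is an added example for this lesson, not code from the page or from Kubernetes itself. It implements those ingress rules over policy objects written as plain dicts, with simplifying assumptions stated in the docstring (matchLabels only, explicit policyTypes, no egress), and runs them against a constructed default-deny policy plus one allow rule.

```python
"""Evaluator for Kubernetes NetworkPolicy ingress semantics (added example).

Simplifications, all assumptions of this example: selectors use matchLabels
only, policyTypes is always set explicitly, and egress is not evaluated.
"""
from dataclasses import dataclass, field


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict
    ns_labels: dict = field(default_factory=dict)   # labels on the pod's namespace


def selector_matches(selector: dict, labels: dict) -> bool:
    # An empty selector ({}) matches everything, as in the real API
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer: dict, src: Pod, policy_ns: str) -> bool:
    """One entry of a rule's 'from' list. podSelector and namespaceSelector in
    the same entry are ANDed; podSelector alone is scoped to the policy's namespace."""
    has_pod, has_ns = "podSelector" in peer, "namespaceSelector" in peer
    if has_ns and not selector_matches(peer["namespaceSelector"], src.ns_labels):
        return False
    if has_pod and not selector_matches(peer["podSelector"], src.labels):
        return False
    if has_pod and not has_ns and src.namespace != policy_ns:
        return False
    return True          # an empty peer ({}) matches any source


def rule_allows(rule: dict, src: Pod, port: int, policy_ns: str) -> bool:
    if "ports" in rule and port not in {p["port"] for p in rule["ports"]}:
        return False
    if "from" not in rule:                       # no 'from': any source
        return True
    return any(peer_matches(peer, src, policy_ns) for peer in rule["from"])


def ingress_allowed(policies: list, src: Pod, dst: Pod, port: int) -> bool:
    """A pod is isolated only if some policy selects it; then policies are
    additive and traffic passes if any rule in any selecting policy allows it."""
    selecting = [
        p for p in policies
        if p["metadata"]["namespace"] == dst.namespace
        and "Ingress" in p["spec"]["policyTypes"]
        and selector_matches(p["spec"]["podSelector"], dst.labels)
    ]
    if not selecting:
        return True                              # not isolated: everything allowed
    return any(
        rule_allows(rule, src, port, p["metadata"]["namespace"])
        for p in selecting for rule in p["spec"].get("ingress", [])
    )


# Constructed policies: default-deny ingress in "prod", then one explicit allow
DEFAULT_DENY = {
    "metadata": {"name": "default-deny-ingress", "namespace": "prod"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},   # no ingress rules at all
}
ALLOW_WEB_TO_API = {
    "metadata": {"name": "allow-web-to-api", "namespace": "prod"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "api"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"podSelector": {"matchLabels": {"app": "web"}}}],
            "ports": [{"port": 8080}],
        }],
    },
}
POLICIES = [DEFAULT_DENY, ALLOW_WEB_TO_API]

# Constructed pods
WEB = Pod("web-1", "prod", {"app": "web"})
API = Pod("api-1", "prod", {"app": "api"})
BATCH = Pod("batch-1", "prod", {"app": "batch"})
DEV_WEB = Pod("web-1", "dev", {"app": "web"})

if __name__ == "__main__":
    print(ingress_allowed(POLICIES, WEB, API, 8080))            # True: explicit allow
    print(ingress_allowed(POLICIES, BATCH, API, 8080))          # False: default deny
    print(ingress_allowed(POLICIES, WEB, API, 22))              # False: wrong port
    print(ingress_allowed(POLICIES, DEV_WEB, API, 8080))        # False: other namespace
    print(ingress_allowed([ALLOW_WEB_TO_API], BATCH, WEB, 80))  # True: web is not isolated
```

The last call is the trap: with only the allow policy deployed, the web pod is selected by nothing, so it is not isolated and accepts traffic from anyone. It is the default-deny policy with the empty podSelector that makes every pod in the namespace isolated; the allow rules then punch specific holes.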

3. Continuous Verification

# Example: continuous access evaluation (illustrative sketch; the verify_*,
# check_*, assess_* and grant_*/require_* helpers are integration points into
# your IdP, MDM, risk engine and threat-intel feed and are not defined here)
def evaluate_access(request, user_context):
    checks = [
        verify_identity(request.user),
        check_device_compliance(user_context.device),
        assess_risk_score(user_context),
        validate_request_context(request),
        check_threat_intelligence(request.source_ip),
    ]

    if all(checks):
        # Short-lived grant: the PEP must call evaluate_access() again when the
        # TTL expires rather than keep trusting the original decision
        return grant_access(request, ttl=300)
    # Fail closed: no grant. Step-up (e.g. FIDO2) is the right answer to a soft
    # signal such as a stale session; in practice a known-bad source IP or a
    # non-compliant device should be denied outright rather than prompted.
    return require_step_up_auth(request)

4. Least Privilege Access

• Just-in-time (JIT) access for privileged operations
• Time-bound access with automatic revocation
• Attribute-based access control (ABAC)
• Regular access reviews and recertification

5. Monitoring & Analytics

• Log all access attempts and decisions
• Detect anomalous behavior (UEBA)
• Real-time alerting on policy violations
• Continuous compliance monitoring
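Putting the five steps together, and the Policy Engine / Policy Enforcement Point split from the architecture diagram earlier, the code below is an added example for this lesson, not code from the page or from any vendor. It is a fuller version of the evaluate_access() sketch in step 3: hard signals (threat-intel hit, non-compliant or unmanaged device for a sensitive app, missing entitlement) deny outright, soft signals (stale session, non-phishing-resistant MFA for a sensitive app, elevated UEBA risk, unmanaged device for a non-sensitive app) trigger step-up, and an allow is a 300-second grant that the enforcement point must re-check. The Request/Context/Decision types, the thresholds, and the sample users, devices and IP addresses are all constructed for the example.

```python
"""Policy engine for continuous access evaluation (added example).

Hard signals deny outright, soft signals ask for step-up authentication,
and an ALLOW is a short-lived grant the PEP must re-check when it expires.
All names, thresholds and sample data below are constructed for the example.
"""
import time
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # soft failure: fresh strong authentication can clear it
    DENY = "deny"         # hard failure: no prompt makes this request safe


@dataclass
class Request:
    user: str
    resource: str
    source_ip: str
    device_id: str
    auth_method: str      # "password", "totp" or "fido2"
    auth_age_s: int       # seconds since the user last authenticated


@dataclass
class Context:
    managed_devices: set
    compliant_devices: set     # managed devices currently passing MDM posture checks
    bad_ips: set               # threat-intel denylist
    entitlements: dict         # user -> set of resources they may request
    risk_score: dict           # user -> 0..100 from UEBA, higher is riskier


@dataclass
class Decision:
    verdict: Verdict
    reasons: list = field(default_factory=list)
    expires_at: float = 0.0    # epoch seconds; only meaningful for ALLOW


GRANT_TTL_S = 300         # short-lived grant, as in the lesson's sketch
MAX_AUTH_AGE_S = 3600     # older sessions must re-authenticate
RISK_STEP_UP = 70         # UEBA score at or above which we require step-up
SENSITIVE = {"payroll", "prod-admin"}


def evaluate_access(req: Request, ctx: Context, now: float = None) -> Decision:
    """The Policy Engine: one decision per request, never cached past its TTL."""
    now = time.time() if now is None else now
    hard, soft = [], []
    managed = req.device_id in ctx.managed_devices
    # Hard signals: deny regardless of how strongly the user re-authenticates
    if req.source_ip in ctx.bad_ips:
        hard.append("source IP on threat-intel denylist")
    if req.resource not in ctx.entitlements.get(req.user, set()):
        hard.append("no entitlement for resource")
    if managed and req.device_id not in ctx.compliant_devices:
        hard.append("managed device out of compliance")
    if not managed and req.resource in SENSITIVE:
        hard.append("sensitive resource requires a managed device")
    # Soft signals: a fresh, phishing-resistant authentication can clear them
    if not managed and req.resource not in SENSITIVE:
        soft.append("unmanaged device")
    if req.auth_age_s > MAX_AUTH_AGE_S:
        soft.append("session older than %ds" % MAX_AUTH_AGE_S)
    if req.resource in SENSITIVE and req.auth_method != "fido2":
        soft.append("sensitive resource requires FIDO2")
    if ctx.risk_score.get(req.user, 100) >= RISK_STEP_UP:
        soft.append("elevated user risk score")
    if hard:
        return Decision(Verdict.DENY, hard)          # fail closed, no prompt
    if soft:
        return Decision(Verdict.STEP_UP, soft)
    return Decision(Verdict.ALLOW, ["all checks passed"], now + GRANT_TTL_S)


def grant_still_valid(decision: Decision, now: float) -> bool:
    """PEP-side check: honour an ALLOW only until its TTL, then re-evaluate."""
    return decision.verdict is Verdict.ALLOW and now < decision.expires_at


# Constructed sample context
CTX = Context(
    managed_devices={"lap-001", "lap-002"},
    compliant_devices={"lap-001"},
    bad_ips={"203.0.113.7"},
    entitlements={"alice": {"wiki", "payroll"}, "bob": {"wiki"}},
    risk_score={"alice": 10, "bob": 85},
)

if __name__ == "__main__":
    t0 = 1_700_000_000.0
    for req in [
        Request("alice", "wiki", "198.51.100.4", "lap-001", "totp", 600),      # allow
        Request("alice", "payroll", "198.51.100.4", "lap-001", "totp", 600),   # step-up
        Request("alice", "wiki", "203.0.113.7", "lap-001", "fido2", 10),       # deny
        Request("bob", "wiki", "198.51.100.4", "lap-001", "fido2", 10),        # step-up
    ]:
        d = evaluate_access(req, CTX, t0)
        print(req.user, req.resource, d.verdict.value, d.reasons)
```

The split between hard and soft signals is the design point: a step-up prompt is only useful when the user can actually fix the problem by proving who they are. Prompting a known-bad IP or a non-compliant device just trains users to approve MFA pushes, so those paths deny without a prompt. The grant_still_valid() check is what makes verification continuous: an allow is a lease, not a door left open.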

Zero Trust Implementation Patterns

BeyondCorp Model (Google)

┌─────────────────────────────────────────────────────────────┐
│                    ACCESS FLOW                               │
│                                                              │
│  User → Device Trust → Identity Check → Access Proxy → App  │
│           │              │                   │               │
│           ▼              ▼                   ▼               │
│      Device Cert    MFA + SSO        Context-Aware          │
│      Compliance     Risk Score       Authorization          │
└─────────────────────────────────────────────────────────────┘

Software-Defined Perimeter

Component                     Function
SDP Controller                Authenticates users and devices, evaluates policy, and brokers
                              which initiating hosts may connect to which accepting hosts
Initiating Host (IH)          The user's device requesting access
Accepting Host (AH)           The gateway in front of the protected resource or application
Single Packet Authorization   Cryptographically authenticated first packet; the accepting host
                              keeps every port closed and silently drops all traffic until a
                              valid SPA packet arrives from that source
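To make the Single Packet Authorization row concrete, here is an added example of the exchange between an initiating host and an accepting host. It is not the page's code and not fwknop or any other SDP product: the client sends one HMAC-authenticated packet carrying its client ID, timestamp, nonce and requested port; the accepting host verifies the tag in constant time, rejects stale timestamps and replayed nonces, sends nothing back on failure, and opens the port for that source for a short time. Real implementations also encrypt the packet and program an actual firewall; here the packet is HMAC-only and the firewall is an in-memory table. Keys, client IDs and addresses are constructed.

```python
"""Simplified Single Packet Authorization between an SDP initiating host and
accepting host (added example). The packet is HMAC-authenticated only and the
"firewall" is an in-memory table; keys, IDs and addresses are constructed."""
import hashlib
import hmac
import json
import os

WINDOW_S = 30      # tolerated clock skew between initiating and accepting host
OPEN_FOR_S = 20    # how long the requested port stays open for the source IP


def build_spa_packet(client_id: str, key: bytes, service_port: int, now: float) -> bytes:
    """Initiating host: one datagram's worth of bytes, <json>.<hmac-hex>."""
    body = {
        "v": 1,
        "client": client_id,
        "ts": int(now),
        "nonce": os.urandom(16).hex(),   # unique per packet; defeats replay
        "port": service_port,
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag


class AcceptingHost:
    """Accepting host: every port is closed until a valid SPA packet arrives."""

    def __init__(self, client_keys: dict):
        self.client_keys = client_keys   # client_id -> pre-shared key
        self.seen_nonces = {}            # nonce -> expiry (replay cache)
        self.open_rules = {}             # (src_ip, port) -> expiry

    def handle_spa(self, packet: bytes, src_ip: str, now: float) -> str:
        """Returns a reason string for the log only. The sender gets no reply on
        failure, so a scanner cannot tell a rejected packet from no service."""
        try:
            payload, tag = packet.rsplit(b".", 1)
            body = json.loads(payload)
        except ValueError:
            return "drop: malformed"
        if (not isinstance(body, dict) or not isinstance(body.get("ts"), int)
                or not isinstance(body.get("port"), int)
                or not isinstance(body.get("nonce"), str)):
            return "drop: malformed"
        key = self.client_keys.get(body.get("client"))
        if key is None:
            return "drop: unknown client"
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):   # constant-time comparison
            return "drop: bad hmac"
        if abs(now - body["ts"]) > WINDOW_S:
            return "drop: stale timestamp"
        self._expire(now)
        if body["nonce"] in self.seen_nonces:
            return "drop: replay"
        # Keep the nonce longer than any timestamp that could still be accepted
        self.seen_nonces[body["nonce"]] = now + 2 * WINDOW_S + 1
        self.open_rules[(src_ip, body["port"])] = now + OPEN_FOR_S
        return "open"

    def is_open(self, src_ip: str, port: int, now: float) -> bool:
        self._expire(now)
        return (src_ip, port) in self.open_rules

    def _expire(self, now: float) -> None:
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if t > now}
        self.open_rules = {r: t for r, t in self.open_rules.items() if t > now}


# Constructed pre-shared key for one enrolled device
KEYS = {"laptop-alice": b"constructed-32-byte-pre-shared-key!"}


def scenario() -> dict:
    """Valid packet, replay, tampering, stale clock, unknown client, expiry."""
    host = AcceptingHost(KEYS)
    t0 = 1_700_000_000.0
    key = KEYS["laptop-alice"]
    pkt = build_spa_packet("laptop-alice", key, 22, t0)
    return {
        "closed_before": host.is_open("198.51.100.4", 22, t0),
        "first": host.handle_spa(pkt, "198.51.100.4", t0 + 1),
        "open_after": host.is_open("198.51.100.4", 22, t0 + 2),
        "replay": host.handle_spa(pkt, "198.51.100.4", t0 + 3),
        "tampered": host.handle_spa(pkt.replace(b'"port":22', b'"port":3389'), "198.51.100.4", t0 + 3),
        "stale": host.handle_spa(build_spa_packet("laptop-alice", key, 22, t0 - 120), "198.51.100.4", t0),
        "unknown": host.handle_spa(build_spa_packet("mallory", b"guess", 22, t0), "203.0.113.7", t0),
        "closed_again": host.is_open("198.51.100.4", 22, t0 + OPEN_FOR_S + 1),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:13} {result}")
```

Two details matter in practice. The timestamp window bounds how long a captured packet is useful, and the nonce cache must outlive that window, otherwise a packet sent with a slightly fast clock could be replayed after its nonce was forgotten but while its timestamp was still acceptable. And the port opens only for the source address that sent the packet, for a few seconds, which is what lets the accepting host look closed to every port scan.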

Zero Trust Maturity Model

Stage         Characteristics
Traditional   Perimeter-based, implicit trust
Initial       Some MFA, basic segmentation
Advanced      Identity-centric, micro-segmentation
Optimal       Continuous verification, adaptive policies

These are the four stages used by CISA's Zero Trust Maturity Model.

Assessment Questions for Interviews

When asked to assess an organization's Zero Trust maturity:

  1. Identity: "Is MFA enforced everywhere? Phishing-resistant?"
  2. Device: "Can unmanaged devices access sensitive data?"
  3. Network: "Is the network micro-segmented?"
  4. Application: "Are apps accessible only through identity proxy?"
  5. Data: "Is data classified and access controlled?"
  6. Monitoring: "Can you detect lateral movement?"

Common Pitfalls

Pitfall                       Solution
Treating a VPN as Zero Trust  A VPN grants network reachability, not per-resource authorization;
                              front applications with an identity-aware proxy instead
One-time authentication       Re-evaluate continuously: short-lived grants, live risk signals,
                              step-up when context changes
Ignoring legacy apps          Put them behind a reverse proxy or SDP gateway that enforces the
                              identity and device checks they cannot do themselves
No device trust               Require managed, compliant devices (device certificate plus MDM
                              posture) for sensitive apps
Over-privileged access        JIT, time-bound access with automatic revocation, plus periodic
                              access reviews

Interview Tip: Zero Trust is a journey, not a destination. Emphasize that implementation is iterative and should be prioritized based on risk. Start with crown jewel applications and expand from there.

Next, we'll cover network security and segmentation.
