Zero Trust: verify explicitly, least privilege, assume breach — replace perimeter trust with identity trust.
Zero Trust Architecture
# Zero Trust: never trust, always verify
# Traditional: trust everyone inside the perimeter
# Zero Trust: verify every request regardless of origin
# Principles
# 1. Verify explicitly: authenticate every request
# 2. Least privilege: minimum access needed
# 3. Assume breach: design for post-compromise
# Implementation steps
# 1. Identity verification (MFA for all users)
# Azure AD / Okta with conditional access policies
# 2. Device compliance
# Only managed, patched devices allowed
# MDM enrollment required for production access
# 3. Micro-segmentation
# K8s NetworkPolicies restrict pod-to-pod traffic
# Service mesh (Istio) enforces mTLS between all services
# 4. Continuous monitoring
# SIEM: Splunk, Elastic Security
# UEBA: detect anomalous user behaviour
# All access logged and alerted on anomalies
# 5. Data-centric security
# Data classification: public/internal/confidential/restricted
# DLP (Data Loss Prevention) on sensitive data
# Encrypt everything at rest and in transit
# BeyondCorp model (Google)
# No VPN - access based on device + user identity
# Context-aware access policies