Zero Trust Implementation

Zero Trust Principles

Zero Trust replaces the castle-and-moat model with "never trust, always verify." Every request is authenticated, authorized, and inspected regardless of origin.

Micro-Segmentation

Divide your network into small, isolated zones. Each zone requires separate authentication.

# Terraform: AWS security group micro-segmentation
resource "aws_security_group" "app_to_db" {
  name        = "app-db-ingress"
  description = "Allow app tier to database"
  vpc_id      = var.vpc_id

  # Only members of the app tier's security group may reach PostgreSQL;
  # referencing a security group instead of a CIDR keeps the rule tied to
  # the workload identity rather than to an address range.
  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.app_tier.id]
  }

  # Unrestricted egress is shown for brevity; a fully segmented design
  # narrows this to the destinations the database actually needs.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

Least Privilege Access

Implement just-in-time (JIT) access with ephemeral credentials.

# JIT access broker
import json
from datetime import datetime, timedelta, timezone

import boto3


def grant_just_in_time_access(user, resource, duration_minutes=60):
    """Create a time-boxed IAM policy for `user` over the given resource.

    The DateLessThan condition makes the grant self-expiring: after the
    deadline the policy allows nothing, even if nobody detaches it. AWS
    expects the condition value as an ISO 8601 timestamp with a timezone
    designator, so the deadline is computed in UTC and rendered with a
    trailing "Z". The returned policy still has to be attached to the
    user or role before it grants anything.
    """
    iam = boto3.client("iam")
    now = datetime.now(timezone.utc)
    expires_at = now + timedelta(minutes=duration_minutes)
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": resource["actions"],
            "Resource": resource["arn"],
            "Condition": {
                "DateLessThan": {
                    "aws:CurrentTime": expires_at.strftime("%Y-%m-%dT%H:%M:%SZ")
                }
            }
        }]
    }
    return iam.create_policy(
        PolicyName=f"jit-{user}-{int(now.timestamp())}",
        PolicyDocument=json.dumps(policy),
    )

Verify Every Request

Every API call must be verified at the application layer.

// Zero Trust API gateway middleware
function zeroTrustMiddleware(req, res, next) {
  // Signals the decision is based on. These headers must be set by a
  // trusted gateway after authentication, never taken from the client as-is.
  const context = {
    userId: req.headers["x-user-id"],
    deviceId: req.headers["x-device-id"],
    geo: req.headers["x-geo-location"],
    time: Date.now(),
    path: req.path
  };

  Promise.all([
    verifyIdentity(context.userId),
    verifyDevice(context.deviceId),
    checkGeoPolicy(context.geo, context.path),
    checkTimePolicy(context.time)
  ]).then(([identity, device, geo, time]) => {
    // Every signal must pass; a single failure denies the request.
    if (identity && device && geo.allowed && time.allowed) {
      next();
    } else {
      res.status(401).json({ error: "Access denied" });
    }
  }).catch(() => {
    // Fail closed: a verifier error or outage denies the request instead of
    // leaving it hanging with no response.
    res.status(401).json({ error: "Access denied" });
  });
}
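
As an added example (not code from the original article), the same deny-by-default decision the middleware above makes, written in Python as a standalone policy evaluator that fails closed when a verifier raises and records an explicit reason for every denial, which is what the access log in the next section needs. The user, device, region and JIT grant tables are constructed stand-ins; the JIT expiry check ties in the time-boxed grants from the previous section.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample stores standing in for the identity provider, device
# inventory, geo policy and JIT grant table (not from the original article).
VERIFIED_USERS = {"alice"}
COMPLIANT_DEVICES = {"laptop-01"}
PRIVILEGED_PATHS = {"/admin": {"US"}}  # path prefix -> regions allowed to reach it
JIT_GRANTS = {("alice", "/admin"): datetime(2024, 1, 1, 13, 0, tzinfo=timezone.utc)}

@dataclass
class Context:
    user_id: str
    device_id: str
    geo: str
    path: str
    time: datetime

def check_identity(ctx):
    return ctx.user_id in VERIFIED_USERS, "identity not verified"
def check_device(ctx):
    return ctx.device_id in COMPLIANT_DEVICES, "device not compliant"
def check_time(ctx):
    return 8 <= ctx.time.hour < 18, "outside 08:00-18:00 UTC access window"

def check_privileged_path(ctx):
    """Privileged paths need an allowed region and an unexpired JIT grant."""
    for prefix, regions in PRIVILEGED_PATHS.items():
        if not ctx.path.startswith(prefix):
            continue
        if ctx.geo not in regions:
            return False, f"region {ctx.geo} not allowed for {prefix}"
        expiry = JIT_GRANTS.get((ctx.user_id, prefix))
        if expiry is None or ctx.time >= expiry:
            return False, f"no valid JIT grant for {prefix}"
    return True, ""

CHECKS = (check_identity, check_device, check_time, check_privileged_path)

def evaluate(ctx, checks=CHECKS):
    """Deny by default: returns (allowed, reasons); a check that raises fails closed."""
    reasons = []
    for check in checks:
        try:
            ok, why = check(ctx)
        except Exception as exc:  # verifier outage must never become an allow
            ok, why = False, f"{check.__name__} unavailable: {exc}"
        if not ok:
            reasons.append(why)
    return not reasons, reasons
```

Each denial carries every failed check rather than only the first, so the access log can distinguish a credential-stuffing burst from a compliant user with an expired grant.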

Continuous Monitoring

Log and analyze all access attempts in real time.

-- Anomaly detection query: users with more than 10 denied requests in the
-- last hour, with how many distinct source IPs and regions those came from.
SELECT user_id,
       COUNT(*)                     AS attempts,
       COUNT(DISTINCT ip_address)   AS ips,
       COUNT(DISTINCT geo_location) AS regions
FROM access_logs
WHERE timestamp > NOW() - INTERVAL '1 hour'
  AND denied = true
GROUP BY user_id
HAVING COUNT(*) > 10;

Conclusion

Zero Trust is an architectural shift, not a product. Start with a single application, implement micro-segmentation, enforce least privilege, and expand gradually. Measure progress by reduction in lateral movement capability and mean time to detect anomalies.