This article was originally published on AI Study Room. For the full version with working code examples and related articles, visit the original post.
Zero Trust Implementation
Zero Trust Principles
Zero Trust replaces the castle-and-moat model with "never trust, always verify." Every request is authenticated, authorized, and inspected regardless of origin.
Micro-Segmentation
Divide your network into small, isolated zones. Each zone requires separate authentication.
Terraform: AWS security group micro-segmentation
# Assumes aws_security_group.app_tier and var.vpc_id are defined elsewhere.
resource "aws_security_group" "app_to_db" {
  name        = "app-db-ingress"
  description = "Allow app tier to database"
  vpc_id      = var.vpc_id

  # Only members of the app-tier security group may reach PostgreSQL (5432).
  # Referencing a security group instead of a CIDR keeps the rule identity-based.
  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.app_tier.id]
  }

  # Outbound is left fully open here; restrict it to the destinations the
  # database actually needs (patch repositories, monitoring) to keep the zone isolated.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
Least Privilege Access
Implement just-in-time (JIT) access with ephemeral credentials.
JIT access broker
import json
from datetime import datetime, timedelta, timezone

import boto3


def grant_just_in_time_access(user, resource, duration_minutes=60):
    """Create a time-boxed managed policy and attach it to the IAM user.

    resource = {"actions": [...], "arn": "..."}. Access stops once the
    aws:CurrentTime condition expires, but the policy object itself remains
    and must be detached and deleted by a separate cleanup job.
    """
    iam = boto3.client("iam")
    now = datetime.now(timezone.utc)
    # IAM compares ISO 8601 timestamps; the trailing Z marks UTC.
    expires_at = (now + timedelta(minutes=duration_minutes)).strftime("%Y-%m-%dT%H:%M:%SZ")
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": resource["actions"],
            "Resource": resource["arn"],
            "Condition": {
                "DateLessThan": {"aws:CurrentTime": expires_at}
            }
        }]
    }
    policy_name = f"jit-{user}-{int(now.timestamp())}"
    created = iam.create_policy(PolicyName=policy_name,
                                PolicyDocument=json.dumps(policy))
    # create_policy only defines the policy; it grants nothing until attached.
    iam.attach_user_policy(UserName=user, PolicyArn=created["Policy"]["Arn"])
    return created
Verify Every Request
Every API call must be verified at the application layer.
// Zero Trust API gateway middleware (Express-style). verifyIdentity, verifyDevice,
// checkGeoPolicy and checkTimePolicy are the deployment's own async checks.
// The x-* headers must be set by an authenticated upstream (for example an
// identity-aware proxy) and stripped from client requests, or they can be forged.
function zeroTrustMiddleware(req, res, next) {
  const context = {
    userId: req.headers["x-user-id"],
    deviceId: req.headers["x-device-id"],
    geo: req.headers["x-geo-location"],
    time: Date.now(),
    path: req.path
  };

  Promise.all([
    verifyIdentity(context.userId),
    verifyDevice(context.deviceId),
    checkGeoPolicy(context.geo, context.path),
    checkTimePolicy(context.time)
  ]).then(([identity, device, geo, time]) => {
    if (identity && device && geo.allowed && time.allowed) {
      next();
    } else {
      res.status(401).json({ error: "Access denied" });
    }
  }).catch(() => {
    // Fail closed: a check that errors or times out must not let the request
    // through, and without this handler the request would hang on an unhandled rejection.
    res.status(401).json({ error: "Access denied" });
  });
}
Continuous Monitoring
Log and analyze all access attempts in real time.
-- Anomaly detection query (PostgreSQL): users with more than 10 denied
-- requests in the last hour, and how many source IPs and regions they used.
SELECT user_id,
       COUNT(*)                     AS attempts,
       COUNT(DISTINCT ip_address)   AS ips,
       COUNT(DISTINCT geo_location) AS regions
FROM access_logs
WHERE timestamp > NOW() - INTERVAL '1 hour'
  AND denied = true
GROUP BY user_id
HAVING COUNT(*) > 10;
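The same detection logic run in a streaming fashion over JSON access-log lines, as an added example that is not part of the original article; the log records and the reference clock are constructed here, and the field names mirror the access_logs columns the query above reads.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample access logs (not real data): one JSON record per line.
SAMPLE_LOGS = "\n".join(
    [json.dumps({"timestamp": f"2024-05-01T11:{m + 5:02d}:00Z", "user_id": "alice",
                 "ip_address": f"203.0.113.{m % 3}", "geo_location": ["DE", "BR"][m % 2],
                 "denied": True}) for m in range(12)]  # 12 denials, 3 IPs, 2 regions
    + [json.dumps({"timestamp": "2024-05-01T11:30:00Z", "user_id": "bob",
                   "ip_address": "198.51.100.7", "geo_location": "US", "denied": True})
       for _ in range(5)]  # 5 denials: below threshold
    + [json.dumps({"timestamp": "2024-05-01T09:00:00Z", "user_id": "carol",
                   "ip_address": "192.0.2.9", "geo_location": "FR", "denied": True})
       for _ in range(20)]  # 20 denials, but older than the one-hour window
    + [json.dumps({"timestamp": "2024-05-01T11:40:00Z", "user_id": "alice",
                   "ip_address": "203.0.113.0", "geo_location": "DE", "denied": False})]
)


def find_anomalous_users(log_text, now, window=timedelta(hours=1), threshold=10):
    """Return {user_id: {"attempts", "ips", "regions"}} for users whose denied
    requests inside the window exceed the threshold (same logic as the SQL)."""
    cutoff = now - window
    buckets = defaultdict(lambda: {"attempts": 0, "ips": set(), "regions": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        # Strict "greater than" matches the SQL's timestamp > NOW() - INTERVAL.
        if not rec["denied"] or ts <= cutoff:
            continue
        b = buckets[rec["user_id"]]
        b["attempts"] += 1
        b["ips"].add(rec["ip_address"])
        b["regions"].add(rec["geo_location"])
    return {u: {"attempts": b["attempts"], "ips": len(b["ips"]), "regions": len(b["regions"])}
            for u, b in buckets.items() if b["attempts"] > threshold}


# Constructed reference clock so the window is deterministic.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(find_anomalous_users(SAMPLE_LOGS, NOW))  # {'alice': {'attempts': 12, 'ips': 3, 'regions': 2}}
```

Feeding the function the tail of a log stream once a minute gives the same alert the scheduled SQL query would, with the distinct-IP and distinct-region counts showing whether the denials come from one client or many.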
Conclusion
Zero Trust is an architectural shift, not a product. Start with a single application, implement micro-segmentation, enforce least privilege, and expand gradually. Measure progress by reduction in lateral movement capability and mean time to detect anomalies.
See also: Zero Trust Networking: Architecture and Implementation Guide, Web Application Firewall Implementation, Kubernetes Network Policies.
See also: Zero Trust Networking: Architecture and Implementation Guide, Web Application Firewall Implementation, Audit Logging Best Practices
See also: MFA Implementation, OAuth2 Implementation, Secrets Rotation