playbooks

home / skills / williamzujkowski / standards / zero-trust

zero-trust skill

/skills/security/zero-trust

This skill helps implement zero-trust security patterns and best practices across services, ensuring authentication, authorization, and continuous verification.

npx playbooks add skill williamzujkowski/standards --skill zero-trust

Review the files below or copy the command above to add this skill to your agents.

Files (12)
SKILL.md
14.6 KB
---
name: zero-trust-security
category: security
difficulty: advanced
estimated_time: 8-12 hours
prerequisites:
- Network security fundamentals
- Container orchestration (Kubernetes)
- PKI and certificate management
- Identity and access management
nist_controls:
- AC-4
- SC-7
- SC-8
related_skills:
- secrets-management
- secure-api-design
- security-monitoring
version: 1.0.0
description: 'Zero-trust architecture operates on the principle: "Never trust, always
  verify." Unlike traditional perimeter-based security, zero-trust assumes breach
  and verifies every request regardless of origin.'
---


# Zero-Trust Security

## Level 1: Quick Reference

### Core Principles

Zero-trust architecture operates on the principle: **"Never trust, always verify."** Unlike traditional perimeter-based security, zero-trust assumes breach and verifies every request regardless of origin.

**Fundamental Tenets:**

- No implicit trust based on network location
- Verify explicitly (authentication + authorization)
- Least privilege access (just-in-time, just-enough)
- Assume breach (limit blast radius, segment access)
- Inspect and log all traffic

### Common Zero-Trust Patterns

#### 1. Mutual TLS (mTLS)

```yaml
# Istio PeerAuthentication for strict mTLS
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: production
spec:
  mtls:
    mode: STRICT
```

**When to use:** Service-to-service authentication, encrypted communication between microservices.

#### 2. Service Mesh

- **Istio/Linkerd:** Transparent mTLS, traffic encryption, identity management
- **Consul Connect:** Service identity and authorization
- **AWS App Mesh:** Cloud-native service mesh

**Key benefits:** Automatic encryption, fine-grained policies, observability.

#### 3. BeyondCorp Model

```yaml
# Identity-aware proxy configuration
apiVersion: v1
kind: Service
metadata:
  name: webapp
  annotations:
    cloud.google.com/neg: '{"ingress": true}'
    cloud.google.com/backend-config: '{"default": "beyondcorp-config"}'
spec:
  type: ClusterIP
  ports:
    - port: 8080
      targetPort: 8080
```

**Use case:** Remote access without VPN, identity-based access to applications.

### Essential Checklist

**Identity & Authentication:**

- [ ] Workload identities for all services (SPIFFE/SPIRE)
- [ ] mTLS enabled for service-to-service communication
- [ ] Strong authentication (MFA, certificates, tokens)
- [ ] Identity lifecycle management (rotation, revocation)

**Authorization:**

- [ ] Fine-grained access policies (attribute-based)
- [ ] Least privilege by default
- [ ] Just-in-time access provisioning
- [ ] Policy enforcement at every access point

**Network Security:**

- [ ] Microsegmentation (NetworkPolicies, security groups)
- [ ] Encrypted communication (TLS 1.3+)
- [ ] Traffic inspection and filtering
- [ ] No trust based on network location

**Monitoring & Verification:**

- [ ] Continuous monitoring of authentication events
- [ ] Anomaly detection on access patterns
- [ ] Centralized logging (who, what, when, where)
- [ ] Regular access reviews and audits

**Architecture:**

- [ ] Policy Decision Point (PDP) implemented
- [ ] Policy Enforcement Point (PEP) at critical paths
- [ ] Policy Administration Point (PAP) for management
- [ ] Data plane and control plane separation

### Quick Wins

1. **Enable mTLS in service mesh** (2-4 hours)
   - Deploy Istio/Linkerd
   - Configure strict mTLS mode
   - Verify with traffic inspection

2. **Implement Kubernetes NetworkPolicies** (1-2 hours)
   - Default deny all traffic
   - Explicit allow rules per service
   - Test connectivity

3. **Deploy workload identities** (3-4 hours)
   - Install SPIFFE/SPIRE
   - Configure workload attestation
   - Integrate with service mesh

---

## Level 2:
>
> **đź“š Full Examples**: See [REFERENCE.md](./REFERENCE.md) for complete code samples, detailed configurations, and production-ready implementations.

 Implementation Guide

### Zero-Trust Architecture Principles

Zero-trust architecture (ZTA) fundamentally reimagines security by eliminating implicit trust. Traditional castle-and-moat security assumes everything inside the perimeter is trustworthy, but ZTA treats every request as potentially hostile.

#### NIST 800-207 Zero Trust Tenets

1. **All data sources and computing services are considered resources**
   - Applications, services, databases, IoT devices, containers
   - Resources may be on-premises, cloud, edge, or hybrid

2. **All communication is secured regardless of network location**
   - Encrypt all traffic (mTLS, TLS 1.3)
   - No trust based on internal network position
   - Apply same security to internal and external traffic

3. **Access to resources is granted on a per-session basis**
   - Authentication and authorization for every request
   - Continuous verification throughout session
   - Short-lived credentials and tokens

4. **Access is determined by dynamic policy**
   - User identity, device health, behavior, risk score
   - Attribute-based access control (ABAC)
   - Context-aware decisions (time, location, sensitivity)

5. **Monitor and measure integrity and security posture**
   - Continuous monitoring of assets
   - Real-time threat detection
   - Security analytics and automation

6. **All resource authentication and authorization are dynamic and strictly enforced**
   - No static rules or permanent access
   - Adaptive policies based on risk
   - Fail-secure by default

7. **Collect as much information as possible about current state**
   - Asset inventory and behavior
   - Network traffic analysis
   - Security telemetry and logs

**NIST Controls:**

- **AC-4:** Information Flow Enforcement - Control information flow between security domains
- **SC-7:** Boundary Protection - Monitor and control communications at managed interfaces
- **SC-8:** Transmission Confidentiality and Integrity - Protect information during transmission

### Mutual TLS (mTLS) Implementation

Mutual TLS provides bidirectional authentication where both client and server verify each other's identity using certificates.

#### Certificate Management


*See [REFERENCE.md](./REFERENCE.md#example-0) for complete implementation.*


#### Istio mTLS Configuration


*See [REFERENCE.md](./REFERENCE.md#example-1) for complete implementation.*


#### Verification and Troubleshooting


*See [REFERENCE.md](./REFERENCE.md#example-2) for complete implementation.*


### Service Mesh for Zero-Trust

Service meshes provide a dedicated infrastructure layer for service-to-service communication with built-in security, observability, and traffic management.

#### Istio Architecture


*See [REFERENCE.md](./REFERENCE.md#example-3) for complete implementation.*


#### Authorization Policies


*See [REFERENCE.md](./REFERENCE.md#example-4) for complete implementation.*


#### Linkerd Alternative


*See [REFERENCE.md](./REFERENCE.md#example-5) for complete implementation.*


### Identity-Based Access (Workload Identities)

#### SPIFFE/SPIRE Implementation

SPIFFE (Secure Production Identity Framework For Everyone) provides a universal identity framework for workloads in heterogeneous environments.


*See [REFERENCE.md](./REFERENCE.md#example-6) for complete implementation.*


**SPIRE Server Configuration:**


*See [REFERENCE.md](./REFERENCE.md#example-7) for complete implementation.*


**SPIRE Agent Configuration:**


*See [REFERENCE.md](./REFERENCE.md#example-8) for complete implementation.*


#### Integrating SPIRE with Istio


*See [REFERENCE.md](./REFERENCE.md#example-9) for complete implementation.*


**Workload Identity Example:**


*See [REFERENCE.md](./REFERENCE.md#example-10) for complete implementation.*


### Network Segmentation (Microsegmentation)

Microsegmentation divides networks into small, isolated segments to limit lateral movement and reduce blast radius.

#### Kubernetes NetworkPolicies


*See [REFERENCE.md](./REFERENCE.md#example-11) for complete implementation.*


#### Cilium Network Policies (Advanced)


*See [REFERENCE.md](./REFERENCE.md#example-12) for complete implementation.*


### Continuous Verification and Monitoring

Zero-trust requires continuous validation of security posture and real-time threat detection.

#### Security Monitoring Stack


*See [REFERENCE.md](./REFERENCE.md#example-13) for complete implementation.*


#### Prometheus Metrics for Zero-Trust


*See [REFERENCE.md](./REFERENCE.md#example-14) for complete implementation.*


### BeyondCorp Model

BeyondCorp removes the concept of a privileged corporate network, treating all access as potentially hostile.

#### Identity-Aware Proxy (IAP)


*See [REFERENCE.md](./REFERENCE.md#example-15) for complete implementation.*


#### Open Policy Agent (OPA) for Context-Aware Access


*See [REFERENCE.md](./REFERENCE.md#example-16) for complete implementation.*


**OPA Integration with API Gateway:**


*See [REFERENCE.md](./REFERENCE.md#example-17) for complete implementation.*


### NIST 800-207 Zero Trust Architecture

NIST SP 800-207 provides a comprehensive framework for implementing zero-trust architecture in federal and enterprise systems.

#### Zero Trust Architecture Components

**1. Policy Engine (PE):**

- Grants or denies access to resources
- Uses Policy Administrator to execute decisions
- Considers user, device, resource, and contextual attributes

**2. Policy Administrator (PA):**

- Establishes/shuts down communication paths
- Generates session-specific authentication tokens
- Instructs Policy Enforcement Points

**3. Policy Enforcement Point (PEP):**

- Enables, monitors, and terminates connections
- Forwards requests to Policy Engine
- Can be gateway, agent, or access proxy

**Implementation Example:**


*See [REFERENCE.md](./REFERENCE.md#example-18) for complete implementation.*


#### Trust Algorithm (TA)

The Trust Algorithm computes trust scores based on multiple inputs:


*See [REFERENCE.md](./REFERENCE.md#example-19) for complete implementation.*


---

## Level 3: Deep Dive Resources

### Official Documentation

**NIST Standards:**

- [NIST SP 800-207: Zero Trust Architecture](https://csrc.nist.gov/publications/detail/sp/800-207/final)
- [NIST SP 800-53: Security and Privacy Controls](https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final)

**SPIFFE/SPIRE:**

- [SPIFFE Specification](https://github.com/spiffe/spiffe)
- [SPIRE Documentation](https://spiffe.io/docs/latest/spire-about/)

**Service Mesh:**

- [Istio Security](https://istio.io/latest/docs/concepts/security/)
- [Linkerd Security](https://linkerd.io/2/features/automatic-mtls/)

**BeyondCorp:**

- [BeyondCorp Research Papers](https://cloud.google.com/beyondcorp)
- [Identity-Aware Proxy](https://cloud.google.com/iap/docs)

### Books & Guides

- **"Zero Trust Networks"** by Evan Gilman & Doug Barth (O'Reilly)
- **"BeyondCorp: Design Your Own Zero Trust Network"** by Juana A. & Neal M.
- **"Zero Trust Security: An Enterprise Guide"** by Jason Garbis & Jerry Chapman

### Tools & Projects

**Zero-Trust Platforms:**

- Palo Alto Prisma Access
- Zscaler Private Access
- Cloudflare Access
- Google BeyondCorp

**Open Source:**

- Open Policy Agent (OPA)
- Envoy Proxy
- Istio Service Mesh
- SPIFFE/SPIRE

### Training & Certifications

- **SANS SEC530:** Defensible Security Architecture and Engineering
- **Cloud Security Alliance:** CCSK (Certificate of Cloud Security Knowledge)
- **Kubernetes Security Specialist (CKS)**

### Related Skills

Deepen your zero-trust expertise with these complementary skills:

- **Secrets Management:** Vault, sealed secrets, external secrets operator
- **Secure API Design:** OAuth2, OIDC, API gateways
- **Security Monitoring:** SIEM, threat detection, incident response

### Community Resources

- [r/netsec](https://reddit.com/r/netsec)
- [Cloud Native Security Day](https://events.linuxfoundation.org/cloud-native-security-day-north-america/)
- [OWASP](https://owasp.org/)

## Examples

### Basic Usage

```rust
// TODO: Add basic example for zero-trust
// This example demonstrates core functionality
```

### Advanced Usage

```rust
// TODO: Add advanced example for zero-trust
// This example shows production-ready patterns
```

### Integration Example

```rust
// TODO: Add integration example showing how zero-trust
// works with other systems and services
```

See `examples/zero-trust/` for complete working examples.

## Integration Points

This skill integrates with:

### Upstream Dependencies

- **Tools**: Common development tools and frameworks
- **Prerequisites**: Basic understanding of general concepts

### Downstream Consumers

- **Applications**: Production systems requiring zero-trust functionality
- **CI/CD Pipelines**: Automated testing and deployment workflows
- **Monitoring Systems**: Observability and logging platforms

### Related Skills

- See other skills in this category

### Common Integration Patterns

1. **Development Workflow**: How this skill fits into daily development
2. **Production Deployment**: Integration with production systems
3. **Monitoring & Alerting**: Observability integration points

## Common Pitfalls

### Pitfall 1: Insufficient Testing

**Problem:** Not testing edge cases and error conditions leads to production bugs

**Solution:** Implement comprehensive test coverage including:

- Happy path scenarios
- Error handling and edge cases
- Integration points with external systems

**Prevention:** Enforce minimum code coverage (80%+) in CI/CD pipeline

### Pitfall 2: Hardcoded Configuration

**Problem:** Hardcoding values makes applications inflexible and environment-dependent

**Solution:** Use environment variables and configuration management:

- Separate config from code
- Use environment-specific configuration files
- Never commit secrets to version control

**Prevention:** Use tools like dotenv, config validators, and secret scanners

### Pitfall 3: Ignoring Security Best Practices

**Problem:** Security vulnerabilities from not following established security patterns

**Solution:** Follow security guidelines:

- Input validation and sanitization
- Proper authentication and authorization
- Encrypted data transmission (TLS/SSL)
- Regular security audits and updates

**Prevention:** Use security linters, SAST tools, and regular dependency updates

**Best Practices:**

- Follow established patterns and conventions for zero-trust
- Keep dependencies up to date and scan for vulnerabilities
- Write comprehensive documentation and inline comments
- Use linting and formatting tools consistently
- Implement proper error handling and logging
- Regular code reviews and pair programming
- Monitor production metrics and set up alerts

---

## Bundled Resources

See `templates/`, `resources/`, and `scripts/` directories for:

- mTLS configuration examples
- SPIFFE workload identity templates
- NetworkPolicy examples
- Zero-trust architecture diagrams
- Automation scripts
- NIST 800-207 compliance checklist

Overview

This skill codifies zero-trust architecture guidance and practical patterns for building systems that assume breach and verify every request. It consolidates core tenets (least privilege, continuous verification, encrypted communications) and offers quick wins, checklists, and implementation patterns for service meshes, mTLS, workload identities, and network segmentation. Use it to accelerate secure design and deployments with concrete steps and verification ideas. The content is focused on actionable outcomes for cloud-native and hybrid environments.

How this skill works

The skill inspects and organizes zero-trust controls across identity, authorization, network, and monitoring layers. It provides configuration patterns (mTLS, service mesh policies, network policies), operational checklists (rotation, logging, audits), and implementation priorities (Policy Engine/Administrator/Enforcement Points). It highlights quick wins that can be completed in hours and deeper design elements aligned to NIST SP 800-207 for enterprise adoption.

When to use it

  • Designing microservices or migrating legacy apps to cloud-native infrastructure
  • Replacing VPNs with identity-aware remote access (BeyondCorp-style)
  • Enforcing service-to-service encryption and authenticated workloads
  • Reducing blast radius and implementing fine-grained segmentation
  • Formalizing access policies and continuous verification for compliance

Best practices

  • Adopt workload identities (SPIFFE/SPIRE) and short-lived credentials
  • Enable mTLS through a service mesh and enforce strict mode by default
  • Apply least-privilege with attribute-based policies and just-in-time access
  • Default-deny network posture with Kubernetes NetworkPolicies or Cilium
  • Centralize telemetry: logs, metrics, and anomaly detection for continuous verification

Example use cases

  • Enable strict mTLS across a Kubernetes cluster via Istio to secure service-to-service calls
  • Deploy SPIRE to provision workload identities and integrate with a service mesh
  • Implement default-deny NetworkPolicies and then allow explicit service flows
  • Use an identity-aware proxy to provide remote app access without VPN
  • Integrate OPA policies at the API gateway for context-aware authorization

FAQ

How quickly can I get meaningful zero-trust coverage?

Start with quick wins: enable mTLS in a service mesh, deploy default-deny network policies, and roll out workload identities—each can yield measurable improvements in hours to days.

What are the most common implementation pitfalls?

Insufficient testing, hardcoded configurations, and skipping telemetry. Mitigate by writing integration tests, treating config as code, rotating secrets, and centralizing logs and metrics.