Zero Trust Architecture — Never Trust, Always Verify

The perimeter is dead#

Traditional security had a simple model: everything inside the network is trusted, everything outside is not. Build a firewall, VPN in, and you're safe.

Then remote work happened. Cloud happened. Microservices happened. Now there is no "inside." Your services run across multiple clouds, your employees work from coffee shops, and your APIs are called from everywhere.

Zero trust is the answer: never trust, always verify.

The core principles#

1. Verify explicitly#

Every request must prove its identity. No exceptions.

• User identity: Who is making this request? (OAuth, SSO)
• Device health: Is this device managed and up to date? (MDM)
• Context: Where are they connecting from? Is this normal behavior?

2. Least privilege access#

Give every user and service the minimum permissions they need. No more.

• Developers don't get production database access
• Services can only call the APIs they need
• Permissions are time-bound (expire after the session)

3. Assume breach#

Design as if attackers are already inside. Limit blast radius.

• Micro-segmentation between services
• Encrypt data in transit AND at rest
• Log everything for forensic analysis
• Regular rotation of secrets and certificates

Implementation layers#

Identity#

Everything has an identity. Not just users — services, devices, and API clients too.

• Users authenticate via SSO (Okta, Auth0, Azure AD)
• Services authenticate via mTLS certificates or service tokens
• Devices authenticate via MDM enrollment
• All identities are centrally managed and auditable

Network#

No implicit trust based on network location.

• Micro-segmentation: services can only reach specific other services
• Service mesh (Istio/Linkerd) enforces mTLS between all pods
• No flat network — even internal traffic is encrypted and authorized
• VPN is replaced by identity-aware proxies (BeyondCorp, Cloudflare Access)

Application#

Every API validates the request, every time.

• JWT validation on every endpoint (not just the gateway)
• RBAC/ABAC for fine-grained authorization
• Input validation and rate limiting at every layer
• No service trusts another service implicitly

Data#

Protect the data, not just the network.

• Encryption at rest (AES-256) and in transit (TLS 1.3)
• Column-level encryption for sensitive fields (SSN, card numbers)
• DLP (Data Loss Prevention) monitoring for exfiltration
• Audit logging for all data access

Google's BeyondCorp#

Google implemented zero trust internally after Operation Aurora (2009 breach). Key insights:

• Access is based on identity + device trust, not network location
• No VPN needed — employees access internal apps through an identity-aware proxy
• Every request is evaluated against current context (device health, location, time)
• Works from anywhere — office, home, and coffee shop get the same security

This model is now available as BeyondCorp Enterprise and inspired Cloudflare Access, Zscaler, and Azure AD Conditional Access.

When zero trust is overkill#

• Early-stage startups with 3 developers and one app — simple auth + HTTPS is enough
• Internal tools used by a small team behind SSO — full zero trust adds complexity without proportional benefit
• Prototypes — ship first, secure later (but don't forget the "later" part)

See security in your architecture#

On Codelit, generate any system and click the Security Audit on your API gateway, database, or auth service. The audit identifies where zero trust principles are missing and suggests specific improvements.

---

Audit your security posture: describe your system on Codelit.io and run security audits on every component.