System Design Fundamentals

Zero Trust Architecture

A

Zero Trust Architecture

The Castle Falls from Within

A contractor is working remotely on a security patch for your company. Their laptop is a mid-range Windows machine they bought themselves. They connect to your corporate VPN — the firewall recognizes them as “inside” and grants access. But they don’t know it yet: their laptop is infected with malware from a malicious PDF they opened last week.

Welcome to your nightmare.

In traditional security models — the “castle and moat” approach — the perimeter firewall is your only real defense. Once you’re past it, everything inside the castle is assumed trustworthy. So this contractor, despite having a compromised laptop, now has access to your databases, internal APIs, admin panels, source code repositories, and customer data. The attacker has hours before anyone notices because no one’s checking credentials once you’re “inside.”

This is the fundamental flaw in perimeter-based security that every major tech company discovered the hard way. Google, after suffering dozens of advanced attacks, decided to rethink everything. They called their new approach “BeyondCorp.” The principle was radical at the time: never trust, always verify. Every request requires authentication and authorization, regardless of where it comes from. That contractor’s compromised laptop gets treated the same as a random device on the public internet. The network no longer matters; identity and device health matter.

This shift from “trust the network” to “verify everything” is Zero Trust Architecture, and it’s become the security standard for all serious tech companies.

Why the Castle-and-Moat Model Breaks

The traditional security model made sense in 1995. Employees worked in offices connected to a corporate network. Outsiders were on the internet. You built a firewall to separate them. Done.

But the world changed:

Remote Work & Cloud Computing

  • Employees work from home, coffee shops, airports
  • Your infrastructure is spread across AWS, Azure, Google Cloud
  • There is no “inside” anymore — everything is distributed
  • The VPN becomes a bottleneck and a single point of failure

Bring Your Own Device (BYOD)

  • Employees use personal laptops, phones, tablets
  • You can’t fully control these devices like you could corporate laptops
  • Device security varies wildly

Software Supply Chain

  • You depend on thousands of third-party libraries and services
  • A compromised dependency doesn’t care about your firewall
  • You need to verify even “internal” services

Insider Threats

  • Not everyone with network access is trustworthy
  • Malicious insiders or compromised accounts exist
  • Network access alone shouldn’t grant data access

The Breach is Inevitable

  • No perimeter is unbreakable
  • Once attackers are past the firewall, they have free rein
  • You need to assume breach has happened and minimize damage

Zero Trust flips the entire paradigm: assume the network is hostile. Assume breach has already occurred. Design every system to verify every request and grant minimum necessary access.

The Medieval vs. Modern Security Metaphor

Imagine two buildings:

Medieval Castle:

  • Massive outer wall and moat
  • Drawbridge at the entrance (firewall)
  • Once past the drawbridge, anyone can walk into any room
  • Talk to the king’s treasurer in his office? No guards, no credentials check
  • Steal the crown jewels? Nobody’s stopping you — you made it past the wall

Modern Secure Facility:

  • No perimeter walls (because the internet is everywhere)
  • Every single room has its own lock
  • Every person needs a badge to enter every room
  • Cameras and sensors monitoring every hallway
  • Even employees are re-verified when entering sensitive areas
  • Every action is logged and auditable
  • You can’t carry out one set of tasks to gain access to another

Zero Trust is designing your infrastructure like the modern facility.

The Three Pillars: Identity, Device, Network

Zero Trust rests on three foundations:

Pillar 1: Identity Verification (Who are you?)

The most critical pillar. You can’t secure anything without knowing who’s requesting access.

Strong Authentication:

  • Passwords alone are dead — too easy to compromise
  • Multi-Factor Authentication (MFA) everywhere: password + something you have (phone, security key) + something you are (biometric)
  • For services: certificate-based authentication, cryptographic signatures
  • For APIs: never trust API keys alone — validate them against identity systems

Continuous Verification:

  • Initial login isn’t enough
  • Re-authenticate for sensitive actions
  • Verify location: access from a new location? Require additional verification
  • Verify device: access from a new device? Require additional verification
  • Verify time: access at 3 AM from a user who always works 9-5? Flag it

Context-Aware Access:

  • Combine multiple signals: user ID + device + location + time + behavior
  • Access decision is made on all available data
  • A contractor accessing from their home at 3 AM on Sunday has different risk profile than the lead engineer accessing from the office at 10 AM

Pillar 2: Device Verification (What device are you using?)

Even if you know who someone is, their device might be compromised.

Device Health Attestation:

  • Is the operating system fully patched? (If Windows 10 is from 2020, no.)
  • Is antivirus running and up-to-date?
  • Is full disk encryption enabled?
  • Are OS firewalls enabled?
  • Can the device prove these things with cryptographic signatures?

Mobile Device Management (MDM):

  • Track inventory of approved devices
  • Enforce security policies (minimum OS version, encryption, screen lock timeout)
  • Ability to wipe devices remotely if lost or stolen
  • Enforce app policies

Device Certificates:

  • Issue cryptographic certificates to approved devices
  • These certificates prove the device is managed and compliant
  • Require valid certificates for any access

Real-world example: A contractor’s personal laptop, while having the correct OS, hasn’t received security updates in 8 months. The antivirus license expired. Zero Trust would automatically deny access until these issues are fixed, regardless of the correct password and MFA code.

Pillar 3: Network Micro-Segmentation (Where are you?)

Instead of “inside” vs “outside,” you segment your network by workload and risk profile.

The Old Model:

[Internet]

[Firewall allows port 443 in]

[Corporate Network — flat, everything trusts everything]
    ├── Web servers
    ├── Databases
    ├── Admin panels
    └── Customer data stores

Zero Trust Model:

[Internet]

[Identity & Device verification]

[Service A can only access Service B if:
    - Valid service identity (certificate)
    - Appropriate credentials (authentication)
    - Least privilege authorization]

[Everything encrypted, everything logged]

Instead of one flat network, you segment by:

  • Application/workload: Web tier, API tier, database tier — each is separate
  • Environment: Production, staging, development — strict boundaries
  • Risk level: User-facing services vs internal tools vs sensitive data stores
  • Team: Finance team services can’t access engineering services without explicit access

Network policies in Kubernetes exemplify this:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  # This blocks all traffic by default (deny-all)
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-to-api
spec:
  podSelector:
    matchLabels:
      tier: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          tier: web

This policy says: “Block all traffic by default. Allow only traffic from the web tier to the API tier.” Services that aren’t explicitly allowed can’t talk to each other, period.

Zero Trust in Microservices: mTLS & Service Identity

When you have thousands of microservices, you need a way for them to prove their identity to each other. This is where Mutual TLS (mTLS) and service identity systems come in.

mTLS: Mutual Authentication

Traditional TLS: Client verifies the server’s certificate. Server doesn’t verify the client.

mTLS: Both sides verify each other’s certificates. Every request is cryptographically authenticated.

Service A wants to call Service B:

[Service A presents its certificate: "I am Service A, signed by CA"]
[Service B presents its certificate: "I am Service B, signed by CA"]

[Both verify each other's certificates cryptographically]

[Communication is encrypted and authenticated]

Service Identity: Who is Service A?

You need a way to issue and verify service identities. SPIFFE (Secure Production Identity Framework for Everyone) is the industry standard:

  • Issues cryptographically-signed identities to services
  • Each service gets a unique URI-based identity (spiffe://your-company.com/service/payment-service)
  • These identities are short-lived (hours or minutes) and automatically rotated
  • Services present these credentials in mTLS handshakes

Service Mesh: Automation

Manually configuring mTLS for thousands of services is infeasible. Service meshes (Istio, Linkerd) automate this:

┌─────────────────────────────────────┐
│ Service Mesh (Istio/Linkerd)        │
├─────────────────────────────────────┤
│ Automatic mTLS between all services │
│ Certificate injection and rotation   │
│ Authorization policies              │
│ Traffic management                  │
├─────────────────────────────────────┤
│ Your microservices (transparent)    │
└─────────────────────────────────────┘

Every request between services is authenticated and encrypted without the services needing to know about it.

Zero Trust at Google: BeyondCorp Case Study

Google deployed BeyondCorp starting in 2011, eliminating the corporate VPN entirely by 2015. Here’s what they did:

Phase 1: Identity

  • Centralized authentication (Google Sign-In for employees)
  • MFA mandatory (Security Keys)
  • Continuous authentication throughout the session

Phase 2: Device Security

  • Device inventory and management
  • Automatic device security monitoring
  • Devices deemed insecure are quarantined

Phase 3: Application Access

  • Every application requires authentication
  • No “internal” exceptions — the only difference between internal and external access is the authentication context
  • Applications moved from private networks to public internet (but require authentication)

Phase 4: Monitoring & Incident Response

  • Every request is logged (auditable)
  • ML-based anomaly detection (unusual access patterns)
  • Incident response procedures for compromised accounts/devices

Result: Google employees can access any corporate application from anywhere — a coffee shop, an airport, a home office. Security didn’t decrease; it increased. The threat model shifted from “protect the perimeter” to “verify every request, expect compromise.”

Implementation Roadmap: You Don’t Do This Overnight

Zero Trust is a journey, not a flip-of-a-switch. Here’s a realistic phasing:

Phase 1: Identity Foundation (Months 1-3)

  • Deploy Single Sign-On (SSO) — all employees authenticate through one system
  • Enable MFA — every employee gets a security key or authenticator app
  • Build employee identity directory
  • Start logging all authentication events

Phase 2: Device Trust (Months 4-6)

  • Implement Mobile Device Management (MDM)
  • Collect device security data (OS version, patch level, antivirus status)
  • Create device health policies (minimum OS version, encrypted disk required)
  • Start enforcing policies — deny access from non-compliant devices

Phase 3: Micro-segmentation (Months 7-12)

  • Map your network and applications
  • Identify critical paths (what needs to communicate with what?)
  • Implement network policies (deny-all by default, explicitly allow)
  • Deploy service mesh for service-to-service authentication
  • Start with non-critical applications

Phase 4: Continuous Monitoring (Ongoing)

  • Deploy behavioral analytics and anomaly detection
  • Set up incident response for suspicious activity
  • Regular security audits and penetration testing
  • Iterate and improve policies

Practical Implementation: API Authentication

Here’s a concrete example: securing internal APIs in a Zero Trust model.

The Problem: Your API gateway needs to grant access to requests from authorized services. How do you prevent unauthorized services from calling your API?

Zero Trust Solution:

# Every service has a SPIFFE identity
Service A ID: spiffe://company.com/services/web-api
Service B ID: spiffe://company.com/services/mobile-api
# API gateway verifies the service identity before granting access
def authenticate_request(request):
    # Extract certificate from mTLS connection
    client_cert = request.client_certificate

    # Verify certificate is valid and signed by trusted CA
    if not verify_certificate(client_cert):
        return 401_UNAUTHORIZED

    # Extract the service identity
    service_id = client_cert.subject.spiffe_id
    # e.g., "spiffe://company.com/services/web-api"

    # Check authorization policy
    if not is_authorized(service_id, request.resource):
        return 403_FORBIDDEN

    # Request is authenticated and authorized
    process_request(request)

Key Trade-Offs: The Real Costs

Zero Trust isn’t free or frictionless:

Complexity:

  • More infrastructure components (certificate management, identity systems, network policies)
  • More operational burden (managing policies at scale is hard)
  • Debugging is harder when requests need to pass multiple authorization checks

User Experience:

  • More authentication friction (though modern implementations are smoother)
  • Users might need to re-authenticate more frequently
  • Legitimate access sometimes gets denied due to policy misconfigurations

Performance:

  • mTLS adds CPU overhead to every request
  • Certificate verification takes time
  • Continuous identity verification adds latency
  • But the overhead is usually minimal with modern hardware

Organizational Change:

  • Security isn’t “someone else’s problem” anymore
  • Teams must think about least-privilege access
  • Requires continuous vigilance and monitoring
  • Cultural shift from “assume inside is safe” to “assume everything is risky”

Cost:

  • Identity management infrastructure (Okta, Azure AD, Google Cloud Identity)
  • Device management and mobile device management
  • Service mesh deployment and maintenance
  • Security monitoring and incident response
  • But compared to the cost of a breach, it’s reasonable investment

Key Takeaways

  1. The network perimeter is obsolete — Remote work, cloud computing, and supply chain risks mean there is no “inside” to protect anymore
  2. Assume breach — Design every system assuming attackers are already inside your network. Zero Trust is about damage limitation
  3. Verify everything, trust nothing — Every request requires authentication and authorization, regardless of source
  4. Least privilege is non-negotiable — Users and services get access to only what they need, nothing more
  5. Identity is the new perimeter — Who you are, what device you’re using, and where you are replace network-based security
  6. Automation is essential — Manually managing Zero Trust policies at scale is impossible. Use service meshes, policy engines, and automation
  7. It’s a journey, not a destination — Zero Trust implementation happens in phases. Start with identity, add device trust, then micro-segment, then monitor

Practice Scenarios

Scenario 1: The Compromised Contractor A contractor’s laptop is infected with malware, but they successfully authenticate with their password and MFA code. In a Zero Trust system, what additional checks might catch this? What signals indicate the device is compromised? (Hint: missing security patches, no disk encryption, outdated antivirus)

Scenario 2: The Privilege Escalation A junior engineer’s account is compromised. In a traditional model, the attacker now has access to all “internal” systems. How does Zero Trust limit what they can access? What would a least-privilege policy look like for this engineer?

Scenario 3: The Service-to-Service Exploit An attacker compromises Service A. They try to query the database directly. What prevents them? What if they try to call Service B (which is authorized to query the database)? How does mTLS help? What about authorization policies?

Looking Forward

Zero Trust Architecture is fundamental to modern security. But security isn’t just about authentication and authorization — it’s also about what we do after breach occurs. That’s where detection, response, and ongoing monitoring come in. As you design systems, remember: authentication and authorization are just entry gates. The real battle happens after someone gets inside.

We’ve now covered the security fundamentals that protect our systems from external threats (DDoS), insider threats (Zero Trust), and verified access. In the next chapter, we’ll shift focus to a different kind of challenge: making these secured systems fast. Security and performance are often in tension — encryption has overhead, verification takes time, logging consumes resources. Balancing them requires careful architectural decisions and the right trade-off analysis. Let’s talk about optimization.