zero-trust-architecture
8
总安装量
5
周安装量
#35967
全站排名
安装命令
npx skills add https://github.com/melodic-software/claude-code-plugins --skill zero-trust-architecture
Agent 安装分布
antigravity
3
codex
3
gemini-cli
3
trae
2
windsurf
2
Skill 文档
Zero Trust Architecture
Comprehensive guide to zero trust security architecture – the “never trust, always verify” approach to modern security.
When to Use This Skill
- Designing security architecture for new systems
- Migrating from perimeter-based security
- Implementing microsegmentation
- Evaluating identity-based access controls
- Understanding ZTNA (Zero Trust Network Access)
- Assessing security posture
Core Principles
Zero Trust Pillars:
1. Never Trust, Always Verify
âââ Every request is verified regardless of origin
âââ No implicit trust based on network location
âââ Continuous authentication and authorization
2. Least Privilege Access
âââ Minimum permissions required for the task
âââ Just-in-time access when possible
âââ Just-enough-access for the operation
3. Assume Breach
âââ Design as if attackers are already inside
âââ Minimize blast radius of any compromise
âââ Continuous monitoring and verification
4. Explicit Verification
âââ Verify user identity
âââ Verify device health
âââ Verify request context
âââ Make access decisions at each request
Architecture Components
Identity Layer
Identity Provider (IdP):
âââ Multi-factor authentication (MFA)
âââ Single sign-on (SSO)
âââ Federated identity
âââ Privileged access management (PAM)
User Identity:
- Strong authentication required
- Continuous session validation
- Risk-based authentication
- Context-aware access decisions
Service Identity:
- Machine identity management
- Service accounts with rotation
- Certificate-based authentication
- Workload identity
Device Layer
Device Trust Assessment:
âââ Device health attestation
âââ Endpoint detection and response (EDR)
âââ Mobile device management (MDM)
âââ Certificate-based device identity
âââ Posture assessment
Device Trust Signals:
- Is the device managed/enrolled?
- Is the OS up to date?
- Is security software running?
- Are there known vulnerabilities?
- Is there anomalous behavior?
Network Layer
Microsegmentation:
âââââââââââââââââââââââââââââââââââââââââââ
â Traditional â
â ââââââââââââââââââââââââââââââââââââ â
â â Flat Internal Network â â
â â Trust everything inside â â
â ââââââââââââââââââââââââââââââââââââ â
â â â
â Zero Trust â
â âââââââ âââââââ âââââââ âââââââ â
â â Seg â â Seg â â Seg â â Seg â â
â â A â â B â â C â â D â â
â ââââ¬âââ ââââ¬âââ ââââ¬âââ ââââ¬âââ â
â â â â â â
â All traffic verified at each hop â
âââââââââââââââââââââââââââââââââââââââââââ
Network Controls:
- Software-defined perimeter (SDP)
- Network access control (NAC)
- DNS security
- Encrypted communications (mTLS)
Application Layer
Application Security:
âââ API gateway with authentication
âââ Service mesh for service-to-service
âââ Web application firewall (WAF)
âââ Runtime application self-protection (RASP)
âââ Secure software supply chain
Access Control:
- Attribute-based access control (ABAC)
- Role-based access control (RBAC)
- Policy-based access control
- Just-in-time access provisioning
Data Layer
Data Protection:
âââ Classification and labeling
âââ Encryption at rest and in transit
âââ Data loss prevention (DLP)
âââ Rights management
âââ Tokenization/masking
Data Access:
- Need-to-know basis
- Fine-grained access control
- Audit logging for all access
- Data residency compliance
Implementation Patterns
Pattern 1: Identity-Aware Proxy
âââââââââââââââââââââ
â Identity Proxy â
â (BeyondCorp-style)â
âââââââââââ¬ââââââââââ
â
âââââââââââââââââââââââ¼ââââââââââââââââââââââ
â â â
ââââââ¼âââââ ââââââ¼âââââ ââââââ¼âââââ
â User â â Device â â Context â
â Identityâ â Trust â â Eval â
ââââââ¬âââââ ââââââ¬âââââ ââââââ¬âââââ
â â â
âââââââââââââââââââââââ¼ââââââââââââââââââââââ
â
âââââââââââ¼ââââââââââ
â Access Decision â
âââââââââââ¬ââââââââââ
â
âââââââââââ¼ââââââââââ
â Application â
âââââââââââââââââââââ
How it works:
1. User requests access to application
2. Proxy checks user identity (authentication)
3. Proxy evaluates device trust score
4. Proxy considers context (location, time, behavior)
5. Policy engine makes access decision
6. If approved, proxy provides access
Pattern 2: Service Mesh Zero Trust
âââââââââââââââââââââââââââââââââââââââââââââââââââ
â Control Plane â
â ââââââââââââ ââââââââââââ ââââââââââââ â
â â Policy â â Cert â â Config â â
â â Engine â â Authorityâ â Store â â
â ââââââ¬ââââââ ââââââ¬ââââââ ââââââ¬ââââââ â
âââââââââ¼ââââââââââââââ¼ââââââââââââââ¼âââââââââââââ
â â â
âââââââââ¼ââââââââââââââ¼ââââââââââââââ¼âââââââââââââ
â Data Plane â
â âââââââââââââââ âââââââââââââââ â
â â Service A ââââmTLSâââºâ Service B â â
â â âââââââââ â â âââââââââ â â
â â â Proxy â â â â Proxy â â â
â â âââââââââ â â âââââââââ â â
â âââââââââââââââ âââââââââââââââ â
âââââââââââââââââââââââââââââââââââââââââââââââââââ
Service mesh provides:
- mTLS between all services
- Fine-grained authorization policies
- Service-to-service identity
- Traffic encryption everywhere
- Policy enforcement at the proxy
Pattern 3: ZTNA (Zero Trust Network Access)
Traditional VPN:
User ââ⺠VPN ââ⺠Full Network Access
ZTNA (Zero Trust Network Access):
User ââ⺠ZTNA Broker ââ⺠Specific App Only
â
âââââââ¼ââââââ
â Evaluate: â
â - Identityâ
â - Device â
â - Context â
â - Policy â
âââââââ¬ââââââ
â
Access to ONE application
(not entire network)
ZTNA Benefits:
- Application-level access, not network-level
- Invisible infrastructure (no exposed IPs)
- Consistent policy regardless of location
- Reduced attack surface
Trust Evaluation
Continuous Trust Scoring
Trust Score Components:
User Trust:
âââ Authentication strength [0-25 points]
âââ Session age/freshness [0-15 points]
âââ Behavioral anomalies [0-20 points]
âââ Historical patterns [0-10 points]
Device Trust:
âââ Device management status [0-20 points]
âââ Security posture [0-20 points]
âââ Patch level [0-15 points]
âââ Certificate validity [0-10 points]
Context Trust:
âââ Network location [0-15 points]
âââ Geolocation [0-10 points]
âââ Time of access [0-10 points]
âââ Request patterns [0-15 points]
Total Score: 0-185 points
Policy Example:
- Score > 150: Full access
- Score 100-150: Limited access + step-up auth
- Score 50-100: Read-only access
- Score < 50: Block access
Risk-Based Access Decisions
Access Decision Matrix:
â Low-Risk Resource â High-Risk Resource
âââââââââââââââââââââ¼ââââââââââââââââââââ¼ââââââââââââââââââââ
High Trust Score â Allow â Allow
Medium Trust Score â Allow â MFA Challenge
Low Trust Score â MFA Challenge â Block + Alert
Dynamic Factors:
- Time-based: Unusual access hours?
- Location-based: Unusual geography?
- Behavior-based: Unusual patterns?
- Resource-based: Sensitive data access?
Implementation Roadmap
Phase 1: Visibility and Identity
Duration: 3-6 months
Steps:
1. Inventory all users, devices, applications
2. Implement strong identity management
3. Enable MFA everywhere
4. Deploy comprehensive logging
5. Establish baseline behaviors
Success Criteria:
â¡ 100% user MFA coverage
â¡ Complete asset inventory
â¡ Centralized authentication
â¡ Security event visibility
Phase 2: Device Trust
Duration: 3-6 months
Steps:
1. Implement device management (MDM/UEM)
2. Deploy endpoint security (EDR)
3. Establish device trust policies
4. Enable device health attestation
5. Enforce device compliance
Success Criteria:
â¡ All devices managed/enrolled
â¡ Device posture assessment active
â¡ Non-compliant devices blocked
â¡ Certificate-based device identity
Phase 3: Microsegmentation
Duration: 6-12 months
Steps:
1. Map application dependencies
2. Define segmentation policies
3. Implement network controls
4. Deploy software-defined perimeter
5. Enable east-west traffic inspection
Success Criteria:
â¡ Critical apps microsegmented
â¡ East-west traffic encrypted
â¡ Lateral movement restricted
â¡ Segment-level monitoring
Phase 4: Adaptive Access
Duration: 3-6 months
Steps:
1. Implement risk scoring
2. Deploy policy decision points
3. Enable continuous authentication
4. Implement just-in-time access
5. Automate access decisions
Success Criteria:
â¡ Risk-based access decisions
â¡ Context-aware policies
â¡ Automated access reviews
â¡ Just-in-time privileged access
Anti-Patterns
Zero Trust Anti-Patterns:
1. "Zero Trust In Name Only"
â Adding MFA and calling it zero trust
â Comprehensive identity + device + network + data controls
2. "Perimeter Replacement"
â Replacing VPN with ZTNA without other controls
â ZTNA as part of comprehensive architecture
3. "Trust The Internal Network"
â Applying zero trust only at the edge
â Verify all traffic, including internal
4. "One-Time Verification"
â Verify at login, trust for session duration
â Continuous verification throughout session
5. "Security Theater"
â Complex controls that users bypass
â Frictionless security that's hard to bypass
Technology Options
Identity & Access:
- Azure AD / Entra ID
- Okta
- Ping Identity
- Google Identity
ZTNA Solutions:
- Zscaler Private Access
- Cloudflare Access
- Palo Alto Prisma Access
- Tailscale
Service Mesh:
- Istio
- Linkerd
- Consul Connect
- AWS App Mesh
Device Management:
- Microsoft Intune
- Jamf
- VMware Workspace ONE
- Google Endpoint Management
Related Skills
api-security– OAuth, OIDC, JWT patternsmtls-service-mesh– Service-to-service securitysecrets-management– Credential and secret handlingobservability-patterns– Security monitoring and detection