SA.
ENVI

Blog post

Zero Trust Architecture: Identity Is the New Perimeter

Never trust, always verify — zero trust moves security from the network edge to every request, every service, every identity.

Category
system-design
Published
3D rendering of a blue padlock and fingerprint — cyber security and authentication concept

What zero trust replaces

The traditional security model assumed that everything inside the corporate network was trusted. A VPN gave you access to the network, and the network gave you access to services. This is the castle-and-moat model: hard on the outside, soft on the inside.

The model fails in two predictable ways. First, if an attacker gets inside the perimeter (via phishing, a compromised credential, or a supply chain attack) they can move laterally with little friction. Second, modern systems have no clear perimeter — services span multiple clouds, employees work remotely, and microservices talk across cluster boundaries.

Zero trust replaces network location with identity as the trust anchor. Being on the network grants nothing. Every request must be authenticated and authorized, regardless of where it originates.

The three principles

1. Verify explicitly. Authenticate and authorize every request using all available signals: identity, device health, location, time of day, behavioral patterns. Never grant access based on network location alone.

2. Use least privilege access. Every service, user, and device gets the minimum permissions needed. Access is time-limited where possible and revoked immediately when no longer needed.

3. Assume breach. Design as if attackers are already inside. Segment everything. Log everything. Minimize blast radius so that a single compromised service cannot access the entire system.

What you actually implement

Service-to-service authentication with mTLS

Mutual TLS (mTLS) is the foundation of zero trust for service communication. Both parties present certificates: the client authenticates the server (standard TLS) and the server authenticates the client (the "mutual" part).

In a service mesh like Istio or Linkerd, mTLS is enforced automatically. Each service gets a short-lived certificate (typically from SPIFFE/SPIRE), and the sidecar proxy handles the mTLS handshake transparently. Services cannot communicate unless both certificates are valid and authorized.

Centralized authorization policy

Authentication tells you who is calling. Authorization tells you what they're allowed to do. In a zero trust model, authorization policies are centralized and enforced at a policy engine, not scattered across application code.

Open Policy Agent (OPA) is the common choice: policies are written in Rego, evaluated at the sidecar or API gateway, and auditable. A service cannot bypass authorization by making a direct call — the proxy enforces the policy before the request reaches application code.

Short-lived credentials

Long-lived API keys are a liability. Zero trust systems use short-lived tokens (JWT with expiry, SPIFFE SVIDs, AWS STS temporary credentials) that expire within minutes to hours. If a token is leaked, the window of exposure is bounded.

Device trust for user access

For human access, zero trust extends to device health. A user with valid credentials on an unpatched, compromised laptop is not a trusted user. Device trust integrates with endpoint management (MDM) to verify patch level, disk encryption, and screen lock before granting access.

Where teams get stuck

Retrofitting legacy services. Services that authenticate using shared secrets or IP allowlists are hard to migrate. The practical path is to put them behind an API gateway or service mesh that handles mTLS on their behalf, then migrate internal auth incrementally.

Certificate rotation at scale. If you manage certificates manually, rotation becomes a reliability risk. Automate it from day one with cert-manager (Kubernetes) or SPIRE. Short-lived certificates that rotate automatically are more secure and more reliable than long-lived ones you remember to update.

Alert fatigue from excessive logging. Zero trust generates a lot of access log data. Without a clear threat model, you end up logging everything and alerting on nothing useful. Start with the high-value paths (admin access, cross-service calls with elevated privilege) and expand from there.

The migration path

Zero trust is not a single project — it is a direction. A pragmatic sequence:

  1. Inventory all service-to-service calls and map their current authentication (or lack of it).
  2. Deploy a service mesh in observe mode (log but do not block) to understand traffic patterns.
  3. Enable mTLS enforcement for one service at a time, starting with the highest-risk paths.
  4. Migrate user access to short-lived tokens and device-aware policies.
  5. Centralize authorization policy and remove authorization logic from application code.

Each step reduces blast radius. You do not need all of them before you are safer.