zero-trust-security

Zero-trust architecture operates on the principle: "Never trust, always verify." Unlike traditional perimeter-based security, zero-trust assumes breach and verifies every request regardless of origin.

Best use case

zero-trust-security is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Zero-trust architecture operates on the principle: "Never trust, always verify." Unlike traditional perimeter-based security, zero-trust assumes breach and verifies every request regardless of origin.

Teams using zero-trust-security should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/zero-trust/SKILL.md --create-dirs "https://raw.githubusercontent.com/williamzujkowski/standards/main/skills/security/zero-trust/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/zero-trust/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How zero-trust-security Compares

Feature / Agentzero-trust-securityStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Zero-trust architecture operates on the principle: "Never trust, always verify." Unlike traditional perimeter-based security, zero-trust assumes breach and verifies every request regardless of origin.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Zero-Trust Security

## Level 1: Quick Reference

### Core Principles

Zero-trust architecture operates on the principle: **"Never trust, always verify."** Unlike traditional perimeter-based security, zero-trust assumes breach and verifies every request regardless of origin.

**Fundamental Tenets:**

- No implicit trust based on network location
- Verify explicitly (authentication + authorization)
- Least privilege access (just-in-time, just-enough)
- Assume breach (limit blast radius, segment access)
- Inspect and log all traffic

### Common Zero-Trust Patterns

#### 1. Mutual TLS (mTLS)

```yaml
# Istio PeerAuthentication for strict mTLS
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: production
spec:
  mtls:
    mode: STRICT
```

**When to use:** Service-to-service authentication, encrypted communication between microservices.

#### 2. Service Mesh

- **Istio/Linkerd:** Transparent mTLS, traffic encryption, identity management
- **Consul Connect:** Service identity and authorization
- **AWS App Mesh:** Cloud-native service mesh

**Key benefits:** Automatic encryption, fine-grained policies, observability.

#### 3. BeyondCorp Model

```yaml
# Identity-aware proxy configuration
apiVersion: v1
kind: Service
metadata:
  name: webapp
  annotations:
    cloud.google.com/neg: '{"ingress": true}'
    cloud.google.com/backend-config: '{"default": "beyondcorp-config"}'
spec:
  type: ClusterIP
  ports:
    - port: 8080
      targetPort: 8080
```

**Use case:** Remote access without VPN, identity-based access to applications.

### Essential Checklist

**Identity & Authentication:**

- [ ] Workload identities for all services (SPIFFE/SPIRE)
- [ ] mTLS enabled for service-to-service communication
- [ ] Strong authentication (MFA, certificates, tokens)
- [ ] Identity lifecycle management (rotation, revocation)

**Authorization:**

- [ ] Fine-grained access policies (attribute-based)
- [ ] Least privilege by default
- [ ] Just-in-time access provisioning
- [ ] Policy enforcement at every access point

**Network Security:**

- [ ] Microsegmentation (NetworkPolicies, security groups)
- [ ] Encrypted communication (TLS 1.3+)
- [ ] Traffic inspection and filtering
- [ ] No trust based on network location

**Monitoring & Verification:**

- [ ] Continuous monitoring of authentication events
- [ ] Anomaly detection on access patterns
- [ ] Centralized logging (who, what, when, where)
- [ ] Regular access reviews and audits

**Architecture:**

- [ ] Policy Decision Point (PDP) implemented
- [ ] Policy Enforcement Point (PEP) at critical paths
- [ ] Policy Administration Point (PAP) for management
- [ ] Data plane and control plane separation

### Quick Wins

1. **Enable mTLS in service mesh** (2-4 hours)
   - Deploy Istio/Linkerd
   - Configure strict mTLS mode
   - Verify with traffic inspection

2. **Implement Kubernetes NetworkPolicies** (1-2 hours)
   - Default deny all traffic
   - Explicit allow rules per service
   - Test connectivity

3. **Deploy workload identities** (3-4 hours)
   - Install SPIFFE/SPIRE
   - Configure workload attestation
   - Integrate with service mesh

---

## Level 2:
>
> **📚 Full Examples**: See [REFERENCE.md](./REFERENCE.md) for complete code samples, detailed configurations, and production-ready implementations.

 Implementation Guide

### Zero-Trust Architecture Principles

Zero-trust architecture (ZTA) fundamentally reimagines security by eliminating implicit trust. Traditional castle-and-moat security assumes everything inside the perimeter is trustworthy, but ZTA treats every request as potentially hostile.

#### NIST 800-207 Zero Trust Tenets

1. **All data sources and computing services are considered resources**
   - Applications, services, databases, IoT devices, containers
   - Resources may be on-premises, cloud, edge, or hybrid

2. **All communication is secured regardless of network location**
   - Encrypt all traffic (mTLS, TLS 1.3)
   - No trust based on internal network position
   - Apply same security to internal and external traffic

3. **Access to resources is granted on a per-session basis**
   - Authentication and authorization for every request
   - Continuous verification throughout session
   - Short-lived credentials and tokens

4. **Access is determined by dynamic policy**
   - User identity, device health, behavior, risk score
   - Attribute-based access control (ABAC)
   - Context-aware decisions (time, location, sensitivity)

5. **Monitor and measure integrity and security posture**
   - Continuous monitoring of assets
   - Real-time threat detection
   - Security analytics and automation

6. **All resource authentication and authorization are dynamic and strictly enforced**
   - No static rules or permanent access
   - Adaptive policies based on risk
   - Fail-secure by default

7. **Collect as much information as possible about current state**
   - Asset inventory and behavior
   - Network traffic analysis
   - Security telemetry and logs

**NIST Controls:**

- **AC-4:** Information Flow Enforcement - Control information flow between security domains
- **SC-7:** Boundary Protection - Monitor and control communications at managed interfaces
- **SC-8:** Transmission Confidentiality and Integrity - Protect information during transmission

### Mutual TLS (mTLS) Implementation

Mutual TLS provides bidirectional authentication where both client and server verify each other's identity using certificates.

#### Certificate Management


*See [REFERENCE.md](./REFERENCE.md#example-0) for complete implementation.*


#### Istio mTLS Configuration


*See [REFERENCE.md](./REFERENCE.md#example-1) for complete implementation.*


#### Verification and Troubleshooting


*See [REFERENCE.md](./REFERENCE.md#example-2) for complete implementation.*


### Service Mesh for Zero-Trust

Service meshes provide a dedicated infrastructure layer for service-to-service communication with built-in security, observability, and traffic management.

#### Istio Architecture


*See [REFERENCE.md](./REFERENCE.md#example-3) for complete implementation.*


#### Authorization Policies


*See [REFERENCE.md](./REFERENCE.md#example-4) for complete implementation.*


#### Linkerd Alternative


*See [REFERENCE.md](./REFERENCE.md#example-5) for complete implementation.*


### Identity-Based Access (Workload Identities)

#### SPIFFE/SPIRE Implementation

SPIFFE (Secure Production Identity Framework For Everyone) provides a universal identity framework for workloads in heterogeneous environments.


*See [REFERENCE.md](./REFERENCE.md#example-6) for complete implementation.*


**SPIRE Server Configuration:**


*See [REFERENCE.md](./REFERENCE.md#example-7) for complete implementation.*


**SPIRE Agent Configuration:**


*See [REFERENCE.md](./REFERENCE.md#example-8) for complete implementation.*


#### Integrating SPIRE with Istio


*See [REFERENCE.md](./REFERENCE.md#example-9) for complete implementation.*


**Workload Identity Example:**


*See [REFERENCE.md](./REFERENCE.md#example-10) for complete implementation.*


### Network Segmentation (Microsegmentation)

Microsegmentation divides networks into small, isolated segments to limit lateral movement and reduce blast radius.

#### Kubernetes NetworkPolicies


*See [REFERENCE.md](./REFERENCE.md#example-11) for complete implementation.*


#### Cilium Network Policies (Advanced)


*See [REFERENCE.md](./REFERENCE.md#example-12) for complete implementation.*


### Continuous Verification and Monitoring

Zero-trust requires continuous validation of security posture and real-time threat detection.

#### Security Monitoring Stack


*See [REFERENCE.md](./REFERENCE.md#example-13) for complete implementation.*


#### Prometheus Metrics for Zero-Trust


*See [REFERENCE.md](./REFERENCE.md#example-14) for complete implementation.*


### BeyondCorp Model

BeyondCorp removes the concept of a privileged corporate network, treating all access as potentially hostile.

#### Identity-Aware Proxy (IAP)


*See [REFERENCE.md](./REFERENCE.md#example-15) for complete implementation.*


#### Open Policy Agent (OPA) for Context-Aware Access


*See [REFERENCE.md](./REFERENCE.md#example-16) for complete implementation.*


**OPA Integration with API Gateway:**


*See [REFERENCE.md](./REFERENCE.md#example-17) for complete implementation.*


### NIST 800-207 Zero Trust Architecture

NIST SP 800-207 provides a comprehensive framework for implementing zero-trust architecture in federal and enterprise systems.

#### Zero Trust Architecture Components

**1. Policy Engine (PE):**

- Grants or denies access to resources
- Uses Policy Administrator to execute decisions
- Considers user, device, resource, and contextual attributes

**2. Policy Administrator (PA):**

- Establishes/shuts down communication paths
- Generates session-specific authentication tokens
- Instructs Policy Enforcement Points

**3. Policy Enforcement Point (PEP):**

- Enables, monitors, and terminates connections
- Forwards requests to Policy Engine
- Can be gateway, agent, or access proxy

**Implementation Example:**


*See [REFERENCE.md](./REFERENCE.md#example-18) for complete implementation.*


#### Trust Algorithm (TA)

The Trust Algorithm computes trust scores based on multiple inputs:


*See [REFERENCE.md](./REFERENCE.md#example-19) for complete implementation.*


---

## Level 3: Deep Dive Resources

### Official Documentation

**NIST Standards:**

- [NIST SP 800-207: Zero Trust Architecture](https://csrc.nist.gov/publications/detail/sp/800-207/final)
- [NIST SP 800-53: Security and Privacy Controls](https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final)

**SPIFFE/SPIRE:**

- [SPIFFE Specification](https://github.com/spiffe/spiffe)
- [SPIRE Documentation](https://spiffe.io/docs/latest/spire-about/)

**Service Mesh:**

- [Istio Security](https://istio.io/latest/docs/concepts/security/)
- [Linkerd Security](https://linkerd.io/2/features/automatic-mtls/)

**BeyondCorp:**

- [BeyondCorp Research Papers](https://cloud.google.com/beyondcorp)
- [Identity-Aware Proxy](https://cloud.google.com/iap/docs)

### Books & Guides

- **"Zero Trust Networks"** by Evan Gilman & Doug Barth (O'Reilly)
- **"BeyondCorp: Design Your Own Zero Trust Network"** by Juana A. & Neal M.
- **"Zero Trust Security: An Enterprise Guide"** by Jason Garbis & Jerry Chapman

### Tools & Projects

**Zero-Trust Platforms:**

- Palo Alto Prisma Access
- Zscaler Private Access
- Cloudflare Access
- Google BeyondCorp

**Open Source:**

- Open Policy Agent (OPA)
- Envoy Proxy
- Istio Service Mesh
- SPIFFE/SPIRE

### Training & Certifications

- **SANS SEC530:** Defensible Security Architecture and Engineering
- **Cloud Security Alliance:** CCSK (Certificate of Cloud Security Knowledge)
- **Kubernetes Security Specialist (CKS)**

### Related Skills

Deepen your zero-trust expertise with these complementary skills:

- **Secrets Management:** Vault, sealed secrets, external secrets operator
- **Secure API Design:** OAuth2, OIDC, API gateways
- **Security Monitoring:** SIEM, threat detection, incident response

### Community Resources

- [r/netsec](https://reddit.com/r/netsec)
- [Cloud Native Security Day](https://events.linuxfoundation.org/cloud-native-security-day-north-america/)
- [OWASP](https://owasp.org/)

## Examples

### Basic Usage

```rust
// TODO: Add basic example for zero-trust
// This example demonstrates core functionality
```

### Advanced Usage

```rust
// TODO: Add advanced example for zero-trust
// This example shows production-ready patterns
```

### Integration Example

```rust
// TODO: Add integration example showing how zero-trust
// works with other systems and services
```

See `examples/zero-trust/` for complete working examples.

## Integration Points

This skill integrates with:

### Upstream Dependencies

- **Tools**: Common development tools and frameworks
- **Prerequisites**: Basic understanding of general concepts

### Downstream Consumers

- **Applications**: Production systems requiring zero-trust functionality
- **CI/CD Pipelines**: Automated testing and deployment workflows
- **Monitoring Systems**: Observability and logging platforms

### Related Skills

- See other skills in this category

### Common Integration Patterns

1. **Development Workflow**: How this skill fits into daily development
2. **Production Deployment**: Integration with production systems
3. **Monitoring & Alerting**: Observability integration points

## Common Pitfalls

### Pitfall 1: Insufficient Testing

**Problem:** Not testing edge cases and error conditions leads to production bugs

**Solution:** Implement comprehensive test coverage including:

- Happy path scenarios
- Error handling and edge cases
- Integration points with external systems

**Prevention:** Enforce minimum code coverage (80%+) in CI/CD pipeline

### Pitfall 2: Hardcoded Configuration

**Problem:** Hardcoding values makes applications inflexible and environment-dependent

**Solution:** Use environment variables and configuration management:

- Separate config from code
- Use environment-specific configuration files
- Never commit secrets to version control

**Prevention:** Use tools like dotenv, config validators, and secret scanners

### Pitfall 3: Ignoring Security Best Practices

**Problem:** Security vulnerabilities from not following established security patterns

**Solution:** Follow security guidelines:

- Input validation and sanitization
- Proper authentication and authorization
- Encrypted data transmission (TLS/SSL)
- Regular security audits and updates

**Prevention:** Use security linters, SAST tools, and regular dependency updates

**Best Practices:**

- Follow established patterns and conventions for zero-trust
- Keep dependencies up to date and scan for vulnerabilities
- Write comprehensive documentation and inline comments
- Use linting and formatting tools consistently
- Implement proper error handling and logging
- Regular code reviews and pair programming
- Monitor production metrics and set up alerts

---

## Bundled Resources

See `templates/`, `resources/`, and `scripts/` directories for:

- mTLS configuration examples
- SPIFFE workload identity templates
- NetworkPolicy examples
- Zero-trust architecture diagrams
- Automation scripts
- NIST 800-207 compliance checklist

Related Skills

We are still matching the closest adjacent skills for this page. In the meantime, continue through the full directory.