zero-trust-security
Zero-trust architecture operates on the principle: "Never trust, always verify." Unlike traditional perimeter-based security, zero-trust assumes breach and verifies every request regardless of origin.
Best use case
zero-trust-security is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Zero-trust architecture operates on the principle: "Never trust, always verify." Unlike traditional perimeter-based security, zero-trust assumes breach and verifies every request regardless of origin.
Teams using zero-trust-security should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/zero-trust/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How zero-trust-security Compares
| Feature / Agent | zero-trust-security | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Zero-trust architecture operates on the principle: "Never trust, always verify." Unlike traditional perimeter-based security, zero-trust assumes breach and verifies every request regardless of origin.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Zero-Trust Security
## Level 1: Quick Reference
### Core Principles
Zero-trust architecture operates on the principle: **"Never trust, always verify."** Unlike traditional perimeter-based security, zero-trust assumes breach and verifies every request regardless of origin.
**Fundamental Tenets:**
- No implicit trust based on network location
- Verify explicitly (authentication + authorization)
- Least privilege access (just-in-time, just-enough)
- Assume breach (limit blast radius, segment access)
- Inspect and log all traffic
### Common Zero-Trust Patterns
#### 1. Mutual TLS (mTLS)
```yaml
# Istio PeerAuthentication for strict mTLS
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: production
spec:
mtls:
mode: STRICT
```
**When to use:** Service-to-service authentication, encrypted communication between microservices.
#### 2. Service Mesh
- **Istio/Linkerd:** Transparent mTLS, traffic encryption, identity management
- **Consul Connect:** Service identity and authorization
- **AWS App Mesh:** Cloud-native service mesh
**Key benefits:** Automatic encryption, fine-grained policies, observability.
#### 3. BeyondCorp Model
```yaml
# Identity-aware proxy configuration
apiVersion: v1
kind: Service
metadata:
name: webapp
annotations:
cloud.google.com/neg: '{"ingress": true}'
cloud.google.com/backend-config: '{"default": "beyondcorp-config"}'
spec:
type: ClusterIP
ports:
- port: 8080
targetPort: 8080
```
**Use case:** Remote access without VPN, identity-based access to applications.
### Essential Checklist
**Identity & Authentication:**
- [ ] Workload identities for all services (SPIFFE/SPIRE)
- [ ] mTLS enabled for service-to-service communication
- [ ] Strong authentication (MFA, certificates, tokens)
- [ ] Identity lifecycle management (rotation, revocation)
**Authorization:**
- [ ] Fine-grained access policies (attribute-based)
- [ ] Least privilege by default
- [ ] Just-in-time access provisioning
- [ ] Policy enforcement at every access point
**Network Security:**
- [ ] Microsegmentation (NetworkPolicies, security groups)
- [ ] Encrypted communication (TLS 1.3+)
- [ ] Traffic inspection and filtering
- [ ] No trust based on network location
**Monitoring & Verification:**
- [ ] Continuous monitoring of authentication events
- [ ] Anomaly detection on access patterns
- [ ] Centralized logging (who, what, when, where)
- [ ] Regular access reviews and audits
**Architecture:**
- [ ] Policy Decision Point (PDP) implemented
- [ ] Policy Enforcement Point (PEP) at critical paths
- [ ] Policy Administration Point (PAP) for management
- [ ] Data plane and control plane separation
### Quick Wins
1. **Enable mTLS in service mesh** (2-4 hours)
- Deploy Istio/Linkerd
- Configure strict mTLS mode
- Verify with traffic inspection
2. **Implement Kubernetes NetworkPolicies** (1-2 hours)
- Default deny all traffic
- Explicit allow rules per service
- Test connectivity
3. **Deploy workload identities** (3-4 hours)
- Install SPIFFE/SPIRE
- Configure workload attestation
- Integrate with service mesh
---
## Level 2:
>
> **📚 Full Examples**: See [REFERENCE.md](./REFERENCE.md) for complete code samples, detailed configurations, and production-ready implementations.
Implementation Guide
### Zero-Trust Architecture Principles
Zero-trust architecture (ZTA) fundamentally reimagines security by eliminating implicit trust. Traditional castle-and-moat security assumes everything inside the perimeter is trustworthy, but ZTA treats every request as potentially hostile.
#### NIST 800-207 Zero Trust Tenets
1. **All data sources and computing services are considered resources**
- Applications, services, databases, IoT devices, containers
- Resources may be on-premises, cloud, edge, or hybrid
2. **All communication is secured regardless of network location**
- Encrypt all traffic (mTLS, TLS 1.3)
- No trust based on internal network position
- Apply same security to internal and external traffic
3. **Access to resources is granted on a per-session basis**
- Authentication and authorization for every request
- Continuous verification throughout session
- Short-lived credentials and tokens
4. **Access is determined by dynamic policy**
- User identity, device health, behavior, risk score
- Attribute-based access control (ABAC)
- Context-aware decisions (time, location, sensitivity)
5. **Monitor and measure integrity and security posture**
- Continuous monitoring of assets
- Real-time threat detection
- Security analytics and automation
6. **All resource authentication and authorization are dynamic and strictly enforced**
- No static rules or permanent access
- Adaptive policies based on risk
- Fail-secure by default
7. **Collect as much information as possible about current state**
- Asset inventory and behavior
- Network traffic analysis
- Security telemetry and logs
**NIST Controls:**
- **AC-4:** Information Flow Enforcement - Control information flow between security domains
- **SC-7:** Boundary Protection - Monitor and control communications at managed interfaces
- **SC-8:** Transmission Confidentiality and Integrity - Protect information during transmission
### Mutual TLS (mTLS) Implementation
Mutual TLS provides bidirectional authentication where both client and server verify each other's identity using certificates.
#### Certificate Management
*See [REFERENCE.md](./REFERENCE.md#example-0) for complete implementation.*
#### Istio mTLS Configuration
*See [REFERENCE.md](./REFERENCE.md#example-1) for complete implementation.*
#### Verification and Troubleshooting
*See [REFERENCE.md](./REFERENCE.md#example-2) for complete implementation.*
### Service Mesh for Zero-Trust
Service meshes provide a dedicated infrastructure layer for service-to-service communication with built-in security, observability, and traffic management.
#### Istio Architecture
*See [REFERENCE.md](./REFERENCE.md#example-3) for complete implementation.*
#### Authorization Policies
*See [REFERENCE.md](./REFERENCE.md#example-4) for complete implementation.*
#### Linkerd Alternative
*See [REFERENCE.md](./REFERENCE.md#example-5) for complete implementation.*
### Identity-Based Access (Workload Identities)
#### SPIFFE/SPIRE Implementation
SPIFFE (Secure Production Identity Framework For Everyone) provides a universal identity framework for workloads in heterogeneous environments.
*See [REFERENCE.md](./REFERENCE.md#example-6) for complete implementation.*
**SPIRE Server Configuration:**
*See [REFERENCE.md](./REFERENCE.md#example-7) for complete implementation.*
**SPIRE Agent Configuration:**
*See [REFERENCE.md](./REFERENCE.md#example-8) for complete implementation.*
#### Integrating SPIRE with Istio
*See [REFERENCE.md](./REFERENCE.md#example-9) for complete implementation.*
**Workload Identity Example:**
*See [REFERENCE.md](./REFERENCE.md#example-10) for complete implementation.*
### Network Segmentation (Microsegmentation)
Microsegmentation divides networks into small, isolated segments to limit lateral movement and reduce blast radius.
#### Kubernetes NetworkPolicies
*See [REFERENCE.md](./REFERENCE.md#example-11) for complete implementation.*
#### Cilium Network Policies (Advanced)
*See [REFERENCE.md](./REFERENCE.md#example-12) for complete implementation.*
### Continuous Verification and Monitoring
Zero-trust requires continuous validation of security posture and real-time threat detection.
#### Security Monitoring Stack
*See [REFERENCE.md](./REFERENCE.md#example-13) for complete implementation.*
#### Prometheus Metrics for Zero-Trust
*See [REFERENCE.md](./REFERENCE.md#example-14) for complete implementation.*
### BeyondCorp Model
BeyondCorp removes the concept of a privileged corporate network, treating all access as potentially hostile.
#### Identity-Aware Proxy (IAP)
*See [REFERENCE.md](./REFERENCE.md#example-15) for complete implementation.*
#### Open Policy Agent (OPA) for Context-Aware Access
*See [REFERENCE.md](./REFERENCE.md#example-16) for complete implementation.*
**OPA Integration with API Gateway:**
*See [REFERENCE.md](./REFERENCE.md#example-17) for complete implementation.*
### NIST 800-207 Zero Trust Architecture
NIST SP 800-207 provides a comprehensive framework for implementing zero-trust architecture in federal and enterprise systems.
#### Zero Trust Architecture Components
**1. Policy Engine (PE):**
- Grants or denies access to resources
- Uses Policy Administrator to execute decisions
- Considers user, device, resource, and contextual attributes
**2. Policy Administrator (PA):**
- Establishes/shuts down communication paths
- Generates session-specific authentication tokens
- Instructs Policy Enforcement Points
**3. Policy Enforcement Point (PEP):**
- Enables, monitors, and terminates connections
- Forwards requests to Policy Engine
- Can be gateway, agent, or access proxy
**Implementation Example:**
*See [REFERENCE.md](./REFERENCE.md#example-18) for complete implementation.*
#### Trust Algorithm (TA)
The Trust Algorithm computes trust scores based on multiple inputs:
*See [REFERENCE.md](./REFERENCE.md#example-19) for complete implementation.*
---
## Level 3: Deep Dive Resources
### Official Documentation
**NIST Standards:**
- [NIST SP 800-207: Zero Trust Architecture](https://csrc.nist.gov/publications/detail/sp/800-207/final)
- [NIST SP 800-53: Security and Privacy Controls](https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final)
**SPIFFE/SPIRE:**
- [SPIFFE Specification](https://github.com/spiffe/spiffe)
- [SPIRE Documentation](https://spiffe.io/docs/latest/spire-about/)
**Service Mesh:**
- [Istio Security](https://istio.io/latest/docs/concepts/security/)
- [Linkerd Security](https://linkerd.io/2/features/automatic-mtls/)
**BeyondCorp:**
- [BeyondCorp Research Papers](https://cloud.google.com/beyondcorp)
- [Identity-Aware Proxy](https://cloud.google.com/iap/docs)
### Books & Guides
- **"Zero Trust Networks"** by Evan Gilman & Doug Barth (O'Reilly)
- **"BeyondCorp: Design Your Own Zero Trust Network"** by Juana A. & Neal M.
- **"Zero Trust Security: An Enterprise Guide"** by Jason Garbis & Jerry Chapman
### Tools & Projects
**Zero-Trust Platforms:**
- Palo Alto Prisma Access
- Zscaler Private Access
- Cloudflare Access
- Google BeyondCorp
**Open Source:**
- Open Policy Agent (OPA)
- Envoy Proxy
- Istio Service Mesh
- SPIFFE/SPIRE
### Training & Certifications
- **SANS SEC530:** Defensible Security Architecture and Engineering
- **Cloud Security Alliance:** CCSK (Certificate of Cloud Security Knowledge)
- **Kubernetes Security Specialist (CKS)**
### Related Skills
Deepen your zero-trust expertise with these complementary skills:
- **Secrets Management:** Vault, sealed secrets, external secrets operator
- **Secure API Design:** OAuth2, OIDC, API gateways
- **Security Monitoring:** SIEM, threat detection, incident response
### Community Resources
- [r/netsec](https://reddit.com/r/netsec)
- [Cloud Native Security Day](https://events.linuxfoundation.org/cloud-native-security-day-north-america/)
- [OWASP](https://owasp.org/)
## Examples
### Basic Usage
```rust
// TODO: Add basic example for zero-trust
// This example demonstrates core functionality
```
### Advanced Usage
```rust
// TODO: Add advanced example for zero-trust
// This example shows production-ready patterns
```
### Integration Example
```rust
// TODO: Add integration example showing how zero-trust
// works with other systems and services
```
See `examples/zero-trust/` for complete working examples.
## Integration Points
This skill integrates with:
### Upstream Dependencies
- **Tools**: Common development tools and frameworks
- **Prerequisites**: Basic understanding of general concepts
### Downstream Consumers
- **Applications**: Production systems requiring zero-trust functionality
- **CI/CD Pipelines**: Automated testing and deployment workflows
- **Monitoring Systems**: Observability and logging platforms
### Related Skills
- See other skills in this category
### Common Integration Patterns
1. **Development Workflow**: How this skill fits into daily development
2. **Production Deployment**: Integration with production systems
3. **Monitoring & Alerting**: Observability integration points
## Common Pitfalls
### Pitfall 1: Insufficient Testing
**Problem:** Not testing edge cases and error conditions leads to production bugs
**Solution:** Implement comprehensive test coverage including:
- Happy path scenarios
- Error handling and edge cases
- Integration points with external systems
**Prevention:** Enforce minimum code coverage (80%+) in CI/CD pipeline
### Pitfall 2: Hardcoded Configuration
**Problem:** Hardcoding values makes applications inflexible and environment-dependent
**Solution:** Use environment variables and configuration management:
- Separate config from code
- Use environment-specific configuration files
- Never commit secrets to version control
**Prevention:** Use tools like dotenv, config validators, and secret scanners
### Pitfall 3: Ignoring Security Best Practices
**Problem:** Security vulnerabilities from not following established security patterns
**Solution:** Follow security guidelines:
- Input validation and sanitization
- Proper authentication and authorization
- Encrypted data transmission (TLS/SSL)
- Regular security audits and updates
**Prevention:** Use security linters, SAST tools, and regular dependency updates
**Best Practices:**
- Follow established patterns and conventions for zero-trust
- Keep dependencies up to date and scan for vulnerabilities
- Write comprehensive documentation and inline comments
- Use linting and formatting tools consistently
- Implement proper error handling and logging
- Regular code reviews and pair programming
- Monitor production metrics and set up alerts
---
## Bundled Resources
See `templates/`, `resources/`, and `scripts/` directories for:
- mTLS configuration examples
- SPIFFE workload identity templates
- NetworkPolicy examples
- Zero-trust architecture diagrams
- Automation scripts
- NIST 800-207 compliance checklist