IT AI Skill
Zero Trust Security
Design and implement zero-trust security architectures with continuous verification, least-privilege access, micro-segmentation, and device/identity verification. Use when building zero-trust frameworks, implementing network segmentation, configuring identi...
Zero Trust Security Architecture
Design and implement zero-trust security frameworks that enforce continuous verification, least-privilege access, micro-segmentation, and comprehensive identity and device verification across all network access.
Workflow
Phase 1: Zero Trust Assessment & Planning
- Current state assessment:
- Network topology mapping (on-prem, cloud, hybrid, SaaS)
- Identity landscape: directories, authentication methods, MFA adoption
- Application inventory and criticality classification
- Data classification and sensitivity mapping
- Current access patterns and privilege analysis
- Gap analysis against zero-trust principles
- Define trust boundaries:
- Identify critical assets and data requiring highest protection
- Define policy decision points (PDP) and policy enforcement points (PEP)
- Establish trust factors: identity, device health, location, behavior, context
- Determine minimum trust score required per resource
- Develop implementation roadmap:
- Phase 1: Visibility and identity foundation
- Phase 2: Access control and MFA enforcement
- Phase 3: Device posture and micro-segmentation
- Phase 4: Continuous monitoring and adaptive policies
- Phase 5: Automation and self-healing
Phase 2: Identity & Access Foundation
- Strong identity verification:
- Multi-factor authentication (MFA) for all users and systems
- Phishing-resistant authentication (FIDO2, Windows Hello, passkeys)
- Just-in-time (JIT) provisioning and just-enough-access (JEA)
- Role-based access control (RBAC) and attribute-based access control (ABAC)
- Privileged access management (PAM) for admin accounts
- Device trust assessment:
- Device compliance checking (OS version, patches, encryption, EDR status)
- Device inventory and classification (corporate-managed, BYOD, IoT)
- Conditional access policies based on device trust score
- Certificate-based device authentication
- Network micro-segmentation:
- Segment by: department, application, data sensitivity, geography
- East-west traffic controls (server-to-server, workstation-to-server)
- North-south traffic controls (external to internal)
- Zero-trust network access (ZTNA) replacing VPN
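The east-west controls above come down to one rule: a flow between segments is denied unless it is a documented required flow or covered by a live, owned exception. The following is an added example (not code from the original page) of that decision as a policy check, written so it could sit in a CI gate or a PEP; the segment names, CIDRs, flow shape, exception record format and sample dates are all constructed for the illustration.

```python
"""Default-deny east-west policy check with time-bound exceptions (added example)."""
import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional, Tuple

# Assumed segmentation: segment name -> CIDRs. Anything outside these is unclassified.
SEGMENTS = {
    "workstations": ["10.10.0.0/16"],
    "app-tier":     ["10.20.0.0/24"],
    "db-tier":      ["10.30.0.0/24"],
    "mgmt":         ["10.99.0.0/24"],
}

# Documented required flows: (src segment, dst segment, dst port, proto).
# Note there is deliberately no workstations -> db-tier entry: that path is
# the classic lateral-movement route and must go through the app tier.
ALLOWED = {
    ("workstations", "app-tier", 443, "tcp"),
    ("app-tier", "db-tier", 5432, "tcp"),
    ("mgmt", "db-tier", 22, "tcp"),
}


@dataclass(frozen=True)
class Flow:
    src: str       # source IP
    dst: str       # destination IP
    port: int      # destination port
    proto: str = "tcp"


@dataclass(frozen=True)
class PolicyException:
    """Exception-process record: who owns it (ticket) and when it stops matching."""
    rule: Tuple[str, str, int, str]   # same shape as ALLOWED entries
    ticket: str
    expires: date


# Constructed sample data for the demonstration.
AS_OF = date(2025, 1, 15)
SAMPLE_EXCEPTIONS = [
    PolicyException(("workstations", "db-tier", 5432, "tcp"), "CHG-1042", date(2025, 3, 31)),  # still valid
    PolicyException(("workstations", "mgmt", 22, "tcp"), "CHG-0877", date(2024, 12, 31)),      # lapsed
]


def segment_of(ip: str) -> Optional[str]:
    """Return the segment containing ip, or None if it is not in any known segment."""
    addr = ipaddress.ip_address(ip)
    for name, cidrs in SEGMENTS.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return name
    return None


def evaluate_flow(flow: Flow, exceptions: Iterable[PolicyException] = (),
                  today: Optional[date] = None) -> Tuple[str, str]:
    """Decide allow/deny for one flow and say why. Default is deny."""
    today = today or date.today()
    src, dst = segment_of(flow.src), segment_of(flow.dst)
    if src is None or dst is None:
        return "deny", "unclassified endpoint"      # unknown hosts get no east-west access
    key = (src, dst, flow.port, flow.proto)
    if key in ALLOWED:
        return "allow", "documented flow"
    for exc in exceptions:
        if exc.rule == key:
            if exc.expires >= today:
                return "allow", f"exception {exc.ticket} (expires {exc.expires})"
            return "deny", f"exception {exc.ticket} expired {exc.expires}"
    return "deny", "no matching rule (default deny)"


def expiring_soon(exceptions: Iterable[PolicyException], today: date,
                  days: int = 90) -> List[PolicyException]:
    """Exceptions due for the periodic review: still valid but expiring within `days`."""
    horizon = today + timedelta(days=days)
    return [e for e in exceptions if today <= e.expires <= horizon]


if __name__ == "__main__":
    for f in (Flow("10.10.4.7", "10.20.0.5", 443), Flow("10.10.4.7", "10.30.0.5", 5432),
              Flow("10.10.4.7", "10.99.0.3", 22), Flow("192.168.1.1", "10.30.0.5", 5432)):
        print(f, *evaluate_flow(f, SAMPLE_EXCEPTIONS, AS_OF))
    print("review:", [e.ticket for e in expiring_soon(SAMPLE_EXCEPTIONS, AS_OF)])
```

The point of keeping exceptions as dated records rather than editing `ALLOWED` is that a lapsed exception fails closed on its own; the quarterly review in the Edge Cases table then becomes a query over `expiring_soon` rather than an archaeology exercise over firewall rules.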
Phase 3: Continuous Monitoring & Adaptive Response
- Real-time trust evaluation:
- Continuous authentication (re-authentication triggers based on risk)
- Behavioral analytics (UEBA) for anomaly detection
- Context-aware access decisions (location, time, device, network)
- Dynamic privilege adjustment based on risk score
- Policy enforcement engine:
- Centralized policy management (single source of truth)
- Real-time policy evaluation at each access request
- Automated policy updates based on threat intelligence
- Policy testing and simulation before deployment
- Incident response integration:
- Automatic access revocation on compromised credentials
- Network isolation of compromised devices
- Lateral movement prevention
- Automated containment and remediation playbooks
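Continuous verification means an established session is re-evaluated on every access, not only at login. The following is an added example (not code from the original page) of the session-side half of that: idle timeout, forced re-authentication interval, a geo-velocity check on each event, and immediate revocation on a compromised-credential signal. Assumptions: the event shape, the 900 km/h plausibility ceiling, the 10 km jitter allowance, and the sample coordinates and timestamps; the 15 min idle / 30 min re-auth defaults are the Critical-tier values from the access policy matrix in the template below.

```python
"""Continuous session verification with geo-velocity and revocation (added example)."""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

MAX_PLAUSIBLE_KMH = 900.0   # assumption: roughly airliner speed; faster implies a shared or stolen session
JITTER_KM = 10.0            # assumption: ignore small location noise from geo-IP

# Constructed sample locations (lat, lon).
LONDON = (51.5074, -0.1278)
NEW_YORK = (40.7128, -74.0060)


def t(hour: int, minute: int) -> datetime:
    """Constructed timestamp on a fixed day, UTC."""
    return datetime(2025, 1, 15, hour, minute, tzinfo=timezone.utc)


@dataclass
class Event:
    ts: datetime
    lat: float
    lon: float
    kind: str = "access"    # "access" | "reauth" | "credential_compromised"


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in km."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


class Session:
    """One user session, re-evaluated on every event; states: active | expired | revoked."""

    def __init__(self, login: Event, idle_timeout_min: int = 15, reauth_interval_min: int = 30):
        self.idle_timeout = timedelta(minutes=idle_timeout_min)
        self.reauth_interval = timedelta(minutes=reauth_interval_min)
        self.last_seen = login.ts
        self.last_auth = login.ts
        self.last_loc: Tuple[float, float] = (login.lat, login.lon)
        self.state = "active"

    def evaluate(self, ev: Event) -> str:
        """Return the PEP action for this event: allow, step_up, expire or revoke."""
        if self.state != "active":                      # terminal states are sticky
            return "revoke" if self.state == "revoked" else "expire"
        if ev.kind == "credential_compromised":         # IR integration: automatic revocation
            self.state = "revoked"
            return "revoke"
        # Geo-velocity: speed implied by the last observed location and this one.
        km = haversine_km(*self.last_loc, ev.lat, ev.lon)
        hours = (ev.ts - self.last_seen).total_seconds() / 3600.0
        if km > JITTER_KM and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
            self.state = "revoked"                      # impossible travel: kill session, alert
            return "revoke"
        # Idle timeout: inactivity beyond the tier limit ends the session.
        if ev.ts - self.last_seen > self.idle_timeout:
            self.state = "expired"
            return "expire"
        self.last_seen = ev.ts
        self.last_loc = (ev.lat, ev.lon)
        if ev.kind == "reauth":                         # successful step-up resets the clock
            self.last_auth = ev.ts
            return "allow"
        # Re-auth interval: an active session must still re-prove identity periodically.
        if ev.ts - self.last_auth > self.reauth_interval:
            return "step_up"
        return "allow"


def simulate(events: List[Event], idle_timeout_min: int = 15, reauth_interval_min: int = 30) -> List[str]:
    """Feed a login followed by events through one Session; return the action per event."""
    session = Session(events[0], idle_timeout_min, reauth_interval_min)
    return [session.evaluate(ev) for ev in events[1:]]


if __name__ == "__main__":
    trace = [Event(t(10, 0), *LONDON), Event(t(10, 10), *LONDON), Event(t(10, 20), *LONDON),
             Event(t(10, 34), *LONDON), Event(t(10, 35), *LONDON, "reauth"),
             Event(t(10, 40), *NEW_YORK), Event(t(10, 41), *LONDON)]
    print(simulate(trace))
```

`step_up` and `expire` are deliberately different outcomes from `revoke`: the first two are routine and silent, the last one should page the SOC and feed the UEBA baseline.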
Templates
Zero Trust Architecture Framework
ZERO TRUST ARCHITECTURE — Reference Framework
============================================
Version: [2.0] | NIST SP 800-207 Aligned
CORE PRINCIPLES:
1. Never trust, always verify
2. Verify explicitly (all access requests authenticated, authorized, encrypted)
3. Apply least privilege access (just-in-time, just-enough-access)
4. Assume breach (segment, monitor, respond)
5. Continuous evaluation (dynamic trust scores, adaptive policies)
TRUST FACTORS & WEIGHTING:
┌──────────────────────────────┬────────┬────────────────────────────────────┐
│ Factor │ Weight │ Evaluation Criteria │
├──────────────────────────────┼────────┼────────────────────────────────────┤
│ Identity Verification │ 25% │ MFA status, password strength, │
│ │ │ account age, role appropriateness │
├──────────────────────────────┼────────┼────────────────────────────────────┤
│ Device Posture │ 20% │ OS version, patch status, │
│ │ │ encryption, EDR active, compliance │
├──────────────────────────────┼────────┼────────────────────────────────────┤
│ Network Context │ 15% │ Location, IP reputation, │
│ │ │ network type, VPN status │
├──────────────────────────────┼────────┼────────────────────────────────────┤
│ Behavioral Analytics │ 20% │ Login patterns, access patterns, │
│ │ │ data access patterns, anomaly score │
├──────────────────────────────┼────────┼────────────────────────────────────┤
│ Environmental Risk │ 10% │ Time of day, geo-velocity, │
│ │ │ concurrent sessions, threat intel │
├──────────────────────────────┼────────┼────────────────────────────────────┤
│ Asset Sensitivity │ 10% │ Data classification, │
│ │ │ regulatory requirements, │
│ │ │ business criticality │
└──────────────────────────────┴────────┴────────────────────────────────────┘
TRUST SCORE CALCULATION:
Score = 100 × Σ_i (Weight_i × Compliance_i)
  Weight_i     = factor weight from the table above (the six weights sum to 100%)
  Compliance_i = 0.0 to 1.0, how fully the request satisfies factor i
Range: 0-100 (a request that fully satisfies every factor scores 100)
90-100: Full access (standard policies apply)
70-89: Standard access (MFA required)
50-69: Restricted access (MFA + additional verification)
30-49: Limited access (approved apps only, monitoring)
<30: Blocked (access denied, alert generated)
The score gates access; the hard requirements in the policy matrix below (authentication type, device posture) are checked in addition and are not offset by a high score.
ACCESS POLICY MATRIX:
┌──────────────────┬────────────┬────────────┬────────────┬──────────────┐
│ Resource Tier │ Critical │ High │ Medium │ Low │
│ │ (Crown │ (Sensitive │ (Internal) │ (Public) │
│ │ Jewels) │ Data) │ │ │
├──────────────────┼────────────┼────────────┼────────────┼──────────────┤
│ Min Trust Score │ 85 │ 70 │ 50 │ 30 │
├──────────────────┼────────────┼────────────┼────────────┼──────────────┤
│ MFA Required │ FIDO2 │ MFA │ MFA │ Optional │
├──────────────────┼────────────┼────────────┼────────────┼──────────────┤
│ Device Posture │ Enforce │ Enforce │ Warn │ None │
├──────────────────┼────────────┼────────────┼────────────┼──────────────┤
│ Idle Timeout │ 15 min │ 30 min │ 2 hours │ 8 hours │
├──────────────────┼────────────┼────────────┼────────────┼──────────────┤
│ Max Session Age │ 30 min │ 60 min │ 4 hours │ 8 hours │
└──────────────────┴────────────┴────────────┴────────────┴──────────────┘
Idle Timeout ends a session after that much inactivity; Max Session Age forces full re-authentication even while the session is active.
POLICY ENFORCEMENT POINTS:
Identity Provider (IdP) — Authentication and authorization decisions
Network Firewall — Traffic filtering and segmentation
Proxy/Gateway — Application access mediation
Endpoint Agent — Device compliance and local enforcement
Cloud Access Security Broker (CASB) — SaaS application access control
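The trust-score formula and the access policy matrix above describe what a policy decision point computes; the following is an added example (not code from the original page) of that PDP in working form. The factor weights, score bands, per-tier minimum scores, authentication requirements, posture handling and timeouts are taken from the tables; the request signals, the rules that map each signal to a 0..1 compliance value, and the shape of the returned decision are illustrative assumptions.

```python
"""Policy decision point for the weighted trust-score model (added example)."""
from dataclasses import dataclass
from typing import Dict, List

# Factor weights from the "Trust Factors & Weighting" table (sum to 1.0).
WEIGHTS = {"identity": 0.25, "device": 0.20, "network": 0.15,
           "behavior": 0.20, "environment": 0.10, "asset": 0.10}

# Access policy matrix: minimum score, required authentication, posture handling,
# idle timeout and maximum session age per resource tier.
POLICY = {
    "critical": {"min_score": 85, "auth": "fido2", "posture": "enforce", "idle_min": 15,  "reauth_min": 30},
    "high":     {"min_score": 70, "auth": "mfa",   "posture": "enforce", "idle_min": 30,  "reauth_min": 60},
    "medium":   {"min_score": 50, "auth": "mfa",   "posture": "warn",    "idle_min": 120, "reauth_min": 240},
    "low":      {"min_score": 30, "auth": "none",  "posture": "none",    "idle_min": 480, "reauth_min": 480},
}
AUTH_RANK = {"none": 0, "password": 0, "mfa": 1, "fido2": 2}   # assumed assurance ordering
BANDS = [(90, "full"), (70, "standard"), (50, "restricted"), (30, "limited"), (0, "blocked")]


@dataclass
class Request:
    """Signals available to the PDP at request time (assumed shape)."""
    auth_method: str            # "password" | "mfa" | "fido2"
    device_managed: bool
    device_compliant: bool      # patched, encrypted, EDR running
    ip_reputation: str          # "clean" | "suspicious" | "malicious"
    anomaly_score: float        # 0.0 (baseline) .. 1.0 (highly anomalous), from UEBA
    impossible_travel: bool     # geo-velocity violation since last event
    data_classification: str    # "public" | "internal" | "confidential" | "restricted"


def compliance(req: Request) -> Dict[str, float]:
    """Map raw signals to a 0..1 compliance value per factor (illustrative rules)."""
    return {
        "identity": {"password": 0.3, "mfa": 0.8, "fido2": 1.0}.get(req.auth_method, 0.0),
        "device": 1.0 if req.device_managed and req.device_compliant else 0.5 if req.device_managed else 0.2,
        "network": {"clean": 1.0, "suspicious": 0.4, "malicious": 0.0}.get(req.ip_reputation, 0.0),
        "behavior": max(0.0, 1.0 - req.anomaly_score),
        "environment": 0.0 if req.impossible_travel else 1.0,
        # More sensitive data lowers the score, so other factors must be stronger to clear the bar.
        "asset": {"public": 1.0, "internal": 0.8, "confidential": 0.5, "restricted": 0.3}
                 .get(req.data_classification, 0.3),
    }


def trust_score(req: Request) -> float:
    """Score = 100 * sum(weight_i * compliance_i), on the template's 0..100 range."""
    comp = compliance(req)
    return round(100 * sum(WEIGHTS[f] * comp[f] for f in WEIGHTS), 1)


def band(score: float) -> str:
    for floor, name in BANDS:
        if score >= floor:
            return name
    return "blocked"


def decide(req: Request, tier: str) -> Dict:
    """Apply the access policy matrix: hard requirements first, then the score."""
    pol = POLICY[tier]
    score = trust_score(req)
    reasons: List[str] = []
    if score < pol["min_score"]:
        reasons.append(f"score {score} below tier minimum {pol['min_score']}")
    if pol["posture"] == "enforce" and not req.device_compliant:
        reasons.append("device posture enforced and device is non-compliant")
    if req.impossible_travel:
        reasons.append("impossible travel: deny regardless of score and raise alert")
    if reasons:
        decision = "deny"
    elif AUTH_RANK.get(req.auth_method, 0) < AUTH_RANK[pol["auth"]]:
        decision = "step_up"    # score is acceptable; PEP must obtain stronger authentication first
        reasons.append(f"tier requires {pol['auth']}, session has {req.auth_method}")
    else:
        decision = "allow"
    warnings = ["device non-compliant (warn-only tier)"] if pol["posture"] == "warn" and not req.device_compliant else []
    return {"decision": decision, "score": score, "band": band(score), "reasons": reasons,
            "warnings": warnings, "idle_timeout_min": pol["idle_min"], "reauth_interval_min": pol["reauth_min"]}


if __name__ == "__main__":
    good = Request("fido2", True, True, "clean", 0.1, False, "restricted")
    weak = Request("password", True, False, "clean", 0.3, False, "internal")
    print(decide(good, "critical"))
    print(decide(weak, "medium"))
```

Two things the code makes explicit that the tables only imply: a denial is the union of every failed hard check (so the audit log explains itself), and an insufficient authentication method on an otherwise acceptable request is a step-up, not a denial, which is what keeps risk-based MFA low-friction.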
Implementation Roadmap
ZERO TRUST IMPLEMENTATION — Phased Roadmap
============================================
Organization: [Company] | Target Completion: [18 months]
PHASE 1: VISIBILITY & IDENTITY FOUNDATION (Months 1-4)
Objectives:
✓ Complete network and asset inventory
✓ Implement centralized identity management (SSO)
✓ Deploy MFA for all users (goal: 100%; phase exit criterion: ≥ 95%, with every remaining account tracked as a named exception)
✓ Implement privileged access management (PAM)
✓ Classify data and applications by sensitivity
Deliverables:
• Network map and asset inventory (automated)
• Identity directory with all users and services
• MFA deployment dashboard (progress tracking)
• Data classification policy and labels
KPIs: MFA adoption ≥ 95% | Asset inventory accuracy ≥ 98%
PHASE 2: ACCESS CONTROL ENFORCEMENT (Months 5-8)
Objectives:
✓ Implement conditional access policies
✓ Deploy role-based access control (RBAC)
✓ Enforce least privilege across all systems
✓ Implement just-in-time (JIT) provisioning
✓ Deploy cloud access security broker (CASB)
Deliverables:
• Conditional access policy framework
• RBAC matrix for all systems
• JIT access workflow
• CASB deployment and policy configuration
KPIs: Excessive privilege reduction ≥ 60% | Access request approval time < 4h
PHASE 3: MICRO-SEGMENTATION & DEVICE TRUST (Months 9-12)
Objectives:
✓ Implement network micro-segmentation
✓ Deploy device compliance checking
✓ Implement zero-trust network access (ZTNA)
✓ Retire legacy VPN
✓ Deploy endpoint detection and response (EDR)
Deliverables:
• Network segmentation architecture and firewall rules
• Device compliance policy framework
• ZTNA deployment (VPN replacement)
• EDR coverage dashboard
KPIs: Micro-segmentation coverage ≥ 90% | VPN users migrated ≥ 95%
PHASE 4: CONTINUOUS MONITORING (Months 13-15)
Objectives:
✓ Deploy UEBA (User Entity Behavioral Analytics)
✓ Implement continuous trust scoring
✓ Create automated incident response playbooks
✓ Establish security operations dashboard
Deliverables:
• UEBA deployment and baseline
• Trust scoring engine and thresholds
• IR playbooks (automated containment)
• SOAR integration
KPIs: Mean time to detect (MTTD) < 5 min | Mean time to acknowledge (MTTA) < 15 min
PHASE 5: AUTOMATION & OPTIMIZATION (Months 16-18)
Objectives:
✓ Automate policy updates based on threat intel
✓ Implement self-healing capabilities
✓ Optimize policies based on usage analytics
✓ Conduct penetration testing and validation
Deliverables:
• Automated policy management system
• Self-healing playbooks
• Policy optimization report
• Zero trust maturity assessment
KPIs: Automated policy updates ≥ 80% | Policy optimization cycle: monthly
Integration Points
- Identity providers: Okta, Azure AD (now Microsoft Entra ID), Ping Identity, OneLogin
- MFA solutions: Duo, YubiKey, FIDO2, Microsoft Authenticator
- PAM: CyberArk, BeyondTrust, Thycotic, Delinea
- Network security: Palo Alto Networks, Fortinet, Cisco Secure Firewall
- ZTNA: Zscaler Private Access, Cloudflare Access, Netskope, Shadow
- CASB: Netskope, Zscaler, McAfee MVISION
- Endpoint security: CrowdStrike, SentinelOne, Microsoft Defender, Carbon Black
- SIEM/SOAR: Splunk, IBM QRadar, Microsoft Sentinel, Palo Alto Cortex XSOAR
- UEBA: Exabeam, Securonix, Microsoft Insider Risk Management
- Cloud platforms: AWS IAM, Azure Security Center (now Microsoft Defender for Cloud), GCP Security Command Center
Edge Cases
| Scenario | Handling |
|----------|----------|
| Legacy systems cannot support modern authentication | Proxy/gateway-based access in front of the system; credential vaulting; network segmentation so the legacy host is reachable only through the gateway |
| Remote workers on unmanaged devices | Stricter policies; browser-mediated access only (no direct network access); session recording |
| Emergency break-glass access needed | Pre-approved emergency accounts with full audit logging; credentials held offline; auto-expire and rotate after each use; every use reviewed afterwards |
| Third-party/vendor access required | Time-bound access; separate identity store; enhanced monitoring; contract review |
| High-friction MFA causes productivity loss | Risk-based MFA (step-up only when signals change); remember device for 30 days, with the token bound to the device and revoked on posture or risk change |
| Micro-segmentation breaks legitimate workflows | Document all required flows; exception process with an owner and an expiry date; review quarterly |
| Trust score false positive (blocks legitimate user) | Self-service unblock gated by step-up verification; log for policy tuning; adjust thresholds |
| Migrate from VPN to ZTNA without downtime | Parallel run period; phased migration by user group; fallback VPN for 30 days |
Output
Zero Trust Maturity Dashboard
ZERO TRUST MATURITY — Assessment Dashboard
============================================
As of: 2025-01-15 | Implementation Phase: [Phase 2 of 5]
OVERALL ZERO TRUST SCORE: 58/100 [████████████░░░░░░░░]
DOMAIN ASSESSMENT:
┌────────────────────────────┬───────┬────────┬────────────┬──────────┐
│ Domain                     │ Score │ Target │ Progress   │ Status   │
├────────────────────────────┼───────┼────────┼────────────┼──────────┤
│ Identity & Authentication  │ 78    │ 90     │ ████████░░ │ On track │
│ Network Segmentation       │ 52    │ 85     │ ██████░░░░ │ Behind   │
│ Device Management          │ 65    │ 80     │ ███████░░░ │ On track │
│ Application Security       │ 55    │ 85     │ ██████░░░░ │ Behind   │
│ Data Protection            │ 48    │ 80     │ █████░░░░░ │ Behind   │
│ Monitoring & Analytics     │ 62    │ 90     │ ███████░░░ │ On track │
│ Incident Response          │ 58    │ 85     │ ██████░░░░ │ Behind   │
│ Policy Management          │ 61    │ 80     │ ███████░░░ │ On track │
└────────────────────────────┴───────┴────────┴────────────┴──────────┘
KEY METRICS:
MFA adoption: 94.2% (target: 95%) — Near target
Excessive privileges identified: 34% of accounts (↓ from 67% last quarter)
Conditional access policies: 47 active (covers 82% of systems)
Micro-segmentation coverage: 61% (target: 90% by Phase 3)
Device compliance rate: 78.5% (target: 95%)
Mean trust score: 72.3/100 (target: 80+)
THREAT MITIGATION IMPACT:
Lateral movement attempts blocked: 234 this month (↑ from 0: these attempts were previously invisible, not absent; the increase reflects new detection coverage)
Privilege escalation attempts blocked: 67 this month
Unauthorized access attempts denied: 1,892 this month
Mean time to contain (zero trust): 18 min (↓ from 45 min pre-zero trust)
RISK EXPOSURE:
Unprotected critical assets: 12 (↓ from 28)
Legacy VPN users remaining: 23% (target: 0% by Phase 3)
Systems without conditional access: 18%
Known trust score false positives: 2.1% (acceptable)
NEXT QUARTER PRIORITIES:
1. Accelerate micro-segmentation deployment (Phase 3 prep)
2. Reduce excessive privileges from 34% to 25%
3. Deploy CASB for top 10 SaaS applications
4. Pilot ZTNA for remote workforce (500 users)