---
name: zero-trust-security
description: "Design and implement zero-trust security architectures with continuous verification, least-privilege access, micro-segmentation, and device/identity verification. Use when building zero-trust frameworks, implementing network segmentation, configuring identity-based access controls, or creating trust scoring systems. Triggers on phrases like 'zero trust', 'zero-trust architecture', 'ZTNA', 'micro-segmentation', 'least privilege', 'continuous verification', 'identity-based access', 'network segmentation', 'trust scoring', 'never trust always verify', 'SASE'."
---

# Zero Trust Security Architecture

Design and implement zero-trust security frameworks that enforce continuous verification, least-privilege access, micro-segmentation, and comprehensive identity and device verification across all network access.

## Workflow

### Phase 1: Zero Trust Assessment & Planning

1. **Current state assessment**:
   - Network topology mapping (on-prem, cloud, hybrid, SaaS)
   - Identity landscape: directories, authentication methods, MFA adoption
   - Application inventory and criticality classification
   - Data classification and sensitivity mapping
   - Current access patterns and privilege analysis
   - Gap analysis against zero-trust principles
2. **Define trust boundaries**:
   - Identify critical assets and data requiring highest protection
   - Define policy decision points (PDP) and policy enforcement points (PEP)
   - Establish trust factors: identity, device health, location, behavior, context
   - Determine minimum trust score required per resource
3. **Develop implementation roadmap**:
   - Phase 1: Visibility and identity foundation
   - Phase 2: Access control and MFA enforcement
   - Phase 3: Device posture and micro-segmentation
   - Phase 4: Continuous monitoring and adaptive policies
   - Phase 5: Automation and self-healing

### Phase 2: Identity & Access Foundation

1. **Strong identity verification**:
   - Multi-factor authentication (MFA) for all users and systems
   - Phishing-resistant authentication (FIDO2, Windows Hello, passkeys)
   - Just-in-time (JIT) provisioning and just-enough-access (JEA)
   - Role-based access control (RBAC) and attribute-based access control (ABAC)
   - Privileged access management (PAM) for admin accounts
2. **Device trust assessment**:
   - Device compliance checking (OS version, patches, encryption, EDR status)
   - Device inventory and classification (corporate-managed, BYOD, IoT)
   - Conditional access policies based on device trust score
   - Certificate-based device authentication
3. **Network micro-segmentation**:
   - Segment by: department, application, data sensitivity, geography
   - East-west traffic controls (server-to-server, workstation-to-server)
   - North-south traffic controls (external to internal)
   - Zero-trust network access (ZTNA) replacing VPN

### Phase 3: Continuous Monitoring & Adaptive Response

1. **Real-time trust evaluation**:
   - Continuous authentication (re-authentication triggers based on risk)
   - Behavioral analytics (UEBA) for anomaly detection
   - Context-aware access decisions (location, time, device, network)
   - Dynamic privilege adjustment based on risk score
2. **Policy enforcement engine**:
   - Centralized policy management (single source of truth)
   - Real-time policy evaluation at each access request
   - Automated policy updates based on threat intelligence
   - Policy testing and simulation before deployment
3. **Incident response integration**:
   - Automatic access revocation on compromised credentials
   - Network isolation of compromised devices
   - Lateral movement prevention
   - Automated containment and remediation playbooks

## Templates

### Zero Trust Architecture Framework

```
ZERO TRUST ARCHITECTURE — Reference Framework
============================================
Version: [2.0] | NIST SP 800-207 Aligned

CORE PRINCIPLES:
  1. Never trust, always verify
  2. Verify explicitly (all access requests authenticated, authorized, encrypted)
  3. Apply least privilege access (just-in-time, just-enough-access)
  4. Assume breach (segment, monitor, respond)
  5. Continuous evaluation (dynamic trust scores, adaptive policies)

TRUST FACTORS & WEIGHTING:
┌──────────────────────────────┬────────┬────────────────────────────────────┐
│ Factor                       │ Weight │ Evaluation Criteria                │
├──────────────────────────────┼────────┼────────────────────────────────────┤
│ Identity Verification        │ 25%    │ MFA status, password strength,     │
│                              │        │ account age, role appropriateness  │
├──────────────────────────────┼────────┼────────────────────────────────────┤
│ Device Posture               │ 20%    │ OS version, patch status,          │
│                              │        │ encryption, EDR active, compliance │
├──────────────────────────────┼────────┼────────────────────────────────────┤
│ Network Context              │ 15%    │ Location, IP reputation,           │
│                              │        │ network type, VPN status           │
├──────────────────────────────┼────────┼────────────────────────────────────┤
│ Behavioral Analytics         │ 20%    │ Login patterns, access patterns,   │
│                              │        │ data access patterns,              │
│                              │        │ anomaly score                      │
├──────────────────────────────┼────────┼────────────────────────────────────┤
│ Environmental Risk           │ 10%    │ Time of day, geo-velocity,         │
│                              │        │ concurrent sessions, threat intel  │
├──────────────────────────────┼────────┼────────────────────────────────────┤
│ Asset Sensitivity            │ 10%    │ Data classification,               │
│                              │        │ regulatory requirements,           │
│                              │        │ business criticality               │
└──────────────────────────────┴────────┴────────────────────────────────────┘

TRUST SCORE CALCULATION:
  Score = Σ(Factor_i × Weight_i × Compliance_i)
  Range: 0-100

  90-100: Full access (standard policies apply)
  70-89:  Standard access (MFA required)
  50-69:  Restricted access (MFA + additional verification)
  30-49:  Limited access (approved apps only, monitoring)
  <30:    Blocked (access denied, alert generated)

ACCESS POLICY MATRIX:
┌──────────────────┬────────────┬────────────┬────────────┬──────────────┐
│ Resource Tier    │ Critical   │ High       │ Medium     │ Low          │
│                  │ (Crown     │ (Sensitive │ (Internal) │ (Public)     │
│                  │  Jewels)   │ Data)      │            │              │
├──────────────────┼────────────┼────────────┼────────────┼──────────────┤
│ Min Trust Score  │    85      │    70      │    50      │    30        │
├──────────────────┼────────────┼────────────┼────────────┼──────────────┤
│ MFA Required     │   FIDO2    │   MFA      │   MFA      │   Optional   │
├──────────────────┼────────────┼────────────┼────────────┼──────────────┤
│ Device Posture   │   Enforce  │   Enforce  │   Warn     │   None       │
├──────────────────┼────────────┼────────────┼────────────┼──────────────┤
│ Session Timeout  │   15 min   │   30 min   │   2 hours  │   8 hours    │
├──────────────────┼────────────┼────────────┼────────────┼──────────────┤
│ Re-auth Interval │   30 min   │   60 min   │   4 hours  │   8 hours    │
└──────────────────┴────────────┴────────────┴────────────┴──────────────┘

POLICY ENFORCEMENT POINTS:
  Identity Provider (IdP) — Authentication and authorization decisions
  Network Firewall — Traffic filtering and segmentation
  Proxy/Gateway — Application access mediation
  Endpoint Agent — Device compliance and local enforcement
  Cloud Access Security Broker (CASB) — SaaS application access control
```
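A policy decision point that implements the trust-score formula and the access policy matrix above, as an added example rather than code from the original template. The per-factor compliance fractions, the `decide` function and the folding of Factor_i and Compliance_i into one 0..1 value are assumptions about how a PDP would consume the tables:

```python
from typing import Dict, List, Optional

# Weights from the TRUST FACTORS & WEIGHTING table; they sum to 1.0.
WEIGHTS = {"identity": 0.25, "device": 0.20, "network": 0.15,
           "behavior": 0.20, "environment": 0.10, "asset": 0.10}
# ACCESS POLICY MATRIX, one entry per resource tier (durations in minutes).
TIERS = {
    "critical": {"min": 85, "mfa": "FIDO2", "posture": "enforce", "session": 15, "reauth": 30},
    "high":     {"min": 70, "mfa": "MFA", "posture": "enforce", "session": 30, "reauth": 60},
    "medium":   {"min": 50, "mfa": "MFA", "posture": "warn", "session": 120, "reauth": 240},
    "low":      {"min": 30, "mfa": "Optional", "posture": "none", "session": 480, "reauth": 480},
}

def trust_score(compliance: Dict[str, float]) -> float:
    """Score = sum(Weight_i * Compliance_i) * 100, where each compliance value is
    the 0.0..1.0 fraction of that factor's criteria met (assumption: Factor_i and
    Compliance_i from the template are folded into this one fraction)."""
    unknown = set(compliance) - set(WEIGHTS)
    if unknown:
        raise ValueError(f"unknown trust factors: {sorted(unknown)}")
    total = 0.0
    for factor, weight in WEIGHTS.items():
        c = compliance.get(factor, 0.0)  # missing evidence scores 0: fail closed
        if not 0.0 <= c <= 1.0:
            raise ValueError(f"{factor} compliance out of range: {c}")
        total += weight * c
    return round(total * 100, 1)

def access_band(score: float) -> str:
    """Map a score to the TRUST SCORE CALCULATION bands."""
    for floor, band in ((90, "full"), (70, "standard"), (50, "restricted"), (30, "limited")):
        if score >= floor:
            return band
    return "blocked"

def decide(compliance: Dict[str, float], tier: str, mfa_method: Optional[str]) -> dict:
    """PDP verdict for one request plus the obligations the PEP must apply."""
    policy = TIERS[tier]
    score = trust_score(compliance)
    reasons: List[str] = []
    if score < policy["min"]:
        reasons.append(f"score {score} below tier minimum {policy['min']}")
    if policy["mfa"] == "FIDO2" and mfa_method != "FIDO2":
        reasons.append("phishing-resistant MFA (FIDO2) required")
    elif policy["mfa"] == "MFA" and mfa_method is None:
        reasons.append("MFA required")
    if policy["posture"] == "enforce" and compliance.get("device", 0.0) < 1.0:
        reasons.append("device posture not compliant")
    return {"allow": not reasons, "score": score, "band": access_band(score),
            "reasons": reasons, "session_min": policy["session"], "reauth_min": policy["reauth"]}
```

The returned `session_min` and `reauth_min` are what the enforcement point uses to schedule the re-authentication triggers described under continuous monitoring.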

### Implementation Roadmap

```
ZERO TRUST IMPLEMENTATION — Phased Roadmap
============================================
Organization: [Company] | Target Completion: [18 months]

PHASE 1: VISIBILITY & IDENTITY FOUNDATION (Months 1-4)
  Objectives:
    ✓ Complete network and asset inventory
    ✓ Implement centralized identity management (SSO)
    ✓ Deploy MFA for all users (target: 100%)
    ✓ Implement privileged access management (PAM)
    ✓ Classify data and applications by sensitivity
  Deliverables:
    • Network map and asset inventory (automated)
    • Identity directory with all users and services
    • MFA deployment dashboard (progress tracking)
    • Data classification policy and labels
  KPIs: MFA adoption ≥ 95% | Asset inventory accuracy ≥ 98%

PHASE 2: ACCESS CONTROL ENFORCEMENT (Months 5-8)
  Objectives:
    ✓ Implement conditional access policies
    ✓ Deploy role-based access control (RBAC)
    ✓ Enforce least privilege across all systems
    ✓ Implement just-in-time (JIT) provisioning
    ✓ Deploy cloud access security broker (CASB)
  Deliverables:
    • Conditional access policy framework
    • RBAC matrix for all systems
    • JIT access workflow
    • CASB deployment and policy configuration
  KPIs: Excessive privilege reduction ≥ 60% | Access request approval time < 4h

PHASE 3: MICRO-SEGMENTATION & DEVICE TRUST (Months 9-12)
  Objectives:
    ✓ Implement network micro-segmentation
    ✓ Deploy device compliance checking
    ✓ Implement zero-trust network access (ZTNA)
    ✓ Retire legacy VPN
    ✓ Deploy endpoint detection and response (EDR)
  Deliverables:
    • Network segmentation architecture and firewall rules
    • Device compliance policy framework
    • ZTNA deployment (VPN replacement)
    • EDR coverage dashboard
  KPIs: Micro-segmentation coverage ≥ 90% | VPN users migrated ≥ 95%

PHASE 4: CONTINUOUS MONITORING (Months 13-15)
  Objectives:
    ✓ Deploy UEBA (User Entity Behavioral Analytics)
    ✓ Implement continuous trust scoring
    ✓ Create automated incident response playbooks
    ✓ Establish security operations dashboard
  Deliverables:
    • UEBA deployment and baseline
    • Trust scoring engine and thresholds
    • IR playbooks (automated containment)
    • SOAR integration
  KPIs: Mean time to detect (MTTD) < 5 min | MTTA < 15 min

PHASE 5: AUTOMATION & OPTIMIZATION (Months 16-18)
  Objectives:
    ✓ Automate policy updates based on threat intel
    ✓ Implement self-healing capabilities
    ✓ Optimize policies based on usage analytics
    ✓ Conduct penetration testing and validation
  Deliverables:
    • Automated policy management system
    • Self-healing playbooks
    • Policy optimization report
    • Zero trust maturity assessment
  KPIs: Automated policy updates ≥ 80% | Policy optimization cycle: monthly
```

## Integration Points

- **Identity providers**: Okta, Azure AD, Ping Identity, OneLogin
- **MFA solutions**: Duo, YubiKey, FIDO2, Microsoft Authenticator
- **PAM**: CyberArk, BeyondTrust, Thycotic, Delinea
- **Network security**: Palo Alto Networks, Fortinet, Cisco Secure Firewall
- **ZTNA**: Zscaler Private Access, Cloudflare Access, Netskope, Shadow
- **CASB**: Netskope, Zscaler, McAfee MVISION
- **Endpoint security**: CrowdStrike, SentinelOne, Microsoft Defender, Carbon Black
- **SIEM/SOAR**: Splunk, IBM QRadar, Microsoft Sentinel, Palo Alto Cortex XSOAR
- **UEBA**: Exabeam, Securonix, Microsoft Insider Risk Management
- **Cloud platforms**: AWS IAM, Azure Security Center, GCP Security Command Center

## Edge Cases

| Scenario | Handling |
|----------|----------|
| Legacy systems cannot support modern authentication | Implement proxy/gateway-based access; credential vaulting; network segmentation |
| Remote workers on unmanaged devices | Enforce stricter policies; browser-mediated access only; session recording |
| Emergency break-glass access needed | Pre-approved emergency accounts with full audit logging; auto-expire after use |
| Third-party/vendor access required | Time-bound access; separate identity store; enhanced monitoring; contract review |
| High-friction MFA causes productivity loss | Implement risk-based MFA (step-up only when needed); remember device for 30 days |
| Micro-segmentation breaks legitimate workflows | Document all required flows; implement exception process; review quarterly |
| Trust score false positive (blocks legitimate user) | Provide self-service unblock; log for policy tuning; adjust thresholds |
| Migrate from VPN to ZTNA without downtime | Parallel run period; phased migration by user group; fallback VPN for 30 days |

## Output

### Zero Trust Maturity Dashboard

```
ZERO TRUST MATURITY — Assessment Dashboard
============================================
As of: 2025-01-15 | Implementation Phase: [Phase 2 of 5]

OVERALL ZERO TRUST SCORE: 58/100 [█████████████████████████░░░░░░░░░░░░]

DOMAIN ASSESSMENT:
┌────────────────────────────┬────────┬────────┬────────────┬────────────┐
│ Domain                     │ Score  │ Target │ Progress   │ Status     │
├────────────────────────────┼────────┼────────┼────────────┼────────────┤
│ Identity & Authentication  │   78   │   90   │ ████████░░ │ On track   │
│ Network Segmentation       │   52   │   85   │ ██████░░░░ │ Behind     │
│ Device Management          │   65   │   80   │ ███████░░░ │ On track   │
│ Application Security       │   55   │   85   │ ██████░░░░ │ Behind     │
│ Data Protection            │   48   │   80   │ █████░░░░░ │ Behind     │
│ Monitoring & Analytics     │   62   │   90   │ ███████░░░ │ On track   │
│ Incident Response          │   58   │   85   │ ██████░░░░ │ Behind     │
│ Policy Management          │   61   │   80   │ ███████░░░ │ On track   │
└────────────────────────────┴────────┴────────┴────────────┴────────────┘

KEY METRICS:
  MFA adoption: 94.2% (target: 95%) — Near target
  Excessive privileges identified: 34% of accounts (↓ from 67% last quarter)
  Conditional access policies: 47 active (covers 82% of systems)
  Micro-segmentation coverage: 61% (target: 90% by Phase 3)
  Device compliance rate: 78.5% (target: 95%)
  Mean trust score: 72.3/100 (target: 80+)

THREAT MITIGATION IMPACT:
  Lateral movement attempts blocked: 234 this month (↑ from 0 — detection working)
  Privilege escalation attempts blocked: 67 this month
  Unauthorized access attempts denied: 1,892 this month
  Mean time to contain (zero trust): 18 min (↓ from 45 min pre-zero trust)

RISK EXPOSURE:
  Unprotected critical assets: 12 (↓ from 28)
  Legacy VPN users remaining: 23% (target: 0% by Phase 3)
  Systems without conditional access: 18%
  Known trust score false positives: 2.1% (acceptable)

NEXT QUARTER PRIORITIES:
  1. Accelerate micro-segmentation deployment (Phase 3 prep)
  2. Reduce excessive privileges from 34% to 25%
  3. Deploy CASB for top 10 SaaS applications
  4. Pilot ZTNA for remote workforce (500 users)
```
