Security - Zero Trust
Zero Trust is a modern cybersecurity framework based on one central realization: Traditional "perimeter-based" security is no longer enough.
In the past, security followed a "Castle-and-Moat" model. If you were inside the castle (the corporate network), you were trusted. If you were outside, you were a threat. Zero Trust flips this and assumes that threats already exist both inside and outside the network.
The Core Mantra: "Never Trust, Always Verify"
Under Zero Trust, no user, device, or application is granted "implicit trust" just because they are on a certain network (like an office Wi-Fi) or use a certain device. Every single request for access must be authenticated, authorized, and continuously validated.
The 4 Pillars of Zero Trust
- Least Privilege Access: Users are given only the minimum level of access they need to do their job. If a developer only needs access to a specific database, they aren't given access to the entire server network. This prevents "lateral movement" if an account is hacked.
- Microsegmentation: Instead of one big network, the environment is broken into small, isolated zones (segments). A breach in one zone is contained there and cannot easily spread to the rest of the company's data.
- Continuous Monitoring & Validation: Security isn't a one-time check at "login." The system constantly checks for suspicious behavior. If a user suddenly tries to download 5,000 files from a new location at 3 AM, the system can automatically revoke their access.
- Assume Breach: Zero Trust operates as if an attacker is already inside the network. This mindset leads to building defenses that focus on protecting the data and applications themselves, rather than just the "walls" around them.
Why is it popular now?
The shift to Remote Work and Cloud Computing killed the traditional perimeter.
- The "Wall" is gone: Employees now work from home, coffee shops, and airports.
- Data is everywhere: Company data isn't just in one server room; it’s in AWS, Google Drive, Slack, and Salesforce.
- Device diversity: People use personal phones (BYOD), tablets, and laptops that the company doesn't fully control.
How to Achieve Zero Trust?
Achieving Zero Trust is a multi-year strategic journey rather than a single technical project. It involves moving away from a "perimeter-based" defense (where once you're in, you're trusted) to a model where every request is verified.
Organizations typically achieve this by following the CISA Zero Trust Maturity Model and the NIST SP 800-207 standard.
1. The 5 Key Areas of Zero Trust
Implementation is broken down into five key areas. You don't have to perfect one to start another; they usually progress in parallel.
- Identity: Move from simple passwords to Phishing-resistant MFA (like FIDO2 keys). Use a single Identity Provider (IdP) to manage everyone—employees, contractors, and even "non-human" service accounts.
- Devices: You must know the "health" of a device before it connects. If a laptop has its firewall turned off or is missing a critical patch, its access is automatically restricted, even if the user’s password is correct.
- Networks: Replace traditional VPNs with ZTNA (Zero Trust Network Access). Instead of giving a user access to the "Internal Network," you give them a "micro-tunnel" directly to a specific application.
- Applications & Workloads: Security is baked into the app itself. Use "Service Meshes" (like Istio) in cloud environments to ensure that even internal microservices must authenticate with each other.
- Data: Focus on the "Protect Surface." Encrypt data at rest and in transit, and use Data Loss Prevention (DLP) to monitor who is moving sensitive files and where they are going.
2. The 5-Step Implementation Roadmap
Most security architects follow this practical workflow to transition a legacy environment:
- Step 1: Identify the "Protect Surface" – You can't protect everything equally. Identify your "Crown Jewels"—sensitive customer data, proprietary code, or financial systems.
- Step 2: Map the Transaction Flows – Document how data actually moves. Who needs access to the database? Which apps talk to each other? You can't secure what you don't understand.
- Step 3: Build a Zero Trust Architecture – Design a "Micro-Perimeter" around each Protect Surface using a Policy Enforcement Point (PEP) (like a next-gen firewall or a cloud access proxy).
- Step 4: Create the Policy – Write "Who, What, When, Where, Why" rules. Example: "Only the Finance Team (Who) can access the Payroll App (What) from a managed company laptop (Device Health) during business hours (When)."
- Step 5: Monitor and Maintain – This is the "Continuous" part. Use AI and analytics to look for anomalies, like a user logging in from New York and London 10 minutes apart (Impossible Travel).
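The "Impossible Travel" check from Step 5, as an added example that is not part of the original article: it computes the speed implied by each user's consecutive logins and flags pairs no traveller could make. The 900 km/h ceiling, the 50 km noise floor, the event field names and the sample logins are all assumptions made for the illustration.

```python
import math
from datetime import datetime, timezone

MAX_SPEED_KMH = 900.0  # assumed ceiling, roughly airliner cruise speed

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH, min_km=50.0):
    """Return (user, from_city, to_city, km, km_per_hour) for implausible login pairs.

    min_km suppresses small jumps caused by imprecise IP geolocation.
    """
    findings, last = [], {}  # last: user -> previous login event
    for ev in sorted(events, key=lambda e: e["ts"]):
        prev = last.get(ev["user"])
        last[ev["user"]] = ev
        if prev is None:
            continue
        km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
        if km < min_km:
            continue
        hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600
        # Simultaneous logins from distant places imply unbounded speed.
        speed = math.inf if hours == 0 else km / hours
        if speed > max_speed_kmh:
            findings.append((ev["user"], prev["city"], ev["city"], round(km), speed))
    return findings

def make_login(user, ts, city, lat, lon):
    when = datetime.strptime(ts, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
    return {"user": user, "ts": when, "city": city, "lat": lat, "lon": lon}

# Constructed sample logins (not real data); coordinates are approximate.
SAMPLE_LOGINS = [
    make_login("alice", "2024-05-01 09:00", "New York", 40.71, -74.01),
    make_login("alice", "2024-05-01 09:10", "London", 51.51, -0.13),
    make_login("bob", "2024-05-01 08:00", "New York", 40.71, -74.01),
    make_login("bob", "2024-05-01 18:00", "London", 51.51, -0.13),
]

if __name__ == "__main__":
    for user, src, dst, km, speed in impossible_travel(SAMPLE_LOGINS):
        print(f"ALERT {user}: {src} -> {dst}, {km} km at {speed:.0f} km/h")
```

IP geolocation is approximate and VPN egress points move users on the map, so a finding like this usually feeds step-up authentication or analyst review rather than an automatic block.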
3. Key Technologies You’ll Need
To achieve Zero Trust, you usually integrate several specific tools:
- IAM (Identity & Access Management): Tools like Okta, Microsoft Entra ID, or Ping Identity.
- EDR (Endpoint Detection & Response): Tools like CrowdStrike or SentinelOne to verify device health.
- ZTNA (Zero Trust Network Access): Replaces VPNs (e.g., Zscaler, Cloudflare One, or Tailscale).
- Microsegmentation: Tools that create "internal fences" in your data center (e.g., Illumio or Akamai Guardicore).
Google's role in Zero Trust
Google is widely considered the pioneer of the Zero Trust model. While the term "Zero Trust" was coined by an analyst at Forrester, Google was the first company to prove it could be done at a massive, global scale.
Their journey began in response to Operation Aurora in 2009—a sophisticated nation-state cyberattack that targeted Google and other tech giants. Google realized that if an attacker could get inside their "castle walls" (internal network), they could move freely. To fix this, they threw away the "castle and moat" model and built BeyondCorp.
1. Zero Trust in Google Corp (Internal)
Internally, Google operates under the BeyondCorp framework. Its goal was simple: enable every Googler to work from any network (home, coffee shop, or office) without using a VPN.
How it works inside Google:
- The Network is Untrusted: Google treats its own office Wi-Fi the same as a public coffee shop's Wi-Fi. No internal application is "open" just because you are in the building.
- The Access Proxy: All internal tools (like their bug tracker or HR portal) are behind a central "Access Proxy." You don't connect to the network; you connect to the proxy.
- Trust Tiers: Access is determined by a combination of User Identity (Who are you?) and Device State (Is your laptop encrypted? Is the OS updated?).
  - Example: A Googler on a managed, patched laptop can access sensitive code. That same Googler on a personal iPad might only be allowed to see their own payroll info.
- Inventory Databases: Google maintains a massive, real-time database of every authorized device. If a device hasn't checked in recently or is missing a security patch, its "trust score" drops instantly.
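A sketch of the per-request decision an access proxy makes from user identity and device state, added here as an illustration and not taken from Google's implementation. The tier names, groups, resource names, the 7-day check-in limit and the sample devices are hypothetical; the network the request comes from is accepted but never consulted.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical tiers, groups and resources, for illustration only.
UNTRUSTED, BASIC, FULL = 0, 1, 2
RESOURCE_POLICY = {  # resource -> (allowed groups, minimum device tier)
    "source-code": ({"engineering"}, FULL),
    "payroll-self-service": ({"employees"}, BASIC),
}
MAX_CHECKIN_AGE = timedelta(days=7)  # assumed inventory freshness limit

@dataclass
class Device:
    managed: bool
    disk_encrypted: bool
    os_patched: bool
    last_checkin: datetime

def device_tier(dev, now):
    """Trust tier from inventory state; unknown or stale devices get none."""
    if dev is None or now - dev.last_checkin > MAX_CHECKIN_AGE:
        return UNTRUSTED
    if not (dev.disk_encrypted and dev.os_patched):
        return UNTRUSTED
    return FULL if dev.managed else BASIC

def authorize(groups, mfa_ok, device, resource, now, source_network=None):
    """Per-request decision; source_network is accepted but never consulted."""
    rule = RESOURCE_POLICY.get(resource)
    if rule is None:
        return False, "default deny: no policy for resource"
    allowed_groups, min_tier = rule
    if not mfa_ok:
        return False, "user not strongly authenticated"
    if not set(groups) & allowed_groups:
        return False, "user not in an allowed group"
    if device_tier(device, now) < min_tier:
        return False, "device trust tier too low"
    return True, "allow"

# Constructed demo data: one user, two devices, a fixed clock.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
LAPTOP = Device(True, True, True, NOW - timedelta(hours=2))
IPAD = Device(False, True, True, NOW - timedelta(hours=2))

if __name__ == "__main__":
    for name, dev in (("laptop", LAPTOP), ("ipad", IPAD)):
        for res in RESOURCE_POLICY:
            print(name, res, authorize({"engineering", "employees"}, True, dev, res, NOW, "office-wifi"))
```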
2. Zero Trust in Google Cloud (GCP)
Google took the "BeyondCorp" lessons and turned them into products for GCP customers. They also expanded the concept to include BeyondProd, which focuses on how microservices talk to each other (Workload Zero Trust).
Key Tools for GCP Implementation:
- Identity-Aware Proxy (IAP): This is the direct descendant of Google’s internal access proxy. It allows you to protect your web apps and VMs without a VPN. It checks the user's identity and context (like location or IP) before letting a single packet through.
- VPC Service Controls: This creates a "digital fence" around your data. Even if a user has the right password, VPC Service Controls can block them from moving data out of a specific perimeter (preventing data exfiltration).
- Chrome Enterprise Premium: Formerly known as BeyondCorp Enterprise, this integrates Zero Trust directly into the browser. It can detect if a user is about to upload sensitive data to a personal Drive or if they are visiting a malicious site.
- Access Context Manager: This is the "brain" that defines the rules. It allows you to write policies like: "Only allow access to the Production Database if the user has MFA enabled AND is using a company-owned device."
- BeyondProd (Workload Identity): In GCP, services don't trust each other by default. They use Workload Identity (often via a Service Mesh like Istio/Anthos) to ensure that Service A must prove its identity to Service B before they exchange data.