System Design Space
Knowledge graphSettings

Updated: June 25, 2026 at 6:16 AM

Zero Trust Architecture

medium

How to design Zero Trust architecture: identity, segmentation, policy decision and enforcement points, mTLS, continuous verification, and phased rollout.

Zero Trust architecture becomes useful only when it stops being a slogan and turns into a new trust model inside the system.

The chapter shows how explicit identity checks, policy enforcement, segmentation, and phased migration move security away from blind trust in the network and into verifiable architecture choices.

For design reviews, it frames Zero Trust as a sequence of steps with user-experience friction, latency overhead, and operational cost rather than as a future-state slide.

Practical value of this chapter

Design in practice

Design access around identity, request context, policy decision and enforcement points, not around network trust.

Decision quality

Validate where the trust boundary sits, how access decisions are made, and how quickly rights can be revoked after compromise.

Interview articulation

Frame the answer around the route: subject, resource, context, policy, enforcement, and audit trail.

Trade-off framing

Make the cost of segmentation, mutual TLS, short-lived credentials, check latency, and operating complexity explicit.

NIST

SP 800-207

The baseline NIST reference for Zero Trust Architecture.

Open document

The perimeter model rests on one assumption: if you are inside the network, you can be trusted. Break that assumption once, and an attacker moves through the system freely. Zero Trust removes the assumption: security is built not around inside-versus-outside, but around identity, request context, and continuous access verification.

Zero Trust Architecture assumes that network location alone does not prove trust. Every request is evaluated again: who is calling, which resource they want, what context surrounds the request, and where the policy is enforced — and any one of those answers can deny access.

Zero Trust principles

Never trust by default

Trust is not inherited from the previous request. Every time it is checked again: subject, context, resource, action, and the authorization policy that applies.

Least privilege

Access is granted for a specific task and a limited time. The wider and longer-lived the grant, the more an attacker gains from a single stolen credential — hence the lean on least privilege.

Assume breach

The question is not whether an attacker gets in, but what they can do once inside. Hence segmentation, observability, rapid revocation, and blast-radius control.

Base

Identification -> AuthN -> AuthZ

Identity and authorization models are the foundation — without them, phased Zero Trust adoption falls apart.

Open chapter

Reference architecture

Identity

  • One model for users, services, devices, and workload identity.
  • Identity provider, account lifecycle, MFA, and passkeys.
  • Short-lived credentials instead of long-lived secrets.

Access policies

  • Policy decision point: RBAC/ABAC/ReBAC or policy as code.
  • The decision considers subject, action, resource, and request context.
  • Deny by default as the baseline for new resources.

Policy enforcement

  • Policy enforcement points in API gateways, service mesh, and applications.
  • mTLS and service identity for east-west traffic.
  • Audit trail for access decisions.

Telemetry and response

  • Continuous verification through logs, metrics, and security signals.
  • Risk-based access and dynamic restrictions.
  • Fast incident response and automated access revocation.

Context signals for access decisions

Identity assurance

Question: Who is requesting access, and how strong is the proof?

Implementation: MFA, passkeys, phishing-resistant login, and device-bound credentials.

Device posture

Question: Does the device meet baseline security requirements?

Implementation: Device management state, patch level, disk encryption, and compromise indicators.

Workload identity

Question: How does a service prove itself when calling another service?

Implementation: Workload certificates, SPIFFE/SPIRE, and short-lived credentials.

Data sensitivity

Question: How critical is the resource, and should access be temporary?

Implementation: Data classification, purpose binding, and read-only defaults for risky paths.

Behavioral context

Question: Is geography, time, device, or request behavior unusual?

Implementation: Risk scoring, adaptive authentication, step-up checks, and temporary action limits.

Policy enforcement matrix

SurfacePolicy enforcement pointChecksAction on deny
External API (north-south)API gateway + WAFAuthN/AuthZ, token claims, schema validation, rate limits.Block the request, log the policy decision, and send a signal to the SOC.
Service-to-service (east-west)Service meshmTLS, service identity, service policy, namespace segmentation.Terminate the connection and log the decision with the trace ID.
Data planeDB proxy / data access layerABAC/ReBAC, row and column rules, time-bounded credentials.Reject the request and trigger an access review for the risky scenario.
Administrative operationsPrivileged access gatewayJIT access, approval flow, session recording.Do not issue the temporary elevation token; notify service owners.
CI/CD and deploymentPolicy as code + admission controlSigned artifacts, workload identity, environment policy.Stop the deployment and open a security ticket automatically.

Operational metrics

Strong-authentication coverage for privileged users

Goal: 100%

Without strong authentication, Zero Trust quickly becomes a paper exercise.

mTLS coverage for east-west traffic

Goal: >= 95%

Shows whether inter-service calls are protected inside the system, not only at the external edge.

Share of administrative operations through JIT access

Goal: >= 90%

Reduces exposure from permanent privileged access and lateral movement.

Mean revocation time for a compromised identity

Goal: < 15 minutes

Faster revocation shrinks the compromise window and blast radius.

Policy-decision logging coverage

Goal: 100%

Without decision logs, investigation and compliance evidence become unreliable.

Implementation plan

1. Inventory

Map identities, services, secrets, critical paths, and the trust assumptions the current architecture makes.

2. Strong authentication baseline

Enable MFA and passkeys for users, workload identity for services, and remove shared credentials so a compromised secret does not belong to everyone at once.

3. Policy centralization

Move access rules into a shared policy layer and enable deny by default for new resources.

4. Segmentation and enforcement

Separate the contours — production from non-production, data tiers, administrative paths, and key traffic enforcement points — so compromising one segment does not open the door to its neighbors.

5. Continuous verification

Monitor access anomalies, run regular access reviews, and rotate credentials automatically.

Typical antipatterns

  • Treating Zero Trust as a product instead of an architectural approach and operating model.
  • Replacing the VPN while leaving identity and authorization models unchanged — newer at the edge, same default trust inside.
  • Allowing everything inside the cluster and still calling it Zero Trust.
  • Skipping revocation and deprovisioning processes even when authentication is strong.
  • Keeping permanent administrative access without JIT access, just-enough administration, and explicit approvals.

Quick practical check: if compromising one service gives an attacker “almost everything,” Zero Trust is only nominally implemented.

References

Related chapters

Enable tracking in Settings