Skip to content
ROOT
STUB

Zero-Trust Security

The pattern: no implicit trust based on network location, IP, or VPN. Every request authenticates and authorizes. Identity is the perimeter. Workload identity (SPIFFE/SPIRE) for services; OIDC for humans; capability allowlists for tools (MCP). Lateral movement after a compromise becomes structurally harder because the network gives an attacker nothing.

The trade-off: operational complexity vs. defense against lateral movement. Zero-trust requires identity infrastructure (Dex, Keycloak, SPIRE), every service to do crypto, every tool to be allowlisted. The benefit is structural: a compromised credential gives access to one thing, not the whole network. The classic flat-network breach pattern stops working.

First touched in Year 2 Phase 12: Platform Engineering — service mesh mTLS + workload identity + Dex OIDC on basecamp. Reaches DEEP in Year 5 Phase 29: AI Surface — applying zero-trust to the AI surface (prompt injection, agent capability scoping, model exfil) is the synthesis.

  • zero-trust-networking — the network-layer companion; this entry is the identity + authorization side, that one is the transport side.
  • least-privilege — every authenticated identity still gets the minimum grant; zero-trust without least-privilege is just expensive auth.
  • defense-in-depth — zero-trust is the identity-as-perimeter layer in the stack.
  • secrets-lifecycle — workload identity is what lets services stop holding long-lived secrets entirely.
  • threat-modelingSpoofing and lateral-movement threats are exactly what zero-trust answers.
  • service-mesh — the mTLS + SPIFFE plane that makes zero-trust feasible at K8s scale.
  • platform-as-product — zero-trust only works when the platform makes “do the right thing” the default path.