zero-trust-architecture
Use when designing security architectures, implementing zero trust principles, or evaluating security posture. Covers never trust always verify, microsegmentation, identity-based access, and ZTNA patterns.
allowed_tools: Read, Glob, Grep
Installer
$ git clone https://github.com/melodic-software/claude-code-plugins /tmp/claude-code-plugins && cp -r /tmp/claude-code-plugins/plugins/systems-design/skills/zero-trust-architecture ~/.claude/skills/claude-code-plugins/
Run this command in your terminal to install the skill.
SKILL.md
---
name: zero-trust-architecture
description: Use when designing security architectures, implementing zero trust principles, or evaluating security posture. Covers never trust always verify, microsegmentation, identity-based access, and ZTNA patterns.
allowed-tools: Read, Glob, Grep
---
Zero Trust Architecture
Comprehensive guide to zero trust security architecture - the "never trust, always verify" approach to modern security.
When to Use This Skill
- Designing security architecture for new systems
- Migrating from perimeter-based security
- Implementing microsegmentation
- Evaluating identity-based access controls
- Understanding ZTNA (Zero Trust Network Access)
- Assessing security posture
Core Principles
Zero Trust Pillars:
1. Never Trust, Always Verify
   ├── Every request is verified regardless of origin
   ├── No implicit trust based on network location
   └── Continuous authentication and authorization
2. Least Privilege Access
   ├── Minimum permissions required for the task
   ├── Just-in-time access when possible
   └── Just-enough-access for the operation
3. Assume Breach
   ├── Design as if attackers are already inside
   ├── Minimize blast radius of any compromise
   └── Continuous monitoring and verification
4. Explicit Verification
   ├── Verify user identity
   ├── Verify device health
   ├── Verify request context
   └── Make access decisions at each request
Architecture Components
Identity Layer
Identity Provider (IdP):
├── Multi-factor authentication (MFA)
├── Single sign-on (SSO)
├── Federated identity
└── Privileged access management (PAM)
User Identity:
- Strong authentication required
- Continuous session validation
- Risk-based authentication
- Context-aware access decisions
Service Identity:
- Machine identity management
- Service accounts with rotation
- Certificate-based authentication
- Workload identity
Device Layer
Device Trust Assessment:
├── Device health attestation
├── Endpoint detection and response (EDR)
├── Mobile device management (MDM)
├── Certificate-based device identity
└── Posture assessment
Device Trust Signals:
- Is the device managed/enrolled?
- Is the OS up to date?
- Is security software running?
- Are there known vulnerabilities?
- Is there anomalous behavior?
Network Layer
Microsegmentation:
┌─────────────────────────────────────────┐
│ Traditional                             │
│ ┌────────────────────────────────────┐  │
│ │ Flat Internal Network              │  │
│ │ Trust everything inside            │  │
│ └────────────────────────────────────┘  │
│                                         │
│ Zero Trust                              │
│ ┌─────┐  ┌─────┐  ┌─────┐  ┌─────┐      │
│ │ Seg │  │ Seg │  │ Seg │  │ Seg │      │
│ │  A  │  │  B  │  │  C  │  │  D  │      │
│ └──┬──┘  └──┬──┘  └──┬──┘  └──┬──┘      │
│    │        │        │        │         │
│ All traffic verified at each hop        │
└─────────────────────────────────────────┘
Network Controls:
- Software-defined perimeter (SDP)
- Network access control (NAC)
- DNS security
- Encrypted communications (mTLS)
Application Layer
Application Security:
├── API gateway with authentication
├── Service mesh for service-to-service
├── Web application firewall (WAF)
├── Runtime application self-protection (RASP)
└── Secure software supply chain
Access Control:
- Attribute-based access control (ABAC)
- Role-based access control (RBAC)
- Policy-based access control
- Just-in-time access provisioning
Data Layer
Data Protection:
├── Classification and labeling
├── Encryption at rest and in transit
├── Data loss prevention (DLP)
├── Rights management
└── Tokenization/masking
Data Access:
- Need-to-know basis
- Fine-grained access control
- Audit logging for all access
- Data residency compliance
Implementation Patterns
Pattern 1: Identity-Aware Proxy
         ┌───────────────────┐
         │  Identity Proxy   │
         │ (BeyondCorp-style)│
         └─────────┬─────────┘
                   │
     ┌─────────────┼─────────────┐
     │             │             │
┌────┴────┐   ┌────┴────┐   ┌────┴────┐
│  User   │   │  Device │   │ Context │
│ Identity│   │  Trust  │   │  Eval   │
└────┬────┘   └────┬────┘   └────┬────┘
     │             │             │
     └─────────────┼─────────────┘
                   │
         ┌─────────┴─────────┐
         │  Access Decision  │
         └─────────┬─────────┘
                   │
         ┌─────────┴─────────┐
         │    Application    │
         └───────────────────┘
How it works:
1. User requests access to application
2. Proxy checks user identity (authentication)
3. Proxy evaluates device trust score
4. Proxy considers context (location, time, behavior)
5. Policy engine makes access decision
6. If approved, proxy provides access
Pattern 2: Service Mesh Zero Trust
┌─────────────────────────────────────────────────┐
│                  Control Plane                  │
│  ┌──────────┐   ┌──────────┐   ┌──────────┐     │
│  │  Policy  │   │   Cert   │   │  Config  │     │
│  │  Engine  │   │ Authority│   │  Store   │     │
│  └────┬─────┘   └────┬─────┘   └────┬─────┘     │
└───────┼──────────────┼──────────────┼───────────┘
        │              │              │
┌───────┼──────────────┼──────────────┼───────────┐
│                   Data Plane                    │
│  ┌─────────────┐          ┌─────────────┐       │
│  │  Service A  │◄──mTLS──►│  Service B  │       │
│  │  ┌───────┐  │          │  ┌───────┐  │       │
│  │  │ Proxy │  │          │  │ Proxy │  │       │
│  │  └───────┘  │          │  └───────┘  │       │
│  └─────────────┘          └─────────────┘       │
└─────────────────────────────────────────────────┘
Service mesh provides:
- mTLS between all services
- Fine-grained authorization policies
- Service-to-service identity
- Traffic encryption everywhere
- Policy enforcement at the proxy
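The authorization step the sidecar performs on every inbound request, as an added example (this is not code from the skill, nor from Istio, Linkerd or any other mesh). Workload identities are SPIFFE URIs of the form `spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>`, the naming Istio-style meshes use; the `Rule`/`Request` shapes, the sample policy for a `payments` workload and the sample requests are assumptions constructed for illustration. The point it shows is the order of checks: a peer that proved no identity over mTLS is denied before any policy is consulted, an identity from a foreign trust domain is denied next, and only then is the allow-list searched, with no rule matching meaning deny.

```python
"""Per-request authorization at a service-mesh sidecar proxy.

Added example; not code from the skill or from any mesh project. The SPIFFE
URI shape is standard; the Rule/Request types, the trust domain and the
sample policy and requests below are assumptions constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

SPIFFE_ID = re.compile(r"^spiffe://(?P<domain>[^/]+)/ns/(?P<ns>[^/]+)/sa/(?P<sa>[^/]+)$")


def parse_spiffe(uri: str) -> Optional[dict[str, str]]:
    """Return trust domain / namespace / service account, or None if malformed."""
    m = SPIFFE_ID.match(uri)
    return m.groupdict() if m else None


@dataclass(frozen=True)
class Rule:
    """One ALLOW rule: which peer principals may call which operations."""
    principals: tuple[str, ...]            # SPIFFE URIs; shell-style globs allowed
    methods: tuple[str, ...] = ("*",)
    paths: tuple[str, ...] = ("*",)


@dataclass(frozen=True)
class Request:
    """What the sidecar knows after terminating mTLS and parsing the request."""
    peer_principal: Optional[str]          # URI SAN of the client cert; None if plaintext
    method: str
    path: str


def authorize(rules: tuple[Rule, ...], req: Request, trust_domain: str) -> tuple[bool, str]:
    """Default deny: allow only when some rule matches an authenticated peer.

    Check order matters: first that the peer proved any identity over mTLS,
    then that the identity is well-formed and issued by our trust domain,
    and only then whether a rule grants this principal this exact operation.
    """
    if req.peer_principal is None:
        return False, "deny: no mTLS peer identity (plaintext or one-way TLS)"
    ident = parse_spiffe(req.peer_principal)
    if ident is None or ident["domain"] != trust_domain:
        return False, f"deny: untrusted or malformed principal {req.peer_principal!r}"
    for i, rule in enumerate(rules):
        if (any(fnmatchcase(req.peer_principal, p) for p in rule.principals)
                and any(fnmatchcase(req.method, m) for m in rule.methods)
                and any(fnmatchcase(req.path, p) for p in rule.paths)):
            return True, f"allow: rule {i} ({ident['ns']}/{ident['sa']} {req.method} {req.path})"
    return False, "deny: no matching rule (default deny)"


# Constructed sample policy attached to the 'payments' workload.
TRUST_DOMAIN = "cluster.local"
PAYMENTS_POLICY = (
    # Only the checkout service account may create charges.
    Rule(principals=("spiffe://cluster.local/ns/shop/sa/checkout",),
         methods=("POST",), paths=("/charge",)),
    # Any workload in the observability namespace may read health and metrics.
    Rule(principals=("spiffe://cluster.local/ns/observability/sa/*",),
         methods=("GET",), paths=("/healthz", "/metrics")),
)


def demo() -> dict[str, bool]:
    """Constructed requests against PAYMENTS_POLICY; True means allowed."""
    cases = {
        "checkout POST /charge": Request("spiffe://cluster.local/ns/shop/sa/checkout", "POST", "/charge"),
        "frontend POST /charge": Request("spiffe://cluster.local/ns/shop/sa/frontend", "POST", "/charge"),
        "checkout GET /charge": Request("spiffe://cluster.local/ns/shop/sa/checkout", "GET", "/charge"),
        "prometheus GET /metrics": Request("spiffe://cluster.local/ns/observability/sa/prometheus", "GET", "/metrics"),
        "plaintext POST /charge": Request(None, "POST", "/charge"),
        "foreign domain POST /charge": Request("spiffe://evil.example/ns/shop/sa/checkout", "POST", "/charge"),
    }
    return {name: authorize(PAYMENTS_POLICY, r, TRUST_DOMAIN)[0] for name, r in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}")
```

Two things worth noticing when comparing this with a real mesh: the plaintext case only arises if the mesh's peer-authentication mode still permits non-mTLS traffic, which is exactly the setting a zero-trust rollout must turn off; and the frontend request is denied even though frontend is a perfectly valid, authenticated workload, because authentication and authorization are separate decisions.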
Pattern 3: ZTNA (Zero Trust Network Access)
Traditional VPN:
User ──► VPN ──► Full Network Access

ZTNA (Zero Trust Network Access):
User ──► ZTNA Broker ──► Specific App Only
              │
        ┌─────┴─────┐
        │ Evaluate: │
        │ - Identity│
        │ - Device  │
        │ - Context │
        │ - Policy  │
        └─────┬─────┘
              │
      Access to ONE application
        (not entire network)
ZTNA Benefits:
- Application-level access, not network-level
- Invisible infrastructure (no exposed IPs)
- Consistent policy regardless of location
- Reduced attack surface
Trust Evaluation
Continuous Trust Scoring
Trust Score Components:
User Trust:
├── Authentication strength       [0-25 points]
├── Session age/freshness         [0-15 points]
├── Behavioral anomalies          [0-20 points]
└── Historical patterns           [0-10 points]
Device Trust:
├── Device management status      [0-20 points]
├── Security posture              [0-20 points]
├── Patch level                   [0-15 points]
└── Certificate validity          [0-10 points]
Context Trust:
├── Network location              [0-15 points]
├── Geolocation                   [0-10 points]
├── Time of access                [0-10 points]
└── Request patterns              [0-15 points]
Total Score: 0-185 points (user 70 + device 65 + context 50)
Policy Example (bands must not overlap, or a score on the boundary has two answers):
- Score 150-185: Full access
- Score 100-149: Limited access + step-up auth
- Score 50-99: Read-only access
- Score 0-49: Block access
The score is recomputed on every request, not fixed at login; a session can move down a band mid-way as its signals change.
Risk-Based Access Decisions
Access Decision Matrix:
                     │ Low-Risk Resource  │ High-Risk Resource
─────────────────────┼────────────────────┼────────────────────
High Trust Score     │ Allow              │ Allow
Medium Trust Score   │ Allow              │ MFA Challenge
Low Trust Score      │ MFA Challenge      │ Block + Alert
Dynamic Factors:
- Time-based: Unusual access hours?
- Location-based: Unusual geography?
- Behavior-based: Unusual patterns?
- Resource-based: Sensitive data access?
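A policy engine that ties the pieces above together, as an added example (not code from the skill or from any product): it scores a request from user, device and context signals on the page's 0-185 scale, maps the score onto the tiers and onto the decision matrix, and then re-evaluates the same session as its signals drift, which is the "access decision at each request" step of the identity-aware proxy pattern. The component point ranges, tiers and matrix come from the page; how individual raw signals map onto points within each component, the assumption that the matrix's high/medium/low bands coincide with the score tiers, and the two sample sessions are choices made here for illustration.

```python
"""Continuous trust scoring and risk-based access decisions.

Added example, not code from the skill or from any product. The component
point ranges (0-185 total), the score tiers and the decision matrix follow
the page; how raw signals map onto points inside each component, and the
sample sessions, are assumptions made here for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "mfa_challenge"
    BLOCK = "block_and_alert"


@dataclass(frozen=True)
class Signals:
    """Signals the policy engine sees for one request (assumed field set)."""
    auth_method: str = "password"   # password | password+totp | fido2
    session_age_min: int = 0
    anomaly_count: int = 0          # behavioural anomalies flagged this session
    matches_history: bool = True    # consistent with the user's usual patterns
    managed: bool = False           # enrolled in MDM/UEM
    edr_running: bool = False
    disk_encrypted: bool = False
    patch_age_days: int = 90
    device_cert_valid: bool = False
    network: str = "internet"       # corp | vpn | internet | tor
    geo_expected: bool = True
    hour: int = 12                  # local hour of the request
    requests_per_min: int = 10


AUTH_POINTS = {"password": 5, "password+totp": 15, "fido2": 25}
NETWORK_POINTS = {"corp": 15, "vpn": 10, "internet": 5, "tor": 0}


def user_trust(s: Signals) -> int:
    """0-70: auth strength (25) + freshness (15) + anomalies (20) + history (10)."""
    fresh = 15 if s.session_age_min < 60 else 8 if s.session_age_min < 480 else 0
    return (AUTH_POINTS.get(s.auth_method, 0) + fresh
            + max(0, 20 - 10 * s.anomaly_count) + (10 if s.matches_history else 0))


def device_trust(s: Signals) -> int:
    """0-65: managed (20) + posture (20) + patch level (15) + device cert (10)."""
    posture = (10 if s.edr_running else 0) + (10 if s.disk_encrypted else 0)
    patch = 15 if s.patch_age_days <= 14 else 8 if s.patch_age_days <= 45 else 0
    return (20 if s.managed else 0) + posture + patch + (10 if s.device_cert_valid else 0)


def context_trust(s: Signals) -> int:
    """0-50: network (15) + geolocation (10) + time of day (10) + request rate (15)."""
    rate = 15 if s.requests_per_min <= 60 else 5 if s.requests_per_min <= 300 else 0
    return (NETWORK_POINTS.get(s.network, 0) + (10 if s.geo_expected else 0)
            + (10 if 7 <= s.hour <= 19 else 3) + rate)


def trust_score(s: Signals) -> int:
    """Total 0-185, the sum of the three components."""
    return user_trust(s) + device_trust(s) + context_trust(s)


def score_tier(score: int) -> str:
    """The page's score policy with non-overlapping bands."""
    if score >= 150:
        return "full"
    if score >= 100:
        return "limited+step-up"
    if score >= 50:
        return "read-only"
    return "block"


def decide(score: int, high_risk_resource: bool) -> Decision:
    """Decision matrix: trust band x resource sensitivity.

    Bands high (>=150), medium (100-149), low (50-99) follow the score tiers;
    below 50 is blocked for any resource. Mapping the tiers onto the matrix
    this way is an assumption of this example.
    """
    if score < 50:
        return Decision.BLOCK
    if score >= 150:
        return Decision.ALLOW
    if score >= 100:
        return Decision.STEP_UP if high_risk_resource else Decision.ALLOW
    return Decision.BLOCK if high_risk_resource else Decision.STEP_UP


def session_timeline(start: Signals, high_risk_resource: bool) -> list[tuple[str, int, Decision]]:
    """Re-evaluate one session as its signals drift. Verification is per request,
    not once at login, so a session that began as high trust is stepped up or
    cut off mid-way instead of coasting until logout."""
    later = replace(start, session_age_min=480, anomaly_count=2, network="internet", hour=3)
    return [(label, trust_score(s), decide(trust_score(s), high_risk_resource))
            for label, s in (("at login", start), ("8h later, 2 anomalies, off-net", later))]


# Constructed sample sessions.
CORP_LAPTOP = Signals(auth_method="fido2", session_age_min=5, managed=True, edr_running=True,
                      disk_encrypted=True, patch_age_days=7, device_cert_valid=True,
                      network="corp", hour=10, requests_per_min=20)
UNKNOWN_BYOD = Signals(auth_method="password", matches_history=False, network="tor",
                       geo_expected=False, hour=3, requests_per_min=500)

if __name__ == "__main__":
    for label, score, d in session_timeline(CORP_LAPTOP, high_risk_resource=True):
        print(f"{label:32} score={score:3} tier={score_tier(score):16} -> {d.value}")
    byod = trust_score(UNKNOWN_BYOD)
    print(f"{'unknown BYOD':32} score={byod:3} tier={score_tier(byod):16} -> {decide(byod, False).value}")
```

The interesting row is the second one: the same user on the same managed device drops from 185 to 133 after eight hours, two anomalies and a move off the corporate network, which keeps low-risk resources open but forces a step-up for high-risk ones. A one-time-verification design would never notice.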
Implementation Roadmap
Phase 1: Visibility and Identity
Duration: 3-6 months
Steps:
1. Inventory all users, devices, applications
2. Implement strong identity management
3. Enable MFA everywhere
4. Deploy comprehensive logging
5. Establish baseline behaviors
Success Criteria:
☐ 100% user MFA coverage
☐ Complete asset inventory
☐ Centralized authentication
☐ Security event visibility
Phase 2: Device Trust
Duration: 3-6 months
Steps:
1. Implement device management (MDM/UEM)
2. Deploy endpoint security (EDR)
3. Establish device trust policies
4. Enable device health attestation
5. Enforce device compliance
Success Criteria:
☐ All devices managed/enrolled
☐ Device posture assessment active
☐ Non-compliant devices blocked
☐ Certificate-based device identity
Phase 3: Microsegmentation
Duration: 6-12 months
Steps:
1. Map application dependencies
2. Define segmentation policies
3. Implement network controls
4. Deploy software-defined perimeter
5. Enable east-west traffic inspection
Success Criteria:
☐ Critical apps microsegmented
☐ East-west traffic encrypted
☐ Lateral movement restricted
☐ Segment-level monitoring
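Steps 1 and 2 of this phase (map dependencies, then define segmentation policies) in code, as an added example that is not part of the skill or of any segmentation product: an observed dependency map is turned into a default-deny allow-list, a flow that was seen but rejected in review is excluded rather than blindly codified, and the resulting policy is checked both as an enforcement-point decision and as a blast-radius measure against the flat network it replaces. The flow records, segment names and the excluded flow are constructed for illustration; in a real rollout they come from flow logs, a service map or an agent-based dependency mapper.

```python
"""Microsegmentation policy derived from an application dependency map.

Added example; not code from the skill or from any segmentation product.
The flow records and segment names are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict

Flow = tuple[str, str, int]  # (source segment, destination segment, destination port)
Policy = dict[str, set[tuple[str, int]]]

# Constructed: flows observed during the dependency-mapping step.
OBSERVED_FLOWS: list[Flow] = [
    ("lb", "web", 443),
    ("web", "api", 8443),
    ("api", "db", 5432),
    ("api", "cache", 6379),
    ("batch", "db", 5432),
    ("admin-jump", "db", 5432),   # seen in the logs, rejected in policy review
]
SEGMENTS = sorted({seg for flow in OBSERVED_FLOWS for seg in flow[:2]})


def build_policy(flows: list[Flow], exclude: frozenset[Flow] = frozenset()) -> Policy:
    """Allow-list keyed by source: exactly the observed (dst, port) pairs not excluded.

    Anything absent is denied. `exclude` carries flows that were observed but
    rejected during review, so the policy does not just bless whatever the
    network happened to be doing when it was mapped.
    """
    policy: Policy = defaultdict(set)
    for src, dst, port in flows:
        if (src, dst, port) not in exclude:
            policy[src].add((dst, port))
    return dict(policy)


def is_allowed(policy: Policy, src: str, dst: str, port: int) -> bool:
    """Enforcement-point check: default deny, allow only a listed (dst, port) for this source."""
    return (dst, port) in policy.get(src, set())


def reachable(policy: Policy, start: str) -> set[str]:
    """Segments an attacker who owns `start` can reach by chaining allowed flows."""
    seen: set[str] = set()
    stack = [start]
    while stack:
        for dst, _port in policy.get(stack.pop(), ()):
            if dst not in seen:
                seen.add(dst)
                stack.append(dst)
    return seen


def blast_radius(policy: Policy) -> dict[str, tuple[int, int]]:
    """Per starting segment: (segments reachable under the policy, reachable on a flat network)."""
    return {s: (len(reachable(policy, s)), len(SEGMENTS) - 1) for s in SEGMENTS}


def reviewed_policy() -> Policy:
    """The constructed flows with the rejected admin-jump path left out."""
    return build_policy(OBSERVED_FLOWS, exclude=frozenset({("admin-jump", "db", 5432)}))


if __name__ == "__main__":
    policy = reviewed_policy()
    for src, dst, port in [("web", "api", 8443), ("web", "db", 5432), ("web", "api", 22)]:
        print(f"{src} -> {dst}:{port}  {'ALLOW' if is_allowed(policy, src, dst, port) else 'DENY'}")
    for seg, (segmented, flat) in blast_radius(policy).items():
        print(f"compromise of {seg:10} reaches {segmented} segments (flat network: {flat})")
```

The blast-radius numbers are the argument for the phase: on the flat network every segment reaches all six others, while under the allow-list a compromised web tier reaches three (api and, through it, db and cache) and a compromised db reaches none. The `web -> db:5432` and `web -> api:22` denials are the lateral-movement checks the success criteria ask for.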
Phase 4: Adaptive Access
Duration: 3-6 months
Steps:
1. Implement risk scoring
2. Deploy policy decision points
3. Enable continuous authentication
4. Implement just-in-time access
5. Automate access decisions
Success Criteria:
☐ Risk-based access decisions
☐ Context-aware policies
☐ Automated access reviews
☐ Just-in-time privileged access
Anti-Patterns
Zero Trust Anti-Patterns:
1. "Zero Trust In Name Only"
   ✗ Adding MFA and calling it zero trust
   ✓ Comprehensive identity + device + network + data controls
2. "Perimeter Replacement"
   ✗ Replacing VPN with ZTNA without other controls
   ✓ ZTNA as part of a comprehensive architecture
3. "Trust The Internal Network"
   ✗ Applying zero trust only at the edge
   ✓ Verify all traffic, including internal
4. "One-Time Verification"
   ✗ Verify at login, trust for the session duration
   ✓ Continuous verification throughout the session
5. "Security Theater"
   ✗ Complex controls that users bypass
   ✓ Frictionless security that's hard to bypass
Technology Options
Identity & Access:
- Microsoft Entra ID (formerly Azure AD)
- Okta
- Ping Identity
- Google Identity
ZTNA Solutions:
- Zscaler Private Access
- Cloudflare Access
- Palo Alto Prisma Access
- Tailscale
Service Mesh:
- Istio
- Linkerd
- Consul Connect
- AWS App Mesh
Device Management:
- Microsoft Intune
- Jamf
- VMware Workspace ONE
- Google Endpoint Management
Related Skills
- api-security - OAuth, OIDC, JWT patterns
- mtls-service-mesh - Service-to-service security
- secrets-management - Credential and secret handling
- observability-patterns - Security monitoring and detection
Repository: melodic-software/claude-code-plugins/plugins/systems-design/skills/zero-trust-architecture
Author: melodic-software
Stars: 3, Forks: 0
Updated 4d ago, Added 1w ago