3. Continuous Monitoring and Validation

Zero Trust requires continuous monitoring and validation of access requests, not just at the time of initial authentication.

Implementation Example: Real-time Access Monitoring with Envoy and OPA

# Envoy configuration with OPA integration
static_resources:
  listeners:
  - name: main_listener
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 8080
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              - match:
                  prefix: "/"
                route:
                  cluster: service_backend
          http_filters:
          - name: envoy.filters.http.ext_authz
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
              grpc_service:
                envoy_grpc:
                  cluster_name: opa_server
                timeout: 0.5s
              failure_mode_allow: false
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  
  clusters:
  - name: service_backend
    connect_timeout: 0.25s
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: service_backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: backend_service
                port_value: 8080
  
  - name: opa_server
    connect_timeout: 0.25s
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    http2_protocol_options: {}
    load_assignment:
      cluster_name: opa_server
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: opa
                port_value: 9191

OPA policy for continuous validation:

package envoy.authz

import input.attributes.request.http as http_request

default allow = false

# Allow the request if the JWT is valid and has required permissions
allow {
    # Verify JWT is valid (handled by external JWT validation)
    is_valid_token
    
    # Check if user has required permissions for this path
    has_required_permissions
    
    # Check if request is within allowed time window
    within_allowed_time_window
    
    # Check if request is from an allowed location
    from_allowed_location
    
    # Check if device is compliant
    is_compliant_device
}

# Helper rules
is_valid_token {
    http_request.headers.authorization
    startswith(http_request.headers.authorization, "Bearer ")
}

has_required_permissions {
    # Extract path and method
    path := http_request.path
    method := http_request.method
    
    # Get permissions from JWT claims (passed in context)
    permissions := token.payload.permissions
    
    # Define required permissions for each path and method
    required_permission := sprintf("%s:%s", [method, path])
    
    # Check if user has the required permission
    permissions[_] == required_permission
}

within_allowed_time_window {
    # Check if request is within allowed working hours
    time.now_ns() < token.payload.exp * 1000000000
    time.now_ns() > token.payload.nbf * 1000000000
}

from_allowed_location {
    # Check if request is from an allowed IP range
    cidr.contains("10.0.0.0/8", http_request.headers["x-forwarded-for"])
}

is_compliant_device {
    # Check device compliance status from headers
    http_request.headers["x-device-compliance"] == "compliant"
}

4. Encryption Everywhere

Zero Trust requires encryption for all data, both in transit and at rest, regardless of the network location.

Implementation Example: mTLS with Istio Service Mesh

# Istio PeerAuthentication for mTLS
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Istio DestinationRule for mTLS
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: api-service
  namespace: production
spec:
  host: api-service
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL

5. Least Privilege Access

Least privilege ensures that users and services have only the minimum permissions necessary to perform their functions.

Implementation Example: AWS IAM Roles with Fine-Grained Permissions

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/readonly/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/Department": "Analytics"
        },
        "DateGreaterThan": {
          "aws:CurrentTime": "2025-09-01T00:00:00Z"
        },
        "DateLessThan": {
          "aws:CurrentTime": "2025-09-30T23:59:59Z"
        }
      }
    }
  ]
}

Implementing Zero Trust in Distributed Systems

Let’s explore practical approaches to implementing Zero Trust across different layers of distributed systems.

1. Service-to-Service Communication

In microservices architectures, securing service-to-service communication is critical for Zero Trust implementation.

Continue Your Learning

This is part 2 of 5 in the comprehensive guide.

← Previous Introduction Guide Overview See all 5 parts Next → Advanced Patterns and Techniques