Security · 2 min read

Zero-trust architecture for modern web applications

Perimeter security is dead. We implemented zero-trust patterns across 12 client deployments. Here is the practical playbook.

James Rodriguez
Security Engineer

The castle-and-moat model of security does not work when your workforce is remote, your infrastructure is multi-cloud, and your APIs are public. We stopped trusting networks and started verifying every request.

Principles

Zero-trust has three core principles:

  1. Never trust, always verify: Every access request is fully authenticated and authorized
  2. Assume breach: Design systems as if an attacker is already inside
  3. Least privilege: Users and services get minimum necessary access

Identity layer

We standardized on OAuth 2.0 + OIDC with short-lived tokens:

  • Access tokens: 15-minute TTL
  • Refresh tokens: 7-day TTL with rotation
  • ID tokens: Verified on every request
  • Device binding: Tokens tied to device fingerprints

Multi-factor authentication is mandatory for all admin roles. We use WebAuthn/FIDO2 where possible, with TOTP as the fallback.

Service-to-service communication

Internal APIs do not grant trust based on source IP address. Every service call includes:

  • mTLS: Mutual TLS with SPIFFE identity
  • JWT service tokens: Short-lived, scope-limited
  • Request signing: HMAC-SHA256 of request body and headers

We use a service mesh (Istio) to automate mTLS and collect telemetry.
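
As an added example (not code from the post or its author), the request-signing step above: both sides build the same canonical string from the method, path, an agreed set of headers and a SHA-256 of the body, then HMAC-SHA256 it with a per-service key. The key, the signed-header set and the 5-minute replay window are assumptions for the demo.

```python
import hashlib
import hmac
import time

# Constructed demo key. In a real deployment the per-service secret comes from
# a secret store (the post uses Vault) and is rotated; never hard-code it.
DEMO_KEY = b"constructed-demo-key-do-not-use"
# Assumption: these headers are covered by the signature, in this fixed order.
SIGNED_HEADERS = ("host", "content-type", "x-request-timestamp")
MAX_SKEW_SECONDS = 300  # assumption: signatures older than 5 minutes are stale


def _lower(headers):
    """Normalise header names to lowercase and trim values for canonicalisation."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def canonical_string(method, path, headers, body):
    """The exact bytes both sides sign: method, path, agreed headers, body hash."""
    lower = _lower(headers)
    header_lines = [f"{name}:{lower.get(name, '')}" for name in SIGNED_HEADERS]
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, *header_lines, body_hash]).encode()


def sign_request(key, method, path, headers, body):
    """Hex HMAC-SHA256 the caller sends in an X-Signature header."""
    msg = canonical_string(method, path, headers, body)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_request(key, method, path, headers, body, signature, now=None):
    """Server side: reject stale timestamps (replay window), then recompute the
    signature and compare in constant time so tampering with any covered
    field, including the body, fails verification."""
    now = time.time() if now is None else now
    try:
        ts = int(_lower(headers).get("x-request-timestamp", ""))
    except ValueError:
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    expected = sign_request(key, method, path, headers, body)
    return hmac.compare_digest(expected, signature)
```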

Network segmentation

Even inside the VPC, we enforce segmentation:

  • Micro-segmentation: Each service has explicit allow-lists
  • East-west inspection: Traffic between internal services is inspected
  • No flat networks: Production, staging, and development are isolated

Data protection

  • Encryption at rest: AES-256 for all persistent storage
  • Encryption in transit: TLS 1.3 minimum
  • Field-level encryption: PII encrypted before database insertion
  • Key rotation: Automatic 90-day rotation with HashiCorp Vault

Monitoring and response

Zero-trust without visibility is blindness. We implement:

  • Structured audit logs: Every access decision logged with context
  • Anomaly detection: ML-based detection of unusual access patterns
  • Automated response: Suspicious sessions terminated automatically
  • Quarterly access reviews: All permissions reviewed and justified

The cost

Zero-trust adds latency. mTLS handshakes cost ~5ms. Token validation adds ~2ms. Request signing adds ~1ms.

We accept this cost. The alternative is a breach that costs exponentially more.

Getting started

You do not need to rebuild everything. Start with:

  1. Enforce MFA for all privileged accounts
  2. Replace VPN with identity-aware proxy
  3. Implement mTLS for internal APIs
  4. Add request signing to critical endpoints
  5. Log every access decision

Security is a process, not a product.

Tags: Security, Zero Trust, Architecture, OAuth, mTLS