Skip to main content
C
CIPHRX
All articles
Security··2 min read

Zero-trust architecture for modern web applications

Perimeter security is dead. A practical playbook for applying zero-trust patterns to modern web stacks.

C
CIPHRX
Engineering team

The castle-and-moat model of security does not work when the workforce is remote, the infrastructure is multi-cloud, and the APIs are public. Stop trusting networks. Start verifying every request.

Principles

Zero-trust has three core principles:

  1. Never trust, always verify: Every access request is fully authenticated and authorized
  2. Assume breach: Design systems as if an attacker is already inside
  3. Least privilege: Users and services get minimum necessary access

Identity layer

Standardize on OAuth 2.0 + OIDC with short-lived tokens:

  • Access tokens: 15-minute TTL
  • Refresh tokens: 7-day TTL with rotation
  • ID tokens: Verified on every request
  • Device binding: Tokens tied to device fingerprints

Multi-factor authentication is mandatory for all admin roles. Use WebAuthn/FIDO2 where possible, TOTP as fallback.

Service-to-service communication

Internal APIs should not trust based on IP address. Every service call should include:

  • mTLS: Mutual TLS with SPIFFE identity
  • JWT service tokens: Short-lived, scope-limited
  • Request signing: HMAC-SHA256 of request body and headers

A service mesh like Istio is the usual way to automate mTLS and collect telemetry across an internal fleet.

Network segmentation

Even inside the VPC, enforce segmentation:

  • Micro-segmentation: Each service has explicit allow-lists
  • East-west inspection: Traffic between internal services is inspected
  • No flat networks: Production, staging, and development are isolated

Data protection

  • Encryption at rest: AES-256 for all persistent storage
  • Encryption in transit: TLS 1.3 minimum
  • Field-level encryption: PII encrypted before database insertion
  • Key rotation: Automatic 90-day rotation with HashiCorp Vault

Monitoring and response

Zero-trust without visibility is blindness. Implement:

  • Structured audit logs: Every access decision logged with context
  • Anomaly detection: ML-based detection of unusual access patterns
  • Automated response: Suspicious sessions terminated automatically
  • Quarterly access reviews: All permissions reviewed and justified

The cost

Zero-trust adds latency. mTLS handshakes cost a few milliseconds. Token validation adds another small amount. Request signing adds another.

The cost is acceptable. The alternative is a breach that costs exponentially more.

Getting started

You do not need to rebuild everything. Start with:

  1. Enforce MFA for all privileged accounts
  2. Replace VPN with identity-aware proxy
  3. Implement mTLS for internal APIs
  4. Add request signing to critical endpoints
  5. Log every access decision

Security is a process, not a product.

SecurityZero TrustArchitectureOAuthmTLS