Zero-trust architecture for modern web applications
Perimeter security is dead. A practical playbook for applying zero-trust patterns to modern web stacks.
The castle-and-moat model of security does not work when the workforce is remote, the infrastructure is multi-cloud, and the APIs are public. Stop trusting networks. Start verifying every request.
Principles
Zero-trust has three core principles:
- Never trust, always verify: Every access request is fully authenticated and authorized
- Assume breach: Design systems as if an attacker is already inside
- Least privilege: Users and services get minimum necessary access
Identity layer
Standardize on OAuth 2.0 + OIDC with short-lived tokens:
- Access tokens: 15-minute TTL
- Refresh tokens: 7-day TTL with rotation
- ID tokens: Verified on every request
- Device binding: Tokens tied to device fingerprints
Multi-factor authentication is mandatory for all admin roles. Use WebAuthn/FIDO2 where possible, TOTP as fallback.
Service-to-service communication
Internal APIs should not trust based on IP address. Every service call should include:
- mTLS: Mutual TLS with SPIFFE identity
- JWT service tokens: Short-lived, scope-limited
- Request signing: HMAC-SHA256 of request body and headers
A service mesh like Istio is the usual way to automate mTLS and collect telemetry across an internal fleet.
Network segmentation
Even inside the VPC, enforce segmentation:
- Micro-segmentation: Each service has explicit allow-lists
- East-west inspection: Traffic between internal services is inspected
- No flat networks: Production, staging, and development are isolated
Data protection
- Encryption at rest: AES-256 for all persistent storage
- Encryption in transit: TLS 1.3 minimum
- Field-level encryption: PII encrypted before database insertion
- Key rotation: Automatic 90-day rotation with HashiCorp Vault
Monitoring and response
Zero-trust without visibility is blindness. Implement:
- Structured audit logs: Every access decision logged with context
- Anomaly detection: ML-based detection of unusual access patterns
- Automated response: Suspicious sessions terminated automatically
- Quarterly access reviews: All permissions reviewed and justified
The cost
Zero-trust adds latency. mTLS handshakes cost a few milliseconds. Token validation adds another small amount. Request signing adds another.
The cost is acceptable. The alternative is a breach that costs exponentially more.
Getting started
You do not need to rebuild everything. Start with:
- Enforce MFA for all privileged accounts
- Replace VPN with identity-aware proxy
- Implement mTLS for internal APIs
- Add request signing to critical endpoints
- Log every access decision
Security is a process, not a product.