--- id: security-zero-trust title: Zero Trust β€” Never trust / Always verify category: Coding status: draft source_trust_level: B verification_status: conceptual created_at: 2026-05-09 updated_at: 2026-05-09 tags: [security, zero-trust, vibe-coding] tech_stack: { language: "Various", applicable_to: ["Security"] } applied_in: [] aliases: [Zero Trust, BeyondCorp, perimeterless, SSO, MFA, identity-based] --- # Zero Trust > "Trust no one, verify everything". **Network perimeter X β€” identity + context every request**. Google BeyondCorp, Cloudflare Access, Tailscale. ## πŸ“– 핡심 κ°œλ… - μ˜›: Network perimeter (VPN, internal = trusted). - Zero trust: 맀 request κ°€ identity + context. - Continuous verification. - Least privilege. ## πŸ’» μ½”λ“œ νŒ¨ν„΄ ### μ˜› vs new ``` μ˜› (perimeter): - VPN connect - Internal network = trusted - λͺ¨λ“  service κ°€ trust Zero trust: - 맀 request κ°€ 인증 + κΆŒν•œ - "Internal" / "external" μ—†μŒ - Public internet 가도 μ•ˆμ „ ``` ### Components ``` 1. Identity provider (Google, Okta, Auth0, Azure AD) 2. Device trust (managed device check) 3. Access proxy (Cloudflare Access, Zscaler) 4. Service authentication (mTLS, signed) 5. Policy engine (allowlist + context) 6. Continuous monitoring ``` ### Cloudflare Access (κ°€μž₯ λΉ λ₯Έ μ‹œμž‘) ```yaml # Application - Domain: internal.example.com - Identity: Google + Okta - Policy: - Email domain @company.com - 2FA required - Device: managed - Country: US, KR, JP ``` ``` μ‚¬μš©μž: 1. Visit internal.example.com 2. Cloudflare κ°€ Google login 3. Policy check (email, 2FA, device) 4. 톡과 β†’ tunnel to actual service ``` β†’ VPN 없이 internal app access. 1μ‹œκ°„ setup. ### Tailscale (mesh VPN, modern) ```bash # λͺ¨λ“  device 에 install tailscale up --auth-key=... # μžλ™ mesh β€” λͺ¨λ“  device 끼리 직접 connect # WireGuard 기반 ``` ```yaml # ACL { "groups": { "group:admins": ["alice@", "bob@"], "group:dev": ["dev-team@"], }, "acls": [ { "action": "accept", "src": ["group:admins"], "dst": ["*:*"] }, { "action": "accept", "src": ["group:dev"], "dst": ["dev-server:22"] }, ], } ``` β†’ Private network without VPN concentrator. ### mTLS (service-to-service) ``` [[Security_mTLS_Patterns]]: Service A β†’ Service B: - A 의 cert + B κ°€ 검증 (μ–‘λ°©) - μ—†μœΌλ©΄ connection refuse β†’ Zero trust within cluster. ``` ### Identity 맀 request ```ts // Middleware app.use(async (req, res, next) => { const token = req.headers.authorization?.replace('Bearer ', ''); if (!token) return res.status(401).end(); const user = await verifyJwt(token); if (!user) return res.status(401).end(); req.user = user; next(); }); // 맀 endpoint κ°€ user 검증. // "Internal network 이라 μ•ˆμ „" κ°€μ • X. ``` ### Context-aware (BeyondCorp) ```ts function checkAccess(user: User, request: Request, resource: Resource): boolean { // 1. Identity if (!user.authenticated) return false; // 2. Device trust const device = getDevice(request); if (!device.managed || !device.encrypted) return false; // 3. Network (location, but not exclusive) if (request.ip === 'tor' || isHighRiskCountry(request.geoIp)) return false; // 4. Behavior (anomaly) if (anomalyScore(user, request) > 0.8) return false; // 5. Resource (least privilege) if (!user.permissions.includes(resource.requiredPermission)) return false; return true; } ``` β†’ Multi-factor decision. ### Service mesh (mTLS within K8s) ``` Istio / Linkerd: - λͺ¨λ“  service κ°„ mTLS μžλ™ - AuthorizationPolicy κ°€ access - μ‚¬μš©μž identity propagate (header) ``` β†’ [[DevOps_Service_Mesh_Deep]]. ### Identity propagation ```ts // User κ°€ frontend β†’ API β†’ backend service // 맀 hop 에 identity propagate // Frontend β†’ API const r = await fetch('/api/orders', { headers: { 'Authorization': `Bearer ${userToken}` }, }); // API β†’ Backend service async function getOrders(req) { const userId = req.user.id; // mTLS auth + user header return fetch('http://orders-service/list', { headers: { 'X-User-ID': userId, 'X-Trace-ID': req.headers['x-trace-id'], }, }); } // Backend service κ°€ user-scoped query async function listOrders(userId: string) { return db.orders.findMany({ where: { userId } }); } ``` ### Workload identity ``` Service-to-service auth: - mTLS cert - SPIFFE / SPIRE - IAM role (cloud) - AWS IRSA (K8s + IAM) ``` ```yaml # K8s ServiceAccount + IAM apiVersion: v1 kind: ServiceAccount metadata: name: my-app annotations: eks.amazonaws.com/role-arn: arn:aws:iam::123:role/my-app ``` β†’ Pod κ°€ IAM role μžλ™. ### Secret access (need-to-know) ```ts // Vault / Doppler / 1Password const secret = await vault.read(`apps/${env}/db-password`); // Token-based access: // - Service A token: read apps/prod/db-password // - Service B token: read apps/prod/api-key // - λ‹€λ₯Έ κ±° μ•ˆ 됨 ``` β†’ Least privilege. ### Continuous monitoring ``` - Anomaly detection (μ‚¬μš© νŒ¨ν„΄) - New device alert - Unusual location - Failed auth attempts - Data exfiltration patterns Tools: Splunk, Datadog SIEM, Elastic SIEM, Panther. ``` ### Just-in-time access ``` μ‚¬μš©μž κ°€ sensitive resource ν•„μš”: 1. Request access (reason λͺ…μ‹œ) 2. Approval (manager / on-call) 3. Time-limited grant (1 hour) 4. Auto revoke 5. Audit log Tools: AWS SSM Session Manager, ConductorOne, Sym, Opal. ``` β†’ Standing permission μ•ˆ β€” temporary 만. ### Endpoint security ``` Device trust: - MDM (Mobile Device Management) - Disk encryption - OS up-to-date - Antivirus active Tools: Jamf, Kandji, Intune. ``` ### Phishing-resistant MFA ``` Phishable: - SMS (SIM swap) - TOTP (man-in-the-middle) Phishing-resistant: - WebAuthn / Passkey - FIDO2 hardware key - Smart card β†’ Modern MFA = Passkey. ``` β†’ [[Security_2FA_TOTP_WebAuthn]]. ### SSO + SAML / OIDC ```ts // Server import { Strategy as SamlStrategy } from 'passport-saml'; passport.use(new SamlStrategy({ entryPoint: 'https://idp.example.com/sso', issuer: 'my-app', cert: '...', }, (profile, done) => { done(null, { id: profile.nameID, email: profile.email }); })); ``` β†’ νšŒμ‚¬ IdP (Okta, Azure AD) κ°€ λͺ¨λ“  app 의 auth. ### SCIM (μžλ™ provision) ``` μ‚¬μš©μž hire / fire: 1. HR system λ³€κ²½ 2. SCIM κ°€ λͺ¨λ“  app 에 propagate 3. Account auto create / disable β†’ μ†μœΌλ‘œ 맀 app deactivate μ•ˆ 함. ``` ### Migration to zero trust ``` Phase 1 (Quick wins): - SSO λͺ¨λ“  app - MFA κ°•μ œ - VPN 제거 (Cloudflare Access) Phase 2: - Service mesh (mTLS) - Workload identity - Secret manager Phase 3: - Just-in-time access - Continuous monitoring - Endpoint trust ``` ### Cost ``` Cloudflare Access: $3/user/month Tailscale: $5/user/month Okta: $2-15/user/month Auth0: $23/month + per user Vault: self-host or HashiCorp Cloud ``` ### Common μ˜€ν•΄ ``` "Zero trust = always more secure" μ‹€μ œ: 잘 implement μ‹œ 더 μ•ˆμ „. 잘λͺ» implement = λΉ„μŠ·. "Zero trust = no VPN" μ‹€μ œ: VPN κ°€ component κ°€λŠ₯ (Tailscale λ“±). "Zero trust = expensive" μ‹€μ œ: SaaS κ°€ cheap. 큰 enterprise λŠ” λ‹€μ–‘ layer. ``` ### NIST 800-207 (US standard) ``` Tenets: 1. All data sources / services = resources. 2. All communication = secured (location 무관). 3. Per-session access (no persistent). 4. Dynamic policy. 5. Asset integrity monitor. 6. All authentication / authorization = dynamic, strict. 7. As much information collected as possible. ``` β†’ Government / compliance-heavy. ### Network λΆ„λ¦¬λŠ” μ—¬μ „ κ°€μΉ˜ ``` Zero trust = identity-based. Defense in depth = network 도. Best: - Zero trust (identity) - + Network 뢄리 (defense) - + Least privilege - + λͺ¨λ“  layer 검증 ``` ### Logging / audit ```ts // 맀 access decision log log.info('access', { userId, resource, action, decision: 'allowed', reason: 'admin role', context: { ip, device, country, time }, }); ``` β†’ Forensic + compliance. ### Identity provider (IdP) 선택 ``` Workforce: - Okta: best ecosystem - Azure AD: Microsoft 365 stack - Google Workspace: Google stack - Auth0 / Keycloak: developer-friendly Customer: - Auth0 - Clerk - Cognito - Supabase Auth β†’ B2B (workforce) vs B2C (customer) 닀름. ``` ### Compliance 와 link ``` SOC 2: identity, access control κ°•μ œ HIPAA: PHI access control PCI DSS: cardholder data GDPR: data subject rights β†’ Zero trust κ°€ μžμ—° align. ``` ## πŸ€” μ˜μ‚¬κ²°μ • κΈ°μ€€ | 상황 | μΆ”μ²œ | |---|---| | μž‘μ€ startup | Cloudflare Access (λΉ λ₯Έ) | | K8s | Service mesh + Tailscale | | Enterprise | Okta / Azure AD + Vault + ZTNA | | Internal app 만 | Cloudflare Access / Pomerium | | λͺ¨λ“  μ ‘κ·Ό | NIST 800-207 framework | ## ❌ μ•ˆν‹°νŒ¨ν„΄ - **VPN 만 + internal trust**: μ˜› β€” 침투 μ‹œ λͺ¨λ‘ μœ„ν—˜. - **MFA SMS only**: SIM swap. - **Standing admin permission**: just-in-time ꢌμž₯. - **Audit log μ—†μŒ**: forensic 어렀움. - **Workload identity 무**: hardcoded secret. - **Endpoint 무 trust**: μ–΄λ–€ device 도 access. - **λͺ¨λ“  κ±° ν•œ λ²ˆμ— migrate**: 점진. ## πŸ€– LLM ν™œμš© 힌트 - Cloudflare Access / Tailscale = quick zero trust. - mTLS + workload identity = service. - Phishing-resistant MFA (Passkey). - Just-in-time + audit log. ## πŸ”— κ΄€λ ¨ λ¬Έμ„œ - [[Security_OAuth_Flows]] - [[Security_mTLS_Patterns]] - [[Security_2FA_TOTP_WebAuthn]]