The Physics of Zero Trust: mTLS, JWTs & Network Micro-Segmentation

Why VPNs are dead. The physics of Cryptographic Identity (mTLS), Token Propagation (JWT), and the mathematics of Blast Radius Reduction.

Beginner · 45 min read

🎯 What You'll Learn

  • Prove Identity with Mathematics (mTLS Handshake Physics)
  • Implement Service-to-Service Auth (JWT Propagation)
  • Calculate Blast Radius Reduction (Graph Theory)
  • Enforce Policy as Code (OPA - Open Policy Agent)
  • Replace Firewalls with Identity Aware Proxies (IAP)

Introduction

The “Castle and Moat” security model is dead. If you trust your Local Area Network (LAN), you are already breached. Zero Trust is not a marketing buzzword. It is a concrete rule: every request is authenticated and authorized on the strength of a cryptographic identity, and the network location it arrived from counts for nothing.

The Axiom: “All network traffic is hostile. Even localhost.”


Part 1: Identity Physics (mTLS)

In Zero Trust, IP addresses are meaningless. Identity is cryptographic. Mutual TLS (mTLS) ensures two-way verification.

The Handshake Physics (TLS 1.3 order):

  1. Server: “Here is my Certificate, signed by the Internal CA, and I require one from you (CertificateRequest).”
  2. Client: “I verify your chain back to the Internal CA. Here is my Certificate, plus a signature over the handshake transcript (CertificateVerify) proving I hold its private key.”
  3. Server: “I verify your chain and your signature.”
  4. Result: An encrypted tunnel in which each side’s identity is bound to a private key it has proven it holds. Nothing about the peer’s address entered the decision.

Code (SPIFFE ID): Every workload gets a SPIFFE ID (e.g., spiffe://acme.com/billing-service), carried in the URI Subject Alternative Name of its certificate (an X.509-SVID). A peer whose certificate does not chain to the trust domain’s CA, or whose SPIFFE ID is not on the allow list, is rejected with a TLS alert during the handshake: the TCP connection was accepted, but no application data is ever exchanged.
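The handshake and the SPIFFE check above, as an added worked example in Go (not code from the original lesson): a throwaway in-process CA issues X.509-SVIDs whose identity is the spiffe:// URI SAN, an mTLS server admits only an allow-listed caller, and the client in turn refuses any server that does not present the expected SPIFFE ID. The trust domain acme.com, the workload names, the X-Caller response header and the CA itself are assumptions constructed for the example; a real deployment would get its SVIDs from a SPIRE agent or a service mesh. The same block is the worked solution to Exercise 1 below: the second call presents no client certificate and fails inside the handshake, before any request reaches the handler.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"net/url"
	"slices"
	"time"
)

// Mesh is a throwaway in-process CA standing in for the lesson's Internal CA (a demo assumption).
type Mesh struct {
	ca    *x509.Certificate
	caKey ed25519.PrivateKey
	roots *x509.CertPool
}

// mint issues a short-lived cert: a self-signed root when signer is nil, else an X.509-SVID whose identity is its spiffe:// URI SAN.
func mint(name string, signer *Mesh) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	parent, parentKey := tmpl, key // self-signed unless a signer is given
	if signer == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else {
		u, _ := url.Parse(name)
		tmpl.URIs, parent, parentKey = []*url.URL{u}, signer.ca, signer.caKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: cert}
}

func NewMesh() *Mesh {
	root := mint("Acme Internal CA", nil)
	m := &Mesh{ca: root.Leaf, caKey: root.PrivateKey.(ed25519.PrivateKey), roots: x509.NewCertPool()}
	m.roots.AddCert(root.Leaf)
	return m
}

// SVID returns a workload's X.509-SVID, ready to drop into a tls.Config.
func (m *Mesh) SVID(spiffeID string) tls.Certificate { return mint(spiffeID, m) }

// verifyPeer is the VerifyPeerCertificate callback for BOTH sides: chain to the mesh CA, then URI SAN on the allow list; hostnames and IPs are ignored.
func (m *Mesh) verifyPeer(allowed ...string) func([][]byte, [][]*x509.Certificate) error {
	return func(raw [][]byte, _ [][]*x509.Certificate) error {
		leaf, err := x509.ParseCertificate(raw[0]) // Go has already refused an absent certificate
		if err != nil {
			return err
		}
		_, err = leaf.Verify(x509.VerifyOptions{Roots: m.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
		if err != nil || !slices.ContainsFunc(leaf.URIs, func(u *url.URL) bool { return slices.Contains(allowed, u.String()) }) {
			return fmt.Errorf("peer %v rejected: chain=%v, allowed=%v", leaf.URIs, err, allowed)
		}
		return nil
	}
}

// StartServer runs an mTLS server as serverID admitting only the listed client IDs; the handler (the app) only runs for proven callers.
func (m *Mesh) StartServer(serverID string, allowedClients ...string) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Caller", r.TLS.PeerCertificates[0].URIs[0].String())
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{m.SVID(serverID)}, MinVersion: tls.VersionTLS13,
		ClientAuth: tls.RequireAnyClientCert, VerifyPeerCertificate: m.verifyPeer(allowedClients...)}
	srv.StartTLS()
	return srv
}

// Call does a GET as the given workload (omit the cert to send none), requiring the server to prove it is expectServer; returns the ID the server saw.
func (m *Mesh) Call(srv *httptest.Server, expectServer string, client ...tls.Certificate) (string, error) {
	cfg := &tls.Config{Certificates: client, InsecureSkipVerify: true, // hostname check replaced by verifyPeer
		VerifyPeerCertificate: m.verifyPeer(expectServer), MinVersion: tls.VersionTLS13}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return resp.Header.Get("X-Caller"), nil
}

func main() {
	m := NewMesh()
	srv := m.StartServer("spiffe://acme.com/billing-service", "spiffe://acme.com/frontend")
	fmt.Println(m.Call(srv, "spiffe://acme.com/billing-service", m.SVID("spiffe://acme.com/frontend"))) // spiffe://acme.com/frontend <nil>
	fmt.Println(m.Call(srv, "spiffe://acme.com/billing-service")) // "" and a TLS handshake error: no client certificate
}
```

Run it with go run; Go 1.21 or newer is assumed for the slices package. Both sides set InsecureSkipVerify, and that deserves a second look: the switch only disables the hostname check, which means nothing for workload identity; chain validation against the mesh CA and the SPIFFE allow list happen in verifyPeer instead. A mistake in that one callback would silently admit everyone, so it is the function to test hardest, which is why the rogue-ID, foreign-CA and impostor-server cases all belong in its tests.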


Part 2: Authorization Physics (JWT Propagation)

Identity is not enough. You need Permission. JSON Web Tokens (JWT) carry the authenticated user’s identity and claims (subject, audience, expiry, roles) across the network, signed by the issuer so that any service can verify them without calling back.

The Physics of Propagation:

  1. User calls Frontend. (Auth: User JWT).
  2. Frontend calls Backend. (Auth: Frontend mTLS + User JWT).
  3. Backend calls Database. (Auth: Backend mTLS).

The “User Context” (Subject) must propagate through the call chain. The Trap: If Frontend drops the User Token and calls Backend on its own workload identity alone, Backend can only authorize “Frontend”, not the user, so every user silently inherits the full privilege of the Frontend service (a confused-deputy privilege escalation). The corollary: a propagated token must be short-lived and audience-restricted, or a compromised intermediate can replay it against any other service.
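The call chain above, as an added worked example in Go (not code from the original lesson): a minimal HS256 JWT signer and verifier, a Forward step that models the Frontend hop either propagating or dropping the user token, and two backends side by side. LegacyBackend authorizes only the calling workload and so exhibits the trap; Backend fails closed unless both the workload and the user check out. The shared signing secret, the SPIFFE IDs, the acme-api audience and the CallerID string (which an mTLS peer certificate would supply in a real mesh) are all assumptions constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// Claims is the subset of registered JWT claims the backend acts on.
type Claims struct {
	Sub string `json:"sub"` // the end user
	Aud string `json:"aud"` // which services may accept the token
	Exp int64  `json:"exp"` // expiry, seconds since the epoch
}

// Mint signs an HS256 JWT. The shared secret is a demo assumption; a real issuer signs with a private key.
func Mint(secret []byte, c Claims) string {
	h, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	p, _ := json.Marshal(c)
	signingInput := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil))
}

// Verify checks alg (exact match only), signature, expiry and audience, in that order.
func Verify(secret []byte, token, wantAud string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "HS256" {
		return c, fmt.Errorf("unsupported alg") // the token never gets to choose the algorithm
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return c, fmt.Errorf("bad signature")
	}
	if pb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return c, fmt.Errorf("bad payload")
	}
	if now.Unix() >= c.Exp {
		return c, fmt.Errorf("token expired")
	}
	if c.Aud != wantAud {
		return c, fmt.Errorf("audience %q is not %q", c.Aud, wantAud)
	}
	return c, nil
}

// Request is what one hop hands the next: the caller's workload identity (a string stands in for what the mTLS peer cert would supply) and the user's token, empty if a hop dropped it.
type Request struct {
	CallerID  string
	UserToken string
}

// Forward models the Frontend hop; propagate=false is the trap from the text.
func Forward(userToken string, propagate bool) Request {
	if !propagate { // the user token is discarded and the call continues on the frontend's identity alone
		userToken = ""
	}
	return Request{CallerID: "spiffe://acme.com/frontend", UserToken: userToken}
}

// LegacyBackend is the trap realised: it authorizes only the calling workload, so anything the frontend forwards runs with the frontend's full authority (a confused deputy).
func LegacyBackend(req Request) (string, error) {
	if req.CallerID != "spiffe://acme.com/frontend" {
		return "", fmt.Errorf("workload %q may not call backend", req.CallerID)
	}
	return "payments for ALL users", nil // no subject: the frontend is effectively root
}

// Backend is the Zero Trust version: the workload AND the user must both check out.
func Backend(secret []byte, req Request, now time.Time) (string, error) {
	if req.CallerID != "spiffe://acme.com/frontend" {
		return "", fmt.Errorf("workload %q may not call backend", req.CallerID)
	}
	c, err := Verify(secret, req.UserToken, "acme-api", now)
	if err != nil {
		return "", fmt.Errorf("no valid user context: %w", err)
	}
	return "payments for " + c.Sub, nil
}

func main() {
	secret, now := []byte("constructed-demo-secret"), time.Now() // shared secret: a demo assumption
	tok := Mint(secret, Claims{Sub: "alice", Aud: "acme-api", Exp: now.Add(5 * time.Minute).Unix()})
	fmt.Println(Backend(secret, Forward(tok, true), now))  // payments for alice <nil>
	fmt.Println(Backend(secret, Forward(tok, false), now)) // "" no valid user context: malformed token
	fmt.Println(LegacyBackend(Forward(tok, false)))        // payments for ALL users <nil>
}
```

Two design points are worth noting. Verify pins the algorithm to HS256 before touching the signature, because letting the token's own header pick the algorithm is the classic JWT verification bug. And the audience check is what makes propagation safe to do at all: a token minted for acme-api is useless against a service that expects a different audience, which bounds what a compromised intermediate can do with the tokens flowing through it.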


Part 3: Blast Radius Physics

Traditional networks are flat. One breach = All Access. Zero Trust is a partitioned graph.

Mathematics of Blast Radius ($R$): $R$ is the number of hosts reachable from a single compromised node. In a flat network of $N$ nodes, $R = N$ (strictly, the $N - 1$ other hosts). In a Zero Trust network partitioned into $S$ segments of size $M$, $R = M$, where $M \ll N$; with equal segments $M = N/S$, so $R$ shrinks in proportion to the number of segments. The practical bound is tighter still: $R$ is the set of services the compromised identity’s policy allows it to reach, not the size of any physical segment.

Implementation policy (OPA/Rego):

# Open Policy Agent (Rego)
package envoy.authz

import rego.v1

# Fail closed: deny unless a rule below proves otherwise.
default allow := false

allow if {
    input.method == "POST"
    input.path == ["/api", "payments"]
    input.user.role == "finance_admin"
    input.device.is_managed == true
}

If allow evaluates to false, Envoy’s ext_authz filter rejects the request at the Sidecar Proxy (HTTP 403 by default) before it ever touches the application.


Practice Exercises

Exercise 1: mTLS Fail (Beginner)

Task: Configure a client to call a server without a Client Certificate. Result: The handshake fails at the TLS layer. The server sends a bad_certificate alert (certificate_required under TLS 1.3), which the client surfaces as an error such as SSL_ERROR_BAD_CERT_ALERT (NSS/Firefox) or “alert bad certificate” (OpenSSL). The application never sees a request, so it writes no log line; the only evidence is the failed handshake in the TLS terminator’s own logs.

Exercise 2: The Sidecar Pattern (Intermediate)

Task: Deploy a service behind an Envoy Proxy sidecar. Action: Block access to /admin in the Envoy config (a route matching the /admin prefix that returns a 403 direct response, or an RBAC filter rule). Result: The application code doesn’t need to know about auth. The infrastructure handles it.

Exercise 3: Blast Radius Calculation (Advanced)

Task: You have 1,000 servers. Scenario A: Flat VLAN. Attacker compromises 1 server and can scan the other 999. Scenario B: Zero Trust (mTLS). Attacker compromises 1 server and can only open connections to the 3 services its identity is allowed to reach. Reduction: $1 - 3/999 \approx 99.7\%$ fewer reachable hosts. Caveat: that 3 is the first hop. The real blast radius is everything reachable by chaining those three services’ own outbound policies, so they must be just as tight.
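Exercise 3 above and the $R = M$ formula in Part 3 both count the first hop from the compromised node. The following added example (Go; not from the original lesson) computes $R$ as the transitive closure of the allow-list graph instead, on a constructed 1,000-node flat network and a constructed segmented policy, so it reproduces the 99.7% figure and shows how a shared downstream service quietly enlarges it. The service names and the policies are assumptions made for the example.

```go
package main

import "fmt"

// Policy is the allow-list graph: Policy[a] lists the services a may open a connection to.
// Anything not listed is denied, which is the Zero Trust default.
type Policy map[string][]string

// Reachable returns every node an attacker holding start can reach by chaining allowed
// connections (the transitive closure of the graph from start), excluding start itself.
func Reachable(p Policy, start string) map[string]bool {
	seen := map[string]bool{start: true}
	queue := []string{start}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for _, next := range p[cur] {
			if !seen[next] {
				seen[next] = true
				queue = append(queue, next)
			}
		}
	}
	delete(seen, start)
	return seen
}

// BlastRadius is R from the text: the number of hosts reachable from one compromised node.
func BlastRadius(p Policy, start string) int { return len(Reachable(p, start)) }

// FirstHop is the figure people usually quote: the size of the node's own allow list.
func FirstHop(p Policy, start string) int { return len(p[start]) }

// Reduction is 1 - R_segmented / R_flat, the quantity Exercise 3 asks for.
func Reduction(flat, segmented int) float64 { return 1 - float64(segmented)/float64(flat) }

// FlatNetwork is the Castle-and-Moat LAN: n nodes, every node may reach every other.
func FlatNetwork(n int) Policy {
	names := make([]string, n)
	for i := range names {
		names[i] = fmt.Sprintf("srv-%d", i)
	}
	p := make(Policy, n)
	for i, a := range names {
		p[a] = append(append([]string{}, names[:i]...), names[i+1:]...)
	}
	return p
}

// SegmentedNetwork is a constructed Zero Trust policy (an assumption, not a real deployment):
// srv-0 may reach exactly three services, but those services have allow lists of their own,
// and an attacker who owns srv-0 inherits the whole chain.
func SegmentedNetwork() Policy {
	return Policy{
		"srv-0":     {"billing", "inventory", "auth"},
		"billing":   {"billing-db"},
		"inventory": {},
		"auth":      {"user-db", "directory"}, // a shared service with a wide reach of its own
		"directory": {"auth"},                 // cycles are fine; the search never revisits a node
	}
}

func main() {
	flat := BlastRadius(FlatNetwork(1000), "srv-0")
	seg := SegmentedNetwork()
	fmt.Printf("flat network:      R = %d\n", flat)                                                              // 999
	fmt.Printf("segmented network: first hop = %d, R = %d\n", FirstHop(seg, "srv-0"), BlastRadius(seg, "srv-0")) // 3, 6
	fmt.Printf("reduction quoted in Exercise 3:      %.1f%%\n", 100*Reduction(flat, FirstHop(seg, "srv-0")))    // 99.7%
	fmt.Printf("reduction an attacker actually gets: %.1f%%\n", 100*Reduction(flat, BlastRadius(seg, "srv-0"))) // 99.4%
}
```

Reachable is a plain breadth-first search, so cycles in the policy graph are handled. The practical lesson is that a micro-segmentation review has to look at the closure, not the per-service allow list: in the constructed policy srv-0 may open exactly three connections, yet an attacker on srv-0 can reach six services, because auth, a shared dependency, is allowed to reach two more.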


Knowledge Check

  1. Why is an IP address not a valid identity?
  2. What does mTLS verify that standard TLS does not?
  3. What is a Sidecar Proxy?
  4. If the User JWT is lost in the middle of a call chain, what happens?
  5. How does Zero Trust stop lateral movement?
Answers
  1. Spoofable & Dynamic. IPs change (cloud, NAT) and packets can be forged; an IP says where a packet claims to come from, not who sent it. Certificates bind identity to a private key.
  2. The Client’s Identity. Standard TLS only verifies the Server; the client is usually authenticated later, at the application layer, with a password or token, if at all.
  3. A helper process (Envoy) that sits beside a service and handles its network traffic, TLS and auth policy on its behalf.
  4. Context Loss. The downstream service doesn’t know who initiated the request, so it must either refuse the call (fail closed) or act on the calling service’s privileges, which is the escalation described in Part 2.
  5. Default Deny. Even if you are on the network, you cannot complete a connection to a service unless the policy for your cryptographic identity allows it.

Summary

  • mTLS: Machines authenticate machines.
  • JWT: The user’s identity and claims travel with the request across machines.
  • Micro-segmentation: Mathematical limit on lateral movement.
