Security: Zero Trust Architecture

[!WARNING] The Old Model: “Hard outer shell, soft gooey center.” (Firewall protects everything). The New Model (Zero Trust): “Trust no one. Authenticate every request.”

In a modern distributed system, the network is hostile. An attacker might be inside your VPC. You must encrypt traffic in transit (TLS) and verify identity for every single call (mTLS/OAuth).

1. TLS 1.3: The Speed of Security

Transport Layer Security (TLS) encrypts data between Client and Server. Old versions (SSL, TLS 1.0, 1.1) are dead. TLS 1.2 is standard. TLS 1.3 is the future.

1.1 Why TLS 1.3?

  1. Faster Handshake: 1-RTT (Round Trip Time) instead of 2-RTT.
    • The client sends its key shares immediately in the first message (“Client Hello”).
  2. Forward Secrecy: If an attacker steals your server’s private key today, they cannot decrypt traffic captured yesterday.
    • Keys are ephemeral (generated per session).
  3. 0-RTT Resumption: If you talked to the server recently, you can send data immediately (0-RTT). Fast, but vulnerable to Replay Attacks.

Interactive Visualizer: TLS 1.3 Handshake

Watch the packets fly. See how the keys are exchanged.

TLS 1.3 Handshake Simulator

Phase: Idle

💻
Client
🔑 Share A
☁️
Server
🔑 Share B
> Ready to connect.

2. mTLS: Zero Trust for Microservices

We trust the server (via its Certificate). But does the server trust the client? In Mutual TLS (mTLS), both sides present a certificate.

  • Service A (Order) has cert_A.
  • Service B (Payment) has cert_B.
  • If Order calls Payment, Payment verifies cert_A.
  • If a Hacker calls Payment (no cert), the connection is dropped at the TCP layer.

[!TIP] Implementation: Use a Service Mesh (Istio/Linkerd). They handle mTLS automatically (sidecar proxy) so your application code doesn’t have to deal with certificates.

3. OAuth 2.0 & OIDC

Authentication (AuthN): “Who are you?” (User ID). Authorization (AuthZ): “What can you do?” (Scopes: read:email, write:order).

3.1 The Analogy: The Valet Key

You give a Valet your car key.

  • Master Key: Can open trunk, glovebox, drive anywhere. (Password)
  • Valet Key: Can only start the engine and drive 5 miles. (Access Token)

OAuth 2.0 issues Valet Keys (Access Tokens). You never give your Master Key (Password) to a 3rd party app.

3.2 The Flows

  1. Authorization Code Flow (For Web Apps):
    • User clicks “Login with Google”.
    • Redirect to Google -> User logs in -> Google returns code.
    • App exchanges code for access_token (Server-to-Server).
    • Secure: The token is never exposed to the browser url.
  2. Client Credentials Flow (For Microservices):
    • Service A sends client_id + client_secret to Auth Server.
    • Auth Server returns access_token.
    • Service A calls Service B with Authorization: Bearer <token>.

3.3 JWT (JSON Web Token)

A Stateless token. It contains the data (Claims) signed by the server.

Structure: Header.Payload.Signature

// Header
{ "alg": "HS256", "typ": "JWT" }

// Payload (Claims)
{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true,
  "exp": 1516239022
}

// Signature
HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret)
  • Pros: No DB lookup needed to verify user.
  • Cons: Hard to revoke (Need specific Deny List or short TTL).

4. Summary

Protocol Purpose Key Feature
TLS 1.3 Encryption in Transit 1-RTT Handshake. Forward Secrecy.
mTLS Service-to-Service Auth Both sides verify certificates. Zero Trust.
OAuth 2.0 Authorization Delegated access (Valet Key).
OIDC Authentication Adds Identity Layer (ID Token) on top of OAuth.
JWT Stateless Token Self-contained. Verify signature to trust data.

Next: Deployment Strategies (Blue/Green & Canary) ->