Zero-Trust Architecture Mastery - Expanded Project Guides
Zero-Trust Architecture Mastery - Expanded Project Guides
Goal: Master Zero-Trust Architecture from first principlesโunderstand why perimeter security failed, how identity-based access works, and build production-grade security components that can protect modern distributed systems from both external attackers and insider threats.
Why Zero Trust Matters: The Death of the Perimeter
In 2009, Chinese hackers breached Googleโs internal network through a targeted phishing attack (Operation Aurora). They moved laterally for months, accessing Gmail accounts of Chinese human rights activists. Googleโs response? Rebuild their entire security architecture from scratch, creating what they called โBeyondCorp.โ
The lesson was clear: being inside the network means nothing. An attacker who compromises a single employee laptop gains access to everything that laptop can reach. Traditional security assumed a hard outer shell (firewall) and soft interior (trusted network). Modern attackers proved this model catastrophically wrong.
Traditional Security Model ("Castle and Moat"):
===============================================
INTERNET (Untrusted)
โ
โโโโโโโโดโโโโโโโ
โ Firewall โ โโโ "If you're past this, you're trusted"
โโโโโโโโฌโโโโโโโ
โ
โโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ CORPORATE NETWORK โ
โ โ
โ โโโโโโโโโโโ โโโโโโโโโโโ โโโโโโโโโโโ โ
โ โ Laptop โ โ Server โ โ Databaseโ โ
โ โโโโโโโโโโโ โโโโโโโโโโโ โโโโโโโโโโโ โ
โ โฒ โฒ โฒ โ
โ โโโโโโโโโโโโโโดโโโโโโโโโโโโโ โ
โ ALL TRUSTED โ
โ (Anyone here can reach anything) โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
PROBLEM: Once an attacker gets past the firewall (phishing,
compromised VPN, malicious insider), they can move ANYWHERE.
Zero Trust Model ("Never Trust, Always Verify"):
===============================================
INTERNET
โ
โ (No inherent trust based on network location)
โ
โโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ ALL NETWORKS โ
โ (Treated as untrusted) โ
โ โ
โ โโโโโโโโโโโ โโโโโโโโโโโ โโโโโโโโโโโ โ
โ โ Laptop โ โ Server โ โ Databaseโ โ
โ โโโโโโฌโโโโโ โโโโโโฌโโโโโ โโโโโโฌโโโโโ โ
โ โ โ โ โ
โ โผ โผ โผ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ POLICY DECISION POINT (PDP) โ โ
โ โ โ โ
โ โ For EVERY request, verify: โ โ
โ โ 1. WHO is requesting? (Identity) โ โ
โ โ 2. WHAT device? (Device health) โ โ
โ โ 3. FROM WHERE? (Context) โ โ
โ โ 4. TO WHAT? (Resource sensitivity) โ โ
โ โ 5. WHY? (Business justification) โ โ
โ โ โ โ
โ โ Only then: ALLOW or DENY โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
RESULT: Even if laptop is compromised, access to database
requires proving identity, device health, and policy approval
FOR EACH REQUEST.
The Financial Reality:
- Average cost of a data breach: $4.45 million (IBM, 2023)
- Average time to identify a breach: 204 days
- Average time to contain a breach: 73 days
- Organizations with Zero Trust architecture: $1.76 million lower breach costs
Zero Trust isnโt just a security improvementโitโs the only architecture that works in a world of:
- Remote work (employees connecting from anywhere)
- Cloud services (no physical perimeter to defend)
- Supply chain attacks (third-party software access)
- Advanced persistent threats (attackers who live in your network for months)
The Five Pillars of Zero Trust Architecture
NIST SP 800-207 defines Zero Trust around five core principles. Every project in this sprint maps to one or more of these pillars:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ THE FIVE PILLARS OF ZERO TRUST โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ 1. IDENTITY 2. DEVICE โ
โ โโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโ โ
โ Who is this user/service? Is this device trusted? โ
โ How strongly authenticated? Is it managed/healthy? โ
โ What groups/roles? What's its security posture? โ
โ โ
โ โ Project 1: Identity Proxy โ Project 5: Device Attestation โ
โ โ Project 6: Continuous Auth โ Project 5: Health Checks โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ 3. NETWORK 4. APPLICATION โ
โ โโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโ โ
โ Micro-segmentation App-level access control โ
โ Encrypted channels API security โ
โ No implicit trust by location Resource protection โ
โ โ
โ โ Project 3: Micro-segmentation โ Project 2: Policy Engine โ
โ โ Project 4: mTLS Mesh โ Project 9: ZTNA Tunnel โ
โ โ Project 7: SDP Controller โ Project 8: JIT Access โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ 5. DATA โ
โ โโโโโโโโโโโโโโโโโ โ
โ Classify sensitive data โ
โ Protect at rest and in transit โ
โ Access based on classification โ
โ โ
โ โ Cross-cutting concern in all projects โ
โ โ Project 10: Capstone integrates all โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Control Plane vs Data Plane: The Core Architectural Split
Every Zero Trust system separates two fundamental concerns:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ CONTROL PLANE vs DATA PLANE โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ CONTROL PLANE DATA PLANE โ
โ (The Brain) (The Enforcer) โ
โ โโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโ โ
โ โ
โ Makes decisions: Enforces decisions: โ
โ - Should this access be allowed? - Permits/denies connections โ
โ - What policy applies? - Routes traffic โ
โ - What level of access? - Logs access โ
โ โ
โ Components: Components: โ
โ โโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ Policy Decision Pointโ โ Policy Enforcement โ โ
โ โ (PDP) โ โ Point (PEP) โ โ
โ โ โ โ โ โ
โ โ - Policy Engine โโโโโโโโโโโโโถโ - Reverse Proxy โ โ
โ โ - Identity Provider โ Decision โ - API Gateway โ โ
โ โ - Risk Engine โ โ - Network Firewall โ โ
โ โ - Context Evaluator โ โ - eBPF filters โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ
โ NEVER in the data path ALWAYS in the data path โ
โ Can be slow (complex logic) Must be fast (every packet) โ
โ Centralized decision making Distributed enforcement โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ Request Flow: โ
โ โ
โ User โโโถ [PEP: "Is this allowed?"] โโโถ [PDP: "Let me check..."] โ
โ โ โ โ
โ โโโโโ "Allow with conditions" โโ โ
โ โ โ
โ โผ โ
โ [PEP enforces: route to resource, log access, apply rate limits] โ
โ โ โ
โ โผ โ
โ Resource (Server, Database, API) โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Why This Separation Matters:
-
Scalability: PEPs are distributed (at every network edge), but they consult a centralized PDP. You can have thousands of PEPs with one PDP.
-
Flexibility: Changing policy in the PDP immediately affects all PEPs. No need to update every firewall rule individually.
-
Security: The PDP never handles actual data traffic. Compromising a PEP doesnโt give you the policy logic.
-
Performance: PEPs cache decisions. Simple requests donโt hit the PDP every time.
Authentication vs Authorization: The Critical Distinction
Many engineers conflate these concepts. In Zero Trust, the distinction is paramount:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ AUTHENTICATION (AuthN) vs AUTHORIZATION (AuthZ) โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ AUTHENTICATION (AuthN) AUTHORIZATION (AuthZ) โ
โ โโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโ โ
โ "WHO are you?" "WHAT can you do?" โ
โ โ
โ Verifies IDENTITY: Grants PERMISSIONS: โ
โ - Username/password - Read file X โ
โ - Certificate - Access API endpoint Y โ
โ - Biometric - Delete database Z โ
โ - MFA token - Admin role on service W โ
โ โ
โ Answers: Answers: โ
โ "Is this really Alice?" "Can Alice do this action?" โ
โ โ
โ Technologies: Technologies: โ
โ - OAuth 2.0 / OpenID Connect - RBAC (Role-Based) โ
โ - SAML - ABAC (Attribute-Based) โ
โ - mTLS certificates - PBAC (Policy-Based) โ
โ - JWT tokens - ReBAC (Relationship-Based) โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ EXAMPLE: โ
โ โ
โ Alice presents JWT token PDP evaluates: โ
โ โ - Alice's role: "engineer" โ
โ โผ - Resource: "production-db" โ
โ [VERIFY SIGNATURE] โโโโโโโถ OK - Action: "DELETE" โ
โ [CHECK EXPIRY] โโโโโโโโโถ OK - Context: "Friday 3pm" โ
โ [VALIDATE CLAIMS] โโโโโโถ OK - Device: "unmanaged laptop" โ
โ โ โ โ
โ โผ โผ โ
โ AuthN PASSED: This is Alice AuthZ DENIED: Engineers cannot โ
โ DELETE production data from โ
โ unmanaged devices โ
โ โ
โ Strong authentication does NOT imply authorization! โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
The Zero Trust Principle: Just because you can prove who you are (AuthN) doesnโt mean you can do what youโre asking (AuthZ). Every request must pass BOTH checks.
RBAC vs ABAC vs PBAC: Choosing Your Authorization Model
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ AUTHORIZATION MODEL COMPARISON โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ RBAC (Role-Based Access Control) โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ
โ Users โโโถ Roles โโโถ Permissions โ
โ โ
โ Alice โโโถ "Engineer" โโโถ [read:code, write:code, read:docs] โ
โ Bob โโโถ "Admin" โโโถ [read:*, write:*, delete:*] โ
โ โ
โ โ Simple to understand โ
โ โ Easy to audit ("who has admin?") โ
โ โ Role explosion in complex orgs โ
โ โ Doesn't handle context (time, location) โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ ABAC (Attribute-Based Access Control) โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ
โ Policy: IF user.department == resource.owner.department โ
โ AND time.hour BETWEEN 9 AND 17 โ
โ AND device.managed == true โ
โ THEN allow โ
โ โ
โ โ Extremely flexible โ
โ โ Handles context naturally โ
โ โ Supports Zero Trust requirements โ
โ โ Complex to write and debug โ
โ โ Harder to audit ("why was this denied?") โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ PBAC (Policy-Based Access Control) โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ
โ Combines RBAC simplicity with ABAC flexibility: โ
โ โ
โ Policy "production-access": โ
โ subjects: โ
โ - role: "engineer" โ
โ - group: "team-platform" โ
โ resources: โ
โ - type: "database" โ
โ environment: "production" โ
โ conditions: โ
โ - device.trust_score >= 80 โ
โ - user.mfa_verified == true โ
โ - time.business_hours == true โ
โ actions: ["read"] โ
โ effect: "allow" โ
โ โ
โ โ Human-readable policies โ
โ โ Composable (combine multiple policies) โ
โ โ Auditable ("show me all production policies") โ
โ โ Zero Trust ready โ
โ โ
โ This is what you'll build in Project 2. โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Lateral Movement: The Attack Youโre Defending Against
Lateral movement is the primary attack pattern in modern breaches. Understanding it is essential:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ ANATOMY OF LATERAL MOVEMENT โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ ATTACK TIMELINE: โ
โ โ
โ Day 1: Initial Compromise โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ Attacker sends phishing email to employee โ โ
โ โ Employee clicks link, malware installed on laptop โ โ
โ โ Attacker now has foothold: Alice's laptop โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ
โ Day 2-30: Reconnaissance โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ From Alice's laptop, attacker: โ โ
โ โ - Scans internal network (what services are reachable?) โ โ
โ โ - Dumps credentials from memory (Mimikatz) โ โ
โ โ - Reads configuration files (passwords, API keys) โ โ
โ โ - Identifies high-value targets (databases, admin systems) โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ
โ Day 31-60: Lateral Movement โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ โ โ
โ โ Alice's โโโถ File โโโถ Domain โโโถ Database โโโถ Crown โ โ
โ โ Laptop Server Controller Server Jewels โ โ
โ โ โ โ โ โ โ โ โ
โ โ โ SSH โ RDP โ SQL โ ??? โ โ โ
โ โ โโโโโโโโโโโโดโโโโโโโโโโโดโโโโโโโโโโโดโโโโโโโโโโโโ โ โ
โ โ โ โ
โ โ Each hop: Use credentials stolen from previous hop โ โ
โ โ Each hop: Gain access to more systems and credentials โ โ
โ โ โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ
โ Day 61+: Data Exfiltration โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ Attacker reaches sensitive database โ โ
โ โ Slowly exfiltrates data to avoid detection โ โ
โ โ Or deploys ransomware for immediate impact โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ HOW ZERO TRUST STOPS THIS: โ
โ โ
โ At EVERY hop, the attacker would need to: โ
โ โ Prove identity (stolen password isn't enoughโneed MFA) โ
โ โ Prove device health (malware-infected laptop fails check) โ
โ โ Match policy (Alice can't access Domain Controller) โ
โ โ Justify access (no legitimate reason for this connection) โ
โ โ
โ RESULT: Attack stops at first hop. Even if Alice's laptop is โ
โ compromised, it can only access what Alice is authorized for, โ
โ from a healthy device, with proper context. โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Key Insight: Traditional security asks โIs this connection from the corporate network?โ Zero Trust asks โIs this specific user, on this specific device, authorized for this specific action, right now?โ The second question stops lateral movement.
Concept Summary Table
| Concept Cluster | What You Need to Internalize |
|---|---|
| Zero Trust Principles | โNever trust, always verifyโ isnโt a sloganโitโs an architectural requirement. Every request is untrusted until proven otherwise. Network location is NOT identity. |
| Control Plane / Data Plane | Separate the brain (policy decisions) from the muscles (enforcement). PDP makes decisions; PEP enforces them. This separation enables scale and flexibility. |
| AuthN vs AuthZ | Authentication proves identity; authorization grants permissions. Strong authentication doesnโt imply any authorization. Both must pass for every request. |
| Identity-Based Security | Replace โyouโre on the VPNโ with โyouโve proven youโre Alice, from a healthy device, for a specific purpose.โ Identity is cryptographically verified. |
| Micro-segmentation | Donโt trust the network. Every host enforces its own policies. East-west traffic is treated like north-south. Use iptables, eBPF, mTLS. |
| Device Trust | A valid user on a compromised device is still a threat. Verify device health: encryption, firewall, patch level, no malware. |
| Continuous Verification | Authentication at login isnโt enough. Continuously monitor behavior, context, and device health. Revoke access when conditions change. |
| Least Privilege | Grant minimum access needed for the task. Time-bound access. Just-in-time provisioning. Never standing privileges. |
| Lateral Movement Defense | Every hop requires re-authentication and re-authorization. Compromise of one system doesnโt give access to others. |
| Policy as Code | Policies are version-controlled, testable, auditable. Not firewall rules scattered across devices. Central policy, distributed enforcement. |
Deep Dive Reading by Concept
This section maps each concept to specific book chapters for deeper understanding. Read these before or alongside the projects to build strong mental models.
Zero Trust Fundamentals (The Philosophy)
| Concept | Book & Chapter |
|---|---|
| Why perimeter security fails | โZero Trust Networksโ by Gilman & Barth โ Ch. 1: โZero Trust Fundamentalsโ |
| NIST Zero Trust definition | NIST SP 800-207 โ Sections 2-3 (free PDF from NIST) |
| Googleโs BeyondCorp | โBeyondCorp: A New Approach to Enterprise Securityโ โ Google Research Papers (free online) |
| The threat landscape | โSecurity in Computing, 5th Editionโ by Pfleeger โ Ch. 1: โIntroduction to Computer Securityโ |
Identity and Authentication
| Concept | Book & Chapter |
|---|---|
| Authentication fundamentals | โSecurity in Computingโ by Pfleeger โ Ch. 3: โAuthenticationโ |
| OAuth 2.0 and OpenID Connect | โOAuth 2 in Actionโ by Richer & Sanso โ Ch. 1-5 |
| JWT tokens in depth | โSerious Cryptography, 2nd Editionโ by Aumasson โ Ch. 14: โAuthenticationโ |
| PKI and certificates | โSerious Cryptographyโ by Aumasson โ Ch. 13: โTLSโ |
| mTLS for service identity | โZero Trust Networksโ by Gilman & Barth โ Ch. 6: โNetwork Securityโ |
Authorization and Policy
| Concept | Book & Chapter |
|---|---|
| RBAC vs ABAC | โSecurity in Computingโ by Pfleeger โ Ch. 4: โAccess Controlโ |
| Policy languages (Rego, Cedar) | โLearning Open Policy Agentโ by Lopes & Russo (for OPA) |
| XACML and policy architecture | NIST SP 800-162 โ Guide to ABAC (free PDF) |
| Policy enforcement patterns | โZero Trust Networksโ by Gilman & Barth โ Ch. 4: โMaking Authorization Decisionsโ |
Network Security and Micro-segmentation
| Concept | Book & Chapter |
|---|---|
| iptables fundamentals | โThe Linux Programming Interfaceโ by Kerrisk โ Appendix on networking |
| eBPF for security | โLearning eBPFโ by Liz Rice โ Ch. 1-6 |
| Network namespaces | โLinux Kernel Networkingโ by Benvenuti โ Ch. 14: โNamespacesโ |
| Service mesh concepts | โIstio in Actionโ by Posta & Maloku โ Ch. 2-3 |
| WireGuard internals | โWireGuard: Next Generation Kernel Network Tunnelโ โ Jason Donenfeldโs whitepaper |
Device Trust and Endpoint Security
| Concept | Book & Chapter |
|---|---|
| Endpoint security architecture | โZero Trust Networksโ by Gilman & Barth โ Ch. 7: โEndpoint Securityโ |
| TPM and hardware attestation | โTCG TPM 2.0 Specificationโ โ Trusted Computing Group (reference) |
| OS security internals | โThe Linux Programming Interfaceโ by Kerrisk โ Ch. 3-4 on permissions |
| macOS security | โmacOS Internalsโ by Jonathan Levin โ Security chapters |
Cryptography Essentials
| Concept | Book & Chapter |
|---|---|
| TLS handshake deep dive | โSerious Cryptography, 2nd Editionโ by Aumasson โ Ch. 13: โTLSโ |
| Public key infrastructure | โSecurity in Computingโ by Pfleeger โ Ch. 7.2: โPKIโ |
| Digital signatures | โSerious Cryptographyโ by Aumasson โ Ch. 12: โRSAโ & Ch. 11: โDigital Signaturesโ |
| Certificate management | โBulletproof SSL and TLSโ by Ristic โ Ch. 4-6 |
Systems Programming for Security
| Concept | Book & Chapter |
|---|---|
| Linux system calls | โThe Linux Programming Interfaceโ by Kerrisk โ Ch. 2-3 |
| Network programming | โTCP/IP Sockets in Cโ by Donahoo & Calvert โ Full book |
| Process and permissions | โThe Linux Programming Interfaceโ by Kerrisk โ Ch. 9: โProcess Credentialsโ |
| Secure coding in C | โEffective Cโ by Seacord โ Ch. 7: โSecurityโ |
Essential Reading Order
For maximum comprehension, read in this order:
- Foundation (Week 1):
- Zero Trust Networks Ch. 1-3 (fundamentals)
- Security in Computing Ch. 3-4 (AuthN/AuthZ)
- NIST SP 800-207 Sections 2-3 (definitions)
- Identity & Crypto (Week 2):
- Serious Cryptography Ch. 11-13 (signatures, TLS)
- Zero Trust Networks Ch. 6 (network security)
- Systems (Week 3):
- The Linux Programming Interface Ch. 2-4, 9 (system programming)
- Zero Trust Networks Ch. 7 (endpoints)
- Advanced (Weeks 4+):
- Learning eBPF (for Project 3)
- Zero Trust Networks Ch. 4-5 (policy decisions)
- Google BeyondCorp papers (real-world implementation)
What Youโll Learn
By completing these projects, you will:
- Internalize the Control Plane vs Data Plane separation - The foundation of all modern security architecture
- Master Identity-based security over obsolete Network-based security
- Implement Least Privilege at the packet level using iptables, eBPF, and mTLS
- Build systems that resist Lateral Movement - The #1 attack pattern in modern breaches
- Create a portfolio demonstrating expert-level security engineering
Project Index
| # | Project | Difficulty | Time | Key Skills |
|---|---|---|---|---|
| 1 | Identity-Aware Reverse Proxy | Intermediate | Weekend | Go, HTTP, JWT, OAuth2 |
| 2 | Policy Decision Engine | Advanced | 1-2 Weeks | Rust/Go, ABAC, Rule Engines |
| 3 | Host-Level Micro-segmentation | Expert | 2 Weeks | C, iptables, eBPF |
| 4 | Mutual TLS Mesh | Advanced | 1 Week | Go, PKI, X.509, SPIFFE |
| 5 | Device Trust & Health Attestation | Intermediate | Weekend | Go/Python, OS APIs, TPM |
| 6 | Continuous Authentication Monitor | Expert | 2 Weeks | Python, UEBA, Analytics |
| 7 | Software Defined Perimeter Controller | Master | 1 Month | Go, WireGuard, SPA |
| 8 | Just-In-Time Access Broker | Advanced | 1 Week | Go, SQL, Credential Mgmt |
| 9 | ZTNA App Tunnel | Expert | 2 Weeks | Rust, SOCKS5, mTLS |
| 10 | The Secure Enclave (Capstone) | Master | 2 Weeks | All Previous |
Recommended Learning Paths
Path 1: Security Professional (Recommended)
Best for: Those with networking/security background
Project 1 โ Project 2 โ Project 5 โ Project 6 โ Advanced (7, 8, 9)
Path 2: Systems Programmer
Best for: Linux/C enthusiasts
Project 3 โ Project 7 โ Project 4 โ Projects 1, 2, 5, 6
Path 3: Application Developer
Best for: Backend developers transitioning to security
Project 1 โ Project 8 โ Project 9 โ Projects 2, 4, 5, 6
Path 4: The Completionist
Best for: Building a complete Zero Trust lab
Phase 1 (Weeks 1-2): Projects 1, 2
Phase 2 (Weeks 3-4): Projects 3, 4
Phase 3 (Weeks 5-6): Projects 5, 6
Phase 4 (Weeks 7-10): Projects 7, 8, 9
Phase 5 (Week 11): Project 10 (Capstone)
Prerequisites
Before starting, ensure you have:
Required Skills
- Proficiency in Go, Python, Rust, or C
- Understanding of HTTP/REST APIs
- Basic networking (TCP/IP, HTTP/HTTPS, DNS)
- Linux terminal proficiency
- Security basics (Authentication vs Authorization)
Required Tools
- Linux machine (Ubuntu 22.04 or Debian 12 recommended)
- Programming language runtime (Go 1.21+, Python 3.11+, or Rust 1.70+)
openssl,curl,docker
Self-Assessment
Youโre ready if you can answer โyesโ to:
- Can you write a simple HTTP server in your chosen language?
- Do you know what happens when you type a URL in your browser?
- Can you explain the difference between a password and a cryptographic key?
How Each Guide is Structured
Every expanded project guide contains:
- Learning Objectives - What youโll master
- Deep Theoretical Foundation - Comprehensive concept education
- Complete Project Specification - What youโre building
- Solution Architecture - Design guidance without implementation
- Phased Implementation Guide - Structured approach to building
- Testing Strategy - How to verify your implementation
- Common Pitfalls - Mistakes to avoid
- Extensions & Challenges - Ways to deepen your learning
- Real-World Connections - How this applies in production
- Self-Assessment Checklist - Verify your understanding
Additional Resources
Standards & Specifications
- NIST SP 800-207: Zero Trust Architecture
- CISA Zero Trust Maturity Model
- CSA Software-Defined Perimeter Specification v2.0
Core Books
- โZero Trust Networksโ by Evan Gilman and Doug Barth
- โSecurity in Computingโ by Charles Pfleeger
- โThe Linux Programming Interfaceโ by Michael Kerrisk
- โSerious Cryptography, 2nd Editionโ by Jean-Philippe Aumasson
Get Started
Begin with Project 1: Identity-Aware Reverse Proxy for the recommended path, or choose based on your background using the learning paths above.
Remember: Zero Trust is not a product you buyโitโs an architecture you build. These projects will give you the skills to build it from first principles.