Zero Trust Architecture 2025
"Never Trust, Always Verify" - Geleneksel perimeter-based güvenlik modeli artık yetersiz. Zero Trust Architecture (ZTA) geleceğin güvenlik modeli.
Zero Trust Nedir?
Traditional Security:
Internet ─→ Firewall ─→ [Trusted Internal Network]
└─ Servers, Users, Data
Problem: Perimeter'i geçen her şey güvenilir kabul edilir.
Zero Trust:
Internet ─→ Identity Verification ─→ Device Check ─→
Context Analysis ─→ Least Privilege Access ─→ Resource
Principle: Hiçbir şeye varsayılan olarak güvenme.
Core Principles
1. Verify Explicitly
Every access request must be:
✓ Authenticated (Who?)
✓ Authorized (What can they do?)
✓ Encrypted (Secure channel?)
✓ Inspected (Threat check?)
2. Least Privilege Access
User permissions:
❌ Full admin access
✅ Just enough for the task
✅ Time-limited
✅ Context-aware
3. Assume Breach
Design as if:
• Attackers are already inside
• Every network is hostile
• Continuous monitoring required
Zero Trust Components
┌─────────────────────────────────────────┐
│ 1. Identity & Access Management (IAM) │
│ - Multi-factor authentication │
│ - Conditional access policies │
│ - Privileged access management │
├─────────────────────────────────────────┤
│ 2. Device Security │
│ - Endpoint detection (EDR) │
│ - Device compliance check │
│ - Mobile device management (MDM) │
├─────────────────────────────────────────┤
│ 3. Network Segmentation │
│ - Micro-segmentation │
│ - Software-defined perimeter (SDP) │
│ - Zero Trust Network Access (ZTNA) │
├─────────────────────────────────────────┤
│ 4. Data Protection │
│ - Encryption (rest & transit) │
│ - Data loss prevention (DLP) │
│ - Information rights management │
├─────────────────────────────────────────┤
│ 5. Threat Protection │
│ - SIEM/SOAR │
│ - Threat intelligence │
│ - Behavioral analytics (UEBA) │
└─────────────────────────────────────────┘
Implementation
Phase 1: Visibility
# Asset discovery
import nmap
import socket
def discover_assets(network):
nm = nmap.PortScanner()
nm.scan(hosts=network, arguments='-sn')
assets = []
for host in nm.all_hosts():
asset = {
'ip': host,
'hostname': socket.getfqdn(host),
'status': nm[host].state(),
'last_seen': datetime.now()
}
assets.append(asset)
return assets
# User activity monitoring
def monitor_user_activity(user_id):
activities = db.query("""
SELECT
timestamp,
action,
resource,
location,
device
FROM user_activities
WHERE user_id = %s
ORDER BY timestamp DESC
LIMIT 100
""", user_id)
# Detect anomalies
anomalies = detect_anomalies(activities)
if anomalies:
alert_security_team(user_id, anomalies)
Phase 2: Micro-segmentation
# Kubernetes Network Policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: db-access-policy
namespace: production
spec:
podSelector:
matchLabels:
app: database
policyTypes:
- Ingress
- Egress
ingress:
# Only allow API server
- from:
- podSelector:
matchLabels:
app: api-server
ports:
- protocol: TCP
port: 5432
egress:
# Block all outbound
- to:
- podSelector:
matchLabels:
app: backup-service
Phase 3: Conditional Access
// Microsoft Azure AD Conditional Access
const policy = {
displayName: "Require MFA for admins",
state: "enabled",
conditions: {
users: {
includeRoles: [
"62e90394-69f5-4237-9190-012177145e10" // Global Admin
]
},
applications: {
includeApplications: ["All"]
},
locations: {
excludeLocations: ["AllTrusted"] // Office network
},
deviceStates: {
includeStates: ["All"],
excludeStates: ["Compliant", "DomainJoined"]
}
},
grantControls: {
operator: "AND",
builtInControls: [
"mfa", // Multi-factor auth
"compliantDevice" // Device compliance
]
},
sessionControls: {
signInFrequency: {
value: 1,
type: "hours"
}
}
};
Phase 4: Continuous Verification
# Risk-based authentication
def evaluate_access_request(request):
risk_score = 0
# 1. User behavior analysis
if is_unusual_location(request.user, request.location):
risk_score += 30
if is_unusual_time(request.user, request.timestamp):
risk_score += 20
# 2. Device posture check
if not is_device_compliant(request.device_id):
risk_score += 40
if not is_device_encrypted(request.device_id):
risk_score += 30
# 3. Resource sensitivity
resource_sensitivity = get_resource_sensitivity(request.resource)
risk_score += resource_sensitivity * 0.5
# 4. Threat intelligence
if is_ip_suspicious(request.ip):
risk_score += 50
# Decision
if risk_score < 30:
return "ALLOW"
elif risk_score < 70:
return "MFA_REQUIRED"
else:
return "DENY"
# Usage
decision = evaluate_access_request(request)
if decision == "ALLOW":
grant_access(request)
elif decision == "MFA_REQUIRED":
require_mfa(request)
else:
deny_access(request)
alert_security_team(request)
Zero Trust Network Access (ZTNA)
# Cloudflare Access policy
policies:
- name: "Production Database"
decision: allow
include:
- email_domain:
domain: company.com
- group:
id: "dba-team"
require:
- mfa: true
- country:
country_code: ["US", "GB"]
exclude:
- email:
email: contractor@external.com
application:
domain: db.company.internal
session_duration: 4h
purpose_justification:
required: true
prompt: "Why do you need database access?"
Software Defined Perimeter (SDP)
# SDP Controller
class SDPController:
def authenticate_client(self, client_id, credentials):
# 1. Verify identity
user = self.iam.verify_credentials(credentials)
if not user:
return None
# 2. Check device posture
device = self.device_manager.get_device(client_id)
if not device.is_compliant():
return None
# 3. Evaluate context
risk = self.risk_engine.evaluate(user, device)
if risk > THRESHOLD:
return None
# 4. Generate SPA packet
spa_packet = self.generate_spa_packet(user, device)
return spa_packet
def generate_spa_packet(self, user, device):
# Single Packet Authorization
return {
'user_id': user.id,
'device_id': device.id,
'timestamp': time.time(),
'authorized_services': user.get_authorized_services(),
'ttl': 3600, # 1 hour
'signature': self.sign(user, device)
}
Monitoring & Analytics
-- User and Entity Behavior Analytics (UEBA)
WITH user_baseline AS (
SELECT
user_id,
AVG(login_count) as avg_logins,
STDDEV(login_count) as stddev_logins,
AVG(data_download_mb) as avg_download,
STDDEV(data_download_mb) as stddev_download
FROM daily_user_activity
WHERE date >= CURRENT_DATE - INTERVAL '30 days'
GROUP BY user_id
),
today_activity AS (
SELECT
user_id,
COUNT(*) as login_count,
SUM(data_download_mb) as data_download_mb
FROM user_activities
WHERE date = CURRENT_DATE
GROUP BY user_id
)
-- Detect anomalies (> 3 standard deviations)
SELECT
t.user_id,
t.login_count,
b.avg_logins,
(t.login_count - b.avg_logins) / b.stddev_logins as login_z_score,
t.data_download_mb,
b.avg_download,
(t.data_download_mb - b.avg_download) / b.stddev_download as download_z_score
FROM today_activity t
JOIN user_baseline b ON t.user_id = b.user_id
WHERE
ABS((t.login_count - b.avg_logins) / b.stddev_logins) > 3
OR ABS((t.data_download_mb - b.avg_download) / b.stddev_download) > 3;
Migration Roadmap
Month 1-2: Assessment
- Inventory assets
- Map data flows
- Identify critical systems
Month 3-4: Quick Wins
- Enable MFA everywhere
- Implement least privilege
- Deploy EDR
Month 5-8: Core Implementation
- Micro-segmentation
- ZTNA deployment
- SIEM/SOAR integration
Month 9-12: Advanced
- UEBA implementation
- Automated response
- Continuous optimization
ROI & Benefits
Security Benefits:
- 70% reduction in breach impact
- 60% faster threat detection
- 50% reduction in lateral movement
Business Benefits:
- Support remote work
- Faster onboarding
- Compliance (GDPR, SOC 2)
Cost Savings:
- Reduce VPN infrastructure
- Lower insurance premiums
- Avoid breach costs ($4.45M average)
Zero Trust implementation: iletisim@cesayazilim.com 🛡️
