Module 5 of 16

Zero Trust Security Fundamentals

Identity-based security, mTLS, trust domains, and microsegmentation for cloud-native systems

3 hours · 2 labs · Free

Start here

Learning objectives

  • Understand Zero Trust principles for cloud-native systems
  • Implement mutual TLS between services
  • Design trust domains and microsegmentation
  • Plan east-west security for Kubernetes clusters

Before

  • Trust the network
  • Unencrypted east-west traffic
  • IP-based access control
  • Perimeter-only security
  • Implicit trust inside the cluster

After

  • Verify every request
  • mTLS on all connections
  • Identity-based policies
  • Defense in depth everywhere
  • Cryptographic proof of identity
[Diagram: Zero Trust: every request verified. Service A, Service B and Service C, with each connection marked "mTLS verified". Zero Trust Verification Stack: 1. Identity (who is this service?); 2. Authentication (prove it cryptographically); 3. Encryption (mTLS for every connection); 4. Authorization (policy says: allowed?). Every request goes through all four layers. No exceptions. No implicit trust.]

Zero Trust is not a product. It is an architecture principle: never trust, always verify. Every request — regardless of where it comes from — must be authenticated, encrypted, and authorized before it is processed.

Zero Trust Principles for Cloud Native

  1. Identity is the new perimeter: Cryptographic workload identity replaces network location
  2. Encrypt everything: mTLS for all service-to-service communication
  3. Verify continuously: Not just at connection establishment — on every request
  4. Least privilege: Services access only what they need, verified by policy
  5. Assume breach: Design so a compromised service cannot access everything

Mutual TLS (mTLS)

In ordinary TLS only the server presents a certificate, so only the server is authenticated. mTLS authenticates both sides: the client also presents a certificate proving its identity, and the server verifies it before accepting the connection. This is the transport-layer foundation of zero trust.

Microsegmentation

Instead of one large trusted network, microsegmentation creates fine-grained security boundaries around individual services or groups of services. Combined with identity-based policies, it limits the blast radius of any breach to the compromised segment.

East-West Security

North-south traffic (external to cluster) gets security attention by default — load balancers, WAFs, API gateways. East-west traffic (service to service inside the cluster) is often unencrypted and unauthenticated. Zero trust means east-west traffic gets the same security treatment as north-south.

Real world

Where this shows up

  • mTLS between all production services
  • Microsegmentation for PCI-DSS compliance
  • East-west encryption in financial services
  • Zero trust architecture for healthcare data

Common mistakes

What usually breaks

  • Thinking NetworkPolicies alone = zero trust (they do not encrypt or authenticate)
  • Implementing mTLS but not authorization (authenticated does not mean authorized)
  • Deploying zero trust for external traffic only, ignoring east-west
  • Using long-lived certificates instead of short-lived automatically rotated ones

Key terms

Vocabulary used in this module

mTLS

Mutual TLS — both client and server present certificates and verify each other's

Microsegmentation

Fine-grained network boundaries around individual services

East-West Traffic

Service-to-service communication inside the cluster

North-South Traffic

External traffic entering/leaving the cluster

Zero Trust

Security model: never trust, always verify, regardless of source

Labs

Hands-on labs

30 min · Intermediate

Implement mTLS Between Services

Set up manual mTLS between two services to understand the fundamentals.

  1. Generate CA and service certificates with OpenSSL
  2. Configure two services to require client certificates
  3. Verify mutual authentication succeeds
  4. Test that connections without certificates are rejected
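The four lab steps above, worked end to end as an added Go example that is not the lab's own code. Instead of the OpenSSL command line it uses Go's crypto/x509 to act as the CA, serves service-b on a loopback httptest server and dials it as a client. Everything named here is constructed for the example: the trust domain example.internal, the SPIFFE-style URI SANs that carry each workload's identity, and the handler's allow list that stands in for a real policy engine. It also covers the "authenticated does not mean authorized" mistake from the list above: a caller with a valid certificate but an unlisted identity passes the TLS handshake and still gets a 403.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// issue is lab step 1: with an empty ca it mints a self-signed CA for one trust domain,
// otherwise a short-lived workload certificate signed by ca. The workload identity is a
// SPIFFE-style URI SAN, an assumption of this example rather than something the lab fixes.
func issue(ca tls.Certificate, name string, serial int64) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: time.Now().Add(-time.Minute)}
	parent, signer := tmpl, any(key) // self-signed unless a CA is given
	if ca.Leaf == nil {
		tmpl.Subject, tmpl.IsCA, tmpl.BasicConstraintsValid = pkix.Name{CommonName: name}, true, true
		tmpl.KeyUsage, tmpl.NotAfter = x509.KeyUsageCertSign, time.Now().Add(time.Hour)
	} else {
		uri, _ := url.Parse(name)
		tmpl.URIs, tmpl.NotAfter = []*url.URL{uri}, time.Now().Add(10*time.Minute) // short-lived: rotate, never hand-renew
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.IPAddresses = []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")} // only so the server cert validates on loopback
		parent, signer = ca.Leaf, ca.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // freshly encoded, so it parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// startServer is lab step 2 for service-b: the handshake demands a client certificate chaining
// to ca (authentication); the handler then checks the caller's identity against an allow list
// (authorization). Authenticated is not the same as authorized.
func startServer(ca, self tls.Certificate, allowed map[string]bool) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		uris := r.TLS.PeerCertificates[0].URIs // a verified peer certificate is guaranteed here
		if len(uris) == 0 || !allowed[uris[0].String()] {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		fmt.Fprintf(w, "hello %s", uris[0])
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{self}, MinVersion: tls.VersionTLS13,
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: x509.NewCertPool()}
	srv.TLS.ClientCAs.AddCert(ca.Leaf) // trust exactly one CA: this trust domain's anchor
	srv.StartTLS()
	return srv
}

// call is lab steps 3 and 4: dial as a client; a nil self presents no certificate at all.
func call(srv *httptest.Server, ca tls.Certificate, self *tls.Certificate) (int, error) {
	cfg := &tls.Config{RootCAs: x509.NewCertPool(), MinVersion: tls.VersionTLS13}
	cfg.RootCAs.AddCert(ca.Leaf)
	if self != nil {
		cfg.Certificates = []tls.Certificate{*self}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(srv.URL + "/orders")
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// runScenarios reports how service-b treats four callers (every name below is constructed).
func runScenarios() map[string]string {
	ca := issue(tls.Certificate{}, "example trust domain CA", 1)
	srv := startServer(ca, issue(ca, "spiffe://example.internal/service-b", 2),
		map[string]bool{"spiffe://example.internal/service-a": true})
	defer srv.Close()
	a, c := issue(ca, "spiffe://example.internal/service-a", 3), issue(ca, "spiffe://example.internal/service-c", 4)
	rogue := issue(issue(tls.Certificate{}, "rogue CA", 1), "spiffe://example.internal/service-a", 5) // right name, wrong trust domain
	out := map[string]string{}
	for name, id := range map[string]*tls.Certificate{"allowed identity": &a, "denied identity": &c, "untrusted CA": &rogue, "no certificate": nil} {
		if status, err := call(srv, ca, id); err != nil {
			out[name] = "rejected in TLS handshake"
		} else {
			out[name] = fmt.Sprintf("HTTP %d", status)
		}
	}
	return out
}

func main() { fmt.Println(runScenarios()) }
```

Run it with go run; the two handshake rejections are also logged by the HTTP server on stderr. The caller with the right name but a certificate from the other CA is rejected before any application code runs, which is what a trust domain boundary means in practice, while the authorization decision for service-c is taken only after its identity has been cryptographically verified.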
35 min · Intermediate

Simulate Zero Trust Networking

Compare flat network vs microsegmented zero trust architecture.

  1. Deploy services on a flat network — observe unrestricted access
  2. Add NetworkPolicies for microsegmentation
  3. Add mTLS for encryption and authentication
  4. Document the security improvement at each layer
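The flat-network versus microsegmented comparison this lab makes, together with the identity-versus-IP point from the principles and microsegmentation sections above, reduced to a policy simulation. This is an added Go example, not the lab's code or a real enforcement point: it models only the authorization decision, not NetworkPolicies or mTLS, and the SPIFFE-style identities, pod IPs and service names are all constructed. It measures blast radius as the number of other services a compromised workload can still reach, and shows the failure mode of IP-based rules when a rescheduled pod's address is picked up by an unrelated workload.

```go
package main

import "fmt"

// Workload is a running service instance as a policy engine sees it: the identity its
// mTLS certificate carries (SPIFFE-style URIs, an assumption of this example) and the
// pod IP it happens to hold right now.
type Workload struct {
	Identity string
	IP       string
}

// Policy answers the authorization question for one east-west request.
type Policy interface{ Allows(src, dst Workload) bool }

// FlatNetwork is the "before" state: inside the cluster, everything reaches everything.
type FlatNetwork struct{}

func (FlatNetwork) Allows(src, dst Workload) bool { return true }

// IPPolicy is IP-based access control: destination identity -> source IPs it trusts.
type IPPolicy map[string][]string

func (p IPPolicy) Allows(src, dst Workload) bool {
	for _, ip := range p[dst.Identity] {
		if ip == src.IP {
			return true
		}
	}
	return false
}

// Rule grants one source identity access to one destination identity.
type Rule struct{ From, To string }

// IdentityPolicy is microsegmentation keyed on who the caller is, not where it is.
// Anything without an explicit rule is denied: there is no implicit in-cluster trust.
type IdentityPolicy []Rule

func (p IdentityPolicy) Allows(src, dst Workload) bool {
	for _, r := range p {
		if r.From == src.Identity && r.To == dst.Identity {
			return true
		}
	}
	return false
}

// BlastRadius lists the other services a compromised src could still reach under p.
func BlastRadius(p Policy, src Workload, all []Workload) []string {
	var reach []string
	for _, dst := range all {
		if dst.Identity != src.Identity && p.Allows(src, dst) {
			reach = append(reach, dst.Identity)
		}
	}
	return reach
}

// Verdicts collects the comparison the lab asks for.
type Verdicts struct {
	FlatReach, SegmentedReach                             []string
	IPPolicyTrustsReusedIP, IdentityPolicyTrustsReusedIP bool
}

// Demo runs a constructed fleet: payments legitimately needs ledger and nothing else.
func Demo() Verdicts {
	payments := Workload{"spiffe://example.internal/payments", "10.0.1.5"}
	ledger := Workload{"spiffe://example.internal/ledger", "10.0.1.6"}
	all := []Workload{payments, ledger,
		{"spiffe://example.internal/reports", "10.0.1.7"}, {"spiffe://example.internal/admin", "10.0.1.8"}}
	byIdentity := IdentityPolicy{{payments.Identity, ledger.Identity}}
	byIP := IPPolicy{ledger.Identity: {payments.IP}}

	// The payments pod is rescheduled and an unrelated batch job inherits its old address.
	batch := Workload{"spiffe://example.internal/batch-job", "10.0.1.5"}

	return Verdicts{
		FlatReach:                    BlastRadius(FlatNetwork{}, payments, all), // every other service
		SegmentedReach:               BlastRadius(byIdentity, payments, all),   // ledger only
		IPPolicyTrustsReusedIP:       byIP.Allows(batch, ledger),               // true: the address is trusted
		IdentityPolicyTrustsReusedIP: byIdentity.Allows(batch, ledger),         // false: the identity is not
	}
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

The numbers are the "security improvement at each layer" the lab asks you to document: on the flat network a compromised payments service reaches all three other services, under the identity policy it reaches one. The reused-address case is why the Before list's "IP-based access control" is replaced by identity: the IP rule keeps granting access to whatever now owns 10.0.1.5, while the identity rule fails closed because the batch job cannot present payments' certificate.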

Recap

Key takeaways

  • Zero Trust = never trust, always verify, regardless of network location
  • mTLS authenticates both client and server — the transport layer of zero trust
  • Microsegmentation limits blast radius by creating fine-grained security boundaries
  • East-west traffic needs the same security as north-south traffic
  • Identity + encryption + authorization = the three layers of zero trust
