
Module 5: Zero Trust Security Fundamentals Slides

Slide walkthrough for Module 5 of Cloud Native Security Engineering: Securing Kubernetes, Workloads, APIs & Zero Trust Systems: Identity-based security,...

This slide page is the visual review companion for the full course module. Use it to recap the architecture, examples, exercises, production warnings, and takeaways after reading the lesson.

Slide Outline

  1. Zero Trust Security Fundamentals - Identity-based security, mTLS, trust domains, and microsegmentation for cloud-native systems
  2. Learning Objectives - 4 outcomes for this module
  3. Why This Module Matters - Zero Trust is not optional for production Kubernetes. Without it, a single compromised pod can access every service in the cluster
  4. Before vs After - The operational shift this module teaches
  5. Zero Trust Principles for Cloud Native - Lesson section from the full module
  6. Mutual TLS (mTLS) - Lesson section from the full module
  7. Microsegmentation - Lesson section from the full module
  8. East-West Security - Lesson section from the full module
  9. Real-World Use Cases - mTLS between all production services, Microsegmentation for PCI-DSS compliance
  10. Common Mistakes to Avoid - 4 mistakes covered
  11. Hands-On Labs - 2 hands-on labs
  12. Key Takeaways - 5 points to remember

Learning Objectives

  • Understand Zero Trust principles for cloud-native systems
  • Implement mutual TLS between services
  • Design trust domains and microsegmentation
  • Plan east-west security for Kubernetes clusters

Why This Module Matters

Zero Trust is not optional for production Kubernetes. Without it, a single compromised pod can access every service in the cluster. With it, compromise is contained and detected. This module gives you the conceptual foundation that SPIFFE, Envoy, and OPA implement in later modules.

Common Mistakes

  • Thinking NetworkPolicies alone = zero trust (they do not encrypt or authenticate)
  • Implementing mTLS but not authorization (authenticated does not mean authorized)
  • Deploying zero trust for external traffic only, ignoring east-west
  • Using long-lived certificates instead of short-lived automatically rotated ones

Key Takeaways

  • Zero Trust = never trust, always verify, regardless of network location
  • mTLS authenticates both client and server — the transport layer of zero trust
  • Microsegmentation limits blast radius by creating fine-grained security boundaries
  • East-west traffic needs the same security as north-south traffic
  • Identity + encryption + authorization = the three layers of zero trust

Hands-On Labs

  1. Implement mTLS Between Services

    Set up manual mTLS between two services to understand the fundamentals.

    30 min - Intermediate

    • Generate CA and service certificates with OpenSSL
    • Configure two services to require client certificates
    • Verify mutual authentication succeeds
    • Test that connections without certificates are rejected

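    The four steps of this lab, and the second and fourth items under Common Mistakes (authenticated is not authorized; short-lived certificates), as an added Go example. It is not part of the course's lab files: it replaces the OpenSSL commands with an in-memory CA built from the Go standard library, and the trust domain spiffe://lab.local, the other-domain CA and the workload IDs under it are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"time"
)

// must keeps the in-memory certificate setup short; a real issuer returns every error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mint stands in for the lab's OpenSSL steps: with parent == nil it makes a self-signed trust-domain CA,
// otherwise a short-lived workload certificate signed by parent; name becomes the SPIFFE-style URI SAN.
func mint(name string, usage x509.ExtKeyUsage, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(10 * time.Minute), // short-lived: rotated automatically, never hand-renewed
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{usage},
		URIs:         []*url.URL{must(url.Parse(name))},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // lets the client verify the loopback server
	}
	if parent == nil { // a CA: self-signed and allowed to sign workload certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// config is what both sides share: the trust bundle, TLS 1.3 only, and their own identity if they have one.
func config(ca *tls.Certificate, own ...tls.Certificate) *tls.Config {
	bundle := x509.NewCertPool()
	bundle.AddCert(ca.Leaf)
	return &tls.Config{Certificates: own, RootCAs: bundle, ClientCAs: bundle, MinVersion: tls.VersionTLS13}
}

// serve requires a client certificate chaining to ca, then authorizes the SPIFFE ID it carries.
func serve(server tls.Certificate, ca *tls.Certificate, allowed map[string]bool) string {
	cfg := config(ca, server)
	cfg.ClientAuth = tls.RequireAndVerifyClientCert // no certificate, or one from another CA, fails here
	cfg.VerifyPeerCertificate = func(_ [][]byte, chains [][]*x509.Certificate) error {
		if ids := chains[0][0].URIs; len(ids) == 1 && allowed[ids[0].String()] {
			return nil
		}
		return errors.New("client authenticated but not authorized for this service")
	}
	ln := must(tls.Listen("tcp", "127.0.0.1:0", cfg))
	go func() { // Write runs the handshake, so a rejected peer never receives a byte
		for conn, err := ln.Accept(); err == nil; conn, err = ln.Accept() {
			conn.Write([]byte("hello\n"))
			conn.Close()
		}
	}()
	return ln.Addr().String()
}

// call dials as a workload; passing no client certificate models a pod with no identity at all.
func call(addr string, ca *tls.Certificate, client ...tls.Certificate) error {
	conn, err := tls.Dial("tcp", addr, config(ca, client...))
	if err == nil { // under TLS 1.3 the server's verdict arrives on the first Read, not on Dial
		defer conn.Close()
		_, err = conn.Read(make([]byte, 16))
	}
	return err
}

// runScenario performs the lab's checks; every value is true when the server behaves as zero trust demands.
func runScenario() map[string]bool {
	const checkout = "spiffe://lab.local/ns/prod/sa/checkout" // constructed IDs, not the course's lab files
	trust, other := mint("spiffe://lab.local", x509.ExtKeyUsageAny, nil), mint("spiffe://other.example", x509.ExtKeyUsageAny, nil)
	addr := serve(mint("spiffe://lab.local/ns/prod/sa/payments", x509.ExtKeyUsageServerAuth, &trust), &trust, map[string]bool{checkout: true})
	return map[string]bool{
		"valid identity accepted":  call(addr, &trust, mint(checkout, x509.ExtKeyUsageClientAuth, &trust)) == nil,
		"no certificate rejected":  call(addr, &trust) != nil,
		"foreign CA rejected":      call(addr, &trust, mint(checkout, x509.ExtKeyUsageClientAuth, &other)) != nil,
		"unauthorized ID rejected": call(addr, &trust, mint("spiffe://lab.local/ns/dev/sa/debug", x509.ExtKeyUsageClientAuth, &trust)) != nil,
	}
}

func main() { fmt.Println(runScenario()) }
```

    Running it with `go run` prints four checks, all true. The first two are the lab's own steps (mutual authentication succeeds; a connection without a certificate is rejected). The third shows what a trust domain means: the same SPIFFE ID signed by a different CA is refused, so identity is only as strong as the bundle the server trusts. The fourth is the authorization layer from the Common Mistakes list: a certificate that chains correctly but names a workload outside the allow list still fails, which is the check NetworkPolicies and mTLS on their own never perform.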

  2. Simulate Zero Trust Networking

    Compare flat network vs microsegmented zero trust architecture.

    35 min - Intermediate

    • Deploy services on a flat network — observe unrestricted access
    • Add NetworkPolicies for microsegmentation
    • Add mTLS for encryption and authentication
    • Document the security improvement at each layer

