Day 94 - Zero Trust Security in Multi-Cloud Environments#

As organizations embrace multi-cloud strategies, traditional perimeter-based security models become obsolete. Zero Trust architecture, with its “never trust, always verify” principle, provides the framework needed to secure modern distributed infrastructure. Today, we’ll implement Zero Trust security across AWS, Azure, and GCP.

Understanding Zero Trust in Multi-Cloud#

Zero Trust eliminates the concept of trusted networks, devices, or users. In a multi-cloud environment, this means:

No implicit trust based on network location
Continuous verification of every transaction
Least-privilege access enforcement
Assume breach mindset
Microsegmentation across cloud boundaries

Core Components of Multi-Cloud Zero Trust#

1. Identity as the New Perimeter#

Identity becomes the primary security perimeter in Zero Trust architecture.

Unified Identity Management Across Clouds#

1
# Multi-Cloud Identity Federation with Python
2
import boto3
3
from azure.identity import DefaultAzureCredential
4
from google.cloud import iam
5
from google.oauth2 import service_account
6
import jwt
7
import json
8
from datetime import datetime, timedelta
9

10
class MultiCloudIdentityManager:
11
    def __init__(self):
12
        # AWS
13
        self.aws_sts = boto3.client('sts')
14
        self.aws_iam = boto3.client('iam')
15

16
        # Azure
17
        self.azure_credential = DefaultAzureCredential()
18

19
        # GCP
20
        self.gcp_iam = iam.IAMClient()
21

22
    def create_federated_identity(self, user_email, roles):
23
        """Create federated identity across all clouds"""
24

25
        identity_config = {
26
            'user': user_email,
27
            'created_at': datetime.utcnow().isoformat(),
28
            'roles': roles,
29
            'clouds': {}
30
        }
31

32
        # AWS Identity
33
        aws_role = self._create_aws_federated_role(user_email, roles.get('aws', []))
34
        identity_config['clouds']['aws'] = {
35
            'role_arn': aws_role['Arn'],
36
            'trust_policy': aws_role['TrustPolicy']
37
        }
38

39
        # Azure Identity
40
        azure_principal = self._create_azure_service_principal(user_email, roles.get('azure', []))
41
        identity_config['clouds']['azure'] = {
42
            'principal_id': azure_principal['id'],
43
            'tenant_id': azure_principal['tenant_id']
44
        }
45

46
        # GCP Identity
47
        gcp_sa = self._create_gcp_service_account(user_email, roles.get('gcp', []))
48
        identity_config['clouds']['gcp'] = {
49
            'service_account': gcp_sa['email'],
50
            'project_id': gcp_sa['project_id']
51
        }
52

53
        return identity_config
54

55
    def _create_aws_federated_role(self, user_email, permissions):
56
        """Create AWS role with OIDC federation"""
57

58
        trust_policy = {
59
            "Version": "2012-10-17",
60
            "Statement": [{
61
                "Effect": "Allow",
62
                "Principal": {
63
                    "Federated": f"arn:aws:iam::{AWS_ACCOUNT_ID}:oidc-provider/{OIDC_PROVIDER}"
64
                },
65
                "Action": "sts:AssumeRoleWithWebIdentity",
66
                "Condition": {
67
                    "StringEquals": {
68
                        f"{OIDC_PROVIDER}:sub": user_email,
69
                        f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com"
70
                    }
71
                }
72
            }]
73
        }
74

75
        # Create role
76
        role_name = f"federated-{user_email.replace('@', '-').replace('.', '-')}"
77

78
        try:
79
            response = self.aws_iam.create_role(
80
                RoleName=role_name,
81
                AssumeRolePolicyDocument=json.dumps(trust_policy),
82
                Description=f'Federated role for {user_email}',
83
                MaxSessionDuration=3600,  # 1 hour
84
                Tags=[
85
                    {'Key': 'Environment', 'Value': 'production'},
86
                    {'Key': 'ZeroTrust', 'Value': 'enabled'}
87
                ]
88
            )
89

90
            # Attach policies based on permissions
91
            for permission in permissions:
92
                self.aws_iam.attach_role_policy(
93
                    RoleName=role_name,
94
                    PolicyArn=self._get_aws_policy_arn(permission)
95
                )
96

97
            return {
98
                'Arn': response['Role']['Arn'],
99
                'TrustPolicy': trust_policy
100
            }
101

102
        except Exception as e:
103
            print(f"Error creating AWS role: {e}")
104
            raise

Conditional Access Policies#

1
# Azure Conditional Access Policy
2
apiVersion: authorization.azure.com/v1
3
kind: ConditionalAccessPolicy
4
metadata:
5
  name: zero-trust-multi-cloud
6
spec:
7
  displayName: "Zero Trust Multi-Cloud Access"
8
  state: enabled
9
  conditions:
10
    users:
11
      includeUsers:
12
        - All
13
      excludeGroups:
14
        - emergency-access
15
    applications:
16
      includeApplications:
17
        - All
18
    locations:
19
      includeLocations:
20
        - All
21
      excludeLocations:
22
        - trusted-locations
23
    platforms:
24
      includePlatforms:
25
        - all
26
    signInRiskLevels:
27
      - high
28
      - medium
29
  grantControls:
30
    operator: AND
31
    builtInControls:
32
      - mfa
33
      - compliantDevice
34
      - approvedApplication
35
    customAuthenticationFactors: []
36
  sessionControls:
37
    signInFrequency:
38
      value: 1
39
      type: hours
40
    persistentBrowser:
41
      mode: never

2. Microsegmentation Across Clouds#

Implement granular network segmentation that spans cloud boundaries.

1
# Terraform - Multi-Cloud Network Segmentation
2
module "zero_trust_network" {
3
  source = "./modules/zero-trust-network"
4

5
  # AWS VPC Configuration
6
  aws_vpc = {
7
    cidr_block = "10.0.0.0/16"
8
    enable_dns_hostnames = true
9
    enable_flow_logs = true
10

11
    # Microsegmentation with Security Groups
12
    security_groups = {
13
      web_tier = {
14
        description = "Web tier security group"
15
        ingress_rules = [
16
          {
17
            from_port   = 443
18
            to_port     = 443
19
            protocol    = "tcp"
20
            cidr_blocks = ["0.0.0.0/0"]  # Public HTTPS
21
          }
22
        ]
23
        egress_rules = [
24
          {
25
            from_port       = 3306
26
            to_port         = 3306
27
            protocol        = "tcp"
28
            security_groups = ["app_tier"]  # Only to app tier
29
          }
30
        ]
31
      }
32

33
      app_tier = {
34
        description = "Application tier security group"
35
        ingress_rules = [
36
          {
37
            from_port       = 3306
38
            to_port         = 3306
39
            protocol        = "tcp"
40
            security_groups = ["web_tier"]  # Only from web tier
41
          }
42
        ]
43
        egress_rules = [
44
          {
45
            from_port       = 5432
46
            to_port         = 5432
47
            protocol        = "tcp"
48
            security_groups = ["data_tier"]  # Only to data tier
49
          }
50
        ]
51
      }
52

53
      data_tier = {
54
        description = "Data tier security group"
55
        ingress_rules = [
56
          {
57
            from_port       = 5432
58
            to_port         = 5432
59
            protocol        = "tcp"
60
            security_groups = ["app_tier"]  # Only from app tier
61
          }
62
        ]
63
        egress_rules = []  # No outbound connections
64
      }
65
    }
66
  }
67

68
  # Azure Network Security Groups
69
  azure_network = {
70
    address_space = ["10.1.0.0/16"]
71

72
    subnets = {
73
      web = {
74
        address_prefix = "10.1.1.0/24"
75
        network_security_group = {
76
          security_rules = [
77
            {
78
              name                       = "HTTPS"
79
              priority                   = 100
80
              direction                  = "Inbound"
81
              access                     = "Allow"
82
              protocol                   = "Tcp"
83
              source_port_range          = "*"
84
              destination_port_range     = "443"
85
              source_address_prefix      = "*"
86
              destination_address_prefix = "*"
87
            }
88
          ]
89
        }
90
      }
91

92
      app = {
93
        address_prefix = "10.1.2.0/24"
94
        network_security_group = {
95
          security_rules = [
96
            {
97
              name                       = "FromWebTier"
98
              priority                   = 100
99
              direction                  = "Inbound"
100
              access                     = "Allow"
101
              protocol                   = "Tcp"
102
              source_port_range          = "*"
103
              destination_port_range     = "8080"
104
              source_address_prefix      = "10.1.1.0/24"
105
              destination_address_prefix = "*"
106
            }
107
          ]
108
        }
109
      }
110
    }
111
  }
112

113
  # GCP VPC with Firewall Rules
114
  gcp_network = {
115
    auto_create_subnetworks = false
116

117
    subnets = [
118
      {
119
        name          = "web-subnet"
120
        ip_cidr_range = "10.2.1.0/24"
121
        region        = "us-central1"
122
      },
123
      {
124
        name          = "app-subnet"
125
        ip_cidr_range = "10.2.2.0/24"
126
        region        = "us-central1"
127
      }
128
    ]
129

130
    firewall_rules = [
131
      {
132
        name        = "allow-web-to-app"
133
        direction   = "INGRESS"
134
        priority    = 1000
135

136
        source_ranges = ["10.2.1.0/24"]
137
        target_tags   = ["app-tier"]
138

139
        allow = [{
140
          protocol = "tcp"
141
          ports    = ["8080"]
142
        }]
143
      },
144
      {
145
        name        = "deny-all-else"
146
        direction   = "INGRESS"
147
        priority    = 65534
148

149
        source_ranges = ["0.0.0.0/0"]
150

151
        deny = [{
152
          protocol = "all"
153
        }]
154
      }
155
    ]
156
  }
157
}

3. Policy-as-Code with Open Policy Agent (OPA)#

Implement consistent policy enforcement across all clouds.

1
package zero_trust.authorization
2

3
import future.keywords.if
4
import future.keywords.contains
5

6
default allow = false
7

8
# Multi-Cloud Resource Access Policy
9
allow if {
10
    # Verify JWT token
11
    token_valid
12

13
    # Check user authentication
14
    input.user.authenticated == true
15
    input.user.mfa_verified == true
16

17
    # Verify device compliance
18
    input.device.compliant == true
19
    input.device.managed == true
20

21
    # Check network context
22
    network_trusted
23

24
    # Verify least privilege
25
    required_permission in user_permissions
26
}
27

28
# Token validation
29
token_valid if {
30
    [header, payload, _] := io.jwt.decode_verify(
31
        input.token,
32
        {"secret": data.jwt_secret}
33
    )
34

35
    # Check token expiration
36
    payload.exp > time.now_ns() / 1000000000
37

38
    # Verify issuer
39
    payload.iss == data.trusted_issuer
40
}
41

42
# Network trust evaluation
43
network_trusted if {
44
    # Check if request is from internal network
45
    net.cidr_contains("10.0.0.0/8", input.source_ip)
46
} else if {
47
    # Or if VPN connected
48
    input.network.vpn_connected == true
49
    input.network.vpn_compliance == true
50
} else if {
51
    # Or if using verified ZTNA
52
    input.network.ztna_verified == true
53
}
54

55
# Permission checking
56
user_permissions[permission] if {
57
    some role in input.user.roles
58
    some permission in data.rbac[role].permissions
59
}
60

61
required_permission := permission if {
62
    # Map action to permission
63
    action_map := {
64
        "read": "viewer",
65
        "write": "editor",
66
        "delete": "admin"
67
    }
68
    permission := action_map[input.action]
69
}
70

71
# Cloud-specific policies
72
aws_resource_allowed if {
73
    input.cloud == "aws"
74
    input.resource.type in data.aws_allowed_resources
75
    input.resource.tags.environment == input.user.allowed_environments[_]
76
}
77

78
azure_resource_allowed if {
79
    input.cloud == "azure"
80
    input.resource.type in data.azure_allowed_resources
81
    input.resource.resource_group in input.user.allowed_resource_groups
82
}
83

84
gcp_resource_allowed if {
85
    input.cloud == "gcp"
86
    input.resource.type in data.gcp_allowed_resources
87
    input.resource.project_id in input.user.allowed_projects
88
}

4. Service Mesh for Zero Trust Networking#

Deploy Istio service mesh across multi-cloud environments.

1
# Istio Multi-Cloud Configuration
2
apiVersion: install.istio.io/v1alpha1
3
kind: IstioOperator
4
metadata:
5
  name: control-plane
6
spec:
7
  values:
8
    pilot:
9
      env:
10
        PILOT_ENABLE_WORKLOAD_ENTRY_AUTOREGISTRATION: true
11
        PILOT_ENABLE_CROSS_CLUSTER_WORKLOAD_ENTRY: true
12
    global:
13
      meshID: mesh1
14
      multiCluster:
15
        clusterName: aws-cluster
16
      network: network1
17

18
  components:
19
    pilot:
20
      k8s:
21
        env:
22
          - name: PILOT_TRACE_SAMPLING
23
            value: "100"
24
        resources:
25
          requests:
26
            cpu: 1000m
27
            memory: 1024Mi
28

29
    # Enable mTLS everywhere
30
    ingressGateways:
31
      - name: istio-ingressgateway
32
        enabled: true
33
        k8s:
34
          service:
35
            type: LoadBalancer
36
            ports:
37
              - port: 15021
38
                targetPort: 15021
39
                name: status-port
40
              - port: 443
41
                targetPort: 8443
42
                name: https
43
---
44
# PeerAuthentication for mTLS
45
apiVersion: security.istio.io/v1beta1
46
kind: PeerAuthentication
47
metadata:
48
  name: default
49
  namespace: istio-system
50
spec:
51
  mtls:
52
    mode: STRICT
53
---
54
# AuthorizationPolicy for Zero Trust
55
apiVersion: security.istio.io/v1beta1
56
kind: AuthorizationPolicy
57
metadata:
58
  name: zero-trust-policy
59
  namespace: production
60
spec:
61
  selector:
62
    matchLabels:
63
      app: api-service
64
  action: ALLOW
65
  rules:
66
    - from:
67
        - source:
68
            principals: ["cluster.local/ns/production/sa/frontend"]
69
      to:
70
        - operation:
71
            methods: ["GET", "POST"]
72
            paths: ["/api/v1/*"]
73
      when:
74
        - key: request.headers[x-user-id]
75
          values: ["*"]
76
        - key: request.auth.claims[verified]
77
          values: ["true"]
78
        - key: source.ip
79
          notValues: ["0.0.0.0/0"]

5. Continuous Verification and Monitoring#

Implement real-time verification of all access attempts.

1
# Real-time Zero Trust Monitoring System
2
import asyncio
3
from elasticsearch import AsyncElasticsearch
4
from kafka import KafkaProducer, KafkaConsumer
5
import json
6
from datetime import datetime
7
import numpy as np
8
from sklearn.ensemble import IsolationForest
9

10
class ZeroTrustMonitor:
11
    def __init__(self):
12
        # Elasticsearch for log aggregation
13
        self.es = AsyncElasticsearch(['http://localhost:9200'])
14

15
        # Kafka for real-time event streaming
16
        self.producer = KafkaProducer(
17
            bootstrap_servers=['localhost:9092'],
18
            value_serializer=lambda v: json.dumps(v).encode('utf-8')
19
        )
20

21
        # ML model for anomaly detection
22
        self.anomaly_detector = IsolationForest(
23
            contamination=0.1,
24
            random_state=42
25
        )
26

27
        # Risk scoring thresholds
28
        self.risk_thresholds = {
29
            'low': 0.3,
30
            'medium': 0.6,
31
            'high': 0.8,
32
            'critical': 0.95
33
        }
34

35
    async def monitor_access_attempt(self, access_event):
36
        """Monitor and score each access attempt"""
37

38
        # Calculate risk score
39
        risk_score = await self.calculate_risk_score(access_event)
40

41
        # Add risk score to event
42
        access_event['risk_score'] = risk_score
43
        access_event['risk_level'] = self.get_risk_level(risk_score)
44
        access_event['timestamp'] = datetime.utcnow().isoformat()
45

46
        # Store in Elasticsearch
47
        await self.es.index(
48
            index=f"zero-trust-{datetime.utcnow().strftime('%Y.%m.%d')}",
49
            body=access_event
50
        )
51

52
        # Stream to Kafka for real-time processing
53
        self.producer.send('zero-trust-events', access_event)
54

55
        # Take action based on risk
56
        if risk_score > self.risk_thresholds['high']:
57
            await self.handle_high_risk_event(access_event)
58

59
        return {
60
            'allowed': risk_score < self.risk_thresholds['medium'],
61
            'risk_score': risk_score,
62
            'risk_level': access_event['risk_level'],
63
            'additional_verification_required': risk_score > self.risk_thresholds['low']
64
        }
65

66
    async def calculate_risk_score(self, event):
67
        """Calculate risk score using multiple factors"""
68

69
        risk_factors = []
70

71
        # User behavior analysis
72
        user_risk = await self.analyze_user_behavior(event['user_id'])
73
        risk_factors.append(user_risk * 0.3)
74

75
        # Device trust score
76
        device_risk = self.calculate_device_risk(event['device'])
77
        risk_factors.append(device_risk * 0.2)
78

79
        # Network context
80
        network_risk = self.evaluate_network_risk(event['network'])
81
        risk_factors.append(network_risk * 0.2)
82

83
        # Resource sensitivity
84
        resource_risk = self.assess_resource_sensitivity(event['resource'])
85
        risk_factors.append(resource_risk * 0.2)
86

87
        # Time-based anomaly
88
        time_risk = self.detect_time_anomaly(event)
89
        risk_factors.append(time_risk * 0.1)
90

91
        # Combine risk factors
92
        total_risk = sum(risk_factors)
93

94
        # Apply ML anomaly detection
95
        anomaly_score = self.detect_anomaly(event)
96
        if anomaly_score == -1:  # Anomaly detected
97
            total_risk = min(total_risk * 1.5, 1.0)
98

99
        return total_risk
100

101
    async def analyze_user_behavior(self, user_id):
102
        """Analyze user behavior patterns"""
103

104
        # Query historical user behavior
105
        query = {
106
            "query": {
107
                "bool": {
108
                    "must": [
109
                        {"term": {"user_id": user_id}},
110
                        {"range": {"timestamp": {"gte": "now-30d"}}}
111
                    ]
112
                }
113
            },
114
            "aggs": {
115
                "login_times": {
116
                    "date_histogram": {
117
                        "field": "timestamp",
118
                        "calendar_interval": "hour"
119
                    }
120
                },
121
                "accessed_resources": {
122
                    "cardinality": {
123
                        "field": "resource.id"
124
                    }
125
                },
126
                "failed_attempts": {
127
                    "filter": {
128
                        "term": {"success": False}
129
                    }
130
                }
131
            }
132
        }
133

134
        result = await self.es.search(index="zero-trust-*", body=query)
135

136
        # Calculate behavior risk score
137
        failed_ratio = result['aggregations']['failed_attempts']['doc_count'] / max(result['hits']['total']['value'], 1)
138
        resource_diversity = result['aggregations']['accessed_resources']['value']
139

140
        # Higher risk for unusual patterns
141
        if failed_ratio > 0.1:
142
            return 0.8
143
        elif resource_diversity > 100:  # Accessing too many different resources
144
            return 0.6
145
        else:
146
            return 0.2
147

148
    def detect_anomaly(self, event):
149
        """Use ML to detect anomalous access patterns"""
150

151
        # Feature extraction
152
        features = [
153
            event.get('user_risk_score', 0),
154
            event.get('device_trust_score', 0),
155
            1 if event.get('network', {}).get('vpn_connected') else 0,
156
            len(event.get('resource', {}).get('tags', [])),
157
            event.get('request_size', 0),
158
            event.get('response_time', 0)
159
        ]
160

161
        # Predict anomaly
162
        prediction = self.anomaly_detector.predict([features])
163
        return prediction[0]
164

165
    async def handle_high_risk_event(self, event):
166
        """Handle high-risk access attempts"""
167

168
        # Send alert
169
        alert = {
170
            'severity': 'HIGH',
171
            'event': event,
172
            'timestamp': datetime.utcnow().isoformat(),
173
            'actions_required': [
174
                'Block access attempt',
175
                'Notify security team',
176
                'Initiate step-up authentication',
177
                'Log for forensic analysis'
178
            ]
179
        }
180

181
        # Send to security team
182
        self.producer.send('security-alerts', alert)
183

184
        # Block access
185
        await self.block_access(event['session_id'])
186

187
        # Trigger incident response
188
        if event['risk_score'] > self.risk_thresholds['critical']:
189
            await self.trigger_incident_response(event)

6. Automated Incident Response#

Implement automated responses to security events.

1
# Automated Zero Trust Incident Response
2
class IncidentResponseOrchestrator:
3
    def __init__(self):
4
        self.response_playbooks = {
5
            'suspicious_login': self.handle_suspicious_login,
6
            'privilege_escalation': self.handle_privilege_escalation,
7
            'data_exfiltration': self.handle_data_exfiltration,
8
            'lateral_movement': self.handle_lateral_movement
9
        }
10

11
    async def respond_to_incident(self, incident):
12
        """Orchestrate incident response"""
13

14
        incident_type = self.classify_incident(incident)
15

16
        # Execute appropriate playbook
17
        if incident_type in self.response_playbooks:
18
            response = await self.response_playbooks[incident_type](incident)
19
        else:
20
            response = await self.handle_unknown_incident(incident)
21

22
        # Log response
23
        await self.log_incident_response(incident, response)
24

25
        return response
26

27
    async def handle_suspicious_login(self, incident):
28
        """Handle suspicious login attempts"""
29

30
        user_id = incident['user_id']
31
        session_id = incident['session_id']
32

33
        actions = []
34

35
        # 1. Terminate session
36
        await self.terminate_session(session_id)
37
        actions.append('Session terminated')
38

39
        # 2. Disable user account temporarily
40
        await self.disable_user_account(user_id, duration_minutes=30)
41
        actions.append('User account disabled for 30 minutes')
42

43
        # 3. Force password reset
44
        await self.force_password_reset(user_id)
45
        actions.append('Password reset required')
46

47
        # 4. Revoke all tokens
48
        await self.revoke_user_tokens(user_id)
49
        actions.append('All tokens revoked')
50

51
        # 5. Send notification
52
        await self.notify_user(user_id, {
53
            'type': 'security_alert',
54
            'message': 'Suspicious login detected. Your account has been temporarily locked.',
55
            'actions_required': ['Reset password', 'Verify identity']
56
        })
57

58
        return {
59
            'incident_id': incident['id'],
60
            'response_time': datetime.utcnow().isoformat(),
61
            'actions_taken': actions,
62
            'status': 'contained'
63
        }
64

65
    async def handle_lateral_movement(self, incident):
66
        """Handle detected lateral movement"""
67

68
        source_ip = incident['source_ip']
69
        compromised_resources = incident['accessed_resources']
70

71
        actions = []
72

73
        # 1. Isolate affected resources
74
        for resource in compromised_resources:
75
            await self.isolate_resource(resource)
76
            actions.append(f'Isolated resource: {resource["id"]}')
77

78
        # 2. Block source IP across all clouds
79
        await self.block_ip_multicloud(source_ip)
80
        actions.append(f'Blocked IP {source_ip} across all clouds')
81

82
        # 3. Snapshot for forensics
83
        for resource in compromised_resources:
84
            snapshot_id = await self.create_forensic_snapshot(resource)
85
            actions.append(f'Created forensic snapshot: {snapshot_id}')
86

87
        # 4. Deploy honeypot
88
        honeypot = await self.deploy_honeypot(incident['attack_pattern'])
89
        actions.append(f'Deployed honeypot: {honeypot["id"]}')
90

91
        # 5. Enhance monitoring
92
        await self.enhance_monitoring(compromised_resources)
93
        actions.append('Enhanced monitoring on affected resources')
94

95
        return {
96
            'incident_id': incident['id'],
97
            'response_time': datetime.utcnow().isoformat(),
98
            'actions_taken': actions,
99
            'status': 'investigating',
100
            'forensics_enabled': True
101
        }

7. Compliance and Audit#

Maintain continuous compliance across all cloud environments.

1
# Cloud Custodian - Multi-Cloud Compliance Policies
2
policies:
3
  # AWS Zero Trust Compliance
4
  - name: aws-zero-trust-iam-mfa
5
    resource: aws.iam-user
6
    filters:
7
      - type: mfa-device
8
        value: empty
9
    actions:
10
      - type: remove-keys
11
        age: 0
12
      - type: notify
13
        template: zero-trust-violation
14
        subject: "Zero Trust Violation: MFA Not Enabled"
15

16
  - name: aws-zero-trust-sg-ingress
17
    resource: aws.security-group
18
    filters:
19
      - type: ingress
20
        Cidr:
21
          value: "0.0.0.0/0"
22
        OnlyPorts: false
23
    actions:
24
      - type: delete
25
      - type: notify
26
        template: zero-trust-violation
27

28
  # Azure Zero Trust Compliance
29
  - name: azure-zero-trust-network-watcher
30
    resource: azure.networkinterface
31
    filters:
32
      - type: network-flow-logs
33
        enabled: false
34
    actions:
35
      - type: set-flow-logs
36
        enabled: true
37

38
  - name: azure-zero-trust-storage-encryption
39
    resource: azure.storage
40
    filters:
41
      - not:
42
          - type: storage-encryption
43
            enabled: true
44
    actions:
45
      - type: set-encryption
46
        enabled: true
47

48
  # GCP Zero Trust Compliance
49
  - name: gcp-zero-trust-iam-audit
50
    resource: gcp.project
51
    filters:
52
      - type: iam-policy
53
        doc:
54
          bindings:
55
            - members: ["allUsers", "allAuthenticatedUsers"]
56
    actions:
57
      - type: set-iam-policy
58
        remove-bindings:
59
          - members: ["allUsers", "allAuthenticatedUsers"]
60

61
  - name: gcp-zero-trust-vpc-flow-logs
62
    resource: gcp.subnet
63
    filters:
64
      - type: flow-logs
65
        enabled: false
66
    actions:
67
      - type: set-flow-logs
68
        config:
69
          enable: true
70
          aggregationInterval: INTERVAL_5_SEC
71
          flowSampling: 1.0

Best Practices for Multi-Cloud Zero Trust#

1. Start with Identity#

Implement strong authentication (MFA, passwordless)
Use temporary credentials with short TTLs
Enforce least privilege at all levels
Regular access reviews and certification

2. Embrace Automation#

Automate policy enforcement
Use Infrastructure as Code for consistency
Implement automated incident response
Continuous compliance monitoring

3. Monitor Everything#

Collect logs from all cloud services
Correlate events across clouds
Use ML for anomaly detection
Real-time alerting and response

4. Plan for Failure#

Assume breach mentality
Regular disaster recovery testing
Incident response playbooks
Forensic readiness

Conclusion#

Implementing Zero Trust in multi-cloud environments requires a fundamental shift in security thinking. By eliminating implicit trust, continuously verifying every transaction, and enforcing least privilege access, organizations can maintain security across distributed cloud infrastructure.

Key takeaways:

Identity is the new perimeter
Microsegmentation limits blast radius
Policy-as-Code ensures consistency
Continuous verification is essential
Automation enables scale

Zero Trust isn’t a product but a journey. Start with high-value assets, gradually expand coverage, and continuously improve based on lessons learned. In today’s threat landscape, Zero Trust isn’t optional—it’s essential for securing multi-cloud environments.