Zero Trust Architecture — Notes
Core Principles
- Never trust, always verify — authenticate and authorize every request regardless of network location; being inside the VNet proves nothing
- Least privilege access — grant minimum permissions required
- Assume breach — design systems assuming attackers are already inside
Zero Trust on Azure — Building Blocks
Identity
- Entra ID (Azure AD) as the identity plane
- Conditional Access policies (MFA, compliant devices, location)
- Managed Identities for service-to-service (no stored credentials to rotate or leak)
- Privileged Identity Management (PIM) for just-in-time admin access
Network
- Private Endpoints for all PaaS services, with public network access disabled on the resource itself (a private endpoint alone does not close the public path)
- NSGs as a secondary, network-layer control for segmentation inside the VNet, never the only gate
- Azure Firewall for east-west and egress inspection (route subnet traffic through it with UDRs)
- No public IPs on VMs
Data
- Encryption at rest (platform-managed or customer-managed keys)
- Encryption in transit (TLS everywhere)
- Azure Key Vault for secret management (RBAC permission model, private endpoint, purge protection on)
- Data classification and labelling
Monitoring
- Microsoft Defender for Cloud
- Microsoft Sentinel (SIEM)
- Log Analytics workspace
- Diagnostic settings on all resources, pointed at the Log Analytics workspace (resource logs are not collected until a setting exists)
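Added example, not part of the original notes: one PaaS service (a Key Vault) wired up with all four building blocks in a single Bicep module. Managed identity instead of a client secret, RBAC instead of access policies, public access disabled plus a private endpoint, and a diagnostic setting to Log Analytics. Assumptions: an existing subnet, a privatelink.vaultcore.azure.net Private DNS zone linked to the VNet, and a Log Analytics workspace, all passed in as parameters; resource names are illustrative.

```bicep
// Added example (not from the original notes): a Key Vault deployed the
// Zero Trust way. Assumed inputs: an existing subnet, a Private DNS zone for
// privatelink.vaultcore.azure.net, and a Log Analytics workspace.
param location string = resourceGroup().location
param vaultName string
param subnetId string              // assumption: subnet that permits private endpoints
param privateDnsZoneId string      // assumption: privatelink.vaultcore.azure.net, linked to the VNet
param logAnalyticsWorkspaceId string

// Built-in role "Key Vault Secrets User": read secret contents, nothing else.
var keyVaultSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'

// Identity: a user-assigned managed identity; no password or client secret exists.
resource workloadIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: 'id-${vaultName}-workload'
  location: location
}

// Data: Key Vault with the RBAC permission model and no public network path.
// publicNetworkAccess and networkAcls are set on the vault itself; the private
// endpoint below only adds a private path, it does not remove the public one.
resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: vaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true   // no legacy access policies
    enableSoftDelete: true
    enablePurgeProtection: true
    publicNetworkAccess: 'Disabled'
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
    }
  }
}

// Network: private endpoint for the vault data plane ("vault" group) plus the
// DNS zone group that makes the public hostname resolve to the private IP.
resource vaultPrivateEndpoint 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${vaultName}'
  location: location
  properties: {
    subnet: { id: subnetId }
    privateLinkServiceConnections: [
      {
        name: 'vault'
        properties: {
          privateLinkServiceId: vault.id
          groupIds: [ 'vault' ]
        }
      }
    ]
  }
}

resource vaultPrivateDns 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: vaultPrivateEndpoint
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'vaultcore'
        properties: { privateDnsZoneId: privateDnsZoneId }
      }
    ]
  }
}

// Least privilege: the identity may read secrets in this one vault only.
// The role assignment is scoped to the vault, not the resource group.
resource secretsUser 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(vault.id, workloadIdentity.id, keyVaultSecretsUserRoleId)
  scope: vault
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultSecretsUserRoleId)
    principalId: workloadIdentity.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

// Monitoring: every data-plane call is an AuditEvent; without this setting
// those events are simply not collected.
resource vaultDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'to-log-analytics'
  scope: vault
  properties: {
    workspaceId: logAnalyticsWorkspaceId
    logs: [
      { category: 'AuditEvent', enabled: true }
    ]
    metrics: [
      { category: 'AllMetrics', enabled: true }
    ]
  }
}

// The workload authenticates with this client ID via the IMDS/Entra token endpoint.
output workloadClientId string = workloadIdentity.properties.clientId
```

Deploy with `az deployment group create --template-file vault.bicep --parameters vaultName=... subnetId=... privateDnsZoneId=... logAnalyticsWorkspaceId=...`. The same pattern (disable public access on the resource, private endpoint plus DNS zone group, RBAC role scoped to the single resource, diagnostic setting) applies to Storage, SQL and the other PaaS services in the list; only the group ID, DNS zone and role ID change.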
Implementation Order
- Month 1: Managed identities + private endpoints for new workloads
- Month 2: Conditional access + PIM for admin accounts
- Month 3: Azure Policy enforcement (audit → deny)
- Month 4-6: Retrofit existing workloads, Defender, Sentinel
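Added example, not part of the original notes: the month-3 audit → deny rollout as a subscription-scope Bicep file. Each custom policy exposes its effect as a parameter, so the first deployment runs with effect=Audit, the compliance results get worked through, and the same file is redeployed with effect=Deny. The two rules encode the Network items above: PaaS must disable public network access (shown for storage accounts) and NICs must not carry a public IP. Policy and assignment names are illustrative.

```bicep
// Added example (not from the original notes): parameterised-effect custom
// policies for the audit -> deny rollout. Assumed: deployed at subscription scope.
targetScope = 'subscription'

@allowed([ 'Audit', 'Deny', 'Disabled' ])
param effect string = 'Audit'   // first deployment: Audit; redeploy with Deny once findings are cleared

// Every definition exposes the same effect switch.
var effectParameter = {
  effect: {
    type: 'String'
    allowedValues: [ 'Audit', 'Deny', 'Disabled' ]
    defaultValue: 'Audit'
  }
}

// Network building block: PaaS reachable only over private endpoints.
// Bicep escapes the leading '[' so Policy receives the literal expression text.
resource storagePublicAccess 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'zt-storage-no-public'
  properties: {
    policyType: 'Custom'
    mode: 'Indexed'
    displayName: 'Storage accounts must disable public network access'
    parameters: effectParameter
    policyRule: {
      if: {
        allOf: [
          { field: 'type', equals: 'Microsoft.Storage/storageAccounts' }
          { field: 'Microsoft.Storage/storageAccounts/publicNetworkAccess', notEquals: 'Disabled' }
        ]
      }
      then: { effect: '[parameters(\'effect\')]' }
    }
  }
}

// Network building block: no public IPs on VMs. A NIC is non-compliant when
// any of its IP configurations references a public IP address resource.
resource nicPublicIp 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'zt-nic-no-public-ip'
  properties: {
    policyType: 'Custom'
    mode: 'Indexed'
    displayName: 'Network interfaces must not have a public IP'
    parameters: effectParameter
    policyRule: {
      if: {
        allOf: [
          { field: 'type', equals: 'Microsoft.Network/networkInterfaces' }
          {
            count: {
              field: 'Microsoft.Network/networkInterfaces/ipconfigurations[*]'
              where: {
                field: 'Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id'
                exists: true
              }
            }
            greater: 0
          }
        ]
      }
      then: { effect: '[parameters(\'effect\')]' }
    }
  }
}

// One assignment per definition; the single `effect` parameter drives both,
// so the flip from Audit to Deny is one parameter change, not a rewrite.
resource storageAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'zt-storage-no-public'
  properties: {
    displayName: storagePublicAccess.properties.displayName
    policyDefinitionId: storagePublicAccess.id
    enforcementMode: 'Default'
    parameters: { effect: { value: effect } }
  }
}

resource nicAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'zt-nic-no-public-ip'
  properties: {
    displayName: nicPublicIp.properties.displayName
    policyDefinitionId: nicPublicIp.id
    enforcementMode: 'Default'
    parameters: { effect: { value: effect } }
  }
}
```

First pass: `az deployment sub create --location <region> --template-file policy.bicep` (effect defaults to Audit), then review non-compliant resources in the Policy compliance view. Second pass, after the retrofit work in months 4-6 has cleared the audit findings: the same command with `--parameters effect=Deny`. Deny only blocks new or updated resources that match the rule; existing non-compliant ones still show as non-compliant and must be fixed by hand or with a separate modify/deployIfNotExists policy.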
Notes from implementing Zero Trust patterns in enterprise environments.