Zero Trust

6 min readJun 11, 2019

How do you make a home secure? Lock everything and only you hold the key. This is kind of the Zero Trust Architecture concept

Typically, for most websites and centralized digital frameworks, once you login with the correct credentials you then have access to the sphere of hosted functions. This sphere is classified as the site’s ‘trusted perimeter’

Security models set their perimeters using say encryption, login protocols and firewalls. Somewhat like a gate around a physical property, inside that gate is the trusted perimeter

The trouble is once someone knows your login details or possibly controls your unlocked device, concurrently, they could access the ‘trusted perimeter’. They’re able to login. In other words, they use the obtained key to open the gate

The potential unknown of someone doing just this is a long recognized stumbling point for various types of collaboration processes, even for a body like the UN [215] While there are ongoing advancements in layering login protocols, increased complexity for verification as well as cross device checks, such as two-factor authentication, the possibly unknown actor problem persists

Instead of concentrating on one centralized access point, there is a way to further segment functions, to make each function or activity a gate itself. This applies to the first trusted perimeter and equally to all newly set ‘gates’ that follow. And with Zero Trust Architecture, the concept of “never trust, always verify” becomes its guiding ethos

We logically touch on microservices when shifting away from centralization. The microservice structure is one where each time you perform a different segmented function, you have the ability to call out to a different and even a unique location. Microservices will be detailed throughout following articles while here we focus primarily on Zero Trust Architecture

To make the Zero Trust Architecture concept more tangible, as a thought experiment, imagine that you’re invited to a house party. Let’s look at two possible security scenarios of attending this house party, using traditional or Zero Trust Architecture;

Traditional Architecture

You’re on the invite list. You give your name to the doorman and that’s your key through the front gate. Once inside, you can walk up to the house. You now have full access to every room in the house. You make your way to the kitchen and grab a drink, you walk out to the porch and strike up a conversation with another guest

Then you make your way to the bathroom (taking a moment to rummage through the medicine cabinet, just out of curiosity), and finally end up having a nice discussion whilst lounging on the living room couch. Easy. Done. Great party

The trouble is, should anyone else give your name at the gate, sufficiently fooling or bypassing the doorman, this person has utilized your key. They would have almost unrestricted access to the entire spread, as you would if it was actually you

Zero Trust Architecture

You have a personalized key, which can be of varying complexity, even say device specific with double passwords and biometric signatures plus geo-location certification, or so on. You use your personalized key with the doorman. You pass the front gate

Then you use your key to open the kitchen door and again to take a drink. Then you use your key to open the door that leads out to the porch. Then you use your key again with the person your chatting to, so that you both know who is who

Then you use your key to open the bathroom door. Then again for the medicine cabinet, and again when entering the living room, and so on. Roughly and figuratively this could be referred to as granular perimeter security. Every [granular] function becomes segmented [having its own perimeter] thereby acting as a gate itself with each gate confirming your key

Making physical comparisons explains the principle but overlooks the benefits of digital implementation-

Meaning, if one had to physically perform all those additional actions during unlocking then, obviously, it would increase the time and energy required. It would be a hassle, no doubt. Extra steps would entail extra work and, therefore, this constant re-checking would become laboriously counterproductive. However, from a digital standpoint, Zero Trust key use can be imperceptibly fast

Goliaths such as Siemens and Google have been using variations of Zero Trust structures for a long time. The segmentation allows for compartmentalization of data as well as lateral tracking

Lateral tracking security analysis is made possible by the increased gates and associated ledger data. From a security perspective, the capacity for analysis processes like lateral tracking has multiple benefits


Your key may grant access to some areas but may not be authorized to get into others. Key providers and holders set as well as have the ability to review types of access, on a granular level


Automated and potentially private pattern recognition can prompt additional verification as required during unusual behaviour or possible breaches, whilst concurrently minimizing loss exposure throughout

A red flag could be instantly raised if for years you’ve used your key like clockwork to follow a preferred usage pattern but, one day and out of the blue, your key is suddenly or unusually used to collate highly sensitive data or dig into never before touched areas

Because the key is used for each granular portion or function, there is a much better chance and now an existing method to stop unauthorized use



The structuring of one’s personal and identity data can be hosted across multiple points. Even a breach to one of the sources holding a portion of the personal information would not give the full key

More broadly, particularly from a trust and reputation based marketplace example, there are long standing proposals for machine learning and economic advantages being derived [216] The ramifications of such could, when widely adopted, influence entire economic systems of trade and politics [217]

Extending this segmented and granular methodology is where microservices come in. Let’s break this out once more for microservices. Making a comparison between traditional centralized structures just imagine a functional website, say most any popular social media platform or online banking service;

Traditional Centralized Web Service

Your key gives you access to the front gate and you have access to whatever is inside. When the site wants to renovate, add a new service or fix up an old one, then each such task constitutes a massive undertaking

While the required work is happening these significant restructurings or renovations can have knock-on effects and various negative ramifications on usability for the rest of the site

Micro-Services + Zero Trust Architecture

Your key gives you access but is used again and again for following functions. Each function acts as a gate which you unlock

This is where the structure gets exciting. As there is little distance between calling a service from one location or another, each gate can be set in its own individual or unique space. Each gate doesn’t have to rely on the same centralized host

So in using microservices, restructurings or renovations can be done specifically to one portion without affecting the usability of others. Each function, with all supporting peripherals, are able to act independently

Next articles will go into details and benefits of microservices, as well as the cross over functionalities with various distributed ledger technologies, digital security tokens and cryptocurrency use

This granular segmentation principle has amazingly beneficial implementations, for everything from direct real world engagement to actualized payments. It is a core philosophy behind the TOF® Biosphere

It has implementations into the realms of law, copyrighting, intellectual property control and beyond. Remember, throughout the real ‘key’ remains in always making choice personal

Thank you to those around the globe for all the kind words and support. You’re plucking awesome