Zero Trust Architecture — Never Trust, Always Verify

Every request is authenticated and authorized regardless of network origin — no implicit trust inside the perimeter.

When to use

  • Replacing VPN-based perimeter security
  • Multi-cloud or hybrid environments
  • Internal service-to-service authentication

Tradeoffs

  • Complex identity infrastructure required (mTLS, service accounts, certificate rotation)
  • Per-request verification adds latency vs perimeter trust

package main

import (
	"crypto/tls"
	"crypto/x509"
	"log"
	"net/http"
	"os"
)

// mtlsServer starts an HTTPS listener that accepts only clients presenting a
// certificate signed by the CA in caFile, and returns the server for shutdown.
func mtlsServer(certFile, keyFile, caFile string) *http.Server {
	caCert, err := os.ReadFile(caFile)
	if err != nil {
		log.Fatalf("read CA bundle: %v", err)
	}
	caPool := x509.NewCertPool()
	if !caPool.AppendCertsFromPEM(caCert) {
		log.Fatalf("no usable CA certificate in %s", caFile)
	}
	tlsCfg := &tls.Config{
		ClientAuth: tls.RequireAndVerifyClientCert, // reject any client without a valid cert
		ClientCAs:  caPool,
		MinVersion: tls.VersionTLS13,
	}
	srv := &http.Server{Addr: ":8443", TLSConfig: tlsCfg}
	go func() { // ListenAndServeTLS blocks; off the caller's goroutine so return is reached
		if err := srv.ListenAndServeTLS(certFile, keyFile); err != http.ErrServerClosed {
			log.Fatalf("mTLS server: %v", err)
		}
	}()
	return srv
}

Gotcha: Zero Trust is not a product you buy. It's a posture you build incrementally. Start with service identity (mTLS or service accounts), then layer in policy enforcement.
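The "layer in policy enforcement" step, as an added example that is not part of the original page: a per-request authorization check that takes the caller's identity only from the client certificate the mTLS listener above has already verified, then consults a constructed policy table, so a request from inside the network with no verified identity is still rejected. The policy table, the CN-as-identity mapping and the names authorize, requireIdentity and withPeer are assumptions; withPeer fakes a verified peer certificate for local testing only.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"net/http"
)

// policy maps a verified workload identity (client-cert CN) to the
// method+path pairs it may call. Constructed sample; real deployments load it from a policy store.
var policy = map[string]map[string]bool{
	"billing-svc": {"GET /invoices": true, "POST /invoices": true},
	"report-svc":  {"GET /invoices": true},
}

// authorize runs on every request. Identity comes only from the client cert the
// TLS layer already verified against ClientCAs; the source address plays no part.
func authorize(r *http.Request) int {
	if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
		return http.StatusUnauthorized // no identity: being "inside" buys nothing
	}
	id := r.TLS.PeerCertificates[0].Subject.CommonName
	if !policy[id][r.Method+" "+r.URL.Path] {
		return http.StatusForbidden // known identity, action not permitted
	}
	return http.StatusOK
}

// requireIdentity enforces authorize before the wrapped handler runs.
func requireIdentity(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if code := authorize(r); code != http.StatusOK {
			http.Error(w, http.StatusText(code), code)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// withPeer attaches a constructed client cert (no real PKI) so the policy can be
// exercised locally; in production r.TLS is populated by the mTLS listener.
func withPeer(r *http.Request, cn string) *http.Request {
	r.TLS = &tls.ConnectionState{PeerCertificates: []*x509.Certificate{{Subject: pkix.Name{CommonName: cn}}}}
	return r
}
```

Wire requireIdentity around the mux handed to the mTLS server above; because ClientAuth is RequireAndVerifyClientCert, any cert reaching authorize has already chained to ClientCAs.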