
2021 6th International Conference for Convergence in Technology (I2CT)

Pune, India. Apr 02-04, 2021

Building A Zero Trust Architecture Using Kubernetes

Daniel D'Silva
Electronics and Telecommunication
Sardar Patel Institute of Technology
Mumbai, Maharashtra
daniel.dsilva@spit.ac.in

Dayanand D. Ambawade
Electronics and Telecommunication
Sardar Patel Institute of Technology
Mumbai, Maharashtra
dd_ambawade@spit.ac.in

Abstract— In the twenty-first century, trust has become an influential factor for people and organizations. As the world advances digitally, mobile and cloud services have become the principal drivers of this era, and the conventional frameworks that protected such environments have dissolved. There was a period when organization resources were kept inside a secure perimeter and regarded as safe. Moreover, the recent work-from-home culture provides attackers with a significant opportunity to breach security controls. Everybody inside the network is deemed trustworthy, allowing an intruder to gain escalated access inside the perimeter. These fortresses now permit clients to fetch information from outside the fortification, and because everybody is 'trusted excessively,' the current foundation is defenseless against attackers. This paper presents 'Zero Trust' as a new paradigm of online protection. It explores previous work related to Zero Trust implementation and research, and discusses Zero Trust as a candidate for future network security. It uses containers to implement the architecture, which responds to various types of attacks, and it examines security at every OSI model layer along with the advantages and disadvantages of Zero Trust Architecture.

Keywords—Zero Trust, Kubernetes, Access Control, Keycloak, Proxy.

2021 6th International Conference for Convergence in Technology (I2CT) | 978-1-7281-8876-8/21/$31.00 ©2021 IEEE | DOI: 10.1109/I2CT51068.2021.9418203

I. INTRODUCTION

Networks and technology have taken a significant leap in terms of advancement and automation over the years. However, ensuring their safe communication without being attacked has remained a significant concern. In the early days of the internet, organizations stored their data within the enterprise, thus creating a perimeter. This network topology was highly fortified, so it was not easy for an attacker to breach the organization's infrastructure and assets. In recent years, technology has allowed us to access data from outside the enterprise's four walls.

In 2004, before Zero Trust had a name, the idea of de-perimeterization was initiated by Jon Measham and promoted by the Jericho Forum of The Open Group. The information security officers at this organization developed the Jericho Forum Commandments, which established the areas and policies to observe when looking at a de-perimeterized future. Paul Simmonds from International Consults and Investigation (ICI) determined that there was a need for a new security model. He decided that de-perimeterization is a concept that meets enterprise needs without a tightened perimeter, which would give rise to new opportunities. This thinking brought in the era of a renewed model called 'Zero Trust,' first introduced by Forrester Research analyst John Kindervag, which became the beginning of Zero Trust. [1]

Zero Trust is a cybersecurity paradigm focused on resource protection and the premise that trust must never be granted implicitly [2] and must be evaluated frequently. The current infrastructure relies on a solution that helps restrict privileged access, at the core of which is Privileged Access Management (PAM). It works simply by limiting access to a particular service through account authentication and authorization. Should a user need access to a domain he is not permitted to use, the user must request authorization and finally obtain approval. Legacy Privileged Access Management was designed to work for systems and resources inside an enterprise or organization network. System administrators would have a single standalone 'root' account that they would retrieve from a secret vault [3] to access the organization's assets. This was adequate as long as no data, resources, or credentials needed to be accessed from outside the network. However, the upsurge of today's generation and the introduction of cloud computing have created challenges for PAM. Fifty-three percent of organizations host at least half of their infrastructure in the cloud. [4] More and more data and resources are used from outside the network than inside it.

An attacker can easily compromise the entire system by gaining access to the network and masquerading as a legitimate user to the access control policy, perhaps through social engineering or a trusted user's negligence, ignorance, or innocence. After that, it is as simple as resetting passwords to gain nearly unlimited access. [5] Despite an estimated $137 billion spent on various security technologies in 2019, two out of three enterprises experience data breaches, at an average of five breaches per organization. [3] In 2015, a fifteen-year-old British teenager successfully hacked his way into the records of CIA director John Brennan, FBI deputy director Mark Giuliano, and US Homeland Security Secretary Jeh Johnson. He was able to take government intelligence reports, reset staff iPads, and display provocative messages on Johnson's home TV. [5] Hackers from abroad attempted 40,300 cyber attacks on India's Information Technology infrastructure and banking sector [6] in about five days in June 2020. According to the CISCO Annual Cyber Security Report 2019, Eurofins Scientific, a forensic firm used by police forces across the country, suffered a massive targeted ransomware attack. The firm deals with more than seventy thousand criminal cases every year, and due to the scale of the cyberattack, several court cases had to be adjourned. [7] According to the CISCO Annual Cyber Security Report 2018, fifty-three percent of all cyberattacks led to losses of more than $500,000, including, but not limited to, lost revenue, customers, opportunities, and out-of-pocket expenses. [4]


Authorized licensed use limited to: Sardar Patel Institute of Technology. Downloaded on October 20,2022 at 10:45:54 UTC from IEEE Xplore. Restrictions apply.
Many organizations are unaware of how a breach has occurred [8].

Zero Trust aims to protect people, property, and infrastructure (PPI) from attackers that can potentially threaten enterprise or organization data. As civilization increasingly evolves to connect through technology's inevitable ubiquity, securing the systems, networks, and data on which we rely has become pre-eminent. [5] This paper gives a detailed summary of Zero Trust, its evolution, where it stands today, and how it reshapes the future trust landscape.

II. RELATED WORK

Advancement of research in networking has brought about the current infrastructure in which all of us live and network with each other; however, a fundamental property under jeopardy is trust. Now, let us define trust. As per the Oxford English Dictionary, it means to have confidence in somebody and to believe that somebody is good, sincere, and honest. [9] With the existing infrastructure, it has been nearly impossible to differentiate between trusted and untrusted interfaces. A lucrative opportunity for hackers is that trust does not apply to packets: IP and MAC addresses are candidly exposed through a packet sniffer. Packets cannot carry trust, and likewise, network engineers cannot trust them.

Focusing mainly on trust, and on instilling it in the minds of network engineers, the authors of [12] proposed a model that would revolutionize the following decade and make various companies, most notably Google, rethink their network infrastructure and opt for a more advanced one. The model proposed is called 'Zero Trust.' It is a model that trusts nobody, neither on the inside or trusted network nor on the external or untrusted network. By default, it assumes that the attacker is present on the network and deems all network traffic untrusted. The first idea of Zero Trust was an information-driven organization plan that utilized micro-segmentation [13] to enforce more granular rules and limit the attack possibilities. Since its beginning, the idea of Zero Trust and its advantages have developed substantially. These days, Zero Trust is used by organizations to drive key security initiatives and to enable business and IT leaders to implement pragmatic prevention, detection, and response measures. The initial mantra of Zero Trust proposed by [12] was 'never trust, always verify.' The researchers in [3] have renewed this mantra to 'never trust, always verify, enforce least privilege.' Unfortunately, weak enforcement of least privilege is still common practice: a study revealed that sixty-three percent of respondents said their companies usually take more than one day to shut off privileged access for employees who leave the company.

One of the critical steps of Zero Trust is to have multiple steps to authenticate a user. When implementing multi-factor authentication (MFA), one must satisfy National Institute for Standards and Technology (NIST) Authentication Assurance Level 2 (AAL2), defined in NIST Special Publication (SP) 800-63, for all administrators. [3] NIST AAL2 requires "possession and control of two distinct authentication factors": something one knows and something one has. A good example is a password combined with a push notification to the user's smartphone or a one-time password (OTP) generated on the smartphone. [3] For critical assets, NIST AAL3 is recommended where possible. NIST AAL3 requires proof of possession of a hardware-based cryptographic token, such as a smart card or FIDO key. Those authenticators can then be used in combination with a password or personal identification number (PIN). Access for admins must be given through an administrative jump box [3].

The author mentions some pivotal points that define the 2020 Zero Trust model, such as using a network segmentation gateway (SG), designed to be the nucleus of the network in place of the existing unified threat management (UTM) system. Its job is to combine multiple standalone security products of the existing infrastructure and act as one central module. The SG must handle a 10 Gigabit connection while providing Quality of Service (QoS) to maintain performance. Having an SG means it must define the global policy and enforcement rules. Zero Trust requires the network to be divided into switching zones. Another new interface suggested as mandatory is the Microcore and Perimeter (MCAP). The job of an MCAP is to manage the zone and the resources within it. As discussed earlier, every zero trust model must have its data logged. That is the job of an all-new network called the Data Acquisition Network (DAN). DAN's function is to log the network and analyze it in (theoretically) real time. Three properties define every Zero Trust network: (i) all resources must be accessed securely, regardless of their physical or logical location, (ii) access control policies must be stringent, and finally (iii) all network traffic must be captured and logged. [14]

Fig. 1. NIST Concept of Zero Trust

Figure 1 describes a concept of Zero Trust by NIST. Between the resource (a system, data, or application) and the client sits a middle man that acts as a proxy between the two. The path from the client to the proxy or broker is assumed to be untrusted, whereas the path between the proxy and the resource must be an 'absolute trust zone', wherein the broker's inputs are trusted but still checked. The broker's role comprises two primary functions, the Policy Decision Point (PDP) and the Policy Enforcement Point (PEP). [15] The PDP's part is to ensure that the traffic flowing through it is trusted. Zero trust conceptualizes moving the PDP and PEP closer to the resource; it specifically authenticates and authorizes all subjects, assets, and workflows that make up the enterprise. [15] The authors define the following tenets concerning zero trust:

1. Every data source, as well as every computational service, is recognized as a resource.

2. Communication, in any form, must be secured, notwithstanding network location.

3. Access to every resource within the enterprise must be granted solely on a session basis and regulated by a policy.

4. The enterprise must monitor and measure the integrity as well as the security posture of all assets.

5. Access to every resource must be dynamically and scrupulously authorized and authenticated before it is allowed.

As always, when it comes to network planning and deployment, there are assumptions to be made. For Zero Trust Access, these are the assumptions:

1. The local area network inside an enterprise should not be considered an implicit trust zone.

2. With the recent trend of bring-your-own-device (BYOD) in enterprises, it is assumed that devices being connected to the network are not entities of the enterprise, since any device can be compromised.

3. Resources are never trusted, i.e., from a security standpoint, every asset or resource must be continuously evaluated and must only be used for as long as it is needed.

4. Cloud services have become an essential part of every enterprise network, making it evident that not all enterprise resources are inside the enterprise-owned infrastructure.

5. All connection requests from outside the enterprise, such as Remote Desktop, must be authorized and authenticated. All data must be communicated with confidentiality, integrity, and source authentication.

6. Based on the assumptions above, the crucial one is that all assets and data communications between enterprise and non-enterprise infrastructure must continuously be under security strategy and posture.

III. ZERO TRUST: THE APPROACH TO REDEFINING CYBERSECURITY

Zero Trust is a cybersecurity paradigm that trusts nobody, no device, and no application, yet supports all of them by periodically verifying their authenticity and authority. A Zero Trust Architecture (ZTA) can either be implemented over an existing infrastructure or wholly redesigned from the ground up. The scope of such an architecture is to provide the utmost security while keeping in mind the safeguarding of all assets under Protected Personal Information (PPI).

Three components of Zero Trust architecture are user and application authentication, device authentication, and most importantly, trust. Unlike the existing infrastructure, wherein a user is authenticated just once, a ZTA keeps checking the user's authenticity, monitors the user's devices, and checks for any location change initiated by the user's device. [16] Moreover, it also regularly checks for any discrepancies in the application that the user is using. Should there be any form of alteration, the architecture must terminate the connection with immediate effect. In the case of any data manipulation, data is restored from the backup while logs of every minuscule activity are kept.

IV. PROPOSED MODEL

Fig. 2. Block Diagram of Proposed Architecture

In this section, we propose a Zero Trust model for a cloud computing environment with practical experimentation. In this era, where everyone accesses information from outside the organization, cloud-based services have increasingly become a security pinnacle. The existing, or rather traditional, organization, based around a perimeter, fails to provide user and application security. Zero Trust is fit for cloud-based services and network security within the organization since it trusts nobody and no service. A Zero Trust strategy enforces strict and specific access control to advance cloud security while maintaining records or logs of every activity within the network.

Figure 2 shows the architectural overview of the work conducted. The client connects to the proxy server. The proxy server is configured as a reverse proxy; hence the user does not learn the real IP address of the Authentication and Authorization Server. The proxy server then redirects the client to the Authentication and Authorization Server. Access Control decides whether the user is allowed or denied access to the application. Once the user is successfully authenticated, he has the authorization to access the application. The authentication and authorization server continually checks certificates to ensure that no compromised user enters the system.

A. Client

The client is any client having a web browser.

B. Proxy Server

The proxy server is responsible for passing the request from the client to the Kubernetes cluster. It must be a physical machine with the ability to reverse proxy. The proxy server chosen for performing this work is Squid Proxy version 4.13, an open-source caching proxy server.

C. AAA Server

The architecture's core block is the authentication, authorization, and application server. It acts as the only mediator between the proxy server and the application. At the heart of this server lies Kubernetes, an open-source platform for managing containerized workloads and services. Every application in this architecture is inside a container. This server doubles up to manage containers and is given a second name, the Kubernetes Master Server. A container is a standard unit of software that packages up code and all its dependencies, so it runs quickly and reliably from one computing environment to another. [17] The containerized applications are the React JS frontend and the back-end SQL database. The work implements Keycloak, a containerized authentication and authorization tool for devices and clients.

D. Access Control

The Access Control block is built within the authentication and authorization server but deserves its own place. This work implements a hybrid of the traditional and widely used Role-Based Access Control (RBAC) and the newer Attribute-Based Access Control (ABAC): a client is given the authority of his role within the organization but is further constrained by specific attributes within that role.

E. Application

The application is clustered within the Kubernetes cluster. The applications sit together on another virtual machine. However, they are connected to Kubernetes via permanently assigned bearer tokens, making them subordinate to the Kubernetes master node.

V. INSIDE THE AAA SERVER

The following are the tools and services used to implement this architecture:

1) Lightweight Ubuntu v20.04.1
2) OpenID Connect v1.0
3) Kubernetes v1.19.3
4) Docker v19.03
5) Keycloak v11.0.3
6) React js v17.0.1
7) Nginx v1.18.0
8) Squid proxy v4.13
9) Mozilla Firefox v82.0.3

The entire work is done on Ubuntu, a Linux distribution. We use control groups (cgroups) to constrain the resources allocated to processes. systemd is the default init system of the distribution; the init process creates the root control group and acts as the cgroup manager. systemd has tight integration with cgroups and allocates a cgroup per systemd unit [16].

The application server and authentication server use Docker CE, since it is the most compatible with Kubernetes. When the request is passed from the proxy server to the Authentication Server, it is received by the Kubernetes Ingress. The Kubernetes Ingress, controlled by the NGINX Ingress Controller, is configured to act as a load balancer for the multiple requests coming into the Kubernetes cluster. The Kubernetes Ingress then forwards the request to the exposed authentication service; in this case, Red Hat Keycloak is given the request. Keycloak is configured to use Gatekeeper, an adapter that integrates with the Keycloak authentication service. Gatekeeper is a sidecar container deployed in the Kubernetes pod. A pod is the smallest deployable unit in Kubernetes: a group of one or more containers that share networking. Our application, the webpage, first points to Gatekeeper rather than to itself. This creates a natural proxy for incoming requests. Gatekeeper is responsible for communicating with Keycloak about user credentials. Should a user already be logged in and Keycloak receive a request to log in again, it logs out the previous session and asks to re-validate the user.

We chose to implement XACML (eXtensible Access Control Markup Language), developed by OASIS (Organization for the Advancement of Structured Information Standards), for authorization decisions. [18] XACML is an attribute-based access control (ABAC) system. An attribute is given to the user that decides whether the user has access to a given resource. RBAC is implemented, but as a specialization of ABAC.

1) Policy Administration Point (PAP): The PAP provides a UI based on the Keycloak Administration Console to manage the resources, scopes, permissions, and policies.

2) Policy Decision Point (PDP): The PDP provides a distributable policy decision point to which authorization requests are sent. Policies are evaluated according to the requested permissions.

3) Policy Enforcement Point (PEP): The PEP provides implementations for different environments to enforce authorization decisions on the resource server side [19].

Fig. 3. Authentication and Authorization Process

Fig. 4. XACML Working

For any Kubernetes communication, the work uses OpenID Connect, which is built on OAuth 2.0. Every service account, such as the Kubernetes Dashboard, is verified with OAuth. The OAuth protocol works on the basis of requesting an access token from the authorization server. The auth server then responds with an access token and an ID token, issued as JSON Web Tokens (JWT). [20] The service account then uses the JWT to access the API server. These tokens expire after a set amount of time.

This architecture also uses Single Sign-On (SSO) to authenticate users with various applications using only a single credential. Taking a Google Account as the example, the flow looks like this:

1) The user browses to the hosted website or application.

2) The user is redirected to Keycloak, which then sends a token containing some information to the SSO, known simply as the Identity Provider.

3) The Identity Provider checks whether the user has previously been authenticated. If the user is logged in, the following step is skipped.

4) If the user is not logged in, the user is prompted to provide the identity provider's username and password.

5) Once the Identity Provider validates the credentials, it sends a token back to Keycloak confirming that authentication succeeded.

6) The token is returned to the service provider through the user's browser.

7) If the token received is legitimate, the user is granted access to the website's resources.

It is essential to keep every minute activity recorded. It is recommended that every component in the architecture log data. Kubernetes and Keycloak both periodically maintain logs of every small activity, which is essential for Zero Trust.

Figure 5 shows the flow chart of the implemented work. The algorithmic flow is as follows:

1) The client requests a particular web page by typing its Domain Name System (DNS) name.

2) The proxy server keeps track of the client that requested the page and forwards the request to the Kubernetes cluster.

3) Within the Kubernetes cluster, the Ingress accepts the request and forwards it to the Keycloak and Gatekeeper service.

4) Keycloak then validates the user through basic authentication, such as ID and password, and verifies the machine's authenticity through X.509 certificates.

5) Once the user is verified, it informs Kubernetes to redirect the request to the application.

6) During this time, the Kubernetes cluster keeps track of the certificates and continually checks their authenticity.

Fig. 5. Flow chart of the implemented work

VI. RESPONSE TO ATTACKS

There are various types of cyber attacks. They are mainly classified as follows:

A. Infection based attacks

These attacks are executed through malicious code written and installed on a user's computer through phishing, malvertising, and drive-by downloads. The repercussions of such attacks are identity theft, stolen data, and privileged access.

Before an attacker can infiltrate the network, he or she has to pass the security perimeter. The main focus of Zero Trust is to make this perimeter secure. Should an attacker enter employee credentials obtained by social engineering, the attacker is limited by the simple two-factor authentication used when deploying this infrastructure.

Suppose the attacker can, for some reason, get the OTP or PIN of a legitimate employee. In that case, the RBAC-ABAC combination proves difficult for the attacker to penetrate because of the unprivileged access given to the employee. Suppose an attacker obtains credentials, say those of the CEO account, and tries to copy data from a database or manipulate it: the role of that account permits viewing but not editing, and the automatically backed-up data must be kept live so that it can be restored.

B. Explosion attacks

Explosion attacks are exploits of flaws left in the system through earlier neglect. Examples of such attacks are buffer overflow attacks, wherein an attacker exploits an application's memory, which results in changes to the main execution path, leading to damage to files or critical information.

Assuming that an attacker passes the secure perimeter, the second line of defense against such attacks is the health monitoring within Kubernetes. Should any package be out of date in a way that allows a buffer overflow, the pod is destroyed immediately when any discrepancy occurs, thus keeping explosion attacks at bay.

C. Probe Attack

A probe attack, commonly known as a sniffing attack, is the continual monitoring of traffic on one or multiple ports to look for an opportunity to attack the network. Probe attacks, for example, are performed at layer 7 of the OSI model.

To defend against probing attacks, all ports in Kubernetes are closed using Network Policies. If a port needs to be open, it remains open only for as long as the session is active.

D. Cheating Attack

An attack is called a cheating attack when an attacker impersonates a genuine user; such attacks are more commonly known as spoofing attacks. The methodology to counter them is the same as for a probing attack. Suppose an attacker spoofs a MAC address, a typical technique used for cheating. In that case, the architecture tracks users based on IP address location as a security measure, and the comparison reveals how a legitimate user could have changed location so quickly. This is also logged and raises an alarm to the root account. Thus, even if an attacker tries to impersonate a user, the attempt is suppressed.

E. Traverse Attack

Traverse attacks are among the most common types of attacks on any network. A traverse attack is a brute force attack wherein an attacker submits a slew of passwords in the hope that one of them is correct. Attackers fundamentally also change the user agent header during this process.

Changing the user agent header or the IP address triggers an alarm in the authentication service, which keeps track of every logged-in user's activity in the network. The limit is currently set to two: if an IP address or user agent is changed more than twice, even a legitimate user is temporarily suspended.

F. Concurrency Attack

A concurrency attack is a type of attack wherein a user transmits concurrent rapid packets of data to temporarily deny service to all the users trying to access a particular service. These attacks can first be detected at the network layer or the transport layer. The proxy server is well equipped to handle such concurrent attacks by dropping rapid packets using small flood drop thresholds.

VII. LAYERED SECURITY

This section discusses how the work secures the asset at the various layers of the Open Systems Interconnection (OSI) model.

A. Application Layer

The seventh layer of the OSI model refers to applications that support end-user functions. Here, the most common form of authentication is a username and password. [21] This work emphasizes multifactor authentication (MFA). A user needs to be authenticated with a username and password plus a simple One Time Password (OTP). Another implementation of MFA, which was discussed but not proposed, is a PIN. A secure PIN alongside a username and password proves vital; however, since an OTP is more difficult for an attacker to obtain, it was chosen. A combination of username and password and either one of the two authenticates the user and grants access.

Password length and complexity are essential components of an account policy. [21] Nowadays, organizations urge employees to use stronger passwords and recommend incorporating a combination of uppercase letters, lowercase letters, numbers, and special characters.

A user can choose to keep their password unchanged indefinitely. However, the user is prompted as to whether he or she would like to update the password. Finding a balance between user productivity and an appropriate level of security is critical. [21]

It was ensured that every package was up to date during this work, as outdated packages are one of the main causes of cyber breaches.

A layer seven load balancer distributes requests based on data found in the protocols of this layer, such as HyperText Transfer Protocol (HTTP) and HTTP Secure (HTTPS).

B. Presentation Layer

The Presentation Layer ensures that data is in a usable format and encrypts the data. Keycloak is responsible for protecting the data it exchanges using XACML policies, OpenID Connect tokens, OAuth 2.0, and the JSON Object Signing and Encryption (JOSE) specifications. These were selected because well-specified, strong cryptography makes unauthorized access difficult to gain.

The Presentation layer is also where authorization, or access control, is checked. With Keycloak, a combination of Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) is implemented. It ensures maximum access control with minimal chances of gaining privileged access.

At this layer, the work uses Transport Layer Security (TLS) certificates signed by a Certificate Authority (CA) controlled by us. These certificates and the CA are used to establish trust. For the most part, this work uses tokens; however, we use the CA and Certificate Signing Requests (CSRs) for service accounts such as the Kubernetes Dashboard and the 'root' account. For user accounts, XACML authorization uses a set of policies also defined by us.

C. Session Layer

The session layer is responsible for maintaining connections and controlling ports and sessions. Kubernetes and Keycloak are configured to ensure that the connection is safe and not tampered with. Should Kubernetes find a discrepancy or an unusual connection between the client and the application pods, it immediately terminates the session. Keycloak, on the other hand, continually checks the X.509 certificates, and should there be any modification, it also immediately terminates the connection.

D. Transport Layer

The transport layer, also known as the heart of the OSI model, is responsible for bridging the gap between the software layers mentioned above and the hardware layers below. Securing this layer is a must. One of the essential components of security on this layer is the proxy server. The proxy acts as a natural firewall or De-militarized

Authorized licensed use limited to: Sardar Patel Institute of Technology. Downloaded on October 20,2022 at 10:45:54 UTC from IEEE Xplore. Restrictions apply.
Zone (DMZ) between an untrusted client and the secure network. At this layer, any open ports made known to us by the VAPT (Vulnerability Assessment and Penetration Testing) test are disabled. Keeping the transport layer secure is essential since it is an open gateway for trojans and other malware. Layer 4 also provides the ability to control traffic, not just by the IP and MAC addresses of the lower layers, but also by the specific applications of the OSI model’s upper layers [21].

A secondary proxy server, commonly known as the Load Balancer (LB), distributes application traffic across several Kubernetes cluster services. Kubernetes Ingress is configured to be an LB service [21].

E. Network Layer

In this layer, the router is responsible for forwarding the untrusted user request to the Zero Trust Architecture. Inside the Kubernetes cluster, however, Calico is responsible for defining network policies and acts as a frontline before the data is sent to the upper layers.

F. Data Link Layer

The type of connection made to the architecture, be it wired or wireless, makes no difference since all the data converges at Layer 4.

G. Physical Layer

Should this model be deployed, the most prominent way of securing this layer is by using redundant power supplies, redundant NIC cards, and redundant Ethernet cables to ensure immediate availability at a time of failure.

VIII. ADVANTAGES AND DISADVANTAGES OF ZERO TRUST

A. Advantages [22]

1) Strong policies for user authentication and access: A Zero Trust Architecture ensures strong management of the users inside its network, thus making their accounts secure. Using two-factor authentication or MFA is an optimal way to keep accounts safe. Using a combination of access control policies can ensure minimal compromise when granting access for a specific task.

2) Data Segmentation: In a ZTA, a big chunk of data is segmented by type, sensitivity, and use case, which provides additional security. It, in turn, limits users to accessing the data needed for the tasks assigned to them.

3) Lesser Chance of Vulnerability: Based on the above two features, there is a much lesser chance of having vulnerabilities leading to attacks.

4) Tight data protection: Zero Trust keeps data protected during the exchange of information as well as in storage. That includes automated backups and tightly encrypted message transmission.

5) Excellent security orchestration: Much like container orchestration, data orchestration secures all elements while making them work together efficiently and effectively. A ZTA must leave no open vents, so that it is nearly impossible for adversaries to penetrate.

B. Disadvantages

1) Tedious effort and time consuming: Suppose an organization is upgrading to even a partial ZTA. Making more robust policies and reorganizing them can be challenging since the network must be active and functioning during the transition. Rebuilding the network from the ground up seems like a much easier solution.

2) Versatile management of dynamic users: Users need to be monitored at every activity they perform. One user cannot gain access to another user’s attribute. Moreover, users who are not employees must not have special access to the network. Hence, policies need to be redesigned to be attribute- and role-specific.

3) More devices to cater for: In the era of digital devices being at everyone’s table, desk, and pocket, managing devices has become challenging. Users do not have one device but plenty of devices. Each device has its own hardware and software properties and its exclusive communication protocols, all of which need to be monitored.

4) Complex application management: Applications nowadays are not just a web server but multiple servers and software, each serving its own purpose. Some interact with third-party applications as well. Keeping such applications in mind, a Zero Trust Architecture must be planned, monitored, and exclusively designed for such needs.

5) Meticulous Data Security: With user data stored at multiple locations, each location needs to be well guarded. Every piece of information stored must also be secured with the highest security standards and framework.

IX. DISCUSSIONS

Zero Trust as a whole has no governing authority. Hence, we believe that plenty of changes can be made in the upcoming years. This work has focused on integrating Zero Trust with the existing security infrastructure.

Concerning the existing infrastructure, Zero Trust proves to be a cutting-edge security paradigm with hardline policies to ensure that no asset remains compromised. The existing infrastructure still uses traditional Role-Based Access Control to assign roles. Although RBAC is acceptable, it proves to be inadequate since it is easy to obtain privileged access. Zero Trust relies on a combination of access controls, thus making it difficult for attackers to penetrate the perimeter.

Containerization is the future of the cyber spectrum. Everything from applications to authentication is being developed in containers. Keeping this in mind, infrastructure needs to be developed as per such norms, as containers can isolate themselves and are managed by a master orchestrator.

However, everything cannot be software. Physical firewalls and proxy servers will play an essential role for years to come. Shifting to Zero Trust is a bold transition and one that takes time. Organizations have progressed to make soft versions of a ZTA implementation on their networks. We see Zero Trust as the future of the internet and cloud computing.

The implementation of the work done is available in [23].

X. CONCLUSION

This paper discussed micro-segmentation through containerizing applications and implemented it in a Zero Trust Architecture (ZTA) using Kubernetes. We chose to follow the fundamental guidelines given to us by various leading organizations and researchers. We developed our
architecture to enhance the future cybersecurity paradigm. It is found that a ZTA provides a more robust architecture to redefine cybersecurity. Moreover, with Single Sign-On becoming more and more popular, it was critical to implement it in our architecture.

Other alternatives to Keycloak, such as the Gluu server for authentication and authorization, can also be implemented, keeping the use case in mind. We believe that this architecture needs more research, most notably on the use of HashiCorp Vault for more secure access control, tokens, passwords, and certificates. It is important to note that this model is open source and needs regular updating, as discussed earlier.

REFERENCES

[1] Andrew Goodman, "What Is Zero Trust?" Accessed on: June 25, 2019. Available: https://dzone.com/articles/what-is-zero-trust
[2] Scott Rose, Oliver Borchert, Stu Mitchell, and Sean Connelly, "Zero Trust Architecture," NIST. DOI: https://doi.org/10.6028/NIST.SP.800-207
[3] Lawrence Miller and Torsten George, "Zero Trust Privilege for Dummies," Special Edition, Centrify, 2019. Accessed on: 29th October, 2020.
[4] Cisco, "Annual Cybersecurity Report," 2018. Accessed on: 16th September, 2020.
[5] Pandey, Praful and Mishra, Srishti and Rai, Pooja and Anand, Abhineet, "Social Engineering and Exploit Development," International Journal of Scientific Research in Computer Science Applications and Management Studies (IJSRCSAMS), Volume 8, Issue 5, September 2019.
[6] https://www.dnaindia.com/india/report-40000-cyber-attacks-attemptedby-chinese-hackers-on-indian-banking-it-sector-in-five-days-2829381. Accessed on: 1st October, 2020.
[7] Cisco, "Threats of the Year," 2019. Accessed on: 19th August, 2020.
[8] CGI, "Developing a Framework to Improve Critical Infrastructure Cybersecurity," NIST, 2013.
[9] Oxford Advanced Learner's Dictionary. Accessed on: 15th July, 2020. Available: https://www.oxfordlearnersdictionaries.com/definition/english/trust
[10] John Kindervag, "Clarifying What Zero Trust Is – and Is Not." Accessed on: 29th August, 2020. Available: https://blog.paloaltonetworks.com/2018/08/clarifying-zero-trust-not/
[11] "74% Of Data Breaches Involve Privileged Credential Abuse." Accessed on: 24th August, 2020. Available: https://www.itsecurityguru.org/2019/02/26/74-of-data-breaches-involveprivileged-credential-abuse/
[12] "No More Chewy Centers: Introducing the Zero Trust Model of Information Security," Forrester Research, Tech. Rep., 2010.
[13] S. Mehraj and M. T. Banday, "Establishing a Zero Trust Strategy in Cloud Computing Environment," 2020 International Conference on Computer Communication and Informatics (ICCCI), Coimbatore, India, 2020, pp. 1-6, doi: 10.1109/ICCCI48352.2020.9104214.
[14] J. Kindervag, "Building Security into Your Network's DNA: The Zero Trust Network Architecture," Forrester Research, Tech. Rep., 2010.
[15] Zaghdoudi, Bilel and Kaffel-Ben Ayed, Hella and Harizi, Wafa, "Generic Access Control System for Ad Hoc MCC and Fog Computing," Springer International Publishing, 2016, pp. 400-415.
[16] Kubernetes Documentation. Accessed on: 1st August, 2020. Available: https://www.kubernetes.io/docs
[17] Get Started with Docker. Accessed on: 1st August, 2020. Available: https://www.docker.com/resources/
[18] Altice Labs White Paper, "Identity and Access Management," December 2014. Accessed on: 25th October, 2020.
[19] Keycloak Documentation. Accessed on: 28th July, 2020. Available: https://www.keycloak.org/docs/
[20] Prabath Siriwardena, "Advanced API Security: Securing APIs with OAuth 2.0, OpenID Connect, JWS, and JWE," Apress, 2014.
[21] Kari A. Pace, "A Layered Security Model: OSI and Information Security," Global Information Assurance Certification Paper. Accessed on: 29th November, 2020.
[22] K.K. Tucker, "Pros and Cons of the Zero Trust Model." Accessed on: 12th November, 2020. Available: https://www.infusedinnovations.com/blog/secure-intelligentworkplace/pros-and-cons-of-the-zero-trust-model
[23] https://github.com/dannyboydsilva/Zero-Trust-Network-With-Kubernetes
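Added example for the traverse-attack and concurrency-attack passages that precede Section VII. This is illustrative code written for this edition, not the authors' implementation [23]: `SessionMonitor` applies the paper's rule that more than two changes of IP address or user-agent header within a logged-in session suspend the user, legitimate or not, and `FloodDropGate` is a sliding-window flood-drop threshold of the kind the text attributes to the proxy server. The class names, the threshold values and the sample traffic are all constructed for the example.

```python
"""Added example (not from the paper): the two checks described in the
traverse-attack and concurrency-attack passages, as they would sit in
front of an authentication service. All names and values are hypothetical."""
import time
from collections import defaultdict, deque

# Traverse attack: a brute-force login run that also rotates source IP and
# User-Agent. Paper's rule: more than CHANGE_LIMIT changes of IP or
# User-Agent within a logged-in session suspends the user.
CHANGE_LIMIT = 2


class SessionMonitor:
    def __init__(self, change_limit=CHANGE_LIMIT):
        self.change_limit = change_limit
        self.last = {}                    # user -> (ip, user_agent) last seen
        self.changes = defaultdict(int)   # user -> number of changes observed
        self.suspended = set()

    def observe(self, user, ip, user_agent):
        """Record one request; return True if the user is now suspended."""
        if user in self.suspended:
            return True
        prev = self.last.get(user)
        if prev is not None and prev != (ip, user_agent):
            self.changes[user] += 1
        self.last[user] = (ip, user_agent)
        if self.changes[user] > self.change_limit:
            self.suspended.add(user)
            return True
        return False


# Concurrency attack: a burst of rapid packets from one source. The proxy
# drops anything beyond a small flood-drop threshold (max_requests per
# source in a sliding window) so one client cannot starve the others.
class FloodDropGate:
    def __init__(self, max_requests=5, window_seconds=1.0):
        self.max_requests = max_requests
        self.window = window_seconds
        self.seen = defaultdict(deque)    # source -> request timestamps in window

    def allow(self, source, now=None):
        now = time.monotonic() if now is None else now
        q = self.seen[source]
        while q and now - q[0] > self.window:   # evict timestamps outside window
            q.popleft()
        if len(q) >= self.max_requests:
            return False                          # dropped: threshold exceeded
        q.append(now)
        return True


def replay(records, monitor=None, gate=None):
    """Run request records (t, source_ip, user, user_agent) through the
    flood gate first and then the session monitor.
    Returns (suspended_users, dropped_count, passed_count)."""
    monitor = monitor if monitor is not None else SessionMonitor()
    gate = gate if gate is not None else FloodDropGate()
    dropped = passed = 0
    for t, ip, user, ua in records:
        if not gate.allow(ip, now=t):
            dropped += 1
            continue
        passed += 1
        monitor.observe(user, ip, ua)
    return monitor.suspended, dropped, passed


# Constructed sample traffic (not real logs): alice behaves normally; mallory
# changes IP/User-Agent three times while guessing passwords; bob's client
# sends 20 requests within 0.4 s from one address.
SAMPLE = (
    [(0.0 + i, "10.0.0.5", "alice", "Firefox/85") for i in range(4)]
    + [(1.0, "198.51.100.7", "mallory", "curl/7.64"),
       (1.2, "198.51.100.8", "mallory", "curl/7.64"),         # change 1 (IP)
       (1.4, "198.51.100.8", "mallory", "python-requests"),   # change 2 (UA)
       (1.6, "198.51.100.9", "mallory", "python-requests")]   # change 3: suspend
    + [(5.0 + i * 0.02, "203.0.113.9", "bob", "Chrome/88") for i in range(20)]
)

if __name__ == "__main__":
    suspended, dropped, passed = replay(SAMPLE)
    print(f"suspended={sorted(suspended)} dropped={dropped} passed={passed}")
```

With the constructed traffic, mallory is suspended on the third change, and 15 of bob's 20 burst requests are dropped at the gate before they ever reach the authentication service, which is the ordering the paper describes (Transport Layer proxy first, authentication service behind it).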
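Added example for Section VII-A (Application Layer): a username + password + OTP login check written for this edition, not code from the paper or its repository [23]. The OTP is a standard RFC 6238 TOTP computed with the Python standard library; `MfaAuthenticator`, its user store, the PBKDF2 password hashing and the replay guard (an OTP for a given time step is accepted at most once) are hypothetical design choices made for the example.

```python
"""Added example (not from the paper): MFA as username + password + TOTP.
TOTP/HOTP follow RFC 6238 / RFC 4226; everything else is hypothetical."""
import hashlib
import hmac
import os
import struct
import time

TOTP_STEP = 30          # seconds per OTP
TOTP_DIGITS = 6
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def hotp(secret, counter, digits=TOTP_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at, step=TOTP_STEP):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at // step))


class MfaAuthenticator:
    def __init__(self):
        self.users = {}       # username -> (salt, pw_hash, totp_secret)
        self.used_step = {}   # username -> last OTP time step accepted (replay guard)

    def enrol(self, username, password, totp_secret):
        salt, digest = hash_password(password)
        self.users[username] = (salt, digest, totp_secret)

    def login(self, username, password, otp, now=None, skew_steps=1):
        """True only if the password AND a fresh, time-valid OTP both match.
        skew_steps allows +/- that many 30 s steps of clock drift."""
        now = time.time() if now is None else now
        record = self.users.get(username)
        if record is None:
            return False
        salt, digest, secret = record
        _, candidate = hash_password(password, salt)
        if not hmac.compare_digest(candidate, digest):
            return False            # first factor failed; OTP is not even checked
        current_step = int(now // TOTP_STEP)
        for step in range(current_step - skew_steps, current_step + skew_steps + 1):
            if step <= self.used_step.get(username, -1):
                continue            # an OTP for this step was already consumed
            if hmac.compare_digest(hotp(secret, step), otp):
                self.used_step[username] = step
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test secret (constructed demo, never reuse in practice)
    secret = b"12345678901234567890"
    auth = MfaAuthenticator()
    auth.enrol("alice", "correct horse battery", secret)
    t = time.time()
    print("login:", auth.login("alice", "correct horse battery", totp(secret, t), now=t))
    print("replay:", auth.login("alice", "correct horse battery", totp(secret, t), now=t))
```

Two details worth noting: the password is checked before the OTP so that an OTP guess never reveals whether the password was right, and the replay guard rejects a second use of the same OTP even within the skew window, which a naive "is the code valid right now" check would accept. With the RFC 6238 test secret, `totp(secret, 59)` yields the published six-digit value 287082.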
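Added example for Section VII-B (Presentation Layer): a combined RBAC + ABAC decision written for this edition. It is neither Keycloak's authorization engine nor the paper's policy set, and every role, permission and attribute rule in it is constructed. It shows the point the text makes: a role grants a permission, but attribute rules (MFA satisfied, employee status, managed device, internal source zone) must also hold before privileged access is allowed, so a role alone does not yield privileged access.

```python
"""Added example (not from the paper, not Keycloak): deny-by-default
authorization that applies RBAC first and then ABAC. All policy data is
constructed for the example."""
from dataclasses import dataclass, field

# RBAC: role -> set of permissions written as "resource:action"
ROLE_PERMISSIONS = {
    "viewer":   {"dashboard:read"},
    "operator": {"dashboard:read", "deployments:restart"},
    "admin":    {"dashboard:read", "deployments:restart", "secrets:read"},
}


@dataclass
class Subject:
    user: str
    roles: set
    attrs: dict = field(default_factory=dict)    # e.g. mfa, employee, managed_device


@dataclass
class Request:
    resource: str
    action: str
    context: dict = field(default_factory=dict)  # e.g. source_zone


# ABAC predicates: each must hold for the permission it is attached to.
def mfa_satisfied(subject, request):
    return subject.attrs.get("mfa") is True


def is_employee(subject, request):
    return subject.attrs.get("employee") is True


def managed_device(subject, request):
    return subject.attrs.get("managed_device") is True


def internal_source(subject, request):
    return request.context.get("source_zone") == "internal"


# Privileged permissions carry attribute rules; a permission with no rule
# is role-only. The more sensitive the permission, the more rules apply.
ATTRIBUTE_RULES = {
    "deployments:restart": [mfa_satisfied, is_employee],
    "secrets:read":        [mfa_satisfied, is_employee, managed_device, internal_source],
}


def authorize(subject, request):
    """Return (allowed, reason). Deny by default: RBAC gate, then ABAC rules."""
    perm = f"{request.resource}:{request.action}"
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in subject.roles))
    if perm not in granted:
        return False, f"no role of {subject.user} grants {perm}"
    for rule in ATTRIBUTE_RULES.get(perm, []):
        if not rule(subject, request):
            return False, f"{perm} denied by attribute rule {rule.__name__}"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed subjects: same 'admin' role, different attributes.
    admin = Subject("root", {"admin"}, {"mfa": True, "employee": True, "managed_device": True})
    contractor = Subject("eve", {"admin"}, {"mfa": True, "employee": False, "managed_device": True})
    for who in (admin, contractor):
        for zone in ("internal", "vpn"):
            req = Request("secrets", "read", {"source_zone": zone})
            print(who.user, zone, authorize(who, req))
```

The denial reason names the failing rule, which is what an operator wants to see in the audit log: "role grants it, but MFA was not satisfied" is a very different finding from "no role grants it".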