Zero Trust is not a product you buy; it's a strategy you execute. The move from "trust but verify" to "never trust, always verify" requires a fundamental shift in how we build and deploy infrastructure.
The Core Pillars of Zero Trust
In modern enterprise environments, the traditional network perimeter is disappearing. As workloads move to the cloud and users work from anywhere, we must shift our security focus from the network edge to the individual identity and resource.
My implementation of Zero Trust within DevOps pipelines focuses on three core pillars:
Explicit Verification
Always authenticate and authorise based on all available data points, including user identity, location, device health, and service/workload context.
Least Privilege
Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection to secure both data and productivity.
Assume Breach
Minimise blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defences.
Operationalising Policy as Code
One of the most effective ways to enforce Zero Trust is through Policy as Code. By using tools like Azure Policy and Open Policy Agent (OPA), we can prevent non-compliant resources from ever being deployed.
1. Azure Policy Guardrails
We use Azure Policy to enforce architectural standards at scale. For example, denying the creation of public IPs for VMs or ensuring that all storage accounts require HTTPS and have encryption enabled.
2. Open Policy Agent (OPA) in the Pipeline
By integrating OPA into GitHub Actions or Azure Pipelines, we can scan Terraform plans before they are applied. This "shift-left" approach catches security violations long before they reach the cloud environment.
package terraform.security
deny[msg] {
resource := input.resource_changes[_]
resource.type == "azurerm_managed_disk"
resource.change.after.encryption_settings[0].enabled == false
msg := sprintf("Disk %v must have encryption enabled", [resource.address])
}Identity as the Control Plane
In a Zero Trust architecture, Entra ID (Azure AD) serves as the central control plane. Every access request is evaluated by Conditional Access policies that consider the risk level of the user and the health of their device.
For machine-to-machine communication, we've moved away from static secrets in favour of Workload Identity Federation, allowing GitHub Actions and Azure DevOps to authenticate to cloud resources without ever storing a password.
Conclusion
Implementing Zero Trust is a journey of continuous improvement. By integrating security directly into the DevOps lifecycle through automated policies and robust identity management, we create a resilient infrastructure that can withstand modern threats.
Are you looking to strengthen your security posture through Zero Trust? Let's connect to discuss your transformation strategy.
20+ years of enterprise technology leadership across cloud, infrastructure, and digital workplace. Passionate about sharing practitioner knowledge and advancing the profession.