Interactive demonstrations of Zero Trust concepts and implementations
{
"userId": "user-12345",
"timestamp": "2025-12-25T10:30:00Z",
"userTrust": {
"identityScore": 95,
"authenticationMethod": "mfa",
"behaviorScore": 88,
"riskFactors": {
"unusualLocation": false,
"unusualTime": false,
"newDevice": false,
"failedAttempts": 0
},
"overallScore": 91.5
}
}
{
"deviceId": "device-67890",
"timestamp": "2025-12-25T10:30:00Z",
"deviceTrust": {
"complianceScore": 92,
"securityPosture": {
"osVersion": "up-to-date",
"encryptionEnabled": true,
"antivirusActive": true,
"firewallEnabled": true,
"lastPatchDate": "2025-12-20"
},
"deviceHealth": 95,
"registrationStatus": "managed",
"overallScore": 93.5
}
}
{
"sessionId": "session-abc123",
"timestamp": "2025-12-25T10:30:00Z",
"networkContext": {
"sourceIP": "192.168.1.100",
"location": {
"country": "US",
"city": "San Francisco",
"latitude": 37.7749,
"longitude": -122.4194
},
"networkType": "corporate-wifi",
"vpnActive": true,
"threatIntel": {
"ipReputation": "clean",
"knownThreats": false
},
"networkTrustScore": 88
}
}
// Weighted trust score calculation
function calculateTrustScore(factors) {
const weights = {
identity: 0.30, // 30%
device: 0.25, // 25%
behavior: 0.25, // 25%
network: 0.20 // 20%
};
let score =
factors.identity * weights.identity +
factors.device * weights.device +
factors.behavior * weights.behavior +
factors.network * weights.network;
// Apply risk modifiers
score = applyRiskModifiers(score, factors.riskFactors);
return Math.min(100, Math.max(0, score));
}
function applyRiskModifiers(score, riskFactors) {
if (riskFactors.unusualLocation) score -= 15;
if (riskFactors.unusualTime) score -= 10;
if (riskFactors.newDevice) score -= 20;
if (riskFactors.failedAttempts > 0) score -= (riskFactors.failedAttempts * 5);
return score;
}
// Re-verify trust every N minutes
function continuousVerification(session) {
const VERIFICATION_INTERVAL = 5 * 60 * 1000; // 5 minutes
setInterval(async () => {
const currentTrust = await calculateCurrentTrustScore(session);
if (currentTrust < MINIMUM_TRUST_THRESHOLD) {
// Revoke access immediately
await revokeAccess(session);
await notifyUser(session.userId, 'ACCESS_REVOKED');
} else if (currentTrust < STEP_UP_THRESHOLD) {
// Require additional authentication
await requireStepUpAuth(session);
}
// Log for audit
await auditLog({
sessionId: session.id,
trustScore: currentTrust,
timestamp: new Date().toISOString()
});
}, VERIFICATION_INTERVAL);
}
function assessRisk(accessRequest) {
let riskScore = 0;
// Analyze access patterns
if (isAnomalousAccess(accessRequest)) {
riskScore += 30;
}
// Check threat intelligence
if (isKnownThreatIP(accessRequest.sourceIP)) {
riskScore += 40;
}
// Evaluate resource sensitivity
const resourceSensitivity = getResourceSensitivity(accessRequest.resource);
riskScore += resourceSensitivity * 0.3;
// Time-based risk
if (isOutsideBusinessHours(accessRequest.timestamp)) {
riskScore += 15;
}
// Geographic risk
if (isUnusualLocation(accessRequest.location)) {
riskScore += 20;
}
return {
score: riskScore,
level: getRiskLevel(riskScore),
factors: identifyRiskFactors(accessRequest)
};
}
function getRiskLevel(score) {
if (score >= 70) return 'CRITICAL';
if (score >= 50) return 'HIGH';
if (score >= 30) return 'MEDIUM';
return 'LOW';
}
Every access request goes through a complete verification process, regardless of the source.
User/Device Policy Engine Resource
| | |
|-- 1. Access Request ---->| |
| | |
| |-- 2. Verify Identity |
| | |
| |-- 3. Check Device |
| | Compliance |
| | |
| |-- 4. Assess Context |
| | (location, time) |
| | |
| |-- 5. Calculate Trust |
| | Score |
| | |
| |-- 6. Apply Policies |
| | |
|<-- 7. Decision ----------| |
| (Allow/Deny/StepUp) | |
| | |
|-- 8. Access Resource ----|--------------------->|
| | |
| |-- 9. Continuous |
| | Monitoring |
| | |
POST /api/v1/access/request
Content-Type: application/json
{
"requestId": "req-abc123",
"userId": "user-12345",
"deviceId": "device-67890",
"resource": {
"type": "application",
"id": "app-finance-dashboard",
"action": "read"
},
"context": {
"sourceIP": "192.168.1.100",
"userAgent": "Mozilla/5.0...",
"timestamp": "2025-12-25T10:30:00Z"
},
"authentication": {
"method": "mfa",
"token": "eyJhbGciOiJIUzI1NiIs..."
}
}
Response:
{
"decision": "ALLOW",
"trustScore": 91.5,
"conditions": {
"maxDuration": 3600,
"requireReauth": false,
"allowedActions": ["read"],
"monitoringLevel": "standard"
},
"accessToken": "eyJhbGciOiJIUzI1NiIs...",
"expiresAt": "2025-12-25T11:30:00Z"
}
// When trust score is below threshold but above minimum
{
"decision": "STEP_UP_REQUIRED",
"trustScore": 72.5,
"reason": "Unusual location detected",
"requiredActions": [
{
"type": "additional_mfa",
"method": "biometric",
"challenge": "fingerprint_required"
},
{
"type": "security_question",
"question": "What is your mother's maiden name?"
}
],
"challengeId": "challenge-xyz789",
"expiresAt": "2025-12-25T10:35:00Z"
}
// Integration with IAM systems (Okta, Azure AD, etc.)
class IAMIntegration {
async verifyIdentity(token) {
// Validate JWT token with IAM provider
const decoded = await this.iamProvider.validateToken(token);
// Fetch user attributes
const userAttributes = await this.iamProvider.getUserAttributes(decoded.userId);
// Check group memberships
const groups = await this.iamProvider.getUserGroups(decoded.userId);
return {
userId: decoded.userId,
attributes: userAttributes,
groups: groups,
mfaVerified: decoded.amr?.includes('mfa'),
identityTrustScore: this.calculateIdentityScore(decoded, userAttributes)
};
}
async enforcePolicy(userId, resource) {
// Check RBAC policies
const roles = await this.iamProvider.getUserRoles(userId);
const permissions = await this.iamProvider.getRolePermissions(roles);
// Apply ABAC policies
const attributes = await this.getUserAttributes(userId);
const contextualPolicies = await this.evaluatePolicies(attributes, resource);
return {
allowed: this.checkPermissions(permissions, resource),
policies: contextualPolicies
};
}
}
// Send zero trust events to SIEM
class SIEMIntegration {
async logAccessEvent(event) {
const siemEvent = {
timestamp: new Date().toISOString(),
eventType: 'zero_trust_access',
severity: this.calculateSeverity(event),
source: {
userId: event.userId,
deviceId: event.deviceId,
ip: event.sourceIP,
location: event.location
},
target: {
resource: event.resource,
action: event.action
},
decision: event.decision,
trustScore: event.trustScore,
riskFactors: event.riskFactors,
rawEvent: event
};
// Send to SIEM (Splunk, ELK, etc.)
await this.siemProvider.sendEvent(siemEvent);
// Trigger alerts if needed
if (event.trustScore < ALERT_THRESHOLD) {
await this.siemProvider.createAlert({
title: 'Low Trust Score Detected',
description: `User ${event.userId} has trust score ${event.trustScore}`,
severity: 'HIGH',
event: siemEvent
});
}
}
}
// Integrate with EDR for device health assessment
class EDRIntegration {
async getDeviceHealth(deviceId) {
// Query EDR agent on device
const edrData = await this.edrProvider.getDeviceStatus(deviceId);
return {
deviceId: deviceId,
compliance: {
osVersion: edrData.os.version,
osPatched: edrData.os.lastPatchDate,
antivirusActive: edrData.antivirus.running,
antivirusUpdated: edrData.antivirus.lastUpdate,
firewallEnabled: edrData.firewall.enabled,
encryptionEnabled: edrData.encryption.enabled
},
threats: {
activeThreat: edrData.threats.active.length > 0,
threatCount: edrData.threats.active.length,
lastScan: edrData.lastScan,
quarantinedItems: edrData.quarantine.length
},
healthScore: this.calculateDeviceHealthScore(edrData)
};
}
async enforceDevicePolicy(deviceId, policy) {
// Push policy to EDR agent
await this.edrProvider.applyPolicy(deviceId, {
requireEncryption: policy.encryption,
requireAntivirus: policy.antivirus,
allowedApplications: policy.applicationWhitelist,
blockedApplications: policy.applicationBlacklist
});
}
}
┌─────────────────────────────────────────────────────────────┐
│ Zero Trust Policy Engine │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ Trust │ │ Policy │ │ Risk │ │ Access │ │
│ │ Scoring │ │ Engine │ │ Engine │ │ Control │ │
│ └──────────┘ └──────────┘ └──────────┘ └──────────┘ │
└─────────────────────────────────────────────────────────────┘
│ │ │ │
▼ ▼ ▼ ▼
┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ IAM │ │ SIEM │ │ EDR │ │ Firewall │
│ (Identity) │ │ (Logging) │ │ (Endpoint) │ │ (Network) │
└─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘
│ │ │ │
└──────────────┴──────────────┴──────────────┘
│
▼
Protected Resources
W3C standard for cryptographically verifiable digital credentials that can prove trust status.
{
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://wia.org/credentials/zero-trust/v1"
],
"id": "https://wia.org/credentials/zt/12345",
"type": ["VerifiableCredential", "ZeroTrustCredential"],
"issuer": {
"id": "did:wia:issuer:corporate-policy-engine",
"name": "Corporate Zero Trust Policy Engine"
},
"issuanceDate": "2025-12-25T10:30:00Z",
"expirationDate": "2025-12-25T11:30:00Z",
"credentialSubject": {
"id": "did:wia:user:12345",
"trustScore": {
"overall": 91.5,
"identity": 95,
"device": 92,
"behavior": 88,
"network": 88
},
"deviceCompliance": {
"deviceId": "device-67890",
"compliant": true,
"osPatched": true,
"antivirusActive": true,
"encryptionEnabled": true
},
"accessGrant": {
"resources": ["app-finance-dashboard"],
"actions": ["read"],
"conditions": {
"maxDuration": 3600,
"requireContinuousVerification": true
}
}
},
"proof": {
"type": "Ed25519Signature2020",
"created": "2025-12-25T10:30:00Z",
"verificationMethod": "did:wia:issuer:corporate-policy-engine#key-1",
"proofPurpose": "assertionMethod",
"proofValue": "z3FXQsWzG...base64encoded..."
}
}
// Verify Zero Trust Credential
async function verifyZeroTrustCredential(vc) {
// 1. Verify cryptographic proof
const proofValid = await verifyProof(vc.proof, vc.credentialSubject);
// 2. Check expiration
const now = new Date();
const expiration = new Date(vc.expirationDate);
const notExpired = now < expiration;
// 3. Verify issuer is trusted
const issuerTrusted = await verifyIssuer(vc.issuer.id);
// 4. Check revocation status
const notRevoked = await checkRevocationStatus(vc.id);
// 5. Validate trust score meets minimum
const trustScoreValid = vc.credentialSubject.trustScore.overall >= MINIMUM_TRUST;
return {
valid: proofValid && notExpired && issuerTrusted && notRevoked && trustScoreValid,
checks: {
proofValid,
notExpired,
issuerTrusted,
notRevoked,
trustScoreValid
}
};
}