Zero Trust Architecture Implementation

# =============================================
+# Zero Trust Identity Policy
+# =============================================

+# Azure AD Conditional Access (translated)

+# Policy 1: Require MFA
+IF user.role != "service_account"
+AND app.risk != "low"
+THEN require_mfa()
+AND require_compliant_device()

+# Policy 2: Block legacy auth
+IF client_app == "IMAP" OR "POP3" OR "SMTP"
+THEN block()

+# Policy 3: Risk-based access
+IF sign_in_risk == "high" THEN block()
+IF sign_in_risk == "medium" THEN require_mfa()
+AND require_password_change()

+# Policy 4: Session management
+IF app.sensitivity == "high"
+THEN max_session = 1_hour
+AND require_reauthentication()

# =============================================
+# Microsegmentation — Kubernetes NetworkPolicy
+# =============================================

+# Default deny all
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-all
+  namespace: production
+spec:
+  podSelector: {}
+  policyTypes: [Ingress, Egress]

+# Allow frontend to backend only
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: frontend-to-backend
+  namespace: production
+spec:
+  podSelector:
+    matchLabels:
+      app: backend
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: frontend
+      ports:
+        - port: 8080

+# Allow backend to database only
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: backend-to-db
+spec:
+  podSelector:
+    matchLabels:
+      app: database
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: backend
+      ports:
+        - port: 5432

# =============================================
+# Zero Trust Implementation Roadmap
+# =============================================

+# PHASE 1: Foundation (Bulan 1-3)
+# ✅ Asset inventory
+# ✅ Data classification
+# ✅ Identity consolidation — SSO + MFA
+# ✅ Device management — MDM
+# ✅ Logging foundation

+# PHASE 2: Identity & Access (Bulan 3-6)
+# ✅ Conditional Access policies
+# ✅ Privileged Access Management
+# ✅ Just-In-Time access
+# ✅ RBAC implementation

+# PHASE 3: Network Segmentation (Bulan 6-12)
+# ✅ Microsegmentation
+# ✅ ZTNA deployment
+# ✅ East-West traffic inspection
+# ✅ DNS filtering

+# PHASE 4: Data Protection (Bulan 12-18)
+# ✅ DLP policies
+# ✅ Encryption at rest & transit
+# ✅ CASB for SaaS apps

+# PHASE 5: Continuous Monitoring (Bulan 18-24)
+# ✅ UEBA
+# ✅ SOAR automated response
+# ✅ Threat hunting program
+# ✅ Maturity assessment

# =============================================
+# Device Compliance & Trust Policy
+# =============================================

+# Device Trust Requirements:
+# Level 1: Basic (all devices)
+# - OS version >= minimum
+# - Antivirus active & updated
+# - Firewall enabled
+# - Disk encryption enabled
+
+# Level 2: Enhanced (corporate devices)
+# - All Level 1 requirements
+# - MDM enrolled
+# - Company certificate installed
+# - Approved OS build
+# - No jailbreak/root
+
+# Level 3: High Security (privileged access)
+# - All Level 2 requirements
+# - Hardware TPM/FIDO2 key
+# - Specific network location
+# - Recent security scan passed
+# - No USB peripherals (optional)

+# Azure AD Conditional Access — Device filter
+# IF device.trustType == "ServerAD"
+# OR device.isCompliant == true
+# THEN allow_access()
+# ELSE redirect_to_portal("Register your device")

+# Intune Compliance Policy
+# Minimum OS: Windows 10 22H2
+# BitLocker: Required
+# Defender: Real-time protection ON
+# Password: Min 12 chars, complexity
+# Jailbreak: Block compromised devices

# =============================================
+# Automated Access Review Script
+# =============================================

+import datetime
+from dataclasses import dataclass
+
+@dataclass
+class AccessReview:
+    user: str
+    role: str
+    last_activity: datetime.datetime
+    granted_date: datetime.datetime
+    approver: str
+    risk_level: str
+
+def review_access(access_records):
+    # Flag access that needs review.
+    now = datetime.datetime.now()
+    alerts = []
+
+    for record in access_records:
+        # Rule 1: Inactive access (> 90 days no activity)
+        days_inactive = (now - record.last_activity).days
+        if days_inactive > 90:
+            alerts.append({
+                "user": record.user,
+                "issue": f"Inactive for {days_inactive} days",
+                "action": "REVOKE"
+            })
+
+        # Rule 2: Stale access grants (> 365 days)
+        days_granted = (now - record.granted_date).days
+        if days_granted > 365:
+            alerts.append({
+                "user": record.user,
+                "issue": f"Access granted {days_granted} days ago",
+                "action": "RE-APPROVE"
+            })
+
+        # Rule 3: High-risk access without recent review
+        if record.risk_level == "high":
+            alerts.append({
+                "user": record.user,
+                "issue": "High-risk access needs quarterly review",
+                "action": "MANAGER_REVIEW"
+            })
+
+    return alerts
+
+# Generate report
+# alerts = review_access(all_access_records)
+# for alert in alerts:
+#     send_notification(alert["user"], alert["issue"])

# =============================================
+# Zero Trust Remote Work Policy
+# =============================================

+# Network Access Policy:
+# 1. Remote workers connect via ZTNA (bukan VPN)
+# 2. Device compliance checked before access
+# 3. Per-app access (bukan full network)
+# 4. Session recording untuk sensitive apps

+# ZTNA Connection Flow:
+# 1. User opens browser/app
+# 2. ZTNA agent checks:
+#    - Device identity (certificate)
+#    - Device compliance (OS, AV, encryption)
+#    - User identity (MFA)
+#    - Location risk score
+# 3. Policy engine evaluates:
+#    - Is user allowed to access this app?
+#    - Is device compliant enough?
+#    - Is current risk acceptable?
+# 4. If approved: encrypted tunnel to app only
+# 5. If denied: clear error message + remediation steps

+# Home Network Security Recommendations:
+# - Separate VLAN for work devices
+# - Updated router firmware
+# - Strong WiFi password (WPA3)
+# - Disable WPS
+# - Enable router firewall
+# - Use DNS filtering (1.1.1.3 / 9.9.9.9)

# =============================================
+# Zero Trust Maturity Assessment
+# =============================================

+# IDENTITY (Score: 0-5)
+# □ All users have unique identity
+# □ MFA enabled for all users (not just admin)
+# □ MFA is phishing-resistant (FIDO2)
+# □ SSO across all applications
+# □ Just-in-time privileged access
+# □ Regular access reviews (quarterly)
+# □ Service account inventory & rotation
+# □ No shared accounts
+
+# DEVICES (Score: 0-5)
+# □ All devices inventoried
+# □ MDM enrolled (corporate devices)
+# □ Device compliance policies enforced
+# □ Endpoint detection & response deployed
+# □ Automated patching
+# □ Disk encryption mandatory
+# □ BYOD policy with container isolation
+# □ No unmanaged devices access sensitive data
+
+# NETWORK (Score: 0-5)
+# □ Microsegmentation implemented
+# □ All traffic encrypted (TLS 1.3)
+# □ DNS filtering active
+# □ East-west traffic inspection
+# □ No implicit trust for internal traffic
+# □ ZTNA replacing VPN
+# □ DDoS protection
+# □ Network anomaly detection
+
+# APPLICATIONS (Score: 0-5)
+# □ Secure SDLC implemented
+# □ API security controls
+# □ WAF deployed
+# □ SaaS access through CASB
+# □ Application-level access control
+# □ Secrets management (no hardcoded)
+# □ Regular security testing
+# □ Dependency vulnerability scanning
+
+# DATA (Score: 0-5)
+# □ Data classification complete
+# □ Encryption at rest & in transit
+# □ DLP controls active
+# □ Data access logging
+# □ Retention policies enforced
+# □ Backup & recovery tested
+# □ Data sovereignty compliance
+# □ No sensitive data in unprotected locations
+
+# SCORING:
+# 0 = Not started
+# 1 = Initial (ad-hoc)
+# 2 = Developing (some implementation)
+# 3 = Defined (consistent implementation)
+# 4 = Managed (measured & controlled)
+# 5 = Optimized (automated & continuous improvement)
+#
+# Total Score: ___/40
+# Maturity Level: Traditional (0-10) | Advanced (11-25) | Optimal (26-40)