Zero Trust Security Architecture
Architecture
Zero trust security architecture diagram showing device posture checks, MFA identity verification, risk-based policy decisions, short-lived JWT tokens, micro-segmentation, mTLS encryption, least-privilege enforcement and continuous monitoring. The template models the "never trust, always verify" security paradigm, in which every request is authenticated and authorized regardless of network location. Essential for security architects implementing modern zero trust frameworks in cloud-native environments.
Complete FlowZap Code
User { # User / Device
n1: circle label:"Access Request"
n2: rectangle label:"Device Posture Check"
n3: rectangle label:"Identity Verification (MFA)"
n4: rectangle label:"Receive Access Decision"
n5: circle label:"Access Granted or Denied"
n1.handle(right) -> n2.handle(left)
n2.handle(right) -> n3.handle(left) [label="Device Compliant"]
n3.handle(bottom) -> PolicyEngine.n6.handle(top) [label="Authenticate"]
n4.handle(right) -> n5.handle(left)
}
PolicyEngine { # Policy Decision Point
n6: rectangle label:"Evaluate Identity Context"
n7: rectangle label:"Check Risk Score"
n8: diamond label:"Trust Level Sufficient?"
n9: rectangle label:"Issue Short-Lived Token"
n10: rectangle label:"Deny and Log"
n11: rectangle label:"Step-Up Authentication"
n6.handle(right) -> n7.handle(left) [label="Context"]
n7.handle(right) -> n8.handle(left)
n8.handle(right) -> n9.handle(left) [label="Trusted"]
n8.handle(bottom) -> n10.handle(top) [label="Denied"]
n8.handle(left) -> n11.handle(right) [label="Elevated"]
n9.handle(bottom) -> Enforcement.n12.handle(top) [label="JWT (5 min TTL)"]
n10.handle(top) -> User.n4.handle(bottom) [label="403"]
n11.handle(top) -> User.n3.handle(bottom) [label="Re-Verify"]
}
Enforcement { # Policy Enforcement Points
n12: rectangle label:"Micro-Segmentation Gateway"
n13: rectangle label:"Encrypt All Traffic (mTLS)"
n14: rectangle label:"Least-Privilege Access"
n15: rectangle label:"Continuous Monitoring"
n12.handle(right) -> n13.handle(left) [label="Segment"]
n13.handle(right) -> n14.handle(left) [label="Encrypted"]
n14.handle(bottom) -> Resources.n16.handle(top) [label="Scoped Access"]
n15.handle(top) -> PolicyEngine.n7.handle(bottom) [label="Risk Signal"]
}
Resources { # Protected Resources
n16: rectangle label:"Application Service"
n17: rectangle label:"Database"
n18: rectangle label:"API Endpoint"
n19: rectangle label:"Audit Log"
n16.handle(right) -> n17.handle(left) [label="Query"]
n16.handle(right) -> n18.handle(left) [label="Call"]
n16.handle(bottom) -> n19.handle(top) [label="Log Access"]
n16.handle(top) -> User.n4.handle(bottom) [label="Response"]
}
Why Is This Workflow Needed?
Traditional perimeter-based security assumes everything inside the network is trusted—a dangerous assumption when attackers can breach the perimeter or insiders can be compromised. Zero trust verifies every request regardless of network location, using device posture, identity, and risk signals to make continuous access decisions.
How It Works
- Step 1: The user device undergoes a posture check (OS version, encryption, compliance).
- Step 2: Multi-factor authentication verifies the user identity.
- Step 3: The policy engine evaluates identity context, risk score, and access requirements.
- Step 4: If trust level is sufficient, a short-lived JWT token (5-minute TTL) is issued.
- Step 5: Micro-segmentation and mTLS encryption protect all service-to-service communication.
- Step 6: Continuous monitoring feeds risk signals back to the policy engine for real-time re-evaluation.
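The six steps above, as an added Python example that is not part of the FlowZap template: a minimal policy decision point that applies the posture, MFA and risk checks from the diagram's n6-n11 branch (Trusted / Elevated / Denied) and mints the 5-minute HS256 JWT, plus the enforcement-point check that verifies signature, expiry and scope before a request reaches a resource. The request field names, risk thresholds and signing key are assumptions, and the same `decide` call re-run with a higher risk score stands in for the continuous-monitoring feedback loop.

```python
import base64, hashlib, hmac, json

TOKEN_TTL = 300  # seconds; the diagram's "JWT (5 min TTL)" edge
SIGNING_KEY = b"constructed-demo-key-not-for-production"  # constructed sample key
RISK_DENY, RISK_STEP_UP = 70, 40  # assumed thresholds behind n8 "Trust Level Sufficient?"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scope: str, now: int) -> str:
    """Step 4 (n9): mint an HS256 JWT scoped to one resource, expiring after TOKEN_TTL."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps(
        {"sub": subject, "scope": scope, "iat": now, "exp": now + TOKEN_TTL}).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"


def decide(req: dict, now: int) -> dict:
    """Policy Decision Point (n6-n11): posture + MFA + risk score -> Trusted/Elevated/Denied."""
    posture = req["device"]  # Step 1: assumed posture fields
    if not (posture["disk_encrypted"] and posture["os_patched"]):
        return {"decision": "Denied", "status": 403, "reason": "device posture"}
    if not req["mfa_verified"]:  # Step 2
        return {"decision": "Denied", "status": 403, "reason": "mfa not verified"}
    if req["risk_score"] >= RISK_DENY:  # n10: Deny and Log
        return {"decision": "Denied", "status": 403, "reason": "risk score"}
    if req["risk_score"] >= RISK_STEP_UP:  # n11: Step-Up Authentication
        return {"decision": "Elevated", "action": "Re-Verify"}
    return {"decision": "Trusted",  # n9: Issue Short-Lived Token
            "token": issue_token(req["user"], req["resource"], now)}


def enforce(token: str, required_scope: str, now: int) -> bool:
    """Policy Enforcement Point (n12-n14): accept only a valid, unexpired, in-scope token."""
    try:
        header, claims, sig = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(SIGNING_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return False
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":  # reject alg substitution
        return False
    body = json.loads(_b64url_decode(claims))
    return body["exp"] > now and body["scope"] == required_scope
```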
Alternatives
VPN-based perimeter security is simpler but assumes internal trust. Identity-aware proxies (BeyondCorp) implement zero trust at the network level. This template shows the complete zero trust architecture from device to resource.
Key Facts
| Field | Value |
|---|---|
| Template Name | Zero Trust Security Architecture |
| Category | Architecture |
| Steps | 6 workflow steps |
| Format | FlowZap Code (.fz file) |
Related Templates
Microservices API Gateway Architecture
Architecture
Microservices API gateway architecture diagram showing request routing, JWT authentication, rate limiting, service discovery and response aggregation across distributed backend services. The template models the single entry point for all client traffic in a microservices ecosystem, enforcing security policies before requests reach internal services. Suited to platform engineers designing scalable API infrastructure with centralized cross-cutting concerns.
Microservices Database-per-Service Architecture
Architecture
Database-per-service architecture diagram in which each microservice owns its dedicated data store, with event-driven synchronization through Kafka for cross-service data consistency. The template demonstrates the core principle of microservices data isolation, showing how PostgreSQL and MongoDB coexist in a polyglot persistence strategy. Essential for architects enforcing service autonomy while maintaining eventual consistency.
Microservices Decomposition by Business Capability Architecture
Architecture
Microservices decomposition architecture diagram organized by business capability: authentication, product catalog, pricing and order fulfillment, each with an independent data store and API. The template shows how to split a monolith into services aligned with business domains, using the Backend-for-Frontend (BFF) pattern for client-specific aggregation. Suited to architects planning domain-driven microservice boundaries.
Microservices Strangler Pattern Migration Architecture
Architecture
Strangler pattern migration architecture diagram showing a routing layer that splits traffic between old and new systems while the legacy monolith is gradually replaced by new microservices. The template models the proven migration strategy in which new features are built as microservices and legacy endpoints are retired incrementally. Essential for teams modernizing legacy systems without a high-risk big-bang rewrite.