Sanitized mirror from private repository - 2026-03-31 12:23:18 UTC

docs/security/zero-trust.md

@@ -0,0 +1,44 @@
+# Zero‑Trust Access Policy
+
+The *Zero‑Trust* concept means **never trust, always verify**.  The following policy documents the controls we enforce across the homelab.
+
+## 1. Identity & Access Management
+
+| Layer | Controls |
+|-------|----------|
+| User provisioning | LDAP/SSO via Authentik – Single sign‑on and MFA enforced. |
+| Role‑based access | Service accounts are scoped with least privilege; use **service principals** for automation. |
+| Temporal access | SSH key turn‑over every 90 days, @ 2FA enforced for remote access. |
+
+## 2. Network Isolation
+
+- **Segmentation** – Hyper‑viser networks (vlan‑101, vlan‑102) separate functional zones.
+- **Private endpoints** – Services expose only required ports to the Internet via Nginx Proxy Manager with Lets‑Encrypt certs.
+- **TLS** – All traffic between hosts uses the latest TLS 1.3 and HSTS.
+
+## 3. Secrets Management
+
+- Store secrets in **Hashicorp Vault** with role‑based ACLs.
+- Never commit secrets to Git. Ensure `.env` files are `.gitignore`‑protected.
+- Use `podman secret` or Docker secrets when running in a Docker Swarm.
+
+## 4. Continuous Verification
+
+- **Automated Compliance Checks** – CI pipeline runs `bandit` and `trivy` scans.
+- **Runtime Monitoring** – Falco and Sysdig detect anomalies.
+- **Audit Log** – All portainer, docker, and system events are forwarded to Loki.
+
+## 5. Incident Response
+
+1. • Detect via alerts (Grafana, Prometheus, Falco).  
+2. • Verify via `docker inspect`, `docker logs`, and the audit app.  
+3. • Isolate compromised container: `docker pause <id>` then identify the VM.  
+4. • Rotate secrets and keys immediately.
+
+> **Policy Owner**: Vish – <email@example.com>
+---
+
+### Quick Reference Links
+- [Secrets Store Guide](../services/secret-store.md)
+- [SSH Hardening](../infrastructure/SSH_ACCESS_GUIDE.md)
+- [Firewall Rules](../infrastructure/port-forwarding-guide.md)