Zero‑Trust Access Policy
The Zero‑Trust concept means never trust, always verify. The following policy documents the controls we enforce across the homelab.
1. Identity & Access Management
| Layer | Controls |
|---|---|
| User provisioning | LDAP/SSO via Authentik – Single sign‑on and MFA enforced. |
| Role‑based access | Service accounts are scoped with least privilege; use service principals for automation. |
| Temporal access | SSH keys are rotated every 90 days; 2FA is enforced for all remote access. |
2. Network Isolation
- Segmentation – Hypervisor VLANs (vlan‑101, vlan‑102) separate functional zones.
- Private endpoints – Services are reachable from the Internet only through Nginx Proxy Manager, which exposes just the required ports and terminates TLS with Let's Encrypt certificates.
- TLS – All traffic between hosts uses TLS 1.3; HTTPS endpoints set HSTS so browsers never fall back to plaintext.
3. Secrets Management
- Store secrets in HashiCorp Vault with role‑based ACLs.
- Never commit secrets to Git. Ensure `.env` files are `.gitignore`‑protected.
- Use `podman secret` under Podman, or Docker secrets when running in a Docker Swarm, instead of passing secrets as environment variables.
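The following is an added example, not the homelab's own tooling: a minimal pre‑commit style guard that enforces the two rules above. It checks that the repository's `.gitignore` has a rule covering `.env` files, refuses to let a file named `.env` be staged, and greps every other staged file for secret‑looking content (AWS access key IDs, PEM private‑key headers, and credential assignments with a long literal value). The regexes, the function names and the sample repository it builds in a temporary directory are illustrative assumptions so the script runs offline.

```sh
#!/bin/sh
# Added example for the secrets-management rules above; not the homelab's own code.
#   env_is_ignored GITIGNORE        -> 0 if a rule in GITIGNORE covers .env files
#   secrets_in_file FILE            -> 0 if FILE looks clean, 1 if it contains a likely secret
#   guard_commit GITIGNORE FILE...  -> 0 only if .env is ignored and no FILE leaks a secret
# The regexes are illustrative assumptions, not a complete secret scanner.

env_is_ignored() {
    # Whole-line match for the common spellings: .env, .env.local, .env.*, .env*, *.env
    grep -qxE '\.env(\..*|\*)?|\*\.env' "$1"
}

secrets_in_file() {
    file="$1"
    leaked=0
    # Case-sensitive: AWS access key IDs and PEM private key headers.
    if grep -nE -e 'AKIA[0-9A-Z]{16}' \
                -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$file"; then
        leaked=1
    fi
    # Case-insensitive: credential-like assignments with a long literal value.
    # Short placeholders ("changeme") and Vault references ("vault:secret/...",
    # which contain ':') deliberately do not match, so .env.example templates pass.
    if grep -nEi "(password|passwd|secret|token|api_?key)[[:space:]]*[=:][[:space:]]*[\"']?[A-Za-z0-9_./+=-]{12,}" "$file"; then
        leaked=1
    fi
    return $leaked
}

guard_commit() {
    gitignore="$1"; shift
    status=0
    if ! env_is_ignored "$gitignore"; then
        echo "BLOCK: $gitignore has no rule covering .env files" >&2
        status=1
    fi
    for f in "$@"; do
        case "$f" in
            */.env|.env)
                echo "BLOCK: $f is a .env file and must never be staged" >&2
                status=1 ;;
            *)
                if ! secrets_in_file "$f" >/dev/null; then
                    echo "BLOCK: $f contains a secret-looking value" >&2
                    status=1
                fi ;;
        esac
    done
    return $status
}

# --- constructed sample repository (fixture data, not real credentials) ---
REPO=$(mktemp -d)
printf 'node_modules/\n.env\n.env.local\n' > "$REPO/.gitignore"
printf 'DB_PASSWORD=s3cr3t-Tr0ub4dor-2024\n' > "$REPO/.env"
printf 'DB_PASSWORD=changeme\nAPI_TOKEN=vault:secret/data/homelab/api#token\n' > "$REPO/.env.example"
printf '#!/bin/sh\nexport AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n' > "$REPO/deploy.sh"
printf '# homelab\nSecrets live in Vault, see policy section 3.\n' > "$REPO/README.md"

# Simulate a commit with deploy.sh and .env.example staged: deploy.sh leaks a key.
if guard_commit "$REPO/.gitignore" "$REPO/deploy.sh" "$REPO/.env.example"; then
    echo "commit allowed"
else
    echo "commit blocked"
fi
```

Wired in as `.git/hooks/pre-commit` with `git diff --cached --name-only` supplying the file list, a non‑zero exit from `guard_commit` stops the commit before the secret ever reaches history, which is far cheaper than rotating it after a push.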
4. Continuous Verification
- Automated Compliance Checks – The CI pipeline runs `bandit` (Python static analysis) and `trivy` (container image and dependency vulnerability scans) on every build.
- Runtime Monitoring – Falco and Sysdig detect anomalous process, file, and network behaviour in running containers.
- Audit Log – All Portainer, Docker, and system events are forwarded to Loki.
5. Incident Response
- Detect via alerts (Grafana, Prometheus, Falco).
- Verify via `docker inspect`, `docker logs`, and the audit app.
- Isolate the compromised container with `docker pause <id>`, then identify the VM it runs on.
- Rotate secrets and keys immediately.
Policy Owner: Vish – email@example.com