ASSESSING THE IMPACT OF ZERO TRUST ON INCIDENT LOCALIZATION IN CONTAINERIZED MICROSERVICE ENVIRONMENTS
DOI: https://doi.org/10.28925/2663-4023.2026.32.1192

Keywords: microservice architecture, Kubernetes, lateral movement, microsegmentation, DevSecOps, container security, empirical validation, NetworkPolicy.

Abstract
In containerized microservice architectures, the compromise of a single service can become a starting point for lateral movement deeper into the infrastructure because internal service interactions often preserve an excessive level of implicit trust. The Zero Trust approach requires service-to-service mutual authentication, least privilege, enforced microsegmentation, and explicit verification of each request; however, publicly available guidance still lacks a formalized method for quantitative comparison of system states before and after such controls are introduced. This paper proposes a model environment with three services, a threat scenario based on a compromised app-service, and three evaluation metrics: impact radius R, defined as the share of reachable access objects; lateral movement depth D, defined as the maximum number of sequential transitions; and policy operational complexity C, defined as the number of security artifacts that must be maintained in an up-to-date state. Model-based calculations show that implementing Zero Trust reduces R from 0.93 to 0.21, decreases D from 2 to 1, and increases C from 2 to 13. For an extended five-service nonlinear topology, the same trend is observed: R decreases from 0.83 to 0.17, D again decreases from 2 to 1, and C rises to 28, indicating that the localization effect remains stable in a more complex architecture. Empirical validation on a local Kubernetes cluster with Calico CNI showed that 17 of 17 access tests were successful in the baseline state, whereas only 6 of 17 remained successful after Zero Trust hardening. These results confirm the model predictions and also demonstrate that complete restriction at the level of individual operations requires L7 authorization, typically provided through a service mesh. 
Overall, the findings indicate that enforced Zero Trust controls substantially reduce the propagation potential of an attack, improve the architecture’s ability to localize the consequences of compromise, and provide a useful basis for further quantitative security assessment of cloud-native systems. At the same time, this security improvement is accompanied by a noticeable increase in the operational burden associated with maintaining policies, certificates, segmentation rules, and related security artifacts.
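The following is an added worked example, not code or data from the paper or its authors' repository. It computes the three metrics the abstract defines (impact radius R, lateral movement depth D, policy operational complexity C) for a constructed three-service model with a compromised app-service, once under an implicit-trust baseline and once under an explicit allow-list policy. The topology, object names, artifact names and the "control object" rule (a transition continues through a service only when an access object that grants control of it, such as an admin endpoint, is reachable) are this example's own assumptions, so the resulting numbers are illustrative and do not reproduce the paper's 0.93 / 0.21 figures. The control-object rule is one way to model the abstract's observation that restriction at the level of individual operations (L7 authorization) is what stops the attacker from continuing past the first hop.

```python
"""Added example: impact radius R, lateral movement depth D and policy
complexity C over a constructed three-service model (hypothetical data)."""

# Constructed model: each service exposes access objects. The boolean marks a
# "control object": reaching it is assumed to hand the attacker that service's
# identity and outbound allowances (a modelling choice of this example).
OBJECTS = {
    "app":    {"GET /health": False, "GET /metrics": False},
    "orders": {"GET /orders": False, "POST /orders": False, "POST /admin/exec": True},
    "db":     {"SELECT orders": False, "SELECT users": False, "superuser": True},
}


def baseline_policy():
    """Flat network with implicit trust: any service may invoke any object of
    any other service (no NetworkPolicy, no service identity)."""
    return {src: {dst: set(OBJECTS[dst]) for dst in OBJECTS if dst != src}
            for src in OBJECTS}


# Hypothetical Zero Trust allow list: least privilege per source identity.
ZERO_TRUST_POLICY = {
    "app":    {"orders": {"GET /orders", "POST /orders"}},
    "orders": {"db": {"SELECT orders"}},
    "db":     {},
}


def lateral_movement(policy, compromised):
    """Explore every chain of transitions from the compromised service.

    A transition src -> dst exists when the policy lets src invoke at least one
    object of dst. The chain continues *through* dst only if one of those
    objects is a control object. Returns (reached (service, object) pairs,
    longest chain of sequential transitions = D).
    """
    reached = set()
    longest = 0

    def walk(src, visited, hops):
        nonlocal longest
        for dst, allowed in policy.get(src, {}).items():
            if dst in visited or not allowed:
                continue
            longest = max(longest, hops + 1)
            controls_dst = False
            for obj in allowed:
                reached.add((dst, obj))
                controls_dst = controls_dst or OBJECTS[dst][obj]
            if controls_dst:
                walk(dst, visited | {dst}, hops + 1)

    walk(compromised, {compromised}, 0)
    return reached, longest


def impact_radius(reached):
    """R = share of all access objects the attacker can reach."""
    total = sum(len(objs) for objs in OBJECTS.values())
    return round(len(reached) / total, 2)


# Constructed artifact inventories for C (names are hypothetical).
BASELINE_ARTIFACTS = ["cluster-ingress-rule", "default-namespace-config"]
ZERO_TRUST_ARTIFACTS = (
    [f"networkpolicy-default-deny-{s}" for s in OBJECTS]          # 3 default-deny policies
    + ["networkpolicy-allow-app-to-orders", "networkpolicy-allow-orders-to-db"]
    + [f"mtls-cert-{s}" for s in OBJECTS]                           # per-service workload certs
    + [f"authz-policy-{s}" for s in OBJECTS]                        # per-service L7 authz policies
    + ["ca-root-bundle"]
)


def policy_complexity(artifacts):
    """C = number of security artifacts that must be kept up to date."""
    return len(artifacts)


def compare(compromised="app"):
    """Metrics for both states, attacker starting from the compromised service."""
    out = {}
    for name, policy, artifacts in (("baseline", baseline_policy(), BASELINE_ARTIFACTS),
                                    ("zero_trust", ZERO_TRUST_POLICY, ZERO_TRUST_ARTIFACTS)):
        reached, depth = lateral_movement(policy, compromised)
        out[name] = {"R": impact_radius(reached), "D": depth,
                     "C": policy_complexity(artifacts)}
    return out


if __name__ == "__main__":
    for state, metrics in compare().items():
        print(state, metrics)
```

In the constructed model the baseline lets the compromised app-service reach every object of the other two services and take over both (R = 0.75, D = 2), while the allow-list policy confines it to two read/write endpoints on orders and, because no control object is reachable, the chain stops after one hop (R = 0.25, D = 1) at the cost of maintaining 12 artifacts instead of 2. Swapping in a larger topology only requires extending OBJECTS and the policy dictionaries; the same functions then reproduce the comparison the abstract describes for the five-service case.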
Copyright (c) 2026 Віталій Молнар, Олексій Грушковський

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.