Zero Trust Architecture in Edge Access

Zero trust security represents a fundamental shift from perimeter-based security models to identity-centric access control. This document explains how Peakhour's Edge Access implements zero trust principles and the architectural decisions behind this approach.

Core Zero Trust Principles

Never Trust, Always Verify

Traditional network security operates on implicit trust - users inside the corporate network are trusted by default. Zero trust eliminates this assumption by requiring verification of every access request, regardless of the user's location or network context.

Implementation in Edge Access:

  • Every HTTP request triggers policy evaluation
  • User identity is verified through authentication providers
  • Context-aware decisions based on location, device, and behavior
  • Continuous evaluation throughout the session lifecycle

Least Privilege Access

Users receive the minimum access necessary to perform their functions, with permissions granted on a need-to-know basis rather than broad network access.

Implementation in Edge Access:

  • Granular policies control access to specific applications and paths
  • Rule-based access control using Wirefilter expressions
  • Policy actions range from complete blocking to conditional authentication
  • Session-based access with configurable timeouts

Assume Breach

Zero trust architecture assumes that attackers may already have network access, requiring verification of all activities rather than relying on network boundaries.

Implementation in Edge Access:

  • Continuous session validation
  • Behavioral analysis through access patterns
  • Geographic and device fingerprint anomaly detection
  • Real-time policy enforcement at the edge

Edge Access Architecture Components

Authentication Layer

Edge Access supports multiple authentication methods tailored to different use cases:

Email OTP Authentication

  • Use Case: Human user access requiring strong identity verification
  • Implementation: Time-limited one-time passwords sent via email
  • Advantages: No infrastructure requirements, universally accessible
  • Session Management: JWT/PASETO tokens for persistent sessions

Service Token Authentication

  • Use Case: API access, service-to-service communication
  • Implementation: Bearer tokens with configurable scopes and expiration
  • Advantages: Programmatic access without user interaction
  • Security: Token rotation and revocation capabilities

Session Tokens

  • Use Case: Maintaining authenticated sessions across requests
  • Implementation: Cryptographically signed tokens (JWT/PASETO)
  • Features: Configurable expiration, secure storage, automatic renewal

Policy Engine

The heart of Edge Access is its policy evaluation engine, which makes access decisions based on multiple contextual factors.

Wirefilter Rule Language

Edge Access uses Cloudflare's Wirefilter syntax for expressing complex conditional logic:

auth.user.email ends_with "@company.com" and 
ip.geoip.country in ("US", "CA", "GB") and
not (ip.src in $suspicious_networks)

Supported Fields

The policy engine evaluates requests against comprehensive context:

  • Identity Fields: auth.user.email for authenticated user identification
  • Network Fields: ip.src, ip.geoip.country, ip.geoip.city, ip.geoip.asnum
  • HTTP Fields: http.host, http.request.uri.path, http.request.method, http.user_agent
  • Device Fingerprints: fingerprint.tls, fingerprint.h2, fingerprint.headers

Policy Actions

Five distinct actions control request handling:

  • ALLOW: Grant immediate access without additional verification
  • BLOCK: Deny access with HTTP 403 response
  • BYPASS: Skip authentication requirements (use sparingly)
  • LOGIN_GATE: Require user authentication before access
  • SERVICE_AUTH: Require valid service token authentication

Request Flow Architecture

Request Interception

  • Edge nodes receive HTTP requests before reaching origin servers
  • Requests are evaluated against configured policies for the target domain
  • Policy matching occurs based on host, path, and other request attributes

Context Enrichment

  • IP geolocation and ASN lookup
  • Device fingerprint analysis
  • User session validation if present
  • Historical behavior analysis

Policy Evaluation

  • Sequential rule evaluation in priority order
  • First matching rule determines the action
  • Complex boolean logic support with parentheses and operators
  • List-based matching for scalable IP ranges and domain patterns
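The following is an added illustration, not Peakhour's engine or its Wirefilter compiler: a small first-match policy evaluator in Python over the field names listed above, with the five actions, priority-ordered rules, a network-list match standing in for `$suspicious_networks`, and a default-deny fallback. The rule names, the sample networks and the health-check and API paths are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable

# Constructed stand-in for the $suspicious_networks list referenced by the rule above.
SUSPICIOUS_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

def in_list(ip: str, networks) -> bool:
    """List-based matching: is the source address inside any configured range?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

@dataclass
class Rule:
    name: str
    action: str                    # ALLOW, BLOCK, BYPASS, LOGIN_GATE or SERVICE_AUTH
    match: Callable[[dict], bool]  # stands in for a compiled Wirefilter expression

# Priority order matters: the first rule whose expression matches decides the action,
# so the BLOCK for suspicious networks sits above the ALLOW for corporate users.
POLICY = [
    Rule("block_suspicious", "BLOCK",
         lambda c: in_list(c["ip.src"], SUSPICIOUS_NETWORKS)),
    Rule("health_check_bypass", "BYPASS",
         lambda c: c["http.request.uri.path"] == "/healthz"),
    Rule("api_service_auth", "SERVICE_AUTH",
         lambda c: c["http.request.uri.path"].startswith("/api/")),
    Rule("corporate_users", "ALLOW",
         lambda c: c.get("auth.user.email", "").endswith("@company.com")
         and c["ip.geoip.country"] in ("US", "CA", "GB")),
    Rule("require_login", "LOGIN_GATE",
         lambda c: "auth.user.email" not in c),
]
DEFAULT_ACTION = "BLOCK"  # zero trust default: nothing matched, nothing allowed

def evaluate(ctx: dict) -> tuple:
    """Sequential first-match evaluation over the enriched request context."""
    for rule in POLICY:
        if rule.match(ctx):
            return rule.action, rule.name
    return DEFAULT_ACTION, "default"

def make_ctx(ip: str, country: str, path: str, email: str = "") -> dict:
    """Build the context the engine sees after IP, geo and session enrichment."""
    ctx = {"ip.src": ip, "ip.geoip.country": country, "http.request.uri.path": path}
    if email:
        ctx["auth.user.email"] = email
    return ctx
```

Note that an authenticated corporate user connecting from a suspicious network is blocked by the earlier rule before the ALLOW is ever reached; reordering the list changes the outcome.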

Action Execution

Based on policy evaluation results:

  • Authentication Required: Redirect to authentication provider
  • Access Granted: Forward request to origin with optional header injection
  • Access Denied: Return appropriate HTTP error response
  • Service Auth: Validate bearer token and extract claims
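As an added example of the SERVICE_AUTH step and of the scope, expiration, rotation and revocation properties described under Service Token Authentication, the following Python sketch mints and validates an HMAC-signed bearer token. It is not Peakhour's token format (the page names JWT/PASETO without detail); the key ids, keys and claim layout are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed signing keys indexed by key id. Keeping the previous key lets tokens
# issued before a rotation verify until they expire; dropping it revokes them all.
SIGNING_KEYS = {"k1": b"constructed-old-key", "k2": b"constructed-new-key"}
CURRENT_KID = "k2"
REVOKED_IDS = set()  # token ids revoked ahead of their natural expiry

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_service_token(service: str, scopes, ttl: int, now=None) -> str:
    """Mint a <claims>.<signature> bearer token under the current signing key."""
    issued_at = int(time.time() if now is None else now)
    claims = {"kid": CURRENT_KID, "sub": service, "scope": sorted(scopes),
              "exp": issued_at + ttl, "jti": secrets.token_hex(8)}
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEYS[CURRENT_KID], body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64url_encode(sig)}"

def validate_bearer(authorization: str, required_scope: str, now=None):
    """SERVICE_AUTH check: return the claims dict, or a rejection reason string."""
    now = time.time() if now is None else now
    if not authorization.startswith("Bearer "):
        return "missing bearer token"
    try:
        body, sig = authorization[len("Bearer "):].split(".", 1)
        claims = json.loads(b64url_decode(body))
        key = SIGNING_KEYS[claims["kid"]]
    except (ValueError, KeyError, TypeError):
        return "malformed token or unknown key id"
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return "bad signature"  # verified before any claim is trusted
    if claims["exp"] <= now:
        return "expired"
    if claims["jti"] in REVOKED_IDS:
        return "revoked"
    if required_scope not in claims["scope"]:
        return "insufficient scope"
    return claims
```

The signature is checked before expiry, revocation or scope, so an attacker who edits the claims (for example to widen the scope) is rejected without the forged values ever being consulted.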

Session Management

  • Successful authentication creates session tokens
  • Tokens are cryptographically signed and tamper-resistant
  • Configurable session duration and renewal policies
  • Secure storage using HTTP-only cookies

Network Integration Patterns

DNS-Based Protection

Edge Access operates at the DNS level, intercepting requests before they reach protected applications:

app.company.com → Edge Access → Policy Evaluation → Origin Server

This approach provides:

  • Universal Coverage: Protection regardless of client type or location
  • Transparent Operation: No client-side configuration required
  • Performance: Edge-based evaluation with minimal latency impact

Multi-Application Support

A single Edge Access configuration can protect multiple applications:

policies:
  - application: "app1.company.com"
    rules: [corporate_users, office_networks]
  - application: "app2.company.com" 
    rules: [admin_users, mfa_required]

API and Web Protection

Different authentication methods suit different access patterns:

  • Web Applications: Email OTP with session management
  • REST APIs: Service token authentication
  • Mobile Apps: JWT tokens with refresh capabilities
  • Automated Systems: Long-lived service tokens

Security Architecture Benefits

Defense in Depth

Edge Access adds a security layer that complements existing application security:

  1. Network Layer: IP-based filtering and geographic restrictions
  2. Identity Layer: Strong authentication with email verification
  3. Application Layer: Path and method-based access control
  4. Behavioral Layer: Anomaly detection and risk scoring

Scalability and Performance

Edge deployment provides global security coverage:

  • Edge Processing: Policy evaluation at 200+ global locations
  • Reduced Latency: Security decisions made close to users
  • Origin Protection: Unauthorized requests never reach origin servers
  • Traffic Filtering: Malicious traffic blocked at the edge

Operational Simplicity

Zero trust implementation without infrastructure changes:

  • No VPN Required: Direct internet access with policy enforcement
  • Client Agnostic: Works with any HTTP client or browser
  • Centralized Management: Single control plane for all applications
  • Real-time Updates: Policy changes propagate immediately

Deployment Considerations

Gradual Migration

Edge Access supports phased zero trust adoption:

  1. Monitoring Phase: Deploy in log-only mode to understand traffic patterns
  2. Pilot Phase: Apply policies to subset of users or applications
  3. Production Phase: Full enforcement with fallback procedures
  4. Optimization Phase: Refine policies based on usage analytics

High Availability

Built-in redundancy ensures continuous protection:

  • Multiple Edge Locations: Automatic failover between data centers
  • Policy Replication: Consistent enforcement across all edge nodes
  • Health Monitoring: Automatic bypass if authentication systems unavailable
  • Graceful Degradation: Configurable fallback behaviors

Compliance and Audit

Edge Access provides comprehensive audit capabilities:

  • Access Logs: Detailed records of all authentication events
  • Policy Evaluation: Complete decision trails for compliance reporting
  • Session Tracking: User activity monitoring across applications
  • Real-time Analytics: Security dashboards and alerting

Integration with Existing Infrastructure

Identity Provider Compatibility

While Edge Access uses email-based authentication, it integrates with existing directory services for user validation and policy decisions.

SIEM Integration

Security events can be forwarded to existing security operations tools:

  • Log Forwarding: Real-time event streaming to SIEM platforms
  • API Access: Programmatic access to security events and analytics
  • Webhook Integration: Custom integrations for specialized workflows
  • Standard Formats: Compatible with common log analysis tools

Development Workflows

Edge Access accommodates various development practices:

  • Staging Environments: Separate policies for development and production
  • CI/CD Integration: Automated policy deployment and testing
  • Developer Access: Temporary bypass capabilities for development workflows
  • API Testing: Service token support for automated testing

Architecture Evolution

Edge Access is designed to accommodate growing security requirements:

Enhanced Context

Future enhancements may include additional contextual factors:

  • Device Trust: Certificate-based device verification
  • Behavioral Analytics: ML-based risk scoring
  • Threat Intelligence: Real-time threat feed integration

Advanced Authentication

Additional authentication methods as requirements evolve:

  • Hardware Tokens: FIDO2/WebAuthn support for high-security environments
  • Biometric Verification: Advanced identity verification methods
  • Multi-Factor Combinations: Risk-based authentication escalation

Policy Sophistication

More advanced policy capabilities:

  • Time-Based Rules: Temporal access controls
  • Risk Scoring: Dynamic policy adjustment based on calculated risk
  • Machine Learning: Automated policy optimization based on usage patterns

Zero trust architecture in Edge Access provides a comprehensive security foundation that scales with organizational needs while maintaining operational simplicity and user experience quality.