[{"data":1,"prerenderedAt":345},["ShallowReactive",2],{"blog-post-blog_de-zero-trust-architektur-sicherheit-jenseits-des-perimeters":3},{"id":4,"title":5,"body":6,"cover":330,"date":331,"description":332,"draft":333,"extension":334,"meta":335,"navigation":336,"path":337,"seo":338,"stem":339,"tags":340,"__hash__":344},"blog_de\u002Fde\u002Fblog\u002Fzero-trust-architektur-sicherheit-jenseits-des-perimeters.md","Zero Trust Architecture: Security Beyond the Perimeter",{"type":7,"value":8,"toc":325},"minimark",[9,18,23,34,56,63,67,70,90,101,303,306,310,321],[10,11,12,13,17],"p",{},"Classic security models rest on a simple principle: whatever is inside the network is trusted, whatever is outside is not. In an era of remote work, cloud migration and a growing number of supply-chain attacks, this approach is no longer sufficient. ",[14,15,16],"strong",{},"Zero Trust Architecture (ZTA)"," turns this model around.",[19,20,22],"h2",{"id":21},"was-ist-zero-trust","What is Zero Trust?",[10,24,25,26,29,30,33],{},"Zero Trust is a security paradigm based on the principle ",[14,27,28],{},"\"Never trust, always verify\"",". No user, no device and no network segment is granted trust automatically - regardless of location. ",[14,31,32],{},"NIST Special Publication 800-207"," defines the reference framework for implementation and describes three central logical components:",[35,36,37,44,50],"ul",{},[38,39,40,43],"li",{},[14,41,42],{},"Policy Engine (PE)"," - makes access decisions based on policies, risk assessments and identity data",[38,45,46,49],{},[14,47,48],{},"Policy Administrator (PA)"," - turns the Policy Engine's decisions into concrete actions",[38,51,52,55],{},[14,53,54],{},"Policy Enforcement Point (PEP)"," - enforces the access decisions at the network boundary",[10,57,58],{},[59,60],"img",{"alt":61,"src":62},"Comparison: perimeter model vs. Zero Trust","\u002Fimg\u002Fblog\u002Fzero-trust-vergleich.png",[19,64,66],{"id":65},"kernprinzipien-und-umsetzung","Core Principles and Implementation",[10,68,69],{},"The three core principles of Zero Trust are:",[35,71,72,78,84],{},[38,73,74,77],{},[14,75,76],{},"Explicit Verification"," - every request is checked against identity, device state, location and behaviour patterns",[38,79,80,83],{},[14,81,82],{},"Least Privilege Access"," - access is granted only to the extent required for the task at hand",[38,85,86,89],{},[14,87,88],{},"Assume Breach"," - the system assumes that an attacker is already inside the network and minimises the blast radius",[10,91,92,93,96,97,100],{},"In ",[14,94,95],{},"Kubernetes environments",", Zero Trust can be implemented with ",[14,98,99],{},"NetworkPolicies",". These enforce micro-segmentation at the pod level:",[102,103,108],"pre",{"className":104,"code":105,"language":106,"meta":107,"style":107},"language-yaml shiki shiki-themes github-light github-dark","apiVersion: networking.k8s.io\u002Fv1\nkind: NetworkPolicy\nmetadata:\n  name: allow-frontend-to-backend\n  namespace: production\nspec:\n  podSelector:\n    matchLabels:\n      app: backend\n  policyTypes:\n    - Ingress\n  ingress:\n    - from:\n        - podSelector:\n            matchLabels:\n              app: frontend\n      ports:\n        - protocol: TCP\n          port: 8080\n","yaml","",[109,110,111,128,139,148,159,170,178,186,194,205,213,222,230,240,251,259,270,278,291],"code",{"__ignoreMap":107},[112,113,116,120,124],"span",{"class":114,"line":115},"line",1,[112,117,119],{"class":118},"s9eBZ","apiVersion",[112,121,123],{"class":122},"sVt8B",": ",[112,125,127],{"class":126},"sZZnC","networking.k8s.io\u002Fv1\n",[112,129,131,134,136],{"class":114,"line":130},2,[112,132,133],{"class":118},"kind",[112,135,123],{"class":122},[112,137,138],{"class":126},"NetworkPolicy\n",[112,140,142,145],{"class":114,"line":141},3,[112,143,144],{"class":118},"metadata",[112,146,147],{"class":122},":\n",[112,149,151,154,156],{"class":114,"line":150},4,[112,152,153],{"class":118},"  name",[112,155,123],{"class":122},[112,157,158],{"class":126},"allow-frontend-to-backend\n",[112,160,162,165,167],{"class":114,"line":161},5,[112,163,164],{"class":118},"  namespace",[112,166,123],{"class":122},[112,168,169],{"class":126},"production\n",[112,171,173,176],{"class":114,"line":172},6,[112,174,175],{"class":118},"spec",[112,177,147],{"class":122},[112,179,181,184],{"class":114,"line":180},7,[112,182,183],{"class":118},"  podSelector",[112,185,147],{"class":122},[112,187,189,192],{"class":114,"line":188},8,[112,190,191],{"class":118},"    matchLabels",[112,193,147],{"class":122},[112,195,197,200,202],{"class":114,"line":196},9,[112,198,199],{"class":118},"      app",[112,201,123],{"class":122},[112,203,204],{"class":126},"backend\n",[112,206,208,211],{"class":114,"line":207},10,[112,209,210],{"class":118},"  policyTypes",[112,212,147],{"class":122},[112,214,216,219],{"class":114,"line":215},11,[112,217,218],{"class":122},"    - ",[112,220,221],{"class":126},"Ingress\n",[112,223,225,228],{"class":114,"line":224},12,[112,226,227],{"class":118},"  ingress",[112,229,147],{"class":122},[112,231,233,235,238],{"class":114,"line":232},13,[112,234,218],{"class":122},[112,236,237],{"class":118},"from",[112,239,147],{"class":122},[112,241,243,246,249],{"class":114,"line":242},14,[112,244,245],{"class":122},"        - ",[112,247,248],{"class":118},"podSelector",[112,250,147],{"class":122},[112,252,254,257],{"class":114,"line":253},15,[112,255,256],{"class":118},"            matchLabels",[112,258,147],{"class":122},[112,260,262,265,267],{"class":114,"line":261},16,[112,263,264],{"class":118},"              app",[112,266,123],{"class":122},[112,268,269],{"class":126},"frontend\n",[112,271,273,276],{"class":114,"line":272},17,[112,274,275],{"class":118},"      ports",[112,277,147],{"class":122},[112,279,281,283,286,288],{"class":114,"line":280},18,[112,282,245],{"class":122},[112,284,285],{"class":118},"protocol",[112,287,123],{"class":122},[112,289,290],{"class":126},"TCP\n",[112,292,294,297,299],{"class":114,"line":293},19,[112,295,296],{"class":118},"          port",[112,298,123],{"class":122},[112,300,302],{"class":301},"sj4cs","8080\n",[10,304,305],{},"This policy allows only traffic from frontend pods to the backend on port 8080. All other inbound traffic is implicitly blocked.",[19,307,309],{"id":308},"warum-das-wichtig-ist","Why This Matters",[10,311,312,313,316,317,320],{},"The ongoing shift of workloads to the cloud and the spread of hybrid working models render the classic network perimeter obsolete. Zero Trust addresses this reality by binding security not to network boundaries but to identities and policies. With growing support from CNI technologies such as ",[14,314,315],{},"Calico"," and ",[14,318,319],{},"Cilium",", implementation in containerised environments is becoming increasingly practical.",[322,323,324],"style",{},"html pre.shiki code .s9eBZ, html code.shiki .s9eBZ{--shiki-default:#22863A;--shiki-dark:#85E89D}html pre.shiki code .sVt8B, html code.shiki .sVt8B{--shiki-default:#24292E;--shiki-dark:#E1E4E8}html pre.shiki code .sZZnC, html code.shiki .sZZnC{--shiki-default:#032F62;--shiki-dark:#9ECBFF}html pre.shiki code .sj4cs, html code.shiki .sj4cs{--shiki-default:#005CC5;--shiki-dark:#79B8FF}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":107,"searchDepth":130,"depth":130,"links":326},[327,328,329],{"id":21,"depth":130,"text":22},{"id":65,"depth":130,"text":66},{"id":308,"depth":130,"text":309},"\u002Fimg\u002Fblog\u002Fzero-trust-cover.jpg","2026-03-24","Zero Trust replaces the classic perimeter model with continuous verification and minimal access rights.",false,"md",{},true,"\u002Fde\u002Fblog\u002Fzero-trust-architektur-sicherheit-jenseits-des-perimeters",{"title":5,"description":332},"de\u002Fblog\u002Fzero-trust-architektur-sicherheit-jenseits-des-perimeters",[341,342,343],"Zero Trust","Cybersecurity","Architecture","wzJ2M-zU0YMB9azX6JGGfbol5G5n1WLuuG4kypOXheA",1775680578622]