# Zero Trust Architecture for Security Operations
Zero Trust ("never trust, always verify") is particularly important for SOC infrastructure. A compromised SIEM or SOAR platform is catastrophic — it would give an attacker visibility into every detection rule, active investigation, and response action. This document applies Zero Trust principles specifically to security operations tooling.
## Zero Trust Principles Applied to SOC
The three core Zero Trust principles, applied to security operations:
| Principle | General Meaning | SOC Application |
|---|---|---|
| Verify explicitly | Authenticate and authorize every access request | MFA for all SOC tool access; no implicit trust for analysts on corporate network |
| Least privilege | Grant minimum access needed for the task | Role-based access to log data; analysts see only the data they need |
| Assume breach | Design as if the perimeter is already compromised | Segment SOC tools from production; encrypt all internal traffic; monitor SOC tool access |
A SOC that trusts its own network perimeter for analyst access is vulnerable. Insider threats and compromised analyst machines can access every security log, alert, and investigation.
## Zero Trust Access Flow for SOC Analysts
```mermaid
sequenceDiagram
    participant A as SOC Analyst
    participant IDP as Identity Provider (IdP)
    participant MFA as MFA Challenge
    participant CA as Conditional Access Policy
    participant PIM as Privileged Identity Management
    participant SIEM as SIEM Platform
    A->>IDP: Request SIEM access
    IDP->>MFA: Require MFA
    MFA-->>IDP: MFA approved
    IDP->>CA: Evaluate policy
    Note over CA: Check: Device compliant?<br/>Location allowed?<br/>Risk score acceptable?
    CA-->>IDP: Access conditions met
    A->>PIM: Request elevated role (if admin task)
    Note over PIM: JIT role activation<br/>Time-limited (4h max)
    PIM-->>A: Role activated
    A->>SIEM: Authenticated access granted
    Note over SIEM: Access logged with context<br/>Session monitored
```

## Identity Controls for SOC Tooling
### Analyst Access Requirements (Nexus SecOps-111–116)
Authentication:

- MFA MUST be required for all SOC tool access — no exceptions
- Phishing-resistant MFA (hardware key or number matching) REQUIRED for admin-level access
- Passwordless authentication SHOULD be used where the platform supports it
Authorization (Role-Based Access Control):
| Role | SIEM Access | EDR Access | SOAR Access | Admin |
|---|---|---|---|---|
| Tier 1 Analyst | Read: assigned tenant | Read: own queue | Read: assigned cases | No |
| Tier 2 Analyst | Read: all tenants | Read + isolate | Read + execute approved | No |
| Detection Engineer | Read all + write rules | Read | Read + write playbooks | No |
| SOC Manager | Read all + reports | Read all | Full | Limited |
| Platform Admin | Full | Full | Full | Yes — JIT only |
Privileged Access:

- Platform admin access to SIEM/SOAR MUST use Privileged Identity Management (PIM/JIT)
- Admin sessions MUST be time-limited (4 hours maximum)
- All privileged sessions MUST be recorded (session recording)
- Break-glass admin accounts MUST require dual approval and immediate notification
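The access decision described by the requirements above, written out as a policy check. This is an added example, not the page's or any vendor's code: the role matrix is transcribed from the RBAC table, while the role identifiers, MFA method labels, and the `Session` fields are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple
# Role matrix transcribed from the table above (tool -> role -> permitted actions); only Platform Admin holds "admin".
ROLE_MATRIX = {
    "siem": {"tier1": {"read"}, "tier2": {"read"}, "detection_engineer": {"read", "write_rules"},
             "soc_manager": {"read", "reports"}, "platform_admin": {"read", "write_rules", "admin"}},
    "soar": {"tier1": {"read"}, "tier2": {"read", "execute_approved"}, "detection_engineer": {"read", "write_playbooks"},
             "soc_manager": {"read", "execute_approved", "write_playbooks"},
             "platform_admin": {"read", "execute_approved", "write_playbooks", "admin"}},
}
PHISHING_RESISTANT_MFA = {"fido2", "number_match"}  # hardware key or number matching
MAX_ELEVATION = timedelta(hours=4)                   # admin sessions are time-limited

@dataclass
class Session:
    user: str
    role: str
    mfa_method: str                               # assumed labels: "fido2", "number_match", "totp" or "none"
    device_compliant: bool
    jit_activated_at: Optional[datetime] = None   # set by PIM on JIT activation, else None

def evaluate(s: Session, tool: str, action: str, now: datetime) -> Tuple[bool, str]:
    """Verify explicitly on every request; being on the corporate network grants nothing."""
    if s.mfa_method == "none":
        return False, "MFA required for all SOC tool access"
    if not s.device_compliant:
        return False, "conditional access: device not compliant"
    if action not in ROLE_MATRIX.get(tool, {}).get(s.role, set()):
        return False, f"least privilege: {s.role} may not '{action}' on {tool}"
    if action == "admin":  # privileged access: phishing-resistant MFA plus an unexpired JIT elevation
        if s.mfa_method not in PHISHING_RESISTANT_MFA:
            return False, "admin access requires phishing-resistant MFA"
        if s.jit_activated_at is None:
            return False, "admin access requires JIT activation through PIM"
        if now - s.jit_activated_at > MAX_ELEVATION:
            return False, "JIT elevation expired (4h maximum)"
    return True, "granted; log with session context and monitor the session"

def demo() -> dict:
    # Constructed scenarios; returns scenario name -> allowed?
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    admin = lambda mfa, jit: Session("p1", "platform_admin", mfa, True, jit)
    return {
        "tier1_reads_siem": evaluate(Session("a1", "tier1", "totp", True), "siem", "read", now)[0],
        "tier1_executes_soar": evaluate(Session("a1", "tier1", "totp", True), "soar", "execute_approved", now)[0],
        "no_mfa": evaluate(Session("a1", "tier1", "none", True), "siem", "read", now)[0],
        "admin_without_jit": evaluate(admin("fido2", None), "siem", "admin", now)[0],
        "admin_totp": evaluate(admin("totp", now), "siem", "admin", now)[0],
        "admin_jit_1h": evaluate(admin("fido2", now - timedelta(hours=1)), "siem", "admin", now)[0],
        "admin_jit_5h": evaluate(admin("fido2", now - timedelta(hours=5)), "siem", "admin", now)[0],
    }
```

Every denial reason is returned alongside the decision so that it can be written to the SIEM with the session context.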
## Network Segmentation for SOC Infrastructure
SOC tools MUST be isolated from the production environment they monitor:
```text
[Production Network]
        |
[Firewall / ACL — read-only, one-way]
        |
[SOC Infrastructure VLAN]
   ├── SIEM Platform
   ├── SOAR Platform
   ├── Threat Intelligence Platform
   ├── Case Management
   └── Analyst Workstations
        |
[Firewall / controlled egress]
        |
[Internet / External services]
```
Log data flows INTO the SOC VLAN (one-way read); containment actions flow OUT via dedicated controlled API paths. The SIEM should never need a direct connection to production systems for response actions.
Network rules:

- SIEM receives log data from log collectors (inbound)
- SIEM MUST NOT have direct read/write access to production systems
- SOAR actions (account disable, host isolation) use dedicated service accounts with minimum required permissions
- No lateral movement possible from SOC VLAN to production via network
## Data Access Controls (Log Data Zero Trust)
Not all analysts should access all log data. Apply data segmentation:
| Log Type | Who Can Access | Rationale |
|---|---|---|
| Authentication logs | Tier 2+ only | Contains user credential activity patterns |
| HR system logs | Tier 2+ and CTI only | Sensitive employee data |
| Executive activity logs | Tier 3 + SOC Manager only | High sensitivity; insider threat risk |
| Production DB logs | Tier 2+ only | Contains schema and query patterns |
| DLP/email content logs | Tier 2+ only | May contain sensitive content |
| Network flow (summary) | All tiers | Low sensitivity; needed for triage |
Implementation: Use SIEM index-level RBAC to enforce data segmentation. Tier 1 analysts should not be able to query authentication logs directly — enrichment automation surfaces the relevant context.
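An added illustration of the index-level RBAC and enrichment pattern just described (not code from any SIEM product): the index policy is transcribed from the table above, while the index names, role identifiers, the `enrichment_svc` automation identity, and the sample authentication events are constructed for this example.

```python
from typing import List

# Index-level access policy transcribed from the table above (index -> roles that may query it).
# "enrichment_svc" is an assumed automation identity that reads auth logs on Tier 1's behalf.
INDEX_ACCESS = {
    "auth": {"tier2", "tier3", "soc_manager", "enrichment_svc"},
    "hr": {"tier2", "tier3", "soc_manager", "cti"},
    "exec_activity": {"tier3", "soc_manager"},
    "prod_db": {"tier2", "tier3", "soc_manager"},
    "dlp_email": {"tier2", "tier3", "soc_manager"},
    "netflow_summary": {"tier1", "tier2", "tier3", "soc_manager", "cti"},
}

# Constructed sample events standing in for the SIEM's "auth" index (oldest first).
AUTH_INDEX = [
    {"user": "jdoe", "result": "failure", "src_ip": "203.0.113.5"},
    {"user": "jdoe", "result": "failure", "src_ip": "203.0.113.5"},
    {"user": "jdoe", "result": "failure", "src_ip": "198.51.100.7"},
    {"user": "jdoe", "result": "success", "src_ip": "198.51.100.7"},
    {"user": "asmith", "result": "success", "src_ip": "192.0.2.10"},
]
INDEXES = {"auth": AUTH_INDEX, "netflow_summary": []}

class AccessDenied(PermissionError):
    pass

def query(role: str, index: str, audit: List[dict]) -> List[dict]:
    """Index-level RBAC: checked on every query, and every decision is written to the audit trail."""
    allowed = role in INDEX_ACCESS.get(index, set())
    audit.append({"role": role, "index": index, "allowed": allowed})
    if not allowed:
        raise AccessDenied(f"{role} may not query index '{index}'")
    return list(INDEXES.get(index, []))

def enrich_alert(alert: dict, audit: List[dict]) -> dict:
    """Runs under the enrichment service identity and returns derived context only,
    so a Tier 1 analyst gets the pattern without ever reading raw authentication events."""
    events = [e for e in query("enrichment_svc", "auth", audit) if e["user"] == alert["user"]]
    failures = [e for e in events if e["result"] == "failure"]
    return {
        "user": alert["user"],
        "failed_logins": len(failures),
        "distinct_failure_sources": len({e["src_ip"] for e in failures}),
        "last_result": events[-1]["result"] if events else None,
    }
```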
## Zero Trust for SOAR Credentials
SOAR playbooks interact with dozens of systems via APIs. Poorly managed credentials are a major risk.
Requirements (Nexus SecOps-104):
- No hardcoded credentials — All credentials stored in a secrets vault (HashiCorp Vault, Azure Key Vault, AWS Secrets Manager)
- Service accounts, not personal accounts — Playbook service accounts are dedicated; not shared with human users
- Minimum required permissions — Service accounts have only the permissions needed for their specific playbook action
- Credential rotation — API keys and service account passwords rotated every [90 days / per policy]
- Credential access logged — Every secrets retrieval is logged to the SIEM
- Emergency revocation — Process exists to revoke all SOAR credentials within 1 hour if SOAR is compromised
Vault integration pattern:
```text
[Playbook runs]
  → Vault API call (authenticated with playbook service identity)
  → Vault validates and returns short-lived credential
  → Playbook uses credential for action
  → Credential expires after [15 minutes]
  → All steps logged
```
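The vault integration pattern above, simulated end to end as an added example (not a real vault client or any vendor's API): `Vault`, `Lease` and `playbook_action` are assumed names, the service identity and secret name are constructed, and the lease TTL follows the 15-minute placeholder in the pattern.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

LEASE_TTL = timedelta(minutes=15)   # short-lived credential, as in the pattern above

@dataclass
class Lease:
    lease_id: str
    secret_name: str
    credential: str
    issued_to: str
    issued_at: datetime
    expires_at: datetime

class Vault:
    """Stand-in for a secrets vault (assumed interface, not any vendor's client library)."""
    def __init__(self, siem_log: List[dict]):
        self.siem_log = siem_log                      # every retrieval is logged to the SIEM
        self._policy: Dict[str, Set[str]] = {}        # secret_name -> service identities allowed
        self._revoked_at: Optional[datetime] = None   # set by emergency revocation
    def allow(self, secret_name: str, service_identity: str) -> None:
        self._policy.setdefault(secret_name, set()).add(service_identity)
    def issue(self, service_identity: str, secret_name: str, now: datetime) -> Lease:
        """Authenticate the playbook identity, then hand back a credential that expires on its own."""
        if service_identity not in self._policy.get(secret_name, set()):
            self.siem_log.append({"event": "vault.deny", "identity": service_identity, "secret": secret_name})
            raise PermissionError(f"{service_identity} is not authorised for {secret_name}")
        lease = Lease(secrets.token_hex(8), secret_name, secrets.token_urlsafe(24),
                      service_identity, now, now + LEASE_TTL)
        self.siem_log.append({"event": "vault.issue", "identity": service_identity,
                              "secret": secret_name, "lease": lease.lease_id})
        return lease
    def is_valid(self, lease: Lease, now: datetime) -> bool:
        if self._revoked_at is not None and lease.issued_at <= self._revoked_at:
            return False   # emergency revocation invalidates every outstanding lease at once
        return now < lease.expires_at
    def revoke_all(self, now: datetime) -> None:
        self._revoked_at = now
        self.siem_log.append({"event": "vault.revoke_all", "at": now.isoformat()})

def playbook_action(vault: Vault, service_identity: str, secret_name: str,
                    retrieved_at: datetime, used_at: datetime) -> bool:
    """One playbook step: retrieve a lease, use it later; returns whether the credential was still valid."""
    lease = vault.issue(service_identity, secret_name, retrieved_at)
    ok = vault.is_valid(lease, used_at)
    vault.siem_log.append({"event": "playbook.action", "lease": lease.lease_id, "ok": ok})
    return ok
```

A playbook that holds a credential past its lease, or past an emergency revocation, is refused without any per-system cleanup, which is what makes the one-hour revocation requirement achievable.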
## Zero Trust for LLM Copilot
LLM copilots processing security context need specific Zero Trust controls:
| Control | Requirement | Nexus SecOps |
|---|---|---|
| Analyst authentication | MFA before accessing LLM copilot | Nexus SecOps-189 |
| Context isolation | Each analyst session is isolated; no cross-session data leakage | Nexus SecOps-187 |
| Data classification | Classified data filtered before LLM API submission | Nexus SecOps-186 |
| Knowledge base access | RAG knowledge base access-controlled per role | Nexus SecOps-198 |
| Prompt logging | All prompts and responses logged for audit | Nexus SecOps-192 |
## Microsegmentation for SOC Tools
Apply microsegmentation within the SOC VLAN:
```text
SOC VLAN
├── SIEM Segment
│   ├── SIEM indexers: receive logs, serve queries
│   ├── Only SOAR and analyst workstations can query
│   └── No outbound to production
├── SOAR Segment
│   ├── Receives alerts from SIEM
│   ├── Outbound via approved API paths only
│   └── Human gate server isolated
├── TIP Segment
│   ├── Inbound: external feeds (controlled)
│   ├── Outbound to SIEM and SOAR only
│   └── No direct access to production
└── Analyst Workstation Segment
    ├── SIEM query access only
    ├── Case management access only
    └── No direct production network access
```
## Zero Trust Maturity Progression
Implement Zero Trust for SOC infrastructure progressively:
| Maturity Stage | Focus Area | Key Actions |
|---|---|---|
| Stage 1 | Identity | MFA for all SOC tools; basic RBAC |
| Stage 2 | Devices | Device compliance checks before SOC tool access; managed analyst workstations |
| Stage 3 | Network | Dedicated SOC VLAN; log-only inbound from production |
| Stage 4 | Applications | App-level RBAC for SIEM; data-level segmentation for sensitive logs |
| Stage 5 | Data | Full data classification applied to log storage; analyst data scoping |
| Stage 6 | Automation | Vault-managed credentials; session recording for admin access |
## Common Zero Trust Mistakes in SOC Environments

**Avoid these:**
- Using admin accounts for daily analyst work. Admin should be JIT only; daily work uses standard roles.
- Allowing analyst workstations to reach production directly. Even investigation should go through SIEM, not direct host access.
- Hardcoded SOAR credentials. These are discovered in code reviews, playbook exports, and compromised SOAR instances.
- No audit log for SIEM admin actions. Who changed that detection rule? Who deleted that index? Must be answerable.
- Shared analyst accounts. Non-repudiation requires individual accounts. Shared accounts are an audit and forensics failure.
- Trusting the analyst VLAN. An analyst machine can be compromised. Zero Trust means even internal SOC network access is authenticated and authorized.
## Nexus SecOps Control Mapping
| Zero Trust Control | Nexus SecOps Controls |
|---|---|
| MFA for SOC tools | Nexus SecOps-111, Nexus SecOps-113 |
| RBAC for SIEM/SOAR | Nexus SecOps-114, Nexus SecOps-205 |
| JIT admin access | Nexus SecOps-116, Nexus SecOps-118 |
| Network segmentation | Nexus SecOps-121, Nexus SecOps-122 |
| SOC tool session recording | Nexus SecOps-118 |
| Vault-managed credentials | Nexus SecOps-104, Nexus SecOps-112 |
| LLM access controls | Nexus SecOps-186, Nexus SecOps-189, Nexus SecOps-192 |
| Log integrity | Nexus SecOps-005 |
| Analyst activity monitoring | Nexus SecOps-049, Nexus SecOps-119 |
See also: Reference Architecture | Integration Patterns

Related chapters: Chapter 13: Governance | Chapter 33: Identity & Access Security