Tessera

Zero Trust (NIST SP 800-207)

Authorize per request, not per session — the edge is the PEP, Regorus is the PE, the Go control plane is the PA.

Zero Trust (NIST SP 800-207) removes implicit trust from the network and makes every request prove itself. The load-bearing tenet for Tessera is continuous verification: the engine re-evaluates authorization per request with a fresh environment (device, time, risk) and never caches an allow decision for the life of a session.

The architecture maps onto the standard’s roles exactly: the edge Worker is the Policy Enforcement Point and carries no policy logic; the Regorus-evaluated bundle is the Policy Engine; and the Go control plane is the Policy Administrator that mints and revokes sessions and signs and pushes policy bundles. Decisions are server-side, deny-by-default, and fail closed.

Code

```rust
// Zero Trust tenet #3/#6: re-evaluate authorization PER REQUEST with fresh
// environment input — never cache an allow decision for the session.
async fn handle(req: Request, ctx: Ctx) -> Result<Response> {
    let input = Input {
        subject: ctx.session.subject(),          // who, + roles
        action: req.action(),
        resource: req.resource(),
        environment: ctx.fresh_environment(),     // device, time, risk — fresh each call
    };
    // PEP = this edge Worker (no policy logic). PE = Regorus bundle.
    match ctx.regorus.eval_allow(&input).await {
        Ok(true) => proceed(req).await,
        _ => Response::forbidden(), // fail closed on deny/error/undefined
    }
}
```

Standards it follows

NIST SP 800-207 (Zero Trust Architecture)
https://csrc.nist.gov/pubs/sp/800/207/final
NIST SP 800-207A (ZT for multi-cloud)
https://csrc.nist.gov/pubs/sp/800/207/a/final

Best practices applied

  • Re-evaluate authorization per request with fresh environment input (SP 800-207 tenets 3 and 6, as the code comment above notes).
  • Map the architecture cleanly — PEP = edge Worker (no policy logic), PE = Regorus-evaluated bundle, PA = Go control plane.
  • Make authorization decisions server-side only, deny-by-default, with immediate effect on entitlement changes (ASVS V8).
  • Use identity-centric authorization across clouds rather than network location (SP 800-207A).
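The following is an added, self-contained illustration of the PEP / PE / PA split and the per-request re-evaluation described in the architecture paragraph and in the best-practices list above. It is not Tessera's code: a small rule-based `RulePolicy` stands in for the Regorus-evaluated bundle, an in-memory `SessionStore` stands in for the Go control plane, and the handler is synchronous so the example runs with no external crates. All type and function names are assumptions chosen for the example.

```rust
// Added example, not from the Tessera project. Stand-ins: RulePolicy replaces
// the Regorus bundle (PE); SessionStore replaces the Go control plane (PA).
use std::collections::HashMap;

#[derive(Clone, Debug, PartialEq)]
pub struct Environment {
    pub device_compliant: bool,
    pub risk_score: u8, // constructed scale: 0 = low risk, 100 = high
}

pub struct Input<'a> {
    pub subject: &'a str,
    pub roles: &'a [String],
    pub action: &'a str,
    pub resource: &'a str,
    pub environment: Environment,
}

#[derive(Debug, PartialEq)]
pub enum Decision { Allow, Deny }

/// Policy Engine (PE): the only component that holds policy logic.
pub trait PolicyEngine {
    /// Ok(true) = allow, Ok(false) = deny, Err = evaluation failed / undefined.
    fn eval_allow(&self, input: &Input) -> Result<bool, String>;
}

/// Stand-in PE with deny-by-default rules, shaped like a Rego `allow` rule.
pub struct RulePolicy { pub max_risk: u8 }

impl PolicyEngine for RulePolicy {
    fn eval_allow(&self, input: &Input) -> Result<bool, String> {
        if input.environment.risk_score > 100 {
            return Err("risk score out of range".into()); // undefined input -> error
        }
        let role_ok = match input.action {
            "read" => input.roles.iter().any(|r| r == "reader" || r == "admin"),
            "write" => input.roles.iter().any(|r| r == "admin"),
            _ => false, // unknown action: default deny
        };
        let env = &input.environment;
        Ok(role_ok && env.device_compliant && env.risk_score <= self.max_risk)
    }
}

/// Policy Administrator (PA) stand-in: mints and revokes sessions.
#[derive(Default)]
pub struct SessionStore { sessions: HashMap<String, (String, Vec<String>)> }

impl SessionStore {
    pub fn mint(&mut self, token: &str, subject: &str, roles: &[&str]) {
        let roles = roles.iter().map(|s| s.to_string()).collect();
        self.sessions.insert(token.into(), (subject.into(), roles));
    }
    pub fn revoke(&mut self, token: &str) { self.sessions.remove(token); }
    pub fn lookup(&self, token: &str) -> Option<&(String, Vec<String>)> { self.sessions.get(token) }
}

/// Policy Enforcement Point (PEP): builds the input with a FRESH environment on
/// every call, asks the PE, and fails closed. No policy logic lives here.
pub fn handle(
    pe: &dyn PolicyEngine,
    pa: &SessionStore,
    token: &str,
    action: &str,
    resource: &str,
    fresh_env: Environment, // re-sampled by the caller per request, never cached
) -> Decision {
    let Some((subject, roles)) = pa.lookup(token) else {
        return Decision::Deny; // unknown or revoked session -> deny
    };
    let input = Input { subject, roles, action, resource, environment: fresh_env };
    match pe.eval_allow(&input) {
        Ok(true) => Decision::Allow,
        _ => Decision::Deny, // deny, error and undefined all fail closed
    }
}

/// One session, five requests: the decision changes as environment and entitlements change.
pub fn demo() -> Vec<Decision> {
    let pe = RulePolicy { max_risk: 50 };
    let mut pa = SessionStore::default();
    pa.mint("tok-1", "alice", &["reader"]);
    let ok = Environment { device_compliant: true, risk_score: 10 };
    let drift = Environment { device_compliant: false, risk_score: 10 };
    let bad = Environment { device_compliant: true, risk_score: 200 };
    let mut out = vec![
        handle(&pe, &pa, "tok-1", "read", "/doc/1", ok.clone()),  // Allow
        handle(&pe, &pa, "tok-1", "read", "/doc/1", drift),       // Deny: device drifted mid-session
        handle(&pe, &pa, "tok-1", "write", "/doc/1", ok.clone()), // Deny: role lacks write
        handle(&pe, &pa, "tok-1", "read", "/doc/1", bad),         // Deny: engine error, fail closed
    ];
    pa.revoke("tok-1"); // PA revokes; takes effect on the very next request
    out.push(handle(&pe, &pa, "tok-1", "read", "/doc/1", ok));   // Deny
    out
}

fn main() { println!("{:?}", demo()); }
```

The point to notice is that `handle` never stores a decision: the second request on the same session is denied purely because the freshly sampled environment changed, and the revocation issued by the PA stand-in is honoured on the next call without any token expiry or cache invalidation step.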