UC Berkeley MICS Network Security | Fall 2022
In Zero Trust Architecture (ZTA), the user and device are considered in conjunction when calculating Trust Scores.
This is a proof of concept (POC) that uses the device_detector gem to combine user and device data when making authorization decisions on a per-request basis.
In a real ZTA deployment, the Enforcer, Policy Engine, and Trust Engine would be separate components. This app is meant as a POC only, so the Policy and Trust components are embedded within the same app.
Most of the fields are standard fields you would see in a User model. Location could be used to flag a User who is logging in from an unusual location.
- First Name
- Last Name
- Location
- Password hash
Rudimentary model for a Device registry. The idea is to compare the data from the user agent making the request against the registered devices for the User, and ensure the User is logging in from an approved device. In a real ZTA you would not rely on the user agent alone to make this determination (it is supplied by the client), but for the purposes of this demo we are keeping things simple.
- Name
- Kind
- Preferred Browser
- OS Name
- Device belongs to a User
- User can have many devices
This is a simple "employee" dashboard with a homepage, a profile page, and a "super secret" restricted page.
Login screen:
Upon successful login, users are redirected to the dashboard index:
Users can see their profile and registered devices:
The "super secret" page is only accessible to registered devices for the User:
Registered device:
Unregistered device (mobile):
On an unregistered device, the user is redirected to their profile and shown an error message.
Relevant code:
```ruby
# user.rb
# `client` is the DeviceDetector object built from the request's User-Agent header.
def check_device_policy(client)
  devices.any? { |device| device.approved?(client) }
end

# device.rb
def approved?(client)
  # Fail closed if the detector could not identify the client OS; otherwise
  # String#include? would raise a TypeError on a nil os_name.
  return false if client.os_name.nil?
  # Substring match on OS name, exact match on device type.
  os_name.include?(client.os_name) && kind == client.device_type
end
```
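The following is an added example, not code from the project above, that models the device-registry comparison and the per-request policy check end to end without Rails or the device_detector gem. `ParsedClient` is an assumed stand-in for the DeviceDetector object the app builds from the User-Agent header, exposing only the two attributes the policy reads (`os_name` and `device_type`); the user, devices and client values are constructed sample data, and `authorize_secret_page` is a hypothetical enforcement helper that mirrors the allow-or-redirect behaviour of the "super secret" page.

```ruby
# ParsedClient stands in for DeviceDetector.new(user_agent) (assumption: only
# os_name and device_type are consulted, as in the policy above).
ParsedClient = Struct.new(:os_name, :device_type)

# Registered device, mirroring the Device model's fields.
RegisteredDevice = Struct.new(:name, :kind, :preferred_browser, :os_name) do
  # Fail closed when the detector could not identify the OS: an unknown
  # client must never satisfy the policy, and include?(nil) would raise.
  def approved?(client)
    return false if client.os_name.nil? || client.os_name.empty?
    os_name.include?(client.os_name) && kind == client.device_type
  end
end

# User with a has-many relationship to devices.
User = Struct.new(:first_name, :last_name, :location, :devices) do
  def check_device_policy(client)
    devices.any? { |device| device.approved?(client) }
  end
end

# Hypothetical enforcement point for the restricted page: allow, or send the
# user back to their profile with an error, as the dashboard does.
def authorize_secret_page(user, client)
  if user.check_device_policy(client)
    { status: :allow }
  else
    { status: :redirect, to: "/profile",
      error: "This device is not registered for your account." }
  end
end

# Constructed sample user with two registered desktop devices.
ALICE = User.new("Alice", "Example", "Berkeley, CA", [
  RegisteredDevice.new("work laptop", "desktop", "Chrome", "Mac OS X"),
  RegisteredDevice.new("lab desktop", "desktop", "Firefox", "Windows")
])

# Constructed detector results for three requests.
REGISTERED_CLIENT   = ParsedClient.new("Mac", "desktop")    # "Mac" is a substring of "Mac OS X"
UNREGISTERED_MOBILE = ParsedClient.new("iOS", "smartphone") # no matching device
UNKNOWN_CLIENT      = ParsedClient.new(nil, nil)            # unparseable User-Agent

if __FILE__ == $PROGRAM_NAME
  [REGISTERED_CLIENT, UNREGISTERED_MOBILE, UNKNOWN_CLIENT].each do |client|
    puts "#{client.inspect} => #{authorize_secret_page(ALICE, client)}"
  end
end
```

Running the file prints one decision per constructed client: the Mac desktop is allowed, the smartphone and the unparseable client are both redirected to the profile page. The nil/empty guard is the one behaviour not visible in the project's own snippet: without it an unrecognised User-Agent would either raise or, with `to_s`, turn into an empty string that `include?` matches against every registered OS name.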