Adaptive Zero-Trust Engine
The UBU Finance backend implements an Adaptive Zero-Trust Engine that provides advanced security features including risk-based MFA prompts, device posture checks, and geo-fencing capabilities.
Overview
The Zero-Trust Engine operates on the principle of "never trust, always verify" and continuously evaluates risk factors for each user interaction with the system. Based on the risk assessment, it can dynamically require different levels of authentication.
Key Features
Risk-Based MFA Prompts
The system dynamically determines when to require Multi-Factor Authentication (MFA) based on multiple risk factors:
- New or untrusted devices: When a user logs in from a device not previously used
- Unusual locations: When a login occurs from a geographic location significantly different from previous logins
- Unusual login times: When a user logs in at times that differ from their established patterns
- Transaction value: Higher value transactions automatically trigger stronger authentication requirements
Based on the assessed risk level, the system can require different types of MFA:
- Low risk: No additional authentication required
- Medium risk: One-time password (OTP) required
- High risk: Biometric authentication required
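The risk scoring described above, as an added Python example that is not the project's own zero_trust.py code: it scores the four factors listed, then maps the total to the low/medium/high levels and their MFA types. The factor weights, the 500 km distance cutoff, the score thresholds, the UserHistory record and the coordinates are all illustrative assumptions and constructed sample data.

```python
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class UserHistory:
    """Constructed view of what the engine knows about a user (assumed shape)."""
    known_devices: Set[str]
    last_login_coords: Optional[Tuple[float, float]]  # (lat, lon) of the previous login
    usual_login_hours: Set[int] = field(default_factory=set)  # UTC hours seen before


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def assess_risk(history: UserHistory, device_id: str, coords: Tuple[float, float],
                login_hour: int, amount: float,
                high_value_threshold: float = 1000.0, far_km: float = 500.0) -> Dict[str, object]:
    """Score each risk factor (weights are illustrative) and map the total to an MFA level."""
    score = 0
    reasons: List[str] = []
    if device_id not in history.known_devices:
        score += 2
        reasons.append("new_device")
    if history.last_login_coords is not None and haversine_km(history.last_login_coords, coords) > far_km:
        score += 2
        reasons.append("unusual_location")
    # An odd hour alone is weak evidence; it only raises the level in combination.
    if history.usual_login_hours and login_hour not in history.usual_login_hours:
        score += 1
        reasons.append("unusual_time")
    if amount >= high_value_threshold:
        score += 2
        reasons.append("high_value")
    if score >= 4:
        level, mfa = "high", "biometric"
    elif score >= 2:
        level, mfa = "medium", "otp"
    else:
        level, mfa = "low", None
    return {"risk_level": level, "mfa": mfa, "score": score, "reasons": reasons}


# Constructed sample data: a user whose previous logins came from London on device "dev-a".
LONDON = (51.5074, -0.1278)
NEW_YORK = (40.7128, -74.0060)


def sample_history() -> UserHistory:
    return UserHistory(known_devices={"dev-a"}, last_login_coords=LONDON, usual_login_hours={9, 10, 11})


if __name__ == "__main__":
    h = sample_history()
    print(assess_risk(h, "dev-a", LONDON, 10, 50))       # low: nothing unusual
    print(assess_risk(h, "dev-b", NEW_YORK, 3, 5000))    # high: every factor fires
```

Each decision carries its reasons so the security event that is logged explains why a step-up was demanded; the threshold parameter is the place to feed in the MFA_REQUIRED_FOR_HIGH_VALUE setting.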
Device Posture Checks
The system can evaluate the security posture of the device being used to access the system, checking:
- Antivirus status
- Firewall status
- Disk encryption status
- Security patch status
Access to sensitive functions can be restricted based on the device's security health.
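A posture evaluator for the four signals listed above, as an added Python example rather than the project's own check_device_posture: the report keys, the 30-day patch window and the healthy/degraded/unhealthy scale are assumptions, and the sample reports are constructed. The point it demonstrates is failing closed: a signal that is missing or not a real boolean counts as a failed control, so an agent that cannot report a control does not pass by omission.

```python
from typing import Any, Dict, List

# Ordering used when an endpoint demands a minimum health level (assumed scale).
HEALTH_ORDER = {"unhealthy": 0, "degraded": 1, "healthy": 2}


def evaluate_posture(report: Dict[str, Any], max_patch_age_days: int = 30) -> Dict[str, Any]:
    """Turn a device's self-reported posture into an overall health verdict.

    Any signal that is missing or malformed is a failure: only a literal True
    passes a boolean control, and only a non-negative int passes the patch check.
    """
    failures: List[str] = []
    for signal in ("antivirus", "firewall", "disk_encryption"):
        if report.get(signal) is not True:
            failures.append(signal)
    patch_age = report.get("patch_age_days")
    if (not isinstance(patch_age, int) or isinstance(patch_age, bool)
            or patch_age < 0 or patch_age > max_patch_age_days):
        failures.append("security_patches")
    if not failures:
        overall = "healthy"
    elif len(failures) == 1:
        overall = "degraded"
    else:
        overall = "unhealthy"
    return {"overall_health": overall, "failures": failures}


def meets_requirement(posture: Dict[str, Any], required: str = "healthy") -> bool:
    """True when the device's health is at least the level an endpoint demands."""
    return HEALTH_ORDER[posture["overall_health"]] >= HEALTH_ORDER[required]


def sample_reports() -> Dict[str, Dict[str, Any]]:
    """Constructed sample reports, not output of a real endpoint agent."""
    return {
        "clean": {"antivirus": True, "firewall": True, "disk_encryption": True, "patch_age_days": 3},
        "no_firewall_key": {"antivirus": True, "disk_encryption": True, "patch_age_days": 3},
        "stale": {"antivirus": False, "firewall": True, "disk_encryption": True, "patch_age_days": 90},
        # Strings that look true but are not booleans must not pass.
        "string_values": {"antivirus": "true", "firewall": "true", "disk_encryption": "true", "patch_age_days": "0"},
    }


if __name__ == "__main__":
    for name, report in sample_reports().items():
        posture = evaluate_posture(report)
        print(name, posture, "sensitive ok:", meets_requirement(posture, "healthy"))
```

Posture data is self-reported by the client, so the verdict should gate what a compromised or misreporting device can do, not replace authentication; the engine's other factors still apply.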
Geo-Fencing
The system implements geo-fencing capabilities that can restrict access to certain resources based on the user's geographic location:
- Different organizational units can have different geographic access policies
- Access can be restricted to specific countries or regions
- Unusual location changes trigger additional verification
Implementation Details
The Zero-Trust Engine is implemented in app/security/zero_trust.py and provides the following components:
- ZeroTrustEngine: The main engine that performs risk assessment and security checks
- require_mfa: A dependency that can be added to API endpoints to enforce MFA based on risk assessment
- enforce_geo_fencing: A dependency to enforce geo-fencing rules
- check_device_posture: A dependency to check device security posture
Usage Examples
Adding Risk-Based MFA to an Endpoint
```python
from fastapi import Depends, Request
from app.security.zero_trust import require_mfa

def mfa_for_transaction(request: Request, transaction: TransactionCreate) -> dict:
    # Named dependency: a Depends() lambda cannot see the endpoint's `transaction`
    # argument, and an untyped `req` parameter would be read as a query value.
    return require_mfa(request, request.state.user_id, transaction.amount)

@app.post("/api/high-value-transaction")
async def create_high_value_transaction(
    transaction: TransactionCreate,
    risk_assessment: dict = Depends(mfa_for_transaction),
):
    # Process transaction
    return {"status": "success", "risk_level": risk_assessment["risk_level"]}
```
Enforcing Geo-Fencing
```python
from fastapi import Depends, Request
from app.security.zero_trust import enforce_geo_fencing

def headquarters_geo_check(request: Request) -> bool:
    # The typed Request parameter makes FastAPI inject the request object
    return enforce_geo_fencing(request, request.state.user_id, "headquarters")

@app.get("/api/restricted-resources")
async def get_restricted_resources(
    request: Request,
    geo_check: bool = Depends(headquarters_geo_check),
):
    # Return restricted resources
    return {"resources": [...]}
```
Checking Device Posture
```python
from fastapi import Depends, Request
from app.security.zero_trust import check_device_posture

def healthy_device_required(request: Request) -> dict:
    # Demand the "healthy" posture level before the operation runs
    return check_device_posture(request, request.state.user_id, "healthy")

@app.post("/api/sensitive-operation")
async def perform_sensitive_operation(
    request: Request,
    posture: dict = Depends(healthy_device_required),
):
    # Perform sensitive operation
    return {"status": "success", "device_health": posture["overall_health"]}
```
Configuration
The Zero-Trust Engine can be configured through environment variables:
- GEOIP_DB_PATH: Path to the GeoIP database file (default: "data/GeoLite2-City.mmdb")
- ZERO_TRUST_ENABLED: Enable/disable the Zero-Trust Engine (default: "true")
- MFA_REQUIRED_FOR_HIGH_VALUE: Value threshold for requiring MFA (default: "1000")
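Reading these three variables with their documented defaults, as an added Python example (not the project's own settings code): the accepted spellings of true/false and the handling of bad values are assumptions. The check a practitioner wants here is that a malformed ZERO_TRUST_ENABLED or threshold does not silently switch the engine off or lower the threshold; the loader keeps the safe default and records a warning instead.

```python
import os
from decimal import Decimal, InvalidOperation
from typing import Any, Dict, List, Mapping, Optional

# Defaults as documented for the engine.
DEFAULTS = {
    "GEOIP_DB_PATH": "data/GeoLite2-City.mmdb",
    "ZERO_TRUST_ENABLED": "true",
    "MFA_REQUIRED_FOR_HIGH_VALUE": "1000",
}


def parse_bool(raw: str) -> Optional[bool]:
    """Accept a few common spellings; anything else returns None (assumed set of spellings)."""
    value = raw.strip().lower()
    if value in ("true", "1", "yes", "on"):
        return True
    if value in ("false", "0", "no", "off"):
        return False
    return None


def load_zero_trust_config(env: Optional[Mapping[str, str]] = None) -> Dict[str, Any]:
    """Build the engine settings from `env` (defaults to os.environ), failing closed on bad input."""
    source: Mapping[str, str] = os.environ if env is None else env
    warnings: List[str] = []

    raw_enabled = source.get("ZERO_TRUST_ENABLED", DEFAULTS["ZERO_TRUST_ENABLED"])
    enabled = parse_bool(raw_enabled)
    if enabled is None:
        # A typo must not disable the engine: keep it on and say so.
        warnings.append(f"ZERO_TRUST_ENABLED={raw_enabled!r} not understood; engine left enabled")
        enabled = True

    raw_threshold = source.get("MFA_REQUIRED_FOR_HIGH_VALUE", DEFAULTS["MFA_REQUIRED_FOR_HIGH_VALUE"])
    try:
        threshold = Decimal(raw_threshold)
        if not threshold.is_finite() or threshold < 0:
            raise InvalidOperation
    except (InvalidOperation, ValueError, TypeError):
        warnings.append(f"MFA_REQUIRED_FOR_HIGH_VALUE={raw_threshold!r} invalid; using default")
        threshold = Decimal(DEFAULTS["MFA_REQUIRED_FOR_HIGH_VALUE"])

    geoip_path = source.get("GEOIP_DB_PATH", DEFAULTS["GEOIP_DB_PATH"])
    return {
        "enabled": enabled,
        "high_value_threshold": threshold,
        "geoip_db_path": geoip_path,
        # Surfaced so startup can refuse to run geo-fencing against a missing database.
        "geoip_db_present": os.path.isfile(geoip_path),
        "warnings": warnings,
    }


if __name__ == "__main__":
    print(load_zero_trust_config({}))
    print(load_zero_trust_config({"ZERO_TRUST_ENABLED": "maybe", "MFA_REQUIRED_FOR_HIGH_VALUE": "-5"}))
```

Using Decimal for the threshold keeps the comparison with monetary amounts exact; a float threshold of "0.1" would not equal a Decimal amount of 0.10.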
Integration with Other Security Components
The Zero-Trust Engine integrates with other security components:
- Account Lockout: Works alongside the account lockout mechanism to provide defense in depth
- Rate Limiting: Complements rate limiting by adding contextual security
- Monitoring & Alerting: Generates security events that are logged and can trigger alerts