Build on Trust: Zero Trust with Choreo

In today’s digital landscape, traditional perimeter defenses fall short. Zero trust is now essential for securing cloud-native applications—where every request, user, and workload is continuously verified. Trust is never assumed; it’s always earned.

Choreo delivers a comprehensive zero trust architecture as an inherent part of its platform. This integrated security layer empowers both platform engineers and application developers with greater confidence, hardening your applications and infrastructure against evolving threats from development to deployment and beyond.


What is Zero Trust?

Zero trust is a security framework built on the principle of "never trust, always verify." It assumes that threats can originate from anywhere, both inside and outside your network. Therefore, every access request must be rigorously authenticated, authorized, and continuously validated.

Key zero trust model principles include:

  • Continuous verification of identities
  • Least-privilege access enforcement
  • Microsegmentation of networks and workloads
  • Real-time threat detection and response

Why Zero Trust Matters for an Internal Developer Platform (IDP)

As more organizations adopt cloud-native architectures, developer self-service, and multi-cloud deployments, traditional security models fall short. Internal developer platforms (IDPs) are at the heart of modern software delivery, but without built-in zero trust they can expose sensitive systems and data to risk.

In an IDP, developers can provision infrastructure, deploy services, and integrate APIs autonomously. This speed and flexibility must be balanced with security. Zero trust ensures that every request, whether from users, services, or workloads, is continuously verified, authenticated, and authorized.

Embedding zero trust into an IDP enables:

  • Consistent security enforcement across services and environments.
  • Minimized blast radius through strong isolation and least-privilege access.
  • Secure automation of builds, deployments, and API interactions.
  • Compliance readiness with centralized audit trails and policy enforcement.

Zero trust is no longer optional—it’s essential for any secure, scalable, and modern IDP. Choreo bakes these zero trust principles into its architecture, giving you a platform that’s not just fast and flexible, but secure by design.

How Choreo Implements Zero Trust

Choreo implements zero trust principles as a foundational part of its architecture, providing strong security and controlled access across every layer of the platform.

Core Principles

  • Never Trust, Always Verify: Every interaction is authenticated and authorized. Choreo uses multi-layered controls, API gateways, and continuous monitoring to track behavior and detect anomalies in real time.
  • Least Privilege Access: Access is limited to the absolute minimum necessary. This is enforced through role-based authorization for APIs, fine-grained controls, and strict gateway policies.
  • Assume Breach: Choreo operates with the understanding that breaches are inevitable. The platform prioritizes real-time network observability, comprehensive logging, and anomaly detection for rapid threat identification and response.
  • Explicit Verification: All traffic, internal or external, is strictly regulated by API gateways. Each request is explicitly authenticated and authorized based on user identity, device health, location, and workload context.
  • End-to-End Encryption: All data paths, including internal network traffic, are secured with transparent encryption using Cilium Transparent Encryption.

Architecture-Level Enforcement

  • Cell-Based Architecture: Components are grouped into secure, manageable cells with internal direct communication, while external access is strictly controlled by API gateways.
  • Micro-Segmentation: Each Choreo project resides in a distinct Kubernetes namespace combined with Cilium Network Policies within a cell-based architecture, creating isolated communication scopes that minimize the blast radius of any potential compromise.
  • Control Plane and Data Plane Security: Choreo's architecture separates control (managing development lifecycle) from data (where applications run). Both cloud and private data planes inherently enforce the zero trust model.
  • Dual API Gateways: Dedicated gateways manage both external and internal traffic to user applications, ensuring all access is monitored and secure.

Visibility and Monitoring

  • Layered Security Controls: Multiple defense layers are enforced, including network-level controls via Cilium policies and multi-factor authentication (MFA) powered by Asgardeo.
  • Full User and System Visibility: A comprehensive logging strategy captures activities across applications, API gateways, and Kubernetes events, providing complete visibility to reinforce the "never trust, always verify" principle.

Zero Trust Network Access

Choreo delivers robust zero trust network access by controlling every connection, ensuring that only verified entities can communicate.

  • Cilium and eBPF Integration: Leveraging Cilium and eBPF, Choreo ensures highly secure and observable network connectivity. Cilium policies manage ingress and egress traffic across multiple OSI layers.
  • Strict Network Policies: Cilium network policies secure project namespaces, preventing unauthorized access to workloads.
  • Encrypted Internal Traffic: All internal network communication within Choreo is automatically encrypted, safeguarding data in transit.
  • Egress Control: Enforce fine-grained egress policies using both DNS-based and IP/CIDR-based rules to control outbound traffic from workloads, adding an extra layer of protection to your zero trust network.
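The namespace isolation and the DNS- and IP/CIDR-based egress controls described above, as an added example (constructed here, not Choreo's own policy): one CiliumNetworkPolicy for a hypothetical project namespace "project-a". The gateway-system namespace, the hostname, the CIDR and the kube-dns labels are assumed placeholders.

```yaml
# Constructed example: one CiliumNetworkPolicy for a hypothetical project
# namespace "project-a". Namespaces, hostnames and CIDRs are placeholders.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: project-a-isolation
  namespace: project-a
spec:
  # Applies to every pod in the namespace (empty selector = all endpoints).
  endpointSelector: {}
  ingress:
    # Pods in the same namespace may talk to each other directly.
    - fromEndpoints:
        - {}
    # Only the gateway namespace may reach the project from outside it.
    - fromEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: gateway-system
  egress:
    # Intra-namespace traffic.
    - toEndpoints:
        - {}
    # DNS must go through Cilium's DNS proxy so that the toFQDNs rule below
    # can learn which IPs a permitted name resolves to.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"
    # DNS-based egress rule: HTTPS to one named third-party API only.
    - toFQDNs:
        - matchName: api.partner.example
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
    # IP/CIDR-based egress rule: a database subnet on its service port.
    - toCIDR:
        - 203.0.113.0/24
      toPorts:
        - ports:
            - port: "5432"
              protocol: TCP
```

Once any ingress or egress rule selects a pod, Cilium denies all other traffic in that direction for it, so every destination not listed here (including other project namespaces) is blocked by default.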

Zero Trust Solutions and Capabilities

Choreo provides powerful zero trust solutions and features designed to protect your applications and data.

  • Multi-Factor Authentication (MFA): Secure user logins with robust MFA, powered by Asgardeo, ensuring only authorized users can access the platform.
  • Comprehensive Audit Logs: Maintain detailed audit trails of all access attempts and activities, crucial for compliance and forensic analysis.
  • SIEM Integration (Azure Sentinel): Seamlessly integrate with security information and event management (SIEM) systems like Azure Sentinel for centralized collection, aggregation, and analysis of security data.
  • Container Security: Choreo's CI/CD pipeline enforces rigorous security guidelines for Docker images, assigning distinct identities to container deployments to enhance runtime security.
  • Dynamic Service Graph: Visualize all network activities in real time, validating them against your defined design-time policies, providing critical observability for your zero trust security posture.

Benefits of Zero Trust with Choreo

  • Eliminate Implicit Trust
    Choreo ensures that no actor, human or system, gains access without strict verification.
  • Secure Software Supply Chain
    Security scanning is embedded into the build pipelines, ensuring vulnerabilities are caught before reaching production.
  • Granular Access Enforcement
    Set access boundaries at every layer, from project to service level, ensuring least-privilege access across environments.
  • Compliance and Governance
    Get centralized audit logs, access tracking, and compliance reports built into your developer workflows.
  • Scalable Security for Multi-cloud Environments
    Choreo supports Zero Trust network models across AWS, Azure, GCP, and private Kubernetes clusters.

Why Choreo Is the Ideal Zero Trust Solution

Most platforms require patching together security tools and writing custom policies. Choreo delivers a fully integrated zero trust solution—built into the developer and platform engineering workflows.

Whether you're deploying microservices, APIs, or full-stack apps, Choreo makes it easy to:

  • Enforce zero trust access controls.
  • Monitor internal and external traffic.
  • Secure the software supply chain.
  • Maintain security without slowing down delivery.

Ready to Go Zero Trust?

Don’t wait for the next breach. With Choreo, zero trust is not an afterthought—it’s the default.

Try Choreo for free and start your Zero Trust journey today.
