Continuous verification

Short-lived trust, posture, per-request checks.

Expert30 min · lesson 15 of 15

The final zero-trust principle is that trust is never permanent. Continuous verification — re-establishing trust constantly rather than granting it once — is what ties the whole model together and is realized concretely through short-lived credentials, rotation, and posture-aware access.

Revocation by expiry

Everything in this course pushes toward short-lived, continuously-rotated credentials: SPIRE SVIDs, mesh certificates, cloud federation tokens. That design makes revocation largely automatic — a compromised identity simply stops working when its minutes-to-hour credential lapses, so you rarely need the complexity of certificate revocation lists or OCSP. This is continuous verification in practice: instead of a long-lived grant an attacker can hold, trust is re-issued on a tight cadence, and stopping issuance (or letting the current credential expire) is how you cut off a workload. Short lifetimes turn "how do we revoke?" from a hard problem into a property of the system.

short lifetimes make revocation automatic
# Trust is continuously re-established, not granted once:
#
# SVID / mesh cert TTL: ~ minutes to 1 hour, auto-rotated
# → a leaked credential is useful only until it expires
# → to "revoke": stop issuing to that identity; the current cred lapses fast
# → no CRL/OCSP machinery needed for the common case
#
# Compare a long-lived key: leak = indefinite access until manually revoked.

Posture-aware, per-request trust

Mature zero trust goes further than identity alone: access decisions can incorporate posture and context at request time — is the workload attested and running an approved image, is the device compliant and patched, does the request context look normal — so a grant adapts to current conditions rather than being a one-time decision. Combined with per-request authentication (workload mTLS identity plus request JWT), this means every connection and every request is evaluated against fresh signals. The unifying theme of the whole course: every workload has a verifiable identity, and every connection is authenticated, authorized by least privilege, short-lived, and continuously re-verified — the network you happen to be on grants nothing.

Continuous verification
short-lived trust
rotated SVIDs / certs / tokens
minutes-to-hour TTL
revocation via expiry
stop issuing to cut off
context-aware
posture at request time
attested, patched, compliant
per-request evaluation
identity + claims + context
Trust is re-established constantly, never granted once. Short lifetimes handle revocation; posture and per-request checks keep it current.
One-time authentication is not zero trust
Authenticating a workload or user once and then trusting it indefinitely recreates the standing-trust the model exists to eliminate. Use short-lived, auto-rotated credentials and evaluate identity, authorization, and (where possible) posture continuously — trust that is not re-verified is exactly what an attacker inherits after a compromise.