What does LockedIn Labs do?

LockedIn Labs is a digital product engineering firm that builds enterprise-grade software at velocity. We specialize in cloud platforms, AI/ML systems, mobile and web applications, and DevOps infrastructure — serving healthcare, fintech, retail, technology, telecom, and energy sectors.

What industries does LockedIn Labs serve?

We serve six primary industry verticals: Healthcare & Life Sciences (HIPAA-compliant platforms), Financial Services (trading, banking, compliance), Retail & E-Commerce (omnichannel commerce), Technology & SaaS (product acceleration), Telecom & Media (network optimization), and Energy & Industrial (IoT, predictive maintenance).

How fast can LockedIn Labs deliver an MVP?

Our methodology delivers production-ready MVPs in as little as 8 weeks. We achieve this through senior-only engineering teams, weekly sprint cycles, and a delivery process that compresses traditional enterprise timelines by 60-70%.

Is LockedIn Labs HIPAA and SOC 2 compliant?

Yes. LockedIn Labs maintains SOC 2 Type II compliance and builds HIPAA-compliant healthcare systems. We also engineer to PCI DSS, HITRUST, ISO 27001, and FDA 21 CFR Part 11 standards depending on the industry requirements.

What is LockedIn Labs' AI engineering capability?

We engineer production AI systems including LLM integration and fine-tuning, RAG pipelines, agentic AI systems, custom model training, MLOps infrastructure, and intelligent automation. We work with GPT-4, Claude, Gemini, Llama, and open-source models — choosing the right tool for each use case.

Where is LockedIn Labs located?

LockedIn Labs is headquartered in Tampa, Florida and serves enterprise clients across the United States. Our engineering teams work both on-site and remotely depending on project requirements.

Back to Insights

Security & Architecture

Implementing Zero Trust Architecture: A Practical Engineering Guide

LockedIn Labs Engineering TeamFebruary 20, 202612 min read

The perimeter is dead. It has been dead for years, but most enterprise security architectures still behave as if a firewall and a VPN constitute a defensible boundary. The reality of modern infrastructure — cloud workloads spread across multiple providers, remote employees connecting from unmanaged networks, third-party SaaS integrations accessing internal data, microservices communicating over service meshes — has made perimeter-based security not just insufficient but actively dangerous. It creates a false sense of safety that attackers exploit routinely.

Zero trust is the architectural response: never trust, always verify. Every request is authenticated, authorized, and encrypted regardless of where it originates. There is no trusted network zone. An API call from inside the Kubernetes cluster receives the same scrutiny as one from the public internet. At LockedIn Labs, we have implemented zero trust architectures for financial services firms, healthcare platforms, and government contractors. This article covers what actually works in production, the implementation patterns we use, and the pitfalls that trip up most engineering teams.

The Five Pillars of Zero Trust Implementation

Zero trust is not a product you can buy. It is an architectural pattern that spans identity, network, devices, applications, and data. Vendors who sell zero trust as a single solution are selling you a VPN replacement with better marketing. Real zero trust requires changes at every layer of your stack, implemented incrementally over months or years. The organizations that succeed start with identity and expand outward.

The Five Pillars

Identity

Every actor — human and machine — has a verifiable identity. Authentication is continuous, not one-time.

Network

Micro-segmented, encrypted, with no implicit trust between segments. Every flow is explicitly authorized.

Devices

Device health is continuously assessed. Compromised or non-compliant devices lose access automatically.

Applications

Application-level authorization with least privilege. Every API call is authenticated and scoped.

Data

Classification-driven access controls. Encryption at rest and in transit. Data loss prevention at the boundary.

Identity-Based Access: The Foundation Layer

Identity is the control plane of zero trust. Before you can enforce any policy, you need to know who or what is making the request. This sounds straightforward for human users — integrate with an identity provider, enforce multi-factor authentication, done. But in a microservices architecture, the majority of network traffic is machine-to-machine. Service A calls Service B calls Service C. Each of those calls needs an identity, and that identity needs to be verifiable, rotatable, and revocable.

For service-to-service identity, we use SPIFFE (Secure Production Identity Framework for Everyone) as the identity standard and SPIRE as the runtime. Every workload receives a SPIFFE Verifiable Identity Document (SVID) — a short-lived X.509 certificate that encodes the workload’s identity. Certificates rotate automatically every hour. If a workload is compromised, its identity can be revoked instantly, and all other services will reject its connections within seconds. This is dramatically more secure than the common pattern of shared secrets or long-lived API keys stored in environment variables.

SPIRE registration entry for a Kubernetes workload

# Register a workload identity based on K8s service account
spire-server entry create \
  -spiffeID spiffe://lockedinlabs.ai/ns/production/sa/payment-service \
  -parentID spiffe://lockedinlabs.ai/k8s-node \
  -selector k8s:ns:production \
  -selector k8s:sa:payment-service \
  -ttl 3600

# The payment-service can now authenticate to any service
# that trusts the lockedinlabs.ai trust domain, and policies
# can be written against its SPIFFE ID.

For human access, we enforce phishing-resistant MFA as the baseline — hardware security keys or platform authenticators, not SMS codes. Every authentication event produces a signed token with claims about the user’s identity, device posture, network location, and authentication strength. These claims flow through the entire request chain, so downstream services can make fine-grained authorization decisions. A user authenticated with a hardware key from a managed device gets broader access than the same user authenticated with a password from an unknown device.

Network Micro-Segmentation: Shrinking the Blast Radius

Traditional network security creates broad zones — a DMZ, an application tier, a database tier — and allows unrestricted communication within each zone. In a zero trust model, every communication path is explicitly defined and enforced. Service A can talk to Service B on port 443 using mTLS. Service A cannot talk to Service C at all, even though they are in the same Kubernetes namespace. The blast radius of a compromise is limited to exactly what that workload is authorized to access.

We implement micro-segmentation at the service mesh layer using Istio or Linkerd, depending on the client’s infrastructure. The service mesh provides mTLS between all services by default — every connection is encrypted and mutually authenticated. Authorization policies define which services can communicate and under what conditions. These policies are expressed as code, stored in version control, and deployed through the same CI/CD pipeline as application code. No manual firewall rules, no tickets to the network team, no drift between intended and actual state.

Istio AuthorizationPolicy: only allow payment-service to call billing-service

apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: billing-service-policy
  namespace: production
spec:
  selector:
    matchLabels:
      app: billing-service
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
          - "cluster.local/ns/production/sa/payment-service"
    to:
    - operation:
        methods: ["POST"]
        paths: ["/api/v1/charges", "/api/v1/refunds"]
  # Everything else is implicitly denied

The key engineering decision is choosing default-deny versus default-allow during migration. Default-deny is more secure but can break existing communication paths that you did not know existed. Our approach is to deploy the mesh in permissive mode first, collect telemetry on all actual communication patterns for two to four weeks, auto-generate policies from the observed traffic, have the security team review and tighten those policies, then switch to enforce mode. This data-driven approach eliminates the guesswork that causes outages during zero trust migrations.

Continuous Verification: Beyond the Authentication Event

Traditional authentication is binary and point-in-time: the user logged in ten hours ago with a valid password, so they are trusted for the rest of the session. Zero trust replaces this with continuous verification. The trust level is reassessed throughout the session based on behavioral signals, device state changes, and contextual risk factors. A session that started on a compliant corporate laptop in the office might be downgraded if the device stops reporting health checks, or if the user’s behavior deviates from their baseline pattern.

We implement continuous verification through a policy decision point (PDP) that evaluates every significant action against the current risk context. The PDP receives signals from the identity provider, the device management platform, the network layer, and the application itself. It computes a risk score and compares it against the sensitivity of the requested action. Low-risk actions (reading a public dashboard) require minimal verification. High-risk actions (exporting customer data, modifying access controls, deploying to production) require step-up authentication and may trigger additional approvals.

The technical implementation uses a combination of short-lived tokens (fifteen-minute expiry for access tokens, four-hour expiry for refresh tokens) and real-time policy evaluation. When a service receives a request, it validates the token signature and expiry, then calls the PDP with the token claims and the requested action. The PDP returns allow, deny, or step-up. This adds latency — typically two to five milliseconds for cached policy evaluations — but the security improvement is substantial. An attacker who steals a token has a fifteen-minute window instead of an eight-hour session.

The Migration Path: Incremental, Not Big-Bang

The biggest mistake organizations make with zero trust is attempting a wholesale migration. They buy a zero trust platform, form a project team, and try to convert their entire infrastructure in one initiative. This fails predictably because zero trust touches every layer of the stack and every team in the organization. The complexity is too high for a single coordinated effort.

Our recommended migration path starts with the highest-value, lowest-risk changes. Phase one is identity consolidation: ensure every human user and every service has a strong, verifiable identity. Phase two is mTLS everywhere: encrypt and authenticate all service-to-service communication using the service mesh. Phase three is micro-segmentation: define and enforce communication policies based on observed traffic patterns. Phase four is continuous verification: replace long-lived sessions with short-lived tokens and real-time policy evaluation. Phase five is data-centric controls: classify data, enforce encryption, and implement DLP.

Each phase delivers independent security value. You do not need to complete all five phases to benefit from zero trust. An organization that implements strong identity and mTLS everywhere has materially improved its security posture, even if micro-segmentation policies are still being refined. This incremental approach also lets you build organizational muscle gradually — each phase teaches the team new patterns and tooling that make the next phase easier.

Measuring Success: Security Metrics That Matter

Zero trust is not a checkbox. You cannot declare it complete. Instead, you measure progress through concrete security metrics. We track blast radius reduction — how many systems could an attacker access if they compromise a single workload? Before zero trust, the answer is often everything in the same network zone. After micro-segmentation, the answer should be zero or near-zero additional systems beyond the compromised workload’s explicit authorization set.

Key Metrics We Track for Zero Trust Implementations

96%

Average blast radius reduction after full micro-segmentation deployment

15 min

Maximum token lifetime, reducing the window for credential theft attacks

100%

Service-to-service traffic encrypted with mTLS after mesh deployment

Zero trust is a continuous journey, not a destination. Threats evolve, infrastructure changes, and new attack vectors emerge. The organizations that treat zero trust as an ongoing engineering discipline — with dedicated investment, regular assessment, and incremental improvement — are the ones that maintain genuine security posture over time. The perimeter-based model is a relic. The sooner your architecture acknowledges that reality, the better prepared you are for the threats that are already inside your network.

Healthcare