Designing a Cloud‑Native IAM for Zero‑Trust Security at a Leading Courier
This article explains how ZTO Express built a cloud‑native Identity and Access Management platform to support zero‑trust security, detailing business‑driven risk challenges, design goals, core modules such as identity space, account system, organization support, integration, authorization, micro‑service security, certificate management, automated auditing, and a mobile app.
Introduction
With the widespread adoption of cloud computing and big data, continuous integration/continuous deployment (CI/CD) and mobile work have reshaped information‑security thinking. To protect digital assets dynamically, intelligently, and securely without sacrificing efficiency, ZTO adopted Google’s zero‑trust architecture and built a cloud‑native IAM solution.
Security Risks from Business Growth
ZTO, the world’s largest parcel‑delivery company, processes over 6.2 billion parcels annually and operates a massive ecosystem of subsidiaries, partners, and services. Rapid expansion creates four main security challenges:
Massive heterogeneous applications (self‑developed, third‑party, on‑premise, cloud) require integrated security control and horizontal scalability during peak events.
Complex, large‑scale organization with millions of users and devices that change frequently.
Sensitive data flows across systems, raising protection difficulty.
Extensive APIs for ecosystem partners increase the attack surface.
Solution
Google’s zero‑trust practice suggests that IAM is the core foundation. Traditional IAM cannot meet ZTO’s needs, so a next‑generation, flexible IAM platform was designed.
Design Goals
Comprehensive identity support using the SPIFFE framework to represent people, devices, applications, APIs, etc.
Cloud‑native support: move from network‑layer to application‑layer dynamic access control, leveraging containers, micro‑services, service mesh, and orchestration for horizontal scaling and heterogeneous integration.
Complex organization support: multi‑tenant, multi‑account, cross‑domain, and federated identity capabilities with fine‑grained resource classification and automated audit.
Key Module Design
1. Identity Space
Manages the lifecycle of logical identities (people, devices, services) and maps them to concrete accounts, using SPIFFE as a reference implementation.
2. Account System
Supports multi‑tenant mode where each tenant can define multiple account systems (office, B2B, B2C) and groups (role‑based, org‑based) containing various identity types.
3. Complex Organization Structure
Enables group‑level account sets that auto‑create based on organizational hierarchy, facilitating seamless role changes and collaboration tools.
4. System Integration
Provides secure access‑control integration with heterogeneous systems via standard protocols (OIDC, OAuth2, SAML2, SCIM, REST).
5. Authorization
Combines RBAC for coarse‑grained control and ABAC for fine‑grained policies. A custom DSL describes requests, e.g., {"appid":"eihxiidhh23s","user":"jack","action":"getArticleID","resource":"resources:articles:zto","context":{"remoteIP":"192.168.0.5","trustScore":"90"}}.
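An added example (not ZTO's code) of how the two layers described above can be combined: RBAC gates the action on the resource, then ABAC evaluates the request context. The request is the page's own DSL sample; the role bindings, permission table, trust-score threshold and allowed networks are constructed sample data, and an unmatched resource fails closed.

```python
import ipaddress
import json

# Constructed sample policy data (hypothetical; not ZTO's real configuration).
ROLE_BINDINGS = {"eihxiidhh23s": {"jack": {"reader"}}}  # appid -> user -> roles
ROLE_PERMISSIONS = {"reader": {"getArticleID": ["resources:articles:"]}}  # role -> action -> prefixes
ABAC_RULES = [  # resource prefix -> context constraints; a resource with no rule is denied
    {"resource_prefix": "resources:articles:zto", "min_trust_score": 80,
     "allowed_networks": ["192.168.0.0/24", "10.0.0.0/8"]},
]

# The request from the page's DSL, as a dict; authorize_json accepts the raw JSON string.
SAMPLE_REQUEST = {"appid": "eihxiidhh23s", "user": "jack", "action": "getArticleID",
                  "resource": "resources:articles:zto",
                  "context": {"remoteIP": "192.168.0.5", "trustScore": "90"}}


def rbac_allows(req):
    """Coarse-grained layer: does any of the caller's roles grant action on resource?"""
    roles = ROLE_BINDINGS.get(req.get("appid"), {}).get(req.get("user"), set())
    return any(req.get("resource", "").startswith(prefix)
               for role in roles
               for prefix in ROLE_PERMISSIONS.get(role, {}).get(req.get("action"), []))


def abac_allows(req):
    """Fine-grained layer: check context attributes against the rule covering the resource."""
    ctx = req.get("context", {})
    try:
        ip = ipaddress.ip_address(ctx.get("remoteIP", ""))
        score = int(ctx.get("trustScore", ""))
    except ValueError:
        return False  # missing or malformed context fails closed
    for rule in ABAC_RULES:
        if req.get("resource", "").startswith(rule["resource_prefix"]):
            on_net = any(ip in ipaddress.ip_network(n) for n in rule["allowed_networks"])
            return score >= rule["min_trust_score"] and on_net
    return False  # no rule covers this resource


def authorize(req):
    """RBAC must grant the request first; ABAC then applies the context conditions."""
    return rbac_allows(req) and abac_allows(req)


def authorize_json(request_json):
    return authorize(json.loads(request_json))


if __name__ == "__main__":
    print(authorize(SAMPLE_REQUEST))  # True
```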
6. Micro‑service Security Architecture
Adopts Istio for mutual TLS between services, sidecar data‑plane enforcement, and pilot‑driven policy distribution.
7. Certificate Issuance, Rotation, Revocation
Implements a certificate center that automates issuance, periodic rotation, and real‑time revocation through a CA proxy.
8. Automated Auditing
Classifies and grades resources and operations, then automatically filters anomalies, reducing manual audit workload.
9. Mobile App
Provides a companion app with secure authentication, IM, app publishing, and tooling, replacing static passwords with AI‑driven liveness checks.
Summary and Outlook
Key modules such as SSO, AI‑enhanced identity verification, and centralized permission management are already in production, supporting hundreds of applications. Future work includes integrating more zero‑trust components, open‑sourcing mature security modules, and expanding the ecosystem.
Reference materials:
Google BeyondCorp – https://cloud.google.com/beyondcorp/
AWS IAM – https://aws.amazon.com/iam/
SPIFFE – https://spiffe.io/
Istio – https://istio.io/
Zhongtong Tech