ZTFORENSICS: ZERO TRUST POLICY ENFORCEMENT WITH TAMPER-EVIDENT FORENSIC EVIDENCE PACKAGING FOR HYBRID CLOUD ENVIRONMENTS
Abstract
Hybrid cloud environments reveal a serious security gap: perimeter-based access-control models provide one-shot authentication, with neither continuous verification nor tamper-proof evidence collection. An adversary who obtains valid credentials can exfiltrate data and then delete or manipulate audit logs, undermining forensic accountability. Current Zero Trust Architecture (ZTA) solutions focus on enforcement and do not necessarily tie every access decision to a legally admissible, cryptographically bound forensic record. This paper introduces an integrated framework, ZTForensics, which enforces Zero Trust policy decisions in real time and generates hash-chained forensic evidence records for every access event using the SHA-256 hash function. Enforcement is performed by a FastAPI gateway, Open Policy Agent (OPA) with Rego policies, Keycloak identity management, PostgreSQL evidence storage and MinIO object packaging. Seven contextual risk factors are applied to each request, and the outcome of the decision (allow, deny, or challenge) is recorded as an integrity-linked forensic record. Long-term evidence integrity is provided by RSA-signed anchors and a chain-verification endpoint. In a simulated banking environment, correct decisions are validated, tamper detection across several attack vectors is confirmed with no false positives, and the exported evidence bundle is structured according to legal rules. ZTForensics bridges reactive forensic collection and proactive decision-making, creating trustworthy forensic evidence in cloud API environments.
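The hash-chained evidence records and the chain-verification step described in the abstract can be illustrated with a small stand-alone model. The following is an added example written for this page, not code from the ZTForensics paper: the record fields, the sample decisions and the use of a plain stored head hash as a stand-in for the paper's RSA-signed anchor are all assumptions. Each record carries the SHA-256 of its predecessor, so editing or deleting any record breaks the chain; the last scenario shows why an out-of-band anchor is still needed when an attacker rewrites the head record and recomputes its hash.

```python
import copy
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

GENESIS_HASH = "0" * 64  # prev_hash of the first record in a fresh chain


@dataclass
class EvidenceRecord:
    """One forensic record per policy decision (field names are assumed, not the paper's schema)."""
    seq: int
    subject: str
    resource: str
    decision: str      # "allow", "deny" or "challenge"
    risk_score: int    # aggregated contextual risk on a placeholder scale
    prev_hash: str     # SHA-256 of the previous record
    record_hash: str = ""


def compute_hash(rec: EvidenceRecord) -> str:
    """SHA-256 over a canonical JSON encoding of every field except record_hash."""
    payload = asdict(rec)
    payload.pop("record_hash")
    encoded = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def append_record(chain: List[EvidenceRecord], subject: str, resource: str,
                  decision: str, risk_score: int) -> EvidenceRecord:
    """Link a new decision record to the current head of the chain."""
    prev = chain[-1].record_hash if chain else GENESIS_HASH
    rec = EvidenceRecord(len(chain), subject, resource, decision, risk_score, prev)
    rec.record_hash = compute_hash(rec)
    chain.append(rec)
    return rec


def verify_chain(chain: List[EvidenceRecord], anchor: Optional[str] = None) -> Optional[int]:
    """Return the index of the first record that breaks the chain, or None if intact.

    If an out-of-band anchor (the expected head hash) is supplied, a chain whose
    head was rewritten and re-hashed is reported at its last index.
    """
    expected_prev = GENESIS_HASH
    for i, rec in enumerate(chain):
        if rec.seq != i or rec.prev_hash != expected_prev or compute_hash(rec) != rec.record_hash:
            return i
        expected_prev = rec.record_hash
    if anchor is not None and chain and chain[-1].record_hash != anchor:
        return len(chain) - 1
    return None


def build_sample_chain() -> List[EvidenceRecord]:
    """Constructed sample decisions; not data from the paper's evaluation."""
    chain: List[EvidenceRecord] = []
    append_record(chain, "alice", "/accounts/1001/balance", "allow", 1)
    append_record(chain, "alice", "/transfers", "challenge", 4)
    append_record(chain, "mallory", "/admin/export", "deny", 7)
    return chain


def tamper_scenarios():
    """Run four integrity checks and return what verify_chain reports for each."""
    chain = build_sample_chain()
    anchor = chain[-1].record_hash   # stand-in for the paper's RSA-signed anchor

    intact = verify_chain(chain, anchor)            # None: untouched chain

    edited = copy.deepcopy(chain)                   # flip a deny to allow without re-hashing
    edited[2].decision = "allow"
    edited_idx = verify_chain(edited, anchor)       # 2: stored hash no longer matches

    deleted = copy.deepcopy(chain)                  # remove the middle record
    del deleted[1]
    deleted_idx = verify_chain(deleted, anchor)     # 1: seq and prev_hash no longer line up

    rehashed = copy.deepcopy(chain)                 # rewrite the head and recompute its hash
    rehashed[2].decision = "allow"
    rehashed[2].record_hash = compute_hash(rehashed[2])
    internal_only = verify_chain(rehashed)          # None: internally consistent
    with_anchor = verify_chain(rehashed, anchor)    # 2: head disagrees with the anchor

    return intact, edited_idx, deleted_idx, internal_only, with_anchor


if __name__ == "__main__":
    print(tamper_scenarios())
```

The point of the last scenario is the design reason for anchoring: a hash chain alone proves only that records are consistent with one another, so an attacker who controls the store and can rewrite the most recent record plus its hash leaves nothing to detect. A periodically exported head hash under a signature the store cannot forge, as the abstract describes with RSA-signed anchors, is what turns the chain into tamper evidence rather than merely self-consistency.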