1. Purpose
This policy defines Iron Amethyst Holdings' Zero Trust model. Never trust, always verify. No implicit trust for any user, device, or network connection.
2. Core Principles
- Verify explicitly: All access authenticated regardless of location.
- Least privilege: Minimum access required for every role and service.
- Assume breach: Limit blast radius through segmentation.
3. Identity Verification
- MFA enforced on every account.
- Unique complex passwords via password manager.
- No shared credentials.
4. Device Trust
- Only authorized managed devices permitted.
- Full-disk encryption required.
- OS patched to current versions.
- Screen lock enforced.
5. Network Access Controls
- No access granted based solely on network location.
- Remote access requires authentication regardless of origin.
- All inter-service communication encrypted with TLS 1.2 or higher.
6. Application and Data Access
- Access controlled at the application layer.
- API keys and service tokens scoped to minimum permissions, rotated periodically, revoked after use.
- No standing administrative access.
7. Continuous Validation
- Access rights reviewed periodically.
- Re-authentication required after inactivity.
- Third-party integrations audited regularly.
8. Incident Response
Affected credentials revoked immediately upon suspected compromise. Access logs reviewed to assess scope.
9. Policy Review
Reviewed annually.
Effective Date: April 1, 2026