Zero Trust in security institutions: lessons from the prison system
12 years in the prison system taught me that trust must be earned and constantly verified. Here's how I apply these principles to software development.
The fundamental principle
In my experience at the Buenos Aires Prison System, I learned something the tech industry calls “Zero Trust”: never trust, always verify.
Every door has a protocol. Every movement is recorded. Every access is individually authorized. It doesn’t matter if you’re the director or a new officer: the system treats you the same.
Applying Zero Trust to development
When I develop systems for critical institutions, I apply these same principles:
1. Continuous verification
It’s not enough to authenticate once. Every sensitive operation requires re-verification.
```typescript
// Assumed collaborators (not shown in the post): a session check, a per-operation
// permission check, an append-only audit log and an error type.
import { verifyActiveSession, checkOperationPermission, auditLog, UnauthorizedError } from './auth';

// Minimal shape of an operation, assumed here so the function type-checks.
interface Operation {
  name: string;
  execute(): Promise<unknown>;
}

async function performCriticalOperation(userId: string, operation: Operation) {
  // Verify the session is still active: authenticating once is not enough
  const session = await verifyActiveSession(userId);
  // Check permission for this specific operation, not merely "is logged in"
  const hasPermission = await checkOperationPermission(userId, operation);
  // Log the attempt before anything executes
  await auditLog.record({
    userId,
    operation,
    timestamp: new Date(),
    status: 'attempted'
  });
  if (!session || !hasPermission) {
    // A refused attempt is recorded too: denials are a security signal
    await auditLog.record({ userId, operation, timestamp: new Date(), status: 'denied' });
    throw new UnauthorizedError();
  }
  // Execute and log the result
  const result = await operation.execute();
  await auditLog.record({
    userId,
    operation,
    timestamp: new Date(),
    status: 'completed',
    result
  });
  return result;
}
```
2. Least privilege
Every user has exactly the permissions they need. No more, no less.
3. Total auditing
Everything is logged. Who, what, when, from where.
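The two principles above, least privilege and total auditing, are the primitives the earlier snippet relies on. The following is an added example, not code from the original post: a deny-by-default permission store where grants are explicit and per-operation, paired with an append-only audit trail that records who, what, when and from where for every decision, denials included. User ids, permission names and addresses are constructed for illustration; a director with no grant for an operation is refused exactly like a new officer.

```typescript
// Added example (not from the original post). Permission names, user ids and
// addresses below are constructed for illustration.
type Permission = 'cell.open' | 'inmate.transfer' | 'report.read';

interface AuditEntry {
  seq: number;         // monotonic sequence number: a gap means a missing record
  who: string;         // user id
  what: Permission;    // operation requested
  when: string;        // ISO-8601 timestamp
  fromWhere: string;   // source address or terminal id
  outcome: 'granted' | 'denied';
}

// Least privilege: every grant is explicit and scoped to one operation.
// Anything not listed is denied; there is no role that bypasses the check.
const grants: ReadonlyMap<string, ReadonlySet<Permission>> = new Map([
  ['officer-17', new Set<Permission>(['report.read'])],
  ['director-01', new Set<Permission>(['report.read', 'inmate.transfer'])],
]);

// Total auditing: the trail is only ever appended to, through authorize().
const auditTrail: AuditEntry[] = [];

function hasPermission(userId: string, perm: Permission): boolean {
  // Unknown users have no entry and therefore no permissions.
  return grants.get(userId)?.has(perm) ?? false;
}

function authorize(
  userId: string,
  perm: Permission,
  fromWhere: string,
  now: Date = new Date()
): boolean {
  const allowed = hasPermission(userId, perm);
  // Every decision is recorded, whether it was granted or refused.
  auditTrail.push({
    seq: auditTrail.length + 1,
    who: userId,
    what: perm,
    when: now.toISOString(),
    fromWhere,
    outcome: allowed ? 'granted' : 'denied',
  });
  return allowed;
}

// Read-only view of the trail for reviewers and detection logic.
function auditEntries(): readonly AuditEntry[] {
  return auditTrail.slice();
}

// Repeated denials for one user are the kind of signal a reviewer looks for.
function deniedAttempts(userId: string): number {
  return auditTrail.filter(e => e.who === userId && e.outcome === 'denied').length;
}

// Sanity check on the trail itself: sequence numbers must be contiguous.
function trailIsContiguous(): boolean {
  return auditTrail.every((e, i) => e.seq === i + 1);
}
```

Calling `authorize('director-01', 'cell.open', 'console-3')` returns `false` because no one holds that grant, and the refusal still lands in the trail; `deniedAttempts` and `trailIsContiguous` are the queries a reviewer would run over the log afterwards.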
Conclusion
Systems that cannot fail require a different approach. Experience in security institutions teaches that trust is not a state; it is a continuous process of verification.