Zero trust has been popular for more than ten years. Why is it still not being implemented?
2022-08-03 20:42:00 【software testnet】
But reality sometimes disappoints. Zero-trust technology has been hot for more than ten years, and hyped for a decade, yet to this day it still sits, in China, in the awkward position of "much applauded, little bought". Enterprises that have actually spent the money and deployed zero trust at scale are very few.
So where exactly is the problem that leaves the much-hyped zero trust in the predicament of "I recommend it when others buy it, but I don't buy it myself"? For the buying (customer-side) enterprise, what is the core driver for fully implementing zero trust, and what is the future development path of zero-trust technology?
Security is a balance between risk and benefit
Before answering these questions, we need to discuss what the essence of enterprise security actually is.
The HW (护网, the annual national attack-defense exercise) is currently underway. Both sides are committing their existing resources to offensive and defensive drills: one side trying to gain access to the target system, the other holding the security baseline and tracing the attack path. Their purpose is clear: beat the other side and win the contest.
But this is not the essence of enterprise security. Winning is just a result; the essence of enterprise security should be to let the enterprise develop better. At the strategic level, the essence of security is a balance between risk and benefit: a means of turning uncontrollable risk into controllable cost.
The risk of network attacks has evolved alongside the development of the Internet. Early network attacks consisted mainly of Trojans and viruses, whose goal was to infect target users' computers, largely as a display of individual technique. The harm to enterprises was mostly limited to "an infected computer", with little interference to business and operations.
Therefore, enterprise information security work was mostly handled by IT operations, and the protection system consisted mainly of three pieces: firewall, antivirus software and intrusion detection. At that time the cost of a cyber attack was relatively small, and the traditional perimeter security system aimed to keep viruses isolated on the outside.
As the Internet developed further, enterprise business gradually moved online, cyber attacks became widespread, and all kinds of vulnerability exploitation and "wool-pulling" (薅羊毛, abuse of promotions and loopholes for profit) appeared; cyber threats began to bring sustained business disruption and direct economic loss. More critically, this cost keeps growing with technological development and digital transformation, and for some enterprises it has even become a core factor in their survival.
At this point, network attacks are no longer aimed at "infecting computers"; the profit motive is increasingly obvious: threatening enterprises with DDoS for extortion, encrypting devices and data for ransom, or stealing data outright and reselling it on the dark web... At the light end, business interruption; at the heavy end, enormous economic losses.
To control and reduce the huge costs brought by network threats, enterprises have continually increased investment in information security: setting up information security departments, purchasing security equipment in large quantities, upgrading the traditional perimeter protection system, reframing the underlying logic and intrinsic demand of enterprise information security, and building new security systems better adapted to business development.
At the same time, the legal system for cybersecurity has gradually improved, and the penalties for violating security compliance have grown heavier, to the point of deciding an enterprise's survival; representative laws include the Cybersecurity Law (《网络安全法》), the Data Security Law (《数据安全法》) and the Cybersecurity Review Measures (《网络安全审查办法》). To reduce this cost, enterprise information security is also built in the direction of "meeting compliance", so that the enterprise avoids huge losses from stepping over the security red line.
"Is it worth it?" has become the key factor in implementing zero trust
From the "essence of enterprise security" we can see that network risk and compliance risk are the core forces driving the development of enterprise security. New concepts, new technologies and new products all appear in order to better reduce the cost caused by these two risks: either by optimizing security operations so that the business runs more smoothly, or by strengthening security technology so that risks are strangled more precisely.
China's cybersecurity industry has a strong compliance character, and the losses an enterprise suffers from a compliance violation are direct and serious: at the light end a regulatory interview, at the heavier end removal of its app from stores, and heavy fines from regulators, all of which damage the business badly. Therefore, with limited resources, enterprises usually give priority to meeting compliance requirements.
Looking at the existing legal system and cybersecurity compliance rules, zero-trust technology is not much help in meeting compliance demands, so the only core impetus pushing enterprises to deploy zero trust is the threat of network attacks.
For an enterprise, fully implementing and deploying zero trust means a comprehensive adjustment of its security architecture, which requires a massive investment of people, materials and budget.
As stated above, the essence of network security is a means of cost control; therefore an enterprise's investment in security will never exceed the sum of the losses caused by all kinds of network threats (which can be understood simply as: loss caused by the risk × probability of the risk).
In addition, an enterprise's investment in security must also be judged longitudinally: compared with the security system at the current stage, does investing a lot of resources produce an obvious improvement, and does it have an obvious effect on business development?
At this point, enterprise leadership needs to consider a very critical question: is the investment worth it?
First, although the network attacks facing China are serious, they cannot be compared in severity with the frequent outbreaks abroad, with their multimillion-dollar ransoms and massive data theft. This is why zero trust is deployed more commonly abroad, while domestic enterprises still hold a "give it a try" attitude and tend to strengthen their security systems gradually instead.
Second, China lacks enterprises that have fully implemented zero trust in any real sense, so there is no reference for the industry, which makes many enterprises hesitate. Looking at the development history of the cybersecurity industry, a landmark case has great significance in promoting the application of a new technology, and most enterprises are unwilling to be the first. The reason is that the outcome for the first mover is unknown, while continuing to rely on the existing security system yields an acceptable result.
Under such circumstances, enterprises would rather wait and watch than go first. The end result is that everyone is bullish on zero trust, but nobody actually deploys and practices it. Moreover, many enterprises still lack the foundation for deploying zero trust.
For example, dynamic authorization and continuous trust are among the cores of zero trust. A continuous trust-evaluation mechanism has to be built on top of unified permission management, and the number of factors that participate in the trust evaluation determines the accuracy of the result. The trust-evaluation model should be built differently for different networks; the accuracy requirements are high, and at present continuous trust lacks a unified way of being implemented.
Zero trust treats the security system as a whole, involving endpoint environment awareness, IAM, EDR, UEBA and many other security products, which must be integrated with each other when deploying. However, the security equipment enterprises have purchased is usually scattered across multiple vendors and brands; perfect fusion is nearly impossible, so zero trust is hard to land.
Partial zero trust is still a viable path
With the rapid development of big data, cloud, IoT, mobile, AI, blockchain and other technologies, and the continued impact of the global COVID-19 pandemic, zero-trust technology has ushered in new development opportunities. Where full deployment is not possible, partial zero trust has become the choice of many enterprises.
For example, continuously strengthening the identity authentication system, one of the cores of zero trust, has become a way to try partial zero-trust deployment.
As enterprise digital transformation accelerates, going to the cloud has become an indispensable path, and cloud architecture exposes enterprises to greater risk: once stored data is leaked or attacked, it causes incalculable loss to the enterprise. According to the statistic cited here, 80% of data leaks are related to stolen passwords, so identity authentication has become an important marker of enterprise information security.
In this situation, traditional identity authentication systems struggle to keep up with the ever-changing network, let alone guarantee the security of a visitor's identity; therefore, building a new identity security concept with zero-trust thinking and optimizing the identity verification system has become the choice of many enterprises, and also provides a basis for future comprehensive deployment of zero trust.
For example, during the pandemic, in order to strengthen the security of online office work, one enterprise upgraded its original identity authentication system from account-based management to identity-based management, using multi-factor, real-time, dynamic authentication to ensure that the accessing identity and the identity it represents are the same.
In the deployment process, the enterprise also gave full consideration to the balance between adaptive, manageable and extensible authorization policy. Coarse-grained authorization is implemented through RBAC to meet a least-privilege permission baseline; an ABAC model can also map roles dynamically based on subject, object and environment attributes to meet the demand for flexible management. At the same time, risk assessment and analysis can filter the roles and permissions, implementing scenario- and risk-aware dynamic authorization.
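The following is an added example, not code from the enterprise described above, showing how the three layers just described fit together in one authorization decision, and also how the "continuous trust evaluation from several factors" mentioned earlier can be realised: an RBAC baseline grants a coarse permission set, an ABAC layer derives roles from subject, object and environment attributes, and a trust score computed from several session factors filters the result. Every role name, permission name, factor weight and threshold is an assumption made for the example.

```python
from dataclasses import dataclass

# --- RBAC baseline: each role grants a fixed, coarse-grained permission set. ---
# Role and permission names are assumptions made for this example.
ROLE_PERMISSIONS = {
    "employee": {"read:wiki", "read:mail"},
    "finance":  {"read:ledger", "write:ledger"},
    "admin":    {"read:audit", "write:config"},
}

# Permissions withheld from a session whose trust score is only middling.
SENSITIVE = {"write:ledger", "write:config", "read:audit"}

# Trust-score bands (assumed thresholds): >=70 full access, 40-69 degraded, <40 deny.
FULL_TRUST, DEGRADED_TRUST = 70, 40


@dataclass
class Subject:
    user: str
    static_roles: frozenset
    department: str
    mfa_passed: bool


@dataclass
class Environment:
    device_compliant: bool
    corporate_network: bool
    new_location: bool
    hours_since_auth: float


def trust_score(subj: Subject, env: Environment) -> int:
    """Continuous trust evaluation: start at 100 and subtract a weight for each
    negative factor observed in the session. Weights are illustrative, not tuned."""
    score = 100
    if not subj.mfa_passed:
        score -= 40
    if not env.device_compliant:
        score -= 30
    if not env.corporate_network:
        score -= 15
    if env.new_location:
        score -= 15
    if env.hours_since_auth > 8:
        score -= 20
    return max(score, 0)


def effective_roles(subj: Subject, env: Environment, resource_dept: str) -> set:
    """ABAC layer: derive roles from subject, object and environment attributes
    instead of relying only on statically assigned roles."""
    roles = set(subj.static_roles)
    # Subject attribute (department) matched against object attribute (owning dept).
    if subj.department == "finance" and resource_dept == "finance":
        roles.add("finance")
    # Environment attribute: admin rights only from a compliant device on the corporate network.
    if not (env.device_compliant and env.corporate_network):
        roles.discard("admin")
    return roles


def authorize(subj: Subject, env: Environment, resource_dept: str, permission: str) -> tuple:
    """Return (allowed, reason). RBAC+ABAC decide what could be granted; the
    trust score then filters that set according to the risk of the session."""
    roles = effective_roles(subj, env, resource_dept)
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))
    score = trust_score(subj, env)

    if score < DEGRADED_TRUST:
        return False, f"trust score {score}: session denied outright"
    if permission not in granted:
        return False, f"trust score {score}: {permission} not granted by roles {sorted(roles)}"
    if permission in SENSITIVE and score < FULL_TRUST:
        return False, f"trust score {score}: sensitive permission needs re-authentication"
    return True, f"trust score {score}: granted via roles {sorted(roles)}"


if __name__ == "__main__":
    # Constructed sample session: a finance employee at the office, then at home.
    alice = Subject("alice", frozenset({"employee"}), "finance", mfa_passed=True)
    office = Environment(device_compliant=True, corporate_network=True, new_location=False, hours_since_auth=1.0)
    home = Environment(device_compliant=True, corporate_network=False, new_location=True, hours_since_auth=9.0)
    print(authorize(alice, office, "finance", "write:ledger"))
    print(authorize(alice, home, "finance", "write:ledger"))
```

The order of the layers matters: the trust score never adds permissions, it only removes them, so the RBAC baseline remains the upper bound (least privilege) while the ABAC and risk layers make the actual grant narrower as the subject's attributes or the session's environment change.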
In fact, the partial zero-trust model is better suited to the current situation of Chinese enterprises. More and more enterprises have begun to introduce zero trust in specific areas to improve their existing security systems, including authorization management, business audit, security operations monitoring and early-warning systems, endpoint security systems and so on.
The benefits of doing so are obvious: enterprises do not need to overhaul their security architecture, nor invest massive resources up front, so it is easier to win leadership support. At the same time, during implementation the enterprise can observe more directly how much zero trust improves its security and whether it has any adverse impact on the business.
In a sense, zero trust does not replace the original security system. Rather, from the perspective of micro-segmentation or network stealth, and with identity management, permission control and dynamic authentication as its technical basis, it strengthens the deficiencies of the original security system.
On one hand, the zero-trust system can absorb the original host security, EDR and situational awareness as its security sensing capability, and can absorb the original bastion host, unified portal (including SSO), secure access, VPN and security gateways (FW, UTM, etc.) as its security action enforcement capability.
On the other hand, the defense-in-depth system can use zero trust to achieve more fine-grained access control; it can use zero trust's dynamic trust evaluation to achieve real-time response; and it can use zero trust's identity management to achieve broader device management, and so on.
Seen this way, zero-trust deployment may follow a "partial first, then whole" road. That road may take a long time, but it is a feasible path, and it gives enterprises enough time and resources to keep exploring and evaluating zero trust.
Zero-trust deployment is a sublimation of traditional security
As one of the hottest security technologies in recent years, zero trust enjoys great enthusiasm in the industry. However, the long advocacy has filled zero trust with more and more bubbles; the big "disruptive" moves against the original security system that are constantly proposed mean that most enterprises can only look at "zero trust" from afar, rather than actually deploy and practice it.
We are always poking fun at traditional perimeter security and think that the appearance of zero trust will break the boundary, but note that zero trust is not borderless; rather, the border is everywhere, which is exactly why "continuous verification" is needed. From this point of view, the appearance of zero trust is not a disruption but an inheritance and sublimation.
When the traditional boundary fragments, a new boundary gradually forms inside the system and plays a more powerful role.