
Zero trust architecture

2022-06-10 20:57:00 PolarDay.


Reference articles: Building zero trust security based on SDP technology; How to implement a zero trust security architecture?

What is zero trust

A physical perimeter used to be an effective partition between the trusted network and the untrusted network. Firewalls usually sit at the edge of the network and control traffic according to static policy. Users inside the firewall are granted a high level of trust to access the enterprise's sensitive resources, because they are trusted by default.
But as business moves to the cloud, APT attacks multiply and mobile work becomes the norm, the traditional security perimeter has blurred. Now that networks and threats have changed, our defense model must change as well.

Zero trust is a security model. First of all, it abandons the traditional concept of a perimeter: whether a person is trusted no longer depends on the user's network location. Instead, every request is strictly verified.
Before trust is established, every resource on the network is invisible. Unauthorized users and devices are isolated; they cannot see anything on the network at all.
The verification process covers both human factors and device factors.
Human factors include verifying the user's identity, that is, whether they are who they claim to be, and verifying whether the user is authorized, that is, whether they are allowed to access the requested resource.
Beyond that, we also need to know whether the user is using a legitimate device and whether that device has been compromised. By verifying the device the user is using, we avoid exposing sensitive data to compromised devices and prevent a compromised device from being used to attack other users on the network laterally.
Once verification passes, trust is established and the user can access the requested resource. Other resources they are not authorized for remain invisible, because zero trust is built on the concept of authorization on demand.
I can only access the resources I need, nothing else, unless I make a new request and go through the same verification and authorization process.
In the zero trust model, user verification is dynamic and ongoing.
This means that when a legitimate user is compromised, device verification immediately reports an error. Their access to resources is cut off at once, and connections between the unsafe device and other resources are also cut immediately, to avoid data leakage and lateral attacks.
Zero trust itself is only a theoretical model; there are many practical products that help us realize it.

The basic assumption of the concept of zero trust

  • Internal threats are inevitable;
  • In terms of space, all objects involved in resource access (users, terminal devices, applications, the network, resources, etc.) are untrusted by default; their security is no longer determined by network location;
  • In terms of time, the security of each object changes dynamically (it is not constant over time).

The basic principle of zero trust

  • Any access subject (person, device, application, etc.) must be authenticated and authorized before access is allowed, avoiding excessive trust;
  • An access subject's rights to a resource are dynamic, not static;
  • Access rights are assigned following the principle of least privilege;
  • Unnecessary network exposure of resources is minimized to reduce the attack surface;
  • All access subjects, resources and communication links are kept in the most secure state possible;
  • All information that may affect authorization is collected as completely and promptly as possible, and continuous trust evaluation and security response are carried out on the basis of it.

Zero trust can be applied in any scenario that requires security protection for resource access, but whether to adopt it should be decided according to the enterprise's acceptable level of security risk and its investment.

The three core technologies of zero trust

At present, zero trust rests on three core technologies: SDP (software-defined perimeter), IAM (identity and access management) and MSG (micro-segmentation).

SDP

For a detailed explanation of SDP, see: Software-defined perimeter (SDP)

SDP, the software-defined perimeter, was proposed by the CSA (Cloud Security Alliance) in 2013. Compared with the traditional division into internal and external networks, its core idea is to build a virtual perimeter for the enterprise in software, using identity-based access control and permission authentication mechanisms to provide stealth protection for enterprise applications and services. Network attackers cannot attack enterprise resources because they cannot find the target, which effectively protects enterprise data.

SDP consists of three components: the SDP client (access side), the SDP controller and the SDP gateway. The client is software installed on the user's terminal device; its main functions include user authentication, user behavior analysis and terminal device inspection, to check whether the device is abnormal or has been attacked, and it also forwards the user's access request to the gateway. The controller is the trust broker between the client and enterprise resources; it is mainly responsible for configuring user identity authentication and access rights, and controls the entire process of allocating resource permissions within the enterprise. Usually only users whose access request has been approved are given access to specific resources. The gateway is the "gatekeeper" deployed at the network entrance; it is mainly responsible for protecting the enterprise's internal resources and business systems against all kinds of network attacks. By default the gateway closes all network ports and rejects all connections, opening the designated port only to legitimate IP addresses coming from the client.

Through the interaction of these three components, SDP makes the network between applications and enterprise resources "stealthy". Communication between the three is encrypted and transmitted point-to-point between the accessing end and the accessed end. Once the connection fails it is disconnected immediately, cutting off visibility and access to all application systems on the network. This not only effectively solves the security problems arising in enterprise business development, it has also made SDP one of the best practices in today's zero trust security architecture.
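To make the "What is zero trust" section and the SDP component description above concrete, here is a small model of the three SDP roles with a default-deny gateway, written for this page as an added example; it is not code from the original article or from any SDP product. All names (Controller, Gateway, Grant, request_access, report_device_compromised) and the sample users, devices and addresses are constructed for the illustration. The controller checks the human factor (identity, entitlement) and the device factor (posture) and issues a narrow, time-limited grant for exactly one resource; the gateway admits a connection only when a live grant matches source IP, device and resource; reporting a device as compromised revokes its grants at once and blocks new ones, which is the "immediate cut-off" behaviour the text describes.

```python
"""Toy model of the three SDP components described above: an access client
that reports identity and device posture, a controller that brokers trust,
and a default-deny gateway. Constructed teaching example, not product code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Device:
    device_id: str
    compromised: bool = False      # posture flag reported by the access client


@dataclass
class Grant:
    user: str
    device_id: str
    source_ip: str
    resource: str
    expires_at: float              # a grant is narrow and time-limited


class Controller:
    """Trust broker between the access client and enterprise resources."""

    def __init__(self, authenticated_users: Set[str],
                 entitlements: Dict[str, Set[str]], ttl: float = 60.0) -> None:
        self.authenticated_users = authenticated_users   # stand-in for an identity provider
        self.entitlements = entitlements                 # user -> resources they may request
        self.ttl = ttl
        self.grants: List[Grant] = []
        self.quarantined: Set[str] = set()               # devices known to be captured

    def request_access(self, user: str, device: Device, source_ip: str,
                       resource: str, now: float) -> Optional[Grant]:
        """Verify identity, device posture and entitlement; grant one resource or nothing."""
        if user not in self.authenticated_users:
            return None                                  # identity not proven
        if device.compromised or device.device_id in self.quarantined:
            return None                                  # never expose data to a captured device
        if resource not in self.entitlements.get(user, set()):
            return None                                  # least privilege: not entitled
        grant = Grant(user, device.device_id, source_ip, resource, now + self.ttl)
        self.grants.append(grant)
        return grant

    def report_device_compromised(self, device_id: str) -> int:
        """Continuous verification: a captured device loses every grant at once
        and cannot obtain new ones. Returns how many grants were revoked."""
        self.quarantined.add(device_id)
        before = len(self.grants)
        self.grants = [g for g in self.grants if g.device_id != device_id]
        return before - len(self.grants)

    def live_grants(self, now: float) -> List[Grant]:
        self.grants = [g for g in self.grants if now < g.expires_at]   # drop expired grants
        return list(self.grants)


class Gateway:
    """Default-deny: no port is open to anyone. A connection is admitted only
    when a live grant matches source IP, device and resource exactly."""

    def __init__(self, controller: Controller) -> None:
        self.controller = controller

    def admit(self, source_ip: str, device_id: str, resource: str, now: float) -> bool:
        return any(g.source_ip == source_ip and g.device_id == device_id
                   and g.resource == resource
                   for g in self.controller.live_grants(now))


def demo() -> Dict[str, bool]:
    """Replay the scenarios from the text; True means the model behaved as zero trust requires."""
    now = 1_000_000.0
    ctl = Controller(authenticated_users={"alice"}, entitlements={"alice": {"crm"}})
    gw = Gateway(ctl)
    laptop, phone = Device("laptop-1"), Device("phone-1")
    r: Dict[str, bool] = {}

    # An unverified identity gets nothing, even from a clean device.
    r["stranger_denied"] = ctl.request_access("mallory", laptop, "10.0.0.9", "crm", now) is None

    # Alice asks only for the CRM; the gateway admits that and nothing else.
    ctl.request_access("alice", laptop, "10.0.0.5", "crm", now)
    r["crm_admitted"] = gw.admit("10.0.0.5", "laptop-1", "crm", now)
    r["hr_invisible"] = not gw.admit("10.0.0.5", "laptop-1", "hr", now)
    r["other_source_denied"] = not gw.admit("10.0.0.6", "laptop-1", "crm", now)

    # The laptop is reported captured: access is cut at once and not re-granted.
    ctl.report_device_compromised("laptop-1")
    r["cut_after_compromise"] = not gw.admit("10.0.0.5", "laptop-1", "crm", now)
    r["no_regrant"] = ctl.request_access("alice", laptop, "10.0.0.5", "crm", now) is None

    # A grant on a clean device lapses by itself once its TTL passes.
    ctl.request_access("alice", phone, "10.0.0.7", "crm", now)
    r["phone_admitted"] = gw.admit("10.0.0.7", "phone-1", "crm", now)
    r["expired_denied"] = not gw.admit("10.0.0.7", "phone-1", "crm", now + 61)
    return r
```

Calling demo() returns a dictionary in which every value is True. The two design points worth noticing are that the gateway never consults a user list of its own (it only honours grants the controller issued, so the policy lives in one place) and that a grant is bound to the device and source address that requested it, so the same identity on another device or address has to go through the controller again.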

IAM

For a detailed explanation of IAM, see: Identity and access management (IAM)

IAM, identity and access management, is a technology that identifies every digital entity within an enterprise with a unique identifier. IAM is also backward compatible with the various existing identity protocols and flexibly supports multi-factor authentication, making it easy to realize identity-centric, full-lifecycle dynamic trust management and to decide, based on the result of trust evaluation, whether the current identity may access the enterprise's internal resources or data assets.

IAM revolves around four aspects: user identity, terminal device, accessed application and activity data. It provides a unified, authoritative identity authentication service for the enterprise, ensuring that the right user, in the right access environment, gets the right access to resources. It not only helps the enterprise integrate its originally scattered user systems and authentication systems, it also further strengthens least-privilege control over users and helps realize enterprise-wide unified access control.

As digital transformation deepens, access relationships within the enterprise become ever more complex. Scenarios such as moving business and data resources to the cloud, employee onboarding and departure, and company mergers place higher demands on the two major requirements of user identity lifecycle management and identity authentication. Against this background, IAM, with its functions of identification, authorization, management, analysis and audit, has gradually become an important foundational capability supporting enterprise business and data security in the zero trust security architecture.
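The IAM passages above describe identity-centric trust evaluation in general terms: unique identifiers for every entity, multi-factor authentication, lifecycle management, and decisions that follow from a trust evaluation. The following added example (written for this page, not code from the original article or from any IAM product) shows one way those ideas fit together: a resource policy states which roles are entitled, which authentication factors it demands and whether a trusted device is required; the service answers allow, step-up or deny and records every decision for audit; offboarding disables the identity so that a still-open session is refused on its next request. The class and method names (IdentityService, ResourcePolicy, evaluate, onboard, offboard), the roles and the factor names are all constructed for the illustration.

```python
"""Toy identity-centric trust evaluation in the spirit of the IAM section:
every entity gets a unique identifier, the factors a user presented are compared
with what the resource demands, and offboarding revokes access everywhere.
Constructed teaching example, not the code of any IAM product."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set, Tuple
import uuid


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"      # identity is fine, but a stronger factor is required
    DENY = "deny"


@dataclass
class Identity:
    uid: str                                 # unique, never reused, survives renames
    username: str
    roles: Set[str] = field(default_factory=set)
    active: bool = True                      # set to False when the person leaves


@dataclass
class Session:
    uid: str
    factors: Set[str]                        # authenticators presented, e.g. {"password", "totp"}
    device_trusted: bool                     # posture verdict from device management


@dataclass
class ResourcePolicy:
    roles: Set[str]                          # roles entitled to the resource
    required_factors: Set[str]               # factors the resource demands
    require_trusted_device: bool = False


class IdentityService:
    """Identification, authorization, lifecycle management and audit in one place."""

    def __init__(self) -> None:
        self.identities: Dict[str, Identity] = {}
        self.audit: List[Tuple[str, str, str]] = []    # (uid, resource, decision)

    def onboard(self, username: str, roles: Set[str]) -> Identity:
        ident = Identity(uid=str(uuid.uuid4()), username=username, roles=set(roles))
        self.identities[ident.uid] = ident
        return ident

    def offboard(self, uid: str) -> None:
        """Departure: disable the identity and strip its roles, but keep the uid
        so that audit records still resolve to a person."""
        ident = self.identities[uid]
        ident.active = False
        ident.roles.clear()

    def evaluate(self, session: Session, resource: str, policy: ResourcePolicy) -> Decision:
        """Decide per request and write every decision to the audit trail."""
        ident = self.identities.get(session.uid)
        if ident is None or not ident.active:
            decision = Decision.DENY                   # unknown or departed identity
        elif not ident.roles & policy.roles:
            decision = Decision.DENY                   # least privilege: no entitled role
        elif policy.require_trusted_device and not session.device_trusted:
            decision = Decision.DENY                   # right person, wrong environment
        elif not policy.required_factors <= session.factors:
            decision = Decision.STEP_UP                # ask for the missing factor
        else:
            decision = Decision.ALLOW
        self.audit.append((session.uid, resource, decision.value))
        return decision


def demo() -> Dict[str, str]:
    """Run the scenarios from the text and return each decision by name."""
    svc = IdentityService()
    bob = svc.onboard("bob", {"finance"})
    payroll = ResourcePolicy(roles={"finance"}, required_factors={"password", "totp"},
                             require_trusted_device=True)
    wiki = ResourcePolicy(roles={"finance", "engineering"}, required_factors={"password"})
    weak = Session(bob.uid, {"password"}, device_trusted=True)
    strong = Session(bob.uid, {"password", "totp"}, device_trusted=True)
    untrusted = Session(bob.uid, {"password", "totp"}, device_trusted=False)

    out: Dict[str, str] = {}
    out["wiki_with_password"] = svc.evaluate(weak, "wiki", wiki).value            # allow
    out["payroll_with_password"] = svc.evaluate(weak, "payroll", payroll).value   # step_up
    out["payroll_with_mfa"] = svc.evaluate(strong, "payroll", payroll).value      # allow
    out["payroll_untrusted_device"] = svc.evaluate(untrusted, "payroll", payroll).value  # deny
    svc.offboard(bob.uid)                                                         # bob leaves
    out["payroll_after_offboarding"] = svc.evaluate(strong, "payroll", payroll).value    # deny
    out["audit_entries"] = str(len(svc.audit))                                   # "5"
    return out
```

The distinction between step-up and deny is deliberate: a valid identity that merely lacks a factor can be prompted for it, whereas a departed identity or an untrusted device is refused outright, and both outcomes are visible in the audit trail rather than only in the caller's return value.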


Copyright notice
This article was written by [PolarDay.]; when reposting, please include the link to the original. Thank you.
https://yzsam.com/2022/161/202206101907287956.html