
A Zero Trust Manifesto


A Google search for “zero trust” returns roughly 195 million results. Some of those are surely unrelated to access management and cyber security, but a good number are. Zero Trust was a term coined by the analyst firm Forrester back in 2010, and it has gained popularity since Google began applying the concept to employee access through its BeyondCorp project.

It was originally focused on network segmentation but has since grown to cover other aspects of user-focused security management.

Below is a hybrid set of concepts that tries to cover the current approaches. Please comment below so we can iterate and add to this over time.

1. Assign unique, non-reusable identifiers to all subjects [1], objects [2] and network devices [3]
2. Authenticate every subject
3. Authenticate every device
4. Inspect, verify and validate every object access request
5. Log every object access request
6. Authentication should use two of: something you have, something you are, something you know
7. Successful authentication should result in a revocable credential [4]
8. Credentials should be scoped and follow least privilege [5]
9. Credentials should be bound to a (user, device, transaction) tuple [6]
10. Network communications should be encrypted [7]
11. Assume all services, APIs and applications are accessible from the Internet [8]
12. Segment processes and network traffic into logical and operational groups

[1] Users of systems, including employees, partners, customers and other user-interactive service accounts.
[2] APIs, services, web applications and unique data sources.
[3] User devices (such as laptops, mobiles, tablets, virtual machines), service devices (such as printers, faxes) and network management devices (such as switches, routers).
[4] Such as a cookie, token ID or access token that is cryptographically secure. Revocable should not be limited to being time bound; e.g. revocation lists or blacklists.
[5] Credential exchange may be required where access traverses network or object segmentation. For example, an issued credential for subject 1 to access object 1 may require object 1 to contact object 2 to fulfil the request. The credential presented to object 2 may differ from that presented to object 1.
[6] A token binding approach such as signature-based access tokens or TLS binding.
[7] Using, for example, standards-based protocols such as TLS 1.3 or similar, e.g. Google’s ALTS.
[8] Assume perimeter-based networking (either software defined or network defined) is incomplete and that trust cannot be placed simply on the origin of a request.
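To make principles 4, 5, 7, 8 and 9 and footnotes [4], [5] and [6] concrete, here is a toy policy enforcement point written for this page as an added example; it is not code from the original post or from any of the vendors listed below. It assumes a single HMAC signing key shared by issuer and verifier (a real deployment would use asymmetric keys from a KMS so that verifiers cannot mint tokens), an in-memory revocation list and an in-memory access log; the subject, device, audience and scope names are invented for illustration. A token is bound to the (subject, device, transaction) tuple, carries a scope and an audience, expires, can be revoked by ID before it expires, and every access decision is logged. The exchange function shows footnote [5]: when object 1 must call object 2, it does not forward the caller’s credential but mints a narrower one for the downstream audience.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Assumption: one HMAC key shared by issuer and verifiers, for illustration only.
SIGNING_KEY = b"example-only-signing-key-not-for-production"

REVOKED_IDS = set()   # revocation list keyed by token id, footnote [4]
ACCESS_LOG = []       # every access decision is appended here, principle 5


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, device, txn, scope, audience, ttl=300, now=None):
    """Mint a credential bound to the (subject, device, transaction) tuple
    (principle 9), limited to `scope` (principle 8) and to one `audience`."""
    now = int(time.time()) if now is None else now
    claims = {
        "jti": _b64(os.urandom(16)),   # unique id so this token can be revoked
        "sub": subject, "dev": device, "txn": txn,
        "aud": audience, "scope": sorted(set(scope)),
        "iat": now, "exp": now + ttl,
    }
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def revoke(token):
    """Revoke by token id; the token is unusable even before it expires."""
    REVOKED_IDS.add(json.loads(_unb64(token.split(".")[0]))["jti"])


def _validate(token, audience, now):
    """Signature, expiry, revocation and audience checks. Returns (claims, reason)."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
        expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return None, "bad signature"
        claims = json.loads(body)
    except ValueError:                 # bad split, bad base64, bad JSON
        return None, "malformed"
    if claims["exp"] <= now:
        return None, "expired"
    if claims["jti"] in REVOKED_IDS:
        return None, "revoked"
    if claims["aud"] != audience:
        return None, "wrong audience"
    return claims, "ok"


def verify_request(token, subject, device, txn, required_scope, audience, now=None):
    """Decide one object access request (principle 4) and log the outcome,
    allow or deny, before returning it (principle 5)."""
    now = int(time.time()) if now is None else now
    claims, reason = _validate(token, audience, now)
    if claims is not None:
        if (claims["sub"], claims["dev"], claims["txn"]) != (subject, device, txn):
            reason = "binding mismatch"        # a stolen token replayed elsewhere
        elif required_scope not in claims["scope"]:
            reason = "insufficient scope"
    allowed = reason == "ok"
    ACCESS_LOG.append({"ts": now, "sub": subject, "dev": device, "txn": txn,
                       "aud": audience, "scope": required_scope,
                       "allowed": allowed, "reason": reason})
    return allowed, reason


def exchange_for_downstream(token, upstream_audience, downstream_audience,
                            downstream_scope, now=None):
    """Footnote [5]: object 1 needs object 2 to fulfil a request. Rather than
    forwarding the caller's token, mint a narrower one: same binding tuple,
    scope no wider than the inbound token, lifetime no longer than it."""
    now = int(time.time()) if now is None else now
    claims, reason = _validate(token, upstream_audience, now)
    if claims is None:
        raise PermissionError(reason)
    if not set(downstream_scope) <= set(claims["scope"]):
        raise PermissionError("downstream scope exceeds upstream scope")
    return issue_token(claims["sub"], claims["dev"], claims["txn"], downstream_scope,
                       downstream_audience, ttl=min(60, claims["exp"] - now), now=now)


if __name__ == "__main__":
    # Constructed walkthrough: alice on laptop-7 calls orders-api, which calls inventory-api.
    t = issue_token("alice", "laptop-7", "txn-1", ["orders:read", "orders:write"], "orders-api")
    print(verify_request(t, "alice", "laptop-7", "txn-1", "orders:read", "orders-api"))
    print(verify_request(t, "alice", "phone-2", "txn-1", "orders:read", "orders-api"))
    d = exchange_for_downstream(t, "orders-api", "inventory-api", ["orders:read"])
    print(verify_request(d, "alice", "laptop-7", "txn-1", "orders:read", "inventory-api"))
    revoke(t)
    print(verify_request(t, "alice", "laptop-7", "txn-1", "orders:read", "orders-api"))
    print(json.dumps(ACCESS_LOG, indent=1))
```

The binding check is what makes the token useless when replayed from another device or transaction, and the audience check is what stops object 2 from accepting a token that was meant for object 1. Real deployments replace the HMAC and the in-memory sets with asymmetric signatures, a shared revocation store and a central log pipeline; the checks themselves stay the same.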

Below is a list of companies with public documentation referencing “zero trust”:

Akamai: https://www.akamai.com/uk/en/solutions/zero-trust-security-model.jsp
Palo Alto: https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture
Centrify: https://www.centrify.com/zero-trust-security/
Cisco: https://blogs.cisco.com/security/why-has-forresters-zero-trust-cybersecurity-framework-become-such-a-hot-topic
Microsoft: https://cloudblogs.microsoft.com/microsoftsecure/2018/06/14/building-zero-trust-networks-with-microsoft-365/
ScaleFT: https://www.scaleft.com/zero-trust-security/
Zscaler: https://www.zscaler.com/blogs/corporate/google-leveraging-zero-trust-security-model-and-so-can-you
Okta: https://www.okta.com/resources/whitepaper-zero-trust-with-okta-modern-approach-to-secure-access/
ForgeRock: https://www.forgerock.com/blog/zero-trust-importance-identity-centered-security-program
Duo Security: https://duo.com/blog/to-trust-or-zero-trust
Google’s BeyondCorp: https://beyondcorp.com/
Fortinet: https://www.fortinet.com/demand/gated/Forrester-Market-Overview-NetworkSegmentation-Gateways.html


*** This is a Security Bloggers Network syndicated blog from Infosec Pro authored by Simon Moffatt. Read the original post at: http://feedproxy.google.com/~r/InfosecProfessional/~3/viB6Z7IxVWM/a-zero-trust-manifesto.html

