Introduction to Zero Trust Architecture

2021 is regarded as the first year of network security, and several factors have pushed zero trust to become a new trend in security. Zero trust has undoubtedly become one of the hottest terms across the whole security community, including the field of network security.

What is zero trust? Zero trust is neither a single product nor a single technology; it is a security concept and a security architecture. Its core principle is "never trust, always verify": it is centered on identity, focuses on applications and data, and uses continuous verification plus dynamic authorization as its access model to address identity, endpoint, application, and data security across the entire access process.

From concept to architecture to implementation, after several years of practice, SIM remains the main technical direction for realizing a zero trust architecture. "S" stands for SDP, the software-defined perimeter, which mainly handles north-south traffic and secure access control between users and the resources they access; "I" stands for IAM, identity and access management, which provides unified management of user identities and permissions; "M" stands for MSG, micro-segmentation, which mainly handles east-west traffic and focuses on preventing attackers who have reached the enterprise's internal network from moving laterally.

All three zero trust technologies have been deployed in the industry. In general, compared with IAM and micro-segmentation, SDP requires fewer changes to the enterprise's existing IT structure during implementation, so the risk is more controllable. As remote work becomes the norm, enterprises are most concerned with solving the security issues of remote-work scenarios first. SDP technology has therefore become the focus of the major zero trust solution providers, and it is also an area of focus for enterprise users.

2 How should enterprises plan and build a zero trust architecture?

At this launch event, Liansoft gave planning suggestions at the technical level, the ROI level, and the implementation level.

■ Technical level: The core question is whether the whole zero trust solution has, or integrates, UEM capabilities. UEM (unified endpoint management) covers the operating systems of mobile devices, PCs, and IoT devices across all platforms.

■ ROI level: Can the zero trust architecture connect with existing security investments? The analysis results of existing security components can be imported into the zero trust trust-evaluation system to achieve coordinated processing and dynamic authorization.

■ Implementation level: Zero trust is, after all, a new architecture and concept, and both vendors and enterprise users are still exploring it. Security is never built overnight. It must be planned and constructed step by step, prioritized by the importance of each business and the impact of its risks.

3 Zero Trust Security Architecture

Throughout the build-out, endpoint security capability is the most important link in the zero trust architecture, so most users first check whether their existing endpoint security vendors offer zero trust solutions. Under an existing EPP architecture, the zero trust infrastructure can be covered quickly by expanding capacity. At the same time, EPP, as one link in the overall security evaluation system, can achieve better integration, better operation and maintenance, and better ROI.

Liansoft helps users build an advanced and implementable zero trust architecture. The whole architecture is divided into two parts: the zero trust core components and the zero trust security components. The core components include the zero trust management platform, the trusted access gateway, and the secure client. The security components mainly include endpoint security, data security, IAM, and security analysis components.

The zero trust architecture is mainly built around five aspects : identity, access, device, application and data .

Trusted identity: a comprehensive identity, with dynamic authorization based on identity and role that defines what can and cannot be accessed, achieving fine-grained permission control.

Trusted Access:

1. Use SPA (single packet authorization) technology to hide the network entry point and shrink the exposed surface.

2. Establish a secure encrypted tunnel at the application layer through a secure proxy gateway.

3. Achieve one-time authentication through the same client and the same architecture, covering both network access authentication and zero trust access authentication, so that access security is guaranteed end to end.

Trusted devices: continuously detect, control, and comprehensively audit endpoint security.

Trusted applications: business systems are authorized on demand with minimal privileges. At the same time, application allow-list and block-list management is enforced on the endpoint, the security status of applications is detected, and access rights are controlled by a scoring mechanism.

Trusted data: drawing on accumulated data security experience, Liansoft helps users work out scenario-based solutions that minimize the impact of security controls on business processing and strike a balance between security and efficiency.

4 Zero Trust Network Access

From 2004 to 2022, Liansoft's technology roadmap for its entire product line has closely matched the development path of zero trust:

The development history of Liansoft zero trust products:

In 2004, as de-perimeterization was being proposed, Liansoft launched its network access control system, becoming one of the earlier network access control vendors in China.

In 2010, Forrester proposed the concept of zero trust security. In 2011, Liansoft launched RBAC-based NAC admission control technology.

Subsequently, Liansoft launched EMM and SDP products based on the zero trust concept in 2013 and 2017 respectively.

In 2019, Liansoft unified the EMM and SDP products into one architecture and one platform, realizing unified zero trust management of mobile devices and PCs.

In 2020, based on Liansoft's SDP, Huawei's security analysis system, and Zhuyun's IAM system, a complete zero trust solution was formed and a zero trust ecosystem alliance was built to provide customers from all industries with complete zero trust solutions.

Liansoft's application scenarios and practical capabilities in the field of zero trust

01 Scenario 1
Requirement Description

Remote access environments, including remote office, remote development, remote production, and remote operation and maintenance. Three core issues need to be resolved first: shrinking the Internet-facing exposure, secure access control, and data security.

Solution

By deploying Liansoft's zero trust solution, users can address the security problems of remote access scenarios from seven aspects.

1. Liansoft's UDP-based SPA hides the network entry point and keeps services invisible to unauthorized sources.

2. Comprehensive identity: helps users reconstruct a digital identity that is continuously verified throughout the entire zero trust access process.

3. Access endpoint security: monitors the behavior of end users in real time.

4. Least privilege: dynamically authorizes the applications a user may reach, enforces fine-grained permission control, and prevents unauthorized and over-privileged access.

5. Secure proxy gateway: establishes an application-layer encrypted tunnel between the access subject and the resources it is authorized to reach, protecting data throughout transmission.

6. Data security: protects data through a combination of digital watermarking, sandboxing, and other technologies.

7. Security audit: audits all user login operations and access behavior, so that security risks can be traced and located.
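The SPA mechanism named in item 1 above (and in the "Trusted Access" list earlier on the page) is easiest to understand from the gateway's side. The following is an added example, written for this page and not Liansoft's code; it assumes a simple packet layout (client id, timestamp, nonce, HMAC-SHA256 tag) and a constructed pre-shared key, neither of which is described on the page. The gateway authenticates the datagram, rejects stale and replayed packets, and only then records the source as allowed to connect; every rejected packet is dropped without a reply, which is what makes the service invisible to anyone who does not hold the key.

```python
import hashlib
import hmac

# Constructed sample material: one pre-shared key per enrolled client.
# In a deployment the SDP controller provisions these; they are never hard-coded.
CLIENT_KEYS = {
    "alice-laptop": bytes.fromhex("00112233445566778899aabbccddeeff"),
}

WINDOW_SECONDS = 30   # a packet older (or newer) than this is rejected
GRANT_SECONDS = 60    # how long the gateway stays reachable for an authorized source


def build_spa_packet(client_id, key, timestamp, nonce):
    """Client side: a single UDP datagram, no reply is expected.
    Layout: client_id|timestamp|nonce_hex|hmac_hex (ASCII for readability)."""
    body = f"{client_id}|{timestamp}|{nonce.hex()}".encode("ascii")
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"|" + tag.encode("ascii")


class SpaVerifier:
    """Gateway side. Every service port stays closed until a valid packet
    arrives from a source; invalid packets are dropped without any reply,
    so an unauthorized scanner cannot tell the gateway exists."""

    def __init__(self, keys, window=WINDOW_SECONDS, grant=GRANT_SECONDS):
        self.keys = keys
        self.window = window
        self.grant = grant
        self.seen_nonces = {}    # nonce_hex -> expiry time (replay cache)
        self.open_sources = {}   # source_ip -> (client_id, expiry time)

    def _expire(self, now):
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if t > now}
        self.open_sources = {ip: v for ip, v in self.open_sources.items() if v[1] > now}

    def handle(self, packet, source_ip, now):
        """Return (accepted, reason). The reason goes to the gateway's own log
        only; nothing is sent back to the source in either case."""
        self._expire(now)
        body, _, tag = packet.rpartition(b"|")
        try:
            fields = body.decode("ascii").split("|")
            tag_hex = tag.decode("ascii")
        except UnicodeDecodeError:
            return False, "malformed"
        if len(fields) != 3 or not fields[1].isdigit():
            return False, "malformed"
        client_id, ts_str, nonce_hex = fields
        key = self.keys.get(client_id)
        if key is None:
            return False, "unknown client"
        # Authenticate the packet before trusting any field inside it.
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag_hex):
            return False, "bad mac"
        if abs(now - int(ts_str)) > self.window:
            return False, "stale"
        if nonce_hex in self.seen_nonces:
            return False, "replay"
        self.seen_nonces[nonce_hex] = now + self.window
        self.open_sources[source_ip] = (client_id, now + self.grant)
        return True, "ok"

    def is_open(self, source_ip, now):
        """Would the gateway accept a connection from this source right now?"""
        self._expire(now)
        return source_ip in self.open_sources
```

The replay cache only needs to remember nonces for the length of the freshness window, because anything older is already rejected as stale; the open-source table is what a real gateway would translate into a short-lived firewall rule for the authorized address.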

02 Scenario 2
Requirement Description

Branch offices have high access costs and are difficult to manage. For enterprises with multiple branches and organizations, most enterprise users currently interconnect through point-to-point VPNs.

Solution

The Liansoft solution focuses on applications and data and deploys the zero trust products centrally in the data center. Each branch office only needs the zero trust client to access the data center's business systems: users pass identity authentication and security checks, and the services they may reach in the data center are allocated dynamically based on identity and security status.

03 Scenario 3
Requirement Description

Multi-cloud / multi-data center access. A traditional VPN architecture struggles to provide unified secure access, unified policy management, and unified security configuration in a multi-cloud, multi-data center environment.

Solution

With the zero trust solution deployed, the distributed, modular deployment of the management platform and the security gateways effectively separates the control plane from the data plane. Security authentication and authorization are managed through a single unified management platform, which reduces the operation and maintenance burden and improves the user experience.

04 Scenario 4
Requirement Description

Cross-level / cross-department business access. Each level or department has built its IT systems independently, the degree of data sharing between them is low, and "data silos" are a serious problem.

Solution

Liansoft's cross-level and cross-department solution builds a zero trust architecture for each level or department. Beyond zero trust access within its own level or department, when access crosses business centers or departments, the same Liansoft client can reach them by switching portals.

05 Scenario 5
Requirement Description

One machine, multiple uses. An enterprise may have several isolated networks. To guarantee network and data isolation, users have traditionally provisioned separate endpoints and VDI cloud desktops on each network, which leads to high investment and operation and maintenance costs. Moreover, mixing data from high-security and low-security domains on one endpoint carries a relatively high risk of data leakage.

Solution

For the one-machine, multiple-uses scenario, Liansoft provides the standardized zero trust security capabilities described above and can adopt different management modes according to the customer's network isolation and operation and maintenance requirements. In centralized management mode, customers use a single platform and a single business portal for identity authentication, endpoint security checks, and permission management; if a separate zero trust management platform is deployed in each business area, the client on the endpoint can switch portals quickly to preserve the user experience.

From the data security perspective, local data isolation is achieved through the endpoint sandbox, which keeps the data of each domain separate.

06 Scenario 6
Requirement Description

Client-free access to mobile H5 applications. In recent years, more and more enterprises use WeChat, DingTalk, or Feishu for instant messaging and remote business access. The access portals of CRM and H5 applications each need their own ports and services opened on the Internet side. Whether for compliance reasons or for the enterprise's own security requirements, the Internet-facing exposure must be reduced.

Solution

The Liansoft EMM solution can install a client on the customer's phone; at the same time, third-party applications such as WeChat and DingTalk can integrate a security SDK so that H5 applications and apps are reached through it, effectively reducing Internet exposure and providing device management, data management, and application management security.

For H5 applications, Liansoft has also launched a client-free access solution. In the Liansoft zero trust architecture, the security gateway exposes the necessary ports externally to provide application access. Without installing any client, once the user has authenticated through WeCom or DingTalk, a request to an H5 application first reaches the zero trust security product, which then forwards it to the corresponding H5 application, reducing exposure while preserving the user experience.

Next Generation Zero Trust Access Management System: Unisoft Uni SDP P Series

The Unisoft Uni SDP P series follows the Liansoft zero trust architecture and integrates the management platform and the security gateway in one appliance. Its functional modules revolve around five key directions: secure access, trusted identity, trusted endpoint, trusted application, and trusted data. Modular deployment of the all-in-one appliances keeps policy data and audit information synchronized, giving users a highly available experience, and audit information and related traffic information can also be synchronized to third-party platforms.

Core functions

1 SPA (single packet authorization)

Guarantees effective network stealth across a range of complex scenarios.

2 Trusted access capability

Using pure application-layer encryption technology, it supports both standard cryptographic algorithms and Chinese commercial cryptographic algorithms.

3 Access security

The P series continuously checks and verifies the endpoint's security status, and grants each identity the minimum set of applications appropriate to that identity and the endpoint's environment.

4 Single-network access

When a user is accessing the business systems of one network, the user can be prevented from accessing business systems of other networks at the same time, providing logical isolation per network. For the user, a single installed client is enough to reach multiple networks.
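The P series behavior described in items 3 and 4 (continuous checks of endpoint status, minimal authorization per identity and environment, and one network at a time), together with the scoring mechanism mentioned under "Trusted application" earlier on the page, can be modeled as a small policy engine. The following is an added example written for this page, not Liansoft's implementation; the roles, applications, network segments, posture checks, weights, and the minimum score of 70 are all constructed for illustration. Every request is evaluated from scratch, so a change in device posture between two requests changes the decision, and the only state kept is which network each user currently has a session in.

```python
from dataclasses import dataclass

# Constructed role -> application allow-list. Nothing is reachable by default;
# an application must be listed for the role (least privilege).
ROLE_APPS = {
    "developer": {"gitlab", "jenkins", "lab-console"},
    "finance": {"erp"},
}

# Constructed application -> network segment it lives in.
APP_NETWORK = {
    "gitlab": "office-net",
    "jenkins": "office-net",
    "lab-console": "lab-net",
    "erp": "finance-net",
}

# Constructed posture checks: each failed check subtracts its weight from 100.
POSTURE_WEIGHTS = {
    "disk_encrypted": 30,
    "edr_running": 30,
    "os_patched": 20,
    "screen_lock": 10,
}
MIN_SCORE = 70   # constructed threshold below which the endpoint is not trusted


@dataclass
class AccessRequest:
    user: str
    role: str
    app: str
    mfa_passed: bool
    posture: dict   # check name -> bool, reported by the client at request time


def posture_score(posture):
    """100 minus the weight of every check that failed or was not reported."""
    return 100 - sum(w for check, w in POSTURE_WEIGHTS.items() if not posture.get(check, False))


class PolicyEngine:
    """Evaluates every request afresh (continuous verification) and keeps
    only the state needed for the one-network-at-a-time rule."""

    def __init__(self):
        self.active_network = {}   # user -> network the user currently has a session in

    def evaluate(self, req):
        """Return ("allow", network) or ("deny", reason)."""
        if not req.mfa_passed:
            return "deny", "identity not verified"
        score = posture_score(req.posture)
        if score < MIN_SCORE:
            return "deny", f"device posture score {score} below {MIN_SCORE}"
        if req.app not in ROLE_APPS.get(req.role, set()):
            return "deny", f"{req.app} not authorized for role {req.role}"
        network = APP_NETWORK[req.app]
        current = self.active_network.get(req.user)
        if current is not None and current != network:
            return "deny", f"session already active on {current}"
        self.active_network[req.user] = network
        return "allow", network

    def disconnect(self, user):
        """Called when the client ends its session; frees the user to switch networks."""
        self.active_network.pop(user, None)
```

The order of the checks matters: identity is confirmed before the device is scored, the device before the application, and the network rule last, so a denial reason never reveals more than the requester has already proven.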

5 Multi-portal

This mainly covers cross-department and cross-level scenarios. The P series client can switch directly to another portal and, after identity authentication and a security check, access the corresponding business system, giving secure access across multiple scenarios and multiple portals with one client.

6 Data security

Digital watermarking technology: a different screen watermark is loaded for each business system accessed. Liansoft provides several watermark types, including plain-text, vector, QR code, and blind (invisible) watermarks.

The value of the P series solution lies in reshaping security, ease of use, and efficient operation and maintenance.

For small, medium, and micro customers, it can be deployed quickly to put zero trust security in place, and supports deployment within one hour when the resources and equipment are ready.

For customers with high concurrency, load-balancing integration is supported, and the P series opens permissions both toward the Internet side and toward intranet applications. After identity authentication and a series of security rule checks, users can quickly reach the related services.

---------------------------

Now let's take a look at Sangfor:

Product description

The zero trust access control system aTrust is an innovative security product launched by Sangfor based on the zero trust security concept, with "traffic identity" and "dynamic adaptive access control" at its core. Through core capabilities such as network stealth, dynamic adaptive authentication, dynamic endpoint environment detection, full-lifecycle business access, intelligent permission baselines, dynamic access control, and multi-source trust evaluation, the product meets the secure access needs of enterprise applications in multiple scenarios. At the same time, aTrust, as the core component of the Sangfor Zero Trust Platform (ZTA), supports integration with security devices such as situational awareness, EDR, and AC, so its security capabilities keep growing. It helps users migrate their network security systems to a zero trust architecture and realize a new generation of network security architecture with traffic identity, intelligent permissions, dynamic access control, and greatly simplified operation and maintenance management.

Product technical advantages

Simple implementation and deployment

Lightweight and easy to implement: using the standard SDP architecture, two components are enough to deliver secure access for multiple scenarios, which makes the solution lighter and easier to deploy.

Strong authentication integration: a variety of open, standardized authentication interfaces (OAuth2, CAS, HTTP(S), LDAP, and RADIUS) connect to different authentication platforms, simplifying third-party authentication integration during deployment and go-live. Drawing on more than ten years of SSL VPN experience and a rich integration track record, more than ten mainstream IAM/4A vendors have been integrated in projects.

Simple configuration: when the device is brought online, a wizard guides the deployment configuration, so the device can be set up easily by following the wizard.

Good user experience

Good compatibility: Sangfor has more than ten years of SSL VPN experience and has accumulated rich practical experience in endpoint compatibility. It is compatible with mainstream and domestic Chinese endpoints, and with mainstream browsers as well as browsers supporting Chinese national cryptographic standards.

Fast access: when there are multiple Internet exits, network latency is calculated automatically and the optimal line is selected automatically; login completes in seconds, with no waiting for a tunnel to be established.

Strong security

Rich authentication methods: more than ten authentication methods, including OTP one-time passwords, passwordless authentication, and step-up authentication, strengthen identity security.

In-depth endpoint detection: supports process-level detection, which can discover and block untrusted application processes on the endpoint; at login and on every service access, the endpoint environment is continuously detected and authenticated to ensure endpoint compliance.

Comprehensive protection: supports process-level detection, which can discover and block untrusted application processes on the endpoint; at login and on every service access, the endpoint environment is continuously detected and authenticated to ensure endpoint compliance.

Fully shrunk exposure area: the third-generation SPA single packet authorization mechanism and the unique "one person, one code" design realize "network stealth", hiding key services and reducing the exposed surface.

High security of the device itself: the device's own security is ensured through framework security, interface security, source code security, an SDL process, and public testing services.

Large-scale access

Large-scale concurrent software architecture: supports deployments with millions of concurrent users, and resource and permission management at the scale of 100,000 resources.

Strong horizontal scaling: a split design allows the proxy gateway to scale out horizontally, supports local and remote clusters, and meets ultra-large-scale concurrent access.

Strong horizontal scaling: intelligent resource control means no downtime, continued business availability, and no failed requests during sudden traffic peaks; in over-capacity stability testing, it ran at 20,000 concurrent users in actual operation and sustained stress testing at 30,000 concurrent users.

Product Details

aTrust-1000-B series

Suitable for remote office, UEM terminal data leakage prevention, mobile APP business security access, etc.

  • 1U-2U chassis
  • Encrypted traffic throughput covers 300Mbps-10Gbps
  • The maximum number of theoretical concurrent users covers 400-20000


aTrust-1000-S series

Suitable for remote office, UEM endpoint data leakage prevention, mobile app business security access, and users with additional classified-system evaluation needs.

  • 1U-2U chassis
  • Encrypted traffic throughput covers 480Mbps-2.1Gbps
  • The maximum number of theoretical concurrent users covers 1000-16000


Virtualization aTrust-1000-V Series

Can be deployed as an image on various cloud platforms; suitable for remote office, UEM endpoint data leakage prevention, and mobile app business security access.

Users size the virtual machine on demand to meet the required maximum encrypted traffic throughput and maximum theoretical number of concurrent users.


aTrust-1000-GA series

Built on a Phytium CPU running Galaxy Kylin OS; suitable for remote office after localization transformation, UEM endpoint data leakage prevention, and mobile app business security access, and can also meet customers' classified-system evaluation needs.

  • 1U-2U chassis
  • Encrypted traffic throughput covers 600Mbps-750Mbps
  • The maximum number of theoretical concurrent users covers 1200-6000


aTrust-1000-LS series

Built on a Hygon CPU running Galaxy Kylin OS; suitable for remote office after localization transformation, UEM endpoint data leakage prevention, and mobile app business security access, and can also meet customers' classified-system evaluation needs.

  • 2U chassis
  • Encrypted traffic throughput up to 2.5Gbps
  • Maximum theoretical number of concurrent users up to 25,000 (2.5w)


Origin blog.csdn.net/ab6326795/article/details/130962720