Why is the zero trust architecture identity management platform more reliable?

With the continuous advancement of information technology and the popularization of cloud computing, Internet of Things and mobile devices, security issues such as information leakage are becoming more frequent. Recently, an information leakage incident of a college student has sparked widespread discussion. The students of the school took advantage of their identities to illegally obtain a large number of private information such as names, student numbers, and photos of students.

After the discussion of this hot topic, people once again realized the importance of private information and raised concerns about the security of identity management.

The theft of identity information is not only related to personal privacy and property security, but also leads to the leakage of enterprise core data and affects the normal production of enterprises. Therefore, whether it is for individuals or enterprises, a reliable identity management system is important and necessary.

In the face of complex and diverse information security threats in the digital age, the identity management system of the traditional border security architecture is no longer reliable. In order to protect the sensitive data and resources of the enterprise and ensure the security of personal privacy information, the establishment of an identity management platform based on a zero-trust architecture has become a reliable way for people to improve the security of identity management.

01. What is Zero Trust Architecture

Zero Trust Architecture is an identity-centric network security model. It advocates access control based on the principle of least privilege, and no longer decides whether access is permitted based on network boundaries alone.

In the book "Zero Trust Network", the author abstracts the zero trust architecture through five assumptions:

  • The network is in a dangerous environment all the time.
  • There are always external or internal threats in the network.
  • The location of the network is not sufficient to determine the trustworthiness of the network.
  • All devices, users and network traffic should be authenticated and authorized.
  • Security policies must be dynamic and calculated based on as many data sources as possible.

A zero trust architecture follows a "never trust, always verify" strategy. By default, no person, device, or application inside or outside the enterprise is trusted, and every user must be authenticated and authorized before accessing resources.

According to the understanding of zero trust architecture, the principles of zero trust architecture can be summarized as follows:

  • Identity as the basis for access control: A zero trust architecture relies on authenticating all participating objects to establish trust relationships. These participating objects include the underlying network, devices, users, and applications. The zero trust architecture gives all objects digital identities, and builds an access control system based on identities rather than network locations.
  • Principle of least privilege: Zero trust architecture emphasizes allocating resources on demand and granting only the minimum permissions needed to perform a task, while limiting the visibility of resources. Through technical means such as port hiding, unauthenticated access subjects cannot see resources at all. Authorization decisions combine the identities of the entities involved (personnel, devices, and applications) with the access request, a trust evaluation, and a permission policy calculation to determine whether to grant access.
  • Real-time calculation of access control policies: Authorization decisions are calculated in real time from the subject's identity information, permission information, environment information, and current trust level to form access control policies. During resource access, if the basis for the authorization decision changes, the calculation is re-run, and the authorization decision is changed immediately if necessary.
  • Controlled and secure access to resources: The zero trust architecture requires mandatory identification and authorization judgments for each access request across all business scenarios and resources, ensuring that the permissions and trust level of an access request meet the security policy before it is released, and implementing session-level fine-grained access control. Zero trust assumes an insecure network environment and requires all access connections to be encrypted.
  • Continuous evaluation of trust level based on multi-source data: The subject's trust level is one of the bases for a zero trust authorization decision, and it is calculated from real-time multi-source data (such as identity, permissions, access logs, etc.). The more types of data involved in the calculation, the more accurate the trust level evaluation and the higher its reliability. The rapid development of artificial intelligence provides support for trust evaluation: through techniques such as expert systems, model training, and machine learning, the calculation efficiency of trust evaluation strategies can be improved for specific application scenarios, and a zero trust architecture can achieve a comprehensive balance of security, reliability, usability, and cost.

02. Advantages and key technologies of zero trust architecture

The traditional perimeter security architecture assumes that there is a clear dividing line between the "inside" and "outside" of an enterprise, and distinguishes them through the network boundary. Such an architecture usually grants broad access rights to users and devices within the perimeter, and cannot apply fine-grained permissions. Once an attacker gains access, everything within the perimeter is seriously threatened.

The zero-trust architecture, on the other hand, is based on the policy of "never trust, always verify" and authenticates every transaction and connection each time access is attempted. Even once authenticated, only very limited access privileges are granted, following the principle of least privilege. Compared with the traditional perimeter security architecture, the zero trust architecture can effectively prevent information leakage and offers strong security.

Zero trust architecture is not a technology, but a security concept. According to NIST, there are three core technologies, abbreviated "SIM", for realizing a zero trust architecture: software-defined perimeter (SDP), identity and access management (IAM), and micro-segmentation (MSG).

Software Defined Perimeter (SDP)

Software-defined perimeter is a key technology in zero trust architecture, which achieves a higher level of security by hiding network resources and restricting access. SDP uses encryption and access control policies to establish a virtual, transparent network perimeter that protects applications and data. SDP allows only authenticated users and devices to access authorized resources, while unauthorized users and devices can neither see nor reach those resources. With SDP, network resources are visible only to authorized users, access control is finer-grained, and the attack surface available to attackers is reduced.

Identity and Access Management (IAM)

Identity and access management is another key technology in the zero trust architecture, which is responsible for managing and controlling user authentication and authorized access. IAM controls user access to systems and resources by identifying users and based on their roles, permissions, and contextual information. In a zero trust architecture, every user needs to be authenticated and assigned appropriate permissions as needed to access the required resources. IAM can also detect and respond to anomalous behavior, as well as implement multi-factor authentication to increase security and protect systems from unauthorized access.

Micro-Segmentation

Micro-segmentation is a network security technique used in a zero trust architecture to reduce the attack surface and the possibility of lateral movement by dividing the network into multiple tiny security zones. Micro-segmentation ensures that each workload in the network is in an independent security domain, using fine-grained access control policies to restrict traffic and connections. This way, even if one workload is compromised, it is difficult for the attacker to move laterally into other workloads. Micro-segmentation also detects and blocks anomalous traffic and malicious behavior, and provides secure isolation for each workload to increase overall network security and reliability.

03. Practice of identity management platform based on zero trust architecture

In the zero trust architecture, the traditional perimeter defense model is replaced, and the focus of trust is shifted from the network perimeter to the authentication and authorization of each user and device. Identity management plays a key role in this process, managing and authenticating users' identities and granting appropriate access rights.

Identity management is an important line of defense for information security. As a next-generation, event-driven, cloud-native identity governance platform, Authing Identity Cloud is the productized form of an identity management system under the zero-trust architecture. Authing Identity Cloud puts the principles of zero trust architecture into practice through its capabilities in authentication, access control, identity governance and privileged identity management:

  • Multi-factor authentication (MFA): Establish trust by confirming the identity of the entity, combining passwords, verification codes, fingerprints, faces and other factors to make identity verification more secure and reliable.
  • Unified identity management: A unified identity management system centrally manages user authentication information and permissions, improves management efficiency, and ensures consistency and accuracy.
  • Dynamic access control: Based on factors such as user identity, device, and environment, access rights are dynamically assigned and adjusted so that users can only access specific resources when necessary.
  • Least privilege: Regularly scan server assets, close unnecessary ports and services promptly, keep externally exposed privileges to a minimum, filter unsafe services, assign users only the minimum necessary privileges, limit the scope of user access, and reduce potential risk.
  • Data security audit: Provide detailed audit logs of data access and operations, with the security audit covering detailed tracking records of all data activity. The generated reports make all data activity visible in detail, such as login failures, privilege escalation, plan changes, illegal access, and sensitive data access, and show at a glance whether these actions are compliant, so that every user operation can be traced.

In terms of authentication and authorization, although MFA can reduce the risk of credential theft to a certain extent, it cannot effectively cover all authentication scenarios because of objective limitations such as equipment (for example, the device must support fingerprint or face recognition) and technology. Adding unnecessary factors to the authentication process also burdens the user experience.

Gartner also pointed out in related reports that in the current network security environment, the implementation of MFA cannot effectively deal with complex and continuous network attacks, and also requires higher management costs. At the same time, Gartner advocates the continuous adaptive trust (CAT) approach, so that only entities that continue to be trusted are allowed to continue to access, so as to more securely adapt to the changing threat environment.

Gartner: Shifting focus from MFA to Continuous Adaptive Trust (CAT)

CAT's dynamic and continuous trust verification and authorization method is also an important embodiment of the zero trust architecture. Based on this, Authing Identity Cloud implements a more secure authentication method for its MFA capability: Continuous Adaptive Multi-Factor Authentication (CAMFA). CAMFA continuously evaluates the user's trust level throughout the entire usage journey to determine whether an additional authentication step needs to be added. It makes up for the shortcomings of MFA and addresses both enterprise security risks and user experience problems.
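The real-time policy calculation described in section 01 and the CAMFA step-up decision described above can be illustrated with a small policy engine. This is an added example, not Authing's code or API: the signals, weights and thresholds are constructed for illustration, and the "step_up_mfa" outcome is the point where a product like CAMFA would insert an extra authentication step.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed example: a toy policy decision point that scores each request from
# identity, device, environment and access-log signals, and re-runs the decision
# whenever a signal changes during the session. Weights/thresholds are illustrative.

@dataclass
class Context:
    subject: str
    mfa_verified: bool             # identity assurance signal
    device_managed: bool           # device posture signals
    device_patched: bool
    known_network: bool            # environment signal
    failed_logins_last_hour: int   # access-log signal
    resource_sensitivity: int      # 1 = public .. 3 = confidential

def trust_score(ctx: Context) -> int:
    """Combine multi-source signals into a 0..100 trust level."""
    score = 40 if ctx.mfa_verified else 15
    score += 20 if ctx.device_managed else 0
    score += 10 if ctx.device_patched else 0
    score += 15 if ctx.known_network else 0
    score -= 10 * min(ctx.failed_logins_last_hour, 3)   # recent anomalies lower trust
    return max(0, min(100, score))

# Minimum trust level required per resource sensitivity class.
REQUIRED = {1: 30, 2: 55, 3: 80}

def decide(ctx: Context) -> str:
    """Return 'allow', 'step_up_mfa' or 'deny' for one access request."""
    score = trust_score(ctx)
    need = REQUIRED[ctx.resource_sensitivity]
    if score >= need:
        return "allow"
    # Step-up is only offered when MFA is still outstanding and would close the gap.
    if not ctx.mfa_verified and score + 25 >= need:
        return "step_up_mfa"
    return "deny"

def evaluate_session(events: list[Context]) -> list[str]:
    """Re-evaluate on every signal change; the session ends at the first deny."""
    decisions = []
    for ctx in events:
        decision = decide(ctx)
        decisions.append(decision)
        if decision == "deny":
            break
    return decisions
```

Feeding `evaluate_session` a context that starts fully trusted and then loses device management and network trust mid-session yields `["allow", "deny"]`, which is the continuous re-evaluation the principles call for.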

04. Case Practice: Construction of a University Identity Governance Platform

Requirements and challenges

A certain university has always paid close attention to information security, and has purchased dozens of application systems for internal school management and for managing teachers and students. However, under the trend of digitalization, when the university sought to manage its self-developed systems and external application systems in a unified way, this brought many challenges to its digital construction:

The single sign-on problem in the self-developed BIM system is relatively complicated, since the self-developed system (the BIM system) and third-party systems (Odoo, Strapi, http://C9.io ) need to be combined for unified authentication and authorization. However, development of the BIM system itself is already extremely complicated. If single sign-on were developed at the same time, it would slow down the project launch and ultimately affect users.

The self-developed BIM system has not only a web client but also a mini-program client. Developing a multi-client, cross-platform user system introduces further complex issues, such as data synchronization, version control, and compatibility.

Because of the complexity of the self-developed BIM organization, fine-grained permission classification is required, and a role-based authorization model is complicated to implement and has a long construction period.

Solution

For the multi-application login problem, Authing Identity Cloud uses an OAuth 2.0-based single sign-on solution to quickly help the university connect the BIM system with Odoo, Strapi and http://C9.io, which greatly improves the efficiency of operation and maintenance and supports the construction of a smart campus.

For identity login and authorization, an RBAC-based authorization scheme is used to uniformly classify the permissions of organizations and staff, fully realize identity governance, improve information security, and strengthen risk control.

Using the cross-platform SDK of Authing Identity Cloud, only five lines of code are needed to implement the cross-platform user system (including mini-programs), which greatly simplifies the development process, shortens the development cycle, and improves development efficiency.

Both zero trust architecture and identity management are strategies and measures taken to establish a secure network environment and protect sensitive data. Applying the zero trust architecture to the identity management platform can strengthen identity verification, dynamic access control, and activity monitoring. Enterprises and organizations can improve security, reduce the risk of data leakage, and provide users with a more convenient access experience.

The Authing identity cloud based on the zero-trust architecture will also serve as a reliable identity management platform to more effectively protect sensitive data and resources of enterprises, and protect user privacy information more securely to cope with growing and changing cyber threats.

Source: blog.csdn.net/Authing/article/details/131807619