One article to explain what zero trust is

What is zero trust

The concept of zero trust was first proposed in 2010 by then-Forrester analyst John Kindervag. Zero trust recognizes the shortcomings of the traditional perimeter security architecture in a distributed network environment and holds that, no matter where a host is located, it should be treated as an Internet host, and that the network it sits on, whether the Internet or an internal network, must be treated as a dangerous network full of threats.

The core idea of zero trust is that, by default, no person, device, or system inside or outside the enterprise is trusted; anyone or anything that attempts to join the network and access network resources must be verified before it is authorized.

The core principles of a zero trust network cover the following five aspects:

1. Identity is the foundation of access control

Trust derives from the end-to-end identity of every object; access control is built on identity rather than network location.

2. The principle of least privilege

Resource visibility and access are allocated on demand, granting only the minimum privileges required to perform the task.

3. Real-time calculation of access control policies

Policies are computed from the trust evaluation of subject and object and from the access requirements, and continuous evaluation keeps policies changing in real time.

4. Controlled and secure access to resources

In every business scenario, each resource is reached through a single access request, with mandatory identification, authorization, authentication, and channel encryption.

5. Continuous evaluation of trust level based on multi-source data

The diversity and reliability of real-time multi-source data, including identity and access context, improve the quality of the trust evaluation policy's computation.

Zero trust advocates transforming the security architecture from network-centric to identity-centric; all access behavior requires fine-grained, adaptive access control centered on identity.

Enterprises should not trust any person, device, system, or application inside or outside the network by default. Instead, they should rebuild the trust basis of access control on authentication and authorization, continuously evaluate the trust level of visitors using as many data sources as possible, and dynamically adjust authorization and access control policies according to the evaluation results.

The supporting system of the zero trust architecture is called the control plane, and everything else is called the data plane. The data plane includes all applications, firewalls, proxy servers, and routers; they directly process all traffic on the network. The data plane is commanded and configured by the control plane.

Requests to access protected resources are first processed by the control plane, which authenticates and authorizes both the device and the user. Fine-grained access control policies are also enforced at this layer: the control plane can authorize based on roles, time, or device types within the organization.

Once the control plane checks that the request is legitimately authorized, it dynamically configures the data plane to accept traffic from that client (and only that client).

In addition, the control plane can negotiate the specific parameters of encrypted access between the requester and the accessed resource, including one-time temporary credentials, keys, and temporary port numbers.

The above is taken from the "Network Security Advanced Technology and Application Development Series Report - Zero Trust Technology (ZeroTrust)" released by the Institute of Information and Communications Technology in August 2020.

The relationship between trust domain and zero trust

Xinyu Security Cloud Network (the "trust domain") is designed according to the principles of zero trust security and is a simple, fast way to implement a zero trust network.

Yiyun believes that, for enterprises, the essence of zero trust is upgrading from a traditional perimeter-based IP network to a distributed ID network (identity network) that is centered on identity.

Zero trust in practice means no longer trusting IP addresses. In a rapidly changing, globally distributed network, an IP address cannot represent an individual and carries no information about security status, so it should no longer be used as an element of access control or of behavioral analysis. The core element of access control should therefore change from IP address to entity identity.

The core change of zero trust is to upgrade the enterprise network from IP network to ID network.

The point-to-point cloud grid architecture of Xinyu Security Cloud Network, its identity-tagged network packets, and its identity-based distributed access control engine give enterprises a natural zero trust network environment, making zero trust easier to implement.

Xinyu Security Cloud Network realizes the core principles of a zero trust network as follows:

Principle 1: Identity is the foundation of access control

In the traditional perimeter network model, network access control is designed and implemented around IP addresses. In a distributed enterprise, however, the network becomes more and more fragmented, and employees may access business resources from any location. A network IP address can only represent a network location, not a person or a terminal. Continuing to use the perimeter model in a distributed network inevitably makes security policies drift further from controlling people or terminals, bringing many implicit-trust vulnerabilities and a heavy security operations workload.

Most enterprises already have a unified identity management system. Whether it uses AD/LDAP, DingTalk, or WeChat, each employee has a unique digital identity. Implementing zero trust in an enterprise is not about building a new identity system, but about applying the enterprise's existing unified identity to network access control.

Xinyu Security Cloud Network embeds the enterprise's unified identity into every network packet, realizing identity at the bottom layer of the network, and uses an identity-based distributed access control engine. Network access control across the whole network is then based on the enterprise's unified identity rather than on IP addresses.

Principle 2: Principle of Least Privilege

Xinyu Security Cloud Network hides all enterprise business resources inside the business LAN and exposes no IP addresses or ports to the outside, preventing direct access from untrusted networks. All business access must be proxied through the Xinyu gateway. The gateway only accepts UDP packets sent from the Xinyu client and never actively responds to any packet; it verifies the identity on every packet and immediately discards any packet that fails verification.

Authorization policies are designed around accounts, terminals, client applications, business resources, service ports, and application-layer URIs or instruction sets. Fine-grained control policies are dynamically adjusted based on the trust assessment of users and terminals, so that authorization is continuously kept to the minimum.

Principle 3: Compute access control policies in real time

The fine-grained access control policy of the trust domain is generated by computation: the administrator centrally configures authorization policies in business language based on the attributes of accounts, terminals, and business resources; the platform computes the corresponding fine-grained access control policy and synchronizes it to every Xinyu client and Xinyu gateway for distributed enforcement.

The trust domain intelligent analysis platform uses terminal environment data and user business access behavior data to assess end-user trust in real time, and adjusts fine-grained access control policies in real time according to the assessment results.

Principle 4: Controlled Security Access to Resources

The trust domain uses a distributed access control engine: the fine-grained access control policy is enforced on the Xinyu client and the Xinyu gateway at the same time, every access packet is authenticated and authorized, and packet-by-packet encryption and packet-by-packet authentication are mandatory.

If the user or terminal has no right to access a business resource, the terminal cannot send any packet toward that resource, and the gateway will not decrypt or forward business access packets from that terminal. Otherwise, the terminal embeds the account and the terminal's identity information into the packet, encrypts it, and sends it to the remote Xinyu gateway; on receipt, the gateway verifies the identity, decrypts the packet, and forwards it.
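The control plane / data plane split described earlier and the per-packet identity check of Principles 2 and 4 can be sketched in code. The following is an added example, not code from the page or from the Xinyu product: the control plane authorizes on identity, role and device trust, installs a temporary credential in the gateway, and the gateway silently drops any packet that lacks a valid tag. The user directory, policy values and trust deductions are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample directory and policy (example data, not a real deployment).
USERS = {"alice": {"role": "finance"}, "bob": {"role": "engineering"}}
POLICY = {"erp": {"roles": {"finance"}, "min_trust": 70},       # resource -> allowed roles
          "git": {"roles": {"engineering"}, "min_trust": 50}}   # and minimum device trust
RISK = {"disk_unencrypted": 40, "stale_patches": 30, "unknown_location": 20}  # posture signals

def trust_score(device):
    """Multi-source trust evaluation: start at 100 and deduct per observed risk signal."""
    return max(0, 100 - sum(RISK[s] for s in device.get("signals", ())))

class Gateway:
    """Data plane: knows only the sessions the control plane installed and checks every packet."""
    def __init__(self):
        self.sessions = {}

    def install(self, sid, key, resource, ttl=300):
        self.sessions[sid] = {"key": key, "resource": resource, "exp": time.time() + ttl}

    def accept(self, packet):
        sid, resource, tag, body = packet
        s = self.sessions.get(sid)
        if s is None or s["resource"] != resource or time.time() > s["exp"]:
            return False  # unknown or expired session: drop silently, never respond
        expected = hmac.new(s["key"], sid.encode() + resource.encode() + body, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)  # forged or tampered packet: drop

class ControlPlane:
    """Authenticates user and device, evaluates policy, then programs the gateway."""
    def __init__(self, gateway):
        self.gateway = gateway

    def authorize(self, user, device, resource):
        role = USERS.get(user, {}).get("role")
        rule = POLICY.get(resource)
        if rule is None or role not in rule["roles"] or trust_score(device) < rule["min_trust"]:
            return None  # no credential issued, so nothing this client sends will be accepted
        sid, key = secrets.token_hex(8), secrets.token_bytes(32)  # temporary session credential
        self.gateway.install(sid, key, resource)  # data plane now accepts this client only
        return sid, key

def client_packet(sid, key, resource, body):
    """Client embeds its session identity in each packet and authenticates it with the key."""
    tag = hmac.new(key, sid.encode() + resource.encode() + body, hashlib.sha256).digest()
    return (sid, resource, tag, body)
```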

Principle 5: Continuous assessment of trust levels based on multi-source data

The Xinyu intelligent analysis platform collects identity-based network traffic data and terminal environment data across the whole network, uses AI techniques to model the security of access subjects and objects, assesses the trustworthiness of people and terminals, and analyzes business access behavior and sensitive data access behavior to detect threats. It dynamically adjusts access rights based on the detection and analysis results and handles abnormal or malicious accounts and terminals in real time.


Zero trust represents a new generation of network security protection concepts. Its key lies in breaking the default "trust"; in popular terms, it is "never trust, always verify". By default, no person, device, or system inside or outside the enterprise network is trusted, and the trust basis of access control is rebuilt on identity authentication and authorization, so that identities, devices, applications, and links can be trusted. Built on the zero trust principle, an office system can guarantee three kinds of "security": terminal security, link security, and access control security.

Development Background

Traditional network security is based on the physical perimeter defense of the firewall, also known as the "intranet". The concept of the firewall originated in the 1980s. The premise of this defense model is that all of an enterprise's office equipment and data resources are on the intranet, and that the intranet is completely trusted.

However, with the continued rise of emerging technologies such as cloud computing, big data, and the Internet of Things, enterprise IT architecture is changing from "bounded" to "boundaryless", and traditional security perimeters are gradually disintegrating. As new infrastructure represented by 5G and the Industrial Internet advances, the evolution toward "borderless" will accelerate further. At the same time, zero trust security has gradually come into view and become a new concept and architecture for solving the network security problems of this new era.

Milestones

On June 24, 2020, under the guidance of the Standard Committee of the China Industrial Internet Development Alliance, Tencent joined with 16 institutions and enterprises in the zero trust field to establish the "Zero Trust Industry Standard Working Group", spanning the four areas of industry, academia, research, and application, to promote the research, development, and industrialization of a series of zero trust group standards and improve the application efficiency of zero trust technology.

On August 20, 2020, under the guidance of the China Industrial Internet Development Alliance, the Zero Trust Industry Standard Working Group, which brings together more than 20 zero trust industry, university, and research institutions including Tencent, held an online press conference and officially released the first domestic zero trust security white paper based on a summary of offensive and defensive practice, the "White Paper on Zero Trust Practical Combat".

In September 2020, the international standard "Reference Framework for Continuous Protection of Service Access Process", led by Tencent, was successfully established, becoming the world's first zero trust security technology standard. This standard is of great and far-reaching significance for promoting the healthy development of the global network security industry and accelerating the development and adoption of zero trust technology and services.

In 2020, the China Electronics Industry Standardization Technology Association released the first domestic zero trust group standard, the "Zero Trust System Technical Specifications". The standard was drafted by Tencent and jointly compiled by more than 10 zero trust vendors, evaluation agencies, and users in the industry, including the Third Research Institute of the Ministry of Public Security, the National Computer Network Emergency Technology Processing and Coordination Center, and China Mobile Design Institute, filling the gap in domestic zero trust technical standards.

In July 2021, the Ministry of Industry and Information Technology's "Three-Year Action Plan for High-Quality Development of the Network Security Industry (2021-2023)" proposed to develop innovative security technologies and accelerate the development of security systems such as the zero trust framework.

In September 2021, Forrester released a report ("Zero Trust Network Access in the Third Quarter of 2021"), and Tencent was selected as the only domestic manufacturer.

In October 2021, the ITU-T (International Telecommunication Union), one of the world's three major international standardization organizations, released the first zero trust international standard, "Guidelines for Continuous protection of the service access process". It is of great and far-reaching significance for the healthy development of the network security industry and for accelerating the development and adoption of zero trust technology and services.

In November 2021, Gartner released "Best Practices for Zero Trust Network Access (ZTNA)" and gave five major recommendations.

Reposted from: Baidu Encyclopedia

Source: blog.csdn.net/fuhanghang/article/details/132471754