Zero Trust Architecture and Solutions (English version)
Issue 1

Zero Trust Architecture and Solutions is published by Qi An Xin Group. Editorial supplied by Qi An Xin Group is independent of Gartner analysis. All Gartner research is © 2020 by Gartner, Inc. All rights reserved. All Gartner materials are used with Gartner's permission. The use or publication of Gartner research does not indicate Gartner's endorsement of Qi An Xin Group's products and/or strategies. Reproduction or distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity" on its website.

Contents
Zero Trust Architecture and Solutions ... 2
Research from Gartner: Market Guide for Zero Trust Network Access ... 14
About Qi An Xin Group ... 21

Zero Trust Architecture and Solutions

In the era of cloud computing and big data, the network security perimeter is gradually disintegrating and internal and external threats are intensifying, leading to the failure of the traditional perimeter-based security architecture; the zero trust security architecture therefore comes into being. The zero trust security architecture establishes a dynamic, digital-identity-based perimeter with four key capabilities: identity-based schema, resource secure access, continuous trust evaluation and adaptive access control. It helps enterprises realize a new-generation network security architecture with comprehensive identity, dynamic authorization, risk measurement and management automation. This paper begins with the background, definition and development history of zero trust security, then proposes a general zero trust reference framework and takes the Qi An Xin Zero Trust Security Solution as an example to interpret how the reference framework is applied, and finally discusses the zero trust migration methodology, putting forward a migration approach of defining the vision, planning first and building step by step.

1. Introduction

The enterprise network infrastructure is becoming more and more complex, and its perimeter is gradually blurring. Digital transformation has driven the rapid evolution of information technology; new IT technologies such as cloud computing, big data, the Internet of Things and the mobile internet have brought new productivity to all industries, but at the same time they have brought great complexity to the enterprise network infrastructure.

On one hand, the adoption of cloud computing, the mobile internet and other technologies takes enterprise staff, businesses and data outside the enterprise's digital walls; on the other hand, the open and collaborative demands of new technologies such as big data and the Internet of Things let outside staff, platforms and services pass through those walls into the enterprise. The modern enterprise network infrastructure no longer has a single, well-recognized and clear security perimeter; in other words, the enterprise security perimeter is gradually disintegrating, and the traditional perimeter-based network security architecture and solutions are found difficult to adapt to the modern enterprise network infrastructure.

In addition, the network security situation is not optimistic. External attacks and internal threats are intensifying: organized attacks, weaponized attacks and advanced attacks that target data and services can still easily find loopholes to break through the enterprise perimeter, while internal threats such as unauthorized access to internal business systems, employee mistakes and intentional data theft keep popping up. Faced with such severe security challenges, the industry has paid more attention to security awareness, and security investment has also grown. However, the security effect is not that satisfactory, and security incidents emerge one after another. What is the root cause of the failure of the traditional security architecture? The fundamental basis of security is to deal with risks, and risks are closely related to "loopholes". Which "loophole" leads to the failure of the traditional security architecture? The answer is trust. The traditional perimeter-based network security architecture assumes that the people and devices in the internal network are trustworthy; therefore its security strategy is to build the digital walls of the enterprise, treating security products such as firewalls, WAF and IPS as sufficient to protect the perimeter of the enterprise network.
However, one should assume that there are always undiscovered loopholes in network systems, that there are always discovered but unpatched loopholes in the systems, that the systems have always already been infiltrated, and that insiders are always unreliable. These four "always" assumptions overturn the technical methods of traditional network security, namely segmenting the network and building walls, and expose the abuse of "trust" under the perimeter security architecture; this is why the perimeter-based security architecture and solutions have been found difficult to deal with today's network threats. A new network security architecture is needed to cope with the modern, complex enterprise network infrastructure and with the increasingly severe network threat situation. Zero Trust Architecture emerges in this context and is an inevitable evolution of security thinking and security architecture.

1.1. Definition of Zero Trust

Zero Trust Architecture has been developing rapidly and gradually maturing, while different versions of its definition describe it from different dimensions. In the book Zero Trust Networks: Building Secure Systems in Untrusted Networks, Evan Gilman and Doug Barth define zero trust as built upon five fundamental assertions:[1]

- The network is always assumed to be hostile.
- External and internal threats exist on the network at all times.
- Network locality is not sufficient for deciding trust in a network.
- Every device, user, and network flow is authenticated and authorized.
- Policies must be dynamic and calculated from as many sources of data as possible.

In short, no person, device or application in the enterprise network should be trusted by default, whether it is in the internal or the external network. The fundamental basis of trust should be a refactored access control built on proper authentication and authorization.

Zero Trust Architecture has paradigmatically changed the traditional access control mechanism, and its essence is adaptive, trusted access control based on identity. In the recently published "Zero Trust Architecture (NIST.SP.800-207-draft)", NIST points out that "Zero Trust Architecture is an end-to-end approach to network/data security that encompasses identity, credentials, access management, operations, endpoints, hosting environments, and the interconnecting infrastructure". It considers zero trust an architectural approach to data protection, while traditional security solutions focus only on perimeter defense and leave too much access open to authorized users. The primary goal of zero trust is to perform fine-grained access control based on identity in order to cope with the increasingly severe risk of over-privileged lateral movement. Therefore, NIST defines Zero Trust Architecture as follows: "Zero Trust Architecture (ZTA) provides a collection of concepts, ideas, and component relationships (architectures) designed to eliminate the uncertainty in enforcing accurate access decisions in information systems and services."[2] This definition identifies the key issue that zero trust needs to address, eliminating unauthorized access to data and services, and underscores the importance of fine-grained access control.

1.2. History of Zero Trust

Analyzing the development history of zero trust, it is not difficult to find that the different perspectives on zero trust finally show strong consistency after developing and merging. The earliest prototype of zero trust came from the Jericho Forum, founded in 2004, whose mission was to define cyber security under the de-perimeterization trend and to find solutions. The actual term "zero trust" was officially coined in 2010, indicating that all network traffic is untrusted by default, and that all access requests for all resources need to be securely controlled.

In the beginning, zero trust came up with a solution that focuses on fine-grained access control over the network through micro-segmentation to limit the attacker's lateral movement. With the continuous evolution of zero trust, identity-based architecture has gradually gained mainstream acceptance in the industry. The transformation of this architecture is closely related to the adoption of mobile computing and cloud computing. In 2014, Google published several papers on how it built a Zero Trust Architecture for its employees internally, based on its own BeyondCorp project. BeyondCorp's starting point is that it is no longer enough to build security controls just for the corporate perimeter; access control has to move from the perimeter to each user and device. By using Zero Trust Architecture, Google has successfully abandoned traditional VPNs and ensured that all users on insecure networks have secure access to enterprise business through the new architecture.[3] With the continuous improvement of zero trust theory and industry practice, zero trust has gone beyond the scope of the original network-layer micro-segmentation and evolved into a new generation of identity-based security solutions that can cover many scenarios, such as cloud environments, big data centers and micro-services. Research organizations are also ready to optimize their security architectures and systems.

Notes
[1] Evan Gilman and Doug Barth, Zero Trust Networks: Building Secure Systems in Untrusted Networks (O'Reilly Media, 2017)
[2] NIST, Zero Trust Architecture, 2019.09, nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207-draft.pdf
By analyzing the various definitions and frameworks of zero trust, it can be seen that the essence of Zero Trust Architecture is adaptive identity-based access control: security capabilities focused on identity, trust, resource access and adaptive access control; multi-dimensional factors such as people, process, environment and access context, based on business scenarios; and continuous assessment and evaluation of trust. Adaptively adjusting authority according to trust levels helps form a dynamic, adaptive security closed loop with strong risk-coping ability.

2. Zero Trust Reference Framework

The key capabilities of zero trust security can be summarized as follows: identity-based schema, resource secure access, continuous trust evaluation and adaptive access control. These capabilities map to a set of interacting core architectural components that are highly adaptable to various business scenarios.

2.1. Key Capability Model

The essence of zero trust is to establish an adaptive identity-based access control system between the access subject and the access object. Through the key capabilities of identity-based schema, resource secure access, continuous trust evaluation and adaptive access control, it encrypts, authenticates and enforces all untrusted access requests based on the digital identity of every participating entity in the network, aggregates a variety of data sources for continuous trust evaluation, adjusts permissions dynamically according to the trust level, and eventually establishes an adaptive trust relation between the access subject and the access object. In Zero Trust Architecture, the access object is the core protected resource, which should be covered by the protection surface, including the enterprise's business applications, service APIs, operations, asset data, etc. The access subject includes digital entities such as people, devices, applications and systems, all of which can be identified. In certain access contexts, those entities can also be combined to further clarify and define the subject. The key capabilities of Zero Trust Architecture are identity-based schema, resource secure access, continuous trust evaluation and adaptive access control. (See Figure 1 for a conceptual model.)

1) Identity-based Schema

In order to construct an access control system based on identity rather than network location, it is necessary to give digital identities to the people and devices in the network, combine the identified people and devices at run time to form access subjects, and grant each access subject the least privilege. Digital identity is the cornerstone of Zero Trust Architecture, and it needs to realize "comprehensive identity". It is not enough to simply create identities for people and/or devices; all entities involved in network interactions need them. In fact, in the age of the Internet of Things, things have become important participating entities, whose number has gone far beyond that of people. In Zero Trust Architecture, based on different access contexts, the access subject can be a dynamic combination of digital entities such as people, devices and applications, which is called a "network agent" in the book Zero Trust Networks. It is the term given to the combination of data known about the actors in a network request, typically containing a user, application and device, which form the inextricable context of an access request. It is generated on demand when an authorization decision is made and is therefore usually short-lived. Information on the network agent's constituent elements (users or devices) is generally stored in a database for real-time query and combination at authorization time, so the network agent represents the real-time state of the attributes of users and devices in each dimension at the time of authorization.[4]
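As an added illustration of the capability model above, and of the assertions listed in Section 1.1 (network locality is not a basis for trust; policies are dynamic and draw on many data sources), the following Python sketch models a minimal policy decision point. It is not code from the paper or from Qi An Xin. It builds a short-lived network agent from user, device and application, runs a continuous trust evaluation over several data sources, and derives the permission set from the trust level. The users, devices, applications, scoring weights, thresholds and the resource name are all hypothetical sample values.

```python
"""Added example (not from the Qi An Xin paper or any vendor product): a toy
zero-trust policy decision point.  It assembles a short-lived "network agent"
(user + device + application), performs continuous trust evaluation over
several constructed data sources, and adapts the granted permission set to
the resulting trust level.  All users, devices, weights and thresholds below
are hypothetical sample values."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed data sources (stand-ins for an identity directory, a device
# inventory and an authentication-event feed).
USERS: Dict[str, Dict[str, bool]] = {
    "alice": {"mfa_enrolled": True},
    "bob": {"mfa_enrolled": False},
}
DEVICES = {
    "laptop-01": {"managed": True, "disk_encrypted": True, "patch_age_days": 3},
    "byod-07": {"managed": False, "disk_encrypted": False, "patch_age_days": 90},
}
APPROVED_APPS: Set[str] = {"finance-portal"}

# Least privilege: each action on a resource is unlocked only at or above a
# minimum trust level (0-100).  Hypothetical thresholds.
RESOURCE_POLICY: Dict[str, Dict[str, int]] = {
    "payroll-api": {"read": 60, "write": 80},
}
STEP_UP_MARGIN = 20  # this close below a threshold: re-authenticate rather than deny


@dataclass(frozen=True)
class NetworkAgent:
    """The access subject combined at decision time: user, device and the
    client application.  src_ip is recorded for auditing only; it is never
    consulted by evaluate_trust(), because network locality is not a basis
    for trust."""
    user: str
    device: str
    app: str
    src_ip: str


def evaluate_trust(agent: NetworkAgent, recent_auth_failures: int = 0) -> Tuple[int, List[str]]:
    """Continuous trust evaluation: start from zero trust and aggregate
    evidence from several sources into a 0-100 level plus the reasons."""
    score, reasons = 0, []
    user = USERS.get(agent.user)
    if user is None:
        return 0, ["unknown identity"]  # without an identity nothing else counts
    score += 30 if user["mfa_enrolled"] else 20
    reasons.append("identity verified" + (" with MFA" if user["mfa_enrolled"] else ""))

    dev = DEVICES.get(agent.device, {})
    if dev.get("managed"):
        score += 25
        reasons.append("managed device")
    if dev.get("disk_encrypted"):
        score += 10
        reasons.append("disk encrypted")
    if dev.get("patch_age_days", 999) <= 30:
        score += 15
        reasons.append("recently patched")
    if agent.app in APPROVED_APPS:
        score += 10
        reasons.append("approved client application")
    if recent_auth_failures >= 3:
        score -= 30
        reasons.append("repeated authentication failures")
    return max(0, min(100, score)), reasons


def decide(agent: NetworkAgent, resource: str, action: str, recent_auth_failures: int = 0) -> str:
    """Adaptive access control for one request: 'allow', 'step_up' (fresh
    strong authentication required first) or 'deny'."""
    score, _ = evaluate_trust(agent, recent_auth_failures)
    required = RESOURCE_POLICY[resource][action]
    if score >= required:
        return "allow"
    if score >= required - STEP_UP_MARGIN:
        return "step_up"
    return "deny"


def granted_actions(agent: NetworkAgent, resource: str, recent_auth_failures: int = 0) -> Set[str]:
    """The permission set the current trust level unlocks; re-evaluating
    during a session lets it shrink (or grow) as the evidence changes."""
    score, _ = evaluate_trust(agent, recent_auth_failures)
    return {a for a, need in RESOURCE_POLICY[resource].items() if score >= need}


if __name__ == "__main__":
    corp = NetworkAgent("alice", "laptop-01", "finance-portal", "10.0.0.5")
    byod = NetworkAgent("bob", "byod-07", "finance-portal", "10.0.0.6")
    stranger = NetworkAgent("mallory", "laptop-01", "finance-portal", "10.0.0.7")
    for who, agent in [("alice/corp", corp), ("bob/byod", byod), ("unknown", stranger)]:
        level, why = evaluate_trust(agent)
        print(f"{who}: trust={level} {why} write->{decide(agent, 'payroll-api', 'write')}")
    # Same session, trust re-evaluated after three failed authentications:
    print("alice/corp after failures:", granted_actions(corp, "payroll-api", 3))
```

Running the module prints the decision for each constructed agent. The unknown user connecting from an internal address receives the same deny as any other unidentified subject, since the source address contributes nothing to the trust level, and alice's write permission on the resource is withdrawn mid-session once repeated authentication failures lower her trust level, which is the dynamic adjustment of authority by trust level that the capability model describes.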
Notes
[3] Google,
[4] Evan Gilman and Doug Barth, Zero Trust Networks: Building Secure Systems in Untrusted Networks, Aug., 2019

[Figure 1: conceptual model of the zero trust key capabilities (Section 2.1). Source: Qi An Xin Group, 2019]