1) Progress in the data plane and control plane of zero-trust


Previous blog posts have introduced the basic concepts and related applications of the zero trust security framework. This post looks at the origin, current state and future prospects of zero trust from an industry perspective.

1. Pre-zero trust era

Over the past decade, the information security industry has experienced three major trends: mobility, cloud computing, and software as a service (SaaS). These three trends have redefined how work is done, how business is conducted, and how information is consumed. According to Gartner's forecast, end-user spending on global public cloud services will exceed 480 billion US dollars in 2022, up 21.7% year on year. The traditional 9-to-5 on-site office model has gradually given way to remote work, where employees connect to the corporate network from home or on the road. The COVID-19 pandemic forced people to isolate at home and further accelerated the adoption of remote work: almost overnight, nearly all technology-industry employees other than essential on-site staff switched to full-time remote work.

At the same time, more and more enterprises are adopting hybrid IT environments, which bring new and complex requirements for enterprise network security. In the past, enterprises ran core applications and stored sensitive data in their own data centers. Now, many large enterprises buy cloud services and migrate resources from local hardware to public clouds in order to cut costs and improve scalability. To realise a return on investment faster and further reduce total cost of ownership (TCO), many enterprises have chosen SaaS applications over traditional self-hosted enterprise applications or in-house solutions.

However, the above three trends have brought huge challenges to both corporate network security and user experience:

Traditional network security infrastructure is like a moat: enterprise resources are protected by a corporate network perimeter equipped with security devices such as antivirus, firewalls, URL filtering, data loss prevention (DLP), denial-of-service protection and sandboxes. To accommodate remote and mobile work, enterprises bolted virtual private networks (VPNs) onto this architecture, creating a secure tunnel between remote employees and the enterprise network. However, a VPN typically grants a connected user broad access to the internal network and its resources, far more than any single task needs, and connection speeds degrade once the number of concurrent users reaches a certain level.

For secure remote access to SaaS applications, the traditional approach is a 'band-aid': backhauling all traffic to the central data center so that every resource is reached from one centralised location. Because of inefficient traffic routing (hairpinning), limited scalability, a variety of hidden costs and weak security, this approach is difficult to operate smoothly.

Compared with the traditional approach, cloud migration has a lower initial setup cost, fewer maintenance requirements, and workloads that are both scalable and elastic. However, resources end up siloed between the enterprise data center and the public cloud vendors. In addition, dynamic, short-lived and interdependent cloud-native workloads require cloud-native security controls.


2. Entering the Zero Trust Era

In the past, enterprise network security was defined in terms of network-level controls that supported connectivity, monitoring and detection. The traditional, location-based network perimeter is now being abandoned, and identity has taken the central role in a new security framework known as Zero Trust. The concept rests on one principle: 'Never trust, always verify'. The model replaces implicit trust inferred from static location with explicit trust based on dynamic situational data, drawn from user identity, application attributes, endpoint posture, network health and enterprise security policy.

Zero Trust Network Access (ZTNA) secures access to private applications: only verified requests are granted access, and only under the conditions that policy allows. A zero-trust proxy continuously verifies the identity, context and policy of each request before granting or denying access, so applications are no longer visible to everyone, which significantly reduces the attack surface. Because of its availability and scalability advantages, ZTNA has quickly gained industry attention as a VPN replacement. In addition, the identity- and context-based micro-segmentation that ZTNA provides supports fine-grained security controls; compared with traditional network-based segmentation, micro-segmentation is far more effective at preventing lateral movement.
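The difference between network-based segmentation and identity-based micro-segmentation is easiest to see with both decision functions side by side. The following is an added example written for this post, not code from the original article or from any ZTNA product. The SPIFFE-style workload identities, the IP ranges, the service names and the `Workload`/`Request` types are all constructed for the illustration; the "identity_verified" flag stands in for the proxy having authenticated the peer (for example via mTLS).

```python
"""Network segmentation vs. identity-based micro-segmentation.

Added example, not code from the original post or any vendor product.
Identities use a SPIFFE-style URI format; all names and addresses are assumed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    identity: str   # workload identity as presented (e.g. from an mTLS certificate)
    ip: str


@dataclass(frozen=True)
class Request:
    src: Workload
    dst: Workload
    port: int
    identity_verified: bool  # did the proxy actually authenticate src?


# Traditional rule: "the app subnet may reach the database subnet on 5432".
NETWORK_RULES = [("10.0.1.0/24", "10.0.2.0/24", 5432)]

# Micro-segmentation rule: "orders-api may reach orders-db on 5432"; no addresses.
IDENTITY_RULES = [
    ("spiffe://corp.example/orders-api", "spiffe://corp.example/orders-db", 5432),
]


def network_segmentation_allows(req: Request) -> bool:
    """Location-based decision: trust is implied by the source address."""
    src = ipaddress.ip_address(req.src.ip)
    dst = ipaddress.ip_address(req.dst.ip)
    return any(
        src in ipaddress.ip_network(src_net)
        and dst in ipaddress.ip_network(dst_net)
        and req.port == port
        for src_net, dst_net, port in NETWORK_RULES
    )


def micro_segmentation_allows(req: Request) -> bool:
    """Identity-based decision: never trust, always verify, then match policy."""
    if not req.identity_verified:
        return False  # a claimed but unauthenticated identity earns no trust
    return any(
        req.src.identity == src_id and req.dst.identity == dst_id and req.port == port
        for src_id, dst_id, port in IDENTITY_RULES
    )


ORDERS_API = Workload("spiffe://corp.example/orders-api", "10.0.1.10")
ORDERS_DB = Workload("spiffe://corp.example/orders-db", "10.0.2.20")
# A compromised build agent that happens to sit in the same subnet as orders-api.
BUILD_AGENT = Workload("spiffe://corp.example/build-agent", "10.0.1.77")
# orders-api after a move to another site or cloud region: same identity, new address.
ORDERS_API_MOVED = Workload("spiffe://corp.example/orders-api", "10.0.9.10")

# Constructed scenarios used to compare the two models.
SCENARIOS = {
    "legitimate": Request(ORDERS_API, ORDERS_DB, 5432, identity_verified=True),
    "lateral_movement": Request(BUILD_AGENT, ORDERS_DB, 5432, identity_verified=True),
    "spoofed_identity": Request(Workload(ORDERS_API.identity, "10.0.1.77"),
                                ORDERS_DB, 5432, identity_verified=False),
    "relocated_workload": Request(ORDERS_API_MOVED, ORDERS_DB, 5432, identity_verified=True),
}


def compare() -> dict:
    """Return {scenario: (network_decision, micro_segmentation_decision)}."""
    return {name: (network_segmentation_allows(r), micro_segmentation_allows(r))
            for name, r in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (net, zt) in compare().items():
        print(f"{name:20s} network={'ALLOW' if net else 'DENY':5s} "
              f"micro-seg={'ALLOW' if zt else 'DENY'}")
```

The two models agree only on the legitimate request. The network rule lets the compromised build agent and the spoofed-identity peer reach the database simply because they sit in the "trusted" subnet (the lateral-movement path), while it blocks the genuine orders-api as soon as it moves to a new address. The identity rule gives the opposite answers in all three cases, which is what "abstracting the enterprise from the physical topology" means in practice.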

It is precisely because the traditional perimeter model can no longer meet the security and performance needs of the modern enterprise that more and more companies are showing interest in zero-trust strategies. In 2019, Gartner combined networking and network security into the Secure Access Service Edge (SASE) model. Under this model, an enterprise can replace its centralised hub-and-spoke network with identity-centric, cloud-delivered network access (ZTNA), a secure web gateway (SWG) and a cloud access security broker (CASB), improving both efficiency and security. Another option is to use software-defined wide-area networking (SD-WAN), identity and access management (IAM), SWG and CASB to reduce or replace existing Multiprotocol Label Switching (MPLS) circuits.

3. Prospects for the future of zero-trust

1) Progress in the data plane and control plane of zero-trust

The best way to picture the development and adoption of zero trust is to look at the ideal zero-trust architecture. For that purpose, a zero-trust implementation can be abstracted as a data plane plus a control plane: the data plane carries access to resources, while the control plane continuously makes real-time decisions about who may access which resource.

An ideal zero-trust framework should have the most efficient data plane and the most effective control plane.

The data plane of the zero-trust framework is built on a single secure private network that handles people, applications, workloads and data connections uniformly, which is both more secure and more efficient than handling each of them separately.

In this design, a zero-trust secure mesh network connects traffic from any resource, device and user over any type of network infrastructure, including underlying physical links such as broadband, fibre, 4G/5G or WiFi. It abstracts the enterprise IT and security landscape away from the physical topology and establishes logical relationships between people, applications and resources based on identity, context and policy, in line with the enterprise's security needs.

The control plane of the zero-trust framework is zero-trust orchestration: observing, monitoring, inspecting, analysing and taking action. The interaction between the orchestration layer and the secure mesh network forms a closed feedback loop.

Essentially, zero-trust orchestration has three key characteristics: integrability, bidirectionality and continuity:

  • Integrability: zero-trust orchestration integrates security signals from many sources and turns them into situational data. The signals may come from users, devices, applications, workloads and the various identity types, as well as from telemetry on network traffic, endpoints, workloads, applications and email. Orchestration also brings access policy into the decisions on authentication and authorization, session management and resource revocation.

  • Bidirectionality: zero-trust orchestration exchanges information in both directions with security components such as identity providers, networks, endpoints and applications. Data is collected by listening to event streams or by correlating historical input from the security signals, it is integrated using machine learning and rule-based methods, and the resulting instructions are sent back to the security components to act on.

  • Continuity: zero-trust orchestration supports continuous security management, meaning near-real-time enforcement throughout the lifetime of a connection, not only at the moment of connection or access. For example, when orchestration detects malicious activity or a disabled user account, it can immediately ask the identity provider to revoke refresh tokens and terminate sessions, instruct the network to disconnect the user from resources, and, where necessary, require the application to re-verify the user's identity.
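The three characteristics above (integrability, bidirectionality, continuity) and the control-plane/data-plane split described earlier in this section can be shown together in a miniature orchestrator. The following is an added example written for this post; it is not code from the original article or from any zero-trust product. The signal types (`idp.user`, `edr.posture`, `siem.alert`), the resource classification in `SENSITIVE`, the command tuples sent back to the identity provider, network and application, and the event sequence in `run_demo()` are all assumptions constructed for the example.

```python
"""A miniature zero-trust control plane (orchestrator) driving a data plane.

Added example, not code from the original post or any product. Signal formats,
resource names and the commands sent to other components are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # ask the application to re-verify the user
    REVOKE = "revoke"     # tear the session down everywhere


@dataclass
class Context:
    """Situational data: the integrated view of one user's signals."""
    user: str
    account_enabled: bool = True
    mfa: bool = False
    device_compliant: bool = False
    risk: str = "low"       # low / medium / high, e.g. from a SIEM or UEBA alert


@dataclass
class Session:
    user: str
    resource: str
    active: bool = True


SENSITIVE = {"payroll", "source-code"}  # assumed resource classification


def decide(ctx: Context, resource: str) -> Action:
    """The policy decision, applied at access time and again on every new signal."""
    if not ctx.account_enabled or ctx.risk == "high":
        return Action.REVOKE
    if resource in SENSITIVE and not (ctx.mfa and ctx.device_compliant):
        return Action.STEP_UP
    return Action.ALLOW


class Orchestrator:
    def __init__(self) -> None:
        self.context: dict[str, Context] = {}
        self.sessions: list[Session] = []
        self.commands: list[tuple] = []   # instructions sent back to components

    # Integrability: heterogeneous signals are folded into one Context per user.
    def ingest(self, signal: dict) -> None:
        ctx = self.context.setdefault(signal["user"], Context(signal["user"]))
        kind = signal["type"]
        if kind == "idp.user":
            ctx.account_enabled = signal["enabled"]
            ctx.mfa = signal["mfa"]
        elif kind == "edr.posture":
            ctx.device_compliant = signal["compliant"]
        elif kind == "siem.alert":
            ctx.risk = signal["severity"]
        # Continuity: every signal triggers re-evaluation of the user's live sessions.
        self.reevaluate(ctx.user)

    # Data-plane entry point: the proxy asks here before forwarding a request.
    def request_access(self, user: str, resource: str) -> bool:
        ctx = self.context.get(user, Context(user))
        action = decide(ctx, resource)
        if action is Action.ALLOW:
            self.sessions.append(Session(user, resource))
            return True
        if action is Action.STEP_UP:
            self.commands.append(("app", "reauthenticate", user))
        return False

    # Bidirectionality: decisions become instructions to the security components.
    def reevaluate(self, user: str) -> None:
        ctx = self.context[user]
        for s in self.sessions:
            if s.user != user or not s.active:
                continue
            action = decide(ctx, s.resource)
            if action is Action.REVOKE:
                s.active = False
                self.commands.append(("idp", "revoke_refresh_tokens", user))
                self.commands.append(("network", "disconnect", user))
            elif action is Action.STEP_UP:
                s.active = False
                self.commands.append(("app", "reauthenticate", user))

    def active_sessions(self, user: str) -> list[str]:
        return [s.resource for s in self.sessions if s.user == user and s.active]


def run_demo() -> Orchestrator:
    """Constructed sequence: healthy login, then posture drift, then account disabled."""
    o = Orchestrator()
    o.ingest({"type": "idp.user", "user": "alice", "enabled": True, "mfa": True})
    o.ingest({"type": "edr.posture", "user": "alice", "compliant": True})
    o.request_access("alice", "payroll")   # allowed: MFA and compliant device
    o.request_access("alice", "wiki")      # allowed: non-sensitive resource
    o.ingest({"type": "edr.posture", "user": "alice", "compliant": False})   # payroll -> step-up
    o.ingest({"type": "idp.user", "user": "alice", "enabled": False, "mfa": True})  # all -> revoke
    return o


if __name__ == "__main__":
    o = run_demo()
    print("active sessions:", o.active_sessions("alice"))
    for cmd in o.commands:
        print("->", cmd)
```

The decision logic lives in one place (`decide`) and is invoked both when the data plane asks for access and whenever a new signal arrives, which is what makes enforcement continuous rather than a one-time gate. When the endpoint drifts out of compliance only the sensitive session is suspended and the application is told to re-authenticate the user; when the identity provider reports the account disabled, the remaining session is revoked and the orchestrator sends the token-revocation and disconnect instructions described in the text.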

2) How zero trust and identity systems work together

Identity is the cornerstone of the zero-trust framework. Identity is needed to describe and control almost everything: employees, customers, contractors, on-premises applications, SaaS applications, APIs, servers, virtual machines, containers, Internet of Things (IoT) devices, bots, datasets and so on. To connect these identities we need IAM, Privileged Access Management (PAM), Identity Governance and Administration (IGA), authentication methods and more. Zero-trust security is one of the best examples of using identity to improve both user experience and security posture. The zero-trust concept is also at the core of Ningdun identity management, and its identity management products are developed with a focus on high compatibility, scalability and openness to build an inclusive identity management system.

3) Call for internal cooperation within the security industry

From the perspective of industry research and acquisitions, zero trust, as the modern way of securing enterprise networks, can drive industry consolidation. A large amount of security-industry investment is currently pouring into the zero-trust sector, and dozens of companies have recently launched zero-trust products. In network security, however, no single product is secure enough on its own; putting all your eggs in one basket when building a security infrastructure is dangerous. A better approach is to build deep strategic partnerships with several security vendors and adopt the best combination of products to resist potential attacks. Collaboration drives technical progress and lets every user and enterprise use any technology securely at any time and in any place. In the zero-trust era, the security industry can achieve win-win cooperation.
