What is Zero Trust?
Zero Trust is a set of concepts and ideas. It assumes that the network environment has already been compromised and aims to reduce the uncertainty of each per-request access decision made in information systems and services. Zero Trust Architecture (ZTA) is an enterprise network security plan that is based on the zero-trust concept and is built around component relationships, workflow planning, and access policies.
Example

The big bad wolf sees the three little pigs just as black hat actors see the large gains they can steal from enterprises. The big bad wolf (black hat) attacks the houses (enterprise business systems) by various means in order to eat the three little pigs (steal those gains). The strength of the three little pigs' houses corresponds to an enterprise's security protection measures. In reality, enterprises add fences, locks, anti-theft doors and other measures outside the house to reinforce it and prevent it from being broken into. Black hat actors can still get the door opened by buying off a 'bad pig', or can disguise themselves as the 'mother pig' to enter the house.
If the three little pigs understand 'zero trust', they can protect themselves by judging who the 'bad pig' is, exposing the fake 'mother pig', and preventing the big bad wolf from entering the house. Even if the big bad wolf gets into the house in good camouflage, continuous analysis and supervision, with different disposal methods at different risk levels, allows it to be expelled outright when the risk level is high, cutting off the risk.
The houses are their security boundary, and if a house is breached they will be eaten. In the digital age, the rapid development of emerging technologies such as cloud computing and the Internet of Things is gradually rendering the traditional network-perimeter security architecture of enterprises ineffective. Zero Trust security, which does not treat the perimeter as a condition of trust and puts 'people' at the core, is better aligned with the current business security needs of enterprises.
The development of zero trust
2004
The Jericho Forum proposed the concept of de-perimeterized security.
2010
John Kindervag, often called the 'father of Zero Trust', proposed the concept of the zero-trust network model. In 2019 the CSA Greater China SDP Working Group released industry-related standard white papers and practice guides.
2020
The solution has been implemented in multiple industries, and related zero-trust standards have been released one after another. Zero Trust security is spreading rapidly and will become an inevitable choice for enterprise IT security construction.
Zero Trust means never trusting and always verifying. By default, no user, device, or system inside or outside the network is trusted, and the basis of trust for access control must be rebuilt on authentication and authorization.
User: The subject of the access, i.e. the user's identity as mapped into the network.
Terminal: The device used to initiate the access, including its hardware and software environment and the executable program code that initiates the access.
Resource: The object that is ultimately accessed and obtained, usually an application system inside the internal network.
Link: Terminal
Zero Trust Value
Building a zero-trust security architecture, with technologies such as artificial intelligence and big data tightly integrated with the business, can deliver practical value to enterprises in several dimensions, including:
First aspect: Detecting and resolving identity fraud risks caused by information leakage, impersonation, theft, privileged accounts, account sharing, and so on.
Second aspect: Detecting and resolving the security risks of all kinds of mobile terminals, and providing re-authentication for network devices, servers, Wi-Fi and other equipment, thereby avoiding fraud risks from every type of device.
Third aspect: Using artificial intelligence, dynamic behavior monitoring is achieved through continuous authentication, dynamic authorization is achieved through rule engines, and new risks are discovered through machine learning engines, so that user behavior risks are discovered and resolved in real time.
Fourth aspect: Compatibility with emerging application scenarios such as the mobile internet, the Internet of Things, and 5G, providing effective security guarantees for the information construction or digital transformation of enterprises in the new era.
The core idea of the zero-trust architecture is to transform the traditional network-based trust into an identity-based trust mechanism. Zero trust does not mean distrust; it means building trust from scratch. Through identity governance, every entity such as a device, user, or application is given an identity, and an identity-based trust system is built from the ground up, establishing a new identity boundary for the enterprise.
Core Concept of Zero Trust: from Network-Centric to Identity-Centric
Zero Trust Logical Architecture
NIST SP 800-207 Zero Trust Architecture (Second Draft of NIST Zero Trust Architecture)
Many components are involved in building a zero-trust architecture. The external support systems sit on both sides, while the core area in the middle is logically separated into a data plane and a control plane, which keeps the PDP (policy decision point) and the PEP (policy enforcement point) apart. This prevents enterprise assets and resources from being reached directly over the network. The data plane is what the enterprise uses for daily production tasks and business operations. The PDP communicates with the PEP and manages connections through the control plane so that authorized and approved entities (users/computers) can access objects (data). The zero-trust architecture ensures that subjects are 'trusted' and requests are valid, and the PDP/PEP pass the appropriate judgments that allow access to resources.
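To make the PDP/PEP split and the per-request, risk-level decision described above concrete (and the user/terminal/resource entities defined earlier), here is an added illustrative model. It is not code from the page, from NIST, or from any product; the resources, entitlements, signals and the rule thresholds are hypothetical and constructed for the example.

```python
from dataclasses import dataclass

# Hypothetical sensitivity of each resource (constructed sample data).
RESOURCE_SENSITIVITY = {"wiki": 1, "hr-payroll": 3}

@dataclass
class AccessRequest:
    user: str                   # subject: the user's identity in the network
    terminal: str               # device that initiates the access
    resource: str               # object being accessed
    mfa_verified: bool          # authentication-strength signal
    terminal_compliant: bool    # device posture (managed, patched, ...)
    inside_corp_network: bool   # network location: a signal, never a grant of trust

class PolicyDecisionPoint:
    """Control plane: decides every request from identity, terminal and risk signals."""
    def __init__(self, entitlements):
        self.entitlements = entitlements  # {user: set(resources)} from identity governance

    def risk_level(self, req):
        """Rule engine: combine signals into a risk level (0 = low)."""
        level = 0
        if not req.mfa_verified:
            level += 1
        if not req.terminal_compliant:
            level += 2
        # Being inside the corporate network is deliberately ignored:
        # the perimeter is not a condition of trust.
        return level

    def decide(self, req):
        if req.resource not in self.entitlements.get(req.user, set()):
            return "deny"        # no entitlement: the identity boundary holds
        risk = self.risk_level(req)
        if risk >= 2:
            return "deny"        # high risk: expel regardless of entitlement
        if risk == 1 and RESOURCE_SENSITIVITY[req.resource] >= 3:
            return "step_up"     # medium risk on sensitive data: re-authenticate
        return "allow"

class PolicyEnforcementPoint:
    """Data plane gate: the only path to a resource; consults the PDP on each request."""
    def __init__(self, pdp, resources):
        self.pdp, self.resources = pdp, resources

    def access(self, req):
        decision = self.pdp.decide(req)
        payload = self.resources[req.resource] if decision == "allow" else None
        return decision, payload   # payload is released only on "allow"
```

Because the PEP asks the PDP on every request, a session that was allowed earlier is re-evaluated as soon as a signal such as terminal compliance changes, which is the continuous-supervision behaviour the text describes.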