What Is the Zero-Trust Security Model?

The zero-trust model is a powerful authentication framework for today's untrustworthy digital age. In this model, every person, endpoint, mobile device, server, network component, network connection, application workload, business process, and data flow is inherently untrusted.

As such, each of them must be authenticated and authorized continuously as every transaction is performed, and all behavior must be audited both in real time and after the fact. Zero trust is a living system: all access rules are under constant review and modification, and all permitted transactions are continually re-verified. Gartner predicts that by 2026, 10% of large enterprises will have a mature and measurable zero-trust program in place, up from less than 1% today. So why has the world seemingly taken so long to embrace zero trust? Because it is hard to integrate at an enterprise-wide, scalable level.

Zero trust isn't just a talking point about the state of things in five years' time – it's a necessary and fundamental change to how an organization approaches access, authentication, authorization, auditing, and continuous monitoring. A robust identity and access management (IAM) program is a starting point for each and every security organization trying to stay ahead of malicious actors.

You can't adopt zero trust overnight, but you can start your journey today, knowing that you're on the path to helping your organization protect itself from all manner of current and future threats.

How Does Zero Trust Work?

Zero trust works by helping security organizations adopt least-privilege access (LPA) – the concept that individuals and components should only have the most minimal access necessary to perform a required action. It initially applies a second authentication factor to a user previously verified by a preliminary set of credentials.

A real-time risk assessment is then performed on the entire authentication attempt to check whether, for example, the person's connection originates from a permitted geographic range, the access time falls within that person's normal operating pattern, and the person does not already have an established session.
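The risk assessment described above can be expressed as a small policy evaluator. The following is an added example, not code from the original article or any vendor product: it scores an authentication attempt on the three contextual signals the text names (geography, time of day, existing session) and returns one of three decisions. The profile data, the thresholds, and the `step_up` outcome (requiring an additional factor before granting a narrower session) are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class UserProfile:
    """What the identity system knows about a user (constructed example data)."""
    username: str
    allowed_countries: frozenset   # countries this user normally connects from
    normal_hours: tuple            # (start_hour, end_hour), user's local time, 24h clock
    active_sessions: int = 0       # sessions already established for this identity


@dataclass
class AuthAttempt:
    """One login attempt after the primary credentials and second factor were checked."""
    username: str
    country: str
    when: datetime
    primary_credentials_ok: bool
    mfa_ok: bool


def risk_signals(profile, attempt):
    """Collect the contextual signals: geography, time window, pre-existing session."""
    signals = []
    if attempt.country not in profile.allowed_countries:
        signals.append("geo_out_of_range")
    start, end = profile.normal_hours
    if not (start <= attempt.when.hour < end):
        signals.append("outside_normal_hours")
    if profile.active_sessions > 0:
        signals.append("existing_session")
    return signals


def decide(profile, attempt):
    """Return (decision, signals); decision is 'allow', 'step_up' or 'deny'.

    Policy (an assumption of this example, not a standard): credentials and MFA
    must both pass; an out-of-range location or two or more anomalies deny;
    a single anomaly forces an additional factor; no anomalies allow.
    """
    if not attempt.primary_credentials_ok:
        return "deny", ["primary_credentials_failed"]
    if not attempt.mfa_ok:
        return "deny", ["mfa_failed"]
    signals = risk_signals(profile, attempt)
    if "geo_out_of_range" in signals or len(signals) >= 2:
        return "deny", signals
    if signals:
        return "step_up", signals
    return "allow", signals


def make_attempt(username, country, hour, creds_ok=True, mfa_ok=True):
    """Helper that builds a constructed attempt on a fixed example date."""
    return AuthAttempt(username, country, datetime(2024, 3, 4, hour, 0), creds_ok, mfa_ok)


if __name__ == "__main__":
    alice = UserProfile("alice", frozenset({"US"}), (8, 18))
    for attempt in (make_attempt("alice", "US", 10),
                    make_attempt("alice", "US", 22),
                    make_attempt("alice", "BR", 10)):
        print(attempt.country, attempt.when.hour, decide(alice, attempt))
```

Every decision is returned together with the signals that produced it, so the same record can be written to the audit trail that the zero-trust model requires after the fact.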

Even if an attacker managed to obtain multi-factor codes via – for example – a weaker SMS two-factor authentication (2FA) that was all an organization could afford to implement, they may achieve a successful connection, but not access to all intranet systems and services. In fact, the VPN connection would only grant them access to a defined set of applications or services. If the attacker makes any attempt at a network scan or other anomalous network behavior, monitoring systems would be alerted and that individual and connection would be quarantined for investigation.
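The behavioral control in the previous paragraph (a session that is scoped to a defined set of services and quarantined when it starts scanning) can be illustrated with a small detector run over flow records. This is an added example and not the article's or any product's code; the flow records, the per-user allow list, the 60-second window and the ten-destination threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN flow records, not real data: (timestamp, user, dst_ip, dst_port)
T0 = datetime(2024, 3, 4, 10, 0, 0)
SAMPLE_FLOWS = [
    (T0, "alice", "10.0.5.10", 443),
    (T0 + timedelta(seconds=5), "alice", "10.0.5.11", 443),
    (T0 + timedelta(seconds=40), "alice", "10.0.5.10", 443),
    (T0 + timedelta(seconds=2), "carol", "10.0.5.10", 443),
    (T0 + timedelta(seconds=9), "carol", "10.0.9.77", 3389),   # outside carol's scope
]
# "bob" touches port 22 on twelve different hosts within twelve seconds
SAMPLE_FLOWS += [
    (T0 + timedelta(seconds=i), "bob", f"10.0.5.{i + 1}", 22) for i in range(12)
]

# Least-privilege scope each VPN session was granted: the only (host, port) pairs allowed
PERMITTED = {
    "alice": {("10.0.5.10", 443), ("10.0.5.11", 443)},
    "bob": {("10.0.5.10", 443)},
    "carol": {("10.0.5.10", 443)},
}


def evaluate_sessions(flows, permitted, window=timedelta(seconds=60), max_distinct=10):
    """Return {user: {"verdict": "ok" | "quarantine", "reasons": [...]}}.

    Two checks per session: any destination outside the granted scope, and
    scan-like fan-out (at least `max_distinct` distinct destinations inside
    one sliding `window`). Either one quarantines the session.
    """
    by_user = defaultdict(list)
    for ts, user, dst_ip, dst_port in flows:
        by_user[user].append((ts, dst_ip, dst_port))

    verdicts = {}
    for user, recs in by_user.items():
        recs.sort()
        reasons = []
        allowed = permitted.get(user, set())
        if any((ip, port) not in allowed for _, ip, port in recs):
            reasons.append("unauthorized_destination")
        for i, (start, _, _) in enumerate(recs):
            seen = {(ip, port) for ts, ip, port in recs[i:] if ts - start <= window}
            if len(seen) >= max_distinct:
                reasons.append("scan_like_behavior")
                break
        verdicts[user] = {"verdict": "quarantine" if reasons else "ok", "reasons": reasons}
    return verdicts


if __name__ == "__main__":
    for user, result in sorted(evaluate_sessions(SAMPLE_FLOWS, PERMITTED).items()):
        print(user, result)
```

A real deployment would feed the `quarantine` verdict back to the VPN or access broker to revoke the session, and keep the reasons as the audit record for the investigation.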

Every transaction has a defined set of authentication, authorization, and behavior-audit rules that continually let the overarching zero-trust system ensure the safety of the interactions.

What Are the Use Cases for Zero Trust?

A zero-trust security approach can truly be applied to any device, application, or human connecting to the internet or to connected systems. Authentication applies in all cases – especially those of a sensitive nature – in order to best protect the business. Let's look at some specific use cases:

Securing Device Access

Internet of Things (IoT) devices are constantly sending and requesting data from any number of applications on a company's network. In more traditional security models, IoT devices were granted a certain level of trust based on a number of factors. As the number of these devices and the attack surface of their users keep expanding, it's critical to implement zero trust so that security is hardened and everything is authenticated.

Securing Remote Worker/Application Access

The pandemic was a gift for attackers, as companies around the world scrambled to set up a remote workforce to mitigate productivity downturns. Attack perimeters expanded almost overnight as proper security became secondary to keeping businesses running.

Emerging from the pandemic, much of the global workforce is hybrid – a few days in the office, a few days at home – so solutions like zero trust should remain in place in order to protect businesses in this new normal. Each worker must authenticate their access to corporate network applications, every day.

Securing Supply Chain Access

Reliance on third-party suppliers and vendors is the bottom line of today's economy. No business or security organization can be fully independent and thrive. Stakeholders must assume that any access to their network by a third party is a vulnerability. Therefore, those outside vendors must continuously validate and authenticate their network presence in order to mitigate cyberthreats that may emerge from that supplier's own environment.

Protecting Against Ransomware

The root causes of ransomware can be attributed to a host of errors: misconfigurations, human mistakes, weak authentication protocols, and a general lack of cybersecurity awareness. Many of them are caused by people. That's why a zero-trust architecture is a crucial weapon in the fight against ransomware – it requires authentication of access to only the area where a human or application needs to take action.

How to Implement Zero Trust

While this section could fill an entire book, let's talk about the scenario at the start of a zero-trust journey. To take the first step, you'll need to pick at least one business process or service-access scenario to move to this new model.

Propose a Solution

Every component and individual responsible for enabling a business process or service must be identified and the architecture fully documented. At this point, you may find you need to reimagine the architecture to ensure you have the necessary control and audit points in place.

You will then need authentication, authorization, auditing, risk-assessment, and enforcement solutions to support the access decisions at each connection in the process or service. Finally, you'll need personnel to support the creation and maintenance of the rules being enforced, in addition to the traditional patching, mitigation, and configuration management enforcement activities.

Then repeat the above steps for every other process and service. In other words, implementing scalable zero trust takes considerable effort.

Time and Resources

However, you should not – and, in reality, cannot – move all business processes and services to zero trust at once. Once you've assessed that initial service, begin the groundwork of acquiring the necessary tools and hiring the necessary staff to ensure a successful outcome. Then, you can transition that initial service over to zero trust when funding and time are on your side, and leave it in place for a while as you evaluate what it takes to maintain safety and resilience. Once you've adjusted your tooling and staffing plans accordingly, you can begin tackling the remaining processes or services.

Thankfully, you may already have many of these components and personnel in place within existing security and compliance solutions and processes, and you can finally employ more of your existing investments' capabilities than the 5-15% most organizations generally utilize.

Adopting a Zero-Trust Mindset

One of the biggest mindset challenges to overcome when introducing zero trust into your organization is the fear that the constraints the model imposes will reduce productivity and hamper creativity. These fears can be overcome with the right zero-trust framework:

  • First, perform a scenario-based risk assessment on a given business process. Do this together with the business process owner or stakeholders, and ensure you enumerate what actions threat actors could take at each transaction point in the process, ideally with some measure of the cost of the resulting loss of security and resilience.
  • Go on to show how each threat is reduced or eliminated with a zero-trust implementation of the same business process, and note how new processes – developed from the outset with a zero-trust mindset – will likely have reduced implementation costs, be more secure and resilient, and can be much easier to enhance over time as they will have been established on a solid foundation.