Understanding Zero Trust: Origins, Evolution and Architecture

The traditional network security architecture is perimeter-based. When an enterprise builds its security programme it first looks for the security boundary, divides the network into zones such as the external network, the internal network and the DMZ, and then deploys firewalls, intrusion detection, WAFs and similar products on that boundary.

This architecture assumes, or defaults to, the internal network being safer than the external one. To some degree it pre-grants trust to the people, devices and systems inside the network and neglects internal security measures. Once an attacker breaks through the enterprise's perimeter defences and enters the internal network, they can move about as if the territory were unguarded, with serious consequences.

As cloud computing, big data, the Internet of Things and mobile work become deeply integrated with business, the network security boundary has grown increasingly blurred, and the traditional perimeter-defence approach faces enormous challenges. Against this background, Zero Trust Architecture (ZTA) emerged. It breaks with the traditional defensive thinking of "authenticate, then trust", perimeter protection, static access control and network-centric defence, and establishes a dynamic security architecture that is identity-centric; that chains identification, continuous authentication, dynamic access control, authorisation, auditing and monitoring; that has minimal, real-time authorisation at its core; that rests on multi-dimensional trust algorithms; and that carries authentication all the way to the endpoint.

## A brief history of Zero Trust

#### 2004

The earliest prototype of Zero Trust traces back to the Jericho Forum, founded in 2004. Its mission was to define the network security problems of a de-perimeterised world and to seek solutions; it proposed limiting implicit trust based on network location and not relying on static defences.

To solve the problem of planning and reconfiguring the network dynamically and in real time within the Global Information Grid (GIG), the US Defense Information Systems Agency (DISA) launched the BlackCore project. It converted the perimeter-based security model into one based on the security of individual entities and proposed the concept of the Software Defined Perimeter (SDP), which was later adopted by the Cloud Security Alliance (CSA).

#### 2010

Forrester principal analyst John formally proposed the term "zero trust" and articulated the idea of a zero trust architecture. The model refined the de-perimeterisation concept discussed at the Jericho Forum and put forward three core points:

1. Devices are no longer divided into trusted and untrusted by a clear boundary;
2. There are no longer trusted or untrusted networks;
3. There are no longer trusted or untrusted users.

#### 2013

The Cloud Security Alliance established the Software Defined Perimeter (SDP) working group. As a new-generation network security concept, SDP's central idea is to use software to build a virtual enterprise perimeter for the mobile and cloud era, applying identity-based access control to address the coarse-grained control problem caused by blurred boundaries and thereby protect enterprise data.

#### 2014

Building on the results of its internal BeyondCorp project, Google published six related papers describing how Zero Trust was put into practice. The BeyondCorp secure-access approach treats the network as entirely untrusted and adopts a zero trust security model, with the following design principles:

1. No network is trusted;
2. Access is primarily by legitimate users on managed devices;
3. All service access is authenticated, authorised and encrypted.

#### 2017

At its Security & Risk Management Summit, Gartner released the Continuous Adaptive Risk and Trust Assessment (CARTA) model and stated that Zero Trust is the initial step towards the CARTA vision. Over the following two years it also published the Zero-Trust Network Access (ZTNA) market guide (note: Gartner refers to SDP as ZTNA).

CARTA is version 3.0 of the adaptive security architecture. It combines Zero Trust with attack protection and stresses judging security posture through continuous risk and trust assessment: there is no absolute security and no 100% trust, only a balance of risk and trust somewhere between 0 and 1.

#### 2018

Forrester published its Zero Trust eXtended (ZTX) ecosystem research report, extending the perspective from the network to users, devices and workloads, and extending capabilities from micro-segmentation to visibility, analytics and automated orchestration. It also proposed that identity is not limited to users but includes IP addresses, MAC addresses, operating systems and so on.

In short, any entity that has an identity, including users, devices, cloud assets and network segments, must be identified, authenticated and managed under the zero trust architecture.

#### 2020

NIST's SP 800-207, Zero Trust Architecture, defines ZTA as follows: an enterprise network security plan that uses zero trust, comprising a set of concepts, ideas and component relationships, aimed at eliminating uncertainty in enforcing precise access policies in information systems and services. The standard stresses that the many components of a zero trust architecture are not new technologies or products, but a complete security solution for users, devices and applications formed according to the zero trust concept.

## A new network security planning method: Zero Trust Architecture (ZTA)

With the rise of emerging technologies such as cloud, big data, IoT and mobile, networks have become increasingly complex, and traditional perimeter-based security planning can no longer meet the needs of government and enterprise customers. Combining the zero trust concept with the network and business realities of these customers gave rise to a new planning method: Zero Trust Architecture (ZTA).

As an enterprise network security plan, ZTA makes use of zero trust concepts, encompasses component relationships, workflow planning and access policies, focuses on data protection, and extends horizontally to all assets in the government or enterprise network. It is not a single network architecture but a set of guiding principles for designing and operating network infrastructure, which can be used to improve the security posture at the level of sensitivity of the assets.

Unlike the perimeter model's "trust but verify", the core principle of zero trust is "never trust, always verify". Traditional network security concentrates on perimeter defence, and an authorised subject gains broad access to internal resources. According to Evan Gilman's book Zero Trust Networks, a zero trust network is built on five assumptions:

1. The network should always be assumed to be hostile;
2. External and internal threats exist on the network at all times;
3. Network location alone is not sufficient to decide trust;
4. Every device, user and network flow must be authenticated and authorised;
5. Access control policies must be dynamic, and computed and evaluated from as many data sources as possible.

## The three core technologies of ZTA: "SIM"

The publication of the NIST standard gave the first official definition of zero trust together with a practical technical architecture. It stresses that zero trust is a security concept rather than a technology, and identifies the three technologies currently used to implement a zero trust architecture, "SIM": **Software Defined Perimeter (SDP), Identity and Access Management (IAM) and Micro-Segmentation (MSG)**.

#### Software Defined Perimeter (SDP)

SDP is designed to let application owners deploy a security perimeter on demand, so that services are isolated from insecure networks. It replaces physical appliances with logical components that run under the application owner's control, and allows access to the enterprise application infrastructure only after device verification and identity authentication.

Architecturally, SDP-based systems usually separate the control plane from the data plane. In the control-flow phase the user and their device pre-authenticate to obtain rich attribute credentials that serve as the identity subject; these are combined with attribute-based pre-authorisation policies and mapped to the specific devices and services the subject is permitted to reach, after which the corresponding secure connection can be established directly.

#### Identity and Access Management (IAM)

Zero trust emphasises an identity-based chain of trust: only an identity on a trusted endpoint, and holding the required permission, may request a resource. A traditional IAM system helps solve the functional problems of unique identity identification, identity attributes and identity lifecycle management.

Once IAM passes identity information (revocation on departure, expiry, anomalies and so on) to the zero trust system, that system can assign the corresponding permissions from it. The unique identifiers that IAM maintains help the zero trust system confirm that a user is trustworthy, establish trust relationships between the user identity, the endpoint and the resources through those identifiers, and, when risk is detected, enforce controls such as blocking the access connections of key users.

#### Micro-Segmentation (MSG)

Micro-segmentation is essentially a network isolation technique that logically divides a data centre into separate security segments, down to the level of individual workloads, and then defines an access control policy for each independent segment.

It focuses mainly on isolating east-west traffic on cloud platforms, both to distinguish itself from the isolation provided by traditional physical firewalls and to come closer to the real needs of cloud computing environments. Micro-segmentation takes the perimeter security concept to its limit, shrinking the network boundary as far as possible, and so substantially mitigates the risk created by over-trusting the perimeter under the traditional model.

## Closing remarks:

The zero trust security model has attracted sustained industry attention because, in traditional security architecture, perimeter protection cannot guarantee the security of internal systems. The adoption of 5G, cloud computing and other emerging technologies has blurred boundaries further and multiplied access paths, leaving traditional perimeter defence with nowhere to start.

Facing an increasingly complex network environment, the innovative security thinking of "zero trust", built on continuous risk prediction, dynamic authorisation and the principle of least privilege, matches the characteristics of new digital-infrastructure technologies. Drawing on advances in cloud, networking, security, AI and big data, it strengthens the overall security of information systems and networks, has become the backbone of upgrading the network security assurance system, and has ushered in the era of zero trust security architecture.
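To make the "SIM" chain from the section above concrete, here is an added Python example (not code from the original article or from any vendor product) of a minimal policy decision point that evaluates one access request against IAM lifecycle state, device posture, SDP-style role pre-authorisation, micro-segmentation flow rules and a continuously updated risk score. All identities, devices, services, segments and the risk threshold are constructed sample data.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed IAM records: lifecycle state and attributes per unique identity id.
IAM = {
    "u1001": {"status": "active", "roles": {"developer"}, "key_user": False},
    "u1002": {"status": "revoked", "roles": {"developer"}, "key_user": False},
    "u1003": {"status": "active", "roles": {"finance"}, "key_user": True},
}
# Constructed device inventory: the "trusted endpoint" link of the trust chain.
DEVICES = {
    "d-1": {"managed": True, "compliant": True},
    "d-2": {"managed": True, "compliant": False},   # e.g. disk encryption off
    "d-3": {"managed": False, "compliant": False},  # unmanaged device
}
# SDP-style pre-authorisation: the services each role may be mapped to.
ROLE_SERVICES = {"developer": {"git", "ci"}, "finance": {"erp"}}
# Micro-segmentation: allowed east-west flows, source segment -> target services.
SEGMENT_FLOWS = {"dev-segment": {"git", "ci"}, "corp-segment": {"erp", "git"}}
RISK_DENY_THRESHOLD = 70  # constructed threshold for the continuous risk feed

# One access request; risk_score comes from monitoring/analytics and is re-evaluated per request.
Request = namedtuple("Request", "user_id device_id service source_segment risk_score")

@dataclass
class Decision:
    allow: bool = False
    reasons: list = field(default_factory=list)
    revoke_sessions: bool = False  # cut existing connections of key users on risk

def decide(req: Request) -> Decision:
    """Never trust, always verify: every check must pass or the request is denied."""
    d = Decision()
    ident = IAM.get(req.user_id) or {"status": "unknown", "roles": set(), "key_user": False}
    if ident["status"] != "active":
        d.reasons.append("identity not active in IAM")
    dev = DEVICES.get(req.device_id)
    if dev is None or not (dev["managed"] and dev["compliant"]):
        d.reasons.append("device not managed and compliant")
    allowed = set().union(*(ROLE_SERVICES.get(r, set()) for r in ident["roles"]))
    if req.service not in allowed:
        d.reasons.append("service not in role pre-authorisation")
    if req.service not in SEGMENT_FLOWS.get(req.source_segment, set()):
        d.reasons.append("flow blocked by segment policy")
    if req.risk_score >= RISK_DENY_THRESHOLD:
        d.reasons.append("risk score above threshold")
        d.revoke_sessions = ident["key_user"]  # key-user risk also tears down live sessions
    d.allow = not d.reasons
    return d
```

Each denial reason is recorded rather than short-circuiting, so the same decision can feed both enforcement and the audit/monitoring link of the chain.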