Zero Trust Is Not a "Silver Bullet"

In 2020, the outbreak and spread of COVID-19 forced companies to move to remote work; internet companies such as Facebook and Twitter even announced permanent remote work.

Since the pandemic began, remote work has become the norm and enterprise digital transformation has accelerated. At the same time, enterprises' network security needs have changed: zero trust networking has risen and become an industry trend. Last September, Gartner listed zero-trust-based security for remote workers as one of its top ten security projects for 2020.

Unlike before, remote employees are not only outside the corporate intranet but also working on their own devices. How to let employees access corporate networks and applications securely, and with as friendly an experience as possible, has become a pressing problem for enterprises. Continuing with traditional methods is clearly not viable.

The traditional network security architecture is perimeter-based. When building a security system, an enterprise first identifies the perimeter, divides the network into zones such as the external network, the intranet and the DMZ, and then deploys products such as firewalls, intrusion detection and WAFs at the perimeter.

This approach uses the "perimeter" to separate "trusted" from "untrusted". Inside the perimeter, people, devices, systems and the network environment are all trusted by default; outside it, nothing is trusted. The architecture assumes, or defaults to, the intranet being safer than the internet, implicitly trusting the people, devices and systems inside and neglecting internal security controls. Once an attacker breaches the perimeter defences and gets into the intranet, they can move about as if the territory were undefended, with consequences that are hard to contemplate.

Meanwhile, the "perimeter" is blurring in practice, and even disappearing. yyang wrote in 《零信任(下)》 ("Zero Trust, Part 2"): **the use of mobile and cloud challenges the logical network perimeter, while insider threats negate the validity of using the "perimeter" to distinguish trusted from "untrusted"**.

According to Tan Jie (譚傑), Chief Technical Consultant for North Asia at Fortinet, after the pandemic many enterprises moved business from offline to online, and demand for remote work, cloud security and endpoint security rose markedly. At the same time, the extended perimeter keeps growing: the user edge, 5G edge, endpoint edge, IoT edge and so on. Against this backdrop, zero trust has a bigger stage and can play a bigger role.

![Tan Jie, Chief Technical Consultant for North Asia at Fortinet](https://static001.geekbang.org/infoq/3c/3ccad6e47339601be8c4e3988173cba3.jpeg)

Tan Jie, Chief Technical Consultant for North Asia at Fortinet

## Zero trust is not a technology

The earliest form of zero trust traces back to the Jericho Forum, founded in 2004, whose mission was to define the network security problems of the de-perimeterisation trend and seek solutions; it proposed limiting implicit trust based on network location and not relying on static defences. In 2010, Forrester principal analyst John formally proposed zero trust and set out the idea of a zero trust architecture. The model refined the de-perimeterisation concept discussed at the Jericho Forum and put forward three core points:

- Devices are no longer divided into trusted and untrusted by a clear perimeter;
- There are no longer trusted or untrusted networks;
- There are no longer trusted or untrusted users.

In Tan Jie's view, zero trust has a narrow sense and a broad sense. The narrow sense is Zero Trust Network Access (ZTNA), which addresses the trust problem of people, users, things, devices and endpoints: "a single control point governs how they access IT resources and what permissions they are granted." The broad sense is the Zero Trust Architecture (ZTA) proposed by NIST. It is data-driven security: it collects many kinds of data from all sides, including network data, security data, endpoint data and identity data, uses that data to compute trust and make decisions, genuinely assesses the security posture of the whole network dynamically, and, once a decision is made, hands it to the various policy enforcement points deployed throughout the digital infrastructure (which may be a gateway, a piece of software or an API) to decide whether to allow the access and to what extent.

In short, **zero trust is a mindset or strategic framework focused on the interaction between user identities and IT resources and on access rights. It continuously and dynamically evaluates the security posture of network access and grants the accessor rights dynamically.**

Traditional access control is coarse-grained and static, while attackers' techniques and malicious behaviour keep changing, which leads to a series of security problems. "Zero trust hopes to change some of the security risks brought by traditional static security policies."

"If our security system cannot adapt dynamically to threats and the enterprise keeps using static rules, it will certainly fall behind and eventually run into all kinds of problems," Tan Jie said.

Today, most enterprises' remote access relies mainly on VPN, virtual private networks. Taking the author as an example: when working from home I access the company's CMS platform over VPN, but not only is it slow, it frequently fails to connect, and the overall experience is poor.

Tan Jie says zero trust is more secure than VPN: "the granularity of traditional VPN policy is fairly coarse; once access is opened, the network is almost undefended." Zero trust applies a security control to each application and each session, so it is more secure. We know that security problems often stem from human error because operations are too complex; zero trust frees administrators and users from complex operations, lowering the chance of mistakes and improving security from another angle. In terms of user experience, zero trust is also friendlier and easier to use.

## Zero trust is not a "silver bullet"

According to MarketsandMarkets, the global zero trust security market is projected to grow from USD 19.6 billion in 2020 to USD 51.6 billion in 2026, a compound annual growth rate (CAGR) of 17.4%. Gartner estimates that by 2022, 80% of new digital business applications opened to ecosystem partners will be accessed through zero trust network access (ZTNA).

Domestic hype around zero trust technology began spreading across industry verticals in 2015, but at the time it was immature and lacked reference cases. The "SP 800-207: Zero Trust Architecture" standard published in 2020 by NIST (the US National Institute of Standards and Technology) marks the maturity of the zero trust concept.

Tan Jie notes that the zero trust solutions on the market focus mostly on identity and access control: after verifying the user's identity and establishing that it is trustworthy, the user is assigned limited permissions. "But there are many kinds of malicious users: external hackers, compromised internal hosts, and genuine insiders. That is something zero trust cannot solve."

For example, last year Weimob (微盟) suffered a "delete the database and run" incident. A core operations engineer in the operations department of the company's R&D centre logged into servers via VPN and maliciously sabotaged the production environment; as a result, 3 million merchant shops went down and the company's market value lost over 1 billion yuan.

On the insider problem, Tan Jie's advice is "to continuously monitor and defend against accessor behaviour and threats, and combine that with zero trust's identity- and posture-based access control."

It is also worth noting that zero trust still requires a division between internal and external networks. "What zero trust really tells us is that you cannot grant full authorization based only on user ID and IP address, but that does not mean ID and IP are unimportant."

Security is always a pursuit of balance, because security, efficiency and cost cannot all be had at once. "An important part of security is classifying, grading and zoning assets. If we made no distinction between intranet and extranet, or between any scenarios, and deployed the strictest security level everywhere, that would be neither economical nor sensible. So before building security we still need to divide internal and external networks."

Of course, in zero trust the trust boundaries are drawn more finely. The classification, grading and zoning of enterprise assets cannot follow a single rule; it must be combined with the enterprise's business model. "At the same time, combining the requirements of the Cybersecurity Law, the Multi-Level Protection Scheme 2.0 (等保 2.0) and information security management systems (ISO 27001), and then looking at the business's requirements for security, performance and cost, we find a balance point."

Tan Jie said: "In the overall zero trust architecture, we divide it into two core components: the decision point and the control point. One approach is that control points should cover every node of the digital infrastructure as far as possible, whether the endpoint, the network path or the cloud; we should have corresponding policy enforcement points pre-positioned. Then, when we want to carve out a trust domain and enforce policy at a given place, we can quickly switch into the zero trust architecture."

## What challenges do enterprises face in implementing zero trust?

Many enterprises are on the road to building zero trust. According to Tan Jie, zero trust faces several challenges in production deployments:

- First, **legacy applications are hard to retrofit**. Many zero trust solutions require the customer to modify the application layer, but some legacy applications have little room for modification, or their software vendor no longer exists, so upgrading them is difficult;
- Second, **users' habits must change**. Once an enterprise adopts zero trust, some existing workflows change for users.
- Third, **cost**. When building zero trust, customers sometimes grow impatient, tear everything down and rebuild entirely according to the zero trust model, which is very costly and also hurts user experience.

For enterprises, zero trust is the ultimate goal of a security strategy and cannot be achieved overnight. "Zero trust is a continuous process, and security construction is likewise a continuous process, so customers should choose a hybrid structure to deploy zero trust step by step."

For legacy applications that are hard to retrofit, Tan Jie suggests "minimally invasive or non-intrusive solutions", such as interrupting user behaviour at the network layer. Simply put, by observing and analysing the accessor's identity and security posture in real time, and revoking the permissions granted once their risk reaches a preset threshold, the effect of zero trust can still be achieved.

Notably, large enterprises also face a performance challenge in implementing zero trust.

Tan Jie said: "In recent years we have talked about software-defined everything; the benefits go without saying, but it also tends to run into performance problems. Because the x86 platform has had no special optimisation, all the performance pressure falls on software. Is that the most efficient? Is it prone to bottlenecks? One of our principles is that software-defined everything does not mean rejecting hardware."

In his view, dedicated hardware is one solution to the performance problem. Fortinet has long developed dedicated hardware; the company's latest NP7 chip reportedly delivers tens to a hundred times the throughput of a pure x86 architecture at 20 W of power.

Another solution is to use cloud-native scale-out capability, for example virtual machine clouds and container clouds, scaling out elastically in software to meet enterprises' large-scale access needs.

"We have many public cloud customers who cannot use dedicated hardware and only have x86 virtual machines. We built the VSPU, a virtual security processing unit, which also delivers a large performance boost on standard x86 hardware. Combined with the scale-out elasticity of cloud-native platform resource pools, that handles the challenge of large-scale access," he said.

## The benefits zero trust brings to enterprises

Tan Jie believes implementing zero trust brings enterprises three major benefits:

- First, **stronger security**. Zero trust shifts the scope of network defence from the broad network perimeter to individual or small groups of resources, rebuilds the trust basis of access control on authentication and authorization, and ensures trusted identities, devices, applications and links, which naturally improves enterprise security.
- Second, **a shift in enterprise security thinking**. Previously, enterprises talking about security focused on attack-defence exercises; when teams were being formed, a crowd signed up for the red team and nobody for the blue team. "Fortinet's long-held principle is that you cannot bet security on a single point. Offence and defence are not unimportant, but if the overall zero trust system has not been built and you only stare at a few servers looking for vulnerabilities, that may be putting the cart before the horse." Implementing zero trust helps enterprises recognise that a sound, robust system may matter more to them than certain point technologies.
- Third, **greater staff security awareness**. Implementing zero trust amounts to reviewing the enterprise's whole workflow and security policies, and everyone's security awareness improves.

From prototype to concept to mature theory and practice, zero trust has developed over more than a decade; deployments are increasingly common and reference cases keep growing.

According to Tan Jie, Fortinet's zero trust architecture has been put into practice in the internet industry, advanced manufacturing and finance. Take advanced manufacturing: it is very cautious about access to the OT network, because it contains production equipment, so its zero trust requirements are higher. The architecture must strictly control every endpoint-to-endpoint path, from the control systems on the IT network to the production systems on the OT network; whether it is intranet access or a service provider coming in to troubleshoot or upgrade, the same zero trust framework must be applied to keep the OT environment secure.

**Interviewee:**

Tan Jie, currently Chief Technical Consultant for North Asia at Fortinet, has 20 years of experience in information security, has taken part in the security construction of many well-known enterprises and institutions, and has a deep understanding of mainstream network security technology, cutting-edge IT trends, and the research and construction of security defence systems.
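To make the decision-point / enforcement-point flow and the threshold-based revocation discussed in the interview concrete, here is a small added example written for this page; it is not code from the article, from Fortinet or from NIST SP 800-207. The signal names, the score weights, the per-application thresholds (`APP_SENSITIVITY`, `REVOKE_RISK`) and the sample sessions are constructed assumptions. The policy decision point combines identity, device and network signals into a trust score per request, and the enforcement hook re-evaluates a granted session on every posture or risk update.

```python
"""Toy zero-trust policy decision point (PDP) with continuous re-evaluation.

Added example, not code from the article, from Fortinet or from NIST SP 800-207.
The signal names, weights, per-application thresholds and sample sessions are
constructed assumptions used to illustrate the flow the interview describes.
"""
from dataclasses import dataclass, field
from typing import List

# Minimum trust score each application requires (constructed values).
APP_SENSITIVITY = {"wiki": 40, "cms": 60, "prod-db-admin": 85}

# Behaviour-risk level at which an already-granted session is revoked (constructed).
REVOKE_RISK = 70


@dataclass
class Context:
    """Signals the PDP collects about one access request or one posture update."""
    user: str
    mfa: bool                 # identity signal: strong authentication completed
    device_managed: bool      # endpoint signal: device enrolled in management
    disk_encrypted: bool      # endpoint signal: disk encryption enabled
    network: str              # network signal: "corp", "vpn" or "internet"
    behaviour_risk: int = 0   # 0-100 from continuous monitoring of the accessor


def trust_score(ctx: Context) -> int:
    """Combine identity, device and network signals into a 0-100 trust score.

    Network location contributes, but on its own it can never reach the score a
    sensitive application requires: ID and IP still matter, they are just not
    sufficient for full authorization.
    """
    score = 35 if ctx.mfa else 10
    score += 25 if ctx.device_managed else 0
    score += 15 if ctx.disk_encrypted else 0
    score += {"corp": 25, "vpn": 15, "internet": 0}.get(ctx.network, 0)
    return max(0, min(100, score))


def decide(ctx: Context, app: str) -> str:
    """Per-request decision: 'allow', 'step-up' (MFA would suffice) or 'deny'."""
    needed = APP_SENSITIVITY[app]
    score = trust_score(ctx)
    if score >= needed:
        return "allow"
    if not ctx.mfa and score + 25 >= needed:   # MFA is worth 35 instead of 10
        return "step-up"
    return "deny"


@dataclass
class Session:
    user: str
    app: str
    active: bool = True
    log: List[str] = field(default_factory=list)


def reevaluate(session: Session, ctx: Context) -> Session:
    """Enforcement-point hook: called on every posture or risk update.

    A granted session is revoked when the monitored behaviour risk reaches the
    preset threshold, or when a posture change drops the score below the
    application's requirement.
    """
    if not session.active:
        return session
    score = trust_score(ctx)
    if ctx.behaviour_risk >= REVOKE_RISK or decide(ctx, session.app) != "allow":
        session.active = False
        session.log.append(f"revoked: risk={ctx.behaviour_risk} score={score}")
    else:
        session.log.append(f"ok: risk={ctx.behaviour_risk} score={score}")
    return session


def run_session(user: str, app: str, updates: List[Context]) -> Session:
    """Grant on the first context, then re-check on each later update."""
    session = Session(user=user, app=app, active=decide(updates[0], app) == "allow")
    if not session.active:
        session.log.append("denied at grant")
        return session
    session.log.append("granted")
    for ctx in updates[1:]:
        reevaluate(session, ctx)
    return session


if __name__ == "__main__":
    # Constructed scenario: an operator on VPN with MFA and a managed, encrypted
    # device is granted production admin access; monitoring then raises their
    # behaviour risk step by step until the session is revoked.
    base = dict(user="ops", mfa=True, device_managed=True, disk_encrypted=True, network="vpn")
    updates = [Context(**base, behaviour_risk=r) for r in (0, 30, 55, 75)]
    s = run_session("ops", "prod-db-admin", updates)
    print(s.active, s.log)
    # An internal IP alone is not enough: unmanaged device, no MFA, on the corp network.
    print(decide(Context("alice", False, False, False, "corp"), "prod-db-admin"))
```

Two design points match the interview. The corp-network bonus is deliberately smaller than any sensitive application's threshold, so a request from inside the perimeter without MFA and without a managed device gets at most a step-up prompt, never silent full access. And revocation is driven by the monitored behaviour risk as well as by posture, which is the "non-intrusive" pattern for legacy applications: the application itself is untouched, the enforcement point simply withdraws the grant once the preset risk threshold is crossed.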