A decade ago, John Kindervag coined the terms "Zero Trust" and "Zero Trust Architecture".
Perhaps a brilliant idea is always hard to recognize universally at the moment it appears. In the first few years after it was proposed, zero trust triggered only small-scale discussion and experimentation in a few communities. Working from traditional IT infrastructure, most enterprises still believed in the "moat" model: outside the moat is the extranet, which is untrusted, and inside the moat is the intranet, which is trusted by default. The moat itself consists of countless perimeter security devices.
However, as the threat landscape changes, the traditional IT infrastructure is at stake, and a moat can no longer resist threats from all directions, let alone fission from within...
The concept of zero trust fully awakened in the "ruins"
By 2024, it is estimated that 30% of enterprise security service expenditure will go to the development, implementation and maintenance of zero trust frameworks.
At the 2020 ZTAT Summit, there already seemed to be a consensus that the traditional enterprise IT infrastructure is collapsing.
Indeed, in the golden age of firewalls, users, applications, data and Tier 0 assets were all enclosed within the physical wall, and perimeter defense was enough to secure corporate resources.
Nowadays, with the growth of the mobile internet and IoT devices, enterprises have introduced large numbers of devices, and office networks have taken a huge hit. Meanwhile, more and more enterprises move their entire sites or key business systems to the cloud, and the whole IT defense environment has changed as a result.
With the rise of massive, heterogeneous edge computing, the extensible hybrid IT environment has become mainstream, mobile and remote access are breaking the physical network security boundary, and the view that "the intranet is trusted" is being overturned by the collapse of the flat IT architecture. Enterprises therefore urgently need a new security architecture to protect dynamic, mobile data.
To quote Liu Chao, the founder of DataCloak, the goal is to "Tie a string to each kite (data) so that it can fly wherever it wants, and it can also be retrieved by pulling the string." Zero trust provides solutions for the new generation of data security.
Zero Trust means that there is no default trust and all operations need to be verified. It also means that there is no permanent trust and all authentication and authorization will be dynamically granted. In the transformation of enterprise IT architecture, a new generation of architecture based on the concept of zero trust is rebuilding the trust in an untrusted network environment, enabling enterprises to regain control of the "intranet" and data flow.
In this regard, the enterprise's demand for zero trust is fully awakened.
Strike towards zero trust: the maturity of technologies such as IAM
In every revolution, once demand awakens, the next step is to arm it, that is, with mature technologies.
In September 2019, the US National Institute of Standards and Technology (NIST) released "Zero Trust Architecture (ZTA) ". In October 2019, the US Defense Innovation Board (DIB) approved the white paper "The Road to Zero Trust (Security)" and urged the military to implement a zero trust architecture as soon as possible. In August 2020, China released the first "Zero Trust Practical White Paper" based on industrial defensive practices. Dr. Hao Chunliang of China Electronics Standardization Institute also revealed that the compilation of the zero trust cybersecurity standard practice guide is underway...
With the introduction of relevant regulations and the research conducted by enterprises and private organizations, technologies and solutions based on the zero trust concept continue to mature, and the market has shifted from wait-and-see to open adoption.
It is noteworthy that zero trust itself is a security concept, strategy and architectural design approach, rather than a specific security product. However, plenty of excellent products and solutions based on the zero trust concept, built on IAM, SDP and other technologies, have emerged on the market, such as Forrester's ZTX, Google's BeyondCorp, Gartner's CARTA and, in China, DataCloak's DAAG (Zero Trust Security Gateway).
Unlike traditional security strategies, enterprises do not need to replace existing networks on a large scale or introduce a large number of new technologies in order to move toward zero trust. Implementing zero trust is a gradual process, with a relatively large elastic space in both scale and realization.
Therefore, resource access control centered on authentication is often the first step most enterprises take toward zero trust.
The following is the relevant information about DataCloak's zero trust security gateway, DAAG, which helps enterprises achieve unified authentication and authorization management without modifying applications, so that they can safely publish business systems for Internet access and move to a zero trust architecture quickly and at low cost.
Following the zero trust principle of "Never Trust, Always Verify", enterprises connect to a unified Identity and Access Management (IAM) system. With identity as the core, untrusted access requests are subjected to multi-factor authentication and encryption by default, combined with adaptive access control and continuous trust evaluation, so that unified secure access control can be built at low cost. It also avoids the security risks caused by improper use of authorizations, such as unauthorized operations by employees, scattered authorizations, and difficulty accessing resources across sites or business lines.
In terms of access control, there are four key points:
- Minimize authorizations: Adhere to the principle of least privilege when granting authorizations, that is, clarify who can access which assets, at what time and from where, and seek a balance between security and business continuity.
- Fine-grained authorizations: When access data reaches a very large scale, fine-grained authorizations can be managed efficiently through standard authorization models such as RBAC and ABAC, which introduce the concepts of "roles" and "attributes". For example, if an enterprise has 100 front-line employees with identical authorizations, defining a single "front-line employee" role lets the authorizations of all 100 employees be adjusted at once.
- Adaptive access control: Dynamically grant different operators different authorizations, for example by adjusting access permissions as time, location and other related factors change.
- Continuous trust evaluation: The security situation changes all the time, so the principle of always verifying is applied consistently, and the trust level is continuously monitored and re-evaluated throughout the interaction.
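As an added illustration of the four points above (example code, not DataCloak's or the article's own), here is a small Python policy check with constructed sample data: permissions hang off roles (RBAC), a request context carries time, location and an endpoint trust score (ABAC / adaptive control), and a session is re-checked at every observation (continuous evaluation). All names, thresholds and the business-hours rule are assumptions.

```python
from dataclasses import dataclass

# Constructed sample data: roles carry permissions as (resource, action) pairs.
ROLE_PERMISSIONS = {
    "front-line employee": {("crm", "read"), ("wiki", "read")},
    "finance": {("ledger", "read"), ("ledger", "write")},
}
# 100 front-line employees share one role; alice is the only finance user.
USER_ROLES = {f"emp{i:03d}": {"front-line employee"} for i in range(100)}
USER_ROLES["alice"] = {"finance"}


@dataclass
class Context:
    hour: int            # local hour of the request, 0-23
    location: str        # e.g. "office", "home" (assumed labels)
    device_trust: float  # 0.0-1.0 score from endpoint risk assessment (assumed)


def grant_role_permission(role, resource, action):
    """RBAC: changing the role changes every user holding it, in one step."""
    ROLE_PERMISSIONS.setdefault(role, set()).add((resource, action))


def role_allows(user, resource, action):
    """RBAC: users never hold permissions directly, only through roles."""
    perms = set().union(*[ROLE_PERMISSIONS.get(r, set())
                          for r in USER_ROLES.get(user, set())])
    return (resource, action) in perms


def context_allows(ctx, action):
    """ABAC / adaptive: any access needs a minimally trusted device;
    writes are additionally limited to office hours from the office (assumed policy)."""
    if ctx.device_trust < 0.5:
        return False
    if action == "write" and not (9 <= ctx.hour < 18 and ctx.location == "office"):
        return False
    return True


def authorize(user, resource, action, ctx):
    """Least privilege: both the role grant and the current context must allow it."""
    return role_allows(user, resource, action) and context_allows(ctx, action)


def continuous_evaluation(user, resource, action, contexts):
    """Re-run the decision at every observation of an ongoing session.
    Returns the index of the first observation that fails, or None if all pass."""
    for i, ctx in enumerate(contexts):
        if not authorize(user, resource, action, ctx):
            return i
    return None
```

A real deployment would feed `Context` from the IAM system and the endpoint agent and cut the session at the first failing observation.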
It can be said that, by virtue of core technologies such as IAM, SDP and micro-segmentation, the concept of zero trust has been realized, and it is effectively solving the coarse-grained, ineffective access control caused by the blurred boundary. But is that already the happy ending of zero trust?
HyperCloak: The New Generation Infrastructure of Software-defined Zero Trust
Zero trust is a concept, and IAM, SDP and micro-segmentation are all regarded as its core technologies. So what else will be implemented in the future? In fact, such questioning has never been lacking along the road of zero trust development. With core components such as authentication and access management, endpoint device risk assessment, and machine learning-based authentication analysis, it does not sound like many exciting new technologies are involved. Even while Zero Trust Network Access (ZTNA), represented by Google BeyondCorp, is all the rage, there are still controversies over its protocol support and implementation.
Then how can zero trust win the trust of enterprises? Does access control equal zero trust? Interestingly, just a few days ago DataCloak officially released an enhanced zero trust security framework, HyperCloak®, which is also the first zero trust security framework in China. From HyperCloak® we can probably see the future of zero trust, which is the key reason for me to explore and share information about this framework.
First of all, the main challenges confronted by the current zero trust framework include:
- Access: Lack of security in data storage, computing and transmission
- Transmission: Limited support protocol
- Cost: High cost of transformation of application and resource coordination
Based on this situation, DataCloak proposed deepening the integration of the zero trust security framework with the infrastructure, moving from single-point implementation (access) to full coverage (infrastructure), which is quite a good conception. Since the infrastructure determines the complexity of the security problem, letting zero trust cover the underlying infrastructure also offers a leapfrog supplement to the previous IT infrastructure.
The zero trust security infrastructure is deployed between the physical infrastructure and the application layer in a software-defined manner. The whole zero trust framework builds a trusted sandbox environment on underlying trusted computing, thereby constructing a trusted security container and forming a trusted security workspace.
The sandbox container built on the endpoint device can be set to different security levels, and internal enterprise resources can be reached only through an application-level trusted tunnel. The trusted tunnel is also divided with fine-grained distinctions so that the traffic of different containers in the tunnel is invisible to each other, thereby achieving strong isolation and encryption of the access environment.
The emergence of the HyperCloak framework means that the security boundary is extended from the network level to countless terminal devices.
Once the user turns on the device, the security boundary will be virtually constructed on the device, forming an invisible shield.
When enterprises of Party A and Party B conduct cross-organization, cross-institution collaborative research and development, they often confront data management and control problems, namely granting Party B minimal access to Party A's data while preventing secondary distribution by Party B. By isolating the data of the multiple organizations and setting up a collaboration area, Party A sets a policy that guarantees minimal access authorization, so that the data flows only within a controllable range and a safe R&D environment can be formed quickly.
Through a new generation of infrastructure that includes secure containers, trusted tunnels, extensive protocol support and in-depth isolation, the trust level of "data available but not accessible" can be achieved easily. Thanks to its software-defined characteristics, applications need no transformation and the architecture upgrade costs almost nothing.
Most probably, the software-defined network security infrastructure will be the future of the concept of zero trust. During the development process of the network security industry, countless new terms and new ideas have emerged, and zero trust is just one of them. Just like what Tan Xiaosheng said, maybe after a few years, zero trust will be changed to another term and it may no longer be novel, but so what? What matters is what changes the concept of zero trust will bring to network security, and whether zero trust vendors can truly become ecological leaders.
From the awakening of demand to the maturity of technology to enterprise practice, the debate over whether zero trust is a "utopia" has ended. A zero trust revolution spanning 10 years has sounded the clarion call for victory.
Liu Chao, CEO of DataCloak, believes, "The future IT environment will definitely be virtualized, borderless (from a simple physical boundary to a more fine-grained boundary), intelligent, and global." Meanwhile, it is also acceptable for us to imagine that the new generation of IT infrastructure will break away from the constraints of time, region, and equipment, completely subvert the traditional architecture, and bring a truly adaptive and trusted space.
Epilogue
Zero trust, infrastructure, software-defined, security framework, practical application, IST 2.0 (Information security technology-Baseline for classified protection of cybersecurity), IDC, Tan Xiaosheng... what do these keywords add up to? The answer is the 2020 ZTAT Summit.
As a newcomer among security summits, with its distinctive theme, content and guest line-up, it greatly impressed the author with its surprises and sincerity. Even the idea for this article came from the sharing at the summit.
The concept of zero trust was put forward more than a decade ago, and many zero trust vendors and products have emerged in China in recent years. What sets DataCloak, and its HyperCloak security framework, apart is that it differs from the first-generation zero trust products on the market based on IAM and similar technologies: it proposed and implemented a zero trust security infrastructure, systematically considering the realization of zero trust from the underlying layer and the architecture, and providing new solutions for data security.
How HyperCloak will develop in China is worth looking forward to, and at the next ZTAT Summit there may be an amazing answer...