What is Zero Trust? Explanation of the meaning, security benefits, and implementation methods

  1. What is Zero Trust?
    1. Background of the need for Zero Trust
    2. Basic principles of Zero Trust
  2. Advantages of Zero Trust
    1. Improved security
    2. Reduced security implementation and operation costs
    3. Promotion of DX
  3. How to achieve Zero Trust
    1. ① For legacy intranets and data centers
    2. ② For branch offices
    3. ③ For remote users and telecommuters
    4. ④ For the cloud
  4. What is SASE? How is it related to Zero Trust?
  5. If you are aiming for Zero Trust

What is Zero Trust?

 Zero Trust literally means "zero trust": a security philosophy of "Trust nobody and nothing; verify every access."

It was advocated by the American research firm Forrester Research in 2010.

 Digital transformation (DX) and the promotion of telework brought on by the coronavirus crisis are spurring the spread of Zero Trust.

Background of the Need for Zero Trust

 The concept of security has changed fundamentally over the past few years. Until now, the security model generally adopted by companies and organizations was the "perimeter defense model".

 The perimeter defense model divides the network into a trusted part (e.g. the internal network) and an untrusted part (e.g. the Internet), draws a "boundary" between the two, and concentrates strong security measures on that boundary in order to protect the inside.

 These days, however, the boundary between "inside" and "outside" has become blurred.

 One reason is the growth of server-to-server communication over the Internet that comes with the use of cloud services. Telework has also meant that employees' computers now connect via the Internet.

 Physically, the information assets to be protected used to be confined to office buildings; now they are scattered across the Internet.

 In such a situation the perimeter defense model no longer works, and the concept that emerged in its place was Zero Trust.

Basic Principles of Zero Trust

Explained simply, Zero Trust is "a security concept that trusts nothing", which on its own sounds like little more than a buzzword.

 The US National Institute of Standards and Technology (NIST) published "Special Publication (SP) 800-207 Zero Trust Architecture" in August 2020, setting out concrete policies and principles for Zero Trust. Among them are the following 7 principles (tenets) of Zero Trust.

  1. All data sources and computing services are considered resources
  2. All communication is secured regardless of network location
  3. Access to individual enterprise resources is granted on a per-session basis
  4. Access to resources is determined by dynamic policy, including the observable state of client identity, application, and the requested asset, and may include other behavioral and environmental attributes
  5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets
  6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed
  7. The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications, and uses it to improve its security posture

 The Japanese translation officially licensed by NIST is published by PwC. NIST SP800-207 “Zero Trust Architecture” Explanation and Japanese Translation│PwC

 NIST's 7 principles of Zero Trust are theoretical and may give the impression of being abstract.

 However, they are the origin of the Zero Trust concept, so they are a good reference whenever you find yourself wondering what the Zero Trust your company is trying to achieve actually is.
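To make principles 2, 3, 4 and 6 above concrete, the following is an added example written for this article, not code from NIST or from any of the products named on this page. It is a toy policy decision point: every request is evaluated against dynamic policy (role, device posture, MFA freshness), network location is recorded but never trusted, anything not explicitly allowed is denied, and a successful decision produces only a short-lived grant bound to one subject, resource and action. All users, roles, resources and attribute values are constructed for illustration.

```python
"""Toy policy decision point illustrating NIST SP 800-207 tenets 2, 3, 4 and 6.

Added example, not from the article and not NIST reference code. Every user,
role, device and resource below is constructed for illustration.
"""
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:
    subject: str                 # authenticated client identity
    resource: str                # asset being requested (tenet 1: everything is a resource)
    action: str                  # e.g. "read", "write"
    device_compliant: bool       # result of an endpoint posture check
    mfa_age_minutes: int         # minutes since the last MFA step-up
    on_corporate_network: bool   # recorded, but deliberately not trusted (tenet 2)


@dataclass(frozen=True)
class SessionGrant:
    """A grant is scoped to one subject/resource/action and expires (tenet 3)."""
    token: str
    subject: str
    resource: str
    action: str
    expires_at: float            # Unix timestamp, seconds


# Constructed dynamic policy: per-resource conditions on role, action and
# MFA freshness (tenet 4). Device compliance is required everywhere.
POLICY = {
    "hr-database": {"roles": {"hr"}, "actions": {"read", "write"},
                    "max_mfa_age_minutes": 15},
    "wiki": {"roles": {"hr", "engineering", "sales"}, "actions": {"read"},
             "max_mfa_age_minutes": 12 * 60},
}
ROLES = {"alice": {"hr"}, "bob": {"engineering"}}


def decide(req: AccessRequest) -> Tuple[bool, str]:
    """Evaluate one request. Anything not explicitly allowed is denied (tenet 6)."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "unknown resource"
    if not (ROLES.get(req.subject, set()) & rule["roles"]):
        return False, "role not permitted on this resource"
    if req.action not in rule["actions"]:
        return False, "action not permitted"
    if not req.device_compliant:
        return False, "device posture non-compliant"
    if req.mfa_age_minutes > rule["max_mfa_age_minutes"]:
        return False, "MFA step-up required"
    # Note what is absent: no branch grants access because on_corporate_network is True.
    return True, "ok"


def grant_session(req: AccessRequest, now: float, ttl_seconds: int = 600) -> Optional[SessionGrant]:
    """Issue a short-lived grant only when policy allows; None means denied."""
    ok, _reason = decide(req)
    if not ok:
        return None
    return SessionGrant(token=secrets.token_hex(16), subject=req.subject,
                        resource=req.resource, action=req.action,
                        expires_at=now + ttl_seconds)


def grant_authorizes(grant: SessionGrant, req: AccessRequest, now: float) -> bool:
    """Each use re-checks binding and expiry; a grant for one resource never covers another."""
    return (grant.subject == req.subject and grant.resource == req.resource
            and grant.action == req.action and now < grant.expires_at)


if __name__ == "__main__":
    req = AccessRequest("alice", "hr-database", "read", True, 5, False)
    print(decide(req))                     # (True, 'ok')
    print(grant_session(req, now=1000.0))  # a SessionGrant expiring at 1600.0
```

The point to notice is what the decision does not do: being on the corporate network (`on_corporate_network`) never shortens the checks, and a grant for `hr-database` is useless for `wiki` even though the same user could obtain one separately. In a real deployment the posture and MFA attributes would come from the endpoint management and identity services described later in this article.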

Advantages of Zero Trust

 Zero Trust means "trust nothing", in other words "doubt everything". Many people therefore wonder, "Is Zero Trust really worth it?"

 However, with the widespread use of the cloud, BYOD and remote work, it has many advantages over the conventional perimeter defense model.

Improved Security

Since "trust nothing" is the general rule, it is easy to imagine that security will improve.

 Even if an attacker succeeds in breaking in, the information that can be reached is extremely limited under the Zero Trust model, so the risk of information leakage can be kept to a minimum.

Reduction of security introduction and operation costs

 It is often assumed that being told to "trust nothing" and "doubt everything" means building a complex authentication system and taking on complicated management and operation tasks, which will drive up costs.

 However, many products and solutions that incorporate the Zero Trust concept are provided on the cloud, including the SASE described below. By taking advantage of the cloud, initial installation and operation costs can be kept low.

 In addition, these products and solutions make full use of technologies such as SSO, biometric authentication and AI so that users' legitimate access is not hindered. Promoting Zero Trust therefore also naturally keeps the burden on users to a minimum.

Promotion of DX

Have you ever heard something like this? "Our server can only be accessed from the inside, so we can't introduce the cloud or link it with cloud services."

 Because the perimeter defense model separates inside from outside, it makes the introduction of the cloud, BYOD, remote work and the like difficult, and so it tends to become a factor that holds back DX.

Switching to Zero Trust lets you accelerate DX all at once.

How to achieve Zero Trust

 Zero Trust is a way of thinking and a policy, not a product, a solution, or a product feature.


So what steps should be taken, and which products and solutions should be used, to achieve Zero Trust?

 Here, using a typical corporate network as an example, we introduce how to achieve Zero Trust in each of four parts of the network.

① For legacy intranets and data centers

 The network configuration commonly seen several decades ago was to build an intranet at the head office and, for larger organizations, to set up an internal or external data center as well.

 Legacy networks like this are gradually shrinking as the cloud and remote work spread, but they still exist.

 For large companies it would be impossible to apply the Zero Trust model right away, so they will need to promote DX while continuing to operate the perimeter-defense security they have built up so far, and shift to the Zero Trust model gradually.

 Many small and medium-sized enterprises have likewise introduced perimeter defense products such as firewalls and VPNs made by Yamaha. However, with fewer legacy IT assets, they may be more flexible and find it easier to switch to Zero Trust than large enterprises.

 The products of the perimeter defense model mainly include the following.

 These products date from the era of the perimeter defense model, but that does not mean they cannot be used with Zero Trust.

 One way to achieve Zero Trust is a technology called SDP (Software-Defined Perimeter), which configures the internal/external boundary (perimeter) of the network in a fine-grained, virtual and dynamic way under software control.

 By combining them with SDP products, firewalls and similar devices can also be used in a Zero Trust model.

Product: SDP
Features: Fine-grained, virtual and dynamic configuration of the network's internal and external perimeter, controlled by software
Product example: Cyxtera AppGate SDP

② For branch offices

As DX progresses, branch offices have both legacy access to the head office intranet and data center and access to cloud services such as Microsoft 365 and Zoom.

 Under the perimeter defense model, all branch office network traffic is first aggregated into the head office intranet, and defense is performed with firewalls and the like at the head office's Internet exit.

 With today's heavy use of cloud services, however, such a configuration puts pressure on the bandwidth of the head office intranet, and from the branch office user's point of view network performance is poor.

For this reason, a technology called "SD-WAN" (*) is now widely used.

(*) Technology and products that use software-defined techniques to control connections between sites per application and manage them with policies (product example: Aruba EdgeConnect).

With SD-WAN, branch office traffic can be split dynamically, as needed, between traffic bound for the head office intranet and traffic going directly to the Internet.

Because terminals may then access the Internet directly, branch offices using SD-WAN need to implement Zero Trust in the same way as remote users and telecommuters (described below).

③ For remote users and telecommuters

 Remote users and telecommuters are the area where the Zero Trust concept is most widespread, and many products and solutions have been developed for it.

 The following are typical examples.

Product: Endpoint security
Features: Originally called MDM (Mobile Device Management), this category started as a BYOD security measure for smartphones such as the iPhone and has since developed into a form with additional functions such as monitoring.
Product example: Microsoft Endpoint Manager (Intune)

Product: Zero Trust Network Access (ZTNA)
Features: ZTNA is a key product for enabling Zero Trust, combining integrated authentication and access control. It is basically a cloud-based service that extends IDaaS and SSO.
Product example: Netskope Private Access

Product: CASB/SWG
Features: CASB stands for Cloud Access Security Broker and SWG for Secure Web Gateway; both are categories proposed by Gartner to secure the terminal when it accesses the Internet. A CASB sits between the terminal and SaaS such as Microsoft 365, while an SWG sits between the terminal and general websites and performs URL filtering and access control.
Product example: McAfee MVISION Cloud

Product: Cloud-based virtual desktop
Features: A somewhat legacy concept in which the terminal is used as a thin client that connects to a virtual desktop (VDI) hosted on the cloud.
Product example: AWS WorkSpaces

 These products and solutions may be a little hard to grasp, but roughly speaking: endpoint security products are successors of the legacy products known as "antivirus products", ZTNA products are similar to VPN products, CASB/SWG products are similar to firewall products, and cloud-based virtual desktops are similar to personal computers.

 When choosing a product or solution, it is important to evaluate it in practice before introducing it.

 Most Zero Trust-related products are cloud-based, so they are easy to evaluate.

Be sure to check compatibility with the products and solutions you have already introduced, as well as ease of operation.

④ For the cloud

 Most cloud services are designed on the premise of Zero Trust, so there is basically no need to introduce a separate product or solution.

 For example, suppose you are using both EC2, the AWS cloud server service, and S3, the AWS cloud storage service.

Even within the same account, by default this EC2 instance cannot access S3 at all.

 To grant access rights, you must configure them with a service called IAM (*). Requiring explicit authorization for every access, even within the same account and the same environment, is a true manifestation of the Zero Trust philosophy.

(*) Abbreviation for Identity and Access Management. Refers to a service or tool that can define permissions finely in terms of three elements: identity, resource, and action (product examples: AWS IAM, Azure RBAC).
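The following added example, written for this article and not taken from AWS or from the article itself, shows the "deny unless explicitly authorized" behaviour just described. It is a simplified evaluator for an IAM-style identity policy: with no policy attached, every request is implicitly denied (the EC2-without-permissions situation above); an Allow statement opens only the actions and resources it names; and an explicit Deny always wins. The bucket names, object keys and the policy document are constructed; the evaluation order modelled (explicit Deny, then explicit Allow, otherwise implicit Deny) is AWS's documented logic for identity-based policies, but conditions, NotAction/NotResource, resource policies, permission boundaries and SCPs are deliberately left out.

```python
"""Simplified evaluator for AWS IAM-style identity policies.

Added example, not from the article and not the AWS implementation. It models
the documented order (explicit Deny > explicit Allow > implicit Deny) for
identity-based policies only. Bucket names, keys and the policy are constructed.
"""
import fnmatch
import json
from typing import List


def _as_list(value):
    """IAM allows a string or a list of strings in Action/Resource."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str, case_insensitive: bool = False) -> bool:
    """Wildcard match using * and ? (IAM action names are case-insensitive)."""
    for pattern in _as_list(patterns):
        p, v = (pattern.lower(), value.lower()) if case_insensitive else (pattern, value)
        if fnmatch.fnmatchcase(v, p):
            return True
    return False


def evaluate(policy_documents: List[dict], action: str, resource: str) -> str:
    """Return "Allow" or "Deny" for one (action, resource) pair.

    No matching statement at all gives an implicit Deny: exactly the default
    the article describes for an EC2 instance with no IAM permissions on S3.
    """
    allowed = False
    for doc in policy_documents:
        for stmt in _as_list(doc.get("Statement", [])):
            if not _matches(stmt.get("Action", []), action, case_insensitive=True):
                continue
            if not _matches(stmt.get("Resource", []), resource):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"          # an explicit Deny overrides any Allow
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "Allow" if allowed else "Deny"


# Constructed policy, as it might be attached to the EC2 instance's role:
# read-only access to one bucket, with its secrets/ prefix carved out.
EC2_ROLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-app-bucket",
                   "arn:aws:s3:::example-app-bucket/*"]
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-app-bucket/secrets/*"
    }
  ]
}
""")


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-app-bucket/report.csv"
    print(evaluate([], "s3:GetObject", obj))                 # Deny (nothing attached)
    print(evaluate([EC2_ROLE_POLICY], "s3:GetObject", obj))  # Allow
    print(evaluate([EC2_ROLE_POLICY], "s3:PutObject", obj))  # Deny (not granted)
    print(evaluate([EC2_ROLE_POLICY], "s3:GetObject",
                   "arn:aws:s3:::example-app-bucket/secrets/key.pem"))  # Deny (explicit)
```

Reading the results the way the article frames them: the EC2 instance gets nothing until an administrator writes down, per identity, resource and action, exactly what it may do, and even then a narrower Deny can carve out the most sensitive objects. When reviewing real policies, the statements to scrutinize are the ones with `"Action": "*"` or `"Resource": "*"`, because they undo precisely this fine-grained authorization.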

What is SASE? How is it related to Zero Trust?

A concept that is often compared with Zero Trust is SASE (Secure Access Service Edge).

SASE is a cloud-based concept, proposed by Gartner in August 2019, for providing both network (WAN) functions and network security functions.

 Zero Trust is only a "way of thinking" or "concept", whereas SASE is a solution (a combination of one or more products) or a framework (a definition of the functions that products and solutions should provide).

 SASE covers both "network (WAN) functions" and "network security functions", whereas Zero Trust concerns network security only.

 SASE focuses on the WAN part, while Zero Trust is not particularly concerned with the WAN/LAN distinction and therefore also covers Zero Trust on the LAN, such as corporate intranets.

 In this way, SASE and Zero Trust are related to each other, but they are entirely different concepts.

If you are aiming for Zero Trust

 The market around Zero Trust is still developing, so there are many products on offer and the situation remains unstandardized.

 In addition, since Zero Trust is realized by combining various network and security products, the management burden may increase.

 One option is to reduce the installation and management burden by introducing a solution that covers part of Zero Trust, such as SASE.

 It is also important to consult an expert and ask for a proposal based on the company's scale and its current network and security operations.