We hope you have learned a lot about both networking and network security from Rocket Yard's networking and security series. So far, this series includes:
Today we are talking about an IT security model that changes the way companies approach securing their networks: Zero Trust Security. To explain how it works and how it differs from the traditional network security model, we first need to look at how today's model works.
The Castle-and-Moat Security Concept
For most businesses, network security is currently based on what is called the "castle-and-moat" concept. In the physical analogy, think of a castle surrounded by a deep moat, preferably filled with alligators. There is only one way in and out of the castle, over a heavily guarded drawbridge, and anyone trying to enter must pass a rigorous check by cautious guards who look for weapons, verify the person's identity, and so on.
Once that person is admitted, they have free access to the castle and everything in it. In fact, everyone inside the castle is trusted by default. There is an obvious problem with this: if the person who gained access is actually an attacker, they have free rein to destroy everything inside the castle.
Applied to network security, think of the castle as a company's internal network, and the drawbridge and guards as a traditional firewall and password challenge/response system. If an attacker gets onto the network, for example by brute-forcing a password, the network trusts them, and they can begin to take down internal systems one by one.
This weakness is made worse by the fact that companies no longer keep their data or systems in one place: they are distributed across multiple locations and providers, which makes the single chokepoint of the castle-and-moat model much harder to enforce.
The traditional concept can also be summed up as "trust, but verify". In other words, you assume that the vast majority of people trying to access your network are not attackers, but you still verify that they present the correct credentials before letting them in.
The Zero Trust Security Model
Zero Trust Security means that no one is trusted by default, whether inside or outside the corporate network, so verification is required from anyone who wants access to resources on the network. During a conference I attended a few weeks ago, a speaker used a line from the great 1990s sci-fi classic "The X-Files" to describe Zero Trust Security: "Trust No One".
Implementing zero trust requires strict identity verification for every person and entity attempting to access resources on a private network, whether the request originates inside or outside the corporate network. There is no single technology that is "zero trust"; instead, it is a holistic approach to network security that combines several principles and technologies.
The term "zero trust" was popularized in 2010 when a Forrester Research Inc. analyst presented the model. A few years later, Google announced that it had implemented a zero trust architecture for its own corporate network (the BeyondCorp project), which led to increased interest in the approach across the technical community.
Principles and Technologies Behind the Zero Trust Security Model
The image at the top of this article shows the basic principles of the zero trust model. The network verifies who the user is, confirms that the device being used is actually authorized to connect, and then limits the user to the resources he or she is allowed to reach. The zero trust model is paranoid by design: you assume attackers are everywhere, inside and outside the network, so no device or user is automatically trusted. Let's look at some of these principles.
One principle of the zero trust model is least privilege access. This means users get only as much access to network resources as they need. Each user's exposure to sensitive parts of the network is minimized by giving them no access to systems they do not need and just enough access to do their job. In another analogy, think of a naval admiral who gives officers and sailors information strictly on a need-to-know basis.
Micro-segmentation is also used by zero trust networks. This is the practice of breaking the security perimeter up into small zones and maintaining separate access controls for each part of the network. As an example, a set of files stored in a single data center may, with micro-segmentation, be spread across a dozen separate secure zones. A person or program with access to one of these zones has no access to any of the others without first obtaining separate authorization.
Another key part of zero trust security is one that many Rocket Yard readers will be familiar with: Multifactor Authentication (MFA). MFA means that more than a single password is required to authenticate a user and grant access to a network; two or more types of evidence are required.
MFA is most commonly seen in the two-factor authentication (2FA) systems available on many popular online platforms, including iCloud, Facebook, Amazon and Google. A user requesting access first enters a password, but must also enter a code sent to another device, such as a smartphone. By doing so, the user has provided two proofs that they are who they claim to be.
Finally, it is not only user access that is controlled: zero trust also requires strict control of device access. A well-designed zero trust system monitors which devices are attempting to access the network and ensures that every one of them is authorized. This can be done in several ways, for example by installing a digital key (a per-device certificate) on each device, or by matching the media access control (MAC) address of each approved device when it attempts to connect. One caveat: a MAC address is trivially spoofed, so it identifies a device only against casual misuse; a per-device certificate whose private key never leaves the device is a far stronger proof of which machine is connecting.
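To make the principles above concrete, here is an added example (written for this article, not code from Rocket Yard or any product it mentions) that evaluates one access request two ways: with a castle-and-moat policy, which trusts anything that is already on the internal network or holds a valid password, and with a zero trust policy, which insists on identity, MFA, an authorized device and least-privilege access to a micro-segmented zone. The users, devices, zones, certificate bytes and IP ranges are all constructed sample data, and the "certificate" is represented by its SHA-256 fingerprint rather than a real X.509 check.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    password_ok: bool    # first factor already checked by the identity provider
    mfa_ok: bool         # second factor (e.g. a one-time code) verified
    device_id: str
    device_cert: bytes   # certificate the device presented on connect
    source_ip: str
    resource: str


# --- Constructed sample inventory (hypothetical data for this example) -------
ROLES = {"alice": {"finance"}, "bob": {"engineering"}}


def fingerprint(cert: bytes) -> str:
    """Pin a device by the SHA-256 fingerprint of the certificate it presents."""
    return hashlib.sha256(cert).hexdigest()


# Authorized devices each carry their own certificate; we pin the fingerprint,
# not a MAC address, because a MAC is trivially spoofed.
APPROVED_DEVICES = {
    "laptop-01": fingerprint(b"constructed cert: laptop-01"),
    "laptop-02": fingerprint(b"constructed cert: laptop-02"),
}

# Micro-segmentation: every resource lives in exactly one zone, and each zone
# lists the roles allowed in. Least privilege: a role sees only its own zones.
ZONE_OF = {"payroll-db": "finance", "build-server": "engineering", "wiki": "shared"}
ZONE_ROLES = {
    "finance": {"finance"},
    "engineering": {"engineering"},
    "shared": {"finance", "engineering"},
}

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed "inside the castle" range


def castle_and_moat_decide(req: AccessRequest) -> tuple[bool, str]:
    """Traditional model: once past the moat (already on the internal network,
    or holding a valid password) the requester can reach anything."""
    if ipaddress.ip_address(req.source_ip) in INTERNAL_NET:
        return True, "inside the castle: implicitly trusted"
    if req.password_ok:
        return True, "crossed the drawbridge: password accepted"
    return False, "stopped at the gate"


def device_authorized(req: AccessRequest) -> bool:
    pinned = APPROVED_DEVICES.get(req.device_id)
    # constant-time comparison so a wrong fingerprint cannot be probed byte by byte
    return pinned is not None and hmac.compare_digest(pinned, fingerprint(req.device_cert))


def zero_trust_decide(req: AccessRequest) -> tuple[bool, str]:
    """Zero trust: network location is irrelevant; every request must pass the
    identity, MFA, device and least-privilege checks, in that order."""
    if not req.password_ok:
        return False, "identity not verified"
    if not req.mfa_ok:
        return False, "MFA required"
    if not device_authorized(req):
        return False, "device not authorized"
    zone = ZONE_OF.get(req.resource)
    if zone is None:
        return False, "unknown resource"
    if not (ROLES.get(req.user, set()) & ZONE_ROLES[zone]):
        return False, f"{req.user} has no role granting zone {zone!r}"
    return True, f"allowed into zone {zone!r}"


if __name__ == "__main__":
    # An intruder who brute-forced bob's password, connecting from inside the
    # network on an unmanaged machine, and going straight for the payroll database.
    intruder = AccessRequest("bob", True, False, "unknown-pc", b"junk", "10.0.5.7", "payroll-db")
    print("castle-and-moat:", castle_and_moat_decide(intruder))
    print("zero trust:     ", zero_trust_decide(intruder))
```

Run it and the castle-and-moat policy admits the intruder because the request came from an internal address; the zero trust policy stops at the first failed check (no second factor). Even with a stolen code, the intruder would next fail the device check, and even with bob's own laptop he could not reach the finance zone, because bob's engineering role does not include it. The order of checks is deliberate: the cheap identity and MFA tests run before the device lookup, and the resource-to-zone mapping is consulted last, so an unknown resource is never silently treated as "shared".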
Next week we discuss Virtual Private Networks (VPNs), which are the current "castle-and-moat" method of providing encrypted access to a network. VPNs do not take user access policies into account, verifying a user's identity through them is difficult, and they can slow down access by routing all traffic through a central gateway. Zero trust networks enforce access rules at the network edge, close to the user and the resource, rather than backhauling everything through one chokepoint, so latency is less of a problem and users find access is fast. Despite the problems with VPNs, it may be many years before every company adopts zero trust, so a VPN remains a simple and cost-effective interim solution.