Is the user authorized to access this service?. What was the business transactions made prior to this?. What was the previous resource accessed by this client?. Has the user accessed this service at this timing before in the past with this client?. Is the device healthy? Has it been patched? Did it posture change since the last time we learnt about it?. What device is he using? Corporate or personal?. Where the client is accessing from? Within the enterprise network, outside within the country or somewhere out in the world?. API), a lot of factors can be considered before granting access, for example: So in the context of a client accessing a service/resource provider (e.g. Zero Trust Architecture in a NutshellĪt the very essence of ZTA, it is about knowing who is attempting to access what (resource) and whether this (access) is permitted. Well, they pretty much mean the same thing but with different approaches. #BEYONDCORP ARCHITECTURE SOFTWARE#
While researching on this topic, you might come across similar sounding terms from various product vendors like software defined perimeter (SDP), identity perimeter, etc. All these makes ZTA implementation a whole lot more easier than in the past. Why ZTA got popular in recent years could also be attributed to advancement in technologies like microsegmentation, step-up multi-factor authentication, machine learning (ML), user and entity behavior analytics (UEBA), unified logging, virtual network functions (VNF), etc.
Inspect and log all traffic – from any source to any destination. Adopt a least-privileged strategy and strictly enforce access control. All resources are accessed in a secure manner regardless of location (i.e. Zero Trust is based on three (3) core principles: An adage commonly used to describe zero-trust is “ never trust, always verify” which is an evolution from the old “ trust but verify” approach to security. Even then, only the least amount of necessary access is granted. What zero trust model does is that access to resources is withheld until a user, device or even an individual packet has been thoroughly inspected and authenticated. So ZTA is not exactly a new idea but implementating it correctly is. The idea of Zero-Trust was mooted by John Kindervag in a Forrester report back in 2010 and Google shared their successful implementation (i.e. So does this strategy still apply to cloud deployments? Yes but Zero-Trust Architecture (ZTA) would also be appropriate. 
To address lateral movements, periodic log reviews are conducted.
Therefore, enterprises invest heavily in perimeter defence products like firewalls, data loss prevention, VPN, traffic inspection, etc. The downpoint of this strategy is that if you let a malicious actor in or if he/she is already inside the castle, they can freely access the resources within and take their time to pick the various locks protecting treasure chests or rooms while avoiding detection (a.k.a lateral movement). In digital sense, the castle refers to your home network while the external whole wide world is kept seperated by your home router (and it’s firewall) acting like a moat and drawbridge.
0 kommentar(er)
