美国国防部零信任参考架构（英文版）-104正式版

DepartmentofDefense(DoD)ZeroTrustReferenceArchitectureVersion2.0July2022PreparedbytheDefenseInformationSystemsAgency(DISA)andNationalSecurityAgency(NSA)ZeroTrustEngineeringTeamJuly2022DISTRIBUTIONSTATEMENTA.Approvedforpublicrelease.Distributionisunlimited.DocumentPreparedByDateName:RobertFreterJune2022DISAZeroTrustProgramLead(ID2)iiJuly2022TableofContents1PURPOSEANDSTRATEGICGOALS91.1Introduction91.2Purpose91.3Scope101.3.1Stakeholders101.3.2OrganizationoftheReferenceArchitecture101.3.3Timeframe121.4VisionandGoals(CV-1)131.4.1VisionandHigh-LevelGoals(CV-1)141.4.2ZeroTrustStrategy151.5Cybersecurity(Transition)ProblemStatement(OV-1)161.6OverallTargetEnvironment(OV-1)181.7Assumptions191.8Constraints202PILLARSANDPRINCIPLES202.1Overview202.2ConceptandTenetsofZeroTrust202.3Pillars212.4ReferenceArchitecturePrinciples(OV-6a)233CAPABILITIES253.1CapabilitiesTaxonomy(CV-2)253.2FFP:Pillars,Resources&CapabilityMapping314USECASES354.1DataCentricSecurityProtections(OV-1)354.2Data-CentricSecurityProtections(OV-2)374.3DataEncryptionProtections(OV-2)394.4CoordinatingPolicyforData-CentricSecurityProtections(OV-2)41iiiJuly20224.5DataAnalytics&AI(OV-1)424.6DataAnalytics&AI(SV-1)444.7CentralizedOrchestration&PolicyManagement(OV-1)454.8CentralizedOrchestration&PolicyManagement(OV-2)464.9Dynamic,AdaptivePolicyFeedbackLoop(OV-1)474.10VPN-LessImplementation(OV-1)484.11East-WestSegmentation(OV-1)494.12GlobalUniformDeviceHygiene(OV-1)504.13GlobalUniformDeviceHygiene(OV-2)524.14Dynamic,ContinuousAuthentication(OV-1)544.15Dynamic,ContinuousAuthentication(OV-2)564.16ConditionalAuthorization(OV-1)604.17ConditionalAuthorization(OV-2)625TECHNICALPOSITIONS635.1EmergingTechnologies635.2Standards,AssociatedArchitecturesandGuides645.3LinkagestoOtherArchitectures655.3.1DoDCybersecurityReferenceArchitecture(CSRA)Integration655.3.2DoDICAMReferenceDesign(RD)665.3.3NISTSpecialPublication800-207ZeroTrustArchitecture676SECURITYASSESSMENT686.1Governance686.2DataGovernance(OV-2)686.3SecuringSupplyChain(OV-2)707ARCHITECTUREPATTERNS717.1ArchitecturePatterns(CV-4)717.1.1DomainPolicyEnforcementforResourceAccess(SV-1)727.1.2SoftwareDefinedPerimeter(OV-2)73ivJuly20227.1.3ZTBrokerIntegration(SV-1)747.1.4MicroSegmentation(SV-1)747.1.5MacroSegmentation(SV-1)787.2ExternalServices787.2.1SvcV-1:ExternalServices(SvcV-1)797.2.2SvcV-2:EnterpriseFederatedIdentityService(SvcV-2)808TRANSITIONARCHITECTUREPLANNING(FFP)818.1MaturityModel(FFP)818.2Baseline(OV-1)828.3Transition(OV-1)839APPENDIX(AV-2)849.1Systems859.2Services909.3GeneralTerms929.4DIV-1939.5StdV-1-2References969.6CapabilityTable9710REFERENCES104vJuly2022LISTOFTABLESTable1ReferenceArchitecturePrinciples(OV-6A) 24Table2DesignPatternTable(CV-4) 71viJuly2022LISTOFFIGURESFigure1LegendforPerformers 12Figure2ZeroTrustVision(CV-1) 13Figure3CybersecurityProblemStatement(OV-1) 16Figure4TargetEnvironment(OV-1) 18Figure5ZeroTrustPillars 22Figure6CapabilitytoPillarsMapping(FFP) 26Figure7ZeroTrustAuthenticationandAuthorizationCapabilityTaxonomy(CV-2) 27Figure8ZeroTrustInfrastructure,WorkloadandDataCapabilityTaxonomy(CV-2) 28Figure9ZeroTrustAnalyticsandOrchestrationCapabilitiesTaxonomy(CV-2) 29Figure10ZeroTrustEnablingCapabilitiesTaxonomy(CV-2) 30Figure11FFP:Pillars,Resources&CapabilityMapping(CV-7) 31Figure12DataCentricSecurityProtections(OV-1) 35Figure13Data-CentricSecurityProtections(OV-2) 37Figure14DataEncryptionProtections(OV-2) 39Figure15CoordinatingPolicyforData-CentricSecurityProtections(OV-2) 41Figure16BigDataAnalytics&AI(OV-1) 42Figure17DataAnalytics&AI(SV-1) 44Figure18CentralizedOrchestration&PolicyManagement(OV-1) 45Figure19CentralizedOrchestration&PolicyManagement(OV-2) 46Figure20Dynamic,AdaptivePolicyFeedbackLoop(OV-1) 47Figure21VPN-LessImplementation(OV-1) 48Figure22East-WestSegmentation(OV-1) 49Figure23GlobalUniformDeviceHygiene(OV-1) 50Figure24GlobalUniformDeviceHygiene(OV-2) 52Figure25Dynamic,ContinuousAuthentication(OV-1) 54Figure26Dynamic,ContinuousAuthentication(OV-2) 56Figure27PerformersRequiringAuthentication 58Figure28ConditionalAuthorization(OV-1) 60Figure29ConditionalAuthorization(OV-2) 62Figure31StandardsProfileforDoDZeroTrustArchitectures 64Figure32SecuringtheSupplyChain(OV-2) 70viiJuly2022Figure33DomainPolicyEnforcementforResourceAccess(SV-1) 72Figure34DesignPattern:SoftwareDefinedPerimeter(OV-2) 73Figure35SoSDesignPattern:ZeroTrustBrokerIntegration(SV-1) 74Figure36SoSMicroSegmentation(SV-1) 75Figure37SoSMicroSegmentation(SV-1) 76Figure38SoSMicroSegmentation(SV-1) 77Figure39DesignPatterns:SoSMacroSegmentation(SV-1) 78Figure40ExternalServices(SvcV-1) 79Figure41EnterpriseFederatedIdentityService(SvcV-2) 80Figure42ICAMService(SvcV-2) 80Figure43MaturityModel(FFP) 81Figure44TransitionArchitectureBaseline(OV-1) 82Figure45TransitionArchitectureTransition(OV-1) 83viiiJuly2022PURPOSEANDSTRATEGICGOALS1.1Introduction“ZeroTrustisthetermforanevolvingsetofcybersecurityparadigmsthatmovedefensesfromstatic,network-basedperimeterstofocusonusers,assets,andresources.ZeroTrustassumesthereisnoimplicittrustgrantedtoassetsoruseraccountsbasedsolelyontheirphysicalornetworklocation(i.e.,localareanetworksversustheInternet)orbasedonassetownership(enterpriseorpersonallyowned).”1ZeroTrust(ZT)requiresdesigningaconsolidatedandmoresecurearchitecturewithoutimpedingoperationsorcompromisingsecurity.Theclassicperimeter/defense-in-depthcybersecuritystrategyrepeatedlyshowstohavelimitedvalueagainstwell-resourcedadversariesandisanineffectiveapproachtoaddressinsiderthreats.TheDoDCybersecurityReferenceArchitecture(CSRA)documentstheDepartment’sapproachtocybersecurityandisbeingupdatedtobecomedatacentricandinfuseZTprinciples.ZTsupportsthe2018DoDCyberStrategy,the2019DoDDigitalModernizationStrategy,the2021ExecutiveOrderonImprovingtheNation’sCybersecurity,andtheDoDChiefInformationOfficer’s(CIO)visionforcreating“amoresecure,coordinated,seamless,transparent,andcost-effectivearchitecturethattransformsdataintoactionableinformationandensuresdependablemissionexecutioninthefaceofapersistentcyberthreat.”2ZTshouldbeusedtore-prioritizeandintegrateexistingDoDcapabilitiesandresources,whilemaintainingavailabilityandminimizingtemporaldelaysinauthenticationmechanisms,toaddresstheDoDCIO’svision.1.2PurposeAnarchitectureisbuiltforadefinedpurposeandshouldansweraspecificsetofquestionstoenablingdata-driven,informeddecisions.TheReferenceArchitecture(RA)establishesaframeworkthatprovidesguidanceviaarchitecturalPillarsandPrinciples.Itidentifieswhichoftheoverallstrategicneeds(goalsandobjectives)arethefocusoftheRA.TheRAisaconceptual,capability-centricdescriptionofthearchitectureandprimarilysupportscapabilityplanning,portfoliomanagement,andInformationTechnology(IT)investmentdecisions.Itestablisheshigh-levelserviceandoperationconcepts,architecturalquestionsofimportance,andtechnologyopportunitiesandconstraintsthatshapethedomainofanapproach.TheRAalsoincludesasynopsisofcurrentindustryandDoDapproachesandidentifieskeydeterminingstandardsthattogetherdescribeconstraintsandopportunities.1NISTSP800-207ZeroTrustArchitecture,August20202DoDDigitalModernizationStrategy,June2019.9July20221.3ScopeTheDoDZeroTrustEngineeringTeamdevelopedthisZeroTrustReferenceArchitecture(ZTRA)toalignwiththeDoDdefinition:“ReferenceArchitectureisanauthoritativesourceofinformationaboutaspecificsubjectareathatguidesandconstrainstheinstantiationsofmultiplearchitecturesandsolutions.”3ThisReferenceArchitecturedescribesEnterprisestandardsandcapabilities.Singleproducts/suitescanbeadoptedtoaddressmultiplecapabilities.Integratedvendorsuitesofproductsratherthanindividualcomponentswillassistinreducingcostandrisktothegovernment.Thisdocumentwillevolveasrequirements,technology,andbestpracticeschangeandmature.ZTpromotesanindividualjourneytoacollaborativegoalofcontinuousenhancements,whilealsoincorporatingbestpractices,tools,andmethodologiesofindustry.1.3.1StakeholdersTheDoDZTRAwillbeusedbyDoDMissionOwners(MOs)toguideandconstraintheevolutionofexistingDoDITandEnterpriseEnvironments.MOsareindividuals/organizationsresponsiblefortheoverallmissionenvironment,ensuringthatthefunctionalandcybersecurityrequirementsofthesystemarebeingmet.TheZTRAprovidesanend-statevision,strategy,andframeworkforMOsacrosstheDoDtoutilizeinordertostrengthencybersecurityandguidetheevolutionofexistingcapabilitiestofocusonadatacentricstrategy.ZTembedssecurityprinciplesthroughoutthearchitectureforthepurposeofprotectingdataandserviceoperations,preventing,detecting,responding,andrecoveringfrommaliciouscyberactivities.TheperspectiveoftheZTRAistoguidethedeveloper,operator,manager,anduserofZTinthedevelopmentofsolutionstoimplementaZTframeworkwithinanexistingenvironment.ThisZTRA’sintentisto:ProvidestakeholderswithoperationalcontextneededtobetterunderstandprinciplesandruleswhenapplyingaZTA.DefinecapabilitiesrequiredtoenableaZTA.ProvidebaselinedescriptionofZTforuseinmanagingchangeandriskassociatedwithevolvingoperationalneeds.DefinetheimportanceofZTbyshowcasinghowthemodelconstantlylimitsaccesswhenrequired,continuouslymonitors,andidentifiesanomaliesormaliciousacts.1.3.2OrganizationoftheReferenceArchitecture3DoDReferenceArchitectureDescription–June201010July2022ThisRAcontainsthefollowingsections:StrategyandVision(withbroadOperationalViews)PillarsandPrinciplesConceptualCapabilityArchitecture(capabilitiesorganizedintoafunctionaltaxonomy,hereassociatedwiththePillars)UseCasesandassociatedrequirementsTechnicalenvironmentdescribingemergingtechnology,commonindustryapproachesandkeystandardsSecurityAssessmentArchitecturepatterns(ThescopeofalternatewaystorealizeaconformantdesignandtherefiningofPerformersintoSystemsandServices)Example,TransitionArchitecturedirectionmeetingtheaboveconstraintsandbeingpursuedatthetimeoftheRA(MaturityModel,baseline,transition,target,phases)FollowingDoDstandards,theartifactsinthisRAarefromtheDepartmentofDefenseArchitecturalFramework(DoDAF).BecauseofthebroadaudiencethatneedstounderstandandadaptZT,aninformalstyleisusedfortheartifacts.Informaldrawingsareeasiertounderstandbyawideaudience,notallofwhomarefamiliarwithUnifiedProfileforDoDAF/MODAF(UPDM)modelrepresentations.Thesedrawingsshouldallowacommonrepresentativeofthetargetstakeholdertograspthemeaningoftheartifact.WiththeRA,itisthecontentthatisimportant.However,thisisstilladigitalarchitecturalmodelandincludesartifactswithdescriptions,listsofdefinitions,andtablesofinteraction.Entities(thenounsofDoDAF)aredefinedandusedintheartifactdrawingswhichtellastoryoffunctionandentityrelationships.TheAllViewIntegratedDictionary(AV-2)isorganizedbytypeofentityandmostofthesetablesareintheappendix.FromthisRA,ReferenceDesigns(RD)canbecreatedthatcaptureaZTlogicalarchitectureforspecificenvironmentsandfunctionalneeds.TheconceptualcapabilityarchitecturepredominatelyiscapturedinseveralOperationalViews[OV-1:High-LevelOperationalConceptGraphic,OV-2:OperationalResourceFlowDescription]andCapabilityViews[CV-1:Vision,CV-2:CapabilityTaxonomy].StrategiesarecapturedinaCV-1.Here,OV-1sdescribetheproblemandtheopportunitiesforaspecificfunctionalenvironment.ThencapabilitiesareexplainedinrelationtotheOV-1opportunities.The(entitytype)capabilitiesappearinthedrawingswithathinline.Thesearecapturedinacapabilitytaxonomy(CV-2)organizedbytheirassociationswithPillarsandresources.TheothermainviewtypeistheOV-2:OperationalResourceFlowDescription.Thiscapturesspecificresourcesandhowtheyinteractinaspecificusecaseorarchitecturalpattern(withsomeconceptualSV-1:SystemsInterfaceDescription&SvcV-1:ServicesContextDescription).11July2022Figure1LegendforPerformers1.3.3TimeframeThesearethegeneraltimelinesassociatedwiththedevelopmentoftheZTRA.30September2020:InitialZTRAv0.9submittedforreviewbyDISA,NSA,DoDCIO,andUnitedStatesCyberCommand04November2020:ZTRAv0.9submittedtoEnterpriseArchitectureEngineeringPanel(EAEP)forfeedback04December2020:ZeroTrustJointEngineeringTeamreceivedfeedbackandbeganadjudication24December2020:SubmissionofZTRAv0.95submittedtoEAEP04January2021:EAEPmembersvotedonZTRArelease11Febuary2021:DigitalModernizationInfrastructureInfrastructureExecutiveCommiteeapprovalofZTRAv1.013May2021:ZTRAv1.0publishedonDoDCIOLibrary30September2021:ZTRAv2.0draftdevelopmentcomplete21November2021:DCIOCSChiefArchitectdirectedZTRA2.0tobestaffedthroughCSRASteeringGrouponitswaytoEAEPand/orDMIEXCOM7February2022:CSRASteeringGroup-JointO-6/GS-15CATMSreviewofdraftZTRAv2.0completed24May2022:EAEPcompletedassessment1June2022:BriefedtheEAEPresultsofassessmentwithcompleteconcurrenceofthepanelmembers12July20221.4VisionandGoals(CV-1)Figure2ZeroTrustVision(CV-1)4Byreconfiguring,reprioritizing,andaugmentingexistingDoDcapabilities,theDoDwillbeabletoevolvetowardsanext-generationsecurityarchitecture,ZT.Withtheseaugmentedcapabilities,theagencywillbeabletosecureanddefendDoDinformation,systems,andcriticalinfrastructureagainstmaliciouscyberactivity,includingDoDinformationonthenon-DoD-ownedenvironments.Theabilitytodetect,deter,deny,defend,andrecoverfrommaliciouscyberactivitiesanddevelopascalable,resilient,auditable,anddefendableframeworkwillrequireseveraldifferentwaystostrategicallyprotectDoDenvironments.Theconceptoftrustednetworks,devicesandendpointsgearedtowardsperimeterbaseddefenseswillshifttowardanevertrust,alwaysverifyapproach.Movingsecurityawayfromtheperimeterandtowardsanintegratedsecurityarchitecturefocusingonprotectingdata,applications,andserverswillbecriticaltoachievingtheZTvision.Ascyberthreatsevolveandbecomemoreandmoresophisticated,ZTimplementorswillneedtostaycurrentonexistingandemergingcybertechnologiestosystematicallyimproveenterpriseenvironmentdefensesthatareinlinewithZTconcepts.Thesenewstrategicgoalsenabletheimplementationofsecurityinamoreconsistentandefficientmanner.42018DoDCyberStrategy13July20221.4.1VisionandHigh-LevelGoals(CV-1)VulnerabilitiesexposedbydatabreachesinsideandoutsideDoDdemonstratetheneedforanewandmorerobustcybersecuritymodelthatfacilitatesmissionenablingdecisionsthatareriskaware.ZTisacybersecuritystrategyandframeworkthatembedssecurityprinciplesthroughouttheInformationEnterprise(IE)toprevent,detect,respond,andrecoverfrommaliciouscyberactivities.Thissecuritymodeleliminatestheideaoftrustedoruntrustednetworks,devices,personas,orprocesses,andshiftstomulti-attribute-basedconfidencelevelsthatenableauthenticationandauthorizationpoliciesbasedontheconceptofleastprivilegedaccess.ImplementingZTrequiresdesigningaconsolidatedandmoreefficientarchitecturewithoutimpedingoperationstominimizeuncertaintyinenforcingaccurate,leastprivilegeper-requestaccessdecisionsininformationsystemsandservicesviewedascompromised.ZTfocusesonprotectingcriticaldataandresources,notjustthetraditionalnetworkorperimetersecurity.ZTimplementscontinuousmulti-factorauthentication,micro-segmentation,encryption,endpointsecurity,automation,analytics,androbustauditingtoData,Applications,Assets,Services(DAAS).AstheDepartmentevolvestobecomeamoreagile,moremobile,cloud-instantiatedworkforce,collaboratingwithmultiplefederalandnon-governmentalorganizations(NGO)entitiesforavarietyofmissions,ahardenedperimeterdefensecannolongersufficeasaneffectivemeansofenterprisesecurity.Inaworldofincreasinglysophisticatedthreats,aZTframeworkreducestheattacksurface,reducesrisk,andensuresthatifadevice,network,oruser/credentialiscompromised,thedamageisquicklycontainedandremediated.State-fundedhackersarewelltrained,well-resourced,andpersistent.Theuseofnewtactics,techniques,andprocedurescombinedwithmoreinvasivemalwarecanenablemotivatedmaliciouspersonastomovewithpreviouslyunseenspeedandaccuracy.Anynewsecuritycapabilitymustberesilienttoevolvingthreatsandeffectivelyreducethreatvectors,internalandexternal.ZTend-usercapabilitiesimprovevisibility,control,andriskanalysisofinfrastructure,applicationanddatausage.Thisprovidesasecureenvironmentformissionexecution.EnablingZTcapabilitiesaddressthefollowingissuesandhigh-levelgoals:ModernizeInformationEnterprisetoAddressGapsandSeams.Overtime,DoDenvironmentshavebeendecentralized.Usabilityandsecuritychallengesstemfromyearsofbuildinginfrastructurealongorganizational,operationalanddoctrinalboundaries,withmultiplesecurityandsupporttiers,enclavesandnetworks.Capabilitiesdevelopedinsiloshaveinevitablyresultedindisconnectsandgapsinthecommandstructureandprocessesthatprecludeestablishingacomprehensive,dynamic,andnear-realtimecommonoperatingpicture.Adversarieshaveexploitedtheselogical,technological,andorganizationalgapsandseams.SimplifySecurityArchitecture.Afragmentedapproachtoinformationtechnologyandcybersecurityhasledtoexcessivetechnicalcomplexity,creatingvulnerabilitiesinenterprisehygiene,inadequatelyaddressingthreatsandresultsinhighlevelsoflatency.Complexsecuritytechniquesrendertheuserexperienceunresponsiveandineffective.14July2022Thisisafactorthatdrivestheuseofunapprovedorunsecuretechnologiesasuserslooktocompletetheirmission.ProduceConsistentPolicy.Thisisacriticallesson-learnedfromindustrythatautomatedcybersecuritypoliciesmustbeconsistentlyappliedacrossenvironmentsformaximumeffectiveness.Systemownershavearesponsibilitytodefinegovernancepractices.Thisenforcesreliabilityandconsistencyaligningwithpolicyandrequirements.OptimizeDataManagementOperations.ThesuccessofDoDmissions,rangingfrompayrolltomissiledefense,areincreasinglydependentonstructuredtaggeddatawithinandexternaltooriginatingsystems.Advancedanalyticsalsodependonthesedependencies.Whiledatastandardsandpolicyexist,theyaredisparateandinconsistentlyimplemented.Thisresultsin:oInteroperabilitychallengesbetweenapplications,organization