版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领
文档简介
DepartmentofDefense(DoD)ZeroTrustReferenceArchitectureVersion2.0July2022PreparedbytheDefenseInformationSystemsAgency(DISA)andNationalSecurityAgency(NSA)ZeroTrustEngineeringTeamJuly2022DISTRIBUTIONSTATEMENTA.Approvedforpublicrelease.Distributionisunlimited.DocumentPreparedByDateName:RobertFreterJune2022DISAZeroTrustProgramLead(ID2)iiJuly2022TableofContents1PURPOSEANDSTRATEGICGOALS91.1Introduction91.2Purpose91.3Scope101.3.1Stakeholders101.3.2OrganizationoftheReferenceArchitecture101.3.3Timeframe121.4VisionandGoals(CV-1)131.4.1VisionandHigh-LevelGoals(CV-1)141.4.2ZeroTrustStrategy151.5Cybersecurity(Transition)ProblemStatement(OV-1)161.6OverallTargetEnvironment(OV-1)181.7Assumptions191.8Constraints202PILLARSANDPRINCIPLES202.1Overview202.2ConceptandTenetsofZeroTrust202.3Pillars212.4ReferenceArchitecturePrinciples(OV-6a)233CAPABILITIES253.1CapabilitiesTaxonomy(CV-2)253.2FFP:Pillars,Resources&CapabilityMapping314USECASES354.1DataCentricSecurityProtections(OV-1)354.2Data-CentricSecurityProtections(OV-2)374.3DataEncryptionProtections(OV-2)394.4CoordinatingPolicyforData-CentricSecurityProtections(OV-2)41iiiJuly20224.5DataAnalytics&AI(OV-1)424.6DataAnalytics&AI(SV-1)444.7CentralizedOrchestration&PolicyManagement(OV-1)454.8CentralizedOrchestration&PolicyManagement(OV-2)464.9Dynamic,AdaptivePolicyFeedbackLoop(OV-1)474.10VPN-LessImplementation(OV-1)484.11East-WestSegmentation(OV-1)494.12GlobalUniformDeviceHygiene(OV-1)504.13GlobalUniformDeviceHygiene(OV-2)524.14Dynamic,ContinuousAuthentication(OV-1)544.15Dynamic,ContinuousAuthentication(OV-2)564.16ConditionalAuthorization(OV-1)604.17ConditionalAuthorization(OV-2)625TECHNICALPOSITIONS635.1EmergingTechnologies635.2Standards,AssociatedArchitecturesandGuides645.3LinkagestoOtherArchitectures655.3.1DoDCybersecurityReferenceArchitecture(CSRA)Integration655.3.2DoDICAMReferenceDesign(RD)665.3.3NISTSpecialPublication800-207ZeroTrustArchitecture676SECURITYASSESSMENT686.1Governance686.2DataGovernance(OV-2)686.3SecuringSupplyChain(OV-2)707ARCHITECTUREPATTERNS717.1ArchitecturePatterns(CV-4)717.1.1DomainPolicyEnforcementforResourceAccess(SV-1)727.1.2SoftwareDefinedPerimeter(OV-2)73ivJuly20227.1.3ZTBrokerIntegration(SV-1)747.1.4MicroSegmentation(SV-1)747.1.5MacroSegmentation(SV-1)787.2ExternalServices787.2.1SvcV-1:ExternalServices(SvcV-1)797.2.2SvcV-2:EnterpriseFederatedIdentityService(SvcV-2)808TRANSITIONARCHITECTUREPLANNING(FFP)818.1MaturityModel(FFP)818.2Baseline(OV-1)828.3Transition(OV-1)839APPENDIX(AV-2)849.1Systems859.2Services909.3GeneralTerms929.4DIV-1939.5StdV-1-2References969.6CapabilityTable9710REFERENCES104vJuly2022LISTOFTABLESTable1ReferenceArchitecturePrinciples(OV-6A) 24Table2DesignPatternTable(CV-4) 71viJuly2022LISTOFFIGURESFigure1LegendforPerformers 12Figure2ZeroTrustVision(CV-1) 13Figure3CybersecurityProblemStatement(OV-1) 16Figure4TargetEnvironment(OV-1) 18Figure5ZeroTrustPillars 22Figure6CapabilitytoPillarsMapping(FFP) 26Figure7ZeroTrustAuthenticationandAuthorizationCapabilityTaxonomy(CV-2) 27Figure8ZeroTrustInfrastructure,WorkloadandDataCapabilityTaxonomy(CV-2) 28Figure9ZeroTrustAnalyticsandOrchestrationCapabilitiesTaxonomy(CV-2) 29Figure10ZeroTrustEnablingCapabilitiesTaxonomy(CV-2) 30Figure11FFP:Pillars,Resources&CapabilityMapping(CV-7) 31Figure12DataCentricSecurityProtections(OV-1) 35Figure13Data-CentricSecurityProtections(OV-2) 37Figure14DataEncryptionProtections(OV-2) 39Figure15CoordinatingPolicyforData-CentricSecurityProtections(OV-2) 41Figure16BigDataAnalytics&AI(OV-1) 42Figure17DataAnalytics&AI(SV-1) 44Figure18CentralizedOrchestration&PolicyManagement(OV-1) 45Figure19CentralizedOrchestration&PolicyManagement(OV-2) 46Figure20Dynamic,AdaptivePolicyFeedbackLoop(OV-1) 47Figure21VPN-LessImplementation(OV-1) 48Figure22East-WestSegmentation(OV-1) 49Figure23GlobalUniformDeviceHygiene(OV-1) 50Figure24GlobalUniformDeviceHygiene(OV-2) 52Figure25Dynamic,ContinuousAuthentication(OV-1) 54Figure26Dynamic,ContinuousAuthentication(OV-2) 56Figure27PerformersRequiringAuthentication 58Figure28ConditionalAuthorization(OV-1) 60Figure29ConditionalAuthorization(OV-2) 62Figure31StandardsProfileforDoDZeroTrustArchitectures 64Figure32SecuringtheSupplyChain(OV-2) 70viiJuly2022Figure33DomainPolicyEnforcementforResourceAccess(SV-1) 72Figure34DesignPattern:SoftwareDefinedPerimeter(OV-2) 73Figure35SoSDesignPattern:ZeroTrustBrokerIntegration(SV-1) 74Figure36SoSMicroSegmentation(SV-1) 75Figure37SoSMicroSegmentation(SV-1) 76Figure38SoSMicroSegmentation(SV-1) 77Figure39DesignPatterns:SoSMacroSegmentation(SV-1) 78Figure40ExternalServices(SvcV-1) 79Figure41EnterpriseFederatedIdentityService(SvcV-2) 80Figure42ICAMService(SvcV-2) 80Figure43MaturityModel(FFP) 81Figure44TransitionArchitectureBaseline(OV-1) 82Figure45TransitionArchitectureTransition(OV-1) 83viiiJuly2022PURPOSEANDSTRATEGICGOALS1.1Introduction“ZeroTrustisthetermforanevolvingsetofcybersecurityparadigmsthatmovedefensesfromstatic,network-basedperimeterstofocusonusers,assets,andresources.ZeroTrustassumesthereisnoimplicittrustgrantedtoassetsoruseraccountsbasedsolelyontheirphysicalornetworklocation(i.e.,localareanetworksversustheInternet)orbasedonassetownership(enterpriseorpersonallyowned).”1ZeroTrust(ZT)requiresdesigningaconsolidatedandmoresecurearchitecturewithoutimpedingoperationsorcompromisingsecurity.Theclassicperimeter/defense-in-depthcybersecuritystrategyrepeatedlyshowstohavelimitedvalueagainstwell-resourcedadversariesandisanineffectiveapproachtoaddressinsiderthreats.TheDoDCybersecurityReferenceArchitecture(CSRA)documentstheDepartment’sapproachtocybersecurityandisbeingupdatedtobecomedatacentricandinfuseZTprinciples.ZTsupportsthe2018DoDCyberStrategy,the2019DoDDigitalModernizationStrategy,the2021ExecutiveOrderonImprovingtheNation’sCybersecurity,andtheDoDChiefInformationOfficer’s(CIO)visionforcreating“amoresecure,coordinated,seamless,transparent,andcost-effectivearchitecturethattransformsdataintoactionableinformationandensuresdependablemissionexecutioninthefaceofapersistentcyberthreat.”2ZTshouldbeusedtore-prioritizeandintegrateexistingDoDcapabilitiesandresources,whilemaintainingavailabilityandminimizingtemporaldelaysinauthenticationmechanisms,toaddresstheDoDCIO’svision.1.2PurposeAnarchitectureisbuiltforadefinedpurposeandshouldansweraspecificsetofquestionstoenablingdata-driven,informeddecisions.TheReferenceArchitecture(RA)establishesaframeworkthatprovidesguidanceviaarchitecturalPillarsandPrinciples.Itidentifieswhichoftheoverallstrategicneeds(goalsandobjectives)arethefocusoftheRA.TheRAisaconceptual,capability-centricdescriptionofthearchitectureandprimarilysupportscapabilityplanning,portfoliomanagement,andInformationTechnology(IT)investmentdecisions.Itestablisheshigh-levelserviceandoperationconcepts,architecturalquestionsofimportance,andtechnologyopportunitiesandconstraintsthatshapethedomainofanapproach.TheRAalsoincludesasynopsisofcurrentindustryandDoDapproachesandidentifieskeydeterminingstandardsthattogetherdescribeconstraintsandopportunities.1NISTSP800-207ZeroTrustArchitecture,August20202DoDDigitalModernizationStrategy,June2019.9July20221.3ScopeTheDoDZeroTrustEngineeringTeamdevelopedthisZeroTrustReferenceArchitecture(ZTRA)toalignwiththeDoDdefinition:“ReferenceArchitectureisanauthoritativesourceofinformationaboutaspecificsubjectareathatguidesandconstrainstheinstantiationsofmultiplearchitecturesandsolutions.”3ThisReferenceArchitecturedescribesEnterprisestandardsandcapabilities.Singleproducts/suitescanbeadoptedtoaddressmultiplecapabilities.Integratedvendorsuitesofproductsratherthanindividualcomponentswillassistinreducingcostandrisktothegovernment.Thisdocumentwillevolveasrequirements,technology,andbestpracticeschangeandmature.ZTpromotesanindividualjourneytoacollaborativegoalofcontinuousenhancements,whilealsoincorporatingbestpractices,tools,andmethodologiesofindustry.1.3.1StakeholdersTheDoDZTRAwillbeusedbyDoDMissionOwners(MOs)toguideandconstraintheevolutionofexistingDoDITandEnterpriseEnvironments.MOsareindividuals/organizationsresponsiblefortheoverallmissionenvironment,ensuringthatthefunctionalandcybersecurityrequirementsofthesystemarebeingmet.TheZTRAprovidesanend-statevision,strategy,andframeworkforMOsacrosstheDoDtoutilizeinordertostrengthencybersecurityandguidetheevolutionofexistingcapabilitiestofocusonadatacentricstrategy.ZTembedssecurityprinciplesthroughoutthearchitectureforthepurposeofprotectingdataandserviceoperations,preventing,detecting,responding,andrecoveringfrommaliciouscyberactivities.TheperspectiveoftheZTRAistoguidethedeveloper,operator,manager,anduserofZTinthedevelopmentofsolutionstoimplementaZTframeworkwithinanexistingenvironment.ThisZTRA’sintentisto:ProvidestakeholderswithoperationalcontextneededtobetterunderstandprinciplesandruleswhenapplyingaZTA.DefinecapabilitiesrequiredtoenableaZTA.ProvidebaselinedescriptionofZTforuseinmanagingchangeandriskassociatedwithevolvingoperationalneeds.DefinetheimportanceofZTbyshowcasinghowthemodelconstantlylimitsaccesswhenrequired,continuouslymonitors,andidentifiesanomaliesormaliciousacts.1.3.2OrganizationoftheReferenceArchitecture3DoDReferenceArchitectureDescription–June201010July2022ThisRAcontainsthefollowingsections:StrategyandVision(withbroadOperationalViews)PillarsandPrinciplesConceptualCapabilityArchitecture(capabilitiesorganizedintoafunctionaltaxonomy,hereassociatedwiththePillars)UseCasesandassociatedrequirementsTechnicalenvironmentdescribingemergingtechnology,commonindustryapproachesandkeystandardsSecurityAssessmentArchitecturepatterns(ThescopeofalternatewaystorealizeaconformantdesignandtherefiningofPerformersintoSystemsandServices)Example,TransitionArchitecturedirectionmeetingtheaboveconstraintsandbeingpursuedatthetimeoftheRA(MaturityModel,baseline,transition,target,phases)FollowingDoDstandards,theartifactsinthisRAarefromtheDepartmentofDefenseArchitecturalFramework(DoDAF).BecauseofthebroadaudiencethatneedstounderstandandadaptZT,aninformalstyleisusedfortheartifacts.Informaldrawingsareeasiertounderstandbyawideaudience,notallofwhomarefamiliarwithUnifiedProfileforDoDAF/MODAF(UPDM)modelrepresentations.Thesedrawingsshouldallowacommonrepresentativeofthetargetstakeholdertograspthemeaningoftheartifact.WiththeRA,itisthecontentthatisimportant.However,thisisstilladigitalarchitecturalmodelandincludesartifactswithdescriptions,listsofdefinitions,andtablesofinteraction.Entities(thenounsofDoDAF)aredefinedandusedintheartifactdrawingswhichtellastoryoffunctionandentityrelationships.TheAllViewIntegratedDictionary(AV-2)isorganizedbytypeofentityandmostofthesetablesareintheappendix.FromthisRA,ReferenceDesigns(RD)canbecreatedthatcaptureaZTlogicalarchitectureforspecificenvironmentsandfunctionalneeds.TheconceptualcapabilityarchitecturepredominatelyiscapturedinseveralOperationalViews[OV-1:High-LevelOperationalConceptGraphic,OV-2:OperationalResourceFlowDescription]andCapabilityViews[CV-1:Vision,CV-2:CapabilityTaxonomy].StrategiesarecapturedinaCV-1.Here,OV-1sdescribetheproblemandtheopportunitiesforaspecificfunctionalenvironment.ThencapabilitiesareexplainedinrelationtotheOV-1opportunities.The(entitytype)capabilitiesappearinthedrawingswithathinline.Thesearecapturedinacapabilitytaxonomy(CV-2)organizedbytheirassociationswithPillarsandresources.TheothermainviewtypeistheOV-2:OperationalResourceFlowDescription.Thiscapturesspecificresourcesandhowtheyinteractinaspecificusecaseorarchitecturalpattern(withsomeconceptualSV-1:SystemsInterfaceDescription&SvcV-1:ServicesContextDescription).11July2022Figure1LegendforPerformers1.3.3TimeframeThesearethegeneraltimelinesassociatedwiththedevelopmentoftheZTRA.30September2020:InitialZTRAv0.9submittedforreviewbyDISA,NSA,DoDCIO,andUnitedStatesCyberCommand04November2020:ZTRAv0.9submittedtoEnterpriseArchitectureEngineeringPanel(EAEP)forfeedback04December2020:ZeroTrustJointEngineeringTeamreceivedfeedbackandbeganadjudication24December2020:SubmissionofZTRAv0.95submittedtoEAEP04January2021:EAEPmembersvotedonZTRArelease11Febuary2021:DigitalModernizationInfrastructureInfrastructureExecutiveCommiteeapprovalofZTRAv1.013May2021:ZTRAv1.0publishedonDoDCIOLibrary30September2021:ZTRAv2.0draftdevelopmentcomplete21November2021:DCIOCSChiefArchitectdirectedZTRA2.0tobestaffedthroughCSRASteeringGrouponitswaytoEAEPand/orDMIEXCOM7February2022:CSRASteeringGroup-JointO-6/GS-15CATMSreviewofdraftZTRAv2.0completed24May2022:EAEPcompletedassessment1June2022:BriefedtheEAEPresultsofassessmentwithcompleteconcurrenceofthepanelmembers12July20221.4VisionandGoals(CV-1)Figure2ZeroTrustVision(CV-1)4Byreconfiguring,reprioritizing,andaugmentingexistingDoDcapabilities,theDoDwillbeabletoevolvetowardsanext-generationsecurityarchitecture,ZT.Withtheseaugmentedcapabilities,theagencywillbeabletosecureanddefendDoDinformation,systems,andcriticalinfrastructureagainstmaliciouscyberactivity,includingDoDinformationonthenon-DoD-ownedenvironments.Theabilitytodetect,deter,deny,defend,andrecoverfrommaliciouscyberactivitiesanddevelopascalable,resilient,auditable,anddefendableframeworkwillrequireseveraldifferentwaystostrategicallyprotectDoDenvironments.Theconceptoftrustednetworks,devicesandendpointsgearedtowardsperimeterbaseddefenseswillshifttowardanevertrust,alwaysverifyapproach.Movingsecurityawayfromtheperimeterandtowardsanintegratedsecurityarchitecturefocusingonprotectingdata,applications,andserverswillbecriticaltoachievingtheZTvision.Ascyberthreatsevolveandbecomemoreandmoresophisticated,ZTimplementorswillneedtostaycurrentonexistingandemergingcybertechnologiestosystematicallyimproveenterpriseenvironmentdefensesthatareinlinewithZTconcepts.Thesenewstrategicgoalsenabletheimplementationofsecurityinamoreconsistentandefficientmanner.42018DoDCyberStrategy13July20221.4.1VisionandHigh-LevelGoals(CV-1)VulnerabilitiesexposedbydatabreachesinsideandoutsideDoDdemonstratetheneedforanewandmorerobustcybersecuritymodelthatfacilitatesmissionenablingdecisionsthatareriskaware.ZTisacybersecuritystrategyandframeworkthatembedssecurityprinciplesthroughouttheInformationEnterprise(IE)toprevent,detect,respond,andrecoverfrommaliciouscyberactivities.Thissecuritymodeleliminatestheideaoftrustedoruntrustednetworks,devices,personas,orprocesses,andshiftstomulti-attribute-basedconfidencelevelsthatenableauthenticationandauthorizationpoliciesbasedontheconceptofleastprivilegedaccess.ImplementingZTrequiresdesigningaconsolidatedandmoreefficientarchitecturewithoutimpedingoperationstominimizeuncertaintyinenforcingaccurate,leastprivilegeper-requestaccessdecisionsininformationsystemsandservicesviewedascompromised.ZTfocusesonprotectingcriticaldataandresources,notjustthetraditionalnetworkorperimetersecurity.ZTimplementscontinuousmulti-factorauthentication,micro-segmentation,encryption,endpointsecurity,automation,analytics,androbustauditingtoData,Applications,Assets,Services(DAAS).AstheDepartmentevolvestobecomeamoreagile,moremobile,cloud-instantiatedworkforce,collaboratingwithmultiplefederalandnon-governmentalorganizations(NGO)entitiesforavarietyofmissions,ahardenedperimeterdefensecannolongersufficeasaneffectivemeansofenterprisesecurity.Inaworldofincreasinglysophisticatedthreats,aZTframeworkreducestheattacksurface,reducesrisk,andensuresthatifadevice,network,oruser/credentialiscompromised,thedamageisquicklycontainedandremediated.State-fundedhackersarewelltrained,well-resourced,andpersistent.Theuseofnewtactics,techniques,andprocedurescombinedwithmoreinvasivemalwarecanenablemotivatedmaliciouspersonastomovewithpreviouslyunseenspeedandaccuracy.Anynewsecuritycapabilitymustberesilienttoevolvingthreatsandeffectivelyreducethreatvectors,internalandexternal.ZTend-usercapabilitiesimprovevisibility,control,andriskanalysisofinfrastructure,applicationanddatausage.Thisprovidesasecureenvironmentformissionexecution.EnablingZTcapabilitiesaddressthefollowingissuesandhigh-levelgoals:ModernizeInformationEnterprisetoAddressGapsandSeams.Overtime,DoDenvironmentshavebeendecentralized.Usabilityandsecuritychallengesstemfromyearsofbuildinginfrastructurealongorganizational,operationalanddoctrinalboundaries,withmultiplesecurityandsupporttiers,enclavesandnetworks.Capabilitiesdevelopedinsiloshaveinevitablyresultedindisconnectsandgapsinthecommandstructureandprocessesthatprecludeestablishingacomprehensive,dynamic,andnear-realtimecommonoperatingpicture.Adversarieshaveexploitedtheselogical,technological,andorganizationalgapsandseams.SimplifySecurityArchitecture.Afragmentedapproachtoinformationtechnologyandcybersecurityhasledtoexcessivetechnicalcomplexity,creatingvulnerabilitiesinenterprisehygiene,inadequatelyaddressingthreatsandresultsinhighlevelsoflatency.Complexsecuritytechniquesrendertheuserexperienceunresponsiveandineffective.14July2022Thisisafactorthatdrivestheuseofunapprovedorunsecuretechnologiesasuserslooktocompletetheirmission.ProduceConsistentPolicy.Thisisacriticallesson-learnedfromindustrythatautomatedcybersecuritypoliciesmustbeconsistentlyappliedacrossenvironmentsformaximumeffectiveness.Systemownershavearesponsibilitytodefinegovernancepractices.Thisenforcesreliabilityandconsistencyaligningwithpolicyandrequirements.OptimizeDataManagementOperations.ThesuccessofDoDmissions,rangingfrompayrolltomissiledefense,areincreasinglydependentonstructuredtaggeddatawithinandexternaltooriginatingsystems.Advancedanalyticsalsodependonthesedependencies.Whiledatastandardsandpolicyexist,theyaredisparateandinconsistentlyimplemented.Thisresultsin:oInteroperabilitychallengesbetweenapplications,organization
温馨提示
- 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
- 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
- 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
- 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
- 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
- 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
- 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。
最新文档
- 女生恋爱合同范例
- 仿古凉亭采购合同范例
- 农村教育用地租赁合同范例
- 公司合同范例在
- 游戏账号合同范例
- 果园供销合同范例
- 工厂正式员工合同范例
- 凉粉成品进货合同范例
- 鞋面委托加工合同范例
- 医院工程材料采购合同范例
- 国开电大《法律咨询与调解》形考任务3答案
- 装饰工程保修单
- 浙美版初中美术-《从生活中吸取设计的灵感》课件1课件
- 英语人称代词练习题(语法填空)-PPT
- 招商银行-陈翔老师-基于数据驱动的招行数字化应用实践
- 鞋厂开发技术部初步诊断报告改善方案
- 八年级上册unit6-The-story-of-100000-arrows10教学文案课件
- 现金赠与协议书范本(5篇)
- 二手车委托代理买卖协议书
- 工程部年终工作总结例文(二篇)
- HCIP-Intelligent Computing H13-211考试认证题库
评论
0/150
提交评论