




Zero trust: From aspiration to rapid implementation
Zero trust has become an essential cybersecurity philosophy for organizations. The steady trickle of zero trust security awareness since its principles were formalized in 2004 has built to a flood of adoption today.

The way we work has changed radically, with remote working commonplace and office occupancy rates in the US and UK at record lows.[1] The traditional hard shell/soft interior cybersecurity model that has dominated for decades is virtually obsolete.

Before 2020, when users made requests for flexible remote working, the cybersecurity to support it was often regarded as "too hard". The global pandemic forced the pace of change and a change in mindset. Organizations now facilitate remote working, support collaborative working with partners and suppliers, and many have moved much of their IT to the cloud. Industry intelligence provider Gartner has predicted that the share of enterprise IT spending in key market segments going to the cloud will continue to grow, reaching 51% by 2025.[2] This has implications for the demands such transformation will place on businesses' cybersecurity.

As cloud adoption continues, cyber-attacks are simultaneously increasing, to the point where the cost of cybercrime is predicted to reach $10.5 trillion by 2025.[3] Increased geopolitical tensions, too, have increased the number of external cyber attackers, their motivation, and the resources available to them.

Given this context, organizations now realize that there is no longer a clear, easily definable cybersecurity perimeter around their networks, with every device potentially vulnerable. Cyber defense can be ramped up by moving protection closer to assets, an approach known as deperimeterization, which is underpinned by the zero-trust philosophy.
The zero trust philosophy: Trust no one
The acceleration towards widespread adoption of zero trust became undeniable when, in 2021, the US government mandated all federal agencies to adopt zero trust principles by 2024.[4] The US federal standards agencies, the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA), have set up vendor-agnostic frameworks to help organizations move towards zero trust approaches. In zero trust, the security default is that "everything is broken", and any part of the system may be compromised, rather than a presumption that a person, device or system can be trusted because they are working in a trusted location. For every access request, a user or device must build up enough trust before access is granted, wherever they are.

Traditionally, a single authentication and authorization decision allowed wide-ranging access to internal systems and data, which was a security risk, as a user or device could be compromised at any time. With zero trust, the core principle is the adaptive evaluation of trust. This is dynamic and context-based, and aims to establish information about the user and device through a process of interrogation every time access is requested. The following questions are typical:
• Could the user be accessing from a device that may be compromised?
• Are they accessing within normal working hours, or did they start accessing at midnight and from an unusual location?
• Which network are they using?
• How sensitive is the system or data to which they are requesting access?
• Did the user authenticate using a simple password or a more secure method?
• Is there a known security vulnerability in the service that the user is attempting to access?
[1] Akila Quinio, "Office space vacancies in US and London reach at least 20-year highs", The Financial Times, January 24, 2023.
[2] "Gartner Says More Than Half of Enterprise IT Spending in Key Market Segments Will Shift to the Cloud by 2025", Gartner, February 9, 2022.
[3] "Cybersecurity Trends & Statistics For 2023; What You Need To Know", Forbes, March 2023.
Moving to zero trust: Vision and structure
The complexity and change in organizational behavior required when moving to zero trust is not to be underestimated and will affect the business at all levels. It is a change in approach to cybersecurity governance that feeds into operating models and principles, architecture and design, processes, and, of course, technology.

Buy-in from the C-suite, such as the chief information officer or chief technology officer, and collaboration across towers of the business are essential for success. In creating a vision for transformation, business leaders should apply a full-spectrum approach to designing a long-term program for implementation. This gives a clearer view of the final cost of changing organizational architecture and the best route to zero trust's full security advantages. Business goals should determine the final technology goals, not the reverse.

If there is no commanding vision of the ultimate destination, costs are likely to mount, as each technology tower, business unit or site moves separately to new models and buys its own solutions, with a strong possibility of compatibility issues and unnecessary costs due to duplication. A rigorously structured change program will deliver a more secure system and lower the total cost of ownership through agreement on a common, consolidated technology stack and approach.
The zero trust organizational structure - upheld by pillars
Responsibility for implementation of cybersecurity measures is often distributed across various groups or towers, for example between identity, network, operational technology, and engineering teams.

The CISA model for zero trust (figure 1) is divided into five pillars: identity, devices, networks, applications and workloads (e.g., virtual machines and containers), and data. These sit above three cross-cutting foundational layers: visibility and analytics, automation and orchestration, and governance. Each pillar can generate the signals and metrics used to make smart access control decisions. For example, device posture data, such as OS and browser version, or disk encryption and antivirus status, could indicate that the device is at increased risk of being compromised.

Since zero trust controls are distributed and delegated throughout all five pillars and the organization, this may represent a challenge for those who are used to the established structure and allocation of responsibility for security. This makes change management communication a priority for effective acceptance.
[Figure 1: CISA Zero Trust Maturity Model ("Foundation of Zero Trust"). Pillars: Identity, Devices, Networks, Applications & Workloads, Data. Cross-cutting capabilities beneath the pillars: Visibility and Analytics, Automation and Orchestration, Governance.]
Faster, smarter, and safer decisions
The decision center of zero trust is the policy engine. It is here that trust is defined, metrics are set, and the barrier to access requests is thus established. The availability of ample bandwidth, machine learning and AI, and fast processing at relatively low cost have come together to make zero trust signal analysis viable in real time.

The policy engine relies on a range of data sources to generate signals and finalize an access decision. These can include information on:
• Software components and operating systems
• Industry compliance
• Threat intelligence
• Software flaws or reported attacks
• Network and system logs
• Data and system access policies
• Public key infrastructure
• Identity management
• Security information, such as authentication status.

The policy engine feeds the full range of inputs to a trust algorithm, which leads to an access decision. Signals that can show suspicious activity are processed at the automation and orchestration layer (as per the CISA framework). The architecture makes possible fully automated, dynamic, context-based, least-privilege access to services and data, and interoperability with continuous monitoring and centralized visibility.[5]
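To make the "trust algorithm" concrete, here is an added example, not code from the paper or from any vendor named in it, of a score-based policy engine in Python. It consumes the kinds of signals listed in the typical questions earlier (device posture, authenticator strength, location, time of day, network) together with the sensitivity of the target and whether the target has a known vulnerability, and returns ALLOW, STEP_UP (require a stronger authenticator) or DENY. The weights, thresholds, sensitivity tiers and the four sample requests are all assumptions chosen for illustration; a real deployment would tune them against its own incident data.

```python
"""Score-based zero trust policy engine (added example; all weights are assumptions)."""
from dataclasses import dataclass
from datetime import datetime, timezone

ALLOW, STEP_UP, DENY = "ALLOW", "STEP_UP", "DENY"

# Trust (out of 100) a request must retain for each resource sensitivity tier,
# and the trust removed per risk signal. Every number here is illustrative.
REQUIRED_TRUST = {1: 40, 2: 60, 3: 75, 4: 90}      # 1 = public .. 4 = restricted
AUTH_PENALTY = {"fido2": 0, "otp": 10, "password": 30}
NETWORK_PENALTY = {"corp": 0, "home": 5, "public": 15}
WORK_HOURS_UTC = range(7, 20)


@dataclass
class Device:
    managed: bool
    disk_encrypted: bool
    av_healthy: bool
    os_patched: bool


@dataclass
class AccessRequest:
    user: str
    auth_method: str            # a key of AUTH_PENALTY
    device: Device
    country: str
    usual_countries: frozenset  # where this user normally works from
    time_utc: datetime
    network: str                # a key of NETWORK_PENALTY
    resource: str
    sensitivity: int            # a key of REQUIRED_TRUST
    target_has_known_vuln: bool


def device_posture_penalty(d: Device) -> int:
    """Every failed posture check removes 10 points; a healthy device costs nothing."""
    checks = (d.managed, d.disk_encrypted, d.av_healthy, d.os_patched)
    return 10 * sum(1 for ok in checks if not ok)


def evaluate(req: AccessRequest) -> tuple:
    """Return (decision, trust_score, reasons) for one access request.

    Trust starts at 100 and each risk signal subtracts from it; the target's
    sensitivity sets how much must remain. A known vulnerability in the target
    is a hard deny for anything above the public tier, regardless of score.
    """
    trust, reasons = 100, []

    posture = device_posture_penalty(req.device)
    if posture:
        trust -= posture
        reasons.append(f"device posture -{posture}")

    auth = AUTH_PENALTY.get(req.auth_method, 30)   # unknown method treated as weakest
    if auth:
        trust -= auth
        reasons.append(f"authenticator {req.auth_method} -{auth}")

    if req.country not in req.usual_countries:
        trust -= 20
        reasons.append(f"unusual location {req.country} -20")

    if req.time_utc.hour not in WORK_HOURS_UTC:
        trust -= 10
        reasons.append(f"outside working hours ({req.time_utc:%H:%M} UTC) -10")

    net = NETWORK_PENALTY.get(req.network, 15)
    if net:
        trust -= net
        reasons.append(f"network {req.network} -{net}")

    if req.target_has_known_vuln and req.sensitivity > 1:
        return DENY, trust, reasons + ["known vulnerability in target service"]

    required = REQUIRED_TRUST[req.sensitivity]
    if trust >= required:
        return ALLOW, trust, reasons
    # Step-up only helps when the authenticator is what is missing: if the user
    # already used FIDO2, or a perfect authenticator still would not reach the
    # bar, re-authentication would not change the outcome, so deny instead.
    if auth and trust + auth >= required:
        return STEP_UP, trust, reasons + [f"need {required}, have {trust}: require phishing-resistant MFA"]
    return DENY, trust, reasons + [f"need {required}, have {trust}"]


def _at(hour: int, minute: int) -> datetime:
    return datetime(2024, 3, 4, hour, minute, tzinfo=timezone.utc)


def sample_requests() -> dict:
    """Constructed requests covering allow, step-up, score-based deny and hard deny."""
    healthy = Device(managed=True, disk_encrypted=True, av_healthy=True, os_patched=True)
    weak = Device(managed=False, disk_encrypted=True, av_healthy=False, os_patched=True)
    usual = frozenset({"GB", "US"})
    return {
        "healthy_remote": AccessRequest("alice", "fido2", healthy, "GB", usual, _at(10, 0), "home", "crm", 3, False),
        "midnight_password_public": AccessRequest("alice", "password", weak, "BR", usual, _at(0, 30), "public", "crm", 3, False),
        "password_to_restricted": AccessRequest("bob", "password", healthy, "US", usual, _at(14, 0), "corp", "payroll", 4, False),
        "vulnerable_target": AccessRequest("bob", "fido2", healthy, "US", usual, _at(11, 0), "corp", "wiki", 2, True),
    }


def decide_all() -> dict:
    """Map each sample request name to (decision, trust_score)."""
    return {name: evaluate(req)[:2] for name, req in sample_requests().items()}


if __name__ == "__main__":
    for name, req in sample_requests().items():
        decision, trust, reasons = evaluate(req)
        print(f"{name:26s} {decision:8s} trust={trust:3d}  {'; '.join(reasons)}")
```

The point a practitioner should take from the step-up branch is that re-authentication is only offered when a stronger authenticator would actually close the gap; a request from an unmanaged device at midnight from a new country is denied outright rather than being allowed to "MFA its way in". The vulnerability check is deliberately a hard rule rather than a score component, so that a freshly disclosed flaw in a service cannot be offset by an otherwise pristine user context.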
While zero trust is a major step forward in cybersecurity, it is more than just that. It is a model for governance that shapes ownership of the overall vision, transformation program and outcomes. It sets business-aligned security policy and allocates responsibility to stakeholders. It also determines if a particular implementation results in a successful transformation in operations.

In the conversion to zero trust, the new environment has to be designed with metrics in place to demonstrate success and effectively manage efficiency and costs. Examples of how these metrics could demonstrate value:
• A reduction in insurance costs, where an insurer recognizes reduced risk of cyber-attack by moving to zero trust
• Improved user experience, proven via employee surveys and metrics from Zscaler Digital Experience (ZDX)
• Fewer security incidents by eliminating exposed internet attack surface, lowering operating expenses
• Reduced cost of migration to cloud services using a consistent approach
• Reduced networking costs by swapping expensive routing links (e.g., MPLS) for Zscaler via the internet
• Reduced total cost of ownership for security through tooling consolidation.
[5] Cybersecurity and Infrastructure Security Agency, "Zero Trust Maturity Model, Version 2.0", April 2023, p. 9.
Damage limitation through microsegmentation
A major vulnerability of the hard shell/soft interior model has been the freedom an attacker has had to do as much damage as they wanted once they managed to break through the hard shell around an organization's network. Zero trust's microsegmentation capability reduces the affected area of an attack.

Common practice has been that each application has had either an associated certificate, or a username with a password, which it can use to access other applications and data. Credentials can be found on the dark web, for example through a leak to a GitHub repository, or in a carelessly saved text file, or through capture and replay. This enables attackers to masquerade as an application, or other workload. Once in the soft center, they often have the freedom to attack at will.

In the zero-trust model, access may still be possible, but a signal that the user is accessing from an unusual place, or that an application is accessing certain unusual data, will trigger an alert and begin an interrogation process with contextual questions to identify a potential compromise, and subsequently block it. We also implement the principle of least privilege, by which users and applications are only allowed access to the services and data that they need to fulfil their function. For example, rather than controlling which servers can talk to other servers, we control which specific applications on those servers can talk to other applications.
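As an added illustration of that last point, and not code from the paper, the following Python evaluates a host-level rule and an application-level, identity-based rule over the same set of constructed connection records. Hosts, workload names, ports and the log line format are invented for the example; in a real deployment the caller's workload identity would come from its mTLS certificate or an agent's attestation rather than from a log field. The records include a workload that starts connecting to databases it has no business with, the pattern left by a stolen and replayed credential.

```python
"""Host-level rules versus application-level micro-segmentation (added example).

Both rule sets are evaluated over the same constructed connection records so the
difference is visible on realistic-looking data: a host rule that lets web-01
reach db-01 also lets a compromised second workload on web-01 reach every
database on db-01, whereas an identity-based rule pins each application to the
exact peers it needs. Hosts, workloads, ports and log format are invented.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: str
    src_host: str
    src_app: str      # caller's workload identity (e.g. from its mTLS certificate)
    dst_host: str
    dst_app: str
    dst_port: int


# Constructed records in a format assumed for this example. web-01 runs two
# workloads (web-frontend and batch-report); db-01 runs two databases. From
# 10:05 batch-report, which never needs a database, connects to both of them.
SAMPLE_LOG = """\
2024-03-04T10:02:11Z src=web-01/web-frontend dst=db-01/orders-db port=5432
2024-03-04T10:02:14Z src=web-01/batch-report dst=api-01/orders-api port=8443
2024-03-04T10:05:40Z src=web-01/batch-report dst=db-01/orders-db port=5432
2024-03-04T10:05:41Z src=web-01/batch-report dst=db-01/hr-db port=5432
2024-03-04T10:06:02Z src=web-01/web-frontend dst=db-01/hr-db port=5432
2024-03-04T10:07:19Z src=ops-99/unknown dst=db-01/orders-db port=5432
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src_host>[^/\s]+)/(?P<src_app>\S+) "
    r"dst=(?P<dst_host>[^/\s]+)/(?P<dst_app>\S+) port=(?P<port>\d+)$"
)

# Host-level ("hard shell") rule set: which servers may reach which servers.
HOST_POLICY = {("web-01", "db-01"), ("web-01", "api-01")}

# Application-level least-privilege rule set: which workload may call which
# workload on which port. Anything not listed is denied by default.
APP_POLICY = {
    ("web-frontend", "orders-db", 5432),
    ("web-frontend", "orders-api", 8443),
    ("batch-report", "orders-api", 8443),
}


def parse_log(text: str) -> list:
    """Turn log lines into Flow records, skipping lines that do not match the format."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flows.append(Flow(m["ts"], m["src_host"], m["src_app"],
                              m["dst_host"], m["dst_app"], int(m["port"])))
    return flows


def host_allows(f: Flow) -> bool:
    """Server-to-server rule: source host may reach destination host."""
    return (f.src_host, f.dst_host) in HOST_POLICY


def app_allows(f: Flow) -> bool:
    """Workload-to-workload rule: this application may call that application on that port."""
    return (f.src_app, f.dst_app, f.dst_port) in APP_POLICY


def classify(flows: list) -> dict:
    """Bucket flows as 'allowed' (passes the application rule), 'lateral'
    (passes only the host rule) or 'blocked' (passes neither). The lateral
    bucket is exactly the movement the soft interior used to permit and that
    application-level segmentation blocks and alerts on."""
    buckets = {"allowed": [], "lateral": [], "blocked": []}
    for f in flows:
        if app_allows(f):
            buckets["allowed"].append(f)
        elif host_allows(f):
            buckets["lateral"].append(f)
        else:
            buckets["blocked"].append(f)
    return buckets


if __name__ == "__main__":
    for bucket, flows in classify(parse_log(SAMPLE_LOG)).items():
        for f in flows:
            print(f"{bucket:8s} {f.ts} {f.src_host}/{f.src_app} -> {f.dst_host}/{f.dst_app}:{f.dst_port}")
```

Run against the sample records, the host rule passes five of the six flows because web-01 is allowed to reach db-01; the application rule passes only the two that a workload legitimately needs, and the three it rejects are precisely the replayed-credential connections from batch-report and the frontend's out-of-role read of hr-db. Those three are the alerts the text describes, and the ops-99 flow shows that the default-deny posture holds for a source neither rule set knows about.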
Simplification for mergers and acquisitions
In a merger or acquisition situation, organizations need to consolidate their networks and security tooling, typically an edge router, a firewall, a VPN and the other hardware that provides Internet connectivity. Each party will bring their own wide area network (WAN) and related network security tooling in data centers, and a merger/acquisition has strict deadlines to adhere to for change of control requirements, requiring integration under pressure.

During integration, a cloud-delivered zero trust network access service such as Zscaler, a leader in zero trust solutions, allows users to access applications without requiring extensive network changes or delivering connectivity via a remote access service like a VPN. It consolidates technology sets from different businesses by providing the same set of capabilities in one package. Enterprises can publish their business applications to a central exchange, from where users can request access regardless of which business entity they are from. This brings considerable simplification and acceleration to mergers.
Protecting legacy systems
There has been a monumental shift to cloud-based systems, but aging IT infrastructure persists and requires protection. Shifting to zero trust brings cost savings through safe retirement of legacy security technology, but change can be difficult to implement in legacy environments. With zero trust, security is achieved by ring-fencing legacy systems, putting controls around the boundary, and blocking access unless a request for access passes all checks. Similarly, a user will not be able to exit the legacy environment without passing context-based zero trust checks.
Zero trust for a global pharma group
A large pharmaceutical group with more than 150 locations globally and over 20,000 users brought Capgemini in to deliver zero trust as part of a larger infrastructure re-design.

The infrastructure was complex due to multiple system architectures after a series of mergers and acquisitions. It was also expensive to maintain, with numerous gateway devices, software agents, identity sources and security policies.

The goals for the program were:
• Improve the user experience with corporate applications and service access in a hybrid environment, which would also bring productivity benefits
• Reduce the visible attack surface of critical business services and applications
• Initiate a 'least privilege' policy for users, meaning limiting user access to the specific data, resources, and applications needed for a task
• Meet users' expectation of "anytime, anywhere, any device" (ATAWAD).

The client set two strategic objectives. Firstly, to achieve a return on investment for capital expenditure (CAPEX) and operational expenditure (OPEX) while the zero-trust journey was underway. Secondly, to enable the group to progress future mergers and acquisitions regardless of identity sources and network constraints.

Capgemini executed a customer transformation program to adapt a modern digital landscape to one where the Internet became the corporate network. This included creating a corporate zero trust roadmap and identifying relevant future use cases to define the architecture accordingly.

Using an end-to-end process, the project achieved significant user experience enhancement. This was achieved with a single zero trust Zscaler Private Access software agent and streamlined global technical infrastructure for internal applications access, simplifying ongoing management. The transformation also led to OPEX and CAPEX optimization via a dynamic cloud-based security services consumption model.
Capgemini's end-to-end methodology for zero trust implementation
Capgemini's approach to delivering zero trust for clients begins with analysis of an organization's culture, goals, and business strategy. It is vital that security architectures and solutions align with and support the greater business goals.

We review the current security capabilities of the organization with respect to zero trust, in alignment with the industry standard maturity model developed by the US security agency CISA.

We help our clients with all elements of zero trust, from governance, operating models, and principles, through architecture and design, all the way through to implementation (technology and process) and managed services once in operation.

Our teams can either work with you, to enable knowledge sharing; or for you, to tr