




Zero trust: From aspiration to rapid implementation
Zero trust has become an essential cybersecurity philosophy for organizations. The steady trickle of zero trust security awareness since its principles were formalized in 2004 has built to a flood of adoption today.
The way we work has changed radically, with remote working commonplace and office occupancy rates in the US and UK at record lows.1 The traditional hard shell/soft interior cybersecurity model that has dominated for decades is virtually obsolete.
Before 2020, when users made requests for flexible remote working, the cybersecurity to support it was often regarded as "too hard". The global pandemic forced the pace of change and a change in mindset. Organizations now facilitate remote working, support collaborative working with partners and suppliers, and many have moved much of their IT to the cloud. Industry intelligence provider Gartner has predicted that IT spending on cloud-related categories will continue to grow, reaching 51% by 2025.2 This has implications for the demands such transformation will place on businesses' cybersecurity.
As cloud adoption continues, cyber-attacks are simultaneously increasing, to the point where the cost of cybercrime is predicted to reach $10.5 trillion by 2025.3 Increased geopolitical tensions, too, have increased the number of external cyber attackers, their motivation, and the resources available to them.
Given this context, organizations now realize that there is no longer a clear, easily definable cybersecurity perimeter around their networks, with every device potentially vulnerable. Cyber defense can be ramped up by moving protection closer to assets, an approach known as deperimeterization, which is underpinned by the zero-trust philosophy.
The zero trust philosophy: Trust no one
The acceleration towards widespread adoption of zero trust became undeniable when, in 2021, the US government mandated all federal agencies to adopt zero trust principles by 2024.4 The US federal standards agencies, the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA), have set up vendor-agnostic frameworks to help organizations move towards zero trust approaches. In zero trust, the security default is that "everything is broken", and any part of the system may be compromised, rather than a presumption that a person, device or system can be trusted because they are working in a trusted location. For every access request, a user or device must build up enough trust before access is granted, wherever they are.
Traditionally, a single authentication and authorization decision allowed wide-ranging access to internal systems and data, which was a security risk as a user or device could be compromised at any time. With zero trust, the core principle is the adaptive evaluation of trust. This is dynamic and context-based, and aims to establish information about the user and device through a process of interrogation every time access is requested. The following questions are typical:
• Could the user be accessing from a device that may be compromised?
• Are they accessing within normal working hours, or did they start accessing at midnight and from an unusual location?
• Which network are they using?
• How sensitive is the system or data to which they are requesting access?
• Did the user authenticate using a simple password or a more secure method?
• Is there a known security vulnerability in the service that the user is attempting to access?
1 Akila Quinio, "Office space vacancies in US and London reach at least 20-year highs", The Financial Times, January 24, 2023
2 "Gartner Says More Than Half of Enterprise IT Spending in Key Market Segments Will Shift to the Cloud by 2025", Gartner, February 9, 2022
3 "Cybersecurity Trends & Statistics For 2023; What You Need to Know", Forbes, March 2023
Moving to zero trust: Vision and structure
The complexity and change in organizational behavior required when moving to zero trust is not to be underestimated and will affect the business at all levels. It is a change in approach to cybersecurity governance that feeds into operating models and principles, architecture and design, processes, and, of course, technology.
Buy-in from the C-suite, such as the chief information officer or chief technology officer, and collaboration across towers of the business are essential for success. In creating a vision for transformation, business leaders should apply a full-spectrum approach to designing a long-term program for implementation. This gives a clearer view of the final cost of changing organizational architecture and the best route to zero trust's full security advantages. Business goals should determine the final technology goals, not the reverse.
If there is no commanding vision of the ultimate destination, costs are likely to mount, as each technology tower, business unit or site moves separately to new models and buys its own solutions, with a strong possibility of compatibility issues and unnecessary costs due to duplication. A rigorously structured change program will deliver a more secure system and lower the total cost of ownership through agreement on a common, consolidated technology stack and approach.
The zero trust organizational structure - upheld by pillars
Responsibility for implementation of cybersecurity measures is often distributed across various groups or towers, for example, between identity, network, operational technology, and engineering teams.
The CISA model for zero trust (figure 1) is divided into five pillars: identity, devices, networks, applications and workloads (e.g., virtual machines and containers), and data. These sit above three foundational layers: visibility and analytics, automation and orchestration, and governance. Each pillar can generate the signals and metrics used to make smart access control decisions. For example, device posture data, such as OS and browser version, or disk encryption and antivirus status, could indicate that the device is at increased risk of being compromised.
Since zero trust controls are distributed and delegated throughout all five pillars and the organization, this may represent a challenge for those who are used to the established structure and allocation of responsibility for security. This makes change management communication a priority for effective acceptance.
Figure 1: CISA Zero Trust Maturity Model. Pillars: Identity, Devices, Networks, Applications & Workloads, Data. Foundation of zero trust (cross-cutting layers): Visibility and Analytics, Automation and Orchestration, Governance.
Faster, smarter, and safer decisions
The decision center of zero trust is the policy engine. It is here that trust is defined, metrics are set, and hence the bar that access requests must clear is established. The availability of ample bandwidth, machine learning and AI, and fast processing at relatively low cost have come together to make zero trust signal analysis viable in real time.
The policy engine relies on a range of data sources to generate signals and finalize an access decision. These can include information on:
• Software components and operating systems;
• Industry compliance;
• Threat intelligence;
• Software flaws or reported attacks;
• Network and system logs;
• Data and system access policies;
• Public key infrastructure;
• Identity management; and
• Security information, such as authentication status.
The policy engine feeds the full range of inputs to a trust algorithm, which leads to an access decision. Signals that can show suspicious activity are processed at the automation and orchestration layer (as per the CISA framework). The architecture makes possible fully automated, dynamic, context-based, least-privilege access to services and data, and interoperability with continuous monitoring and centralized visibility.5
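To make the trust algorithm concrete, here is a minimal context-based policy engine written for this edit; it is an added example, not code from the whitepaper, from Capgemini, Zscaler, NIST or CISA. It turns the "typical questions" listed earlier (device posture, working hours and location, network, resource sensitivity, authentication method, known vulnerability in the target service) into signals, sums them into a risk score, and returns allow, step-up or deny. The signal names, point weights, thresholds and sample requests are all illustrative assumptions; a real engine would tune them against its own telemetry.

```python
"""Added example: a context-based zero trust policy engine (illustrative, not vendor code)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # access only after stronger authentication
    DENY = "deny"


@dataclass(frozen=True)
class DevicePosture:
    managed: bool            # enrolled in the organisation's device management
    disk_encrypted: bool
    antivirus_current: bool
    os_patched: bool


@dataclass(frozen=True)
class AccessRequest:
    user: str
    auth_method: str                # "password", "totp" or "fido2"
    device: DevicePosture | None    # None = no posture signal available at all
    network: str                    # "corporate", "home" or "public"
    hour_local: int                 # 0-23 in the user's local time
    usual_country: str
    observed_country: str
    resource: str
    resource_sensitivity: str       # "low", "medium" or "high"
    resource_has_known_vuln: bool   # from vulnerability / threat-intel feeds


# Assumed weights: how strong each authentication method is, and how strong
# it must be for each sensitivity tier.
AUTH_STRENGTH = {"password": 1, "totp": 2, "fido2": 3}
REQUIRED_STRENGTH = {"low": 1, "medium": 2, "high": 3}


def risk_score(req: AccessRequest) -> tuple[int, list[str]]:
    """Add up risk points from every signal and keep the reasons for the audit log."""
    score, reasons = 0, []
    d = req.device
    if d is None:
        score += 5
        reasons.append("no device posture signal")
    else:
        checks = ((d.managed, "unmanaged device", 3),
                  (d.disk_encrypted, "disk not encrypted", 2),
                  (d.antivirus_current, "antivirus out of date", 2),
                  (d.os_patched, "OS unpatched", 2))
        for ok, name, points in checks:
            if not ok:
                score += points
                reasons.append(name)
    if req.network == "public":
        score += 2
        reasons.append("public network")
    if not 7 <= req.hour_local <= 20:
        score += 1
        reasons.append("outside normal working hours")
    if req.observed_country != req.usual_country:
        score += 3
        reasons.append("unusual location")
    if req.resource_has_known_vuln:
        score += 3
        reasons.append("target service has a known vulnerability")
    return score, reasons


def evaluate(req: AccessRequest) -> tuple[Decision, list[str]]:
    """Trust is built up per request; absent enough signal the answer is DENY."""
    score, reasons = risk_score(req)
    # Hard stop: high-sensitivity data is never reached from an unknown or unmanaged device.
    if req.resource_sensitivity == "high" and (req.device is None or not req.device.managed):
        return Decision.DENY, reasons + ["high-sensitivity resource requires a managed device"]
    if score >= 6:
        return Decision.DENY, reasons
    if AUTH_STRENGTH.get(req.auth_method, 0) < REQUIRED_STRENGTH[req.resource_sensitivity]:
        return Decision.STEP_UP, reasons + ["authentication too weak for resource sensitivity"]
    if score >= 3:
        return Decision.STEP_UP, reasons
    return Decision.ALLOW, reasons


HEALTHY = DevicePosture(managed=True, disk_encrypted=True, antivirus_current=True, os_patched=True)

# Constructed sample requests (not real telemetry).
SAMPLES = {
    "office_fido2": AccessRequest("alice", "fido2", HEALTHY, "corporate", 10,
                                  "GB", "GB", "hr-payroll", "high", False),
    "midnight_abroad": AccessRequest("alice", "password", HEALTHY, "home", 23,
                                     "GB", "US", "crm", "medium", False),
    "no_posture": AccessRequest("bob", "totp", None, "public", 14,
                                "FR", "FR", "hr-payroll", "high", False),
    "vuln_target": AccessRequest("carol", "fido2",
                                 DevicePosture(True, False, True, True), "home", 12,
                                 "DE", "DE", "wiki", "low", True),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        decision, why = evaluate(req)
        print(f"{name:16s} -> {decision.value:8s} {'; '.join(why) or 'no risk signals'}")
```

Two design points worth noting: the hard stop runs before the score is consulted, so a healthy score can never override a missing posture signal for high-sensitivity data, and every branch returns the reasons it acted on, which is what the visibility and analytics layer needs to explain and audit the decision.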
While zero trust is a major step forward in cybersecurity, it is more than just that. It is a model for governance that shapes ownership of the overall vision, transformation program and outcomes. It sets business-aligned security policy and allocates responsibility to stakeholders. It also determines whether a particular implementation results in a successful transformation in operations.
In the conversion to zero trust, the new environment has to be designed with metrics in place to demonstrate success and effectively manage efficiency and costs.
Examples of how these metrics could demonstrate value:
• A reduction in insurance costs, where an insurer recognizes reduced risk of cyber-attack by moving to zero trust
• Improved user experience, proven via employee surveys and metrics from Zscaler Digital Experience (ZDX)
• Fewer security incidents by eliminating exposed internet attack surface, lowering operating expenses
• Reduced cost of migration to cloud services using a consistent approach
• Reduced networking costs by swapping expensive routing links (e.g., MPLS) for Zscaler via the internet
• Reduced total cost of ownership for security through tooling consolidation.
5 Cybersecurity and Infrastructure Security Agency, "Zero Trust Maturity Model, Version 2.0", April 2023, p. 9
Damage limitation through microsegmentation
A major vulnerability of the hard shell/soft interior model has been the freedom an attacker has had to do as much damage as they wanted once they managed to break through the hard shell around an organization's network. Zero trust's microsegmentation capability reduces the affected area of an attack.
Common practice has been that each application has had either an associated certificate, or a username with a password, which it can use to access other applications and data. Credentials can be found on the dark web, for example, through a leak to a GitHub repository, or in a carelessly saved text file, or through capture and replay. This enables attackers to masquerade as an application, or other workload. Once in the soft center, they often have the freedom to attack at will.
In the zero-trust model, access may still be possible, but a signal that the user is accessing from an unusual place, or that an application is accessing certain unusual data, will trigger an alert and begin an interrogation process with contextual questions to identify a potential compromise, and subsequently block it. We also implement the principle of least privilege, by which users and applications are only allowed access to the services and data that they need to fulfil their function. For example, rather than controlling which servers can talk to other servers, we control which specific applications on those servers can talk to other applications.
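The application-to-application control described above can be expressed as a default-deny allowlist keyed on workload identity rather than on server address. The following is an added example written for this edit, not code from the whitepaper or from any vendor; the workload names, the host inventory and the policy table are constructed for illustration. It also shows the one check that turns a stolen application credential into an alert: a credential is honoured only from the hosts where that workload is actually deployed, so a certificate or password lifted from a repository and replayed elsewhere is refused even though the credential itself is valid.

```python
"""Added example: identity-based microsegmentation with default deny (illustrative)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_app: str      # identity the caller presents (e.g. subject of its mTLS certificate)
    src_host: str     # host the connection actually originates from
    dst_app: str
    operation: str    # e.g. "read:ledger", "write:invoices"


# Assumed deployment inventory: where each workload legitimately runs.
DEPLOYMENTS = {
    "web-frontend": {"web-01", "web-02"},
    "billing-api": {"app-01"},
    "reporting-job": {"batch-01"},
}

# Explicit allowlist of (caller, callee, operation). Anything not listed is denied.
# Rules are per application, not per server: other workloads on app-01 gain
# nothing from the billing-api entries.
ALLOW = {
    ("web-frontend", "billing-api", "read:invoices"),
    ("web-frontend", "billing-api", "write:invoices"),
    ("billing-api", "ledger-db", "read:ledger"),
    ("billing-api", "ledger-db", "write:ledger"),
    ("reporting-job", "ledger-db", "read:ledger"),
}


def authorize(flow: Flow) -> tuple[bool, str]:
    """Return (allowed, reason). Denials prefixed 'ALERT:' should page the SOC."""
    hosts = DEPLOYMENTS.get(flow.src_app)
    if hosts is None:
        return False, f"unknown workload identity {flow.src_app!r}"
    # A valid credential presented from a host that does not run the workload
    # is the signature of a leaked certificate or password being replayed.
    if flow.src_host not in hosts:
        return False, (f"ALERT: credential for {flow.src_app!r} used from "
                       f"{flow.src_host!r}, which does not host it")
    # Least privilege: only the listed operations against the listed callee.
    if (flow.src_app, flow.dst_app, flow.operation) not in ALLOW:
        return False, (f"ALERT: {flow.src_app!r} is not permitted "
                       f"{flow.operation!r} on {flow.dst_app!r}")
    return True, "allowed by policy"


def run_samples() -> dict[str, tuple[bool, str]]:
    """Constructed flows: one legitimate, three that a flat network would have let through."""
    flows = {
        "normal": Flow("web-frontend", "web-01", "billing-api", "read:invoices"),
        "replayed_cred": Flow("billing-api", "web-02", "ledger-db", "read:ledger"),
        "lateral_move": Flow("billing-api", "app-01", "hr-records", "read:employees"),
        "privilege_creep": Flow("reporting-job", "batch-01", "ledger-db", "write:ledger"),
    }
    return {name: authorize(f) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (ok, why) in run_samples().items():
        print(f"{name:16s} {'ALLOW' if ok else 'DENY ':5s} {why}")
```

In a production deployment the caller identity would come from an mTLS certificate or a signed workload token rather than a string, and the inventory from the platform's own service registry; the shape of the decision, default deny plus an allowlist per application and operation, is the part that carries over.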
Simplification for mergers and acquisitions
In a merger or acquisition situation, organizations need to consolidate their networks and security tooling, which might comprise an edge router, a firewall, a VPN, and hardware for Internet connectivity. Each party will bring their own wide area network (WAN) and related network security tooling in data centers, and a merger/acquisition has strict deadlines to adhere to for change-of-control requirements, requiring integration under pressure.
During integration, a cloud-delivered zero trust network access service such as Zscaler, a leader in zero trust solutions, allows users to access applications without requiring extensive network changes or delivering connectivity via a remote access service like a VPN. It consolidates technology sets from different businesses by providing the same set of capabilities in one package. Enterprises can publish their business applications to a central exchange, from where users can request access regardless of which business entity they are from. This brings considerable simplification and acceleration to mergers.
Protecting legacy systems
There has been a monumental shift to cloud-based systems, but aging IT infrastructure persists and requires protection. Shifting to zero trust brings cost savings through safe retirement of legacy security technology, but change can be difficult to implement in legacy environments. With zero trust, security is achieved by ring-fencing legacy systems, putting controls around the boundary, and blocking access unless a request for access passes all checks. Similarly, a user will not be able to exit the legacy environment without passing context-based zero trust checks.
Zero trust for a global pharma group
A large pharmaceutical group with more than 150 locations globally and over 20,000 users brought Capgemini in to deliver zero trust as part of a larger infrastructure re-design.
The infrastructure was complex due to multiple system architectures after a series of mergers and acquisitions. It was also expensive to maintain, with numerous gateway devices, software agents, identity sources and security policies.
The goals for the program were:
• Improve the user experience with corporate applications and service access in a hybrid environment, which would also bring productivity benefits
• Reduce the visible attack surface of critical business services and applications
• Initiate a 'least privilege' policy for users, meaning limiting user access to the specific data, resources, and applications needed for a task
• Meet users' expectation of "anytime, anywhere, any device" (ATAWAD).
The client set two strategic objectives. Firstly, to achieve a return on investment for capital expenditure (CAPEX) and operational expenditure (OPEX) while the zero-trust journey was underway. Secondly, to enable the group to progress future mergers and acquisitions regardless of identity sources and network constraints.
Capgemini executed a customer transformation program to adapt a modern digital landscape to one where the Internet became the corporate network. This included creating a corporate zero trust roadmap and identifying relevant future use cases to define the architecture accordingly.
Using an end-to-end process, the project achieved significant user experience enhancement. This was achieved with a single zero trust Zscaler Private Access software agent and a streamlined global technical infrastructure for internal application access, simplifying ongoing management. The transformation also led to OPEX and CAPEX optimization via a dynamic cloud-based security services consumption model.
Capgemini's end-to-end methodology for zero trust implementation
Capgemini's approach to delivering zero trust for clients begins with analysis of an organization's culture, goals, and business strategy. It is vital that security architectures and solutions align with and support the greater business goals.
We review the current security capabilities of the organization with respect to zero trust, in alignment with the industry-standard maturity model developed by the US security agency CISA.
We help our clients with all elements of zero trust, from governance, operating models, and principles, through architecture and design, all the way through to implementation (technology and process) and managed services once in operation.
Our teams can either work with you, to enable knowledge sharing; or for you, to tr