The digital transformation of enterprises and the move of business to the cloud have made it hard for the traditional perimeter-based network security architecture to fit the new environment. During the epidemic, remote collaborative work let companies experience higher efficiency and revenue at first hand, but it also enlarged the exposed surface of internal data resources on the network and increased the complexity of the transmission environment, making it easier for attackers to mount advanced persistent threats and harder for enterprises to manage network security. As a result, the zero trust concept has drawn the attention of the security industry.

However, because there is as yet no unified and accurate guidance for the stages of scheme design, technical implementation, testing and evaluation, and actual deployment, the adoption and development of zero trust have been impeded. The industry urgently needs forward-looking, agreed technical standards.

On June 24, 2020, Tencent, together with a number of authoritative industry, academic, research and user institutions in the zero trust field, established China's first "Zero Trust Industry Standards Working Group". After nearly a year of discussion and research, on June 30, 2021, China's first Technical Specification for Zero Trust System (hereinafter "the Specification") was officially released. It was drafted by Tencent Security and compiled together with the Third Research Institute of the Ministry of Public Security, the National Computer Network Emergency Response Technical Coordination Center, the China Mobile Design Institute and 16 other zero trust vendors, evaluation institutions and users in the industry.





(Technical Specifications for Zero-Trust Systems)

The Specification stipulates the functional and performance requirements of a zero trust system, and the corresponding test methods, for two scenarios: "users accessing resources" and "access between services". It covers the logical architecture, identity authentication, access authorization management, transmission security, security audit, the system's own security and more. It applies to the design, development and testing of zero trust systems, gives the zero trust industry a standardized technical specification, and provides a solid foundation and direction for the services, quality and development of all security vendors.

The Specification not only fills the gap in domestic technical standards in the zero trust field, but also offers highly operable guidance and reference standards for developing and upgrading industry technology, improving service quality and reducing deployment cost.



(Schematic diagram of typical test environment)

I. Application scenarios of zero trust

Zero trust can be used in any scenario where access to resources needs security protection. The main scenarios fall into two kinds. The first is seen from the initiator's side: a user accessing resources, meaning a user accessing internal resources. The questions here are how to verify that the user is trustworthy, how to ensure that the terminal the access originates from is reliable, and how to determine which resources the user is permitted to access.

The second is seen from the service side: how service resources access each other securely. Whether to adopt zero trust in either scenario should be decided by weighing the level of security risk the enterprise can accept against the investment required.

II. Technical requirements for user access to resource scenarios

In the scenario of a user accessing resources there are four main logical components: the access subject, the zero-trust gateway, the zero-trust control center and the access object. The access subject initiates the resource access; the zero-trust gateway forwards and intercepts access requests; the zero-trust control center authenticates access requests and performs continuous access control over them; and the access object provides the resources being accessed.

In addition, the system can interoperate with external identity authentication, security analysis and intrusion detection systems through linkage interfaces.
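To make the division of labour between the four components concrete, here is an added toy model of the "user accessing resources" scenario. It is example code written for this page, not code from the Specification or from Tencent's iOA; the user and device records, the trust-scoring rules, the per-resource thresholds and the request sequence are all constructed assumptions. The point it shows is that the control center re-evaluates the request on every call (continuous access control) and that the gateway never forwards without a fresh "allow".

```python
"""Added example (not from the Specification or Tencent's iOA): a toy model
of the four logical components in the "user accessing resources" scenario.
The user/device records, the trust-scoring rules, the resource thresholds
and the request sequence are all constructed assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AccessRequest:
    """What the access subject (user + terminal agent) presents per request."""
    session_id: str
    user: str
    device_id: str
    resource: str
    posture: Dict[str, bool]  # facts reported by the terminal agent (constructed)


@dataclass
class ControlCenter:
    """Zero-trust control center: authentication plus continuous access control."""
    users: Dict[str, str] = field(default_factory=lambda: {"alice": "tok-alice"})
    enrolled_devices: Dict[str, str] = field(default_factory=lambda: {"dev-1": "alice"})
    # resource -> minimum trust score required (assumed policy)
    resource_policy: Dict[str, int] = field(default_factory=lambda: {"/git": 60, "/hr": 80})
    revoked: Set[str] = field(default_factory=set)  # sessions terminated by policy

    def authenticate(self, user: str, token: str) -> bool:
        return self.users.get(user) == token

    def trust_score(self, req: AccessRequest) -> int:
        """Recomputed on every request, not once at login."""
        score = 0
        if self.enrolled_devices.get(req.device_id) == req.user:
            score += 50  # request comes from a terminal enrolled to this user
        if req.posture.get("disk_encrypted"):
            score += 20
        if req.posture.get("edr_running"):
            score += 20
        if not req.posture.get("os_patched", True):
            score -= 30
        return score

    def decide(self, req: AccessRequest, token: str) -> str:
        if req.session_id in self.revoked or not self.authenticate(req.user, token):
            return "deny"
        required = self.resource_policy.get(req.resource)
        if required is None:
            return "deny"  # default deny: unknown resources are never exposed
        if self.trust_score(req) < required:
            self.revoked.add(req.session_id)  # continuous control: end the session
            return "deny"
        return "allow"


class Gateway:
    """Zero-trust gateway: intercepts requests, asks the control center, forwards."""
    def __init__(self, center: ControlCenter, resources: Dict[str, str]):
        self.center = center
        self.resources = resources  # access objects: resource name -> content
        self.audit: List[Tuple[str, str, str]] = []  # (session, resource, decision)

    def handle(self, req: AccessRequest, token: str) -> Optional[str]:
        decision = self.center.decide(req, token)
        self.audit.append((req.session_id, req.resource, decision))
        return self.resources[req.resource] if decision == "allow" else None


def user_access_demo() -> Tuple[List[Optional[str]], List[Tuple[str, str, str]]]:
    """Walk one session through posture degradation, revocation and re-login."""
    center = ControlCenter()
    gw = Gateway(center, {"/git": "repo listing", "/hr": "payroll"})
    good = {"disk_encrypted": True, "edr_running": True, "os_patched": True}
    bad = {"disk_encrypted": True, "edr_running": False, "os_patched": False}
    results = [
        gw.handle(AccessRequest("s1", "alice", "dev-1", "/git", good), "tok-alice"),
        gw.handle(AccessRequest("s1", "alice", "dev-1", "/hr", good), "tok-alice"),
        # posture degrades mid-session: EDR stopped, patch missing -> score 40
        gw.handle(AccessRequest("s1", "alice", "dev-1", "/git", bad), "tok-alice"),
        # posture restored, but s1 was revoked; the terminal must re-establish
        gw.handle(AccessRequest("s1", "alice", "dev-1", "/git", good), "tok-alice"),
        gw.handle(AccessRequest("s2", "alice", "dev-1", "/git", good), "tok-alice"),
        # wrong credential, and an unenrolled terminal with good posture
        gw.handle(AccessRequest("s3", "alice", "dev-1", "/git", good), "wrong"),
        gw.handle(AccessRequest("s4", "alice", "dev-9", "/git", good), "tok-alice"),
    ]
    return results, gw.audit


if __name__ == "__main__":
    for line in user_access_demo()[1]:
        print(line)
```

Running the demo shows the behaviour the text asks for: the same session that was allowed two requests earlier is denied and revoked the moment its terminal posture drops below the resource threshold, and restoring the posture does not resurrect the revoked session; the gateway's audit list is the security audit trail the Specification requires.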



(User Access Resource Scenario Logic Architecture Diagram)

III. Technical requirements for access scenarios between services

In the scenario of access between services there are two main logical components: the policy control point and the policy enforcement point. The policy control point is responsible for authentication and authorization decisions and provides visibility of business traffic. The policy enforcement point applies the access control decision, allowing or denying the communication or negotiating encryption. In some cases workload-related information is also synchronized to the security control center to assist decision-making.

Policy enforcement points come in two forms: a proxy deployed on the workload itself, and a gateway running on the network.
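The two forms of enforcement point differ in what identity they can see and what they can do about encryption, and the following added example makes that difference concrete. It is illustrative code written for this page, not code from the Specification; the workload names, addresses, allow-list rules and the decision vocabulary (allow, allow_mtls, deny) are constructed assumptions. A proxy on the workload knows its own identity and holds the workload's certificate, so it can negotiate mTLS itself; a gateway on the network only sees addresses unless the peer already presented a certificate, so it relies on workload information synced to the control point and can only pass or drop.

```python
"""Added example (not from the Specification): a toy model of the "access
between services" scenario with a policy control point (PCP) that decides and
policy enforcement points (PEPs) in both forms the text names, a proxy on the
workload and a gateway on the network. Workload names, addresses, rules and the
decision vocabulary (allow / allow_mtls / deny) are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str, int]  # (source workload, destination workload, port)


@dataclass
class PolicyControlPoint:
    """Authenticates callers, decides authorization, records flows for visibility."""
    rules: Dict[Rule, str] = field(default_factory=dict)  # explicit allow-list
    # workload inventory synced from the platform: IP -> workload identity.
    # Only the gateway form needs it; the proxy form knows its own identity.
    inventory: Dict[str, str] = field(default_factory=dict)
    flows: List[Tuple[Optional[str], str, int, str]] = field(default_factory=list)

    def decide(self, src: Optional[str], dst: str, port: int) -> str:
        """'allow', 'allow_mtls' or 'deny'; an unidentified source is denied."""
        action = "deny" if src is None else self.rules.get((src, dst, port), "deny")
        self.flows.append((src, dst, port, action))
        return action


@dataclass
class Connection:
    """A connection as seen by a PEP on the network (constructed data)."""
    src_ip: str
    dst: str
    port: int
    peer_identity: Optional[str] = None  # from the client certificate, if mTLS


class ProxyPEP:
    """Proxy form: runs beside the source workload, so it can negotiate mTLS."""
    def __init__(self, pcp: PolicyControlPoint, local_workload: str):
        self.pcp = pcp
        self.local = local_workload

    def connect(self, dst: str, port: int) -> str:
        action = self.pcp.decide(self.local, dst, port)
        if action == "deny":
            return "drop"
        # the proxy holds the workload's certificate, so it can upgrade the
        # connection to mTLS itself when policy requires encryption
        return "forward_mtls" if action == "allow_mtls" else "forward"


class GatewayPEP:
    """Gateway form: sits on the network path; it cannot speak mTLS for a workload."""
    def __init__(self, pcp: PolicyControlPoint):
        self.pcp = pcp

    def handle(self, conn: Connection) -> str:
        # prefer a cryptographic identity; fall back to the synced inventory
        src = conn.peer_identity or self.pcp.inventory.get(conn.src_ip)
        action = self.pcp.decide(src, conn.dst, conn.port)
        if action == "deny":
            return "drop"
        if action == "allow_mtls" and conn.peer_identity is None:
            return "drop"  # policy demands encryption the peer did not present
        return "forward_encrypted" if conn.peer_identity else "forward"


def service_access_demo() -> Tuple[Dict[str, str], int]:
    """Run the same policy through both PEP forms; returns decisions and flow count."""
    pcp = PolicyControlPoint(
        rules={("web", "api", 8443): "allow_mtls", ("api", "db", 5432): "allow"},
        inventory={"10.0.1.5": "web", "10.0.2.7": "api"},
    )
    web_proxy = ProxyPEP(pcp, "web")
    gateway = GatewayPEP(pcp)
    results = {
        "web->api via proxy": web_proxy.connect("api", 8443),
        "web->db via proxy": web_proxy.connect("db", 5432),
        "api->db at gateway": gateway.handle(Connection("10.0.2.7", "db", 5432)),
        "web->api at gateway, plaintext": gateway.handle(Connection("10.0.1.5", "api", 8443)),
        "web->api at gateway, mtls": gateway.handle(Connection("10.0.1.5", "api", 8443, "web")),
        "unknown source at gateway": gateway.handle(Connection("10.0.9.9", "db", 5432)),
    }
    return results, len(pcp.flows)


if __name__ == "__main__":
    for name, decision in service_access_demo()[0].items():
        print(f"{name}: {decision}")
```

Two things worth noticing in the output: the proxy form turns an "allow_mtls" rule into a connection it encrypts itself, whereas the gateway form has to drop the same plaintext flow because it cannot produce the workload's credential; and every decision, including the denied ones from an address the inventory does not know, lands in the control point's flow list, which is the traffic visibility the text attributes to the policy control point.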



(Logical architecture diagram of access scenario between services)

In addition, for both the "user accessing resources" and "access between services" scenarios, the Specification gives a specific interpretation of the required functions, system security, performance, deployment and disaster recovery technical requirements, and of the test methods for them.



(Schematic diagram of typical test environment)

The "Technical Specification for Zero Trust System" is undoubtedly a milestone in the development of zero trust in China, and reaching this important stage is inseparable from Tencent Security's active promotion of standardization of the zero trust security concept.

  • In July 2019, the "Zero Trust Security Technology Reference Framework" led by Tencent was approved as a CCSA industry standard.
  • In September 2019, the ITU international standard "Guidelines for Continuous Security in Service Access Process" led by Tencent was officially approved, a breakthrough for China in international standards in the zero trust field.
  • In June 2020, Tencent established China's first zero-trust industry standard working group under the Industrial Internet Development Alliance, together with a number of authoritative industry, academic, research and user institutions.
  • In August 2020, the working group took the lead in publishing the “Zero Trust Practical White Paper”.
  • In October 2020, the working group launched a zero-trust product compatibility mutual certification program to promote the compatibility and connectivity of zero-trust related products among different manufacturers.
  • In November 2020, the working group promoted the development of the alliance standard of “Technical Specifications for Zero-Trust Systems”.

As the first enterprise to practice zero trust in China, Tencent has consistently promoted the zero trust security concept in China through standardization. Tencent has also implemented a zero-trust network architecture internally and developed its own zero-trust IOA system.

Going forward, Tencent Security will continue to build on its own technology and practical experience, work with ecosystem partners to jointly promote the zero trust industry at scale, provide reference and support for the adoption of zero trust in all industries and fields, and help the healthy development of cyber security.

Click “Technical Specification of Zero Trust System” to download the full text.