During the epidemic, we suddenly found ourselves carrying a lot of “identification”: a community pass, a company building pass, a Health Treasure “no abnormality” certificate, the telecom operator’s 14-day travel record, and so on. Daily life is no longer one undifferentiated whole; it is divided into countless scenes, and in each scene a different “identity” is verified. **Put another way, the essence of epidemic prevention and control is personal identity verification and access authorization.** What inspiration does this offer for modern enterprise information security prevention, control and management?

I. Zero trust and identity management

Zero trust is a security concept. Since it was proposed in 2010, it has gradually moved from theory to practice in recent years. It holds that, because network traffic cannot be trusted, the connections between the people, devices and objects in a network environment are fragile and vulnerable to attack from both outside and inside. Enterprises should therefore not automatically trust anyone, any device or any content, whether internal or external: before any attempt to access an enterprise system is authorized, the person, device or object must be verified and subjected to strict access control.

A key background for the emergence of zero trust is that the traditional “firewall” protection mechanism based on the network perimeter has prominent shortcomings and cannot cope with internal and external malicious attacks in the era of cloud computing. The security architecture therefore needs to shift from being “network-centric” to being “identity-centric”.

On the one hand, as enterprise applications move to the cloud, the network environment becomes increasingly complex and personnel turnover grows, the traditional firewall mechanism cannot cope with the danger of external users accessing public cloud services with no protection at all; the connections between users, devices, applications and IT resources in the network environment are exposed to a high-risk environment. On the other hand, it is difficult for an enterprise to accurately identify and judge the operating behavior of internal staff within its network environment and applications; without a strong authentication mechanism, erroneous and non-compliant operations are extremely difficult to monitor. These problems were exposed in concentrated form in the remote-working environment during the recent outbreak, and even led to some serious security incidents.

**The zero-trust security system built around “identity” is designed on the principle of least privilege and performs dynamic identity authentication and authorization according to the risk level of each access, which can effectively reduce the enterprise’s internal and external security risks.** In other words, the essence of zero trust is identity-based access control: ensuring that the **correct user** is assigned the correct access rights and can access the right IT resources in the right situation, and that the user’s access is continuously assessed, ultimately guaranteeing the correctness and security of access authorization.

At present, there are many schools of zero trust, such as Forrester’s ZTX, Google’s BeyondCorp, and Gartner’s CARTA. However, identity management is the core and constant security requirement no matter which solution is implemented.

II. Design principles of a zero-trust identity management system

Designing an identity management system under a zero-trust framework involves two important tasks. First, treat all data resources and computing services as “resources”, including small storage devices and employees’ personally owned devices. Second, ensure that every network connection is secure and reliable: an access request from any network must meet the same security requirements, with trust established through encryption or authentication.

Here are three principles for designing an identity management system.

1. Once a connection is established, authorize access to a single enterprise resource.

Before an access request is authorized, a trust judgment must be made on the identity of the requesting user; that is, only access requests initiated by users who have established a connection with enterprise IT resources in advance may be allowed. At the same time, the user is allowed to access only the single resource requested, not other resources.

2. Resource access authorization is a combination of policies based on context attributes.

**Only by clearly defining the enterprise’s resources, its users, and the access authorizations between users and resources can the enterprise better protect its own resources. Resource access authorization should therefore be combined with the requirements of the enterprise’s business processes, analyzing context attributes according to the corresponding risk rating and automatically invoking the authorization policy.** Context attributes include the observed state of the user’s identity, the state of the application system that initiates the access request, and other behavioral attributes. User state generally includes the account used and its related attributes. The state of the application system that initiates the request includes device characteristics such as installed software versions, network location, historical behavior and installed certificates. Behavioral attributes include automated analysis of the user and device, as well as measured deviations from the observed behavioral model.

3. Strictly perform dynamic user authentication.

**Enterprises can deploy an automated account lifecycle system to manage user resource access authorization, and strengthen authentication protection by adding multi-factor authentication (MFA).** During the interaction between users and resources, the system continuously monitors and re-authenticates user behavior according to the defined policies, so that the enterprise zero-trust architecture achieves a balance among security, availability, reliability and cost efficiency.
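To make the three principles concrete, here is a small policy-evaluation sketch added by the editor; it is not code from the original post. It assumes a constructed user-to-resource policy, assumed risk weights and thresholds, and a hypothetical minimum endpoint-agent version.

```python
from dataclasses import dataclass, replace

# Hypothetical minimum endpoint-agent version the policy accepts.
MIN_AGENT_VERSION = (2, 4)

# Explicit user -> resource grants (principle 1: a request is judged against
# the single resource it names). Constructed sample, not a real deployment.
POLICY = {"payroll-db": {"alice"}, "wiki": {"alice", "bob"}}

@dataclass
class Context:
    """Observed state of user, device and behaviour (principle 2)."""
    user: str
    mfa_verified: bool = False
    device_cert_valid: bool = True
    agent_version: str = "2.4"
    network: str = "corp"              # "corp" or "internet"
    anomalous_behavior: bool = False   # deviation from the behaviour model

def risk_score(ctx: Context) -> int:
    """Sum assumed risk weights over the context attributes."""
    score = 0
    if not ctx.device_cert_valid:
        score += 3
    if tuple(int(p) for p in ctx.agent_version.split(".")) < MIN_AGENT_VERSION:
        score += 2
    if ctx.network != "corp":
        score += 1
    if ctx.anomalous_behavior:
        score += 3
    return score

def decide(ctx: Context, resource: str) -> str:
    """Return 'allow', 'step-up-mfa' or 'deny' for one access request."""
    if ctx.user not in POLICY.get(resource, set()):
        return "deny"                  # no explicit grant for this resource
    score = risk_score(ctx)
    if score >= 4:
        return "deny"                  # too risky regardless of MFA
    if score >= 1 and not ctx.mfa_verified:
        return "step-up-mfa"           # principle 3: require stronger auth
    return "allow"

def monitor_session(ctx: Context, resource: str, events: list) -> list:
    """Principle 3: re-evaluate the decision after each observed context change."""
    decisions = []
    for change in events:
        ctx = replace(ctx, **change)   # apply the observed attribute change
        decisions.append(decide(ctx, resource))
    return decisions
```

The session loop shows why a one-time check is not enough: the same connection moves from allow to step-up to deny as its context attributes change.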

As a new network security defense concept, zero trust advocates integrating all IT resources, including users, devices, systems and networks inside and outside the enterprise, into the security system in order to protect the enterprise’s overall services and core data assets. Identity management, as the core requirement of zero trust, has gradually received attention from domestic enterprises, but it still faces many challenges in practice. In a future article we will take IDaaS as an example to share the challenges and practical points encountered in building an identity management cloud platform. Stay tuned.