Zero Trust: The New "Boundary" Of Network Security
In the recently released "Ten Trends of Industrial Internet Security (2021)", "zero trust architecture enters the application promotion period" is listed as one of the ten trends for the future. The report notes that as network protection evolves from the traditional perimeter security concept to the zero trust concept, zero trust will become the mainstream architecture of the digital security era.
The so-called "zero trust" is a security concept first proposed by Forrester analyst John Kindervag in 2010. Its core idea is that, by default, no person, device or system inside or outside the network should be trusted, and that the basis of trust for access control must be rebuilt on authentication and authorization.
In short, the zero trust strategy trusts no one. The traditional access model only needs to know an IP address or host information; under the zero trust model, more explicit information is required, and any request whose user identity or authorization path cannot be established is rejected.
Although zero trust security was proposed long ago, it has only gained traction in China's network security field in the past two years. In 2019, the "Guidance on Promoting the Development of the Network Security Industry (Draft)" issued by the Ministry of Industry and Information Technology listed zero trust security as a key network security technology for the first time; the "White Paper on China's Network Security Industry (2019)" released by the China Academy of Information and Communications Technology likewise listed zero trust security, 5G, cloud security and others as key technology sub-fields of China's network security for the first time.
On the topic of "zero trust security", the 21st Century Business Herald interviewed a number of industry experts. They all said that zero trust security, which emphasizes "never trust, always verify", is a disruptive security concept that has become a very definite trend in network security; in the future, more and more enterprises will gradually adopt a zero trust security architecture.
Security Architecture in the Cloud Era
In June 2020, under the guidance of the Standards Committee of the Alliance of Industrial Internet (AII), Tencent, together with 16 institutions and enterprises including the National Internet Emergency Center (CNCERT/CC), China Mobile Group Design Institute and the Third Research Institute of the Ministry of Public Security, jointly established China's first "zero trust industry standards working group" to promote requirements gathering, technology research and development, technical standard formulation, and promotion and application.
Cheng Wenjie, general manager of Tencent Security, told the 21st Century Business Herald that Tencent introduced zero trust security on its own intranet as early as 2016. Tencent's self-developed zero trust security management system iOA has been validated by more than 60,000 Tencent employees and 100,000 desktop terminals.
In Cheng Wenjie's view, zero trust security has become popular in the past two years because the traditional network boundary is gradually disappearing as enterprises move to the cloud. In particular, the sudden epidemic forced almost all enterprises to work remotely. In the past many enterprises may have had reservations about zero trust security, but as the risks grew they chose to accept a zero trust security architecture.
A research report released by Guoxin Securities in 2020 likewise pointed out that the rise of the cloud and the mobile Internet has gradually dismantled traditional perimeter defense. The traditional security philosophy takes boundary isolation as its core concept: a "wall" is built from firewalls, IPS and similar devices to protect the intranet, and everything inside is considered safe and trustworthy by default.
With the rise of cloud applications, some of the enterprise's applications originally "inside the wall" have moved to the cloud. At the same time, with the popularity of mobile office, employees who used to work inside the enterprise have gradually moved "outside the wall". Once the perimeter is breached, attackers can infiltrate the enterprise's internal equipment by various means, so "building a wall" at the boundary is increasingly powerless, and new protection methods are urgently needed in the "borderless" era.
In an interview with the 21st Century Business Herald, Wei Xiaoqiang, vice president of the 360 Cloud Security Research Institute, explained the difference between zero trust security and traditional security with a vivid metaphor. Previous security defense systems had a boundary, he said, and the firewall was like the moat of a castle: anyone outside who wanted to enter had to pass inspection at the gate, but once inside he was trusted by default and could walk around the castle at will.
"This system was feasible in the past, but now an enterprise employee's workplace may be an airport, an Internet cafe or anywhere else, so the situation becomes very complicated," Wei Xiaoqiang said. Under the zero trust security framework, neither people outside the castle nor those inside it are trusted, and every access request must be verified.
According to the 2019 zero trust adoption report released by Cybersecurity Insiders and Zscaler, 62% of respondents said that their biggest application security challenge at present was securing access to private applications distributed across data centers and cloud environments.
This is exactly the problem zero trust sets out to solve. The same report shows that 78% of IT security teams hope to achieve zero trust network access in the future, and 15% of enterprises have already implemented it.
Based on Identity
The concept of zero trust security has in fact evolved over the past decade. Lu Shibiao, vice president of Wangsu Science & Technology, told the 21st Century Business Herald that at the outset the concept mainly focused on fine-grained network access control through micro-segmentation, so as to limit attackers' lateral movement; later it gradually matured into an identity-centered architecture.
According to Lu Shibiao, zero trust security has three main security features. The first is "network stealth, default deny": the enterprise's business application systems close all ports by default, refuse all internal and external access, and only dynamically open ports to the IP addresses of legitimate clients, which directly avoids unauthorized scanning and attacks.
The second is "continuous verification, authorization on demand": zero trust security continuously verifies the access behavior of already-authenticated users and dynamically adjusts their access rights on demand.
Finally, "micro-segmentation, least-privilege access": zero trust security follows the principle of least privilege and application micro-segmentation, effectively reducing the attack surface for lateral attacks and preventing the spread of an attack to the greatest extent.
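The following Python sketch is an added example, not code from the article or from any of the vendors it quotes. It ties together the "IP address is not an identity" point made earlier and the three features just listed: a policy decision point that evaluates every request from scratch (signed identity assertion, current device posture, explicit least-privilege allow) and a gateway that keeps every resource closed until the decision point says otherwise and closes it again on any failed re-verification. The identity provider key, the roles, the devices and the requests are all constructed for illustration; the token format is a deliberately minimal HMAC-signed stand-in for whatever the real identity provider issues.

```python
# Added example: a toy zero trust policy decision point (PDP) and enforcement
# gateway. Not code from the article or from any vendor it quotes. All keys,
# roles, devices and requests below are constructed for illustration.
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed shared secret the (hypothetical) identity provider signs assertions with.
IDP_KEY = b"example-idp-signing-key"

# Least-privilege policy: role -> resource -> allowed actions.
# Anything not listed here is denied; there is no "inside the wall" default.
POLICY = {
    "developer": {"git": {"read", "write"}, "wiki": {"read"}},
    "finance": {"ledger": {"read", "write"}, "wiki": {"read"}},
}


def issue_token(user: str, role: str, ttl: int, now: Optional[float] = None) -> str:
    """Identity assertion 'user|role|exp|hmac', signed with IDP_KEY."""
    exp = int((now if now is not None else time.time()) + ttl)
    payload = f"{user}|{role}|{exp}"
    sig = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[Tuple[str, str]]:
    """Return (user, role) only if the signature checks out and the token is unexpired."""
    parts = token.split("|")
    if len(parts) != 4:
        return None
    user, role, exp, sig = parts
    expected = hmac.new(IDP_KEY, f"{user}|{role}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        if (now if now is not None else time.time()) >= int(exp):
            return None
    except ValueError:
        return None
    return user, role


@dataclass
class Request:
    src_ip: str
    resource: str
    action: str
    token: Optional[str] = None      # identity assertion; absent in the "IP only" model
    device_id: Optional[str] = None  # enrolled device presenting the request


class PolicyDecisionPoint:
    """Evaluates every request from scratch: identity, device posture, least privilege."""

    def __init__(self):
        # device_id -> currently compliant? (would be fed by EDR/MDM; constructed here)
        self.device_posture = {}

    def set_posture(self, device_id: str, compliant: bool) -> None:
        self.device_posture[device_id] = compliant

    def authorize(self, req: Request, now: Optional[float] = None) -> Tuple[bool, str]:
        # 1. Identity: a source IP is not an identity. No assertion, no access.
        if req.token is None:
            return False, "no identity assertion (source IP alone is not trusted)"
        ident = verify_token(req.token, now)
        if ident is None:
            return False, "identity assertion invalid or expired"
        user, role = ident
        # 2. Device: must be enrolled and compliant *now*, not just at login time.
        if self.device_posture.get(req.device_id) is not True:
            return False, f"device {req.device_id!r} unknown or non-compliant"
        # 3. Least privilege: an explicit allow for this role/resource/action is required.
        if req.action in POLICY.get(role, {}).get(req.resource, set()):
            return True, f"{user} ({role}) may {req.action} {req.resource}"
        return False, f"role {role} has no {req.action} right on {req.resource}"


class Gateway:
    """Enforcement point in front of the application: 'network stealth, default deny'.

    Nothing is reachable until the PDP allows it; an allow opens the resource to that
    client IP for a short window, and any later failed re-verification closes it again.
    """

    def __init__(self, pdp: PolicyDecisionPoint, open_ttl: int = 60):
        self.pdp = pdp
        self.open_ttl = open_ttl
        self.opened = {}  # (src_ip, resource) -> expiry timestamp

    def handle(self, req: Request, now: Optional[float] = None) -> Tuple[bool, str]:
        now = now if now is not None else time.time()
        allowed, reason = self.pdp.authorize(req, now)
        key = (req.src_ip, req.resource)
        if allowed:
            self.opened[key] = now + self.open_ttl
        else:
            self.opened.pop(key, None)  # revoke: continuous verification failed
        return allowed, reason

    def is_open(self, src_ip: str, resource: str, now: Optional[float] = None) -> bool:
        now = now if now is not None else time.time()
        return self.opened.get((src_ip, resource), 0) > now


if __name__ == "__main__":
    t0 = 1_700_000_000
    pdp = PolicyDecisionPoint()
    pdp.set_posture("laptop-1", True)
    gw = Gateway(pdp)
    tok = issue_token("alice", "developer", ttl=600, now=t0)
    for req in (
        Request("10.0.0.5", "git", "write"),                    # IP only: denied
        Request("10.0.0.5", "git", "write", tok, "laptop-1"),   # allowed
        Request("10.0.0.5", "ledger", "read", tok, "laptop-1"), # outside role: denied
    ):
        print(gw.handle(req, now=t0))
```

The design point worth noticing is that the gateway never consults a static allow-list of "internal" addresses: the only thing that opens a resource is a fresh allow from the decision point, and a request that later fails any of the three checks (expired assertion, device falling out of compliance, action outside the role) both gets denied and closes the previously opened path. Wei Xiaoqiang's caveat below about the decision process being a single point of attack applies exactly here: the `PolicyDecisionPoint` and its signing key are what a real deployment has to protect hardest.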
On this point, Wei Xiaoqiang also said that zero trust security in effect removes security from the network: it no longer relies on the network but is based on identity. He further pointed out: "No security is perfect, and vulnerabilities will never be completely eliminated. However, zero trust follows the principle of least privilege, which restricts access rights to the minimum, so even if a zero trust security defense system is breached, the resulting loss will be minimized. It is not like a traditional security network, where once the perimeter is breached, everything may be taken in one sweep."
Of course, as Wei Xiaoqiang said, zero trust security is not perfect and also has some disadvantages. "For example, in zero trust security, authentication and authorization are separate, and authentication is a decision-making process. If the decision-making process is attacked, the whole system collapses," Wei Xiaoqiang said.
In Cheng Wenjie's view, the disadvantages of zero trust security include rising cost and the impact that rebuilding the security architecture has on users' habits. "For example, some financial apps require fingerprint verification every time they are opened, which is quite familiar to us. But if every app were strictly verified in that way, it would certainly greatly affect user acceptance. So we also suggest that enterprises introducing zero trust security follow best practice, comprehensively evaluate each of a user's visits and behaviors, and make more intelligent judgments, so as to reduce security risk while affecting the user's access experience as little as possible."
On the whole, though, zero trust security brings more advantages than disadvantages. Cheng Wenjie said that, judging from Tencent's current security practice and customer feedback, zero trust security can greatly improve an enterprise's ability to withstand security risks during digital transformation, and the number of security incidents has also declined exponentially.
Lu Shibiao told reporters that enterprise IT architecture is changing from "bounded" to "borderless". A zero trust security network based on wide coverage can better meet the need for secure access anytime and anywhere, replace the traditional VPN as the networking model, simplify enterprise IT deployment, and better adapt to the secure access requirements that the diversification of working modes will bring in the future.
Globally, Internet companies are currently the most active adopters of zero trust security. Besides the Tencent case above, Google has implemented the BeyondCorp architecture for secure access to internal applications, which lets employees access the company's applications anytime and anywhere without a VPN.
It should be pointed out, however, that although zero trust security is the future direction of network security, it is more of an ultimate goal. "It is unrealistic for all enterprises to abandon the traditional security architecture and replace it with a zero trust security system. Within the same enterprise, different businesses will adapt to zero trust security differently. Therefore zero trust security and traditional security will coexist for a long time to come," Wei Xiaoqiang said.