Which of the following best aligns with Zero Trust concepts?
A. Group resources into smaller segments protected by a segmentation gateway
B. Issue a security policy to prohibit connections from public places, e.g., cafeteria
C. Revise the contract to require vendors and contractors to work on-site
D. Allow remote workers to connect to corporate networks by VPN only
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Group resources into smaller segments protected by a segmentation gateway.
Zero Trust is a cybersecurity paradigm for fine-grained, dynamic, and data-centric access control that supports visibility. Access control mediates the use of resources through authentication, authorization, and accounting, based on the principles of need-to-know and least privilege.
The core of Zero Trust is access control that fulfills the principles of need-to-know and least privilege, which helps prevent data breaches and lateral movement. The most widely known and accepted Zero Trust concept is that secure access to resources should be enforced regardless of network location or perimeter.
The following measures reflect the mindset that public networks are dangerous and LANs are safer, i.e., security based on network location or perimeter:
- Issue a security policy to prohibit connections from public places, e.g., cafeteria
- Revise the contract to require vendors and contractors to work on-site
- Allow remote workers to connect to corporate networks by VPN only (a VPN client, in essence, is connected to the LAN)
Zero Trust and VPN
Zero Trust is a process, not an end state. Nor is it a revolutionary initiative; it is an augmentation of legacy networks in terms of data and intent. We can adopt Zero Trust in both greenfield and brownfield settings. VPNs still work well today, and even though a pure Zero Trust environment does not need a VPN, that does not mean we must retire the VPN implementations we have already invested in.
Zero Trust Concepts
Why can't we build an environment that supports employees working remotely (even with BYOD) without a VPN while still enforcing security? Zero Trust is a new cybersecurity paradigm for controlling access to resources that takes into account not only network location but various other factors, so as to better meet business requirements.
- Data-centric access control groups data and related resources into smaller pieces or segments protected by a segmentation gateway or next-generation firewall (Kindervag’s approach).
- No inherent trust (trust is a privilege; it is earned and granted) means being network-agnostic: secure access to resources should be enforced regardless of network location (the most commonly agreed concept).
- Before-access and continuous verification are part of authentication and authorization. For example, a device should be authenticated before it is connected to a network, just as a user authenticates to the identity provider, and both should be re-verified during the session rather than trusted once and forever.
- Fine-grained rules and dynamic policies better meet business requirements through attribute-based or risk-based access control. For example, an NGFW configured with one and only one initial DENY ALL rule dynamically inserts identity-centric, attribute-based policies at runtime. Port knocking, single packet authorization (SPA), and XACML can be used to fulfill this concept.
- Inspection, logging, monitoring, and visibility are the accounting part of access control. Effective accounting leads to visibility and accountability.
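The following is an added example that is not part of the original post: a minimal Zero Trust policy decision point (PDP) in Python that ties the concepts in the list above (and the AAA, need-to-know and least-privilege principles stated earlier) together in working code. It starts from a single DENY ALL rule, requires both the user (IdP) and the device to be verified before anything else is considered, treats network location as one risk attribute rather than a gate, inserts time-boxed allow rules dynamically for a segmentation gateway to enforce, revokes them on re-verification when posture changes, and logs every decision for accounting. All class names, attribute names, risk weights, thresholds and the sample principals are illustrative assumptions, not taken from any product, standard or the post.

```python
"""Added example (not from the original post): a minimal Zero Trust PDP.

Assumed, illustrative design: one initial DENY ALL rule, attribute/risk-based
policies inserted dynamically as time-boxed grants, user and device verified
before access, continuous re-verification, and an audit log for accounting.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    user: str
    idp_verified: bool       # user authenticated to the identity provider
    mfa: bool
    roles: frozenset


@dataclass(frozen=True)
class Device:
    device_id: str
    attested: bool           # device authenticated before it joins any segment
    disk_encrypted: bool
    patched: bool


@dataclass(frozen=True)
class Resource:
    name: str
    segment: str             # micro-segment behind the segmentation gateway
    sensitivity: str         # "public" | "internal" | "confidential"
    allowed_roles: frozenset


# Assumed thresholds: the more sensitive the resource, the less risk tolerated.
RISK_THRESHOLD = {"public": 5, "internal": 3, "confidential": 1}


@dataclass
class Decision:
    allow: bool
    reason: str
    ttl_seconds: int = 0     # grants expire and must be re-verified


class ZeroTrustPDP:
    def __init__(self):
        self.audit_log = []  # accounting: every request and its decision
        self.grants = {}     # dynamically inserted allow rules -> expiry time

    @staticmethod
    def risk_score(subject, device, network):
        """Network location is one attribute among several, never a gate by itself."""
        score = 0
        if not subject.mfa:
            score += 2
        if not device.disk_encrypted:
            score += 1
        if not device.patched:
            score += 2
        if network != "corp-lan":
            score += 1
        return score

    def evaluate(self, subject, device, resource, network, now):
        key = (subject.user, device.device_id, resource.name)
        # Rule 0: DENY ALL. Every branch below must positively justify an allow.
        if not subject.idp_verified:
            decision = Decision(False, "user not authenticated to IdP")
        elif not device.attested:
            decision = Decision(False, "device not authenticated")
        elif not (subject.roles & resource.allowed_roles):
            decision = Decision(False, "need-to-know: no entitled role")
        else:
            risk = self.risk_score(subject, device, network)
            limit = RISK_THRESHOLD[resource.sensitivity]
            if risk > limit:
                decision = Decision(False, f"risk {risk} > {limit} for {resource.sensitivity}")
            else:
                ttl = 3600 if risk == 0 else 300   # riskier sessions re-verify sooner
                decision = Decision(True, f"risk {risk} <= {limit}", ttl)
        # Continuous verification: a denial revokes any rule inserted earlier;
        # an allow (re)inserts a time-boxed rule for the gateway to enforce.
        if decision.allow:
            self.grants[key] = now + decision.ttl_seconds
        else:
            self.grants.pop(key, None)
        self.audit_log.append({"user": subject.user, "device": device.device_id,
                               "resource": resource.name, "segment": resource.segment,
                               "network": network, "allow": decision.allow,
                               "reason": decision.reason, "time": now})
        return decision

    def is_granted(self, subject, device, resource, now):
        """What the segmentation gateway consults: an unexpired, dynamically inserted rule."""
        expiry = self.grants.get((subject.user, device.device_id, resource.name))
        return expiry is not None and now < expiry


# Constructed sample principals and resource (illustrative, not real data).
PAYROLL = Resource("hr-payroll", "seg-finance", "confidential", frozenset({"finance"}))
ALICE = Subject("alice", idp_verified=True, mfa=True, roles=frozenset({"finance"}))
HEALTHY = Device("lt-0001", attested=True, disk_encrypted=True, patched=True)


def demo():
    pdp = ZeroTrustPDP()
    # Remote user on public Wi-Fi with a fully verified user and device: allowed.
    cafe = pdp.evaluate(ALICE, HEALTHY, PAYROLL, "cafeteria-wifi", now=1000)
    # Same user on the corporate LAN with an unattested device: denied.
    rogue = Device("byod-77", attested=False, disk_encrypted=True, patched=True)
    lan = pdp.evaluate(ALICE, rogue, PAYROLL, "corp-lan", now=1010)
    # Posture drifts (device misses patches): re-verification revokes the earlier grant.
    drifted = Device("lt-0001", attested=True, disk_encrypted=True, patched=False)
    revoked = pdp.evaluate(ALICE, drifted, PAYROLL, "corp-lan", now=1020)
    return cafe, lan, revoked, pdp


if __name__ == "__main__":
    for decision in demo()[:3]:
        print(decision)
```

The three calls in `demo()` are the point of the exercise: the cafeteria request succeeds because user and device are verified and the residual risk is within the confidential threshold, the LAN request fails because being on the LAN earns no trust for an unauthenticated device, and the third call shows that a grant is not a permanent state: when the same device falls out of compliance, re-evaluation denies the request and removes the rule the gateway was enforcing.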
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
A. Group resources into smaller segments protected by a segmentation gateway