Which of the following least aligns with the concept of Zero Trust? (Wentz QOTD)
A. Record network traffic for visibility
B. Encrypt traffic over LAN using IPSec
C. Dynamically open ports using port knocking
D. Implement multi-tier firewalls as part of the defense-in-depth strategy
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Implement multi-tier firewalls as part of the defense-in-depth strategy.
The concept of Zero Trust was incepted as early as 2003 when de-perimeterization, removing the physical network locations, was prevalent. Many organizations started initiations to implement similar concepts. NIST published the special publication 800-207 in Aug. 2020, that unified various perspectives, introduced the Zero Trust concepts and environment and proposed a Zero Trust Architecture.
Never trust, always verify. The fundamental concept of Zero Trust is no reliance on physical locations to authorize access implicitly (trust). Every access has to be authenticated, explicitly authorized, and logged; data flow needs to be encrypted and recorded. A fine-grained and dynamic mechanism should be implemented to support access control. As a result, I conclude Zero Trust is a new cybersecurity paradigm for access control, or Access Control 2.0, that features data-centric, fine-grained, dynamic, and visibility.
- Accounting and recording network traffic provides visibility.
- Zero Trust is location agnostic. Encrypting traffic over LAN using IPSec as what happened in the WAN.
- Port knocking applies authentication at the port level and supports dynamic policies. Besides, we also use network access control (e.g., 802.1X) and user authentication at the application level. Never trust, always verify.
- Multi-tier firewalls imply security is enforced by physical network locations, e.g., external, DMZ, and internal networks. It’s not a Zero Trust flavor, which centers on data or assets and uses logical boundary or software-defined perimeter.
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.
以下哪一項最不符合零信任(Zero Trust)的概念？(Wentz QOTD)
C. 使用端口敲門(port knocking)來動態打開端口