You are evaluating solutions that can mitigate the threat of lateral movement. Which of the following least aligns with the principles of Zero Trust? (Wentz QOTD)
A. Place critical servers in the DMZ for isolation
B. Implement EAP-TLS for mutual authentication
C. Enforce 802.1X for network access control
D. Enable mirroring ports on switch hubs for sniffing

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Place critical servers in the DMZ for isolation.

No inherent trust in physical network locations or perimeter is the very first concept of Zero Trust. Traditionally, people thought hosts located in LAN are safer than those in DMZ, and those in DMZ is safer than those exposed to public networks. This is the traditional perspective of security that relies on physical network locations or perimeter, also known as the castle and moat model.

Zero Trust doesn’t rely on physical network isolation but the software-defined or virtual perimeter surrounding the data of interest.

Zero Trust

Zero Trust is a Cybersecurity Paradigm for a Fine-grained, Dynamic, and Data-centric Access Control that supports visibility.

• Fine-grained authorization based on attribute or risk can be supported by standards such as XACML.
• Dynamic access control means access control rules can be added or removed dynamically. For example, a firewall defaults to one and only one policy that denies all traffic; dynamic rules can be added through techniques such as port knocking.
• Data-centric or resource-centric means not to rely on the physical network perimeter but the software-defined or virtual perimeter that protects data or resources.
• Visibility refers not only to recording logs but also contents, e.g., network traffic.
• Access control is mediating the usage of resources by authentication, authorization, and accounting based on the principles of need-to-know and least privileges.
• I treat Zero Trust as Access Control 2.0.

Evolvement of Zero Trust Concepts

Zero Trust Cybersecurity Paradigm based on NIST SP 800-27

Reference

• What is Zero Trust?
• Zero Trust as Access Control 2.0
• Zero Trust Architecture (ZTA)
• InfoSec Taiwan 2020

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

• It is available on Amazon.
• Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.

您正在評估可以減輕橫向移動(lateral movement)威脅的解決方案。 以下哪一項最不符合零信任(Zero Trust)原則？(Wentz QOTD)
A. 將關鍵服務器放置在DMZ中以進行隔離
B. 實施EAP-TLS進行相互認證(mutual authentication)
C. 強制執行802.1X以進行網絡訪問控制
D. 在交換集線器上啟用鏡像端口以進行嗅探(sniffing)