5. CyCraft Proprietary and Confidential Information
Initial compromise succeeds easily; attackers will inevitably get onto machines inside the internal network
From real cases we observe that internal network security is the weakest point of most enterprises; once attackers are inside the internal network, there is a very high probability that they can take over the entire domain
WFH
Partnership
6.
2009 Google BeyondCorp
2010: proposed by Forrester researcher John Kindervag; data-centric, designing the network architecture from the inside out
August 2020: NIST publishes NIST SP 800-207
June 2022: NIST publishes NIST SP 1800-35
7.
NIST SP 800-207
A white paper published by a government body; compared with white papers from vendors it is more objective in every respect.
Since its release in August 2020 it has drawn considerable discussion. The major Zero Trust vendors have also published mappings of their products to NIST SP 800-207.
Defines the problem scope and architecture
Logical Components of Zero Trust Architecture
Deployment Scenarios/Use Cases
Industry reference guidance that proposes concrete practices for migrating incrementally to a ZTA
Migrating to a Zero Trust Architecture
Hybrid ZTA and Perimeter-Based Architecture
Steps to Introducing ZTA to a Perimeter-Based Architected Network
8.
NIST SP 1800-35
Published by NIST's National Cybersecurity Center of Excellence (NCCoE)
Written jointly with industry partners
Implements a ZTA using commercial products and ensures they are interoperable and integrated
Builds the ZTA in a lab environment with a public specification, with installation and integration steps included.
Still in draft, updated gradually over time
9.
Trust will Change!
HITCON - Trust in the Untrusted World
10.
Concept: Trust will change!
Assumptions:
Assume breach
Network perimeters cannot be trusted
No persistent trust
11.
Assumption → High-level method
Assume breach → No implicit trust, always verify
Network perimeters cannot be trusted → Centralized and dynamic policy enforcement
No persistent trust → Dynamically reflect risk assessment in policy
12.
ZTA is …
Zero Trust Architecture: session-based verification of authentication/authorization
Dynamic policy: situation-aware policy
E.g.
Important but frequently overlooked: visibility
Audit, investigation, information to improve future authentication decisions
E.g. protection against ransomware
13.
Logical Components in NIST SP 800-207
NIST SP 800-207
Policy Engine (PE) – the PE is responsible for deciding whether to grant access, based on policy and on input from CDM systems and threat intelligence services.
Policy Administrator (PA) – the PA is responsible for establishing or shutting down the communication path based on the PE's decision.
Policy Enforcement Point (PEP) – the PEP is responsible for enabling, monitoring and terminating connections.
https://www.trendmicro.com/zh_tw/what-is/what-is-zero-trust/zero-trust-architecture.html
14.
Logical Components in NIST SP 1800-35
PIP
Situation Awareness
PDP
15.
Risk scoring mechanism
Dynamic policy
User/Device security posture
Situation awareness: time, location, threat, log
Cyber threat intelligence, device monitoring and threat hunting could be included in situation awareness
16.
Zero trust here
Feedback to ZT
Not only Identify & Protect
18.
Zero Trust is Not ….
Zero Trust is Not Trust No One
Zero Trust still relies on the authentication process, so the security of the policy infrastructure becomes more critical
No implicit trust → Zero (Implicit) Trust
Zero Trust could be “every resource has its own boundary”
People may confuse this with “zero trust arch has no boundary”
[Diagram: a user reaching resources r1, r2 and r3, each behind its own checks (Check 1, Check 2, Check 3)]
19.
Zero Trust is Not ….
MFA (Multi-Factor Authentication)
MFA is an important component of ZT, but using MFA alone is not ZT
Using MFA to enter the intranet and then access many resources → not zero trust
Use MFA together with other factors to make a decision on every request to a resource
MFA, contextual policy
The core concept of ZT is dynamic, live authentication
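As an added example (not code from the original slides, from CyCraft or from NIST), the following Python sketch ties together the PE/PA/PEP components of slide 13, the risk-scoring inputs of slide 15 and the point of this slide: every request to a resource is re-evaluated against that resource's own policy, MFA is only one input, situational risk (device posture, location, time, threat-hunting results) can deny access even when MFA passed, and a grant expires rather than persisting. All class and field names, signals, weights, thresholds and the sample users, resources and timestamps are assumptions constructed for the demo.

```python
# Added illustration, not CyCraft's or NIST's code: PE decides, PA opens/closes the path,
# PEP enforces every request. All names, signals, weights and thresholds are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    device_id: str
    mfa_passed: bool        # MFA result for this request, not a one-time login gate
    device_compliant: bool  # posture reported by UEM/EDR (assumed signal)
    src_country: str        # location, one situation-awareness input (assumed)
    ts: datetime            # time of the request, UTC


@dataclass(frozen=True)
class ResourcePolicy:
    """Each resource has its own boundary: its own entitled groups and risk limit."""
    allowed_groups: FrozenSet[str]
    max_risk: int             # the PE denies when the risk score exceeds this
    require_mfa: bool = True


@dataclass
class PolicyEngine:
    """PE: turns identity, device posture and situational signals into a verdict."""
    user_groups: Dict[str, FrozenSet[str]]
    policies: Dict[str, ResourcePolicy]
    compromised_devices: Set[str]    # fed by CTI, device monitoring, threat hunting
    risky_countries: FrozenSet[str]

    def risk_score(self, req: AccessRequest) -> int:
        """Additive demo weights; a real PE uses its own tuned scoring."""
        return (30 * (not req.device_compliant)
                + 25 * (req.src_country in self.risky_countries)
                + 10 * (not 7 <= req.ts.hour < 19)                    # off-hours request
                + 100 * (req.device_id in self.compromised_devices))  # hunting/CTI hit

    def decide(self, req: AccessRequest) -> str:
        policy = self.policies.get(req.resource)
        if policy is None:
            return "deny"  # default deny: a resource with no policy is unreachable
        if not self.user_groups.get(req.user, frozenset()) & policy.allowed_groups:
            return "deny"  # identity is not entitled to this resource
        if self.risk_score(req) > policy.max_risk:
            return "deny"  # situational risk too high, even if MFA passed
        if policy.require_mfa and not req.mfa_passed:
            return "step_up"  # MFA is one input to the decision, not the decision itself
        return "allow"


@dataclass
class PolicyAdministrator:
    """PA: opens or closes the data path on the PE's verdict; grants are short-lived."""
    engine: PolicyEngine
    ttl: timedelta = timedelta(minutes=5)
    open_paths: Dict[Tuple[str, str, str], datetime] = field(default_factory=dict)

    def authorize(self, req: AccessRequest) -> str:
        key, verdict = (req.user, req.device_id, req.resource), self.engine.decide(req)
        if verdict == "allow":
            self.open_paths[key] = req.ts + self.ttl  # no persistent trust: the grant expires
        else:
            self.open_paths.pop(key, None)            # close any existing path on deny/step_up
        return verdict


@dataclass
class PolicyEnforcementPoint:
    """PEP: permits, monitors (audit log) and terminates; re-verifies every request."""
    pa: PolicyAdministrator
    audit_log: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def handle(self, req: AccessRequest) -> str:
        verdict = self.pa.authorize(req)  # checked per request, not once at intranet entry
        self.audit_log.append((req.ts.isoformat(), req.user, req.resource, verdict))
        return verdict


def run_demo() -> Tuple[List[str], PolicyEnforcementPoint]:
    """Constructed scenario; returns the verdicts in order plus the PEP for inspection."""
    pe = PolicyEngine(user_groups={"alice": frozenset({"dev"})},
                      policies={"gitlab": ResourcePolicy(frozenset({"dev"}), max_risk=40),
                                "hr-db": ResourcePolicy(frozenset({"hr"}), max_risk=20)},
                      compromised_devices=set(), risky_countries=frozenset({"XX"}))  # XX: placeholder
    pep = PolicyEnforcementPoint(PolicyAdministrator(pe))
    t = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)  # constructed timestamp
    ok = dict(user="alice", device_id="laptop-1", mfa_passed=True, device_compliant=True,
              src_country="TW", ts=t)
    verdicts = [pep.handle(AccessRequest(resource="gitlab", **ok)),  # allow
                pep.handle(AccessRequest(resource="hr-db", **ok)),   # deny: alice is not in "hr"
                pep.handle(AccessRequest(**{**ok, "resource": "gitlab", "mfa_passed": False})),  # step_up
                pep.handle(AccessRequest(**{**ok, "resource": "gitlab", "device_compliant": False,
                                            "src_country": "XX", "ts": t.replace(hour=22)}))]  # deny: risk 65
    pe.compromised_devices.add("laptop-1")  # threat hunting feeds back into the PE
    verdicts.append(pep.handle(AccessRequest(resource="gitlab", **ok)))  # deny, open path closed
    return verdicts, pep
```

The fourth request shows why "MFA only" is not Zero Trust: MFA passed, but a non-compliant device, a risky location and an off-hours time push the score past the resource's limit. The last request shows the feedback loop of slides 15 and 16: a threat-hunting result added to the PE denies a previously allowed user/device pair and the PA drops the open path, so earlier trust does not persist.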
20.
What Zero Trust does not cover
PKI – ZTA Server PKI
E.g. CI/CD
[Diagram: ZTA, Endpoint (e.g. USB), PEP]
21.
Zero Trust cannot solve everything
Zero trust cannot prevent social engineering and phishing email
Zero trust cannot protect devices from malware
Zero trust cannot defend against zero-days
….
22.
Zero trust and the supply chain are still two separate problem dimensions;
adopting zero trust does not directly solve supply chain attacks,
but it can mitigate the lateral-movement part
24.
About NIST SP 1800-35
NIST SP 1800-35 is divided into four parts
NIST SP 1800-35 A - Executive Summary
NIST SP 1800-35 B – Approach, Architecture, and Security Characteristics
NIST SP 1800-35 C – How-To Guides
NIST SP 1800-35 D - Functional Demonstrations
How to build a ZTA using existing products
Different roles can read different sub-documents
25.
Challenge
Difficulties in adopting ZTA
Inventory assets down to the resource level, and design a ZTA that fits the existing IT architecture
No single product can deliver a ZTA; different security systems must be integrated
How to choose, or reuse already-deployed, security systems to build the ZTA
How to integrate these security systems
Whether it will affect user experience and the organization's business processes
26.
ZTA
NIST SP 1800-35 proposes the following three approaches to implementing ZTA
Enhanced Identity Governance (EIG)
Micro-Segmentation
Network Infrastructure and Software Defined Perimeters
NIST SP 1800-35 is still in draft; the EIG part is currently complete, the other two are not yet finished
27.
Enhanced Identity Governance (EIG)
EIG: actor (identity) policy, device health access policy
EIG, micro-segmentation, Software Defined Perimeters
Zero Trust / ZTA
28.
ICAM
EIG ICAM
Identity management
Access and credential management
Federated Identity
Identity governance
Okta Identity Cloud Azure AD
ICAM
30.
The FIRST Step towards ZTA
Enhanced Identity Governance (EIG)
ICAM PDP, PEP
31.
Physical Architecture of ZTA Lab
NIST SP 1800-35
Lab
EIG
EIG Enterprise 1 Build 1 (E1B1)
EIG Enterprise 3 Build 1 (E3B1)
32.
E1B1 Products and Technologies
DigiCert CertCentral TLS Manager
AWS - GitLab, WordPress
Ivanti Access ZSO, Ivanti Neurons for UEM, Lookout MES, Okta Identity Cloud, and Tenable.io
Ivanti Tunnel
Ivanti Neurons for Unified Endpoint Management (UEM) Platform
33.
Successful Access Request in E1B1
Dynamic Access Policy
Okta, Ivanti
34.
ICAM Information Architecture – New User Onboarding (E1B1)
[Diagram: policy flow with SailPoint, Okta, Radiant Logic (demo)]
35.
E3B1 Products and Technologies
DigiCert CertCentral TLS Manager
Microsoft Azure AD, Microsoft Defender for Endpoint, Microsoft Endpoint Manager, Microsoft Office 365, Microsoft Sentinel, Tenable.io
Guacamole
GitLab
36.
Successful Access Request in E3B1
Dynamic Access Policy
Lookout, Azure AD, MS AD
39.
Future Direction
Enhanced identity governance; micro-segmentation; software-defined perimeter; Zero Trust
40.
Summary of NIST SP 1800-35
NIST SP 1800-35 NIST NCCoE ZTA
EIG
ZTA
41.
DIE ZTA
ZTA AP Infra →
RSA: “Death to CIA! Long live DIE! How the DIE Triad Helps Us Achieve Resiliency”
Container AP/Resource
D (Distributed), I (Immutable), E (Ephemeral)
ZTA AP/Resource DIE
42.
Inventory the devices, users and resources in the environment
Analyze resource access paths: how users ultimately reach each resource
Dynamic Access Control Policy
43.
Take Action
NIST SP 1800-35 ZTA
PEP
EIG ZTA
ZTA
API
Policy