Zero Trust Architecture

From MgmtWiki

Full Title or Meme

Zero Trust Architecture is a method that starts every interaction with no access and builds up access as the user adds proof of Identity and Authentication to meet the Authorization needs of the Resource sought by the User.

Context

  • Traditionally user access was granted at the point where the user entered the network, with a protocol like Kerberos. Kerberos was developed by Project Athena at MIT to sort the users and services of a research university into categories that could be assigned trust at the point of entry; that trust then followed the user wherever they went inside the MIT network.
  • In a Zero Trust Architecture the network itself conveys no trust: the user is given connectivity, but no access, and must present whatever attributes of Identity and Authentication each Resource access point requires. In other words, the network is treated as the Internet.
  • The prevailing sense among Identity experts, such as Kim Cameron[1], is that the lack of an identity layer in the Internet is a defect.
  • In other words, all existing methods focus on access to Resources rather than on the User Experience.

Problems

  • Users have a low level of tolerance for any continued process of Identifying and Authenticating.
  • The US NIST has somehow convinced people that a Zero Trust Architecture is possible with a good User Experience.[2]
    A zero trust architecture leans heavily on components and capabilities for identity management, asset management, application authentication, network segmentation, and threat intelligence. Architecting for zero trust should enhance cybersecurity without sacrificing the user experience. The NCCoE is researching ongoing industry developments in zero trust and its component technologies that support the goals and objectives of a practical, secure, and standards-based zero trust architecture.

Solutions

  1. Abandon the impossible dream of any trust system that requires no effort by the user and the organization that supports that user. Only hard and on-going effort will provide the trusted access that secure resources require.
  2. Equip the User with a device that can securely store one or more credentials which identify a Subject and authenticate the presence of a trusted user who is Authorized to assume that Subject Identifier. In this definition the Subject ID might, or might not, be unique to that user.
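The definition at the top of this page (start with no access, widen it only as the user adds proof of Identity and Authentication until the Resource's Authorization needs are met) and the device-held credentials of Solution 2 can be shown as a per-request policy decision. The following is an added example written for this page, not code from MgmtWiki or from NIST; the resource name, attribute names, assurance levels and freshness threshold are assumptions chosen for illustration. Network location is recorded in the session but deliberately never consulted, which is the point of the architecture.

```python
"""Per-request access decision in the zero-trust style described above.

Access starts at nothing and is widened only by proofs the user presents.
Added example; resource, attribute names and thresholds are assumptions.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional
import time


class AAL(IntEnum):
    """Authenticator Assurance Level, numbered as in NIST SP 800-63B."""
    NONE = 0
    AAL1 = 1   # single factor
    AAL2 = 2   # two factors
    AAL3 = 3   # hardware-based cryptographic authenticator


@dataclass
class Resource:
    name: str
    required_aal: AAL
    max_auth_age: float                 # seconds since the last authentication event
    required_attributes: dict           # attribute -> value the Subject must carry
    require_device_attestation: bool = False


@dataclass
class Session:
    """What the user has proven so far. Starts empty: zero trust."""
    subject_id: Optional[str] = None
    aal: AAL = AAL.NONE
    last_auth_at: float = 0.0
    attributes: dict = field(default_factory=dict)
    device_attested: bool = False
    network: str = "internet"           # recorded, never consulted by evaluate()


@dataclass
class Decision:
    allowed: bool
    missing: list                       # proofs still required, in order


def evaluate(resource: Resource, session: Session, now: Optional[float] = None) -> Decision:
    """Allow/deny for one Resource, plus the proofs that would turn a deny into an allow."""
    now = time.time() if now is None else now
    missing = []
    if session.subject_id is None:
        missing.append("identity")
    if session.aal < resource.required_aal:
        missing.append(f"authentication at {resource.required_aal.name} or higher")
    elif now - session.last_auth_at > resource.max_auth_age:
        missing.append("re-authentication (session too old)")
    for attr, want in resource.required_attributes.items():
        if session.attributes.get(attr) != want:
            missing.append(f"attribute {attr}={want!r}")
    if resource.require_device_attestation and not session.device_attested:
        missing.append("device attestation")
    # session.network is intentionally ignored: being "inside" grants nothing.
    return Decision(allowed=not missing, missing=missing)


def build_up_access(resource, session, now, proofs):
    """The 'start with nothing, add proof' loop. `proofs` is a list of
    (description, session fields the proof establishes). Returns the trace of
    (description, Decision) pairs and stops once the Resource grants access."""
    trace = [(None, evaluate(resource, session, now))]
    for desc, fields in proofs:
        if trace[-1][1].allowed:
            break
        for name, value in fields.items():
            setattr(session, name, value)
        trace.append((desc, evaluate(resource, session, now)))
    return trace


# Constructed sample resource and a fixed clock so the run is reproducible.
PAYROLL = Resource("payroll-db", AAL.AAL2, max_auth_age=900,
                   required_attributes={"role": "finance"},
                   require_device_attestation=True)
NOW = 1_700_000_000.0


def demo():
    session = Session(network="corp-lan")   # on the "inside" network, still nothing
    proofs = [
        ("password login", dict(subject_id="alice", aal=AAL.AAL1, last_auth_at=NOW)),
        ("second factor", dict(aal=AAL.AAL2, last_auth_at=NOW)),
        ("directory attributes", dict(attributes={"role": "finance"})),
        ("device attestation", dict(device_attested=True)),
    ]
    return build_up_access(PAYROLL, session, NOW, proofs)


if __name__ == "__main__":
    for desc, decision in demo():
        state = "ALLOW" if decision.allowed else "DENY"
        print(f"{desc or 'initial':>22}: {state} {decision.missing}")
```

The trace returned by `demo()` begins with four missing proofs and ends with an allow only after the fourth proof; a session that already holds AAL3 but authenticated longer ago than `max_auth_age` is still denied with a single missing item, re-authentication, which is how the "continued process of Identifying and Authenticating" that users dislike shows up in the decision itself.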

References

  1. Kim Cameron Identity Blog https://www.identityblog.com/
  2. NIST and NCCoE Zero Trust Architecture https://www.nccoe.nist.gov/projects/building-blocks/zero-trust-architecture

Other material