Difference between revisions of "Zero Trust Architecture"
From MgmtWiki
(Created page with "===Full Title or Meme== Zero Trust Architecture is a method that starts every interaction with no access and builds up access as the user adds proof of Identity and ...") |
(→Other material) |
||
| (10 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| − | + | ==Full Title or Meme== | |
[[Zero Trust Architecture]] is a method that starts every interaction with no access and builds up access as the user adds proof of [[Identity]] and [[Authentication]] to meet the [[Authorization]] needs of the [[Resource]] sought by the [[User]]. | [[Zero Trust Architecture]] is a method that starts every interaction with no access and builds up access as the user adds proof of [[Identity]] and [[Authentication]] to meet the [[Authorization]] needs of the [[Resource]] sought by the [[User]]. | ||
| + | |||
| + | ==Context== | ||
| + | * Traditionally user access was granted at the point where the user entered the network with a protocol like [[Kerberos]] which was developed by Project Athena at MIT to sort the various components of a Research University into buckets that could assign trust at the entry point that followed the user wherever they went inside the MIT network. | ||
| + | * In [[Zero Trust Architecture]] the user is given full access to the network and then provides such attributes of [[Identity]] and [[Authentication]] as are needed at each [[Resource]] access point. In other words the Internet. | ||
| + | * The prevailing sense of [[Identity]] experts, like Kim Cameron<ref>Kim Cameron ''Identity Blog'' https://www.identityblog.com/</ref>, is that the lack of an identity layer in the Internet is a defect. | ||
| + | * In other words, all existing methods focus on access to [[Resource]]s rather than on [[User Experience]]. | ||
| + | |||
| + | ==Problems== | ||
| + | * Users have a low level of tolerance for any continued process of Identifying and Authenticating. | ||
| + | * The US NIST has somehow convinced people that a [[Zero Trust Architecture]] is possible with a good [[User Experience]].<ref>NIST and NCCoE ''Zero Trust Architecture'' https://www.nccoe.nist.gov/projects/building-blocks/zero-trust-architecture</ref><blockquote> A zero trust architecture leans heavily on components and capabilities for identity management, asset management, application authentication, network segmentation, and threat intelligence. Architecting for zero trust should enhance cybersecurity without sacrificing the user experience. The NCCoE is researching ongoing industry developments in zero trust and its component technologies that support the goals and objectives of a practical, secure, and standards-based zero trust architecture.</blockquote> | ||
| + | |||
| + | ==Solutions== | ||
| + | # Abandon the impossible dream of any trust system that requires no effort by the user and the organization that support that user. Only hard and on-going effort will provide the trusted access that secure resources require. | ||
| + | # Equip the [[User]] with a device that can secure store one or more credentials which identify a [[Subject]] and authenticate the presence of a trusted user that is [[Authorization|Authorized]] to assume that [[Subject]] [[Identifier]]. In this definition the Subject ID might, or might now, be unique to that user. | ||
==References== | ==References== | ||
| + | <references /> | ||
| + | ===Other material=== | ||
| + | * [https://duo.com Duo zero trust] | ||
[[Category: Glossary]] | [[Category: Glossary]] | ||
Revision as of 07:10, 15 February 2021
Full Title or Meme
Zero Trust Architecture is a method that starts every interaction with no access and builds up access as the user adds proof of Identity and Authentication to meet the Authorization needs of the Resource sought by the User.
Context
- Traditionally user access was granted at the point where the user entered the network with a protocol like Kerberos which was developed by Project Athena at MIT to sort the various components of a Research University into buckets that could assign trust at the entry point that followed the user wherever they went inside the MIT network.
- In Zero Trust Architecture the user is given full access to the network and then provides such attributes of Identity and Authentication as are needed at each Resource access point. In other words the Internet.
- The prevailing sense of Identity experts, like Kim Cameron[1], is that the lack of an identity layer in the Internet is a defect.
- In other words, all existing methods focus on access to Resources rather than on User Experience.
Problems
- Users have a low level of tolerance for any continued process of Identifying and Authenticating.
- The US NIST has somehow convinced people that a Zero Trust Architecture is possible with a good User Experience.[2]
A zero trust architecture leans heavily on components and capabilities for identity management, asset management, application authentication, network segmentation, and threat intelligence. Architecting for zero trust should enhance cybersecurity without sacrificing the user experience. The NCCoE is researching ongoing industry developments in zero trust and its component technologies that support the goals and objectives of a practical, secure, and standards-based zero trust architecture.
Solutions
- Abandon the impossible dream of any trust system that requires no effort by the user and the organization that support that user. Only hard and on-going effort will provide the trusted access that secure resources require.
- Equip the User with a device that can secure store one or more credentials which identify a Subject and authenticate the presence of a trusted user that is Authorized to assume that Subject Identifier. In this definition the Subject ID might, or might now, be unique to that user.
References
- ↑ Kim Cameron Identity Blog https://www.identityblog.com/
- ↑ NIST and NCCoE Zero Trust Architecture https://www.nccoe.nist.gov/projects/building-blocks/zero-trust-architecture
