零信任网络综述

doi:10.3778/j.issn.1002-8331.2206-0025

摘要/Abstract

摘要： 针对目前网络安全形势日益严峻的问题，零信任网络给出了一种能够有效缓解传统网络安全威胁的架构及其设计与实现方法。零信任的核心思想是“永不信任，始终验证”，零信任网络是在传统网络架构中有效融入零信任机制的一种新型网络安全架构，将实现对网络中所有的对象进行验证，并授予其最小访问权限，同时对所有的访问行为进行持续、动态的评估决策。介绍了零信任网络的基本定义，指出了传统网络架构的不足之处，给出了零信任网络架构。重点从身份和访问管理、微分段以及软件定义边界等方面简述了零信任网络的关键技术，评价了各自的技术特点及应用场景。对目前零信任网络在大数据、云计算、5G和物联网等相关领域内的研究进展和成果进行了分析。对零信任网络进行了总结，并对未来的发展进行了展望。

关键词: 零信任网络, 身份和访问管理, 微分段, 软件定义边界

Abstract: Aiming at the current increasingly challenging network security situation, zero trust network provides an architecture and its design and implementation method that can effectively mitigate traditional network security threats. The core idea of zero trust is “never trust, always verify”, zero trust network is a new network security architecture that effectively integrates zero trust mechanism into the traditional network, which will verify all objects of the network and grant them minimum access rights, and make continuous and dynamic evaluation decisions on all access behaviors. Firstly, the basic definition of zero trust network is introduced, the shortcomings of traditional network architecture are pointed out, and the zero trust network architecture is given. Secondly, the key technologies of zero trust network are described, focusing on identity and access management, micro-segmentation and software-defined perimeter, and their technical characteristics and application scenarios are evaluated. In addition, the current research progress and results of zero trust network in related fields such as big data, cloud computing, 5G and IoT, are analyzed. Finally, zero trust network is summarized and future development is prospected.

Key words: zero trust network, identity and access management, micro-segmentation, software defined perimeter

诸葛程晨, 王群, 刘家银, 梁广俊. 零信任网络综述[J]. 计算机工程与应用, 2022, 58(22): 12-29.

ZHUGE Chengchen, WANG Qun, LIU Jiayin, LIANG Guangjun. Survey of Zero Trust Network[J]. Computer Engineering and Applications, 2022, 58(22): 12-29.

参考文献

[1] ROSE S，BORCHERT O，MITCHELL S，et al.Zero trust architecture[R].National Institute of Standards and Technology，2020.
[2] Ponemon Institute.Cost of insider threats：global report 2020[R/OL].（2020）[2021-09-22].https：//www.ibm.com/downloads/cas/LQZ4RONE.
[3] GRIMES J G.Strategy for a net-centric，service oriented DoD enterprise[R].Department of Defense Washington DC Chief Information Officer，2007.
[4] WARD R，BEYER B.BeyondCorp：a new approach to enterprise security[J].Login，2014，39（6）：6-11.
[5] CITTADINI L，SPEAR B，BEYER B，et al.BeyondCorp：the access proxy[J].Login，2016，41（4）：28-33.
[6] OSBORN B，MCWILLIAMS J，BEYER B，et al.BeyondCorp：design to deployment at Google[J].Login，2016，41（1）：28-34.
[7] ESCOBEDO V，BEYER B，SALTONSTALL M，et al.BeyondCorp：the user experience[J].Login，2017，42（3）：38-43.
[8] PECK J，BEYER B，BESKER C，et al.Migrating to BeyondCorp：maintaining productivity while improving security[J].Login，2017，42（2）：49-55.
[9] KING H，JANOSKO M，BEYER B，et al.BeyondCorp：building a healthy fleet[J].Login，2018，43（3）：24-30.
[10] KINDERVAG J.No more chewy centers：the zero trust model of information security[R].Forrester Research，Inc，2016.
[11] MACDONALD N.Zero trust networking as an initial step on the roadmap to CARTA[EB/OL].（2018-06-17）[2022-05-03].https：//pdfcoffee.com/gartner-zero-trust-networking-as-an-initial-step-pdf-free.html.
[12] GILMAN E，BARTH D.Zero trust networks[M].[S.l.]：Sebastopol：O’Reilly Media，Inc，2017.
[13] EIDLE D，NI S Y，DECUSATIS C，et al.Autonomic security for zero trust networks[C]//2017 IEEE 8th Annual Ubiquitous Computing，Electronics and Mobile Communication Conference，2017：288-293.
[14] TEERAKANOK S，UEHARA T，INOMATA A.Migrating to zero trust architecture：reviews and challenges[J].Security and Communication Networks，2021.DOI：10.1155/2021/9947347.
[15] SHEIKH N，PAWAR M，LAWRENCE V.Zero trust using network micro segmentation[C]//2021 IEEE Conference on Computer Communications Workshops，2021：1-6.
[16] FERRETTI L，MAGNANINI F，ANDREOLINI M，et al.Survivable zero trust for cloud computing environments[J].Computers & Security，2021，110：102419.
[17] UTTECHT K K.Zero trust （ZT） concepts for federal government architectures[R].Massachusetts Institute of Technology Lexington，2020.
[18] NAIK N，Jenkins P.A secure mobile cloud identity：criteria for effective identity and access management standards[C]//2016 IEEE International Conference on Mobile Cloud Computing，2016：89-90.
[19] SCOTT B.How a zero trust approach can help to secure your AWS environment[J].Network Security，2018（3）：5-8.
[20] D'SILVA D，AMBAWADE D D.Building a zero trust architecture using Kubernetes[C]//2021 6th International Conference for Convergence in Technology，2021：1-8.
[21] LYASTANI S G，SCHILLING M，NEUMAYR M，et al.Is FIDO2 the kingslayer of user authentication? A comparative usability study of FIDO2 passwordless authentication[C]//2020 IEEE Symposium on Security and Privacy，2020：268-285.
[22] NAIK N，JENKINS P.Securing digital identities in the cloud by selecting an apposite federated identity management from SAML，OAuth and OpenID connect[C]//2017 11th International Conference on Research Challenges in Information Science，2017：163-174.
[23] GARBIS J，CHAPMAN J W.Zero trust security：an enterprise guide[M].Berkeley：Apress，2021：80.
[24] DECUSATIS C，LIENGTRIAPHAN P，SAGER A，et al.Implementing zero trust cloud networks with transport access control and first packet authentication[C]//2016 IEEE International Conference on Smart Cloud，2016：5-10.
[25] 陈霞.基于RBAC的权限管理系统应用研究[D].苏州：苏州大学，2016.
CHEN X.Research on the application of rights management system based on RBAC[D].Suzhou：Soochow University，2016.
[26] WU R Y，ZHANG X W，AHN G J，et al.ACaaS：access control as a service for IaaS cloud[C]//2013 International Conference on Social Computing，2013：423-428.
[27] SONI K，KUMAR S.Comparison of RBAC and ABAC security models for private cloud[C]//2019 International Conference on Machine Learning，Big Data，Cloud and Parallel Computing，2019：584-587.
[28] SABHARWAL N，PANDEY P.GKE security[M].Berkeley：Apress，2020：167.
[29] GUPTA D，BHATT S，GUPTA M，et al.Access control model for Google cloud IoT[C]//2020 IEEE 6th International Conference on Big Data Security on Cloud，IEEE International Conference on High Performance and Smart Computing，and IEEE International Conference on Intelligent Data and Security，2020：198-208.
[30] 牛德华，马建峰，马卓，等.基于属性的安全增强云存储访问控制方案[J].通信学报，2013，34（Z1）：276-284.
NIU D H，MA J F，MA Z，et al.Enhanced cloud storage access control scheme based on attribute[J].Journal on Communications，2013，34（Z1）：276-284.
[31] 李晓峰，冯登国，陈朝武，等.基于属性的访问控制模型[J].通信学报，2008，29（4）：90-98.
LI X F，FENG G D，CHEN C W，et al.Model for attribute based access control[J].Journal on Communications，2008，29（4）：90-98.
[32] BHATT S，PATWA F，SANDHU R.Access control model for AWS Internet of things[C]//2017 International Conference on Network and System Security，2017：721-736.
[33] XU D X，ZHANG Y P.Specification and analysis of attribute-based access control policies：an overview[C]//2014 IEEE 8th International Conference on Software Security and Reliability-Companion，2014：41-49.
[34] SINGHAL A，WINOGRAD T，SCARFONE K.Guide to secure web services[J].NIST Special Publication，2007，800（95）：4.
[35] FALL D，BLANC G，OKUDA T，et al.Toward quantified risk-adaptive access control for multi-tenant cloud computing[C]//6th Joint Workshop on Information Security，2011：1-14.
[36] STEPIEN B，MATWIN S，FELTY A.Advantages of a non-technical XACML notation in role-based models[C]//2011 9th Annual International Conference on Privacy，Security and Trust，2011：193-200.
[37] International Telecommunication Union.Access control models for incident exchange networks[EB/OL].（2017-03-30）[2021-09-22].https：//www.itu.int/rec/T-REC-X.1550-201703-I.
[38] MCGRAW R.Risk-adaptable access control（RADAC）[C]//Privilege （Access） Management Workshop，National Institute of Standards and Technology-Information Technology Laboratory，2009，25：55-58.
[39] KANDALA S，SANDHU R，BHAMIDIPATI V.An attribute based framework for risk-adaptive access control models[C]//2011 6th International Conference on Availability，Reliability and Security，2011：236-241.
[40] LEE B，VANICKIS R，ROGELIO F，et al.Situational awareness based risk-adaptable access control in enterprise networks[C]//2nd International Conference on Internet of things，Data and Cloud Computing，2017.
[41] VANICKIS R，JACOB P，DEHGHANZADEH S，et al.Access control policy enforcement for zero-trust-networking[C]//2018 29th Irish Signals and Systems Conference，2018：1-6.
[42] CISCO.Cisco global cloud index：forecast and methodology，2016-2021[EB/OL].（2020-09-25）[2021-09-22].http：//www.sdia.se/download/cisco-global-cloud-index-forecast-and-methodology-2016-2021-cisco-2018/.
[43] KINDERVAG J.Build security into your network’s DNA：the zero trust network architecture[R].Forrester Research Inc，2010：1-26.
[44] DHAR S，BOSE I.Securing IoT devices using zero trust and blockchain[J].Journal of Organizational Computing and Electronic Commerce，2021，31（1）：18-34.
[45] 中国信通院，奇安信.网络安全先进技术与应用发展系列报告——零信任技术[R/OL].（2020-08-12）[2021-09-23].http：//www.caict.ac.cn/kxyj/qwfb/ztbg/202008/P020200812
382865122881.pdf.2020.
CAICT，QI A X.Series of reports on network security advanced technology and application development—zero trust technology[R/OL].（2020-08-12）[2021-09-23].http：//www.caict.ac.cn/kxyj/qwfb/ztbg/202008/P02020081238286
5122881.pdf.
[46] OLTSIK J.The case for host-based micro-segmentation[EB/OL].（2018-05）[2021-09-23].https：//www.illumio.com/sites/default/files/Illumio_White_Paper_ESG_Case_Host_Based_
Micro_Segmentation_2018_05.pdf.
[47] HANDA S，HILS A，KAUR R，et al.Three styles of identity-based segmentation[EB/OL].（2021-01-04）[2021-09-23].https：//www.gartner.com/en/documents/3995093/three-styles-of-identity-based-segmentation.
[48] GUPTA M.Evaluating architectural approaches to micro-segmentation[EB/OL].（2017-10-12）[2021-09-23].https：//onug.net/blog/evaluating-architectural-approaches-micro-segmentation/.
[49] VINCENTIS M D.Microsegmentation for dummies 2nd Vmware special edition[M].Hoboken：John Wiley & Sons，2015.
[50] ILLUMIO.Mapping Illumio to NIST SP 800-207 zero trust architecture[EB/OL].（2020-08）[2021-09-23].https：//www.illumio.com/resource-center/solution-brief/nist-zero-trust-architecture.
[51] 陈本峰，李雨航，高巍.零信任网络安全——软件定义边界SDP技术架构指南[M].北京：电子工业出版社，2021.
CHEN B F，LI Y H，GAO W.Zero trust network security—the complete guide to software defined perimeter（SDP）[M].Beijing：Publishing House of Electronics Industry，2021.
[52] KUMAR P，MOUBAYED A，REFAEY A，et al.Performance analysis of SDP for secure internal enterprises[C]//2019 IEEE Wireless Communications and Networking Conference，2019：1-6.
[53] CSA大中华区SDP工作组.软件定义边界（SDP）安全架构技术指南[EB/OL].（2020-07-06）[2021-09-23].https：//c-csa.cn/u_file/photo/20200706/190e1ed22f.pdf.
CSA.Technical guide for software defined perimeter（SDP） security architecture[EB/OL].（2020-07-06）[2021-09-23].https：//c-csa.cn/u_file/photo/20200706/190e1ed22f.pdf.
[54] SINTARO A T，KOMOLAFE Y E.SDP and VPN for remote access：a comparative study and performance evaluation[DB/OL].（2021-06-02）[2021-09-23].https：//www.diva-portal.org/smash/record.jsf?pid=diva2%3A1559488&dswid=1430.
[55] CSA.SDP architecture guide v2[EB/OL].（2019-05-07）[2021-09-23].https：//cloudsecurityalliance.org/artifacts/sdp-architecture-guide-v2/.
[56] CSA.SDP hackathon whitepaper[EB/OL].（2014-04-17）[2021-09-23].https：//cloudsecurityalliance.org/artifacts/sdp-hackathon-whitepaper/.
[57] SALLAM A，REFAEY A，SHAMI A.On the security of SDN：a completed secure and scalable framework using the software-defined perimeter[J].IEEE Access，2019，7：146577-146587.
[58] MOUBAYED A，REFAEY A，SHAMI A.Software-defined perimeter（SDP）：state of the art secure solution for modern networks[J].IEEE Network，2019，33（5）：226-233.
[59] SINGH J，REFAEY A，KOILPILLAI J.Adoption of the software-defined perimeter（SDP） architecture for infrastructure as a service[J].Canadian Journal of Electrical and Computer Engineering，2020，43（4）：357-363.
[60] SINGH J，RAFAEY A，SHAMI A.Multilevel security framework for NFV based on software defined perimeter[J].IEEE Network，2020，34（5）：114-119.
[61] RIAZ S，KHAN A H，HAROON M，et al.Big data security and privacy：current challenges and future research perspective in cloud environment[C]//2020 International Conference on Information Management and Technology，2020：977-982.
[62] YANG T，ZHU L，PENG R X.Fine-grained big data security method based on zero trust model[C]//2018 IEEE 24th International Conference on Parallel and Distributed Systems，2018：1040-1045.
[63] AHMED I，NAHAR T，URMI S S，et al.Protection of sensitive data in zero trust model[C]//2020 International Conference on Computing Advancements，2020：1-5.
[64] MELL P，GRANCE T.The NIST definition of cloud computing[J].Communications of the ACM，2011，53（6）：50.
[65] 江雪，何晓霞.云计算时代等级保护面临的挑战[J].计算机应用与软件，2014，31（3）：292-294.
JIANG X，HE X X.Cloud computing brings challenges to classified protection policy[J].Computer Applications and Software，2014，31（3）：292-294.
[66] DECUSATIS C，LOEMGTIRAPHAN P，SAGER A.Zero trust cloud networks using transport access control and high availability optical bypass switching[J].Advances in Science Technology and Engineering Systems Journal，2017，2（3）：30-35.
[67] MEHRAJ S，BANDAY M T.Establishing a zero trust stra-
tegy in cloud computing environment[C]//2020 International Conference on Computer Communication and Informatics，2020：1-6.
[68] ALBUALI A，MENGISTU T M，CHE D.ZTIMM：a zero-trust-based identity management model for volunteer cloud computing[C]//13th International Conference on Cloud Computing.Cham：Springer，2020：287-294.
[69] AHMED M.A zero-trust federated identity and access management framework for cloud and cloud-based computing environments[C]//2020 Workshop on Information Security and Privacy，2020.
[70] 张玉清，周威，彭安妮.物联网安全综述[J].计算机研究与发展，2017，54（10）：2130-2143.
ZHANG Y Q，ZHOU W，PENG A N.Survey of Internet of things security[J].Journal of Computer Research and Development，2017，54（10）：2130-2143.
[71] OSMAN A，WASICEK A，KOPSELL S，et al.Transparent microsegmentation in smart home IoT networks[C]//3rd USENIX Workshop on Hot Topics in Edge Computing，2020.
[72] SHAH S W，NAEEMF S，ARASH S，et al.LCDA：lightweight continuous device-to-device authentication for a zero trust architecture（ZTA）[J].Computers & Security，2021，108：102351.
[73] DIMITRAKOS T，DILSHENER T，KRAVTSOVE A，et al.Trust aware continuous authorization for zero trust in consumer Internet of things[C]//2020 IEEE 19th International Conference on Trust，Security and Privacy in Computing and Communications，2020：1801-1812.
[74] TANIMOTO S，SATO Y，CHERTCHOM P，et al.Proposal of a perimeter line management method for fog and edge computing with SDP concept[C]//2020 International Conference on Network-Based Information Systems，2020：290-302.
[75] SINGH J，BELLO Y，HUSSEIN A R，et al.Hierarchical security paradigm for iot multiaccess edge computing[J].IEEE Internet of Things Journal，2020，8（7）：5794-5805.
[76] 冯登国，徐静，兰晓.5G移动通信网络安全研究[J].软件学报，2018，29（6）：303-315.
FENG D G，XU J，LAN X.Study on 5G mobile communication network security[J].Journal of Software，2018，29（6）：303-315.
[77] 张平，陶运铮，张治.5G若干关键技术评述[J].通信学报，2016，37（7）：15-29.
ZHANG P，TAO Y Z，ZHANG Z.Survey of several key technologies for 5G[J].Journal on Communications，2016，37（7）：15-29.
[78] MAMMELA O，HILTUNEN J，SUOMALAINEN J，et al.Towards micro-segmentation in 5G network security[C]//2016 European Conference on Networks and Communications Workshop on Network Management，Quality of Service and Security for 5G Networks，2016.
[79] CHEN B Z，QIAO S Y，ZHAO J，et al.A security awareness and protection system for 5G smart healthcare based on zero-trust architecture[J].IEEE Internet of Things Journal，2020，8（13）：10248-10263.
[80] RAMEZANPOUR K，JAGANNATH J.Intelligent zero trust architecture for 5G/6G tactical networks：principles，challenges，and the role of machine learning[EB/OL].（2021-05-04）[2021-09-24].https：//arxiv.org/pdf/2105.01478.pdf.
[81] 曾诗钦，霍如，黄韬，等.区块链技术研究综述：原理、进展与应用[J].通信学报，2020，41（1）：134-151.
ZENG S Q，HUO R，HUANG T，et al.Survey of blockchain：principle，progress and application[J].Journal on Communications，2020，41（1）：134-151.
[82] SAMANIEGO M，DETERS R.Zero-trust hierarchical management in IoT[C]//2018 IEEE International Congress on Internet of Things，2018：88-95.
[83] SULTANA M，HOSSAIN A，LAILA F，et al.Towards deve-
loping a secure medical image sharing system based on zero trust principles and blockchain technology[J].BMC Medical Informatics and Decision Making，2020，20（1）：1-10.
[84] PATIL A P，KARKAL G，WADHWA J，et al.Design and implementation of a consensus algorithm to build zero trust model[C]//2020 IEEE 17th India Council International Conference，2020：1-5.
[85] ALEVIZOS L，TA V T，EIZA M H.Augmenting zero trust architecture to endpoints using blockchain：a systematic review[EB/OL].（2021-04-12）[2021-09-24].https：//arxiv.org/ftp/arxiv/papers/2104/2104.00460.pdf.
[86] KONG C W，LIU J，XIAN M，et al.A small LAN zero trust network model based on elastic stack[C]//2020 5th International Conference on Mechanical，Control and Computer Engineering，2020：1075-1078.
[87] HATAKEYAMA K，KOTANI D，OKABE Y.Zero trust federation：sharing context under user control towards zero trust in identity federation[C]//2021 IEEE International Conference on Pervasive Computing and Communications Workshops and Other Affiliated Events，2021：514-519.
[88] YAO Q G，WANG Q，ZHANG X Z，et al.Dynamic access control and authorization system based on zero-trust architecture[C]//2020 International Conference on Control，Robotics and Intelligent System，2020：123-127.
[89] MUJIB M，SARI R F.Performance evaluation of data center network with network micro-segmentation[C]//2020 12th International Conference on Information Technology and Electrical Engineering，2020：27-32.
[90] RODIGARI S，O’SHEA D，MCCARTHY P，et al.Performance analysis of zero-trust multi-cloud[EB/OL].（2021-05-05）[2021-09-24].https：//arxiv.org/pdf/2105.02334.pdf.
[91] LUKASEDER T，HALTER M，KARGL F.Context-based access control and trust scores in zero trust campus networks[J].Sicherheit，2020：53-66