Computer Engineering and Applications ›› 2022, Vol. 58 ›› Issue (22): 12-29. DOI: 10.3778/j.issn.1002-8331.2206-0025

• Hot Topics and Surveys •


Survey of Zero Trust Network

ZHUGE Chengchen (诸葛程晨), WANG Qun (王群), LIU Jiayin (刘家银), LIANG Guangjun (梁广俊)

  1. Department of Computer Information and Network Security, Jiangsu Police Institute, Nanjing 210031, China
  • Online:2022-11-15 Published:2022-11-15


Abstract: In response to an increasingly severe network security situation, the zero trust network offers an architecture, together with design and implementation methods, that can effectively mitigate the threats facing traditional networks. The core idea of zero trust is "never trust, always verify". A zero trust network is a new network security architecture that integrates the zero trust mechanism into the traditional network architecture: every object in the network is verified and granted only the minimum access rights it needs, and every access is subject to continuous, dynamic evaluation and decision. First, the basic definition of the zero trust network is introduced, the shortcomings of the traditional network architecture are pointed out, and the zero trust network architecture is presented. Second, the key technologies of the zero trust network are outlined, focusing on identity and access management, micro-segmentation and the software-defined perimeter, and the technical characteristics and application scenarios of each are evaluated. In addition, current research progress and results on zero trust networks in related fields such as big data, cloud computing, 5G and the Internet of Things (IoT) are analyzed. Finally, the zero trust network is summarized and its future development is discussed.
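As an added illustration of the three principles the abstract names (verify every access, grant least privilege, evaluate continuously), the following Python sketch of a policy decision point is not part of the paper. Scoring weights, thresholds, the resources, subjects, devices and requests are all assumptions constructed for the example; the split between a decision point that scores a request and an enforcement point that must re-ask before the decision expires follows the common zero trust architecture pattern rather than anything specific to this survey.

```python
from dataclasses import dataclass
from enum import IntEnum

class Sensitivity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3

@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset
    mfa_verified: bool
    auth_age_s: int            # seconds since last successful authentication

@dataclass(frozen=True)
class Device:
    managed: bool              # enrolled in device management
    disk_encrypted: bool
    patch_age_days: int

@dataclass(frozen=True)
class Context:
    on_corporate_network: bool
    geo_velocity_alert: bool   # "impossible travel" style signal

@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: Sensitivity
    role_actions: dict         # role -> allowed actions; nothing else is implied

@dataclass(frozen=True)
class Decision:
    allow: bool
    actions: frozenset         # requested actions actually granted
    reverify_after_s: int      # when the enforcement point must ask again
    reasons: tuple

# Assumed policy parameters (not from the paper).
AUTH_MAX_AGE_S = 15 * 60
PATCH_MAX_AGE_DAYS = 30
MIN_SCORE = {Sensitivity.LOW: 2, Sensitivity.MEDIUM: 4, Sensitivity.HIGH: 6}

def trust_score(subject, device, context):
    # Each signal is scored independently; network location is worth at most
    # one point, so being "inside" never unlocks MEDIUM or HIGH on its own.
    checks = [
        (subject.mfa_verified, 2, "no MFA"),
        (subject.auth_age_s <= AUTH_MAX_AGE_S, 1, "stale authentication"),
        (device.managed and device.disk_encrypted, 2, "unmanaged or unencrypted device"),
        (device.patch_age_days <= PATCH_MAX_AGE_DAYS, 1, "device outside patch window"),
        (context.on_corporate_network, 1, None),
    ]
    score = sum(w for ok, w, _ in checks if ok)
    reasons = [why for ok, _, why in checks if not ok and why]
    if context.geo_velocity_alert:          # hard fail: force re-authentication
        return 0, reasons + ["geo-velocity alert"]
    return score, reasons

def decide(subject, device, context, resource, requested):
    # Default deny; grant only the intersection of what was requested and what
    # the subject's roles permit on this resource (least privilege).
    score, reasons = trust_score(subject, device, context)
    required = MIN_SCORE[resource.sensitivity]
    if score < required:
        return Decision(False, frozenset(), 0, tuple(reasons) or ("score below threshold",))
    permitted = set()
    for role in subject.roles:
        permitted.update(resource.role_actions.get(role, ()))
    granted = frozenset(requested) & frozenset(permitted)
    if not granted:
        return Decision(False, frozenset(), 0, ("no role permits the requested actions",))
    # Continuous evaluation: a decision near the threshold or on a sensitive
    # resource expires sooner, so the enforcement point re-asks the PDP.
    base = 300 if resource.sensitivity == Sensitivity.HIGH else 900
    return Decision(True, granted, max(60, base // (2 if score == required else 1)), tuple(reasons))

# Constructed scenario: one session whose device posture degrades mid-session.
HR_DB = Resource("hr-db", Sensitivity.HIGH, {"hr": ("read", "write"), "auditor": ("read",)})
WIKI = Resource("wiki", Sensitivity.MEDIUM, {"staff": ("read",)})
ALICE = Subject("alice", frozenset({"hr"}), True, 120)
BOB = Subject("bob", frozenset({"auditor"}), True, 100)
MALLORY = Subject("mallory", frozenset({"staff"}), False, 10)
HEALTHY = Device(True, True, 5)
STALE = Device(True, True, 45)          # same laptop 40 days later, unpatched
BYOD = Device(False, False, 0)
REMOTE = Context(False, False)
ONSITE = Context(True, False)

def run_scenarios():
    return {
        "alice_initial": decide(ALICE, HEALTHY, REMOTE, HR_DB, {"read", "write", "delete"}),
        "alice_recheck": decide(ALICE, STALE, REMOTE, HR_DB, {"read", "write"}),
        "bob_read_only": decide(BOB, HEALTHY, ONSITE, HR_DB, {"read", "write"}),
        "mallory_onsite": decide(MALLORY, BYOD, ONSITE, WIKI, {"read"}),
    }
```

Running `run_scenarios()` shows the three principles together: Alice's first request is allowed but trimmed to the actions her role permits, and because her score only just clears the HIGH threshold the decision expires after 150 s; the re-check with a now-unpatched device is denied even though the user and session are unchanged; Bob, an auditor, is granted read only; and Mallory's unmanaged device on the corporate network is denied, since location alone is not trusted.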

Key words: zero trust network, identity and access management, micro-segmentation, software-defined perimeter