
Security Assessment and the Zero Trust Model

Over the past few years, the concept of a "zero trust" architecture has gone through many evolutionary stages. It went from being the hot new fad to being something trite (in large part because of the flood of marketing from those hoping to profit from the trend), and it has now finally settled into what it probably should have been all along: a solid, workmanlike security option with discrete, observable advantages and disadvantages that can be folded into our organization's security approach.

As the name implies, zero trust is a security model in which all assets, even the managed endpoints you provision and the on-premises networks you configure, are treated as hostile, untrustworthy and possibly already compromised by an attacker. In place of the traditional security model that distinguishes a "trusted" interior from an untrusted exterior, zero trust assumes that all networks and hosts are equally untrustworthy.

Once this fundamental change in assumptions is made, you can begin to make different decisions about what, whom and when to trust, and about which validation methods are acceptable for confirming that a request or transaction is allowed.

As a security mindset, this has advantages and disadvantages.

One advantage is that you can strategically apply security resources where they are needed most, and it increases resistance to attacker lateral movement (because each resource has to be broken anew after a beachhead is established).

There are also disadvantages. For example, policy must be enforced on every system and application, and older legacy components built with different security assumptions, such as that the internal network is trustworthy, may not fit well.

One of the most potentially problematic disadvantages concerns validation of the security posture, that is, situations where the security model must be reviewed by older, more legacy-oriented organizations. The dynamic is unfortunate: the organizations most likely to find the model compelling are the very ones that, in adopting it, are likely to set themselves up for vetting challenges.

Original text: Over the past few years, the concept of "zero trust" architecture has gone through a number of evolutionary phases. It's gone from being the hot new fad, to being trite (in large part due to a deluge of marketing from those looking to cash in on the trend), to passé, and now has ultimately settled into what it probably should have always been all along: a solid, workmanlike security option with discrete, observable advantages and disadvantages that can be folded into our organization's security approach.

Zero trust, as the name implies, is a security model where all assets -- even managed endpoints that you provision and on-premise networks configured by you -- are considered hostile, untrustworthy and potentially already compromised by attackers. Instead of legacy security models that differentiate a "trusted" interior from an untrusted external one, zero trust instead assumes that all networks and hosts are equally untrustworthy.

Once you make this fundamental shift in assumptions, you start to make different decisions about what, who, and when to trust, and acceptable validation methods to confirm a request or transaction is allowed.

As a security mindset, this has advantages and disadvantages.

One advantage is that it lets you strategically apply security resources where you need them most; and it increases resistance to attacker lateral movement (since each resource needs to be broken anew should they establish a beachhead).

There are disadvantages too. For example, policy enforcement is required on every system and application, and older legacy components built with different security assumptions may not fit in well, e.g. that the internal network is trustworthy.
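The contrast between the legacy "trusted interior" model and the per-request verification described above, as an added illustration that is not from the original article: a small Python policy engine with a constructed per-resource policy (the address ranges, resource names, roles and users are all assumptions) that shows why a session obtained on one internal host does not carry over to a second resource under zero trust.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Address ranges the legacy model treats as the "trusted interior" (constructed).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Hypothetical per-resource policy and user directory, constructed for this example.
POLICY = {
    "payroll-db": {"roles": {"finance"}, "device_required": True},
    "wiki": {"roles": {"finance", "engineering"}, "device_required": False},
}
ROLES = {"alice": "finance", "bob": "engineering"}


@dataclass(frozen=True)
class Request:
    source_ip: str
    user: Optional[str]       # identity bound to an authenticated session; None if anonymous
    device_attested: bool     # managed-device posture check passed for this request
    resource: str
    scopes: frozenset = field(default_factory=frozenset)  # resources this session was issued for


def perimeter_allows(req: Request) -> bool:
    """Legacy model: a request is trusted because of where it comes from."""
    return any(ip_address(req.source_ip) in net for net in INTERNAL_NETS)


def zero_trust_allows(req: Request) -> bool:
    """Zero trust: network location is ignored; every request is checked against
    identity, device posture and a policy scoped to the one resource being asked for."""
    rule = POLICY.get(req.resource)
    if rule is None or req.user is None:
        return False                      # unknown resource or anonymous caller
    if req.resource not in req.scopes:
        return False                      # a foothold on one resource grants nothing else
    if rule["device_required"] and not req.device_attested:
        return False
    return ROLES.get(req.user) in rule["roles"]


def compare(req: Request) -> Tuple[bool, bool]:
    """Return (perimeter decision, zero-trust decision) for one request."""
    return perimeter_allows(req), zero_trust_allows(req)


if __name__ == "__main__":
    # A compromised internal host holding bob's wiki session asks for the payroll database.
    pivot = Request("10.1.2.3", "bob", False, "payroll-db", frozenset({"wiki"}))
    # A finance user on an attested laptop connecting from a public network.
    remote = Request("203.0.113.7", "alice", True, "payroll-db", frozenset({"payroll-db"}))
    print("lateral move:", compare(pivot))   # (True, False)
    print("remote user: ", compare(remote))  # (False, True)
```

The perimeter check lets the pivot through purely because of its source address, while the zero-trust check denies it and instead admits the off-network user whose identity, device and resource scope all verify.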

One of the most potentially problematic downsides has to do with validation of the security posture, i.e. in situations where the security model requires review by older, more legacy-focused organizations. The dynamic is unfortunate: those same organizations that are likely to find the model most compelling are those same organizations that, in adopting it, are likely to set themselves up for vetting challenges.

Original link: https://www.technewsworld.com/story/86865.html

Original author: Ed Moyle
