Zero Trust: Access security is just a good start

100 Years of Cybersecurity

In the borderlands, two armies are at war.

The leading generals of one side advocate the essence of zero trust and coordinate the whole army around it. The other side is conservative and regards the border wall as a safe frontier. With the two sides deadlocked, a small hacker nation, hoping to profit from the stand-off, suddenly tries to attack…

The small hacker nation slowly lays out its plans:

The conservative camp is tight on the outside and loose on the inside. The border line is heavily garrisoned, with beacon towers and sentry posts (firewalls, intrusion detection systems) deployed at varying density. A frontal assault easily raises alarms, so open confrontation is not easy. Of course, with bribery, deserters can be turned to the hackers’ own use, and close-range attacks and insider operations all become promising. Alternatively, sneak in or phish around the edges to steal a general’s token (employee account credentials), impersonate him, push deeper, and steal the general’s secrets.

The zero-trust camp, on the other hand, is harder to read. The hackers can send a small team to attack at night, or sneak in to spy, and try to coordinate the two. But once across the line of defense, alarms are triggered, espionage is hemmed in, and access to every location is subject to identity challenge and verification. They try to counter with coercion and enticement, but they did not expect zero trust to be built into the infrastructure itself: “least-privilege grants and identity-based access control” has become an unshakable military order, and endpoint verification is everywhere. Seemingly scattered, yet solid.

In this way, the banner of zero trust can be held high in the offensive-defensive confrontation.

In 2010, John Kindervag put forward the concept of zero trust, pointing out that “default trust is the Achilles heel of security”; only after several years and multiple cybersecurity crises was it gradually understood and recognized by enterprises. At present, the perimeter security model is still the dominant network security model, but driven by opportunity and innovation, it is only a matter of time before the new security infrastructure is applied.

In 2020, the demand for remote work created by the epidemic gave zero trust a tailwind, and since then the demand for data security compliance has also become the main driving force for the development of zero trust in China.

In the practical application of zero trust in China, the founding team of Shuteng Technology, established in 2018, was among the pioneers.

As Yang Yifei, CTO of Shuteng Technology, recalls, the founding team had been building up experience in related fields as early as 10 years earlier. From developing the security module of Tencent’s cloud computing platform infrastructure to the security construction of Baidu’s company-wide underlying infrastructure, they clearly realized that data-driven business and open infrastructure would be the next generation of industrial applications and industrial development, and that security is one of the key issues that must be addressed.

Under the ruins of trust, the first demand comes from “solving problems”

With the change of enterprise IT architecture and the collapse of “default trust”, at the peak of the market anything and everything can be labelled zero trust.

Observing the Chinese market in recent years, Wang Boda, technical vice president of Shuteng Technology, found that some companies still have cognitive biases, stereotypes or rigid definitions of zero trust.

On the one hand, more and more vendors are doing “zero trust”. Whether through the transformation of traditional vendors or the entry of startups, the domestic zero trust market has become more diversified and active; on the other hand, many companies’ understanding of zero trust is not deep, and there is a tendency to “follow the trend”. A cognitive bias that equates zero trust with a particular type of technology, such as SDP or IAM, is inevitable. In addition, the “dynamic authorization” and “continuous verification” capabilities, which are central to the zero trust model, do not yet have a relatively unified evaluation mechanism or standard in the market. This also leaves companies weighing a wide range of indicators when choosing zero trust products.

Wang Boda is convinced that although the concept of zero trust is good, it must be implemented around the customer’s (Party A’s) actual business scenarios, and solving problems matters more than “gimmicks”.

In Wang Boda’s view, traditional enterprise infrastructure is based on the perimeter trust model, and security capabilities are usually deployed within the boundaries of the enterprise network. “Security as infrastructure” means deploying “software-defined” security capabilities on top of traditional infrastructure, so that security coverage follows wherever access and applications go. “Software-defined” also means it is friendlier to enterprises in terms of cost control and business coverage.

Because of the rapid development of the domestic Internet, most traditional enterprises were swept into the Internet wave before their informatization was mature. Their IT environments are therefore mostly intricate, overlapping complexes: hybrid IT architectures combining outdated infrastructure with cutting-edge technology. For emerging small and medium-sized enterprises and Internet companies, although the “historical burden” is lighter and they operate in an open Internet environment, their strong business orientation also brings various risks.

Therefore, enterprises still need to adopt flexible zero-trust implementation methods according to the stage of their internal IT and security construction. An enterprise’s zero-trust security strategy should be formulated based on business needs, organizational structure, technology selection, corporate culture and way of thinking.

For example, during a system rebuild or in a company’s start-up stage, a brand-new overall zero-trust architecture can be adopted; where there is an existing system but the goal is to reduce risk through zero trust, ZTNA or gateway products can be chosen; where an overall transformation is difficult or the risk is worrying, a zero trust pilot can be run in one business line, one department or a small group of employees… A step-by-step approach, starting from solving specific problems, is a safe way for zero trust to enter the enterprise.

Precisely because enterprises’ situations and needs differ, the configurability, operational efficiency and system integration capabilities of a product should be considered when choosing a zero-trust product. For example, different product forms (VPN, application gateway or data security sandbox based on the zero trust concept) can be configured according to different personnel and business types; dynamic permissions can be managed and controlled efficiently through an adaptive policy engine; and software definition plus open APIs enable integration with the business and the existing infrastructure.
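The “adaptive policy engine” and “dynamic permissions” mentioned above, shown as an added illustration that is not Shuteng’s product code: a minimal per-request decision function that contrasts the perimeter model (trust by network location) with zero-trust evaluation (identity, device posture and least privilege, re-checked on every request). The roles, resources and posture signal are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed least-privilege policy (assumed names): (role, action, resource) triples that are allowed.
POLICY = {
    ("engineer", "read", "source-repo"),
    ("engineer", "write", "source-repo"),
    ("finance", "read", "ledger"),
}

@dataclass(frozen=True)
class Request:
    user: str                  # authenticated identity ("" if unauthenticated)
    role: str                  # role bound to that identity
    action: str                # e.g. "read", "write"
    resource: str              # e.g. "source-repo"
    device_compliant: bool     # endpoint posture, re-checked on every request
    inside_corp_network: bool  # the only signal the perimeter model looks at

def perimeter_decide(req: Request) -> bool:
    """Perimeter trust: anyone on the internal network gets everything (default trust)."""
    return req.inside_corp_network

def zero_trust_decide(req: Request) -> str:
    """Zero trust: each request is judged on identity, posture and least privilege.
    Network location is never a reason to grant access."""
    if not req.user:
        return "deny: unauthenticated"
    if not req.device_compliant:
        return "deny: device posture"
    if (req.role, req.action, req.resource) not in POLICY:
        return "deny: outside least-privilege policy"
    return "allow"

def evaluate_session(requests: list) -> list:
    """Continuous verification: a session is re-evaluated request by request,
    so a posture change mid-session revokes access immediately."""
    return [zero_trust_decide(r) for r in requests]

if __name__ == "__main__":
    # Constructed sample: alice works remotely on a compliant device; her laptop then fails posture.
    session = [
        Request("alice", "engineer", "write", "source-repo", True, False),
        Request("alice", "engineer", "write", "source-repo", False, False),
    ]
    print(evaluate_session(session))  # ['allow', 'deny: device posture']
    # Constructed sample: an unauthenticated device plugged into the office LAN.
    stranger = Request("", "", "read", "ledger", True, True)
    print(perimeter_decide(stranger), zero_trust_decide(stranger))  # True deny: unauthenticated
```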

As for the two directions seen in zero trust deployment at home and abroad, “network and security carried out simultaneously” versus “zero trust first, with network reconstruction lagging slightly”, in Yang Yifei’s view the order of zero trust security products and the overall network architecture is nothing more than a spiralling development trend based on the actual environment. Either way, it ultimately points to the same overall zero-trust result.

Access security is the beginning of zero trust, and data security is the future

All applications start with access, and focusing on access security is a good start. But we must also admit that access is only the beginning.

As zero-trust access security becomes widely used in the market, new security issues arise: the convenience of accessing an enterprise’s internal data resources anytime and anywhere means data is distributed more widely, and data faces new security risks at the edge or in the cloud.

Yin alone does not give birth, and yang alone does not grow. The end point of zero trust must not only solve the access security problem; it must be a more complete solution implemented across IT and OT. The conceptual understanding of zero trust is also expanding from a single point (access security) to a larger scope.

Shuteng had prepared for this a few years ago. Since its inception, when it was named DataCloak, the team thought about wrapping data in a “flexible” cloak based on the concept of zero trust: allowing data to generate value through a high degree of interaction and flow, while ensuring that data in motion remains usable but not obtainable, and secure. In Yang Yifei’s view, data security is the key direction for the further development of zero trust.

In the past, numerous security products have been derived from data security, ranging from encryption, desensitization and data leakage prevention to database security. With data becoming more dispersed and flowing at high frequency, data security solutions based on the zero trust concept are developed more around access control of sensitive data.

In the foreseeable future, digital transformation will allow enterprise business to run on a virtualized platform that integrates computing, storage and transmission capabilities, achieving end-to-end security from devices and networks to applications and data. This will become the landing trend for zero trust products.

Zero Trust, SASE and ZTE

Zero Trust, SASE, ZTE (Zero Trust Edge)… during the market hype cycle, a large number of terms collide and overlap in the current cybersecurity environment, leaving some enterprises with questions and confusion. In fact, Forrester first proposed the concept of zero trust, then Gartner proposed SASE, and more recently Forrester proposed ZTE.

Dissecting these concepts shows that the core is identity-based access control to achieve application and data security. The descriptions differ only because the concepts were put forward against different IT environment backgrounds. For example, in the earliest IT environment, since a large number of applications and data were concentrated in the data center, the concept of zero trust was likewise based on access control for the data center. As applications became widely distributed, data flowed to terminals and the cloud, and secure access to applications and data from the edge became mainstream, which spawned the popularity of the SASE and ZTE concepts.

In contrast, SASE emphasizes the tight coupling of network and security, requiring a single provider to deliver a full set of SASE products, while ZTE emphasizes the decoupling of network and security, which can be integrated from multiple suppliers. But in Wang Boda’s words, “the same goal is reached by different paths”, and realizing edge data security will be the landing direction of the related products.

Interestingly, although SD-WAN is often discussed in SASE or zero-trust solutions, judging from the products launched by domestic vendors such as Shuteng Technology, it is better for security vendors to provide security capabilities and for network operators to provide network capabilities, each playing to its strengths. As enterprise-level SaaS adoption advances, the SASE market will open further.

In China, SASE is still mostly at the stage of discussion and exploration. As a SASE solution that provides a cross-cloud, cross-region IT infrastructure platform and security services, DACS AnyCloud?

Yang Yifei believes that the main demand for SASE comes from the need for network optimization and security assurance in end-to-cloud access. When an enterprise has multiple (cross-regional) branches as well as multiple self-built and leased clouds, the high requirements on network and security needed for multi-cloud, multi-service and multi-location mutual access are obvious. On this basis, Shuteng Technology solves the problems of multi-terminal to multi-cloud and cross-cloud interconnection by combining its own security capabilities with third-party (GDS) backbone network capabilities, providing high-quality network interconnection from server to server together with application and data security protection. SASE is part of Shuteng Technology’s zero trust strategic plan, and also the starting point for Shuteng Technology’s move towards the cloud.

“Security as infrastructure is equivalent to virtualizing security: abstracting the security features of different underlying physical infrastructures in a software-defined way,” Yang Yifei said. “More and more security experts have been researching and discussing the road to integrating zero trust, data security and edge security.”

Last year, Shuteng Technology released an enhanced zero-trust security framework called HyperCloak™ (Lingjie), the first zero-trust security framework in China. Infrastructure determines the complexity of security issues, and this way of deeply integrating the zero-trust security framework with the infrastructure provides a leapfrog supplement to the previous IT infrastructure.

Over the course of a year, a large number of enterprises have connected to HyperCloak® through the SDK, integrating this security framework with some of their internal work platforms. Experience from these deployments is fed back into version 2.0 of the framework, forming a positive optimization loop.

Today, the road to zero trust is becoming clearer. Next-generation enterprise security will be based on a zero-trust architecture, defined by software, and integrated with AI technology, forming an enterprise security space that spans enterprise office, cloud computing and edge computing scenarios.

Looking at the growing output of practical zero-trust deployments, platformization and ecosystem-building have, through collective effort, formed mutually reinforcing fronts. Even with wrong turns along the way, there is no reason for fear.
