The Strategic Seventeen: Zero Trust

The long-held misconception of keeping “the bad guys” out gave us the false sense of security that inside of our business we were safe from the nefarious entities that lurked in the deep, dark corners of the Internet. We spent ridiculous amounts of time and money building our castles, ever focused on the “before” of cybersecurity incidents and how to prevent them without a second thought of what to do during and after one if it, goodness forbid, ever came to be.

We sat like kings and queens on our swivel-chair thrones, smugly believing bad things only happened to other businesses and people, never to us. Our castles were invulnerable to the evil masses that gathered outside. We believed all those shiny boxes and blinking lights protected us, and that we had built a veritable fortress out of our security budget. Well, under your crown of smugness, you’re no longer a king or queen; you’re a joker.

So, Zero Trust, then?

What Is It?

Developed a decade ago, the Zero Trust framework has recently gained more attention as the collective castle walls of many organisations have crumbled and the owners of information systems and data have been usurped by malicious entities. There is plenty of hard and anecdotal evidence to remind us that cybersecurity incidents are a matter of “when” and not “if”. When you look at it, threat actors tend to come in three varieties: Malicious Outsiders, Malicious Insiders, and Well-Intended Insiders.

It is worth noting that these three are not absolutes. For example, once a Malicious Outsider gains access through a compromised perimeter or stolen credentials, they effectively become a Malicious Insider: from inside the network they look like any other authenticated user. Even Well-Intended Insiders can become Malicious Insiders or Malicious Outsiders under the right circumstances.

What the three have in common is that they are all threats; worryingly, two of them are insiders. The traditional security model of “inside is good, outside is bad” falls on its face. Depending on what you read and who you talk to, a large share of incidents involve insiders, so why we continue to focus so much on the “before” and on keeping the bad guys out is beyond me. Enter the Zero Trust framework.

A false assumption I hear from people when discussing the Zero Trust approach is that they liken it to conspiracy theories and basement-dwellers in tinfoil hats. While at the outset it sounds like Dr. No (just to throw in a James Bond 007 reference), it should be thought of more as “Yes, but.” Instead of universally saying no to everything, the answer becomes yes ONLY WHEN the conditions have been met: the user is authenticated, the device is known and healthy, and the request is within what that user is authorised to do. Every request gets verified, whether it comes from inside the network or outside; being on the corporate LAN no longer counts as proof of anything. “Never trust, always verify” is another way to put it.
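
As an added example (not part of the original post), here is the “yes, only when” rule written out as a default-deny access decision in PowerShell. The request fields, the resource tiers and the policy table are assumptions made for illustration; a real deployment would take these signals from its identity provider, device management and MFA services rather than from hashtables.

```powershell
function Test-AccessRequest {
    [CmdletBinding()]
    param(
        # Request: User, Groups (string[]), DeviceId, DeviceCompliant ($true/$false/$null),
        # MfaSatisfied (bool), Resource. Field names are assumptions for this example.
        [Parameter(Mandatory)] [hashtable] $Request,
        # Policy: resource name -> @{ Tier = 1..3; AllowedGroups = string[] }
        [Parameter(Mandatory)] [hashtable] $Policy
    )

    $reasons = [System.Collections.Generic.List[string]]::new()
    $rule = $Policy[$Request.Resource]

    # Default deny: a resource with no explicit rule is never granted.
    if (-not $rule) {
        return [pscustomobject]@{ Allow = $false; Reasons = @("no policy for resource '$($Request.Resource)'") }
    }

    # Identity: the user must hold at least one of the groups the rule names.
    $matching = @($Request.Groups | Where-Object { $rule.AllowedGroups -contains $_ })
    if ($matching.Count -eq 0) {
        $reasons.Add("user '$($Request.User)' is in none of: $($rule.AllowedGroups -join ', ')")
    }

    # Device: anything other than an explicit $true (including $null, i.e. the
    # posture service did not answer) fails closed.
    if ($Request.DeviceCompliant -ne $true) {
        $reasons.Add("device '$($Request.DeviceId)' is not attested as compliant")
    }

    # MFA: required above the lowest tier, regardless of the source network.
    if ($rule.Tier -ge 2 -and -not $Request.MfaSatisfied) {
        $reasons.Add("tier $($rule.Tier) resource requires MFA")
    }

    $allow = ($reasons.Count -eq 0)
    if ($allow) { $reasons.Add('all conditions met') }
    [pscustomobject]@{ Allow = $allow; Reasons = $reasons.ToArray() }
}

# Constructed policy: tiers run from 1 (low) to 3 (critical).
$policy = @{
    'intranet-wiki' = @{ Tier = 1; AllowedGroups = @('All-Staff') }
    'hr-payroll'    = @{ Tier = 3; AllowedGroups = @('HR-Payroll-Admins') }
}

# Constructed requests: the same user and laptop, differing only in the signals.
$base = @{ User = 'alice'; Groups = @('All-Staff', 'HR-Payroll-Admins'); DeviceId = 'LT-0142'; Resource = 'hr-payroll' }

Test-AccessRequest -Policy $policy -Request ($base + @{ DeviceCompliant = $true; MfaSatisfied = $false })
Test-AccessRequest -Policy $policy -Request ($base + @{ DeviceCompliant = $null; MfaSatisfied = $true })
Test-AccessRequest -Policy $policy -Request ($base + @{ DeviceCompliant = $true; MfaSatisfied = $true })
```

Only the last request is allowed. The first is refused even if it comes from a compliant laptop on the corporate network, because location is not one of the conditions and MFA is; the second is refused because the device posture is unknown, and an unknown posture fails closed rather than quietly granting access.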

Where Do I Start?

I would suggest starting with a consultative approach from a vendor-agnostic perspective to fully understand why you need Zero Trust and how it can work for you. There is no shortage of products masquerading as “solutions”, with effects ranging from negligible to “bricking” your entire network. Get the right people involved from the start and ask the right questions. You need to figure out the “why” of Zero Trust before you can approach the “how”.

You will probably discover that not every aspect of your environment needs a Zero Trust approach, but some surely does. You might have a public Wi-Fi network for internet access only that is segregated from the rest of your systems; that one can stay as it is. The corporate Wi-Fi network, on the other hand, should admit only known devices, verified with certificates (802.1X with EAP-TLS, for example), and known users, verified with multi-factor authentication. A good starting point is understanding which of your systems and data are critical and important.

Your source of truth for authentication and authorisation should be squeaky clean, clearly defined, and well maintained. If you run Active Directory, a clean-up is a good place to start: review who holds which roles and responsibilities before defining what each of them can actually access. After this, a full inventory of devices and services helps you understand what will be accessing the systems and data. Being able to identify authorised devices in addition to authorised users is going to be critical, especially when trying to counter the threat of spoofing. Oh yeah, PLEASE get rid of generic accounts and ban any type of credential sharing: a shared account cannot be verified as any one person, so every access decision built on it is a guess.
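
As an added example (not from the original post), a first-pass Active Directory hygiene report covering the points above: stale users and computers, accounts whose password never expires, likely generic accounts, and who actually sits in the privileged groups. It assumes the RSAT ActiveDirectory module and read access to the domain; the 90-day window, the naming pattern and the “no manager and no employee ID” heuristic are assumptions to tune for your environment.

```powershell
Import-Module ActiveDirectory

$inactiveWindow = New-TimeSpan -Days 90

# 1. Enabled users and computers that have not authenticated in the window.
#    Stale computer objects matter as much as stale users once devices become
#    part of the access decision.
$staleUsers     = Search-ADAccount -AccountInactive -TimeSpan $inactiveWindow -UsersOnly |
                  Where-Object { $_.Enabled }
$staleComputers = Search-ADAccount -AccountInactive -TimeSpan $inactiveWindow -ComputersOnly |
                  Where-Object { $_.Enabled }

# 2. Enabled accounts whose password never expires: typical of shared and
#    service accounts that nobody owns.
$neverExpires = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
                           -Properties PasswordNeverExpires, PasswordLastSet, Manager

# 3. Likely generic or shared accounts. Heuristic (assumption): a person
#    account should have an owner (Manager) and an EmployeeID; names such as
#    "shared" or "reception" with neither are candidates for removal or for
#    conversion to a named, owned account.
$genericPattern = '^(shared|generic|reception|scanner|admin|test|temp)'
$generic = Get-ADUser -Filter 'Enabled -eq $true' -Properties Manager, EmployeeID, Description |
           Where-Object {
               $_.SamAccountName -match $genericPattern -or
               (-not $_.Manager -and -not $_.EmployeeID)
           }

# 4. Privileged group membership, resolved through nested groups: the list to
#    hand to the business when reviewing roles and responsibilities.
$privileged = foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
    Get-ADGroupMember -Identity $g -Recursive |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass
}

[pscustomobject]@{
    StaleUsers         = @($staleUsers).Count
    StaleComputers     = @($staleComputers).Count
    PasswordNeverExp   = @($neverExpires).Count
    LikelyGeneric      = @($generic).Count
    PrivilegedMembers  = @($privileged).Count
} | Format-List

# Detail for the review meeting.
$generic    | Select-Object SamAccountName, Description, Manager, EmployeeID | Format-Table -AutoSize
$privileged | Sort-Object Group, SamAccountName | Format-Table -AutoSize
```

Run it read-only first and take the output to the people who own the roles; the point is to agree what each account is for before any of it is deleted or any policy is built on top of it.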

The approach actually reminds me a bit of Application Whitelisting because in that case, too, I recommend getting everything in order and understanding exactly what you are trying to do, and why, before beginning.

I would also make sure you have complete support across the business, management and executive buy-in (having a champion of this at the C-level is gold), and that there is clear communication to all stakeholders to ensure they know not just WHAT you are doing, but clearly WHY and HOW it will benefit them.

How Do I Make It Work?

Rather than a one-size-fits-all whizbang application or appliance, Zero Trust relies on a more strategic approach using a number of technologies and controls, both technical and administrative. At the core of it, as I mentioned above, you should have your house in order: visibility of, and control over, every object in the infrastructure, from users to computers and all points in between. Review file shares and permissions. Review Group Policy Objects. Apply the principle of least privilege.
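
As an added example (not from the original post), the “review file shares and permissions” step as a script that flags grants to broad principals at both the SMB and the NTFS layer. It assumes it runs on (or is remoted to) a file server with the SmbShare module (Windows Server 2012 or later); the list of principals treated as “broad” and the rights treated as write access are assumptions to adjust.

```powershell
# Principals that mean "more or less everyone"; extend with your own broad groups.
$broadPrincipals = @(
    'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users',
    "$env:USERDOMAIN\Domain Users", "$env:USERDOMAIN\Domain Computers"
)
# NTFS rights that allow changing data; read-only grants to broad groups are
# reported at a lower severity so they can still be reviewed.
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete'

$findings = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {

    # Share-level ACL (Full / Change / Read).
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        if ($ace.AccessControlType -eq 'Allow' -and $broadPrincipals -contains $ace.AccountName) {
            $severity = if ($ace.AccessRight -eq 'Read') { 'Review' } else { 'High' }
            [pscustomobject]@{
                Share = $share.Name; Layer = 'SMB'; Principal = $ace.AccountName
                Right = $ace.AccessRight; Severity = $severity
            }
        }
    }

    # NTFS ACL on the share root. The effective permission is the more
    # restrictive of the two layers, so a broad grant at either layer is only
    # dangerous if the other layer allows it too; both are listed so the
    # reviewer can see the pair.
    if (Test-Path -LiteralPath $share.Path) {
        foreach ($ace in (Get-Acl -LiteralPath $share.Path).Access) {
            $who = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and $broadPrincipals -contains $who) {
                # Cast to int so inherit-only ACEs carrying generic right bits
                # (shown as large numbers) do not break the comparison.
                $canWrite = (([int]$ace.FileSystemRights) -band ([int]$writeRights)) -ne 0
                $severity = if ($canWrite) { 'High' } else { 'Review' }
                [pscustomobject]@{
                    Share = $share.Name; Layer = 'NTFS'; Principal = $who
                    Right = $ace.FileSystemRights; Severity = $severity
                }
            }
        }
    }
}

$findings | Sort-Object Severity, Share, Layer | Format-Table -AutoSize
```

Anything marked High at both layers of the same share is a share that any authenticated user can write to; those are the ones to fix first, replacing the broad grant with a named group that maps to a real role.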

In terms of technology, Multi-Factor Authentication (MFA) is a big one. Applied to important systems and data, it provides a great layer of defence, although there may be a little resistance from users if it involves using their personal mobile device. Not everyone wants to install an authenticator app, and SMS-only codes are the weakest form (they can be intercepted or redirected by a SIM swap), but what you accept will depend on your appetite for risk.

If you’re curious why I suggest getting the house in order: Identity and Access Management (IAM) solutions rely heavily on your source of truth, and a directory full of stale accounts and ambiguous groups is faithfully reproduced in every policy you build on it. There are plenty of other solutions you can look to, such as orchestration and analytics (especially behavioural analytics of user and computer actions), and never overlook one of the longest-established controls: encryption. Encrypting data in transit, in use, and at rest, and using certificates to verify the parties at both ends of a connection, is invaluable.

The actual execution of implementing Zero Trust should be done on a case-by-case basis to ensure that the solution chosen works best for the organisation it’s intended to protect. After reading all this, though, you’re probably thinking, “Oh good grief. Now I have to buy a whole lot of stuff to make this work!” Ah, but probably not!

As part of the consulting phase, I recommend understanding what you have via an inventory; you will probably find you already have a lot of the building blocks you need. Remember the big box of Lego we had as kids, with hundreds or thousands of pieces in it, from which you could build almost anything you wanted? That’s likely your information systems. Just don’t go putting Lego wheels on Lego boats: be sure what you have IS, in fact, what you need.

If you’re heavily invested in the Microsoft space, for example, you likely have a lot of controls available already: MFA, IAM, System Center Orchestrator, Microsoft Analytics, Sentinel, Microsoft Cloud App Security, Advanced Threat Protection, and on and on. The Microsoft ecosystem is also a great way to implement Just-In-Time (JIT) administration, where elevated rights are granted for a bounded period and expire on their own, and Just Enough Administration (JEA), where an administrative endpoint exposes only the specific commands a role needs, to knuckle down on that “Never Trust, Always Verify” approach.
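
As an added example (not from the original post), a JEA endpoint for a help-desk role together with a time-bound group membership for the rare case that needs full rights. The module path, role and group names, the command list and the account name are assumptions; it needs Windows PowerShell 5.1 or later run as an administrator on the server, the RSAT ActiveDirectory module for the AD cmdlets, and, for the JIT part, the Privileged Access Management optional feature enabled in the forest.

```powershell
#Requires -RunAsAdministrator

# 1. Role capability: only the cmdlets this role needs, with parameters
#    constrained where a cmdlet could otherwise be turned against us.
$modulePath = "$env:ProgramFiles\WindowsPowerShell\Modules\ZtHelpdesk"
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcPath -Force | Out-Null

New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'HelpdeskRole.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } },
        @{ Name = 'Unlock-ADAccount'; Parameters = @{ Name = 'Identity' } }
    ) `
    -ModulesToImport 'ActiveDirectory' `
    -VisibleFunctions 'Get-ServiceSummary' `
    -FunctionDefinitions @{
        Name        = 'Get-ServiceSummary'
        ScriptBlock = { Get-Service | Group-Object Status | Select-Object Name, Count }
    }

# 2. Session configuration: a restricted, transcribed endpoint that runs as a
#    virtual account, so help-desk staff never hold a standing admin account.
$sccPath = Join-Path $env:TEMP 'Helpdesk.pssc'
New-PSSessionConfigurationFile -Path $sccPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEA\Transcripts' `
    -RoleDefinitions @{ 'CORP\Helpdesk-Operators' = @{ RoleCapabilities = 'HelpdeskRole' } }

if (-not (Test-PSSessionConfigurationFile -Path $sccPath)) { throw "invalid session configuration file" }
Register-PSSessionConfiguration -Name 'Helpdesk' -Path $sccPath -Force | Out-Null

# A member of CORP\Helpdesk-Operators then connects with
#   Enter-PSSession -ComputerName SRV01 -ConfigurationName Helpdesk
# and can run only Get-Service, Restart-Service (for two services),
# Unlock-ADAccount and Get-ServiceSummary; every session is transcribed.

# 3. Just-in-time elevation for the rare task that really needs full rights:
#    the membership expires on its own, with no ticket needed to remove it.
Add-ADGroupMember -Identity 'Domain Admins' -Members 'alice.admin' `
    -MemberTimeToLive (New-TimeSpan -Hours 2)

# Confirm the time-to-live was recorded on the membership.
Get-ADGroup -Identity 'Domain Admins' -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member
```

Register-PSSessionConfiguration restarts the WinRM service, so run it in a maintenance window. The transcript directory should be on a path the help-desk role cannot write to, otherwise the audit trail is only as trustworthy as the people it audits.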

Depending on your systems, you may have other vendors and tools; just be aware that you have options, and make sure you get the most out of your existing investments before you spend more money. Ask questions, get answers, and then decide. After all, these are YOUR systems and it is YOUR data.

I would also suggest reviewing the governance around your information systems and data to ensure that you have policies and procedures that articulate what a Zero Trust framework is, why you are using it, and how it will be used. A regular review of your documentation to this effect is always a good idea; doubly so when rolling out Zero Trust.

Pitfalls?

One of the bigger pitfalls I have encountered to date with the application of Zero Trust has been the overzealousness of those implementing it, to the point where system availability, performance, and productivity have been hindered; in some cases it amounts to a self-imposed Denial of Service. Your information systems and data may not be available to untrusted entities, but if they’re not available to trusted ones either, then they’re not much good at all, are they? Be cautious about the application of controls and mindful that the systems you’re protecting are there to enable your business.

This is why we suggest a consultative approach to implementing Zero Trust: clearly define requirements and objectives, and have a clear vision of desired outcomes and measures of success. It needs to be simple and sustainable or else you’ll find shadow IT popping up as users create workarounds just to get their work done.

Technical controls, then, are not the be-all and end-all of a Zero Trust project. Administrative controls, enforced governance, clear policies and procedures, and management buy-in and support are crucial to a successful engagement.

Ghosts in The Machine?

No matter how many controls you put in place, there will always be ghosts in the machine in the form of people. Be mindful of those you trust and the level of access they have because, being human, we can and do make mistakes and do stupid things, even when we have been fully verified. People can be exploited through manipulation and social engineering, coerced into taking malicious action, or become disgruntled and abuse their privilege. I once consulted for an organisation where the main administrator had a domestic situation and ended up abusing his privileged access to key systems to take it to a whole new level of ugliness. Sometimes additional checks and balances are needed (two people to approve the most sensitive changes, privileged activity logged somewhere the administrator cannot edit), and sometimes you can only sort it out after the fact.

Technology, being technology, is subject to failure and errors, so the mechanisms used to authenticate can fail, rendering the whole system unusable because Zero Trust worked too well. Plan for this to avoid those “oh no” moments: decide up front whether each control fails open or closed when its dependency (the identity provider, the MFA service, the certificate authority) is unreachable, and keep a tested break-glass procedure, such as an emergency account held offline whose every use is logged and alerted on. Sometimes this ghost in the machine is more like a demon. Forget the Ghostbusters; call in the Exorcist!

Anything Missing?

It’s easy to overlook something in the beginning stages of a Zero Trust implementation, but a clear understanding of the objective up front, an inventory of your systems and data, and a review of existing controls you can leverage can fill in a lot of gaps. You should also try to break it down into short-term tactical actions that lead towards long-term strategic objectives so that you gain benefit at every stage of a Zero Trust implementation rather than waiting until the end.

Stay safe out there!

Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party. The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; it must not be relied upon as such. Appropriate legal advice should be obtained in actual situations. All images, unless otherwise credited, are licensed through ShutterStock

Translated from: https://medium.com/swlh/the-strategic-seventeen-zero-trust-955cbc3dbf2b