Under the traditional border protection security system, the security system is mostly constructed by partitioning the intranet and the extranet, and most intranet users have higher network permissions by default, and the extranet users access the intranet by using a solution such as VPN. During the epidemic in the past year, the remote working model has gradually become the norm. With the development of different network technologies, such as IOT, cloud computing, etc., the chances to attack the company’s network environment has increased, and more risks need to be controlled. Therefore, the zero-trust architecture module has regained attention in recent years to reduce the complexity of the traditional protection system and improve safety. 

The Zero Trust Architecture module was originally proposed by John Kindervag of Forrester in 2010 and was applied in Google's BeyondCorp project. The main concept of this module is identity-centric access control. By default, people, equipment, and processes inside and outside the entire network are not trusted before verification, and authorization is provided through consistent verification. 

Compared with the traditional protection system that divides trust by zone, the zero-trust architecture is based on trusted identities, and the three elements of trusted equipment and trusted applications to provide access rights. Every visit requires user authentication, device security status check and encryption of the entire data transmission distance. In the design, the following ideas are generally proposed:

The trusted identity verifies the user's identity, and the identity requires unified control and supervision to ensure the release of the least authority. For trusted devices, unified standards are required for new access devices, such as company unified control, security reinforcement, and regular vulnerability detection. At the same time, verify hardware information and certificates to ensure identity when visiting. The process needs to be detected for loopholes or viruses. The encryption of the transmission distance uses the key to encrypt and decrypt each visit, and verify the user, device, and application information. Compared with the traditional VPN, it can reduce the SSL connection and routing configuration process. 

In fact, most of the security measures proposed are quite common, and there are also many solutions in the market that can achieve the relevant control. The two relatively novel points are to ban VPNs using TCP access for communication authentication, and to integrate various information, such as equipment, applications, time, and static account permission configuration, to achieve dynamic permission allocation while being compatible with connection stability and speed. In a network environment where new technologies such as cloud computing and IOT are popularized, network attacks will emerge in an endless stream, and security mechanisms will become more and more complex. The article briefly introduces the content of the zero-trust architecture discussed at present. It is expected that more streamlined designs and applications will appear in the future, which can meet convenience and security at the same time and can be executed in various environments to strengthen network security and protect enterprises and institutions’ important information assets.

Xaviera Lam

Ringus Solution Enterprise Limited 

A：Unit 4602, 46/F, COSCO Tower, 183 Queen's Road Central, HK

E：info@ringus-solution.com

T：(852) 2907 6011

W：www.ringus-solution.com