什么是零信任?

零信任快速概览

零信任是一种安全模型,其中任何设备、用户或网段本质上都是不可信的,应将其视为潜在的威胁。

零信任的工作原理是什么?

为了提高用户和设备位于远程位置且威胁会绕过传统外围防御机制的现代企业的安全性,建立严格的安全模型,持续进行检查至关重要。在接入网络之前,应对所有设备和用户进行识别和身份验证,并为其提供最少的所需接入量,然后对其进行连续监控

零信任需要以下关键组成部分:

  • 全面的可见性——主动和被动发现可提供网络上所有用户和设备的完全可见性,可以帮助您实施管理方法。
  • 最少的接入微网络隔离和管理——访问控制策略授予对设备或用户绝对必要的资源的访问权限,并将其与不需要的其他资源进行隔离。
  • 持续监控和策略实施——对网络上的用户和设备的持续监控可极大地降低威胁和恶意软件相关风险。

Aruba ESP 支持零信任最佳实践,以提供包含可见性、控制和强制的全套功能,可以满足物联网驱动的分散型网络基础设施的需求。

为何采用零信任?

由于移动网络、IoT 和远程办公环境,网络安全正变得越来越具有挑战性。零信任可让您提高可视性,管理水平和实施能力,以满足分散的,IoT 驱动的网络基础设施的安全要求。

零信任的优势

零信任有助于确保如今移动网络、IoT 和家庭环境中的网络安全。

  • 减少与易受攻击的 IoT 设备相关的安全风险的暴露。
  • 帮助减少可以绕过传统外围安全控制措施的高级威胁的风险。
  • 减少与攻击者和受感染设备的横向移动有关的损坏。
  • 无论是谁或什么设备正在连接,也无论从何处进行连接,都可采用更全面的安全方案。
  • 可将微网络隔离等最佳实践用作“最少接入”方案。

Aruba Zero Trust Architecture

Zero Trust Architecture

Where do I start with Zero Trust?

Zero Trust network architectures focus on authentication, authorization, and continual risk management. Here’s how to get started:

  1. Eliminate network blind spots by discovering and profiling all devices connected to the network.
  2. Verify identity before allowing access using 802.1X-based authentication techniques, as well as emerging solutions for IoT devices.
  3. Compare endpoint configuration to compliance baselines and remediate as needed.
  4. Establish least-privilege access to IT resources by segmenting traffic based on identity-based policies.
  5. Continuously monitor the security state of the user and device, and bi-directionally communicate with other elements in the security ecosystem. Establish policies to revoke a user or device’s access rights in cases of compromise or attack.

How do I build a Zero Trust architecture?

RequirementZero Trust ArchitectureAruba ESP Solution
1. Know what’s on the networkAn organization protects resources by defining what resources it has
2. Authenticate all users and devicesCreate, store, and manage enterprise user accounts and identity records
3. Ensure configuration and compliance guidelines are followedGather information about the enterprise asset’s current state and apply updates to configuration and software components
4. Assign and enforce access policies in the networkAll resource authentication and authorization are dynamic and strictly enforced before access is allowed via coordination between a policy engine and a policy enforcement pointDynamic Segmentation enabled by:

  • ClearPass, PEF with Aruba access points and gateways
  • Central NetConductor, policy manager, and inline enforcement via Aruba switches and gateways
5. Communicate bi-directionally with the security ecosystem and respond to attacksProvide real-time (or near real-time) feedback on the security posture of enterprise information systems; integrate with security information and event management systems

准备好开始了吗?