What is Zero Trust?
A quick look at Zero Trust
Zero Trust is a security model in which no device, user, or network segment is trusted by default; each is treated as a potential threat.
How does Zero Trust work?
In the modern enterprise, users and devices are remote and threats can bypass traditional perimeter defenses, so strengthening security requires a rigorous model that performs checks continuously. Every device and user should be identified and authenticated before accessing the network, granted only the minimum access required, and then continuously monitored.
Zero Trust requires the following key components:
- Comprehensive visibility – Active and passive discovery gives full visibility of every user and device on the network, helping you implement controls.
- Least-access micro-segmentation and controls – Access control policies grant a device or user access only to the resources that are strictly necessary, and segment them from everything else.
- Continuous monitoring and enforcement – Continuously monitoring the users and devices on the network greatly reduces the risk from threats and malware.
Aruba ESP, built on Zero Trust best practices, provides a comprehensive set of visibility, control, and enforcement capabilities to meet the needs of decentralized, IoT-driven network infrastructures.
Why Zero Trust?
Mobility, IoT, and remote work make network security increasingly hard to maintain. Zero Trust strengthens your visibility, control, and enforcement capabilities to meet the security needs of decentralized, IoT-driven network infrastructures.
Benefits of Zero Trust
Zero Trust secures today's mobile, IoT, and home-based network environments.
- Avoid exposure to vulnerable IoT devices and eliminate the resulting security risk.
- Reduce the risk from advanced threats that bypass traditional perimeter security controls.
- Reduce the damage caused by lateral movement of attackers and compromised devices.
- Apply a more comprehensive approach to security regardless of who connects, which device they use, or where they are.
- Implement least-privilege access policies using best practices such as micro-segmentation.
Aruba Zero Trust Architecture
Where do I start with Zero Trust?
Zero Trust network architectures focus on authentication, authorization, and continual risk management. Here’s how to get started:
- Eliminate network blind spots by discovering and profiling all devices connected to the network.
- Verify identity before allowing access using 802.1X-based authentication techniques, as well as emerging solutions for IoT devices.
- Compare endpoint configuration to compliance baselines and remediate as needed.
- Establish least-privilege access to IT resources by segmenting traffic based on identity-based policies.
- Continuously monitor the security state of the user and device, and bi-directionally communicate with other elements in the security ecosystem. Establish policies to revoke a user or device’s access rights in cases of compromise or attack.
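The five steps above, as one added worked example (not Aruba code; every MAC address, role, segment name and baseline value is constructed): a minimal policy engine and enforcement point in Python that places an endpoint in a least-privilege segment only after it passes the inventory, authentication and compliance checks, and re-evaluates it so that a compromise signal from the security ecosystem revokes the access it previously held.

```python
from dataclasses import dataclass, field

# Constructed sample data (hypothetical, not taken from any Aruba product).
BASELINE = {"os_version": "12.4", "disk_encrypted": True, "av_running": True}
ROLE_SEGMENTS = {"employee": "corp-users", "iot-camera": "iot-video"}
# Step 1: inventory produced by discovery and profiling, keyed by MAC address.
INVENTORY = {"aa:bb:cc:00:00:01": "employee", "aa:bb:cc:00:00:02": "iot-camera"}
DENY_SEGMENTS = {"quarantine", "remediation"}


@dataclass
class Endpoint:
    mac: str
    authenticated: bool          # step 2: result of 802.1X (or an IoT equivalent)
    posture: dict = field(default_factory=dict)  # step 3: reported configuration
    compromised: bool = False    # step 5: signal from the security ecosystem


def compliance_gaps(posture, baseline=BASELINE):
    """Return the baseline keys the endpoint's reported posture does not satisfy."""
    return sorted(k for k, v in baseline.items() if posture.get(k) != v)


def decide(endpoint):
    """Policy engine: map an endpoint to a segment and the reason for the decision."""
    role = INVENTORY.get(endpoint.mac)
    if role is None:
        return "quarantine", "unknown device: not in inventory"
    if not endpoint.authenticated:
        return "quarantine", "authentication failed"
    gaps = compliance_gaps(endpoint.posture)
    if gaps:
        return "remediation", "non-compliant: " + ", ".join(gaps)
    if endpoint.compromised:
        return "quarantine", "compromise reported by security ecosystem"
    return ROLE_SEGMENTS[role], "least-privilege segment for role " + role


class EnforcementPoint:
    """Applies decisions (step 4) and records every revocation (step 5)."""
    def __init__(self):
        self.sessions = {}     # mac -> segment currently enforced
        self.revocations = []  # (mac, reason) whenever held access is withdrawn

    def evaluate(self, endpoint):
        segment, reason = decide(endpoint)
        previous = self.sessions.get(endpoint.mac)
        if previous and previous not in DENY_SEGMENTS and segment in DENY_SEGMENTS:
            self.revocations.append((endpoint.mac, reason))
        self.sessions[endpoint.mac] = segment
        return segment, reason
```

Calling `evaluate` again for an endpoint already holding a segment is the continuous-monitoring loop: the decision is recomputed from the current posture and threat signals rather than from the earlier admission.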
How do I build a Zero Trust architecture?
Requirement | Zero Trust Architecture | Aruba ESP Solution
---|---|---
1. Know what's on the network | An organization protects resources by defining what resources it has |
2. Authenticate all users and devices | Create, store, and manage enterprise user accounts and identity records |
3. Ensure configuration and compliance guidelines are followed | Gather information about the enterprise asset's current state and apply updates to configuration and software components |
4. Assign and enforce access policies in the network | All resource authentication and authorization are dynamic and strictly enforced before access is allowed via coordination between a policy engine and a policy enforcement point | Dynamic Segmentation enabled by:
5. Communicate bi-directionally with the security ecosystem and respond to attacks | Provide real-time (or near real-time) feedback on the security posture of enterprise information systems; integrate with security information and event management systems |