What is Zero Trust?

Zero Trust at a glance

Zero Trust is a security model in which no device, user or network segment is trusted by default; each is treated as a potential threat until it is verified.

How does Zero Trust work?

In the modern enterprise, users and devices are remote and threats can bypass traditional perimeter defences, so securing the enterprise requires a rigorous security model that performs checks continuously. Every device and user should be identified and authenticated before it is allowed onto the network, granted only the minimum access it needs, and then monitored continuously.

Zero Trust requires the following key components:

  • Comprehensive visibility – Active and passive discovery give full visibility into every user and device on the network, which is the foundation for implementing controls.
  • Least-access microsegmentation and controls – Access control policies grant a device or user access only to the resources it strictly needs and segment it from everything else.
  • Continuous monitoring and enforcement – Continuously monitoring the users and devices on the network greatly reduces the risk associated with threats and malware.

Aruba ESP adopts Zero Trust best practices and provides a comprehensive set of visibility, control and enforcement capabilities to meet the needs of decentralized, IoT-driven network infrastructure.

Why Zero Trust?

Mobility, IoT and remote work make network security increasingly hard to maintain. Zero Trust strengthens your visibility, control and enforcement capabilities to meet the security needs of decentralized, IoT-driven network infrastructure.

Benefits of Zero Trust

Zero Trust keeps today's mobile, IoT and home-office networks secure.

  • Eliminate the security risk of exposure to vulnerable IoT devices.
  • Reduce the risk from advanced threats that bypass traditional perimeter security controls.
  • Limit the damage caused by lateral movement of attackers and compromised devices.
  • Take a more comprehensive approach to security regardless of who connects, from which device, or from where.
  • Enforce least-privilege access policies using best practices such as microsegmentation.

Aruba Zero Trust Architecture


Where do I start with Zero Trust?

Zero Trust network architectures focus on authentication, authorization, and continual risk management. Here’s how to get started:

  1. Eliminate network blind spots by discovering and profiling all devices connected to the network.
  2. Verify identity before allowing access using 802.1X-based authentication techniques, as well as emerging solutions for IoT devices.
  3. Compare endpoint configuration to compliance baselines and remediate as needed.
  4. Establish least-privilege access to IT resources by segmenting traffic based on identity-based policies.
  5. Continuously monitor the security state of the user and device, and bi-directionally communicate with other elements in the security ecosystem. Establish policies to revoke a user or device’s access rights in cases of compromise or attack.
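The five steps above as a single decision flow, in a toy policy engine added here as an illustration (this is not Aruba ESP, ClearPass or NetConductor code). The baseline keys, segment names and event names are constructed assumptions; a device that is unprofiled, unauthenticated or non-compliant never receives a segment, and a compromise signal revokes one that was granted.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed compliance baseline (step 3): ints are minimums, bools are required settings.
BASELINE = {"patch_level": 12, "disk_encrypted": True, "edr_running": True}
# Constructed least-privilege segments keyed by device profile (step 4).
SEGMENTS = {"corporate-laptop": "employee", "ip-camera": "camera-only"}
# Constructed event names from the security ecosystem (SIEM/EDR) that revoke access (step 5).
REVOKE_ON = {"malware-detected", "lateral-movement"}


@dataclass
class Device:
    mac: str
    profile: Optional[str]  # discovery/profiling result (step 1); None = blind spot
    authenticated: bool     # 802.1X or equivalent identity check passed (step 2)
    posture: dict = field(default_factory=dict)  # endpoint state (step 3)


def compliance_gaps(posture):
    """Return the baseline keys the posture fails; an empty list means compliant."""
    gaps = []
    for key, required in BASELINE.items():
        have = posture.get(key)
        if isinstance(required, bool):
            if have is not required:
                gaps.append(key)
        elif not isinstance(have, int) or have < required:
            gaps.append(key)
    return gaps


class PolicyEngine:
    def __init__(self):
        self.sessions = {}  # mac -> granted segment; what an enforcement point would apply

    def evaluate(self, device):
        if device.profile is None:
            return "deny: unprofiled device"
        if not device.authenticated:
            return "deny: identity not verified"
        gaps = compliance_gaps(device.posture)
        if gaps:
            return "quarantine: remediate " + ",".join(gaps)
        segment = SEGMENTS.get(device.profile, "restricted")  # unknown profile -> most restrictive
        self.sessions[device.mac] = segment
        return "allow: " + segment

    def on_security_event(self, mac, event):
        if event in REVOKE_ON and mac in self.sessions:
            del self.sessions[mac]
            return "revoked"
        return "no-change"
```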

How do I build a Zero Trust architecture?

Requirement / Zero Trust Architecture / Aruba ESP Solution

1. Know what’s on the network
   Zero Trust Architecture: An organization protects resources by defining what resources it has.

2. Authenticate all users and devices
   Zero Trust Architecture: Create, store, and manage enterprise user accounts and identity records.

3. Ensure configuration and compliance guidelines are followed
   Zero Trust Architecture: Gather information about the enterprise asset’s current state and apply updates to configuration and software components.

4. Assign and enforce access policies in the network
   Zero Trust Architecture: All resource authentication and authorization are dynamic and strictly enforced before access is allowed, via coordination between a policy engine and a policy enforcement point.
   Aruba ESP Solution: Dynamic Segmentation enabled by:
     • ClearPass, PEF with Aruba access points and gateways
     • Central NetConductor, policy manager, and inline enforcement via Aruba switches and gateways

5. Communicate bi-directionally with the security ecosystem and respond to attacks
   Zero Trust Architecture: Provide real-time (or near real-time) feedback on the security posture of enterprise information systems; integrate with security information and event management systems.

Ready to get started?