Top Management Considerations for Zero Trust

Author: Adam Kohnke, CISA, CISSP, PNPT
Date Published: 26 December 2023

Looking back on 2023, organizations would be hard pressed to say that standing still in the technology industry is the secret to cybersecurity success. Beginning in the first half of the year, threat actors heavily leveraged generative AI solutions such as ChatGPT to build clever social engineering campaigns, exploited zero-day vulnerabilities such as the MOVEit file transfer flaw in near real time, and continued to use stolen credentials to ravage organizations with ransomware across the globe.

Throughout history and well into recent times, humans have been hesitant toward change. Clinging to normalcy bias or avoidance of the unknown, when standard routines become threatened, innate psychological defense mechanisms kick in, compelling people to pause or simply resist the inevitable change. In a security context, traditional approaches to protecting the organization remain effective in some cases, but resources need to be rebalanced and shifted, including adding next-generation technologies such as AI, to effectively mitigate key technology risks heading into 2024.

Adopting a zero trust architecture (ZTA) offers a novel approach to today’s pressing cybersecurity and audit concerns by first instilling the core principles of “Never Trust, Always Verify” and “Assume Breach,” ushering in a new cybersecurity standard aimed at heavily reducing the chances of a successful cyber incident. Zero trust should be perceived as an upgrade or architecture complement, using most of what already exists in the security technology stack and making gradual improvements through solution additions, service provider expansions, integrations or strategic capability consolidations over time.

This blog post informs practitioners and organizations about the necessary planning and prerequisite considerations that should begin the zero trust journey before any zero trust technology or process initiative is started, while also providing internal audit departments with additional resources to fulfill their role as trusted business advisors on zero trust efforts. The infographic below provides summary details of the core pillars of zero trust, its maturity levels, and some of the primary control areas needed to achieve the standard, including widespread adoption of automation, orchestration, monitoring visibility and data analytics.

Figure 1

Figure 1 – The core pillars of zero trust include Data, Devices, Identities, and Networks, including the underlying Infrastructure, Applications, and their associated workloads. Automation, orchestration, visibility and analytics capabilities are required across each pillar to help drive protection throughout the zero trust architecture.

What solutions does zero trust provide?

With recent expansions of remote work opportunities, Bring Your Own Device (BYOD), and shifts to cloud resource providers, the traditional “castle and moat” approach to network defense is both incredibly blurry and, at worst, highly ineffective heading into 2024. This traditional approach involves attempting to secure all critical corporate assets located behind a small number of network perimeters, with the security emphasis placed on those perimeters. Then, via username and password authentication or remote VPN access, expansive access is granted to resources. These circumstances strain security and IT teams, which need more administrative overhead to manage devices, additional device profiles, rogue applications and unknown external networks.

Zero trust architectures and the prescriptive methods of controlling Data, Identities, Devices, Networks, Infrastructure and Applications are far more fluid and focused. Departing from the “authenticate once at the perimeter, then grant broad access to resources inside” model, zero trust requires continuous and adaptive verification of the users or devices attempting to access organizational resources. If user or device behavior changes, zero trust dynamic monitoring, policy orchestration and security automation tools can shift security as needed to keep resources secure. The table below helps illustrate the gradual adoption of zero trust controls from a traditional network architecture to an optimized zero trust architecture.
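To make the contrast concrete, here is an added illustration (not code from the post or from ISACA) of a minimal policy decision point that re-evaluates identity, device posture and request context on every request, beside the legacy “authenticate once at the perimeter” model; the resource tiers, signals and thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Added illustration, not code from the ISACA post: a minimal policy decision
# point that re-evaluates identity, device posture and context on EVERY
# request, beside the legacy "authenticate once at the perimeter" model.
# Resource tiers, signals and thresholds are assumptions for illustration.

@dataclass
class Request:
    user: str
    resource: str
    mfa_verified: bool    # identity pillar: strong auth bound to this request
    device_managed: bool  # device pillar: enrolled in endpoint management
    device_patched: bool  # device pillar: posture check passed
    geo: str              # network pillar: origin of the request
    risk_score: int       # analytics pillar: 0 (normal) .. 100 (anomalous)

class LegacyPerimeter:
    """Castle and moat: one password login, then broad access until logout."""
    def __init__(self) -> None:
        self.sessions: set[str] = set()

    def login(self, user: str, password_ok: bool) -> None:
        if password_ok:
            self.sessions.add(user)

    def allow(self, req: Request) -> bool:
        # Device posture, location and behavior are never re-checked inside.
        return req.user in self.sessions

# Assumed sensitivity tiers; unknown resources default to the most sensitive.
SENSITIVITY = {"public-wiki": 1, "hr-payroll": 3, "prod-db": 3}

def zero_trust_decision(req: Request, usual_geo: str) -> tuple[str, str]:
    """Decide per request: 'allow', 'step-up' (re-verify first) or 'deny'."""
    tier = SENSITIVITY.get(req.resource, 3)
    if not req.device_managed:
        return "deny", "unmanaged device"
    if req.risk_score >= 80:
        return "deny", "behavior anomaly above hard threshold"
    if tier >= 3 and not req.mfa_verified:
        return "step-up", "sensitive resource requires MFA on this request"
    if tier >= 3 and not req.device_patched:
        return "deny", "sensitive resource requires compliant device posture"
    if req.geo != usual_geo or req.risk_score >= 50:
        return "step-up", "context changed since last verification"
    return "allow", "identity, device and context verified"
```

A stolen password admits the legacy session to everything, while the zero trust decision denies the same request on device posture before the credential is even considered.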

Figure 2

Figure 2 – A subset of the key control activities that allow an organization to transition from a traditional network security architecture to a zero trust architecture.

When a paradigm shift of this nature emerges, the initial questions management may begin to consider could include “What is the first step?” or “Where should we start exactly?” Below are five key areas senior management should consider when implementing a zero trust architecture, along with some high-level discussion points for each area that should be held internally and, where appropriate, with external business partners.

  1. Strategy Alignment and Executive Buy-in
    • Understanding Business Goals: Align the zero trust framework or its implementation with overall business objectives and long-term strategy.
    • Executive Support: Educate senior leadership on the importance of zero trust and secure their commitment early in the process.
    • Communication Plan: Develop a comprehensive communication strategy to ensure all levels of the organization understand the upcoming changes and their role in helping ensure continued success.
  2. Technology and Architecture Planning
    • Assessment of Current Infrastructure: Review the organization’s existing systems, technologies and security protocols to determine what needs to be upgraded, replaced or expanded upon.
    • Integration Requirements: Determine which tools and technologies will integrate seamlessly into the zero trust model and whether any gaps exist that could disrupt the transition.
    • Scalability Considerations: Ensure the chosen technology stack or lead solution providers can scale as the organization grows.
  3. Policy Development and Governance
    • Creating Clear Policies: Develop well-defined policies around access control, user authentication, data protection and other aspects of zero trust outlined above.
    • Compliance Alignment: Align policies with regulatory requirements such as GDPR, HIPAA or other industry-specific regulations the organization must adhere to.
  4. Training and Change Management
    • User Training: Develop curricula to train employees on the new security protocols and their operational responsibilities within the zero trust framework.
    • Change Management Strategies: Use change management techniques to guide the organization through a smooth and purposeful transition to zero trust.
    • Feedback Mechanism: Establish avenues for employees to provide feedback and ask questions during the transition.
  5. Monitoring, Analysis, and Continuous Improvement
    • Real-time Monitoring and Analytics: Implement tools to monitor user, device and network activity continuously.
    • Incident Response Plan: Integrate or develop a zero trust-centric incident response plan to promptly address any breaches or issues.
    • Ongoing Improvement: Regularly review the zero trust implementation to identify opportunities for refinement and enhancement. Utilize metrics and KPIs to measure success and guide ongoing improvement.

By considering the key areas outlined throughout this blog post, senior management can work toward a successful implementation of a highly functional zero trust architecture that aligns with core business objectives and leverages the appropriate technologies, all while ensuring compliance and governance remain intact. Internal audit departments exist to advise senior management and to ensure the organization remains aware of the core risks facing the business and those affecting achievement of core objectives.

ISACA has developed a zero trust audit program covering nearly 60 core zero trust control activities that can help streamline the transition away from a traditional network security architecture, one poised to generate ongoing security challenges in fending off threats, while fully assisting with the necessary assurance work. Download the audit program here.

Additional resources