信息网络安全 (Netinfo Security) ›› 2019, Vol. 19 ›› Issue (10): 32-41. doi: 10.3969/j.issn.1671-1122.2019.10.005

• Technical Research •

Research on Construction of Risk and Trust Architecture Based on Lean Trust (Chinese title: 基于精益信任的风险信任体系构建研究)

Ran ZI (訾然) 1,2, Jia LIU (刘嘉) 1

  1. Shenzhen Institutes of Advanced Technology, Chinese Academy of Sciences, Shenzhen, Guangdong 518055, China
  2. Sangfor Technologies, Shenzhen, Guangdong 518055, China
  • Received: 2019-08-15 Online: 2019-10-10 Published: 2020-05-11
  • Corresponding author: Ran ZI E-mail: ziran@sangfor.com.cn
  • Author biographies:

    Ran ZI (born 1988), male, from Yunnan, Ph.D.; main research interest: network security. Jia LIU (born 1979), male, from Chongqing, research fellow, Ph.D.; main research interest: signal processing.

  • Funding:
    National Natural Science Foundation of China [81661168015]

Research on Construction of Risk and Trust Architecture Based on Lean Trust

Ran ZI 1,2, Jia LIU 1

  1. Shenzhen Institutes of Advanced Technology, Chinese Academy of Sciences, Shenzhen, Guangdong 518055, China
  2. Sangfor Technologies, Shenzhen, Guangdong 518055, China
  • Received: 2019-08-15 Online: 2019-10-10 Published: 2020-05-11
  • Contact: Ran ZI E-mail: ziran@sangfor.com.cn

Abstract (translated from the Chinese):

With the rapid adoption of technologies such as cloud computing, big data and the mobile Internet, and the escalation of internal system security threats such as data leakage and advanced persistent attacks, the zero trust architecture has emerged in the network security field and attracted enormous attention; cybersecurity companies at home and abroad have designed and implemented zero trust architectures. However, a series of problems has arisen during the research and deployment of zero trust architecture, such as how it can be made compatible with business systems and existing security measures, and how it can be deployed at low cost. Moreover, an analysis of existing zero trust architectures shows that zero trust has been equated with requiring no trust at all in security construction and with being able to completely replace existing security construction. These problems and misunderstandings hinder the deployment of zero trust architecture. For this reason, this paper applies the concept of lean trust to construct a lean trust secure access architecture. Compared with the zero trust architecture, the lean trust secure access architecture clarifies the positioning of risk and trust in network security construction and, through continuous evaluation and lean control of risk and trust, achieves secure and reliable access in the new network and security environment. The architecture integrates well with existing network security architectures, is compatible with existing security controls and business applications, and is readily deployable and extensible.

Keywords (translated): lean trust, risk management, trust evaluation, network security

Abstract:

With the rapid deployment of new technologies such as cloud computing, big data and mobile communication, and with the growth of internal security threats to IT systems such as data breaches and advanced persistent threats, the Zero Trust concept has been put forward and has drawn considerable attention recently. Domestic and foreign cybersecurity companies have implemented several new security projects based on the Zero Trust concept. However, several obstacles have arisen during the research and implementation of Zero Trust. For example, it is difficult to bring existing application systems and security devices into the Zero Trust architecture without modification effort, which is costly. Meanwhile, based on a literal reading of the term, Zero Trust is taken to mean no trust at all in the network security architecture, and traditional security concepts are deemed to be replaced by Zero Trust. These defects and misunderstandings have impeded the implementation and promotion of Zero Trust. In this paper, a Lean Trust secure access architecture is proposed based on the Lean Trust concept. Compared with Zero Trust, the Lean Trust architecture clearly identifies the role of risk and trust in the network security architecture. Based on continuous evaluation and precise manipulation of risk and trust, the Lean Trust secure access architecture improves the security of the access process to application and service resources. Moreover, its compatibility with existing security devices and application systems makes the proposed architecture more practical.

Key words: lean trust, risk management, trust evaluation, network security

CLC number: