基于精益信任的风险信任体系构建研究

doi:10.3969/j.issn.1671-1122.2019.10.005

信息网络安全 ›› 2019, Vol. 19 ›› Issue (10): 32-41.doi: 10.3969/j.issn.1671-1122.2019.10.005

基于精益信任的风险信任体系构建研究

訾然^1,²(), 刘嘉¹

1.中国科学院深圳先进技术研究院,广东深圳 518055
2.深信服科技股份有限公司,广东深圳 518055

收稿日期:2019-08-15 出版日期:2019-10-10 发布日期:2020-05-11
通讯作者: 訾然 E-mail:ziran@sangfor.com.cn
作者简介:
作者简介：訾然（1988—）,男,云南,博士,主要研究方向为网络安全;刘嘉（1979—）,男,重庆,研究员,博士,主要研究方向为信号处理。
基金资助:
国家自然科学基金[81661168015]

Research on Construction of Risk and Trust Architecture Based on Lean Trust

Ran ZI^1,²(), Jia LIU¹

1. Shenzhen Institutes of Advanced Technology, Chinese Academy of Sciences, Shenzhen Guangdong 518055, China
2. Sangfor Technologies, Shenzhen Guangdong 518055, China

Received:2019-08-15 Online:2019-10-10 Published:2020-05-11
Contact: Ran ZI E-mail:ziran@sangfor.com.cn

摘要/Abstract

摘要：

随着云计算、大数据、移动互联等技术的快速落地,以及数据泄露、高级持续攻击等内部系统安全威胁的升级,零信任架构在网络安全领域出现,并引起了巨大地关注,国内外网络安全企业对零信任架构进行了设计与实现。但是零信任架构在研究和落地过程中出现了一系列的问题,如零信任架构如何与业务系统、已有安全手段兼容,零信任如何低成本落地等。且依据对现有的零信任架构加以分析,零信任被等同于安全建设中不需要任何信任,能够完全取代现有安全建设。上述问题和误解阻碍了零信任架构的落地,为此,文章利用精益信任的理念,构建了精益信任安全访问架构。精益信任安全访问架构相比零信任架构,明确了风险/信任在网络安全建设中的定位,通过对风险/信任的持续评估和精益控制,实现新的网络、安全环境下的安全可靠访问。该架构能与现有网络安全架构实现良好融合,且兼容已有的安全控制手段和业务应用,具有良好的可落地和可扩展性。

关键词: 精益信任, 风险管理, 信任评估, 网络安全

Abstract:

With the rapid deployment of new technologies like cloud computing, big data and mobile communication, as well as the IT systems’ growing internalsecurity threat such as data breach and advanced persistent threats, Zero Trust concept has been put forward and drawn considerable attention recently. Domestic and foreign cybersecurity companies implemented several new security projects based on the Zero Trustconcept. However, several obstacles occurred during the research and implementation of Zero Trust. For example, it is difficult to involve the existing applications systems and security devices into the Zero Trust architecture without efforts of modification, which is of high cost. Meanwhile, based on the literal understanding of Zero Trust, Zero Trust equals to no trust in the network security architecture. Moreover, traditional security concepts are deemed to be replaced by Zero Trust. These defects and misunderstandings impeded the implementations and promotion of Zero Trust. In this paper, a Lean Trust secure access architecture is proposed based on the Lean Trust concept. Comparing with Zero Trust, Lean Trust architecture clearly identifies the role of risk and trust in network security architecture. Based on the continuous evaluation and precise manipulation of risk and trust, the Lean Trust secure access architecture promotes the security of the access process to the application and service resources. Moreover, the compatibility with existing security devices and application systems makes the proposed architecture more practical.

Key words: lean trust, risk management, trust evaluation, network security

中图分类号:

TP309

訾然, 刘嘉. 基于精益信任的风险信任体系构建研究[J]. 信息网络安全, 2019, 19(10): 32-41.

Ran ZI, Jia LIU. Research on Construction of Risk and Trust Architecture Based on Lean Trust[J]. Netinfo Security, 2019, 19(10): 32-41.

图/表 4

参考文献 25

[1]	MORGANS.2017 Cybercrime Report[EB/OL].
[2]	Ponemon Institute.2017 Cost of Data Breach Study[EB/OL].
[3]	MOORE S. Gartner Says Worldwide Information Security Spending Will Grow 7 Percent to Reach $86.4 Billion in 2017[EB/OL]. , 2017-8-16.
[4]	KINDERVAG J. Build Security into Your Network’s Dna: The Zero Trust Network Architecture[EB/OL]. , 2010-11-5.
[5]	BILGERB, et al. Software Defined Perimeter[EB/OL]. , 2013-11-15.
[6]	GARBIS J, THAPLIYAL P, et al. Software Defined Perimeter for Infrastructure as a Service[EB/OL]. .2016-9-30.
[7]	WARD R, BETSY B.Beyondcorp: A New Approach to Enterprise Security[J]. Login, 2014, 39(6): 6-11.
[8]	OSBORN B, MCWILLIAMSJ , et al. BeyondCorp: Design to Deployment at Google[J]. Login, 2016, 41(1): 28-34.
[9]	CUNNINGHAMC. The Forrester Wave™: Zero Trust eXtended(ZTX) Ecosystem Providers, Q4 2018[EB/OL]. , 2018-11-8.
[10]	GARBISJ.BeyondCorp, Zero Trust, SDP & a Grand Unified Theory of Network Security[EB/OL]. , 2017-11-9.
[11]	Duo Security. Duo Beyond Overview[EB/OL]. 2019-4-3.
[12]	GREALISHG, Digging Deeper into Zero Trust[EB/OL]. .2019-1-8.
[13]	WRIGHT E. When Zero Trust is a Good Thing: VMware NSX Security[EB/OL]. , 2014-1-12.
[14]	MACDONALD N. Zero Trust Is an Initial Step on the Roadmap to CARTA[EB/OL]. , 2018-11-10.
[15]	Security Primer. Why Zero Trust Trumps Traditional Security[EB/OL]. , 2019-4-10.
[16]	STEVENS R.TCP/IP Illustrated vol. I: The Protocols[M]. Boston: Addison-Wesley Professional, 2011.
[17]	BELLOVIN M.Security Problems in the TCP/IP Protocol Suite[J]. ACM SIGCOMM Computer Communication Review, 2002, 19(2): 32-48.
[18]	HUNT R.Internet/Intranet Firewall Security—Policy, Architecture and Transaction Services[J]. Computer Communications, 1998, 21(13): 1107-1123.
[19]	STALLINGS W, BROWNL , BAUER M D, el al. Computer Security: Principles and Practice[M]. London: Pearson Education, 2007.
[20]	FU Z, et al.IPSec/VPN Security Policy: Correctness, Conflict Detection, and Resolution[C]//Springer. International Workshop on Policies for Distributed Systems and Networks. January 29-31, 2001, Bristol, United Kingdom. Berlin: Springer, 2001: 39-56.
[21]	HAMEDH, AL-SHEAR E, et al. Modeling and Verification of IPSec and VPN Security Policies[C]//IEEE. 13th IEEE International Conference on Network Protocols(ICNP’05). November 5-9, 2005, Boston, MA, USA. NewYork: IEEE, 2005: 259-278.
[22]	HUNYADY J, et al. Routing VoIP Calls through Multiple Security Zones. U.S. Patent No. 8,200,827[P].2012-6-12.
[23]	CHERIAN A. Why Conditional Access Is Essential to Zero Trust Security[EB/OL]. , 2019-6-19.
[24]	TISHBI L, GOELP, MCWILLIAMS J. How Google Adopted BeyondCorp[EB/OL]. , 2019-6-27.
[25]	ROY J, PARADIS S, et al. Threat Evaluation for Impact Assessment in Situation Analysis Systems[EB/OL]. , 2002-7-15.

基于精益信任的风险信任体系构建研究

Research on Construction of Risk and Trust Architecture Based on Lean Trust

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 4

参考文献 25

相关文章 15

编辑推荐

Metrics

本文评价

[1]	刘建伟, 韩祎然, 刘斌, 余北缘. 5G网络切片安全模型研究[J]. 信息网络安全, 2020, 20(4): 1-11.
[2]	赵志岩, 纪小默. 智能化网络安全威胁感知融合模型研究[J]. 信息网络安全, 2020, 20(4): 87-93.
[3]	黎水林, 祝国邦, 范春玲, 陈广勇. 一种新的等级测评综合得分算法研究[J]. 信息网络安全, 2020, 20(2): 1-6.
[4]	荆涛, 万巍. 面向属性迁移状态的P2P网络行为分析方法研究[J]. 信息网络安全, 2020, 20(1): 16-25.
[5]	裘玥. 大型体育赛事网络安全风险分析与评估[J]. 信息网络安全, 2019, 19(9): 61-65.
[6]	高孟茹, 谢方军, 董红琴, 林祥. 面向关键信息基础设施的网络安全评价体系研究[J]. 信息网络安全, 2019, 19(9): 111-114.
[7]	陈良臣, 刘宝旭, 高曙. 网络攻击检测中流量数据抽样技术研究[J]. 信息网络安全, 2019, 19(8): 22-28.
[8]	尚文利, 尹隆, 刘贤达, 赵剑明. 工业控制系统安全可信环境构建技术及应用[J]. 信息网络安全, 2019, 19(6): 1-10.
[9]	张可, 汪有杰, 程绍银, 王理冬. DDoS攻击中的IP源地址伪造协同处置方法[J]. 信息网络安全, 2019, 19(5): 22-29.
[10]	倪一涛, 陈咏佳, 林柏钢. 基于自动解混淆的恶意网页检测方法[J]. 信息网络安全, 2019, 19(4): 37-46.
[11]	陈良臣, 高曙, 刘宝旭, 卢志刚. 网络加密流量识别研究进展及发展趋势[J]. 信息网络安全, 2019, 19(3): 19-25.
[12]	傅建明, 黎琳, 郑锐, 苏日古嘎. 基于GAN的网络攻击检测研究综述[J]. 信息网络安全, 2019, 19(2): 1-9.
[13]	韦力, 段沁, 刘志伟. 互联网时代医院网络安全管理综述[J]. 信息网络安全, 2019, 19(12): 88-92.
[14]	张振峰, 张志文, 王睿超. 网络安全等级保护2.0云计算安全合规能力模型[J]. 信息网络安全, 2019, 19(11): 1-7.
[15]	张健, 陈博翰, 宫良一, 顾兆军. 基于图像分析的恶意软件检测技术研究[J]. 信息网络安全, 2019, 19(10): 24-31.