Why Is Zero Trust Important
With the acceleration of digital transformation, enterprise information security is facing unprecedented challenges, since emerging technologies and innovative services break enterprises’ existing security boundaries.
* The diversity and complexity of visitor identities and access terminals break network boundaries. In this case, traditional access control methods are too simple to meet requirements. For example, after initial user authentication, no further checks are performed to confirm the user’s identity throughout the entire access process. Consequently, violations and abnormal behaviors during the access cannot be managed or controlled in real time.
* After services are migrated to the cloud, centralized data deployment breaks data boundaries and magnifies the risks involved in controlling static authorization, leading to increased potential for data abuse. Furthermore, mixing data of high and low security levels leads to permission pollution, passively increases the overall security requirements, and breaks the balance between security and service experience.
* Resource management is shifted from a distributed mode to a cloud-based centralized mode, and resources can be allocated on demand. Currently, security management and control policies are scattered and the collaboration level is low. Once a cloud host is attacked, it is difficult to quickly mitigate the attack in a closed-loop manner or achieve global defense.
Zero trust is an important concept in addressing these challenges. It enables unified identity management, builds identity boundaries, implements real-time risk awareness, and supports dynamic and fine-grained authorization.
Core Zero Trust Rules
Enterprises build their own zero trust networks based on three core principles: continuous authentication, dynamic authorization, and global defense.
Core zero trust rules
* Continuous authentication based on the never-trust rule, helping build the foundation of identity securityThe zero trust security solution implements unified identity management for people, terminals, and applications, and it establishes an identity-centric access control mechanism. Access subjects’ identities, network environments, and terminal status are used as dynamic factors for authentication. The solution continuously monitors violations and abnormal behaviors during access to the network to ensure continuous trustworthiness of users and terminals.
* Dynamic authorization, fine-grained access control, and on-demand permission grantingThe zero trust security solution controls access permissions at the application, function, and data levels, rather than at the network layer. Only minimal permissions are granted to access subjects, significantly reducing the potential attack surface. In addition, the security control policy dynamically determines permissions based on the access subject, target object, and environment attributes (terminal status, network risk, user behavior, and so on), implementing refined dynamic control of applications, functions, and data.
* Global defense, network-security collaboration, and quick threat handlingThe zero trust security solution evaluates terminal risks, abnormal user behaviors, traffic threats, and application authentication and authorization behaviors to create a complete trust chain. Handling policies are generated for users or devices with low trust scores, and interworking with network or security devices is performed to quickly handle threats. As such, the solution helps enterprises build secure networks capable of zero trust and network-security collaboration.
Zero Trust Architecture
Huawei works with regulatory authorities in various industries to develop a standard architecture that integrates the core zero trust rules.
Huawei’s zero trust architecture
Huawei’s zero trust architecture consists of three logical layers: policy enforcement layer, policy control layer, and security management layer. These logical layers interwork to implement continuous authentication, dynamic authorization, and global defense.
* Policy enforcement layerThe security access agent and context-aware agent are deployed at the policy enforcement layer. As a control device for terminal users to access the enterprise intranet, the security access agent interworks with the identity engine working at the policy control layer to implement continuous user authentication. The context-aware agent receives terminal violation information and delivers corresponding control policies to terminals. It also detects and measures the terminal environment status and changes in real time and reports terminal scores to the security management layer.
* Policy control layerThe identity engine and control engine are deployed at the policy control layer. The identity engine performs unified personnel identity management and authentication, involving user management, organization management, user identity verification, user token management, and application token management. The control engine performs dynamic and refined authentication on data service access requests. If a user’s security level changes, the control engine updates the user’s access permissions in a timely manner.
* Security management layerThe HiSec Insight — the security brain — is deployed at the security management layer. It receives and analyzes terminal scores sent by the context-aware agent, authentication logs sent by the identity engine, authentication logs sent by the control engine, and security risk information aggregated from switches. It also performs global security assessment on users, terminals, and networks. Based on the assessment result, the HiSec Insight delivers processing policies to the control engine and security access agent to mitigate security risks globally.
Methods Used to Implement Zero Trust
Zero trust is implemented through an ongoing and incremental effort. Huawei helps enterprises assess how they can deploy the zero trust security solution on the existing network. The following figure shows the typical networking involved in Huawei zero trust security solution. For details, see HUAWEI HiSec Zero-Trust Security Solution Best Practices. With Huawei’s guidance, the enterprises evaluate which applications or resources can be preferentially selected for zero trust implementation, achieving continuous authentication and dynamic authorization. Ultimately, zero trust is fully implemented through a gradual process that can be adapted according to experience
Typical networking of the Huawei zero trust security solution