* Zero trust:
The concept of zero trust arose from the de-perimeterisation of networks. In the traditional approach to network construction, the network was divided into an intranet and an extranet; the industry consensus was that attacks come from outside the enterprise, so the protected perimeter was treated as safe by default. The enterprise security department relied on firewalls, IDS/IPS, VPNs, behaviour auditing and similar technical means and products to ensure employees' normal access and legitimate operations, while identifying and blocking malicious or unauthorized access.
A zero trust security architecture protects the business mainly through trust evaluation and dynamic access control applied to all access, whether it originates inside or outside the enterprise. Every request for an enterprise resource is authenticated, authorized and encrypted. Authentication covers both the user and the device in use, and each access request is assessed in real time against the terminal environment, the user's operational risk, network risk, external threats and other factors; access is then controlled dynamically based on the result of that evaluation.
* Network architecture diagram:
* Application layer zero trust:
Compared with host-level and network-level zero trust, application-level zero trust is easier to deploy and easier for users to adopt. In terms of implementation cycle, business impact and construction effect, application-layer zero trust delivers more direct short-term results than the host or network layers and is an easier place to start.
Application-layer zero trust construction mainly consists of two systems: an application security gateway system and a user management system (the modules within each can be split across different products and projects).
The application security gateway system includes: access control, reverse proxy, load balancing, unified access, security protection (mainly WAF-related functions), access auditing (auditing layer 4 to layer 7 traffic), HTTPS support, etc.
The user management system includes: identity authentication, dynamic authorization, SSO, user management, trust assessment, etc.
Points to consider in heterogeneous networks:
Enterprise business now runs on heterogeneous networks, so the following heterogeneous elements must be considered when building a security protection system:
Heterogeneous terminal devices —— devices running different terminal systems connect to the services, such as mobile phones, PCs, servers and browsers;
Heterogeneous network environments —— access may come over mobile networks such as 3G, 4G and 5G, or over fixed networks;
Heterogeneous security scenarios —— network security requirements centred on the perimeter, such as vulnerability exploitation and defence, alongside business security requirements centred on identifying and handling malicious users and malicious operations;
Heterogeneous regulatory standards —— the security system must satisfy different national standards, industry standards and codes;
Heterogeneous users —— long-term employees working from fixed or mobile offices; short-term employees such as outsourced-unit and security personnel; suppliers, operations and maintenance staff and other partner organisations; interns; resigned employees; etc.
A zero trust security architecture rests on five basic assumptions:
· The network is always in a hostile environment; external or internal threats exist throughout the network;
· Network location is not sufficient to establish trust; by default, no person, device or system inside or outside the network should be trusted;
· The trust basis for business access control is rebuilt on authentication and authorization;
· All devices, users and network traffic should be authenticated, authorized and encrypted;
· Security policy must be dynamic and based on multi-source environment data and access behaviour data from devices and users.