Capgemini-零信任：從渴望到快速實(shí)施 Zero trust From aspiration to rapid implementation 2024

Zerotrust:

Fromaspirationtorapidimplementation

Zerotrusthasbecomean

essentialcybersecurity

philosophyfororganizations.

Thesteadytrickleofzero

trustsecurityawareness

sinceitsprincipleswere

formalizedin2004hasbuilttoaHoodofadoptiontoday.

Thewayweworkhaschangedradically,withremotewoΓkin9commonplaceando代ceoccupancyΓates

intheUSandUKatrecordlows.1Thetraditional

hardshell/softinteriorcybersecuritymodelthathasdominatedfordecadesisvirtuallyobsolete.

BefoΓe2020,whenuseΓsmadeΓequestsfoΓHexibleremoteworking,thecybersecuritytosupportitwasoftenregardedas“toohard”.Theglobalpandemicforcedthepaceofchangeandachangeinmindset.Organizationsnowfacilitateremoteworking,

supportcollaborativeworkingwithpartnersandsuppliers,andmanyhavemovedmuchoftheirIT

tothecloud.IndustryintelligenceproviderGartnerhaspredictedthatITspendingoncloud-related

categorieswillcontinuetogrow,reaching51%by2025.2Thishasimplicationsforthedemandssuchtransformationwillplaceonbusinesses’cybersecurity.

Ascloudadoptioncontinues,cyber-attacksare

simultaneouslyincreasingtothepointwherethe

costofcybercrimeispredictedtoreach$10.5trillionby2025.3Increasedgeopoliticaltensionstoo,have

increasedthenumberofexternalcyberattackers,theirmotivation,andtheresourcesavailable

tothem.

Giventhiscontext,organizationsnowrealize

thattheΓeisnolon9eΓacleaΓ,easilyde?nable

cybersecurityperimeteraroundtheirnetworks,witheverydevicepotentiallyvulnerableCyberdefense

canberampedupbymovingprotectionclosertoassets,anapproachknownasdeperimeterization,whichisunderpinnedbythezero-trustphilosophy.

Thezerotrustphilosophy:Trustnoone

Theaccelerationtowardswidespreadadoption

ofzerotrustbecameundeniablewhen,in2021,

theUSgovernmentmandatedallfederalagencies

toadoptzerotrustprinciplesby2024.4TheUS

federalstandardsagencies,theNationalInstituteofStandardsandTechnology(NIST),andCybersecurityandInfrastructureSecurityAgency(CISA),haveset

upvendor-agnosticframeworkstohelporganizationsmovetowardszerotrustapproaches.Inzerotrust,

thesecuritydefaultisthat“everythingisbroken”,

andanypartofthesystemmaybecompromised,

ratherthanapresumptionthataperson,deviceorsystemcanbetrustedbecausetheyareworkinginatrustedlocation.Foreveryaccessrequest,auserordevicemustbuildupenoughtrustbeforeaccessisgranted,wherevertheyare.

Traditionally,asingleauthenticationand

authorizationdecisionallowedwide-rangingaccesstointernalsystemsanddata,whichwasasecurityriskasauserordevicecouldbecompromisedat

anytime.Withzerotrust,thecoreprincipleistheadaptiveevaluationoftrust.Thisisdynamicandcontext-based,andaimstoestablishinformationabouttheuseranddevicethroughaprocessof

interrogationeverytimeaccessisrequested.Thefollowingquestionsaretypical:

?Couldtheuserbeaccessingfromadevicethatmaybecompromised?

?Aretheyaccessingwithinnormalworkinghours,

ordidtheystartaccessingatmidnightandfromanunusuallocation?

?Whichnetworkaretheyusing?

?Howsensitiveisthesystemordatatowhichtheyarerequestingaccess?

?Didtheuserauthenticateusingasimplepasswordoramoresecuremethod?

?Isthereaknownsecurityvulnerabilityintheservicethattheuserisattemptingtoaccess?

1AkilaQuinio,

“OfficespacevacanciesinUSandLondonreachat

least20-yearhighs

”,TheFinancialTimes,January24,2023

2

“GartnerSaysMoreThanHalfofEnterpriseITSpendinginKeyMarket

SegmentsWillShifttotheCloudby2025

”,Gartner,February9,2022

3

CybersecurityTrends&StatisticsFor2023;What

YouNeedtoKnow,

Forbes,March2023

Movingtozerotrust:Visionandstructure

Thecomplexityandchangeinorganizational

behaviorrequiredwhenmovingtozerotrustisnot

tobeundeΓestimatedandwilla氏ectthebusinessatalllevels.Itisachangeinapproachtocybersecuritygovernancethatfeedsintooperatingmodelsand

principles,architectureanddesign,processes,and,ofcourse,technology.

Buy-infromtheC-suite,suchasthechiefinformationo代ceΓoΓchieftechnolo9yo代ceΓ,andcollaboΓationacrosstowersofthebusinessareessentialfor

success.Increatingavisionfortransformation,

businessleadersshouldapplyafullspectrumapproachtodesigningalong-termprogramforimplementation.

This9ivesacleaΓeΓviewofthe?nalcostofchan9in9organizationalarchitectureandthebestrouteto

zerotrust’sfullsecurityadvantages.BusinessgoalsshoulddeteΓminethe?naltechnolo9y9oals,not

thereverse.

Ifthereisnocommandingvisionoftheultimate

destination,costsarelikelytomount,aseach

technologytower,businessunitorsitemoves

separatelytonewmodelsandbuytheirown

solutions,withastrongpossibilityofcompatibilityissuesandunnecessarycostsduetoduplication.Arigorouslystructuredchangeprogramwilldeliveramoresecuresystemandlowerthetotalcost

ofownershipthroughagreementonacommon,consolidatedtechnologystackandapproach.

2|ZeroTrust:FromaspirationtorapidimplementationZeroTrust:Fromaspirationtorapidimplementation|3

Thezerotrust

organizationalstructure-

upheldbypillars

Responsibilityforimplementationofcybersecuritymeasuresisoftendistributedacrossvariousgroupsortowers,forexample,betweenidentity,network,operationaltechnology,andengineeringteams.

TheCISAmodelforzerotrust(figure1)isdividedintofivepillars:identity,devices,networks,applications,workloads(e.g.,virtualmachinesandcontainers),

anddata.Theseareabovethreefoundationallayers:visibilityandanalytics,automationandorchestration,andgovernance.Eachpillarcangeneratethesignalsandmetricsusedtomakesmartaccesscontrol

decisions.Forexample,deviceposturedata,suchasOSandbrowserversion,ordiskencryptionandantivirusstatus,couldindicatethatthedeviceisatincreasedriskofbeingcompromised.

Sincezerotrustcontrolsaredistributedanddelegatedthroughoutallfivepillarsandthe

organization,thismayrepresentachallengefor

thosewhoareusedtotheestablishedstructureandallocationofresponsibilityforsecurity.Thismakeschangemanagementcommunicationapriorityforeffectiveacceptance.

FoundationofZeroTrust

Device

Applications

&Workloads

Networks

Identity

Data

VisibilityandAnalytics

AutomationandOrchestration

Governance

figure1CisaZeroTrustMaturityModel

4|ZeroTrust:Fromaspirationtorapidimplementation

ZeroTrust:Fromaspirationtorapidimplementation|5

Faster,smarter,andsaferdecision

Thedecisioncenterofzerotrustisthepolicyengine.Itisherethattrustisdefined,metricsareset,and

thebarriertoaccessrequestsishenceestablished.Theavailabilityofamplebandwidth,machine

learningandAI,andfastprocessingatrelativelylowcosthavecometogethertomakezerotrustsignalanalysisviableinrealtime.

Thepolicyenginereliesonarangeofdatasourcestogeneratesignalsandfinalizeanaccessdecision.Thesecanincludeinformationon:

?Softwarecomponentsandoperatingsystems;

?Industrycompliance.

?Threatintelligence.

?Softwareflawsorreportedattacks.

?Networkandsystemlogs.

?Dataandsystemaccesspolicies.

?Publickeyinfrastructure.

?Identitymanagement;and

?Securityinformation,suchasauthenticationstatus.

Thepolicyenginefeedsthefullrangeofinputs

toatrustalgorithm,whichleadstoanaccess

decision.Signalsthatcanshowsuspiciousactivityareprocessedattheautomationandorchestrationlayer(aspertheCISAframework).Thearchitecturemakespossiblefullyautomated,dynamic,context-based,least-privilegeaccesstoservicesanddata;

andinteroperabilitywithcontinuousmonitoringandcentralizedvisibility.5

Whilezerotrustisamajorstepforwardin

cybersecurity,itismorethanjustthat.Itisamodelforgovernancethatshapesownershipoftheoverallvision,transformationprogramandoutcomes.It

setsbusiness-alignedsecuritypolicyandallocatesresponsibilitytostakeholders.Italsodeterminesifaparticularimplementationresultsinasuccessfultransformationinoperations.

Intheconversiontozerotrust,thenewenvironment

hastobedesignedwithmetricsinplaceto

demonstratesuccessandeffectivelymanageefficiencyandcosts.

Examplesofhowthesemetricscoulddemonstratevalue:

?Areductionininsurancecosts,whereaninsurer

recognizesreducedriskofcyber-attackbymovingtozerotrust

?Improveduserexperience,provenviaemployeesurveysandmetricsfromZscalerDigital

Experience(ZDX)

?Fewersecurityincidentsbyeliminatingexposedinternetattacksurface,loweringoperating

expenses

?Reducedcostofmigrationtocloudservicesusingaconsistentapproach

?Reducednetworkingcostsbyswappingexpensive

?routinglinks(e.g.,MLPS)forZscalerviainternet

?Reducedtotalcostofownershipforsecuritythroughtoolingconsolidation.

5CybersecurityandInfrastructureSecurityAgency,

“ZeroTrustMaturityModel,Version2.0

”,April2023,p.9

Damagelimitationthroughmicrosegmentation

Amajorvulnerabilityofthehardshell/softinteriormodelhasbeenthefreedomanattackerhashadtodoasmuchdamageastheywantedoncethey

managedtobreakthroughthehardshellaroundanorganization’snetwork.Zerotrust’smicro

segmentationcapabilityreducestheaffectedareaofanattack.

Commonpracticehasbeenthateachapplicationhashadeitheranassociatedcertificate,orusername

withapassword,whichitcanusetoaccessother

applicationsanddata.Credentialscanbefound

onthedarkweb,forexample,throughaleaktoa

GitHubrepository,orinacarelesslysavedtextfile,

orthroughcaptureandreplay.Thisenablesattackers

tomasqueradeasanapplication,orotherworkload.Onceinthesoftcenter,theyoftenhavethefreedomtoattackatwill.

Inthezero-trustmodel,accessmaystillbepossible,butasignalthattheuserisaccessingfroman

unusualplace,orthatanapplicationisaccessing

certainunusualdata,willtriggeranalertandbegin

aninterrogationprocesswithcontextualquestions

toidentifyapotentialcompromise,andsubsequentlyblockit.Wealsoimplementtheprincipleofleast

privilege,bywhichusersandapplicationsareonly

allowedaccesstotheservicesanddatathatthey

needtofulfiltheirfunction.Forexample,ratherthancontrollingwhichserverscantalktootherservers,

wecontrolwhichspecificapplicationsonthoseserverscantalktootherapplications.

6|ZeroTrust:FromaspirationtorapidimplementationZeroTrust:Fromaspirationtorapidimplementation|7

Simplificationformergersandacquisitions

Inamergeroracquisitionsituation,organizations

needtoconsolidatetheirnetworksandsecurity

tooling,whichmightdescribeanedgerouter,a

firewall,aVPN—hardwareforInternetconnectivity.Eachpartywillbringtheirownwideareanetwork

(WAN)andrelatednetworksecuritytoolingindatacentersandamerger/acquisitionhasstrictdeadlinestoadheretoforchangeofcontrolrequirements,

requiringintegrationunderpressure.

Duringintegration,acloud-deliveredzerotrust

networkaccessservicesuchasZscaler,aleader

Protectinglegacysystemsinzerotrustsolutions,

allowsuserstoaccessapplicationswithoutrequiringextensivenetworkchangesordeliveringconnectivityviaaremoteaccessservicelikeaVPN.Itconsolidatestechnologysetsfromdifferentbusinessesby

providingthesamesetofcapabilitiesinonepackage.Enterprisescanpublishtheirbusinessapplications

toacentralexchange,fromwhereuserscanrequestaccessregardlessofwhichbusinessentitytheyarefrom.Thisbringsconsiderablesimplificationand

accelerationtomergers.

Protectinglegacysystems

Therehasbeenamonumentalshifttocloud-basedsystems,butagingITinfrastructurepersistsand

requiresprotection.Shiftingtozerotrustbrings

costsavingsthroughsaferetirementoflegacy

securitytechnologybutchangecanbedifficulttoimplementinlegacyenvironments.Withzerotrust,securityisachievedbyring-fencinglegacysystems,puttingcontrolsaroundtheboundary,andblockingaccessunlessarequestforaccesspassesallchecks.Similarly,auserwillnotbeabletoexitthelegacy

environmentwithoutpassingcontext-basedzerotrustchecks.

8|ZeroTrust:Fromaspirationtorapidimplementation

ZeroTrust:Fromaspirationtorapidimplementation|9

Zerotrustforaglobalpharmagroup

Alargepharmaceuticalgroupwithmorethan150locationsgloballyandover20,000usersbrought

Capgeminiintodeliverzerotrustaspartofalargerinfrastructurere-design.

Theinfrastructurewascomplexduetomultiple

systemarchitecturesafteraseriesofmergersandacquisitions.Itwasalsoexpensivetomaintain

withnumerousgatewaydevices,softwareagents,identitysourcesandsecuritypolicies.

Thegoalsfortheprogramwere:

?Improvetheuserexperiencewithcorporate

applicationsandserviceaccessinahybrid

environment,whichwouldalsobringproductivitybenefits

?Reducethevisibleattacksurfaceofcriticalbusinessservicesandapplications

?Initiatea‘leastprivilege’policyforusers,meaninglimitinguseraccesstothespecificdata,resources,andapplicationsneededforatask

?Meetusers’expectationof“anytime,anywhere,anydevice”(ATAWAD).

Theclientsettwostrategicobjectives.Firstly,

toachieveareturnoninvestmentforcapital

expenditure(CAPEX)andoperationalexpenditure(OPEX)whilethezero-trustjourneywasunderway.Secondly,toenablethegrouptoprogressfuture

mergersandacquisitionsregardlessofidentitysourcesandnetworkconstraints.

Capgeminiexecutedacustomertransformation

programtoadaptamoderndigitallandscapetoonewheretheInternetbecamethecorporatenetwork.Thisincludedcreatingacorporatezerotrust

roadmapandidentifyingrelevantfutureusecasestodefinethearchitectureaccordingly.

Usinganend-to-endprocess,theprojectachievedsignificantuserexperienceenhancement.ThiswasachievedwithasinglezerotrustZscalerPrivate

Accesssoftwareagentandstreamlinedglobaltechnicalinfrastructureforinternalapplicationsaccess,simplifyingongoingmanagement.ThetransformationalsoledtoOPEXandCAPEX

optimizationviaadynamiccloud-basedsecurityservicesconsumptionmodel.

Capgemini’send-to-endmethodologyforzerotrustimplementation

Capgemini’sapproachtodeliveringzerotrustforclientsbeginswithanalysisofanorganization’s

culture,goals,andbusinessstrategy.Itisvitalthatsecurityarchitecturesandsolutionsalignwithandsupportthegreaterbusinessgoals.

Wereviewthecurrentsecuritycapabilitiesoftheorganizationwithrespecttozerotrust,in

alignmentwiththeindustrystandardmaturitymodeldevelopedbytheUSsecurityagencyCISA.

Wehelpourclientswithallelementsofzerotrust,fromgovernance,operatingmodels,andprinciples,througharchitectureanddesign,allthewaythroughtoimplementation(technologyandprocess)and

managedservicesonceinoperation.

Ourteamscaneitherworkwithyou,toenable

knowledgesharing;orforyou,totr