Capgemini-零信任:從渴望到快速實施 Zero trust From aspiration to rapid implementation 2024_第1頁
Capgemini-零信任:從渴望到快速實施 Zero trust From aspiration to rapid implementation 2024_第2頁
Capgemini-零信任:從渴望到快速實施 Zero trust From aspiration to rapid implementation 2024_第3頁
Capgemini-零信任:從渴望到快速實施 Zero trust From aspiration to rapid implementation 2024_第4頁
Capgemini-零信任:從渴望到快速實施 Zero trust From aspiration to rapid implementation 2024_第5頁
已閱讀5頁,還剩11頁未讀, 繼續(xù)免費閱讀

下載本文檔

版權(quán)說明:本文檔由用戶提供并上傳,收益歸屬內(nèi)容提供方,若內(nèi)容存在侵權(quán),請進(jìn)行舉報或認(rèn)領(lǐng)

文檔簡介

Zerotrust:

Fromaspirationtorapidimplementation

Zerotrusthasbecomean

essentialcybersecurity

philosophyfororganizations.

Thesteadytrickleofzero

trustsecurityawareness

sinceitsprincipleswere

formalizedin2004hasbuilttoaHoodofadoptiontoday.

Thewayweworkhaschangedradically,withremotewoΓkin9commonplaceando代ceoccupancyΓates

intheUSandUKatrecordlows.1Thetraditional

hardshell/softinteriorcybersecuritymodelthathasdominatedfordecadesisvirtuallyobsolete.

BefoΓe2020,whenuseΓsmadeΓequestsfoΓHexibleremoteworking,thecybersecuritytosupportitwasoftenregardedas“toohard”.Theglobalpandemicforcedthepaceofchangeandachangeinmindset.Organizationsnowfacilitateremoteworking,

supportcollaborativeworkingwithpartnersandsuppliers,andmanyhavemovedmuchoftheirIT

tothecloud.IndustryintelligenceproviderGartnerhaspredictedthatITspendingoncloud-related

categorieswillcontinuetogrow,reaching51%by2025.2Thishasimplicationsforthedemandssuchtransformationwillplaceonbusinesses’cybersecurity.

Ascloudadoptioncontinues,cyber-attacksare

simultaneouslyincreasingtothepointwherethe

costofcybercrimeispredictedtoreach$10.5trillionby2025.3Increasedgeopoliticaltensionstoo,have

increasedthenumberofexternalcyberattackers,theirmotivation,andtheresourcesavailable

tothem.

Giventhiscontext,organizationsnowrealize

thattheΓeisnolon9eΓacleaΓ,easilyde?nable

cybersecurityperimeteraroundtheirnetworks,witheverydevicepotentiallyvulnerableCyberdefense

canberampedupbymovingprotectionclosertoassets,anapproachknownasdeperimeterization,whichisunderpinnedbythezero-trustphilosophy.

Thezerotrustphilosophy:Trustnoone

Theaccelerationtowardswidespreadadoption

ofzerotrustbecameundeniablewhen,in2021,

theUSgovernmentmandatedallfederalagencies

toadoptzerotrustprinciplesby2024.4TheUS

federalstandardsagencies,theNationalInstituteofStandardsandTechnology(NIST),andCybersecurityandInfrastructureSecurityAgency(CISA),haveset

upvendor-agnosticframeworkstohelporganizationsmovetowardszerotrustapproaches.Inzerotrust,

thesecuritydefaultisthat“everythingisbroken”,

andanypartofthesystemmaybecompromised,

ratherthanapresumptionthataperson,deviceorsystemcanbetrustedbecausetheyareworkinginatrustedlocation.Foreveryaccessrequest,auserordevicemustbuildupenoughtrustbeforeaccessisgranted,wherevertheyare.

Traditionally,asingleauthenticationand

authorizationdecisionallowedwide-rangingaccesstointernalsystemsanddata,whichwasasecurityriskasauserordevicecouldbecompromisedat

anytime.Withzerotrust,thecoreprincipleistheadaptiveevaluationoftrust.Thisisdynamicandcontext-based,andaimstoestablishinformationabouttheuseranddevicethroughaprocessof

interrogationeverytimeaccessisrequested.Thefollowingquestionsaretypical:

?Couldtheuserbeaccessingfromadevicethatmaybecompromised?

?Aretheyaccessingwithinnormalworkinghours,

ordidtheystartaccessingatmidnightandfromanunusuallocation?

?Whichnetworkaretheyusing?

?Howsensitiveisthesystemordatatowhichtheyarerequestingaccess?

?Didtheuserauthenticateusingasimplepasswordoramoresecuremethod?

?Isthereaknownsecurityvulnerabilityintheservicethattheuserisattemptingtoaccess?

1AkilaQuinio,

“OfficespacevacanciesinUSandLondonreachat

least20-yearhighs

”,TheFinancialTimes,January24,2023

2

“GartnerSaysMoreThanHalfofEnterpriseITSpendinginKeyMarket

SegmentsWillShifttotheCloudby2025

”,Gartner,February9,2022

3

CybersecurityTrends&StatisticsFor2023;What

YouNeedtoKnow,

Forbes,March2023

Movingtozerotrust:Visionandstructure

Thecomplexityandchangeinorganizational

behaviorrequiredwhenmovingtozerotrustisnot

tobeundeΓestimatedandwilla氏ectthebusinessatalllevels.Itisachangeinapproachtocybersecuritygovernancethatfeedsintooperatingmodelsand

principles,architectureanddesign,processes,and,ofcourse,technology.

Buy-infromtheC-suite,suchasthechiefinformationo代ceΓoΓchieftechnolo9yo代ceΓ,andcollaboΓationacrosstowersofthebusinessareessentialfor

success.Increatingavisionfortransformation,

businessleadersshouldapplyafullspectrumapproachtodesigningalong-termprogramforimplementation.

This9ivesacleaΓeΓviewofthe?nalcostofchan9in9organizationalarchitectureandthebestrouteto

zerotrust’sfullsecurityadvantages.BusinessgoalsshoulddeteΓminethe?naltechnolo9y9oals,not

thereverse.

Ifthereisnocommandingvisionoftheultimate

destination,costsarelikelytomount,aseach

technologytower,businessunitorsitemoves

separatelytonewmodelsandbuytheirown

solutions,withastrongpossibilityofcompatibilityissuesandunnecessarycostsduetoduplication.Arigorouslystructuredchangeprogramwilldeliveramoresecuresystemandlowerthetotalcost

ofownershipthroughagreementonacommon,consolidatedtechnologystackandapproach.

2|ZeroTrust:FromaspirationtorapidimplementationZeroTrust:Fromaspirationtorapidimplementation|3

Thezerotrust

organizationalstructure-

upheldbypillars

Responsibilityforimplementationofcybersecuritymeasuresisoftendistributedacrossvariousgroupsortowers,forexample,betweenidentity,network,operationaltechnology,andengineeringteams.

TheCISAmodelforzerotrust(figure1)isdividedintofivepillars:identity,devices,networks,applications,workloads(e.g.,virtualmachinesandcontainers),

anddata.Theseareabovethreefoundationallayers:visibilityandanalytics,automationandorchestration,andgovernance.Eachpillarcangeneratethesignalsandmetricsusedtomakesmartaccesscontrol

decisions.Forexample,deviceposturedata,suchasOSandbrowserversion,ordiskencryptionandantivirusstatus,couldindicatethatthedeviceisatincreasedriskofbeingcompromised.

Sincezerotrustcontrolsaredistributedanddelegatedthroughoutallfivepillarsandthe

organization,thismayrepresentachallengefor

thosewhoareusedtotheestablishedstructureandallocationofresponsibilityforsecurity.Thismakeschangemanagementcommunicationapriorityforeffectiveacceptance.

FoundationofZeroTrust

Device

Applications

&Workloads

Networks

Identity

Data

VisibilityandAnalytics

AutomationandOrchestration

Governance

figure1CisaZeroTrustMaturityModel

4|ZeroTrust:Fromaspirationtorapidimplementation

ZeroTrust:Fromaspirationtorapidimplementation|5

Faster,smarter,andsaferdecision

Thedecisioncenterofzerotrustisthepolicyengine.Itisherethattrustisdefined,metricsareset,and

thebarriertoaccessrequestsishenceestablished.Theavailabilityofamplebandwidth,machine

learningandAI,andfastprocessingatrelativelylowcosthavecometogethertomakezerotrustsignalanalysisviableinrealtime.

Thepolicyenginereliesonarangeofdatasourcestogeneratesignalsandfinalizeanaccessdecision.Thesecanincludeinformationon:

?Softwarecomponentsandoperatingsystems;

?Industrycompliance.

?Threatintelligence.

?Softwareflawsorreportedattacks.

?Networkandsystemlogs.

?Dataandsystemaccesspolicies.

?Publickeyinfrastructure.

?Identitymanagement;and

?Securityinformation,suchasauthenticationstatus.

Thepolicyenginefeedsthefullrangeofinputs

toatrustalgorithm,whichleadstoanaccess

decision.Signalsthatcanshowsuspiciousactivityareprocessedattheautomationandorchestrationlayer(aspertheCISAframework).Thearchitecturemakespossiblefullyautomated,dynamic,context-based,least-privilegeaccesstoservicesanddata;

andinteroperabilitywithcontinuousmonitoringandcentralizedvisibility.5

Whilezerotrustisamajorstepforwardin

cybersecurity,itismorethanjustthat.Itisamodelforgovernancethatshapesownershipoftheoverallvision,transformationprogramandoutcomes.It

setsbusiness-alignedsecuritypolicyandallocatesresponsibilitytostakeholders.Italsodeterminesifaparticularimplementationresultsinasuccessfultransformationinoperations.

Intheconversiontozerotrust,thenewenvironment

hastobedesignedwithmetricsinplaceto

demonstratesuccessandeffectivelymanageefficiencyandcosts.

Examplesofhowthesemetricscoulddemonstratevalue:

?Areductionininsurancecosts,whereaninsurer

recognizesreducedriskofcyber-attackbymovingtozerotrust

?Improveduserexperience,provenviaemployeesurveysandmetricsfromZscalerDigital

Experience(ZDX)

?Fewersecurityincidentsbyeliminatingexposedinternetattacksurface,loweringoperating

expenses

?Reducedcostofmigrationtocloudservicesusingaconsistentapproach

?Reducednetworkingcostsbyswappingexpensive

?routinglinks(e.g.,MLPS)forZscalerviainternet

?Reducedtotalcostofownershipforsecuritythroughtoolingconsolidation.

5CybersecurityandInfrastructureSecurityAgency,

“ZeroTrustMaturityModel,Version2.0

”,April2023,p.9

Damagelimitationthroughmicrosegmentation

Amajorvulnerabilityofthehardshell/softinteriormodelhasbeenthefreedomanattackerhashadtodoasmuchdamageastheywantedoncethey

managedtobreakthroughthehardshellaroundanorganization’snetwork.Zerotrust’smicro

segmentationcapabilityreducestheaffectedareaofanattack.

Commonpracticehasbeenthateachapplicationhashadeitheranassociatedcertificate,orusername

withapassword,whichitcanusetoaccessother

applicationsanddata.Credentialscanbefound

onthedarkweb,forexample,throughaleaktoa

GitHubrepository,orinacarelesslysavedtextfile,

orthroughcaptureandreplay.Thisenablesattackers

tomasqueradeasanapplication,orotherworkload.Onceinthesoftcenter,theyoftenhavethefreedomtoattackatwill.

Inthezero-trustmodel,accessmaystillbepossible,butasignalthattheuserisaccessingfroman

unusualplace,orthatanapplicationisaccessing

certainunusualdata,willtriggeranalertandbegin

aninterrogationprocesswithcontextualquestions

toidentifyapotentialcompromise,andsubsequentlyblockit.Wealsoimplementtheprincipleofleast

privilege,bywhichusersandapplicationsareonly

allowedaccesstotheservicesanddatathatthey

needtofulfiltheirfunction.Forexample,ratherthancontrollingwhichserverscantalktootherservers,

wecontrolwhichspecificapplicationsonthoseserverscantalktootherapplications.

6|ZeroTrust:FromaspirationtorapidimplementationZeroTrust:Fromaspirationtorapidimplementation|7

Simplificationformergersandacquisitions

Inamergeroracquisitionsituation,organizations

needtoconsolidatetheirnetworksandsecurity

tooling,whichmightdescribeanedgerouter,a

firewall,aVPN—hardwareforInternetconnectivity.Eachpartywillbringtheirownwideareanetwork

(WAN)andrelatednetworksecuritytoolingindatacentersandamerger/acquisitionhasstrictdeadlinestoadheretoforchangeofcontrolrequirements,

requiringintegrationunderpressure.

Duringintegration,acloud-deliveredzerotrust

networkaccessservicesuchasZscaler,aleader

Protectinglegacysystemsinzerotrustsolutions,

allowsuserstoaccessapplicationswithoutrequiringextensivenetworkchangesordeliveringconnectivityviaaremoteaccessservicelikeaVPN.Itconsolidatestechnologysetsfromdifferentbusinessesby

providingthesamesetofcapabilitiesinonepackage.Enterprisescanpublishtheirbusinessapplications

toacentralexchange,fromwhereuserscanrequestaccessregardlessofwhichbusinessentitytheyarefrom.Thisbringsconsiderablesimplificationand

accelerationtomergers.

Protectinglegacysystems

Therehasbeenamonumentalshifttocloud-basedsystems,butagingITinfrastructurepersistsand

requiresprotection.Shiftingtozerotrustbrings

costsavingsthroughsaferetirementoflegacy

securitytechnologybutchangecanbedifficulttoimplementinlegacyenvironments.Withzerotrust,securityisachievedbyring-fencinglegacysystems,puttingcontrolsaroundtheboundary,andblockingaccessunlessarequestforaccesspassesallchecks.Similarly,auserwillnotbeabletoexitthelegacy

environmentwithoutpassingcontext-basedzerotrustchecks.

8|ZeroTrust:Fromaspirationtorapidimplementation

ZeroTrust:Fromaspirationtorapidimplementation|9

Zerotrustforaglobalpharmagroup

Alargepharmaceuticalgroupwithmorethan150locationsgloballyandover20,000usersbrought

Capgeminiintodeliverzerotrustaspartofalargerinfrastructurere-design.

Theinfrastructurewascomplexduetomultiple

systemarchitecturesafteraseriesofmergersandacquisitions.Itwasalsoexpensivetomaintain

withnumerousgatewaydevices,softwareagents,identitysourcesandsecuritypolicies.

Thegoalsfortheprogramwere:

?Improvetheuserexperiencewithcorporate

applicationsandserviceaccessinahybrid

environment,whichwouldalsobringproductivitybenefits

?Reducethevisibleattacksurfaceofcriticalbusinessservicesandapplications

?Initiatea‘leastprivilege’policyforusers,meaninglimitinguseraccesstothespecificdata,resources,andapplicationsneededforatask

?Meetusers’expectationof“anytime,anywhere,anydevice”(ATAWAD).

Theclientsettwostrategicobjectives.Firstly,

toachieveareturnoninvestmentforcapital

expenditure(CAPEX)andoperationalexpenditure(OPEX)whilethezero-trustjourneywasunderway.Secondly,toenablethegrouptoprogressfuture

mergersandacquisitionsregardlessofidentitysourcesandnetworkconstraints.

Capgeminiexecutedacustomertransformation

programtoadaptamoderndigitallandscapetoonewheretheInternetbecamethecorporatenetwork.Thisincludedcreatingacorporatezerotrust

roadmapandidentifyingrelevantfutureusecasestodefinethearchitectureaccordingly.

Usinganend-to-endprocess,theprojectachievedsignificantuserexperienceenhancement.ThiswasachievedwithasinglezerotrustZscalerPrivate

Accesssoftwareagentandstreamlinedglobaltechnicalinfrastructureforinternalapplicationsaccess,simplifyingongoingmanagement.ThetransformationalsoledtoOPEXandCAPEX

optimizationviaadynamiccloud-basedsecurityservicesconsumptionmodel.

Capgemini’send-to-endmethodologyforzerotrustimplementation

Capgemini’sapproachtodeliveringzerotrustforclientsbeginswithanalysisofanorganization’s

culture,goals,andbusinessstrategy.Itisvitalthatsecurityarchitecturesandsolutionsalignwithandsupportthegreaterbusinessgoals.

Wereviewthecurrentsecuritycapabilitiesoftheorganizationwithrespecttozerotrust,in

alignmentwiththeindustrystandardmaturitymodeldevelopedbytheUSsecurityagencyCISA.

Wehelpourclientswithallelementsofzerotrust,fromgovernance,operatingmodels,andprinciples,througharchitectureanddesign,allthewaythroughtoimplementation(technologyandprocess)and

managedservicesonceinoperation.

Ourteamscaneitherworkwithyou,toenable

knowledgesharing;orforyou,totr

溫馨提示

  • 1. 本站所有資源如無特殊說明,都需要本地電腦安裝OFFICE2007和PDF閱讀器。圖紙軟件為CAD,CAXA,PROE,UG,SolidWorks等.壓縮文件請下載最新的WinRAR軟件解壓。
  • 2. 本站的文檔不包含任何第三方提供的附件圖紙等,如果需要附件,請聯(lián)系上傳者。文件的所有權(quán)益歸上傳用戶所有。
  • 3. 本站RAR壓縮包中若帶圖紙,網(wǎng)頁內(nèi)容里面會有圖紙預(yù)覽,若沒有圖紙預(yù)覽就沒有圖紙。
  • 4. 未經(jīng)權(quán)益所有人同意不得將文件中的內(nèi)容挪作商業(yè)或盈利用途。
  • 5. 人人文庫網(wǎng)僅提供信息存儲空間,僅對用戶上傳內(nèi)容的表現(xiàn)方式做保護(hù)處理,對用戶上傳分享的文檔內(nèi)容本身不做任何修改或編輯,并不能對任何下載內(nèi)容負(fù)責(zé)。
  • 6. 下載文件中如有侵權(quán)或不適當(dāng)內(nèi)容,請與我們聯(lián)系,我們立即糾正。
  • 7. 本站不保證下載資源的準(zhǔn)確性、安全性和完整性, 同時也不承擔(dān)用戶因使用這些下載資源對自己和他人造成任何形式的傷害或損失。

評論

0/150

提交評論