Review of existing models and basic zero trust principles
DOI:
https://doi.org/10.30837/rt.2024.2.217.03Keywords:
zero trust, models and principles of zero trust, cybersecurity, information securityAbstract
Ensuring the information security of an enterprise is quite a complex task. This is due to the multifaceted nature of IT infrastructure and applications, the breadth and intensity of user access, the excessive openness of most corporate networks, and several other factors. In these conditions, the concept of zero trust is increasingly being considered as the most preferable solution to the problem of ensuring the security of enterprises, organizations, institutions. The basic idea of the concept of zero trust is that there are no areas that are trustworthy. However, despite the popularization of the zero trust concept and the obvious security benefits of its application in enterprises, there are certain difficulties in its implementation. In particular, planning to bring the infrastructure into compliance with the zero-trust principles cannot be accomplished partially or as part of minor modifications to the relevant information systems. It is necessary to reorganize the information infrastructure as a whole, as well as to integrate all aspects that ensure the security of enterprise activities, so that the zero-trust principles show their effectiveness. On the other hand, today there is a problem associated with a certain lack of awareness about the zero-trust approach (about its theoretical and practical potential) for choosing the right solution. This paper is precisely aimed at solving this problem by summarizing existing research and the experience of various international companies that are implementing this approach in practice. It briefly discusses models and key zero-trust principles proposed by renowned international organizations and companies that will help make sense of a fundamental shift in the approach to information security, cybersecurity.
References
Department of Defense. Global Information Grid Architectural Vision. Vision for a Net-Centric, Ser-vice-Oriented DoD Enterprise. Version 1.0 2007. URL: https://acqnotes.com/Attachments/DoD%20GIG%20Architectural%20Vision,%20June%2007.pdf. .
Buck C., Olenberger C., Schweizer A., Völter F., Eymann, T. Never trust, always verify: A multivocal lit-erature review on current knowledge and research gaps of zero-trust // Computers & Security. 2021. 110. 102436.
Dhanarani A., Evans R., Loumi H., Lowenthal R., Lopes P., Mesaros M., Schaeumer B., Wahl P., Williams A., Zaidi N. Oracle Database Security a technical primer. Fifth edition. Version 5.0. 2023. URL: https://download.oracle.com/database/oracle-database-security-primer.pdf.
Kerman A., Borchert O., Rose S., Division E., Tan A. Implementing a zero trust architecture // National Institute of Standards and Technology. 2020. 17 p. URL: https://www.nccoe.nist.gov/sites/default/files/legacy-files/zta-project-description-final.pdf.
National Cybersecurity Center of Excellence (NCCoE). Implementing a Zero Trust Architecture. URL: https://www.nccoe.nist.gov/projects/implementing-zero-trust-architecture.
Garbis J., Chapman J. W. Zero Trust Security: An Enterprise Guide. Berkeley, CA: Apress, 2021. 300 p.
Rose S., Borchert O., Mitchell S., Connelly S. Zero Trust Architecture. NIST Special Publication 800-207. 2020. https://doi.org/10.6028/NIST.SP.800-207.
Samaniego M., Deters R. Zero-trust hierarchical management in IoT // 2018 IEEE international congress on Internet of Things (ICIOT). IEEE, 2018. P. 88–95.
Ross R., Pillitteri V., Graubart, R., Bodeau D., McQuaid R. Developing Cyber-Resilient Systems: A Sys-tems Security Engineering Approach // NIST Special Publication 800-160. Vol. 2. Revision 1. 2021. 310 p.
Zero Trust Security Market Size, Share & Trends Analysis Report By Deployment (Cloud, On-premises), By Security Type (Network, Endpoint), By Authentication, By Organization Size, By Application, By Region, And Segment Forecasts, 2023-2030. Zero Trust Security Market Size & Trends. URL: https://www.grandviewresearch.com/industry-analysis/zero-trust-security-market-report.
Grand View Research. Zero Trust Security Market Growth & Trends. URL: https://www.grandviewresearch.com/press-release/global-zero-trust-security-market.
Gartner. Press Release. Gartner Predicts 10% of Large Enterprises Will Have a Mature and Measurable Zero-Trust Program in Place by 2026. URL: https://www.gartner.com/en/newsroom/press-releases/2023-01-23-gartner-predicts-10-percent-of-large-enterprises-will-have-a-mature-and-measurable-zero-trust-program-in-place-by-2026.
Fortinet. The State of Zero Trust. Report. 2023. URL: https://www.fortinet.com/content/dam/fortinet/assets/reports/report-state-of-zero-trust.pdf.
Martinez J. Zero Trust Architecture: 2024 Complete Guide. URL: https://www.strongdm.com/zero-trust.
Shore M., Zeadally S., Keshariya A. Zero trust: the what, how, why, and when // Computer. 2021. Vol. 54. № 11. P. 26–35. https://doi.org/10.1109/MC.2021.3090018.
Kindervag J., Balaouras S., Mak K., Blackborow J. No More Chewy Centers: The Zero Trust Model Of Information Security. Forrester Research, Inc. 2016. URL: https://crystaltechnologies.com/wp-content/uploads/2017/12/forrester-zero-trust-model-information-security.pdf.
Saltzer J. H., Schroeder M. D. The protection of information in computer systems // Proceedings of the IEEE. 1975. 63(9). P. 1278–1308.
Jericho Forum Commandments. Version 1.2. 2007. URL: https://collaboration.opengroup.org/jericho/commandments_v1.2.pdf.
Cunningham C., Balaouras S., Barringham B., Dostie P. The Zero Trust eXtended (ZTX) Ecosystem. Ex-tending Zero Trust Security Across Your Digital Business. Forrester Research, Inc. Cambridge, MA. 2018. URL: https://www.cisco.com/c/dam/m/en_sg/solutions/security/pdfs/forrester-ztx.pdf.
Ward R., Beyer B. Beyondcorp: A new approach to enterprise security // login. 2014. 39(6). P. 6–11.
Osborn, B., McWilliams, J., Beyer, B., Saltonstall M. Beyondcorp: Design to deployment at google // login. 2016. 41(1). P. 28–35.
Cittadini L., Spear B., Beyer B., Saltonstall M. Beyondcorp: The access proxy // login. 2016. 41(4). P. 28–35.
Peck J., Beyer B., Beske, C. M., Saltonstall M. Migrating to BeyondCorp: maintaining productivity while improving security // login. 2017. 42(2). P. 49–55.
Escobedo V., Beyer B., Zyzniewski F., Saltonstall, M. BeyondCorp: the user experience // login. 2017. 42(3). P. 38–43.
King H., Janosko M., Beyer B., Saltonstall M. Beyondcorp 6: Building a healthy fleet // login. 2018. 43(3). P. 24–30.
Gonçalves G., O'Malley K., Beyer, B., Saltonstall M. BeyondCorp and the long tail of Zero Trust // login. 2023. 52423. URL: https://www.usenix.org/publications/loginonline/beyondcorp-and-long-tail-zero-trust.
Continuous Adaptive Risk and Trust Assessment (CARTA). URL: https://www.ssh.com/academy/iam/carta.
Sarkar S., Choudhary G., Shandilya S. K., Hussain A., Kim H. Security of Zero Trust Networks in Cloud Computing: A Comparative Review // Sustainability. 2022. 14. 11213. https://doi.org/10.3390/su141811213.
Bayuk J. L. Stepping Through the InfoSec Program. ISACA. 2007. 238 p.
Erl T. Service-oriented architecture: concepts, technology, and design. Pearson Education India, 2005. 760 p.
Singhal A., Winograd T., Scarfone K. Guide to Secure Web Services. Recommendations of the National Institute of Standards and Technology. NIST Special Publication 800-95. 2007. 128 p.
Cybersecurity and Infrastructure Security Agency. Zero Trust Maturity Model. Version 2.0. 2023. URL: https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf.
Єсін В. І., Вілігура В. В., Сватовський І. І. Забезпечення безпеки у розподілених інформаційних си-стемах: основні аспекти // Радіотехніка. 2023. Вип. 214. С. 32–63. https://doi.org/10.30837/rt.2023.3.214.04.
Boyens J., Bartol N., Boyens J., Moorthy R., Paulsen C., Shankles S. A. Notional supply chain risk man-agement practices for federal information systems // US Department of Commerce, National Institute of Standards and Technology. NISTIR 7622. 2012. 99 p.
Committee on National Security Systems (CNSS) Glossary. CNSSI No. 4009. 2022. URL: https://www.niap-ccevs.org/Ref/CNSSI_4009.pdf.
Temoshok D., Abruzzi C. Developing trust frameworks to support identity federations. US Department of Commerce, National Institute of Standards and Technology. NISTIR 8149. 2018. 34 p.
Holmes D., Burn J., Mellen A., Pollard J., Cerrato P., Cser A. OMB’s Zero Trust Strategy: Government Gets Good. URL: https://www.forrester.com/blogs/ombs-zero-trust-strategy-government-gets-good/.
van der Meulen R. Build adaptive security architecture into your organization. 2017. URL: https://www.gartner.com/smarterwithgartner/build-adaptive-security-architecture-into-your-organization.
Syed N. F., Shah S. W., Shaghaghi A., Anwar A., Baig Z., Doss R. Zero Trust Architecture (ZTA): A Com-prehensive Survey // IEEE Access. 2022. Vol. 10. P. 57143-57179. doi: 10.1109/ACCESS.2022.3174679.
The National Cyber Security Centre. Zero trust architecture design principles. Guidance. Version 1.0. 2021. URL: https://www.ncsc.gov.uk/collection/zero-trust-architecture.
Toal P., Gopalan K. Approaching Zero Trust Security with Oracle Cloud Infrastructure. Version 1.2. Whitepaper. Oracle and/or its affiliates. 2022. URL: https://www.oracle.com/a/ocom/docs/whitepaper-zero-trust-security-oci.pdf.
Downloads
Published
How to Cite
Issue
Section
License
Authors who publish with this journal agree to the following terms:
1. Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
2. Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
3. Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).
