Zero trust architecture: challenges and recommendations for successful implementation

Authors

DOI:

https://doi.org/10.30837/rt.2024.3.218.01

Keywords:

zero trust, zero trust architecture, zero trust architecture deployment models, information security, cybersecurity

Abstract

Protecting the modern digital enterprise requires a new approach that ensures secure access to corporate resources anytime and anywhere, and their efficient operation regardless of where they are located. The traditional perimeter-based network protection model cannot adapt to the development of modern technologies. Enterprises have therefore begun to rethink the traditional network security perimeter, leaning toward a new protection concept and architecture: the security paradigm called "zero trust". The zero trust concept attracts particular attention from researchers and practitioners because it can meet new requirements for information security and cybersecurity. One of the factors contributing to the demand for zero trust architecture is the increased complexity and heterogeneity of modern IT systems. However, despite the popularization of this concept and its obvious security benefits, enterprises face certain difficulties in implementing it. Deploying a zero trust architecture is quite complex from both a technical and an organizational point of view. At the same time, interested enterprise representatives are not yet fully aware of the advantages and disadvantages of the zero trust concept, which is still in the process of development, and this significantly hinders its application. The main factors hindering the implementation of the zero trust concept are the lack of information for choosing a zero trust solution and the insufficient number of qualified specialists in this area. In other words, there is currently a lack of awareness of the zero trust concept and architecture, and of their theoretical and practical significance, which makes it difficult to choose the right solution when building a security system for a corporate information system in modern conditions.
This paper aims to solve this problem by summarizing existing research and the experience of various international companies that are implementing this approach in practice. Its purpose is to assist information security professionals at IT enterprises in selecting and applying forward-looking zero trust architectures relevant to their enterprise, in order to increase the cybersecurity of the enterprise information system. The paper briefly discusses the conceptual zero trust architecture, its main logical components, deployment models, threats associated with zero trust architecture, and some recommendations for successful implementation of zero trust architecture in the IT enterprise.


Published

2024-09-26

How to Cite

Yesin, V., Vilihura, V., & Uzlov, D. (2024). Zero trust architecture: challenges and recommendations for successful implementation. Radiotekhnika, 3(218), 7–34. https://doi.org/10.30837/rt.2024.3.218.01

Section

Articles