Federating trust: network orchestration for cross-boundary zero trust

K. Olson, Eric Keller
DOI: 10.1145/3472716.3472865 (https://doi.org/10.1145/3472716.3472865)
Venue: Proceedings of the SIGCOMM '21 Poster and Demo Sessions
Published: 2021-08-23
Publication type: Journal Article
Citations: 3

Abstract

Zero Trust is an emerging security paradigm that does away with the implicit zones of trust commonly employed within static, defense-in-depth enterprise architectures. One of the core tenets of Zero Trust is that resource access is determined by dynamic policy: an intersection of trust in a user, the supporting application or service, the underlying network, and the devices which hold or process data. Establishing this overall assessment of trust works well for centralized architectures where an administrator can establish and assess each of these trust enablers, such as in an enterprise network. However, shifting workloads to remote access, bring your own device (BYOD), and cloud hosting of collaborative services, to name a few, all challenge the ability of an administrator to effectively establish a complete Zero Trust architecture, because not every component can be fully trusted. This shift away from centrally managed architectures reveals a significant challenge in achieving complete Zero Trust: security is a function of many interactions, many of which an administrator has no control over. Recently the term "Zero Trust 2.0" was coined as an evolution of Zero Trust which establishes identity as the new perimeter via an orchestration layer and machine learning capabilities [trust]. However, this functionality still remains tied to centrally controlled architectures where an administrator can link together products and solutions to achieve a desired level of security. We argue that this orchestration needs to expand beyond these common enterprise boundaries in a way that trust can be guaranteed across disparate systems, networks, and servicers. Similar to identity federation, where a user can use credentials from one provider to access another competitor's platform, federation of trust should serve as a guarantee of security across networks. In the remaining sections we propose what this trust federation mechanism could potentially look like.