Zero Trust: The Magic Bullet or Devil’s Advocate?

Helvi Salminen
European Conference on Cyber Warfare and Security, journal article, published 2023-06-19. DOI: 10.34190/eccws.22.1.1263 (https://doi.org/10.34190/eccws.22.1.1263)

Abstract

The concept of Zero trust was first introduced in the mid-1990s and has gradually attracted increasing attention. This approach to building organizations’ information system infrastructures has been developed as a response to the increasing interaction and interconnection of information systems. As organizational boundaries have become less clear with new business models in which a business process extends beyond the organizational boundaries, the boundaries of information systems are no longer clear either. In this interconnected world, the purely perimeter-based security model, which defines zones of trusted entities inside the perimeter and the untrusted external world outside the perimeter, no longer serves the needs of new business models. And with the combination of complex technology and sophisticated attack methods, it is no longer possible to be sure that all system components and actors inside the perimeter can be trusted. The Zero trust approach brings the sophisticated controls from the perimeter to the entire system. The core idea can be expressed with the four words “never trust, always verify”. No system component is trusted by default, and one-time verification is not sufficient: access to a resource must be verified at each connection attempt. Mutual authentication of the communicating parties is at the core of the approach. But does the zero trust approach have unwanted side effects? The complexity of the system increases when new control layers are built, and system complexity can increase the possibility of configuration errors. Can there be other side effects as well? The need for trust does not disappear even when the systems are built on the zero trust principles. When studying the zero trust approach, the author started thinking about what would happen in human interaction and organizational co-operation if they were based on, or partly applied, the zero trust approach. And the scenarios were quite gloomy. But is this only a nightmare, or is it already at least partly present in our reality? This article describes the zero trust approach and its applicability to technical environments. The second part presents scenarios of the impacts which the application of zero trust principles could have, or maybe already has, in human communication and organizational relationships.