
2020.10.22

NIST document on the Zero Trust Architecture implementation project

Hello, this is Mitsuhiko Maruyama (丸山満彦).

When I think about how we will work and how systems will be built going forward, Zero Trust Architecture makes sense, so just as the cloud quietly became the norm, I expect Zero Trust Architecture will become the norm as well. That said, just as not every resource moved to the cloud at once, not everything will migrate to Zero Trust Architecture at once. I expect it to advance quietly, step by step, until one day we notice it has simply become the default.

So I think it is essential for the people responsible for security design in an organization to look ahead and start working early with the systems departments and others to study adopting Zero Trust Architecture.

Even so, many of the assumptions behind today's security designs will change, so while implementing it is not impossibly difficult, it is not so easy that you can "start tomorrow" either. I think it will mean fully understanding the essentials of Zero Trust Architecture, then drawing up a plan that takes proper account of your own organization's system environment, future plans, available budget, and staff, and proceeding with it (while revisiting the plan as needed, since the technology is changing rapidly).

Fortunately, NIST recently published NIST SP 800-207, its document on Zero Trust Architecture, so the concepts and terminology around Zero Trust should become more unified and easier to understand. And it seems an implementation project based on that document is now getting under way...

 

● NIST - ITL

・2020.10.21 (publication) White Paper [Project Description] Implementing a Zero Trust Architecture

・[PDF]  Project Description

Reference

Supplemental Material:  Project homepage (other)

 

Six scenarios are envisioned for implementation:

  1. Employee access to corporate resources
  2. Employee access to internet resources
  3. Contractor access to corporate and internet resources
  4. Inter-server communication within the enterprise
  5. Cross-enterprise collaboration with business partners
  6. Developing a trust score/confidence level using corporate resources

This project explicitly excludes OT from its scope...

 

SCENARIOS

 

Responses from industry organizations that express interest in taking part in this project will affect the potential scenario-set in terms of the composition and number of scenarios demonstrated. These scenarios encapsulate the notion of providing subjects access to corporate resources hosted on premise or in the cloud. Access requests may come from within the enterprise network or the public internet, in the case of teleworkers. It is assumed the enterprise is implementing a ZTA within an existing typical corporate environment.

 

Scenario 1: Employee Access to Corporate Resources

An employee is looking for easy and secure access to corporate resources, from any work location. This scenario will demonstrate a specific user experience where an employee attempts to access corporate services such as the corporate intranet, a time-and-attendance system, and other human resources systems by using either an enterprise-managed device or a personally owned device. The ZTA solution implemented in this project will enforce the associated access request, dynamically and in near real-time. The employee will be able to perform the following:

  • Access on-premise corporate resources while connected from the corporate intranet.
  • Access corporate resources in the cloud while connected directly from the corporate intranet.
  • Access on-premise corporate resources while connected from a branch office.
  • Access corporate resources in the cloud while connected from a branch office.
  • Access on-premise corporate resources from the public internet while teleworking.
  • Access corporate resources in the cloud from the public internet while teleworking.

 

Scenario 2: Employee Access to Internet Resources

An employee is trying to access the public internet to accomplish some tasks. This scenario will show a specific user experience where an employee attempts to access an enterprise-sanctioned, web-based service on the internet by using an enterprise-managed device. Although the web-based service is not owned and managed by the enterprise, the associated access request for that resource will still be enforced, dynamically and in real time, by a ZTA solution implemented in this project. The solution will manage the employee’s access, regardless of location. That is, the employee can access the internet while connected inside the corporate intranet, a branch office, or the public internet by using an enterprise-managed device.

If an employee is allowed by corporate policy to access non-enterprise-managed resources and services in the public internet by using enterprise-managed devices, the ZTA solution will allow the enterprise to determine the extent of this access.

Examples of access restrictions in the above paragraph could include:

  • Access to social media sites is not sanctioned.
  • Access to an internet search engine is permitted, and the associated access request for this resource does not need to be granted in real time through the corporate network when an employee is working at a branch office or while teleworking (e.g., coffee shop or airport).
  • Mission-critical services on the public internet (e.g., GitHub) can be accessed directly by the employee.

 

Scenario 3: Contractor Access to Corporate and Internet Resources

A contractor is trying to access certain corporate resources and the internet. This scenario will show a specific user experience where a contractor attempts to access certain corporate resources and the internet to perform the planned service for the organization. The corporate resources can be on premise or in the cloud, and the contractor will be able to access corporate resources while on premise or from the public internet, using an enterprise-managed device given to the contractor, a contractor-owned and managed device, or a BYOD scenario. The ZTA solution implemented in this project will enforce, dynamically and in near real time, the associated access requests for resources by the contractor.

 

Scenario 4: Inter-server Communication Within the Enterprise

Corporate services often have different servers communicating with each other. For example, a web server communicates with an application server. The application server communicates with a database to retrieve data back to the web server. This scenario will demonstrate examples of inter-server interactions within the enterprise, which will include servers that are on premise, in the cloud, or between servers that are on premise and in the cloud. The ZTA solution implemented in this project will enforce, dynamically and in near real time, the associated network communications among designated servers that interact with one another.

 

Scenario 5: Cross-Enterprise Collaboration with Business Partners

Two enterprises (Enterprise A and Enterprise B) may collaborate on a project where resources are shared. In this scenario, the ZTA solution implemented in this project will enable users from one enterprise to securely access specific resources from the other enterprise, and vice versa.

For example, Enterprise A users will be able to access a specific application from Enterprise B, while Enterprise B users will be able to access a specific database from Enterprise A.

 

Scenario 6: Develop Trust Score/Confidence Level with Corporate Resources

Enterprises have monitoring systems, security information and event management (SIEM) systems, and other resources that can provide data to support security analytics to a policy engine to create a more granular trust score/confidence level for access to corporate resources and promote strict access based on the confidence level. In this scenario, a ZTA solution will integrate these monitoring and SIEM systems with the policy engine to produce more precise calculation of trust scores/confidence levels in near real time.
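To make the policy-engine behaviour in Scenarios 1 through 3 and 6 concrete, here is an added illustration (not code from NIST or the NCCoE project) of a policy engine that folds identity, device, location and SIEM signals into a confidence level and compares it with the confidence each resource requires. The resource names, weights, thresholds and signal fields are all constructed assumptions; a real engine would pull them from policy and from the monitoring/SIEM integration the scenario describes.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Minimum confidence a subject must reach per resource (constructed values;
# a more sensitive resource demands a higher confidence level).
REQUIRED_CONFIDENCE = {
    "intranet": 40,
    "time-and-attendance": 60,
    "hr-system": 80,
}


@dataclass
class AccessRequest:
    user: str
    resource: str
    device_managed: bool    # enterprise-managed vs. personally owned / BYOD
    device_compliant: bool  # e.g. patched, endpoint agent healthy (device monitoring)
    mfa: bool               # strong authentication completed for this session
    location: str           # "intranet", "branch" or "internet" (teleworking)
    siem_alerts_24h: int    # SIEM alerts tied to this user/device in the last 24 h


def confidence_level(req: AccessRequest) -> int:
    """Combine the signals into a 0..100 confidence level (weights are constructed)."""
    score = 30 if req.mfa else 10
    score += 30 if req.device_managed else 5
    score += 20 if req.device_compliant else 0
    score += {"intranet": 20, "branch": 15, "internet": 10}.get(req.location, 0)
    # Each recent SIEM alert lowers confidence: monitoring feeds the decision
    # continuously rather than only at login.
    score -= 15 * req.siem_alerts_24h
    return max(0, min(100, score))


def decide(req: AccessRequest) -> Tuple[str, int]:
    """Return (decision, confidence). Resources with no policy entry are denied."""
    score = confidence_level(req)
    needed: Optional[int] = REQUIRED_CONFIDENCE.get(req.resource)
    if needed is None:
        return ("deny", score)  # default deny: unknown resource, no policy
    return ("allow" if score >= needed else "deny", score)


if __name__ == "__main__":
    # Constructed sample: a teleworking employee on a managed, compliant device.
    clean = AccessRequest("alice", "hr-system", True, True, True, "internet", 0)
    flagged = AccessRequest("alice", "hr-system", True, True, True, "internet", 2)
    for req in (clean, flagged):
        print(req.resource, req.siem_alerts_24h, "alerts ->", decide(req))
```

The same user is allowed the HR system with no alerts but is denied once two SIEM alerts land, while the lower-sensitivity intranet stays reachable, which is the "strict access based on the confidence level" the scenario describes.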

Note: The scenarios above may be created and demonstrated in different phases throughout the project.
