
Sangfor, model site No. 0 for zero trust

Is zero trust really just about indulging in a frictionless office experience?

It is like practising martial arts: "train muscle and bone on the outside, train the breath on the inside". Others only see that you look strong; you alone can feel that your constitution has improved, your resistance is higher, and your body is better all round.

Ultimately, zero trust "puts security first and takes experience into account": through a simpler and more effective "combination of punches", it helps enterprises "build up their health" while meeting the fundamental requirement of "security".

How to prove it? Talk is cheap. Sangfor took itself as model site No. 0, deployed zero trust in its own organization, and let its actions provide the best annotation.


It took less than a month from design to implementation

The story begins with a series of what-if assumptions.

1. Suppose the business has grown to more than 10,000 employees and 20,000 to 30,000 terminal access nodes. How do you enforce real-time security control at that scale?

2. Suppose every employee can reach the core intranet servers. Once a single endpoint is compromised, how do you keep the whole network from being lost?

3. Suppose the traditional scheme of regional isolation and control is used. As a technology company with many internal technical staff, requests that exceed the security baseline are inevitable, for example a server built in Shenzhen that the Beijing team needs to access. Such cross-region access breaks the original regional isolation. How do you balance business needs against the security bottom line?

Beyond these assumptions, we also saw at the time that as the business developed and headcount grew, the organizational structure was constantly being optimized and adjusted, role permissions changed frequently, access policies became hard to control, and the ACLs gradually "rotted". This process constantly tested the efficiency of security operations and maintenance management.

Judging others by our own experience, Sangfor believes this is also the essential problem many organizations encounter in building and operating security:

1. Services, users and resources change constantly: user behaviour is diverse, resource vulnerabilities are hard to avoid, and the access relationships between users and resources, and among resources, keep changing, while regional boundaries are discrete and relatively static;

2. Trying, on a small number of fixed isolation boundaries with coarse-grained and relatively static security policies, to identify all kinds of user behaviour, protect against an endless stream of technical vulnerabilities and maintain rapidly changing access relationships inevitably runs into the contradiction of "large-scale problems, small resource investment".

Worry about what users worry about and think what users think. If we want to deliver a zero trust security solution to tens of thousands of users, we need to be the first hands-on practitioners ourselves.

With real zero trust cases still rare in China at the time, Sangfor started an "experiment" on itself. It took less than a month from design to implementation: there was the determination to do it, and there was also a steady, step-by-step method.

Combination punch one: smooth access, focusing on access control and identity authentication

In the past there were many internal business systems and permission management was chaotic, which buried many security risks; the daily workload of permission changes was also large, placing a heavy burden on O&M staff.

Many long-serving employees will have experienced it themselves: on the first day on the job they had to find different people to open system permissions, and a job change meant applying for new permissions all over again, which was physically and mentally exhausting.


In view of these problems, the first step toward smooth access with zero trust was to focus on access control and unified identity authentication.

Connecting personnel to system permissions: introducing the zero trust access control system SDP

To converge and sort out personnel permissions, the first problem to solve through access control is which identities are allowed to reach the intranet at all.

Previously, as long as a mobile terminal was connected to the Wi-Fi in a Sangfor office, it could access business systems directly without any check that the user was an internal employee; the risks are easy to imagine.

By deploying the zero trust access control system SDP, anyone connecting a mobile terminal to office Wi-Fi must pass identity authentication, ensuring that only internal employees can access business systems. At the same time, we strengthened the terminal baseline check: non-compliant terminals cannot log in.


In the actual rollout, because the SSL VPN released resources on all ports of an IP address or IP segment, access rights were amplified: after SDP replaced SSL VPN access, resources that should not have been accessible, including high-risk ports, were still open. Analysing each specific problem on its own merits, we gradually converged resource permissions so that this situation could not recur.
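The amplification described above can be measured before and after convergence. The following is an added example, not Sangfor's configuration or code: it expands a constructed IP/segment release (the SSL VPN style grant) and constructed per-application grants into reachable host+port endpoints, counts them, and flags the high-risk ports the broad release leaves open. The CIDR, application addresses and the high-risk port list are all assumptions chosen for illustration.

```python
import ipaddress

# Added example, not Sangfor's configuration: quantify what an IP/segment
# release on an SSL VPN exposes versus per-application SDP grants, and flag
# high-risk ports that a broad release leaves reachable.

# Ports a defender would not want ordinary users to reach (constructed list;
# adjust to your own baseline).
HIGH_RISK_PORTS = {22, 135, 139, 445, 1433, 3306, 3389, 6379}
ALL_PORTS = 65535  # an IP/segment release with no port filter: 1-65535


def exposure_report(grants):
    """Summarise the attack surface a list of grants opens to its holders.

    A grant is {"cidr": "10.1.0.0/29", "ports": None}; ports=None means every
    port on every address, which is how an IP/segment release behaves. A list
    of ports means only those ports. Returns the number of reachable
    (address, port) endpoints and the sorted "ip:port" strings that hit
    HIGH_RISK_PORTS.
    """
    endpoints = 0
    high_risk = set()
    for grant in grants:
        net = ipaddress.ip_network(grant["cidr"])
        ports = grant["ports"]
        for ip in net:  # every address in the segment, not just usable hosts
            if ports is None:
                endpoints += ALL_PORTS
                risky = HIGH_RISK_PORTS
            else:
                endpoints += len(ports)
                risky = HIGH_RISK_PORTS.intersection(ports)
            high_risk.update(f"{ip}:{port}" for port in risky)
    return {"endpoints": endpoints, "high_risk": sorted(high_risk)}


def converge(needed_apps):
    """Turn the applications a role actually uses into host+port grants.

    needed_apps = [("10.1.0.2", 443), ...]; anything reachable under the old
    segment release but not listed here simply disappears.
    """
    return [{"cidr": f"{ip}/32", "ports": [port]} for ip, port in needed_apps]


def closed_by_convergence(old_grants, new_grants):
    """High-risk endpoints the old grants exposed that the new grants no longer do."""
    before = set(exposure_report(old_grants)["high_risk"])
    after = set(exposure_report(new_grants)["high_risk"])
    return sorted(before - after)


# Constructed sample: the legacy VPN released a whole /29 on all ports, while
# the role only ever used two web applications.
LEGACY_SSL_VPN = [{"cidr": "10.1.0.0/29", "ports": None}]
NEEDED_APPS = [("10.1.0.2", 443), ("10.1.0.3", 8080)]
SDP_GRANTS = converge(NEEDED_APPS)

if __name__ == "__main__":
    for name, grants in (("SSL VPN segment release", LEGACY_SSL_VPN),
                         ("SDP per-application grants", SDP_GRANTS)):
        report = exposure_report(grants)
        print(f"{name}: {report['endpoints']} endpoints, "
              f"{len(report['high_risk'])} high-risk")
    print("closed by convergence:", closed_by_convergence(LEGACY_SSL_VPN, SDP_GRANTS))
```

Running the report against both grant sets makes the "amplification" concrete: the /29 release opens 8 addresses on 65,535 ports each, 64 of them on ports a user has no business reaching, while the two per-application grants open exactly two endpoints. The same check, run against a migrated SDP policy, shows whether that policy merely copied the old segment release.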

To ensure a smooth office experience for employees, at this stage Sangfor prioritized transforming mobile terminal access, while strengthening promotion of the zero trust concept among employees and reshaping their usage habits.


Reducing ACL complexity: IDTrust unified identity single sign-on transformation

Having solved intranet access rights, the next step toward completely eradicating the confusion in personnel permission management was to converge application access rights through unified identity authentication.

By integrating back-end applications with IDTrust, Sangfor's unified authentication platform, Sangfor achieved single sign-on and two-factor authentication for more than 200 business systems. Employees no longer need to remember account passwords for multiple systems, which also sidesteps the security problems of weak passwords. In addition, integrating applications with IDTrust enables "same position, same permissions": the permissions employees need on different systems are sorted out by position and change automatically when an employee's position changes, which greatly improves the efficiency of O&M management.


Now, HR only needs to register an account for a new employee in the system, and SDP and IDTrust automatically inherit permissions from the organizational structure and role. Employees use the SDP account to obtain application access, and IDTrust lets them go straight into the system applications their position requires. When an employee leaves, SDP and IDTrust also automatically switch off the related application and system permissions.
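The "same position, same permissions" lifecycle just described (join, change position, leave) is easiest to reason about as a reconciliation against a position-to-entitlement map. The following is an added example, not IDTrust or SDP code: it keeps an in-memory entitlement store, derives every account's application set from its position alone, returns the grant/revoke diff on each HR event, and audits for drift caused by one-off manual grants. The positions, application names and users are constructed.

```python
# Added example, not Sangfor's IDTrust or SDP code: joiner/mover/leaver
# provisioning driven by the position in the HR record, so that "same
# position, same permissions" holds and nothing is left behind on leaving.

# Constructed position -> application entitlement map.
POSITION_ENTITLEMENTS = {
    "sales-rep": {"crm", "mail", "wiki"},
    "rd-engineer": {"git", "ci", "wiki", "mail"},
    "rd-lead": {"git", "ci", "wiki", "mail", "release-console"},
}


def entitlements_for(position):
    """Look up the application set for a position; unknown positions are refused."""
    try:
        return set(POSITION_ENTITLEMENTS[position])
    except KeyError:
        raise ValueError(f"unknown position {position!r}: refuse rather than guess") from None


class EntitlementStore:
    """In-memory stand-in for the identity platform's entitlement state."""

    def __init__(self):
        # user -> {"position": str, "apps": set, "enabled": bool}
        self.accounts = {}

    def _reconcile(self, user, desired):
        """Move the account to exactly `desired`; return (granted, revoked)."""
        current = self.accounts[user]["apps"]
        granted, revoked = desired - current, current - desired
        self.accounts[user]["apps"] = set(desired)
        return sorted(granted), sorted(revoked)

    def onboard(self, user, position):
        """Joiner: HR registers the account; entitlements follow from the position."""
        desired = entitlements_for(position)
        self.accounts[user] = {"position": position, "apps": set(), "enabled": True}
        return self._reconcile(user, desired)

    def change_position(self, user, position):
        """Mover: grant what the new position needs, revoke what it does not."""
        desired = entitlements_for(position)
        self.accounts[user]["position"] = position
        return self._reconcile(user, desired)

    def offboard(self, user):
        """Leaver: disable the account and revoke every entitlement."""
        self.accounts[user]["enabled"] = False
        return self._reconcile(user, set())

    def can_access(self, user, app):
        """What the access gateway asks at request time."""
        acct = self.accounts.get(user)
        return bool(acct and acct["enabled"] and app in acct["apps"])

    def audit(self):
        """Drift check: active accounts whose apps differ from their position's set.

        Returns {user: sorted symmetric difference}; one-off manual grants show
        up here and can be pulled back to the position's baseline.
        """
        drift = {}
        for user, acct in self.accounts.items():
            if not acct["enabled"]:
                continue
            expected = POSITION_ENTITLEMENTS[acct["position"]]
            if acct["apps"] != expected:
                drift[user] = sorted(acct["apps"] ^ expected)
        return drift


if __name__ == "__main__":
    store = EntitlementStore()
    print("join:", store.onboard("alice", "sales-rep"))
    print("move:", store.change_position("alice", "rd-engineer"))
    print("leave:", store.offboard("alice"))
    print("drift:", store.audit())
```

The point of returning the diff from every event is that the mover case is where manual processes usually fail: new permissions get added, old ones are rarely taken away. Reconciling to the position's set handles both directions in one step, and the audit catches entitlements that crept in outside the process.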

Combination punch two: extend SDP horizontally and achieve dual-source two-factor authentication

In 2021, an internal attack-and-defence drill was held. The blue team used the pocket assistant app to post phishing messages, and many employees "took the bait". But faced with the deployed zero trust system, the blue team tried for a long time to attack without achieving a breakthrough. This incident taught us a lasting lesson: employee security awareness is the weakest link in the whole security build, and it also warned us that continuing to converge intranet permissions is urgent.


From SDP and SSL VPN in parallel to full SDP deployment

Previously, all Sangfor regional offices and headquarters were connected over SD-WAN with an encrypted tunnel, so employees could access headquarters business systems directly. Once an attacker got onto a branch network, they could likewise reach headquarters resources directly, which posed a certain security risk.

After the SDP client of the zero trust access control system is installed by all employees, access requests from headquarters staff, regional staff and outsourced staff alike go through it, so the multiple exposed services of the past converge into a single entrance and the business systems' IP addresses, ports and other details are hidden.

By shrinking business exposure in this way, even if an employee is successfully phished, the resources that can be reached are limited, so it is hard for the attacker to enter the business systems directly, and intranet protection is greatly improved.

From IAM single sign-on to dual-source two-factor authentication

When an employee accesses a business system, they are redirected to the unified authentication platform IDTrust, which pops up a QR-code scanning screen. For a new user, once that authentication succeeds SDP pops up a secondary, enhanced authentication, followed by a prompt asking whether to bind the trusted terminal. After the first scan is complete, an existing user only needs to complete identity verification with an IDTrust QR-code scan plus the SDP hardware signature.


However, because intranet permissions were being converged continuously and sometimes over-corrected, we still stepped into many small pits during the actual rollout:

For example, in deployment: installing tens of thousands of access control clients for all employees meant facing a wide range of complex terminal environments, and we ran into many compatibility problems; fortunately we had the support of a strong technical service team.

Another example is employee experience: the research into employees' permissions was not thorough enough, and there were oversights in mapping the dependencies between systems and applications, so some employees opened a system page only to find the application could not be displayed, and we were complained about internally...


Through employees' feedback on the product experience, we learned our lessons and optimized product functions in small steps, for example letting administrators configure the validity period of an authentication session, letting users apply for permissions self-service, offering a variety of authentication methods to choose from, and shipping diagnostic tools with the client, so as to help more users get past the various obstacles of a rollout.

Combination punch three: refine policies to achieve secure remote development

After completing the second stage of the zero trust rollout, the remote office experience of non-R&D staff was already very smooth, but a more refined test remained: the zero trust transformation of the isolated R&D network. The problem is that although the R&D network is isolated, it carries many risk factors: a lot of internal security staff do attack-and-defence work and virus sample analysis and need to bring data in from outside, which is extremely hard to control. At the same time, as Sangfor's business keeps growing, permission control for the offshore development centre (ODC) also has to be considered.

Isolated network transformation: shrinking application access for R&D and offshore personnel

To meet the remote working needs of R&D and offshore staff, we had earlier tried mapping VDI cloud desktops to the public network for R&D access, but that approach suffered from latency and insufficient performance. To balance the dual needs of security and experience, Sangfor began transforming the R&D servers, shrinking the application access rights of R&D staff, and achieving more secure remote development with a nested SDP+VDI+SDP scheme.

R&D and offshore staff must pass three authentications to enter the core R&D systems:

1. From the internet office environment, pass SDP authentication to enter the office intranet;

2. From the office network environment, log in to SDP and obtain VDI access;

3. According to the role and permissions of the position, pass SDP identity authentication again and then enter the more confidential R&D applications.

On the premise that data never lands on the endpoint, entering the R&D lab is equivalent to moving the company desktop to any corner of the world. The hardest thing to balance here is the conflict between the principle that "R&D data does not leave the network" and "zero trust". But Sangfor explored a new path: zero trust dynamic policies inspect attributes such as the computer's environment and location to decide whether an employee may access a resource and whether permissions are opened or restricted, so everything stays under control.
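The three-stage path and the dynamic policy described above amount to a policy decision taken per request over a small set of attributes. The following is an added example, not Sangfor's policy engine: it models the request attributes the text names (role, terminal baseline compliance, hardware-bound terminal, two-factor completion, network environment as the stage reached in the SDP+VDI+SDP nesting, and location), a constructed resource catalogue, and an evaluator that returns allow or deny with reasons, and for confidential resources the "data does not land" restrictions. The resource names, role names, site codes and the rule that offshore roles only work from their registered site are all assumptions.

```python
from dataclasses import dataclass, field

# Added example, not Sangfor's policy engine: a dynamic zero trust policy that
# decides, per request, whether an R&D or offshore user may reach a resource
# and under which restrictions, from role, terminal compliance, hardware-bound
# terminal, two-factor state, network environment (stage) and location.


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    zone: str                # "internet" | "office" | "vdi" (nested SDP+VDI+SDP stage)
    location: str            # site the request comes from, e.g. "shenzhen", "odc-1"
    device_compliant: bool   # passed the terminal baseline check
    device_bound: bool       # hardware signature bound to the identity
    mfa_verified: bool       # IDTrust scan plus SDP step-up completed


@dataclass
class Decision:
    effect: str                                   # "allow" | "deny"
    reasons: list = field(default_factory=list)
    restrictions: list = field(default_factory=list)


# Constructed resource catalogue: who may reach it, from which stage, and
# whether it holds R&D data that must not leave the network.
RESOURCES = {
    "wiki": {"roles": None, "zones": {"internet", "office", "vdi"}, "confidential": False},
    "git": {"roles": {"rd-engineer", "rd-lead", "odc-engineer"},
            "zones": {"office", "vdi"}, "confidential": False},
    "rd-core": {"roles": {"rd-engineer", "rd-lead", "odc-engineer"},
                "zones": {"vdi"}, "confidential": True},
}
# Constructed rule: offshore (ODC) roles may only work from their registered site.
ODC_SITES = {"odc-engineer": {"odc-1"}}


def evaluate(req: Request, resource: str) -> Decision:
    """Decide one access request; every deny carries the rule that fired."""
    res = RESOURCES.get(resource)
    if res is None:
        return Decision("deny", [f"unknown resource {resource!r}"])
    # Terminal baseline and strong authentication are preconditions for everything.
    if not req.device_compliant:
        return Decision("deny", ["terminal failed baseline check"])
    if not req.mfa_verified:
        return Decision("deny", ["two-factor authentication not completed"])
    if res["roles"] is not None and req.role not in res["roles"]:
        return Decision("deny", [f"role {req.role!r} is not entitled to {resource!r}"])
    if req.zone not in res["zones"]:
        return Decision("deny", [f"{resource!r} is reachable only from "
                                 f"{sorted(res['zones'])}, request came from {req.zone!r}"])
    if req.role in ODC_SITES and req.location not in ODC_SITES[req.role]:
        return Decision("deny", ["offshore role used outside its registered site"])
    restrictions = []
    if res["confidential"]:
        # "R&D data does not leave the network": the desktop is remote, data stays put.
        restrictions += ["no-download", "clipboard-disabled"]
    if req.zone == "internet" and not req.device_bound:
        # Reachable, but an unbound terminal on the internet gets a narrower permission.
        restrictions.append("read-only")
    return Decision("allow", ["all policy conditions met"], restrictions)


if __name__ == "__main__":
    dev = Request("alice", "rd-engineer", "vdi", "shenzhen", True, True, True)
    print("rd-core from VDI:", evaluate(dev, "rd-core"))
    print("rd-core from office:", evaluate(Request("alice", "rd-engineer", "office",
                                                    "shenzhen", True, True, True), "rd-core"))
```

The ordering of the checks matters: the terminal baseline and two-factor state are evaluated before any entitlement logic, so a non-compliant or half-authenticated client never learns which resources it is otherwise entitled to, and each deny names exactly one rule, which is what an administrator needs when an employee complains that a page will not open.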

Three pictures show how rewarding Sangfor's full zero trust rollout has been

As a doer that has deployed zero trust, Sangfor can confidently prove to more users that "zero trust is real".

Security benefits (figure)

Business benefits (figure)

O&M benefits (figure)

Sangfor's hands-on practice brings construction inspiration to users

1. Unified planning, step-by-step implementation

The difficulty of zero trust rollouts is a well-worn topic, and the fundamental reason is taking steps that are too big, in an urgent wish to get everything in place at once. Combining the real needs of remote working during the current domestic epidemic with Sangfor's practical experience, organizations can start with remote office scenarios first and then gradually switch scenarios such as the intranet and data centre over to zero trust.

2. Choose the right technical route

The zero trust concept can be realized through a variety of technical paths. Sangfor, judging by its own transformation difficulty, chose to switch from SSL VPN to SDP technology, and after practice has very mature experience in remote office and hybrid office scenarios. Organizations can choose the technical route that best fits their own needs.

3. Strong service and endpoint capability support

Practice has proved that a zero trust rollout is a long-term, continuous process that needs the help of professionals; organizations should look for a vendor with strong service capabilities and endpoint capabilities to support them.

Sangfor's full zero trust deployment is built on "prevention", puts its effort in "early", and settles in "real".

So far, Sangfor's zero trust construction has been on the road, and thousands of users have walked alongside us and chosen Sangfor zero trust. Sangfor has now gradually extended the battlefield to scenarios such as intranet office and data centres. What will Sangfor's next moves be, to keep deploying effectively and make zero trust the choice of more users? Stay tuned for the next instalment.

Leifeng Network
