securing-operational-technology

Zero Trust Security

Understand the fundamentals, key principles, standards, and best current practices.

Zero Trust Security Standards

What is Zero Trust?

The foundation of Zero Trust Security is switching from a perimeter-based (firewall and VPN) model of access to a user-to-resource model.

It means implementing strong, simple identity for both people and also a system. Decouple the identity from the corporation to make it affinitive to the user—a single identity.

Through it, you can enforce entitlements and authorization in the network.

This micro-segmentation is simpler to use, more accessible, and, more secure. It reduces the lateral traversal, empowers your users, increases your audit capabilities, is more economical, and is more scalable. This is the power of Zero Trust.

Identity

The core of any Zero Trust Architecture is identity. Identity of a person, identity of a resource. Users are commonly identified via OpenID Connect and SAML. Resources are commonly identified by Client Certificates.

The Global Identity Foundation. A single global identity for all humanity.

OpenID Connect. A simple identity layer on top of OAuth 2.0

OAUTH2. The industry standard protocol for authorization. RFC 6749.

Security Assertion Markup Language (SAML). An XML-based framework for communicating user authentication, entitlement, and attribute information.

W3C Web Authentication (WebAuthN). Strong, attested, scoped public key-based credentials for web applications for authenticating users.

Zero Trust Architecture

Zero Trust Architecture has evolved over the years. The constant theme is changing from a perimeter-based (firewall+VPN) security stance to a user+resource stance.

NIST SP 800-207 Zero Trust Architecture. Evolving cybersecurity defense from static network-based perimeters to focus on users, assets, and resources.

Zero Trust Security Architecture: The Open Group.

Jericho Forum. An early users group facilitated by the Open Group who pioneered De-Perimeterization.

Foundational

Zero Trust Security has a set of foundational standards that are shared with other technologies. These relate to cryptography, security, and identity.

JSON Web Token (JWT) (RFC 7519)

The Transport Layer Security (TLS) Protocol Version 1.3

Secure Production Identity Framework for Everyone (SPIFFE)

X.509 Client Certificate

Best Practices

JSON Web Token Best Current Practices (RFC 8725)

OAuth 2.0 Security Best Current Practice

OpenID Security Best Practices