Skip to content

Zero Trust Security
Concept, Principles, Standards
Best Current Practices

Overview

Zero-Trust security. Swtich from a perimeter-based (firewall and VPN) model of access to a user to resource model.

https://www.youtube.com/watch?v=D7-WVWbqjZk

Implement strong, simple identity. Identity for both a person, but also a system. Decouple the identity from the corporation: make it affinitive to the user, a single identity.

Enforce entitlements and authorisation in the network.

This micro-segmentation is simpler to use, more accessible, and, more secure. It reduces the lateral-traversal, it empowers the users, it increases the audit capability. And, its more economical, more scalable. Everybody wins.

Standards

Identity

The core of any Zero Trust Architecture is identity. Identity of a person, identity of a resource. Users are commonly identified via OpenID Connect and SAML. Resources are commonly identified by Client Certificates.

The Global Identity Foundation. A single global identity for all humanity.
OpenID Connect. A simple identity layer on top of OAuth 2.0
OAUTH2. The industry standard protocol for authorisation. RFC 6749.
Security Assertion Markup Language (SAML). An XML-based framework for communicating user authentication, entitlement, attribute information.
W3C Web Authentication (WebAuthN). Strong, attested, scoped public key-based credentials for web applications for authenticating users.

Zero Trust Architecture

Zero Trust Architecture has evolved over the years. The constant theme is changing from a perimeter-based (firewall+VPN) security stance to a user+resource stance.

NIST SP 800-207 Zero Trust Architecture. Evolving cybersecurity defense from static network-based perimeters to focus on users, assets, resoures.
Zero Trust Security Architecture: The Open Group.
Jericho Forum. An early users group facilitated by the Open Group who pioneered De-Perimeterisation

Foundational

Zero Trust Security has a set of foundational standards that are shared with other technologies. These relate to cryptography, security, identity.

JSON Web Token (JWT) (RFC 7519)
The Transport Layer Security (TLS) Protocol Version 1.3
Secure Production Identity Framework for Everyone (SPIFFE)
X.509 Client Certificate

Best Practices

Complex technologies can be difficult to configure. Learn from the accumulated best practices of others.

JSON Web Token Best Current Practices (RFC 8725)
OAuth 2.0 Security Best Current Practice
OpenID Security Best Practices

Articles