Zero Trust - CompTIA Security+ SY0-701 - 1.2
Understanding Zero Trust Security
The Need for Zero Trust in Network Security
- Many networks have minimal security controls once traffic is past the firewall, so anyone who gets inside, authorized or not, can reach systems freely.
- Transitioning to a zero trust model requires authentication for every resource access attempt, affecting all devices, processes, and users.
- Zero trust implies that nothing is inherently trusted; all entities must undergo security checks before accessing resources.
Implementing Zero Trust: Control Planes
- To implement zero trust effectively, security devices should be divided into smaller components known as separate functional planes of operation.
- Two primary operational planes are identified: the data plane (handles real-time data processing) and the control plane (manages actions occurring in the data plane).
- The data plane includes functions like packet forwarding and routing, while the control plane involves configuring policies and rules for network traffic management.
Practical Application of Control Planes
- Understanding the separation between data and control planes can be illustrated using physical devices like switches that manage network traffic.
- Configuration changes related to network settings occur within the control plane, ensuring proper management of how data flows through the device.
- This separation also applies to virtual devices and cloud-based security controls, emphasizing its relevance across different environments.
Enhancing Security with Adaptive Identity
- Implementing adaptive identity technology allows for dynamic evaluation of user identities based on various factors beyond self-reported information.
- Factors such as a source IP address whose geographic location does not match where the user is expected to be can trigger additional verification steps during authentication.
- Evaluating an individual's relationship with the organization (e.g., employee status or connection type) contributes to a more robust authentication process.
Policy-driven Access Control
- Limiting entry points into a network enhances security; access may only be granted from specific locations or through secure connections like VPN.
- A policy-driven access control system integrates multiple data points to determine appropriate authentication methods for users attempting to gain access.
Understanding Security Zones and Policy Enforcement
Overview of Security Zones
- The concept expands from a simple one-to-one user-server relationship to analyzing the entire conversation path, focusing on security zones based on connection origins and destinations.
- Different types of networks (internal, external, trusted, untrusted) can be defined, allowing for more granular control through separate VPN connections or departmental groups.
Access Control Policies
- Rules can be established to deny access when an untrusted zone attempts to communicate with a trusted zone.
- Implicit trust can be created within corporate environments; for instance, users in corporate offices may have automatic trust when accessing internal data centers.
Policy Enforcement Mechanisms
- A Policy Enforcement Point (PEP) is essential for evaluating all communications across the network. It acts as a gatekeeper for traffic management.
- The PEP does not make decisions but gathers information about traffic and forwards it to the Policy Decision Point (PDP).
Decision-Making Process
- The PDP examines authentication requests and determines whether access should be granted based on predefined security policies.
- The Policy Engine compares incoming requests against these policies to decide if access is allowed, denied, or revoked.
Integration into Zero Trust Model
- All components work together in a zero trust model: subjects in untrusted zones reach resources only through the PEP, which forwards each request to the PDP for a decision.
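The sections above on adaptive identity, policy-driven access control, security zones and the PEP/PDP/Policy Engine flow describe one architecture, so here is a single worked illustration of it. This is an added example, not code from the course or from any product: the zones, users, countries and rules are all constructed for the demonstration. It separates the control plane (the PolicyEngine inside the PDP, which is where NIST SP 800-207 places it) from the data plane (the PEP, which gathers facts about a request and enforces the answer but decides nothing itself), and it combines the zone rule, the implicit trust for corporate offices, the relationship check and the location-mismatch step-up into one evaluation.

```python
from dataclasses import dataclass
from enum import Enum


class Zone(Enum):
    """Security zones, constructed for this example."""
    INTERNET = "internet"
    GUEST_WIFI = "guest_wifi"
    PUBLIC_WEB = "public_web"          # untrusted destination (public-facing app)
    VPN = "vpn"
    CORPORATE_OFFICE = "corporate_office"
    INTERNAL_DC = "internal_datacenter"


TRUSTED_ZONES = {Zone.VPN, Zone.CORPORATE_OFFICE, Zone.INTERNAL_DC}


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "step_up_mfa"   # more verification needed before access is granted


@dataclass(frozen=True)
class Subject:
    user: str
    relationship: str        # "employee", "contractor" or "guest" (constructed values)
    home_country: str        # country the organization expects this user to sign in from
    mfa_completed: bool = False


@dataclass(frozen=True)
class Request:
    subject: Subject
    source_zone: Zone
    source_country: str      # assumed to come from geolocating the source IP address
    destination_zone: Zone
    resource: str


class PolicyEngine:
    """Control plane: holds the policies and compares each request against them."""

    def evaluate(self, req: Request) -> Decision:
        subj = req.subject
        # Zone rule: an untrusted zone may never talk to a trusted zone.
        # This is also what limits entry points: from outside, the VPN is the only way in.
        if req.source_zone not in TRUSTED_ZONES and req.destination_zone in TRUSTED_ZONES:
            return Decision.DENY
        # Implicit trust: corporate office users reach the internal data center directly.
        if req.source_zone == Zone.CORPORATE_OFFICE and req.destination_zone == Zone.INTERNAL_DC:
            return Decision.ALLOW
        # Relationship: anyone other than an employee must complete MFA to enter a trusted zone.
        if subj.relationship != "employee" and req.destination_zone in TRUSTED_ZONES and not subj.mfa_completed:
            return Decision.STEP_UP
        # Adaptive identity: sign-in location differs from the expected one -> extra verification.
        if req.source_country != subj.home_country and not subj.mfa_completed:
            return Decision.STEP_UP
        return Decision.ALLOW


class PolicyDecisionPoint:
    """Control plane: the PDP owns the policy engine and answers the PEP's questions."""
    def __init__(self, engine: PolicyEngine):
        self.engine = engine

    def decide(self, req: Request) -> Decision:
        return self.engine.evaluate(req)


class PolicyEnforcementPoint:
    """Data plane: sits in the traffic path, collects the facts about each request,
    forwards them to the PDP and enforces whatever comes back. It decides nothing itself."""
    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp
        self.audit_log: list[tuple[str, str, str]] = []

    def handle(self, req: Request) -> Decision:
        decision = self.pdp.decide(req)
        self.audit_log.append((req.subject.user, req.resource, decision.value))
        return decision


def run_demo() -> list[Decision]:
    """Constructed requests covering each policy branch; returns the decisions in order."""
    pep = PolicyEnforcementPoint(PolicyDecisionPoint(PolicyEngine()))
    alice = Subject("alice", "employee", "US")
    bob = Subject("bob", "employee", "US")
    bob_mfa = Subject("bob", "employee", "US", mfa_completed=True)
    carol = Subject("carol", "contractor", "US")
    dave = Subject("dave", "guest", "US")
    requests = [
        Request(alice, Zone.CORPORATE_OFFICE, "US", Zone.INTERNAL_DC, "hr-db"),   # implicit trust
        Request(bob, Zone.INTERNET, "US", Zone.INTERNAL_DC, "hr-db"),             # untrusted -> trusted
        Request(bob, Zone.VPN, "DE", Zone.INTERNAL_DC, "hr-db"),                  # location mismatch
        Request(bob_mfa, Zone.VPN, "DE", Zone.INTERNAL_DC, "hr-db"),              # mismatch, MFA done
        Request(carol, Zone.VPN, "US", Zone.INTERNAL_DC, "build-server"),         # contractor, no MFA
        Request(dave, Zone.GUEST_WIFI, "US", Zone.PUBLIC_WEB, "careers-site"),    # untrusted -> untrusted
    ]
    return [pep.handle(r) for r in requests]


if __name__ == "__main__":
    for d in run_demo():
        print(d.value)
```

Running the demo yields allow, deny, step_up_mfa, allow, step_up_mfa, allow. The order of the rules matters: the deny rule for untrusted-to-trusted traffic runs first so that no later rule can override it, the implicit-trust rule runs before the adaptive checks because office users are expected to be in the office, and a STEP_UP result means the PEP should start additional verification rather than grant access. Changing a rule touches only PolicyEngine (control plane); the PEP (data plane) keeps forwarding requests and enforcing answers unchanged.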