---
title: "Zero Trust Architecture (ZTA)"
type: concept
tags: [security, cloud, compliance]
date: 2025-03-01
---

## Definition

Zero Trust Architecture (ZTA) is a security framework whose core principle is **"Never Trust, Always Verify"**. Unlike the traditional perimeter model, ZTA treats both the inside and the outside of the network as untrusted: every access request must be authenticated and authorized before it is granted, regardless of where it originates.

## Core Principles

### 1. Never Trust, Always Verify

```
Traditional model: inside the perimeter = trusted
ZTA model:         verify every request, regardless of location
```

### 2. Least Privilege Access

- Grant only the minimum permissions needed to complete the task
- Fine-grained access control
- Just-in-Time (JIT) access, so elevated rights expire instead of persisting

### 3. Assume Breach

- Assume the system has already been compromised
- Continuous monitoring and detection
- Micro-segmentation to contain lateral movement

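The "assume breach" principle is easiest to reason about as blast radius: given that one service is already compromised, how many others can the attacker pivot to? The following is an added example, not code from the original note. The service names, the flat and segmented policies and the `SEGMENT_RULES` allowlist are constructed sample data, and `blast_radius()` / `exposure_report()` are hypothetical helpers written for this illustration.

```python
from collections import deque

# Added example (not from the original note): how far an attacker who has
# already compromised one service can move laterally under a flat network
# versus micro-segmentation. SERVICES and SEGMENT_RULES are constructed data.

SERVICES = ["web", "api", "auth", "orders-db", "payments", "payments-db", "build-runner"]


def flat_policy(src: str, dst: str) -> bool:
    """Perimeter-only model: anything inside the network may talk to anything else."""
    return src != dst


# Micro-segmentation: an explicit allowlist of (source, destination, port); default deny.
SEGMENT_RULES = {
    ("web", "api", 443),
    ("api", "auth", 443),
    ("api", "orders-db", 5432),
    ("api", "payments", 443),
    ("payments", "payments-db", 5432),
}


def segmented_policy(src: str, dst: str) -> bool:
    """Allow a flow only if some rule names this (source, destination) pair."""
    return any(s == src and d == dst for s, d, _port in SEGMENT_RULES)


def blast_radius(compromised: str, policy, services=SERVICES) -> set:
    """Services an attacker can pivot to from `compromised`, following allowed
    flows transitively (breadth-first search over the policy graph)."""
    reached = {compromised}
    queue = deque([compromised])
    while queue:
        current = queue.popleft()
        for nxt in services:
            if nxt not in reached and policy(current, nxt):
                reached.add(nxt)
                queue.append(nxt)
    return reached - {compromised}


def exposure_report(policy, services=SERVICES) -> dict:
    """Blast radius of every service under one policy, for side-by-side comparison."""
    return {svc: blast_radius(svc, policy, services) for svc in services}


if __name__ == "__main__":
    for name, policy in (("flat", flat_policy), ("segmented", segmented_policy)):
        print(f"== {name} ==")
        for svc, reach in exposure_report(policy).items():
            print(f"{svc:13s} -> {len(reach)} services: {sorted(reach)}")
```

Under the flat policy every service reaches all six others, so it does not matter which host is compromised first. Under the allowlist a compromised database or build runner reaches nothing, because the rules only permit flows it never initiates, while a compromised `web` tier still reaches five services through `api`: the report shows where the next segmentation rule should go.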
## Implementation Pillars

| Pillar | Description | Example Technologies |
|--------|-------------|----------------------|
| Identity | Strong authentication | MFA, SSO |
| Device health | Endpoint security posture | MDM, EDR |
| Network segmentation | Micro-segmentation | VPC, Service Mesh |
| Application control | Least privilege | RBAC, ABAC |
| Data encryption | Encryption in transit and at rest | TLS, KMS |

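The pillars only deliver zero trust when they are combined into a single decision that is made for every request. The following is an added example in Python, not code from the original note or from any product: a minimal policy decision point that checks MFA-backed identity, device posture, and least-privilege permission (standing RBAC or an unexpired JIT grant), and records the source network without letting it influence the outcome. `Identity`, `Device`, `JITGrant`, `Decision`, `evaluate()` and `ROLE_PERMISSIONS` are names invented for this illustration, and the users, devices and resources at the bottom are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Added example (not from the original note): a minimal policy decision point (PDP)
# that applies the pillars in the table above to every single request. Identity,
# Device, JITGrant, evaluate() and ROLE_PERMISSIONS are names invented here;
# the sample data at the bottom is constructed.

@dataclass(frozen=True)
class Identity:
    user: str
    mfa_verified: bool      # identity pillar: strong authentication (MFA)
    roles: frozenset

@dataclass(frozen=True)
class Device:
    managed: bool           # device pillar: enrolled in MDM
    edr_healthy: bool       # device pillar: EDR reports a clean state
    disk_encrypted: bool    # data pillar: encryption at rest

@dataclass(frozen=True)
class JITGrant:
    user: str
    resource: str
    action: str
    expires_at: datetime    # elevated rights expire instead of persisting

@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)

# Application pillar: standing RBAC permissions, kept to the daily minimum.
ROLE_PERMISSIONS = {
    "developer": {("repo:payments", "read")},
    "sre": {("repo:payments", "read"), ("prod-db", "read")},
}

def device_posture_ok(device: Device) -> bool:
    return device.managed and device.edr_healthy and device.disk_encrypted

def permission_source(identity, resource, action, jit_grants, now):
    """'role:<name>' or 'jit' when (resource, action) is permitted, else None."""
    for role in sorted(identity.roles):
        if (resource, action) in ROLE_PERMISSIONS.get(role, set()):
            return f"role:{role}"
    for g in jit_grants:
        if (g.user, g.resource, g.action) == (identity.user, resource, action) and now < g.expires_at:
            return "jit"
    return None

def evaluate(identity, device, resource, action, source_network, now, jit_grants=()):
    """Decide one request. Every call re-checks identity, device and permission;
    there is no 'already inside, already trusted' session state to inherit."""
    reasons = [f"source_network={source_network} (recorded, not a trust factor)"]
    if not identity.mfa_verified:
        reasons.append("deny: identity not MFA-verified")
        return Decision(False, reasons)
    if not device_posture_ok(device):
        reasons.append("deny: device posture check failed")
        return Decision(False, reasons)
    via = permission_source(identity, resource, action, jit_grants, now)
    if via is None:
        reasons.append(f"deny: no permission for {action} on {resource}")
        return Decision(False, reasons)
    reasons.append(f"allow via {via}")
    return Decision(True, reasons)

# Constructed sample data.
NOW = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)
HEALTHY = Device(managed=True, edr_healthy=True, disk_encrypted=True)
INFECTED = Device(managed=True, edr_healthy=False, disk_encrypted=True)
ALICE = Identity("alice", mfa_verified=True, roles=frozenset({"developer"}))
BOB = Identity("bob", mfa_verified=True, roles=frozenset({"sre"}))

def demo() -> dict:
    grant = JITGrant("alice", "prod-db", "read", expires_at=NOW + timedelta(hours=1))
    return {
        # On the corporate network but on a device EDR flags: location does not rescue it.
        "sre_corp_infected": evaluate(BOB, INFECTED, "prod-db", "read", "corp", NOW),
        # From the internet on a healthy device, role covers the action: allowed.
        "sre_internet_healthy": evaluate(BOB, HEALTHY, "prod-db", "read", "internet", NOW),
        # A developer has no standing access to prod-db...
        "dev_no_grant": evaluate(ALICE, HEALTHY, "prod-db", "read", "corp", NOW),
        # ...a one-hour JIT grant lets the same request through...
        "dev_jit": evaluate(ALICE, HEALTHY, "prod-db", "read", "corp", NOW, (grant,)),
        # ...and is refused once it has expired.
        "dev_jit_expired": evaluate(ALICE, HEALTHY, "prod-db", "read", "corp", NOW + timedelta(hours=2), (grant,)),
    }

if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:22s} {'ALLOW' if d.allowed else 'DENY':5s} {d.reasons}")
```

The `reasons` list is the audit trail: each denial names the pillar that failed, and each allow names the grant it relied on, which is what an incident responder needs when reconstructing who reached `prod-db` and why. Note that the checks are ordered so that a stolen credential without MFA or an unhealthy device is refused before permissions are even consulted.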
## In ITSM Context

In [[ITSM]], ZTA is the core of [[Security-and-Compliance]]:

```
Security & Compliance Management (ITSM 8.0)
├── Zero Trust Architecture (ZTA)
│   ├── Continuous authentication
│   ├── Micro-segmentation
│   └── Principle of least privilege
├── AI-based Threat Intelligence
│   ├── Behavioural analysis
│   └── Anomaly detection
└── Policy-as-Code
    ├── Compliance automation
    └── Audit trail
```

## Related Concepts

- [[Policy-as-Code]] — policy as code, compliance automation
- [[Security-and-Compliance]] — security and compliance management
- [[Multi-factor-Authentication]] — multi-factor authentication
- [[Cloud Security]] — cloud security

## Sources

- [[understanding-complete-itsm]] — ZTA in modern ITSM