US Department of Defense Zero Trust Reference Architecture (English version) - 104-page official edition.doc

Uploader: 阿***  Document ID: 69145863  Upload time: 2022-12-30  Format: DOC  Pages: 104  Size: 6.60MB

Department of Defense (DoD)
Zero Trust Reference Architecture
Version 2.0
July 2022

Prepared by the Defense Information Systems Agency (DISA) and National Security Agency (NSA) Zero Trust Engineering Team

DISTRIBUTION STATEMENT A. Approved for public release. Distribution is unlimited.

Document Prepared By
Name: Robert Freter, DISA Zero Trust Program Lead (ID2)
Date: June 2022

Table of Contents

1 PURPOSE AND STRATEGIC GOALS .... 9
1.1 Introduction .... 9
1.2 Purpose .... 9
1.3 Scope .... 10
1.3.1 Stakeholders .... 10
1.3.2 Organization of the Reference Architecture .... 10
1.3.3 Timeframe .... 12
1.4 Vision and Goals (CV-1) .... 13
1.4.1 Vision and High-Level Goals (CV-1) .... 14
1.4.2 Zero Trust Strategy .... 15
1.5 Cybersecurity (Transition) Problem Statement (OV-1) .... 16
1.6 Overall Target Environment (OV-1) .... 18
1.7 Assumptions .... 19
1.8 Constraints .... 20
2 PILLARS AND PRINCIPLES .... 20
2.1 Overview .... 20
2.2 Concept and Tenets of Zero Trust .... 20
2.3 Pillars .... 21
2.4 Reference Architecture Principles (OV-6a) .... 23
3 CAPABILITIES .... 25
3.1 Capabilities Taxonomy (CV-2) .... 25
3.2 FFP: Pillars, Resources & Capability Mapping .... 31
4 USE CASES .... 35
4.1 Data Centric Security Protections (OV-1) .... 35
4.2 Data-Centric Security Protections (OV-2) .... 37
4.3 Data Encryption Protections (OV-2) .... 39
4.4 Coordinating Policy for Data-Centric Security Protections (OV-2) .... 41
4.5 Data Analytics & AI (OV-1) .... 42
4.6 Data Analytics & AI (SV-1) .... 44
4.7 Centralized Orchestration & Policy Management (OV-1) .... 45
4.8 Centralized Orchestration & Policy Management (OV-2) .... 46
4.9 Dynamic, Adaptive Policy Feedback Loop (OV-1) .... 47
4.10 VPN-Less Implementation (OV-1) .... 48
4.11 East-West Segmentation (OV-1) .... 49
4.12 Global Uniform Device Hygiene (OV-1) .... 50
4.13 Global Uniform Device Hygiene (OV-2) .... 52
4.14 Dynamic, Continuous Authentication (OV-1) .... 54
4.15 Dynamic, Continuous Authentication (OV-2) .... 56
4.16 Conditional Authorization (OV-1) .... 60
4.17 Conditional Authorization (OV-2) .... 62
5 TECHNICAL POSITIONS .... 63
5.1 Emerging Technologies .... 63
5.2 Standards, Associated Architectures and Guides .... 64
5.3 Linkages to Other Architectures .... 65
5.3.1 DoD Cybersecurity Reference Architecture (CS RA) Integration .... 65
5.3.2 DoD ICAM Reference Design (RD) .... 66
5.3.3 NIST Special Publication 800-207 Zero Trust Architecture .... 67
6 SECURITY ASSESSMENT .... 68
6.1 Governance .... 68
6.2 Data Governance (OV-2) .... 68
6.3 Securing Supply Chain (OV-2) .... 70
7 ARCHITECTURE PATTERNS .... 71
7.1 Architecture Patterns (CV-4) .... 71
7.1.1 Domain Policy Enforcement for Resource Access (SV-1) .... 72
7.1.2 Software Defined Perimeter (OV-2) .... 73
7.1.3 ZT Broker Integration (SV-1) .... 74
7.1.4 Micro Segmentation (SV-1) .... 74
7.1.5 Macro Segmentation (SV-1) .... 78
7.2 External Services .... 78
7.2.1 SvcV-1: External Services (SvcV-1) .... 79
7.2.2 SvcV-2: Enterprise Federated Identity Service (SvcV-2) .... 80
8 TRANSITION ARCHITECTURE PLANNING (FFP) .... 81
8.1 Maturity Model (FFP) .... 81
8.2 Baseline (OV-1) .... 82
8.3 Transition (OV-1) .... 83
9 APPENDIX (AV-2) .... 84
9.1 Systems .... 85
9.2 Services .... 90
9.3 General Terms .... 92
9.4 DIV-1 .... 93
9.5 StdV-1-2 References .... 96
9.6 Capability Table .... 97
10 REFERENCES .... 104

LIST OF TABLES

Table 1 Reference Architecture Principles (OV-6A) .... 24
Table 2 Design Pattern Table (CV-4) .... 71

LIST OF FIGURES

Figure 1 Legend for Performers .... 12
Figure 2 Zero Trust Vision (CV-1) .... 13
Figure 3 Cybersecurity Problem Statement (OV-1) .... 16
Figure 4 Target Environment (OV-1) .... 18
Figure 5 Zero Trust Pillars .... 22
Figure 6 Capability to Pillars Mapping (FFP) .... 26
Figure 7 Zero Trust Authentication and Authorization Capability Taxonomy (CV-2) .... 27
Figure 8 Zero Trust Infrastructure, Workload and Data Capability Taxonomy (CV-2) .... 28
Figure 9 Zero Trust Analytics and Orchestration Capabilities Taxonomy (CV-2) .... 29
Figure 10 Zero Trust Enabling Capabilities Taxonomy (CV-2) .... 30
Figure 11 FFP: Pillars, Resources & Capability Mapping (CV-7) .... 31
Figure 12 Data Centric Security Protections (OV-1) .... 35
Figure 13 Data-Centric Security Protections (OV-2) .... 37
Figure 14 Data Encryption Protections (OV-2) .... 39
Figure 15 Coordinating Policy for Data-Centric Security Protections (OV-2) .... 41
Figure 16 Big Data Analytics & AI (OV-1) .... 42
Figure 17 Data Analytics & AI (SV-1) .... 44
Figure 18 Centralized Orchestration & Policy Management (OV-1) .... 45
Figure 19 Centralized Orchestration & Policy Management (OV-2) .... 46
Figure 20 Dynamic, Adaptive Policy Feedback Loop (OV-1) .... 47
Figure 21 VPN-Less Implementation (OV-1) .... 48
Figure 22 East-West Segmentation (OV-1) .... 49
Figure 23 Global Uniform Device Hygiene (OV-1) .... 50
Figure 24 Global Uniform Device Hygiene (OV-2) .... 52
Figure 25 Dynamic, Continuous Authentication (OV-1) .... 54
Figure 26 Dynamic, Continuous Authentication (OV-2) .... 56
Figure 27 Performers Requiring Authentication .... 58
Figure 28 Conditional Authorization (OV-1) .... 60
Figure 29 Conditional Authorization (OV-2) .... 62
Figure 31 Standards Profile for DoD Zero Trust Architectures .... 64
Figure 32 Securing the Supply Chain (OV-2) .... 70
Figure 33 Domain Policy Enforcement for Resource Access (SV-1) .... 72
Figure 34 Design Pattern: Software Defined Perimeter (OV-2) .... 73
Figure 35 SoS Design Pattern: Zero Trust Broker Integration (SV-1) .... 74
Figure 36 SoS Micro Segmentation (SV-1) .... 75
Figure 37 SoS Micro Segmentation (SV-1) .... 76
Figure 38 SoS Micro Segmentation (SV-1) .... 77
Figure 39 Design Patterns: SoS Macro Segmentation (SV-1) .... 78
Figure 40 External Services (SvcV-1) .... 79
Figure 41 Enterprise Federated Identity Service (SvcV-2) .... 80
Figure 42 ICAM Service (SvcV-2) .... 80
Figure 43 Maturity Model (FFP) .... 81
Figure 44 Transition Architecture Baseline (OV-1) .... 82
Figure 45 Transition Architecture Transition (OV-1) .... 83

1 PURPOSE AND STRATEGIC GOALS

1.1 Introduction

“Zero Trust is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. Zero Trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the Internet) or based on asset ownership (enterprise or personally owned).”[1] Zero Trust (ZT) requires designing a consolidated and more secure architecture without impeding operations or compromising security. The classic perimeter/defense-in-depth cybersecurity strategy has repeatedly been shown to have limited value against well-resourced adversaries and is an ineffective approach to addressing insider threats.

The DoD Cybersecurity Reference Architecture (CS RA) documents the Department's approach to cybersecurity and is being updated to become data-centric and infuse ZT principles.

ZT supports the 2018 DoD Cyber Strategy, the 2019 DoD Digital Modernization Strategy, the 2021 Executive Order on Improving the Nation's Cybersecurity, and the DoD Chief Information Officer's (CIO) vision for creating “a more secure, coordinated, seamless, transparent, and cost-effective architecture that transforms data into actionable information and ensures dependable mission execution in the face of a persistent cyber threat.”[2] ZT should be used to re-prioritize and integrate existing DoD capabilities and resources, while maintaining availability and minimizing temporal delays in authentication mechanisms, to address the DoD CIO's vision.

1.2 Purpose

An architecture is built for a defined purpose and should answer a specific set of questions to enable data-driven, informed decisions. The Reference Architecture (RA) establishes a framework that provides guidance via architectural Pillars and Principles. It identifies which of the overall strategic needs (goals and objectives) are the focus of the RA. The RA is a conceptual, capability-centric description of the architecture and primarily supports capability planning, portfolio management, and Information Technology (IT) investment decisions. It establishes high-level service and operation concepts, architectural questions of importance, and technology opportunities and constraints that shape the domain of an approach. The RA also includes a synopsis of current industry and DoD approaches and identifies key determining standards that together describe constraints and opportunities.

[1] NIST SP 800-207 Zero Trust Architecture, August 2020
[2] DoD Digital Modernization Strategy, June 2019.

1.3 Scope

The DoD Zero Trust Engineering Team developed this Zero Trust Reference Architecture (ZT RA) to align with the DoD definition: “Reference Architecture is an authoritative source of information about a specific subject area that guides and constrains the instantiations of multiple archit
