In-depth Analysis of Zero-Trust Technology in China and Worldwide

Release time: 2021-03-30

Foreword:


The emergence of zero trust shifts the scope of cyber defense from the network boundary to individual or grouped resources. At the same time, it represents a new generation of cyber security protection concept: it breaks the default "trust" and adheres to the principle of "continuous verification, never trust". That is, by default no person, device or system, whether inside or outside the network, is trusted. Access control is rebuilt on the foundation of identity authentication and authorization, so as to ensure a trusted identity, a trusted device, a trusted application and a trusted link. This article aims to help you gain a more comprehensive understanding of the security concept of zero trust technology through its development in China and worldwide.


What are the similarities and differences between zero trust technology in China and worldwide? Let's take a look at this in-depth analysis.


We all know that the concept of "zero trust" was first proposed in the United States. Why there first? This is closely related to the vigorous development of cloud computing and big data technologies in the United States.


With the maturing of zero-trust technology and the ever-increasing number of cloud and web applications, enterprises have become more accepting of dynamic authentication and least-privilege permission management as proactive security defense concepts.


The zero-trust practice of Internet giants like Google has strengthened the investment of capital and suppliers. Today, the largest security company in the United States is not a traditional firewall company but a zero-trust company.


On the other hand, Chinese mobile Internet services are booming, and online payment services are advancing together with mobile services. The security of online payment is the primary consideration of Internet giants such as Alibaba and Tencent, so the security concept of zero trust was first promoted in the field of Chinese mobile payment.


With the spread of the concept of zero trust in China, this security concept has gradually been recognized by more enterprises.


For example, the mobile office model has been widely adopted during the pandemic, and there have been many security incidents involving access through a single VPN. The need to improve the security of remote office, remote access and business applications has led more enterprises and business customers to choose the concept of zero-trust security, and related suppliers have sprung up in quick succession.


This article aims to help you have a more comprehensive understanding of the security concept of zero trust through the development in China and worldwide.


Worldwide Zero Trust SaaS Development


Zero-trust SaaS in the United States is developing rapidly: over 30% of customers have implemented it, and 44% of customers are preparing to adopt it.


Zero-trust SaaS assumes that everyone is untrustworthy: identity is verified first, and only then is access to resources authorized. It is identity-centric; only after "pre-verification" and "pre-authorization" does a subject obtain a one-time channel to access the system. The principle of least privilege grants users the minimum access rights needed to complete their work, and access control is dynamic: each access channel is one-time.


According to the Forrester report, zero-trust SaaS vendors must have a deep understanding of zero trust, strong microsegmentation capabilities, extensive integration and API capabilities, and the ability to identify and monitor any identities that may introduce risk (not only IAM).


For example, the zero-trust giant Okta adopts a SaaS subscription model. Zero-trust SaaS penetrates enterprise business processes and personnel, and its renewal rate is 120%. Zero-trust SaaS requires companies to master technologies such as microsegmentation and data security; leading companies usually have a deep understanding of network management, firewalls and cloud security.


With the rapid development of the zero-trust market, more companies in the United States have entered the zero-trust business. We divide the zero-trust companies in the United States into three categories:


1. Shift from self-use to commercialization, e.g. Google, Akamai, Microsoft

2. Capability building through acquisitions, e.g. Cisco, Symantec, Palo Alto Networks, Unisys, Proofpoint

3. Technology start-ups, e.g. Zscaler, Okta, Cloudflare, Illumio, Cyxtera


Many organizations have high expectations of the US market. According to a survey by Cybersecurity Insiders, 15% of IT teams have implemented zero-trust SaaS, and 44% said they are ready to deploy it.


According to Gartner estimates, by 2022, 80% of new digital business applications opened to ecosystem partners will be accessed through zero trust network access (ZTNA). By 2023, 60% of enterprises will phase out most of their remote-access virtual private networks and switch to zero-trust SaaS.


Technical Practices of Chinese Internet Companies


With the rapid development of the Chinese Internet and the continuous improvement of digitization and mobility in Internet companies, the enterprise "internal business system" has gradually become a core asset, and it has become more and more common to work with that internal business system anytime and anywhere.


However, branches, subsidiaries and offices distributed across the country or the world may not have dedicated lines to the group intranet. They are often connected through a VPN over the public network, which has problems such as insufficient security and low access efficiency. At the same time, it is difficult to keep the network security management mechanisms of merged companies and partner companies consistent with those of the group. When they access the group's intranet resources, there are problems with verifying personnel identity and with the security and trustworthiness of their equipment.


Based on this requirement, since 2015 Tencent has independently designed, developed and implemented a zero-trust security management system, Tencent iOA, which achieves trusted identity, trusted device, trusted application process, and link protection and acceleration. It covers six scenarios: borderless office and operations/maintenance, hybrid cloud services, branch secure access, secure invocation of application data, unified identity with centralized business management and control, and accelerated access over global links. It provides enterprises with a one-stop zero-trust security solution for borderless least-privilege access control and an upgrade of security management.


Alibaba Cloud launched a zero-trust office solution, similar to a simplified version of Google BeyondCorp. It combines agent-based terminal management and control, SPG (Service Provide Gateway) application access and IDaaS identity authentication, and these can be flexibly combined to meet the requirements of enterprises.


The solution can be summarized by two keywords, "trusted" and "dynamic", and includes two core modules. The first is remote terminal security management, which performs trusted authentication and identity management of remote terminals in real time. The second is dynamic decision-making and control in the cloud: it applies unified, high-strength security authentication to all user identities and can dynamically allocate user permissions in combination with various security factors.


Chinese Security Vendor Development


Interest in zero-trust technology has gradually spread through various Chinese industry markets since 2015. As zero-trust security technology was gradually introduced by foreign cloud vendors and consulting agencies, Chinese security vendors built on their own strengths to promote related solutions, and reference cases have appeared since 2019.


The Chinese information security market differs from the global one. At present, demand in the Chinese network security market is mainly concentrated in government ministries and large industries (such as finance, carriers and energy). These customers currently run private or hybrid clouds, and the top customers are more accepting of the advanced security concept of zero trust based on their own business.


Successful foreign business models and the actual needs of top customers have jointly driven domestic capital and security vendors to increase investment in zero trust. At present, Chinese vendors follow three technical routes: zero-trust SDP (Software-Defined Perimeter) technology, zero-trust IAM (Identity and Access Management) technology, and BeyondCorp.


● Zero Trust Software-Defined Perimeter


The Cloud Security Alliance released "SDP Specification 1.0" in 2014, and Gartner defines SDP as a zero-trust best practice. With the release of the SDP standard, Chinese vendors have a clearer direction for SDP solutions, and each has formed an SDP solution based on its own technology accumulation, with different advantages.


As a leading company in Chinese network security, Venustech Group has formed the most complete product chain in the industry; its years of active and stable security ecosystem layout lay a solid foundation for the development of its SDP.


Venustech eTrust SDP is identity-centric, building a zero-trust security architecture around network stealth, trusted access, dynamic access control and ease of use. It consists of the eTrust client, eTrust gateway, eTrust controller, ASCG and other components, providing users with an integrated zero-trust security solution for remote access, application access and data protection.


● Zero Trust Identity and Access Management


IAM (Identity and Access Management) defines and manages user roles and access permissions, that is, it determines who can access, how they can access, and what operations they can perform.


An IAM solution also covers accounts, authentication, authorization and auditing. All of these are key features of zero-trust technology, which allows IAM vendors to migrate to a zero-trust security architecture at lower cost and more efficiently.


IAM mainly solves the problems of user application access and permission control. Therefore, this type of zero-trust solution focuses more on application and data access and does not have high technical coverage of network access and remote access scenarios.


Venustech Group draws on more than ten years of IAM best practice with telecom carriers to provide users with highly reliable products. They contain the following capabilities:


1. Support for multi-dimensional identity management and flexible extension of attributes


Create a unique identity for each access subject, including internal and external users, third-party systems and equipment, providing unified full-lifecycle management of identities (establishing, modifying, freezing, deleting) and supporting custom extension of identity attributes to meet the attribute requirements of different stages.


2. Support for multiple identity authentication methods and authentication protocols


After defining the subject's identity, an identity verification mechanism must also be provided; it can support static passwords, dynamic passwords, biometrics and digital certificates to strengthen the security of the subject's identity. IAM can also forward authentication requests to an external authentication server according to actual needs.


IAM can realize unified authentication and single sign-on by supporting standard authentication protocols such as RADIUS, TACACS, LDAP, CAS, SAML, OAuth2, OIDC, etc.


3. Support for fine-grained access control


When a legitimate identity accesses resources, both entity-level and role-level authorization of the subject are supported. Entity-level authorization is achieved through one-to-one and one-to-many binding of the subject to the object (resource account); it defines which objects the subject can access. Role-level authorization adds fine-grained permission control on top of entity-level authorization for subjects accessing objects, such as operation command policies, dynamic database masking, application page access control and real-time webpage masking, to enforce the principle of least privilege.


Permission control is the core of IAM. In a zero-trust deployment, the introduction of risk calculation and continuous risk assessment of the access subject allows fine-grained access and dynamic authorization control based on the assessment results, greatly improving the timeliness of permission adjustment and the security of access.
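The three layers described above (entity-level binding, role-level command policy, and risk-based dynamic authorization) as a small policy decision point. This is an added example, not Venustech's product code; the subjects, resource accounts, risk signals and thresholds are constructed for illustration.

```python
# Added example, not Venustech's code: a minimal IAM policy decision point with
# the three layers described above (entity-level binding, role-level command
# policy, risk-based dynamic authorization). All data below is constructed.
from dataclasses import dataclass

# Entity-level: one-to-many binding of subject -> resource accounts it may use.
ENTITY_BINDINGS = {
    "alice": {"db-prod:readonly", "db-prod:dba", "app-hr:viewer"},
    "bob": {"app-hr:viewer"},
}
# Role-level: operation command policy, i.e. which operations each resource
# account (role) may perform on its object.
ROLE_POLICY = {
    "db-prod:readonly": {"select"},
    "db-prod:dba": {"select", "update", "delete", "drop"},
    "app-hr:viewer": {"view_page"},
}
# Dynamic: a continuously updated risk score narrows the effective permissions.
HIGH_RISK_OPS = {"delete", "drop"}   # denied once risk reaches RISK_MEDIUM
RISK_MEDIUM, RISK_HIGH = 40, 70       # constructed thresholds

@dataclass
class Decision:
    allowed: bool
    reason: str
    masking: bool = False   # obligation: apply dynamic data masking to results

def risk_score(signals: dict) -> int:
    """Continuous risk assessment of the access subject (0..100), constructed weights."""
    score = 0 if signals.get("mfa") else 40
    score += 30 if signals.get("new_device") else 0
    score += 20 if signals.get("failed_logins", 0) > 3 else 0
    return min(score, 100)

def authorize(subject: str, account: str, operation: str, signals: dict) -> Decision:
    """Entity-level check, then role-level check, then risk-based adjustment."""
    if account not in ENTITY_BINDINGS.get(subject, set()):
        return Decision(False, "entity-level: subject not bound to this account")
    if operation not in ROLE_POLICY.get(account, set()):
        return Decision(False, "role-level: operation outside command policy")
    score = risk_score(signals)
    if score >= RISK_HIGH:
        return Decision(False, f"dynamic: risk {score} >= {RISK_HIGH}, denied")
    if score >= RISK_MEDIUM and operation in HIGH_RISK_OPS:
        return Decision(False, f"dynamic: risk {score}, destructive op denied")
    # Medium risk: allow, but require dynamic masking of returned data.
    return Decision(True, f"allowed at risk {score}", masking=score >= RISK_MEDIUM)
```

The same request can therefore be allowed, allowed with masking, or denied depending only on the current risk assessment, which is the "dynamic authorization" the text contrasts with static permission grants.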


● BeyondCorp


Google BeyondCorp is an early zero-trust project. The core of the BeyondCorp implementation is to introduce or extend network components such as single sign-on, an access proxy, an access control engine, a user list, a device list, security policies and a trust store. These components work together to uphold three guiding principles:


1) The specific network connection must not determine which services the user can access.

2) Access to a service is granted based on what is known about the user and the device.

3) All access to a service must be authenticated, authorized and encrypted.
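The three principles applied by an access proxy that consults the components listed above (SSO identity, user list, device list with trust-store certificates, security policy). This is an added example and not Google's BeyondCorp code; the users, devices, trust tiers and service policies are constructed, and the request's source IP is carried only to show that it is never a policy input.

```python
# Added example, not Google's BeyondCorp code: an access-proxy decision that
# combines SSO identity, user list, device list, trust store and security
# policy under the three principles. All inventories below are constructed.
from dataclasses import dataclass
from typing import Optional

# User list, keyed by the identity asserted by single sign-on.
USERS = {"alice": {"groups": {"eng"}}, "bob": {"groups": {"sales"}}}
# Device list: inventory with trust-store certificate fingerprint, tier, owner.
DEVICES = {
    "dev-001": {"cert_fp": "fp-aaa", "tier": "high", "user": "alice"},
    "dev-002": {"cert_fp": "fp-bbb", "tier": "low", "user": "bob"},
}
# Security policy: service -> required group and minimum device trust tier.
POLICY = {
    "code-review": {"group": "eng", "min_tier": "high"},
    "crm": {"group": "sales", "min_tier": "low"},
}
TIER_RANK = {"untrusted": 0, "low": 1, "medium": 2, "high": 3}

@dataclass
class Request:
    service: str
    tls: bool                      # connection terminated with TLS at the proxy
    sso_user: Optional[str]        # identity from SSO, None if unauthenticated
    device_id: Optional[str]
    device_cert_fp: Optional[str]  # client certificate presented by the device
    source_ip: str                 # recorded, but deliberately not a policy input

def decide(req: Request) -> tuple:
    """Return (allowed, reason); source_ip never affects the result (principle 1)."""
    if not req.tls:
        return False, "principle 3: unencrypted connection rejected"
    if req.sso_user not in USERS:
        return False, "principle 3: unauthenticated user"
    dev = DEVICES.get(req.device_id)
    if dev is None or dev["cert_fp"] != req.device_cert_fp:
        return False, "principle 2: device not in inventory or cert mismatch"
    if dev["user"] != req.sso_user:
        return False, "principle 2: device not assigned to this user"
    pol = POLICY.get(req.service)
    if pol is None:
        return False, "unknown service"
    if pol["group"] not in USERS[req.sso_user]["groups"]:
        return False, "principle 3: user not authorized for service"
    if TIER_RANK[dev["tier"]] < TIER_RANK[pol["min_tier"]]:
        return False, f"principle 2: device tier {dev['tier']} below {pol['min_tier']}"
    return True, "authenticated, authorized, encrypted"
```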


Comparing the technical routes of zero trust in China and worldwide, we can see different characteristics and styles.


At present, with the trend of digital upgrade and cloud adoption, traditional enterprise protection boundaries are gradually being dissolved, and identity-centric zero-trust access control has been recognized and affirmed by more and more customers. There is no doubt that zero trust will become the future trend in the development of network security.