Zero Trust Networks. Building Secure Systems in

203.15

Description

The perimeter defenses guarding your network perhaps are not as secure as you think. Hosts behind the firewall have no defenses of their own, so when a host in the "trusted" zone is breached, access to your data center is not far behind. That's an all-too-familiar scenario today. With this practical book, you'll learn the principles behind zero trust architecture, along with details necessary to implement it.

The Zero Trust Model treats all hosts as if they're internet-facing, and considers the entire network to be compromised and hostile. By taking this approach, you'll focus on building strong authentication, authorization, and encryption throughout, while providing compartmentalized access and better operational agility.

- Understand how perimeter-based defenses have evolved to become the broken model we use today
- Explore two case studies of zero trust in production networks on the client side (Google) and on the server side (PagerDuty)
- Get example configuration for open source tools that you can use to build a zero trust network
- Learn how to migrate from a perimeter-based network to a zero trust network in production

Table of contents:

Preface
  - Who Should Read This Book
  - Why We Wrote This Book
  - Zero Trust Networks Today
  - Navigating This Book
  - Conventions Used in This Book
  - O'Reilly Safari
  - How to Contact Us
  - Acknowledgments

1. Zero Trust Fundamentals
  - What Is a Zero Trust Network?
  - Introducing the Zero Trust Control Plane
  - Evolution of the Perimeter Model
  - Managing the Global IP Address Space
  - Birth of Private IP Address Space
  - Private Networks Connect to Public Networks
  - Birth of NAT
  - The Contemporary Perimeter Model
  - Evolution of the Threat Landscape
  - Perimeter Shortcomings
  - Where the Trust Lies
  - Automation as an Enabler
  - Perimeter Versus Zero Trust
  - Applied in the Cloud
  - Summary

2. Managing Trust
  - Threat Models
  - Common Threat Models
  - Zero Trust's Threat Model
  - Strong Authentication
  - Authenticating Trust
  - What Is a Certificate Authority?
  - Importance of PKI in Zero Trust
  - Private Versus Public PKI
  - Public PKI Strictly Better Than None
  - Least Privilege
  - Variable Trust
  - Control Plane Versus Data Plane
  - Summary

3. Network Agents
  - What Is an Agent?
  - Agent Volatility
  - What's in an Agent?
  - How Is an Agent Used?
  - Not for Authentication
  - How to Expose an Agent?
  - No Standard Exists
  - Rigidity and Fluidity, at the Same Time
  - Standardization Desirable
  - In the Meantime?
  - Summary

4. Making Authorization Decisions
  - Authorization Architecture
  - Enforcement
  - Policy Engine
  - Policy Storage
  - What Makes Good Policy?
  - Who Defines Policy?
  - Trust Engine
  - What Entities Are Scored?
  - Exposing Scores Considered Risky
  - Data Stores
  - Summary

5. Trusting Devices
  - Bootstrapping Trust
  - Generating and Securing Identity
  - Identity Security in Static and Dynamic Systems
  - Authenticating Devices with the Control Plane
  - X.509
  - Certificate chains and certification authorities
  - Device identity and X.509
  - Public and private components
  - Private key storage
  - X.509 for device authentication
  - TPMs
  - Encrypting data using a TPM
  - Intermediary keys and passphrases
  - Platform configuration registers
  - Remote attestation
  - TPMs for device authentication
  - Hardware-Based Zero Trust Supplicant?
  - Inventory Management
  - Knowing What to Expect
  - Secure Introduction
  - What Makes a Good Secure Introduction System?
  - Renewing Device Trust
  - Local Measurement
  - Remote Measurement
  - Software Configuration Management
  - CM-Based Inventory
  - Searchable inventory
  - Secure Source of Truth
  - Using Device Data for User Authorization
  - Trust Signals
  - Time Since Image
  - Historical Access
  - Location
  - Network Communication Patterns
  - Summary

6. Trusting Users
  - Identity Authority
  - Bootstrapping Identity in a Private System
  - Government-Issued Identification
  - Nothing Beats Meatspace
  - Expectations and Stars
  - Storing Identity
  - User Directories
  - Directory Maintenance
  - When to Authenticate Identity
  - Authenticating for Trust
  - Trust as the Authentication Driver
  - The Use of Multiple Channels
  - Caching Identity and Trust
  - How to Authenticate Identity
  - Something You Know: Passwords
  - Something You Have: TOTP
  - Something You Have: Certificates
  - Something You Have: Security Tokens
  - Something You Are: Biometrics
  - Out-of-Band Authentication
  - Single Sign On
  - Moving Toward a Local Auth Solution
  - Authenticating and Authorizing a Group
  - Shamir's Secret Sharing
  - Red October
  - See Something, Say Something
  - Trust Signals
  - Summary

7. Trusting Applications
  - Understanding the Application Pipeline
  - Trusting Source
  - Securing the Repository
  - Authentic Code and the Audit Trail
  - Code Reviews
  - Trusting Builds
  - The Risk
  - Trusted Input, Trusted Output
  - Reproducible Builds
  - Decoupling Release and Artifact Versions
  - Trusting Distribution
  - Promoting an Artifact
  - Distribution Security
  - Integrity and Authenticity
  - Trusting a Distribution Network
  - Humans in the Loop
  - Trusting an Instance
  - Upgrade-Only Policy
  - Authorized Instances
  - Runtime Security
  - Secure Coding Practices
  - Isolation
  - Active Monitoring
  - Summary

8. Trusting the Traffic
  - Encryption Versus Authentication
  - Authenticity Without Encryption?
  - Bootstrapping Trust: The First Packet
  - fwknop
  - Short-lived exceptions
  - SPA payload
  - Payload encryption
  - HMAC
  - A Brief Introduction to Network Models
  - Network Layers, Visually
  - OSI Network Model
  - Layer 1: Physical Layer
  - Layer 2: Data Link Layer
  - Layer 3: Network Layer
  - Layer 4: Transport Layer
  - Layer 5: Session Layer
  - Layer 6: Presentation Layer
  - Layer 7: Application Layer
  - TCP/IP Network Model
  - Where Should Zero Trust Be in the Network Model?
  - Client and Server Split
  - Network support issues
  - Device support issues
  - Application support issues
  - A pragmatic approach
  - The Protocols
  - IKE/IPsec
  - IKE and IPsec
  - Authentication credentials
  - IKE SA_INIT and AUTH
  - Cipher suite selection
  - IPsec security associations
  - IPsec tunnel mode versus transport mode
  - IKE/IPsec for device authentication
  - Mutually Authenticated TLS
  - Cipher suite negotiation and selection
  - Who gets to say
  - Key exchange
  - Perfect Forward Secrecy
  - Mind Your Curves
  - Authentication
  - Separation of duty
  - Bulk encryption
  - Message authenticity
  - Mutually authenticated TLS for device authentication
  - Filtering
  - Host Filtering
  - Bookended Filtering
  - Intermediary Filtering
  - Summary

9. Realizing a Zero Trust Network
  - Choosing Scope
  - What's Actually Required?
  - All network flows MUST be authenticated before being processed
  - All network flows SHOULD be encrypted before being transmitted
  - Authentication and encryption MUST be performed by the application-layer endpoints
  - All network flows MUST be enumerated so that access can be enforced by the system
  - The strongest authentication and encryption suites available SHOULD be used within the network
  - Authentication SHOULD NOT rely on public PKI providers; private PKI systems should be used instead
  - Devices SHOULD be regularly scanned, patched, and rotated
  - Building a System Diagram
  - Understanding Your Flows
  - Controller-Less Architecture
  - Cheating with Configuration Management
  - Application Authentication and Authorization
  - Authenticating Load Balancers and Proxies
  - Relationship-Oriented Policy
  - Policy Distribution
  - Defining and Installing Policy
  - Zero Trust Proxies
  - Client-Side Versus Server-Side Migrations
  - Case Studies
  - Case Study: Google BeyondCorp
  - The Major Components of BeyondCorp
  - Securely identifying the device
  - Device inventory database
  - Device identity
  - Securely identifying the user
  - Externalizing applications and workflows: The access proxy
  - Implementing inventory-based access control
  - Leveraging and Extending the GFE
  - User authentication
  - Authorization
  - Mutual authentication between the proxy and the backend
  - Challenges with Multiplatform Authentication
  - Desktops and laptops
  - Mobile devices
  - Migrating to BeyondCorp
  - Deploying an unprivileged network
  - Workflow qualification
  - Cutting back on VPN usage
  - Traffic analysis pipeline
  - Unprivileged network simulation
  - Migration strategy
  - Exemption handling
  - Lessons Learned
  - Communication
  - Engineers need support
  - Data quality and correlation
  - Sparse data sets
  - Conclusion
  - Case Study: PagerDuty's Cloud Agnostic Network
  - Configuration Management as an Automation Platform
  - Dynamically Calculated Local Firewalls
  - Distributed Traffic Encryption
  - Decentralized User Management
  - Rollout
  - Value of a Provider-Agnostic System
  - Summary

10. The Adversarial View
  - Identity Theft
  - Distributed Denial of Service
  - Endpoint Enumeration
  - Untrusted Computing Platform
  - Social Engineering
  - Physical Coercion
  - Invalidation
  - Control Plane Security
  - Summary

Index

E-books: Computer Science
