Zero Trust Networks

Zero Trust Networks

Released
Publisher(s): O'Reilly Media, Inc.
ISBN: None

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

None

Table of contents

  1. Preface
    1. Who Should Read This Book
    2. Why We Wrote This Book
    3. Zero Trust Networks Today
    4. Navigating This Book
    5. Conventions Used in This Book
    6. O’Reilly Safari
    7. How to Contact Us
    8. Acknowledgments
  2. 1. Zero Trust Fundamentals
    1. What Is a Zero Trust Network?
      1. Introducing the Zero Trust Control Plane
    2. Evolution of the Perimeter Model
      1. Managing the Global IP Address Space
      2. Birth of Private IP Address Space
      3. Private Networks Connect to Public Networks
      4. Birth of NAT
      5. The Contemporary Perimeter Model
    3. Evolution of the Threat Landscape
    4. Perimeter Shortcomings
    5. Where the Trust Lies
    6. Automation as an Enabler
    7. Perimeter Versus Zero Trust
    8. Applied in the Cloud
    9. Summary
  3. 2. Managing Trust
    1. Threat Models
      1. Common Threat Models
      2. Zero Trust’s Threat Model
    2. Strong Authentication
    3. Authenticating Trust
      1. What Is a Certificate Authority?
      2. Importance of PKI in Zero Trust
      3. Private Versus Public PKI
      4. Public PKI Strictly Better Than None
    4. Least Privilege
    5. Variable Trust
    6. Control Plane Versus Data Plane
    7. Summary
  4. 3. Network Agents
    1. What Is an Agent?
      1. Agent Volatility
      2. What’s in an Agent?
    2. How Is an Agent Used?
      1. Not for Authentication
    3. How to Expose an Agent?
    4. No Standard Exists
      1. Rigidity and Fluidity, at the Same Time
      2. Standardization Desirable
      3. In the Meantime?
    5. Summary
  5. 4. Making Authorization Decisions
    1. Authorization Architecture
    2. Enforcement
    3. Policy Engine
      1. Policy Storage
      2. What Makes Good Policy?
      3. Who Defines Policy?
    4. Trust Engine
      1. What Entities Are Scored?
      2. Exposing Scores Considered Risky
    5. Data Stores
    6. Summary
  6. 5. Trusting Devices
    1. Bootstrapping Trust
      1. Generating and Securing Identity
      2. Identity Security in Static and Dynamic Systems
    2. Authenticating Devices with the Control Plane
      1. X.509
      2. TPMs
      3. Hardware-Based Zero Trust Supplicant?
    3. Inventory Management
      1. Knowing What to Expect
      2. Secure Introduction
    4. Renewing Device Trust
      1. Local Measurement
      2. Remote Measurement
    5. Software Configuration Management
      1. CM-Based Inventory
      2. Secure Source of Truth
    6. Using Device Data for User Authorization
    7. Trust Signals
      1. Time Since Image
      2. Historical Access
      3. Location
      4. Network Communication Patterns
    8. Summary
  7. 6. Trusting Users
    1. Identity Authority
    2. Bootstrapping Identity in a Private System
      1. Government-Issued Identification
      2. Nothing Beats Meatspace
      3. Expectations and Stars
    3. Storing Identity
      1. User Directories
      2. Directory Maintenance
    4. When to Authenticate Identity
      1. Authenticating for Trust
      2. Trust as the Authentication Driver
      3. The Use of Multiple Channels
      4. Caching Identity and Trust
    5. How to Authenticate Identity
      1. Something You Know: Passwords
      2. Something You Have: TOTP
      3. Something You Have: Certificates
      4. Something You Have: Security Tokens
      5. Something You Are: Biometrics
      6. Out-of-Band Authentication
      7. Single Sign On
      8. Moving Toward a Local Auth Solution
    6. Authenticating and Authorizing a Group
      1. Shamir’s Secret Sharing
      2. Red October
    7. See Something, Say Something
    8. Trust Signals
    9. Summary
  8. 7. Trusting Applications
    1. Understanding the Application Pipeline
    2. Trusting Source
      1. Securing the Repository
      2. Authentic Code and the Audit Trail
      3. Code Reviews
    3. Trusting Builds
      1. The Risk
      2. Trusted Input, Trusted Output
      3. Reproducible Builds
      4. Decoupling Release and Artifact Versions
    4. Trusting Distribution
      1. Promoting an Artifact
      2. Distribution Security
      3. Integrity and Authenticity
      4. Trusting a Distribution Network
    5. Humans in the Loop
    6. Trusting an Instance
      1. Upgrade-Only Policy
      2. Authorized Instances
    7. Runtime Security
      1. Secure Coding Practices
      2. Isolation
      3. Active Monitoring
    8. Summary
  9. 8. Trusting the Traffic
    1. Encryption Versus Authentication
      1. Authenticity Without Encryption?
    2. Bootstrapping Trust: The First Packet
      1. fwknop
    3. A Brief Introduction to Network Models
      1. Network Layers, Visually
      2. OSI Network Model
      3. TCP/IP Network Model
    4. Where Should Zero Trust Be in the Network Model?
      1. Client and Server Split
    5. The Protocols
      1. IKE/IPsec
      2. Mutually Authenticated TLS
    6. Filtering
      1. Host Filtering
      2. Bookended Filtering
      3. Intermediary Filtering
    7. Summary
  10. 9. Realizing a Zero Trust Network
    1. Choosing Scope
      1. What’s Actually Required?
    2. Building a System Diagram
    3. Understanding Your Flows
    4. Controller-Less Architecture
      1. “Cheating” with Configuration Management
      2. Application Authentication and Authorization
      3. Authenticating Load Balancers and Proxies
      4. Relationship-Oriented Policy
      5. Policy Distribution
    5. Defining and Installing Policy
    6. Zero Trust Proxies
    7. Client-Side Versus Server-Side Migrations
    8. Case Studies
    9. Case Study: Google BeyondCorp
      1. The Major Components of BeyondCorp
      2. Leveraging and Extending the GFE
      3. Challenges with Multiplatform Authentication
      4. Migrating to BeyondCorp
      5. Lessons Learned
      6. Conclusion
    10. Case Study: PagerDuty’s Cloud Agnostic Network
      1. Configuration Management as an Automation Platform
      2. Dynamically Calculated Local Firewalls
      3. Distributed Traffic Encryption
      4. Decentralized User Management
      5. Rollout
      6. Value of a Provider-Agnostic System
    11. Summary
  11. 10. The Adversarial View
    1. Identity Theft
    2. Distributed Denial of Service
    3. Endpoint Enumeration
    4. Untrusted Computing Platform
    5. Social Engineering
    6. Physical Coercion
    7. Invalidation
    8. Control Plane Security
    9. Summary
  12. Index

Product information

  • Title: Zero Trust Networks
  • Author(s):
  • Release date:
  • Publisher(s): O'Reilly Media, Inc.
  • ISBN: None