基于零信任的远程办公系统安全模型研究与实现

信息安全研究 ›› 2020, Vol. 6 ›› Issue (4): 289-295.

基于零信任的远程办公系统安全模型研究与实现

魏小强

北京奇虎360科技有限公司未来网络安全研究院天枢智库

收稿日期:2020-04-06 出版日期:2020-04-03 发布日期:2020-04-06
通讯作者: 魏小强
作者简介:魏小强, 1972. 硕士学位。目前供职于360公司未来网络研究院。高级研究员。智库安全研究部负责人。主要研究领域:云安全，零信任，5G安全，勒索病毒等。联系方式：weixq2020@163.com

Research and Implementation of Security Model of Telecommuting System Based on Zero Trust

Received:2020-04-06 Online:2020-04-03 Published:2020-04-06

摘要/Abstract

摘要： 远程办公因其众多的优点而成为一种潮流为大众所接受, 然而也带来了诸多网络安全问题.伴随新技术的不断出现、网络环境的日趋演进、自带设备(BYOD)的普及和不断出现的网络安全事件使得远程办公面临的安全风险大增.因为传统的网络边界防御模型不再能满足今天网络安全的需求，零信任被越来越多的人认可并成为新的安全模型.零信任模型最早是由Forrester的专家提出来的，该安全模型不再把网络分为信任区和非信任区，零信任模型不是一个简单的网络架构，而是一套方法论.基于对零信任网络模型的理解，结合具体的网络安全实例对比分析了零信任模型与传统安全模型的区别，主要是为了发现一个系统的方法来指导企业解决远程办公的安全问题，旨在给准备实施零信任战略的企业提供一些参考.

关键词: 远程办公, 自带设备, 零信任, 网络安全, 网络威胁, 多因素认证, 远程访问

Abstract: Telecommuting has become very popular and been widely accepted because of its various advantages. However, it brings numbers of serious problems related to network security. With the continuous emergence of new technologies, the gradual evolution of the network environment, the popularity of BYOD and the ever-increasing network security incidents, the security risks faced by telecommuting have greatly increased. Since the traditional network boundary defense model can no longer meet the needs of network security today, the Zero Trust Network is being recognized as a new security model by more and more people. The term zero trust was first used by a Forrester's expert when describing a new security model in which networks were no longer split into trusted and untrusted zones. ZTA is not a single network architecture, it is a methodology. Based on the understanding of the Zero Trust Network model, this paper compares it with the traditional perimeter model using an analysis of a real case, aiming to find a systematic approach to guide enterprises to solve telecommuting security problems. Addressing to provide some references for the companies preparing to implement this strategy.

Key words: telecommuting, BYOD, zero trust, cybersecurity, cyberthreat, multi-factor authentication, remote access

魏小强. 基于零信任的远程办公系统安全模型研究与实现[J]. 信息安全研究, 2020, 6(4): 289-295.

参考文献

[1] Murugiah Souppaya, Karen Scarfone, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security, National Institute of Standards and Technology Special Publication 800-46 Revision 2 Natl. Inst. Stand. Technol. Spec. Publ. 800-46 Rev. 2, 53 pages (July 2016) CODEN: NSPUE2 [2]网络安全标准实践指南-远程办公安全防护（v1.0-202003），全国信息安全标准化技术委员会秘书处。www.tc260.org.cn Cybersecurity StandardS Practice Guide, Teleoffice Security, National Information Security Standardization Technical Coommittee. [3] Karen Scarfone Paul Hoffman, Guidelines on Firewalls and Firewall Policy：Recommendations of the National Institute of Standards and Technology,Computer Security Division Information Technology Laboratory, National Institute of Standards and Technology Gaithersburg, MD 20899-8930, 2009.9 [4] Scott Rose,Oliver Borchert, Stu Mitchell, Sean Connelly, Zero Trust Architecture,National Institute of Standards and Technology Special Publication 800-207 Natl. Inst. Stand. Technol. Spec. Publ. 800-207, 58 pages (February 2020) CODEN: NSPUE2) [5] Rory Ward, Betsy Beyer, BeyondCorp: A New Approach to Enterprise Security, https://storage.googleapis.com/pub-tools-public-publication-data/pdf/43231.pdf 2014.12.) [6] Brent Bilger, VP Solutions Architecture, Vidder, Alan Boehme, Bob Flores, Jeff Schweitzer, Junaid Islam, Software Defined Perimeter Working Group:Software Defined Perimeter，https://cloudsecurityalliance.org/artifacts/software-defined-perimeter/ 2013.12 [7] Matt Conran, ZERO TRUST: SINGLE PACKET AUTHORIZATION | PASSIVE AUTHORIZATION，https://network-insight.net/2019/06/zero-trust-single-packet-authorization-passive-authorization/ 2019.6.18) [8] Bill Goodwin, Cyber gangsters demand payment from Travelex after ‘Sodinokibi’ attack，https://www.computerweekly.com/news/252476283/Cyber-gangsters-demand-payment-from-Travelex-after-Sodinokibi-attack,Computer Weekly, 2020.1.6) [9] Christopher Hines, Remote Access VPNs Have Ransomware on Their Hands, https://www.zscaler.com/blogs/research/remote-access-vpns-have-ransomware-their-hands) [10] 网上的文献(360远程云盾甲面向政企免费提供远程办公安全接入服务，https://www.360.cn/n/11512.html, 2020.2.6) [10]网上的文献（360 Remote Cloud Shield A provides free remote office secure access service for government and enterprises，https://www.360.cn/n/11512.html, 2020.2.6)

[1]	杨鹏飞罗奇伟李尧. 数字政府网络安全指数评估体系研究[J]. 信息安全研究, 2021, 7(3): 257-262.
[2]	门嘉平肖扬文马涛. 社会工程学攻击之钓鱼邮件分析[J]. 信息安全研究, 2021, 7(2): 166-170.
[3]	王逸鹤黄亦芃. 面向网络安全防御防护的大数据平台架构研究[J]. 信息安全研究, 2021, 7(1): 75-80.
[4]	寇春静刘志娟张弛雷灵光. 中国大陆信息网络安全学术研究的影响力分析[J]. 信息安全研究, 2020, 6(9): 0-0.
[5]	吉梁. 央企商密网分类分域安全防护体系设计与思考[J]. 信息安全研究, 2020, 6(9): 0-0.
[6]	邱勤张滨吕欣. 5G安全需求与标准体系研究[J]. 信息安全研究, 2020, 6(8): 673-679.
[7]	段伟伦韩晓露吕欣李阳. 美国5G安全战略分析及启示[J]. 信息安全研究, 2020, 6(8): 688-693.
[8]	崔枭飞樊晓贺. 新基建浪潮下5G mMTC业务场景安全问题研究[J]. 信息安全研究, 2020, 6(8): 710-715.
[9]	张彦司群冯凤娟. 铁路网络安全测评体系研究[J]. 信息安全研究, 2020, 6(8): 738-743.
[10]	张泽樊江伟周南. 基于MEA-LVQ的网络态势预测模型 [J]. 信息安全研究, 2020, 6(6): 0-0.
[11]	肖喜生彭凯飞龙春魏金侠赵静. 基于人工智能的安全态势预测技术研究综述[J]. 信息安全研究, 2020, 6(6): 0-0.
[12]	李憧刘鹏蔡国庆. 基于流量感知的动态网络资产监测研究[J]. 信息安全研究, 2020, 6(6): 0-0.
[13]	刘思博刘鹏. 态势感知在电子政务信息安全中的应用[J]. 信息安全研究, 2020, 6(6): 0-0.
[14]	蔡国庆刘鹏李憧. 政务网站流量安全基线分析研究[J]. 信息安全研究, 2020, 6(6): 0-0.
[15]	刘蓓程浩包丽娜文博. 远程移动办公安全标准研究与实践[J]. 信息安全研究, 2020, 6(4): 282-288.