Zero trust networks: building secure systems in untrusted networks
Saved in:
1. Author: | |
---|---|
Format: | Book |
Language: | English |
Published: | Beijing ; Boston ; Farnham ; Sebastopol ; Tokyo : O'Reilly, July 2017 |
Edition: | First edition |
Subjects: | |
Online access: | Table of contents |
Description: | xiv, 223 pages, illustrations, diagrams |
ISBN: | 9781491962190 1491962194 |
Internal format
MARC
LEADER | 00000nam a2200000 c 4500 | ||
---|---|---|---|
001 | BV044430487 | ||
003 | DE-604 | ||
005 | 20181206 | ||
007 | t | ||
008 | 170731s2017 a||| |||| 00||| eng d | ||
020 | |a 9781491962190 |c pbk. |9 978-1-491-96219-0 | ||
020 | |a 1491962194 |9 1-491-96219-4 | ||
035 | |a (OCoLC)1002229512 | ||
035 | |a (DE-599)BVBBV044430487 | ||
040 | |a DE-604 |b ger |e rda | ||
041 | 0 | |a eng | |
049 | |a DE-706 |a DE-11 |a DE-739 |a DE-M347 | ||
084 | |a ST 200 |0 (DE-625)143611: |2 rvk | ||
084 | |a ST 277 |0 (DE-625)143643: |2 rvk | ||
100 | 1 | |a Gilman, Evan |e Verfasser |0 (DE-588)1138588660 |4 aut | |
245 | 1 | 0 | |a Zero trust networks |b building secure systems in untrusted networks |c Evan Gilman and Doug Barth |
250 | |a First edition | ||
264 | 1 | |a Beijing ; Boston ; Farnham ; Sebastopol ; Tokyo |b O'Reilly |c July 2017 | |
300 | |a xiv, 223 Seiten |b Illustrationen, Diagramme | ||
336 | |b txt |2 rdacontent | ||
337 | |b n |2 rdamedia | ||
338 | |b nc |2 rdacarrier | ||
650 | 0 | 7 | |a Computersicherheit |0 (DE-588)4274324-2 |2 gnd |9 rswk-swf |
650 | 0 | 7 | |a Rechnernetz |0 (DE-588)4070085-9 |2 gnd |9 rswk-swf |
653 | 0 | |a Computer security | |
653 | 0 | |a Computer networks / Security measures | |
653 | 0 | |a Data encryption (Computer science) | |
689 | 0 | 0 | |a Computersicherheit |0 (DE-588)4274324-2 |D s |
689 | 0 | 1 | |a Rechnernetz |0 (DE-588)4070085-9 |D s |
689 | 0 | |5 DE-604 | |
700 | 1 | |a Barth, Doug |e Sonstige |0 (DE-588)1138588776 |4 oth | |
776 | 0 | 8 | |i Erscheint auch als |n Online-Ausgabe, e-Book |z 978-1-4919-6216-9 |
856 | 4 | 2 | |m Digitalisierung UB Passau - ADAM Catalogue Enrichment |q application/pdf |u http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=029831890&sequence=000001&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA |3 Inhaltsverzeichnis |
999 | |a oai:aleph.bib-bvb.de:BVB01-029831890 |
Record in the search index
_version_ | 1804177731783491584 |
---|---|
adam_text | Table of Contents
Preface ... ix
1. Zero Trust Fundamentals ... 1
  What Is a Zero Trust Network? 1
  Introducing the Zero Trust Control Plane 3
  Evolution of the Perimeter Model 4
  Managing the Global IP Address Space 4
  Birth of Private IP Address Space 6
  Private Networks Connect to Public Networks 6
  Birth of NAT 7
  The Contemporary Perimeter Model 8
  Evolution of the Threat Landscape 9
  Perimeter Shortcomings 12
  Where the Trust Lies 15
  Automation as an Enabler 15
  Perimeter Versus Zero Trust 16
  Applied in the Cloud 18
  Summary 19
2. Managing Trust ... 21
  Threat Models 23
  Common Threat Models 23
  Zero Trust's Threat Model 24
  Strong Authentication 25
  Authenticating Trust 28
  What Is a Certificate Authority? 28
  Importance of PKI in Zero Trust 29
  Private Versus Public PKI 29
  Public PKI Strictly Better Than None 30
  Least Privilege 30
  Variable Trust 33
  Control Plane Versus Data Plane 36
  Summary 38
3. Network Agents ... 41
  What Is an Agent? 42
  Agent Volatility 42
  What's in an Agent? 43
  How Is an Agent Used? 43
  Not for Authentication 44
  How to Expose an Agent? 45
  No Standard Exists 46
  Rigidity and Fluidity, at the Same Time 46
  Standardization Desirable 47
  In the Meantime? 48
  Summary 48
4. Making Authorization Decisions ... 51
  Authorization Architecture 51
  Enforcement 53
  Policy Engine 54
  Policy Storage 55
  What Makes Good Policy? 56
  Who Defines Policy? 58
  Trust Engine 58
  What Entities Are Scored? 59
  Exposing Scores Considered Risky 60
  Data Stores 60
  Summary 62
5. Trusting Devices ... 65
  Bootstrapping Trust 65
  Generating and Securing Identity 66
  Identity Security in Static and Dynamic Systems 67
  Authenticating Devices with the Control Plane 70
  X.509 70
  TPMs 73
  Hardware-Based Zero Trust Supplicant? 77
  Inventory Management 78
  Knowing What to Expect 79
  Secure Introduction 80
  Renewing Device Trust 81
  Local Measurement 83
  Remote Measurement 83
  Software Configuration Management 85
  CM-Based Inventory 85
  Secure Source of Truth 87
  Using Device Data for User Authorization 88
  Trust Signals 89
  Time Since Image 89
  Historical Access 89
  Location 89
  Network Communication Patterns 90
  Summary 90
6. Trusting Users ... 93
  Identity Authority 93
  Bootstrapping Identity in a Private System 95
  Government-Issued Identification 95
  Nothing Beats Meatspace 96
  Expectations and Stars 97
  Storing Identity 97
  User Directories 97
  Directory Maintenance 98
  When to Authenticate Identity 99
  Authenticating for Trust 99
  Trust as the Authentication Driver 99
  The Use of Multiple Channels 100
  Caching Identity and Trust 101
  How to Authenticate Identity 101
  Something You Know: Passwords 102
  Something You Have: TOTP 103
  Something You Have: Certificates 104
  Something You Have: Security Tokens 104
  Something You Are: Biometrics 105
  Out-of-Band Authentication 106
  Single Sign On 106
  Moving Toward a Local Auth Solution 107
  Authenticating and Authorizing a Group 108
  Shamir's Secret Sharing 108
  Red October 109
  See Something, Say Something 110
  Trust Signals 110
  Summary 111
7. Trusting Applications ... 113
  Understanding the Application Pipeline 114
  Trusting Source 115
  Securing the Repository 116
  Authentic Code and the Audit Trail 116
  Code Reviews 118
  Trusting Builds 118
  The Risk 118
  Trusted Input, Trusted Output 120
  Reproducible Builds 120
  Decoupling Release and Artifact Versions 121
  Trusting Distribution 122
  Promoting an Artifact 122
  Distribution Security 123
  Integrity and Authenticity 123
  Trusting a Distribution Network 125
  Humans in the Loop 126
  Trusting an Instance 127
  Upgrade-Only Policy 127
  Authorized Instances 128
  Runtime Security 130
  Secure Coding Practices 130
  Isolation 131
  Active Monitoring 132
  Summary 134
8. Trusting the Traffic ... 137
  Encryption Versus Authentication 137
  Authenticity Without Encryption? 138
  Bootstrapping Trust: The First Packet 139
  fwknop 140
  A Brief Introduction to Network Models 142
  Network Layers, Visually 142
  OSI Network Model 143
  TCP/IP Network Model 145
  Where Should Zero Trust Be in the Network Model? 145
  Client and Server Split 147
  The Protocols 150
  IKE/IPsec 150
  Mutually Authenticated TLS 155
  Filtering 163
  Host Filtering 164
  Bookended Filtering 167
  Intermediary Filtering 169
  Summary 171
9. Realizing a Zero Trust Network ... 173
  Choosing Scope 173
  What's Actually Required? 174
  Building a System Diagram 178
  Understanding Your Flows 180
  Controller-Less Architecture 182
  "Cheating" with Configuration Management 182
  Application Authentication and Authorization 183
  Authenticating Load Balancers and Proxies 184
  Relationship-Oriented Policy 185
  Policy Distribution 185
  Defining and Installing Policy 186
  Zero Trust Proxies 187
  Client-Side Versus Server-Side Migrations 189
  Case Studies 190
  Case Study: Google BeyondCorp 190
  The Major Components of BeyondCorp 192
  Leveraging and Extending the GFE 194
  Challenges with Multiplatform Authentication 196
  Migrating to BeyondCorp 197
  Lessons Learned 199
  Conclusion 201
  Case Study: PagerDuty's Cloud Agnostic Network 202
  Configuration Management as an Automation Platform 202
  Dynamically Calculated Local Firewalls 203
  Distributed Traffic Encryption 204
  Decentralized User Management 205
  Rollout 206
  Value of a Provider-Agnostic System 207
  Summary 207
10. The Adversarial View ... 209
  Identity Theft 210
  Distributed Denial of Service 210
  Endpoint Enumeration 211
  Untrusted Computing Platform 212
  Social Engineering 212
  Physical Coercion 213
  Invalidation 214
  Control Plane Security 215
  Summary 216
Index ... 217
|
any_adam_object | 1 |
author | Gilman, Evan |
author_GND | (DE-588)1138588660 (DE-588)1138588776 |
author_facet | Gilman, Evan |
author_role | aut |
author_sort | Gilman, Evan |
author_variant | e g eg |
building | Verbundindex |
bvnumber | BV044430487 |
classification_rvk | ST 200 ST 277 |
ctrlnum | (OCoLC)1002229512 (DE-599)BVBBV044430487 |
discipline | Informatik |
edition | First edition |
format | Book |
id | DE-604.BV044430487 |
illustrated | Illustrated |
indexdate | 2024-07-10T07:52:44Z |
institution | BVB |
isbn | 9781491962190 1491962194 |
language | English |
oai_aleph_id | oai:aleph.bib-bvb.de:BVB01-029831890 |
oclc_num | 1002229512 |
open_access_boolean | |
owner | DE-706 DE-11 DE-739 DE-M347 |
owner_facet | DE-706 DE-11 DE-739 DE-M347 |
physical | xiv, 223 Seiten Illustrationen, Diagramme |
publishDate | 2017 |
publishDateSearch | 2017 |
publishDateSort | 2017 |
publisher | O'Reilly |
record_format | marc |
subject_GND | (DE-588)4274324-2 (DE-588)4070085-9 |
title | Zero trust networks building secure systems in untrusted networks |
title_auth | Zero trust networks building secure systems in untrusted networks |
title_exact_search | Zero trust networks building secure systems in untrusted networks |
title_full | Zero trust networks building secure systems in untrusted networks Evan Gilman and Doug Barth |
title_fullStr | Zero trust networks building secure systems in untrusted networks Evan Gilman and Doug Barth |
title_full_unstemmed | Zero trust networks building secure systems in untrusted networks Evan Gilman and Doug Barth |
title_short | Zero trust networks |
title_sort | zero trust networks building secure systems in untrusted networks |
title_sub | building secure systems in untrusted networks |
topic | Computersicherheit (DE-588)4274324-2 gnd Rechnernetz (DE-588)4070085-9 gnd |
topic_facet | Computersicherheit Rechnernetz |
url | http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=029831890&sequence=000001&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA |
work_keys_str_mv | AT gilmanevan zerotrustnetworksbuildingsecuresystemsinuntrustednetworks AT barthdoug zerotrustnetworksbuildingsecuresystemsinuntrustednetworks |