After 2021, the security concept of “zero trust” was selected as one of the top ten trends of industrial Internet Security in 2022. However, different from the “zero trust architecture entering the implementation and application promotion period” proposed in 2021, the recently released “Top Ten Trends of Internet Security in 2022 industry” (hereinafter referred to as the “report”) proposes that the commercialization of zero trust will pay more attention to practical results, anti generalization, abuse and conceptualization.
The report said that zero trust, as a system and direction, subverted the paradigm of industrial security, broke the boundary concept of traditional network security, and guided the transformation of industrial security architecture from network centralization to identity centralization.
So far, in addition to European and American IT enterprises such as Google, Microsoft and Cisco, Tencent security, Qi An Xin Technology Group Inc(688561) , Sangfor Technologies Inc(300454) , Wangsu Science & Technology Co.Ltd(300017) , etc. in China have also been overweight around zero trust.
Forrester’s latest new tech: Zero trust network access in the second quarter of 2021 shows that as enterprises seek more secure solutions, zero trust network access has become a landmark security technology, and many security manufacturers have launched zero trust related solutions and products. Therefore, next, zero trust is expected to become the next round of explosion point of industrial security.
outbreak coming
“Zero trust” is a security concept put forward by John kindervag, chief analyst of Forrester in 2010. Its core idea is that by default, it does not trust anyone, devices and systems inside and outside the enterprise network. It needs to rebuild the trust foundation of access control based on identity authentication and authorization.
In short, the strategy of zero trust is “continuous verification and never trust”. The existing traditional access authentication model only needs to know the IP address or host information, but in the “zero trust” model, it needs more clear information. All requests that do not know the user’s identity or do not know the authorization path are rejected.
Although the concept of zero trust has a long history, it began to be popularized in the industry in 2017. At that time, Google’s project based on zero trust security was successfully implemented, which verified the feasibility of zero trust security in large-scale network scenarios. Then, the industry began a series of zero trust practices.
In 2019, in the guidance on promoting the development of network security industry (Exposure Draft) issued by the Ministry of industry and information technology, zero trust security was listed as the key technology to be broken through in network security for the first time.
In the past two years, with telecommuting becoming the social norm, zero trust security has also been accelerated. In fact, the large-scale remote access, the insecurity of terminal equipment and the weakness of network environment make the network attack surface surge. How to ensure the security of remote office has become the primary problem of enterprises and the new blue ocean of security manufacturers, and zero trust is the key to the new blue ocean.
Wangsu Science & Technology Co.Ltd(300017) vice president and chief security officer LV Shibiao told the 21st Century Business Herald, “zero trust, as a new security concept, has been accelerated to be adopted by the market in the past two years. Customers’ demand for zero trust is growing. We expect the zero trust market to break out in 2023.”
According to the data of markets and markets, the scale of the global zero trust security market is expected to increase from US $19.6 billion in 2020 to US $51.6 billion in 2026. IDC predicts that by 2024, secure remote access solutions will occupy 12.5% of the global network security market with a value of US $26 billion, in which zero trust related products and solutions will occupy an important position.
remove the virtual to the real
Looking forward to 2022, the report believes that zero trust will drive many significant changes in the network security industry. First, a large number of security manufacturers will intensively launch zero trust security products and realize a certain range of landing applications among government and enterprise users.
Secondly, multi-dimensional identity attribute proxy technology needs in-depth research. For example, the identity entity attributes of user information, device status, network address, business context, access time, spatial location and other dimensions are used as the basis for authorization, which is generated temporarily as needed and invalidated regularly when applying for authorization.
Previously, some security experts in the industry proposed to the 21st Century Business Herald reporter that a major challenge of zero trust security in the development process is how to demonstrate its security. If we can enhance the security of identity authentication through multi-dimensional identity attributes, we can effectively reduce the vulnerability risk of access authorization, so as to improve the overall security of zero trust security.
The report also refers to the variable trust evaluation technology, and believes that the real-time trust evaluation and analysis of the multi-dimensional real-time attribute information provided by the network agent based on this technology can provide a judgment basis for access authorization through continuous quantitative evaluation of the risk level of network activities.
In addition, cloud computing business will need zero trust technology. The rapid development and popularization of cloud computing, including cloud application, isomerization and mixing of infrastructure, digital ecology of business and diversification of access networks and devices, have promoted more enterprises to establish a new security system that can adapt to the cloud era by deploying zero trust architecture.
At present, the normalization of remote office and mobile office under the multi cloud mixed mode makes network attackers start to target identity and access management functions to achieve long-term latency, which also makes the identity centered network security mechanism gradually attract attention.
Therefore, more organizations will adopt the zero trust security model in the future. The report said that zero trust is evolving from the initial prototype concept to the mainstream security technology architecture, from the initial differential segment of the network control plane to the full scene of access control and network protection covering the cloud side. The rise of zero trust can not be simply seen as the expansion of a certain technology and product, but a change in the inherent security idea, which is its core value point.
However, the development of zero trust security is not plain sailing. The report pointed out that although there have been examples of the application of zero trust from governments to enterprises, many people are still deterred by various pits and layout difficulties in the implementation process of zero trust.
In general, zero trust has some local applications according to different demand scenarios, but it has not been integrated as a whole, and the application in some scenarios is also very difficult.
At the same time, in the process of the sudden increase of zero trust, the industry also presents the characteristics of “mixed fish and Dragons”. Based on the welcome of customers to new concepts and new trends, a large number of security service providers adopt the means of “new bottled old wine” to re package and sell some old products with the concept of zero trust. In fact, they do not provide the industry with incremental service value and product technology innovation.
Therefore, the report believes that in 2022, the product exploration based on the idea of zero trust will pay more attention to practical results based on the needs of customers and obtain the market with the goal of solving practical demands. At the same time, the industry will jointly oppose the generalization, abuse and conceptualization of zero trust.