
Zero Trust Networks, 1st Edition

Book Description

With Early Release ebooks, you get books in their earliest form—the author's raw and unedited content as he or she writes—so you can take advantage of these technologies long before the official release of these titles. You'll also receive updates when significant changes are made, new chapters are available, and the final ebook bundle is released.

The perimeter defenses guarding your network may not be as secure as you think. Hosts behind the firewall have no defenses of their own, so when a host in the "trusted" zone is breached, access to your data center is not far behind. That’s an all-too-familiar scenario today. With this practical book, you’ll learn the principles behind zero trust architecture, along with the details necessary to implement it.

The Zero Trust Model treats all hosts as if they’re internet-facing, and considers the entire network to be compromised and hostile. By taking this approach, you’ll focus on building strong authentication, authorization, and encryption throughout, while providing compartmentalized access and better operational agility.

  • Understand how perimeter-based defenses have evolved to become the broken model we use today
  • Explore two case studies of zero trust in production networks on the client side (Google) and on the server side (PagerDuty)
  • Get example configuration for open source tools that you can use to build a zero trust network
  • Learn how to migrate from a perimeter-based network to a zero trust network in production

Table of Contents

  1. Zero Trust Fundamentals
    1. What Is a Zero Trust Network?
    2. Evolution of the Perimeter Model
      1. Managing the Global IP Address Space
      2. Birth of Private IP Address Space
      3. Private Networks Connect to Public Networks
      4. Birth of NAT
      5. The Contemporary Perimeter Model
    3. Evolution of the Threat Landscape
    4. Perimeter Shortcomings
    5. Where the Trust Lies
    6. Automation as an Enabler
    7. Perimeter vs. Zero Trust
    8. Applied in the Cloud
    9. Summary
  2. Managing Trust
    1. Threat Models
      1. Common Threat Models
      2. Zero Trust’s Threat Model
    2. Strong Authentication
    3. Authenticating Trust
      1. What Is a Certificate Authority?
      2. Importance of PKI in Zero Trust
      3. Private vs. Public PKI
      4. Public PKI Strictly Better than None
    4. Least Privilege
    5. Variable Trust
    6. Control Plane vs. Data Plane
    7. Summary
  3. Network Agents
    1. What Is an Agent?
      1. Agent Volatility
      2. What’s in an Agent?
    2. How Is an Agent Used?
      1. For Policy
      2. Not for Authentication
    3. How to Expose an Agent?
    4. No Standard Exists
      1. Rigidity and Fluidity, at the Same Time
      2. Standardization Desirable
      3. In the Meantime?
    5. Summary
  4. Making Authorization Decisions
    1. Authorization Architecture
    2. Enforcement
    3. Policy Engine
      1. Policy Storage
      2. What Makes Good Policy?
      3. Who Defines Policy?
    4. Trust Engine
      1. What Entities Are Scored?
      2. Exposing Scores Considered Risky
    5. Data Stores
    6. Summary
  5. Trusting Devices
    1. Bootstrapping Trust
      1. Generating and Securing Identity
      2. Identity Security in Static and Dynamic Systems
    2. Authenticating Devices with the Control Plane
      1. X.509
      2. TPMs
      3. Hardware-Based Zero Trust Supplicant?
    3. Inventory Management
      1. Knowing What to Expect
      2. Secure Introduction
    4. Renewing Device Trust
      1. Local Measurement
      2. Remote Measurement
    5. Software Configuration Management
      1. CM-Based Inventory
      2. Secure Source of Truth
    6. Using Device Data for User Authorization
    7. Trust Signals
      1. Time Since Image
      2. Historical Access
      3. Location
      4. Network Communication Patterns
    8. Summary
  6. Trusting Users
    1. Identity Authority
    2. Bootstrapping Identity in a Private System
      1. Government-Issued Identification
      2. Nothing Beats Meat Space
      3. Expectations and Stars
    3. Storing Identity
      1. User Directories
      2. Directory Maintenance
    4. When to Authenticate Identity
      1. Authenticating for Trust
      2. Trust as the Authentication Driver
      3. The Use of Multiple Channels
      4. Caching Identity and Trust
    5. How to Authenticate Identity
      1. Something You Know: Passwords
      2. Something You Have: TOTP
      3. Something You Have: Certificates
      4. Something You Have: Security Tokens
      5. Something You Are: Biometrics
      6. Out-of-Band Authentication
      7. Single Sign-On
      8. Moving Towards a Local Auth Solution
    6. Authenticating and Authorizing a Group
      1. Shamir’s Secret Sharing
      2. Red October
    7. See Something, Say Something
    8. Trust Signals
    9. Summary
  7. Trusting Applications
    1. Understanding the Application Pipeline
    2. Trusting Source
      1. Securing the Repository
      2. Authentic Code and the Audit Trail
      3. Code Reviews
    3. Trusting Builds
      1. The Risk
      2. Trusted Input, Trusted Output
      3. Reproducible Builds
      4. Decoupling Release and Artifact Versions
    4. Trusting Distribution
      1. Promoting an Artifact
      2. Distribution Security
      3. Integrity and Authenticity
      4. Trusting a Distribution Network
    5. Humans in the Loop
    6. Trusting an Instance
      1. Upgrade-Only Policy
      2. Authorized Instances
    7. Runtime Security
      1. Secure Coding Practices
      2. Isolation
      3. Active Monitoring
    8. Summary