Notes from _Zero Trust Networks_, part 2
• Mark Eschbach
It was a nice three-day weekend. I found some more time to continue with ZTN.
Trust Delegation (Ch 2)
The authors advocate a private X.509 infrastructure as the basis of an authentication framework that covers both users and devices. On top of that, the system builds the authorization side of the equation with a policy framework that takes into account the requesting device, the user, and the requested operation. Network Agents are the interface into the authorization control plane and may end up controlling network rules, firewalls, and applications.
Network Agents (Ch 3)
Network Agents should weigh multiple factors when judging a specific request, ranging from attributes of the device to the specific action the user is asking for. They are expected to trust normal operations while requesting additional verification for abnormal requests, or denying them outright. This chapter has a very low page count.
Authorization (Ch 4)
The ZTN system defines four components in the authorization framework. Enforcement is done by the Network Agents. These collaborate with a policy engine, which decides how to proceed by pulling data from a trust engine and the current system state. The policies applied by the engine determine what risk level is acceptable for a given operation. The trust engine determines, from the historical record, whether the operation is one the user would plausibly intend to execute.
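As an added worked example (mine, not the book's and not the author's): a toy model in Python of the flow described in chapters 3 and 4. The agent attributes, score weights, policy thresholds, and history entries are all invented for illustration. The trust engine scores a request from device posture plus the user's history, the policy engine compares that score against the policy for the operation, and the enforcement point acts on the decision: allow, ask for additional verification, or deny.

```python
"""Toy ZTN authorization flow: trust engine -> policy engine -> enforcement.
Added example; every weight, threshold and record below is constructed."""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # grant only after additional verification (e.g. a second factor)
    DENY = "deny"


@dataclass(frozen=True)
class Agent:
    """Network agent: the user/device pair making a request (hypothetical attributes)."""
    user: str
    device_id: str
    device_managed: bool   # device presented a certificate from the private X.509 PKI
    source_ip: str


@dataclass(frozen=True)
class Policy:
    min_trust: int         # score needed for an outright allow (0..100)
    step_up_margin: int    # scores this far below min_trust get a step-up challenge instead
    managed_only: bool     # hard rule: unmanaged devices are denied regardless of score


# Policy store, constructed for this example.
POLICIES: Dict[str, Policy] = {
    "ssh:prod-db": Policy(min_trust=90, step_up_margin=20, managed_only=True),
    "http:wiki":   Policy(min_trust=40, step_up_margin=20, managed_only=False),
}

# Historical record / system state: (user, device_id, source_ip, operation), constructed.
HISTORY: List[Tuple[str, str, str, str]] = [
    ("alice", "laptop-01", "10.1.2.3", "ssh:prod-db"),
    ("alice", "laptop-01", "10.1.2.7", "ssh:prod-db"),
    ("bob",   "laptop-02", "10.1.5.9", "http:wiki"),
]


def same_subnet(known_ip: str, new_ip: str) -> bool:
    """Treat two addresses as 'the same network' if they share a /24 (arbitrary choice)."""
    net = ipaddress.ip_network(f"{known_ip}/24", strict=False)
    return ipaddress.ip_address(new_ip) in net


def trust_score(agent: Agent, operation: str, history=HISTORY) -> int:
    """Trust engine: derive a 0..100 score from device posture and the user's past behaviour."""
    mine = [h for h in history if h[0] == agent.user]
    score = 0
    if agent.device_managed:
        score += 40                                   # device identity anchored in the PKI
    if any(h[1] == agent.device_id for h in mine):
        score += 30                                   # user has used this device before
    if any(same_subnet(h[2], agent.source_ip) for h in mine):
        score += 20                                   # user has come from this network before
    if any(h[3] == operation for h in mine):
        score += 10                                   # user has performed this operation before
    return score


def policy_decision(agent: Agent, operation: str, score: int) -> Decision:
    """Policy engine: compare the trust score against the policy for this operation."""
    policy = POLICIES.get(operation)
    if policy is None:
        return Decision.DENY                          # default deny for unknown operations
    if policy.managed_only and not agent.device_managed:
        return Decision.DENY                          # hard rule wins over any score
    if score >= policy.min_trust:
        return Decision.ALLOW
    if score >= policy.min_trust - policy.step_up_margin:
        return Decision.STEP_UP                       # abnormal but not hopeless: verify more
    return Decision.DENY


def enforce(agent: Agent, operation: str) -> Decision:
    """Enforcement point: consult the trust and policy engines, then act on the answer."""
    return policy_decision(agent, operation, trust_score(agent, operation))


if __name__ == "__main__":
    # Known user, known managed laptop, known network, known operation.
    print(enforce(Agent("alice", "laptop-01", True, "10.1.2.50"), "ssh:prod-db"))    # ALLOW
    # Same user and laptop, but from a network never seen before: step up, don't deny.
    print(enforce(Agent("alice", "laptop-01", True, "203.0.113.5"), "ssh:prod-db"))  # STEP_UP
    # Unmanaged phone asking for the production database: hard rule, deny.
    print(enforce(Agent("alice", "phone-01", False, "10.1.2.50"), "ssh:prod-db"))    # DENY
```

The point the toy makes is the split of responsibilities: the trust engine only knows history and posture, the policy engine only knows what each operation requires, and the enforcement point only knows how to act on a decision, which is what lets each piece be replaced or tuned independently.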