Op werkdagen voor 23:00 besteld, morgen in huis Gratis verzending vanaf €20

Zero Trust Networks

Building Secure Systems in Untrusted Networks

Paperback Engels 2017 9781491962190
Verwachte levertijd ongeveer 8 werkdagen


The perimeter defenses guarding your network perhaps are not as secure as you think. Hosts behind the firewall have no defenses of their own, so when a host in the "trusted" zone is breached, access to your data center is not far behind. That’s an all-too-familiar scenario today. With this practical book, you’ll learn the principles behind zero trust architecture, along with details necessary to implement it.

The Zero Trust Model treats all hosts as if they’re internet-facing, and considers the entire network to be compromised and hostile. By taking this approach, you’ll focus on building strong authentication, authorization, and encryption throughout, while providing compartmentalized access and better operational agility.

- Understand how perimeter-based defenses have evolved to become the broken model we use today
- Explore two case studies of zero trust in production networks on the client side (Google) and on the server side (PagerDuty)
- Get example configuration for open source tools that you can use to build a zero trust network
- Learn how to migrate from a perimeter-based network to a zero trust network in production


Aantal pagina's:223
Hoofdrubriek:IT-management / ICT


Wees de eerste die een lezersrecensie schrijft!


Who Should Read This Book
Why We Wrote This Book
Zero Trust Networks Today
Navigating This Book
Conventions Used in This Book
O’Reilly Safari
How to Contact Us

1. Zero Trust Fundamentals
What Is a Zero Trust Network?
Introducing the Zero Trust Control Plane
Evolution of the Perimeter Model
Managing the Global IP Address Space
Birth of Private IP Address Space
Private Networks Connect to Public Networks
Birth of NAT
The Contemporary Perimeter Model
Evolution of the Threat Landscape
Perimeter Shortcomings
Where the Trust Lies
Automation as an Enabler
Perimeter Versus Zero Trust
Applied in the Cloud

2. Managing Trust
Threat Models
Common Threat Models
Zero Trust’s Threat Model
Strong Authentication
Authenticating Trust
What Is a Certificate Authority?
Importance of PKI in Zero Trust
Private Versus Public PKI
Public PKI Strictly Better Than None
Least Privilege
Variable Trust
Control Plane Versus Data Plane

3. Network Agents
What Is an Agent?
Agent Volatility
What’s in an Agent?
How Is an Agent Used?
Not for Authentication
How to Expose an Agent?
No Standard Exists
Rigidity and Fluidity, at the Same Time
Standardization Desirable
In the Meantime?

4. Making Authorization Decisions
Authorization Architecture
Policy Engine
Policy Storage
What Makes Good Policy?
Who Defines Policy?
Trust Engine
What Entities Are Scored?
Exposing Scores Considered Risky
Data Stores

5. Trusting Devices
Bootstrapping Trust
Generating and Securing Identity
Identity Security in Static and Dynamic Systems
Authenticating Devices with the Control Plane
Hardware-Based Zero Trust Supplicant?
Inventory Management
Knowing What to Expect
Secure Introduction
Renewing Device Trust
Local Measurement
Remote Measurement
Software Configuration Management
CM-Based Inventory
Secure Source of Truth
Using Device Data for User Authorization
Trust Signals
Time Since Image
Historical Access
Network Communication Patterns

6. Trusting Users
Identity Authority
Bootstrapping Identity in a Private System
Government-Issued Identification
Nothing Beats Meatspace
Expectations and Stars
Storing Identity
User Directories
Directory Maintenance
When to Authenticate Identity
Authenticating for Trust
Trust as the Authentication Driver
The Use of Multiple Channels
Caching Identity and Trust
How to Authenticate Identity
Something You Know: Passwords
Something You Have: TOTP
Something You Have: Certificates
Something You Have: Security Tokens
Something You Are: Biometrics
Out-of-Band Authentication
Single Sign On
Moving Toward a Local Auth Solution
Authenticating and Authorizing a Group
Shamir’s Secret Sharing
Red October
See Something, Say Something
Trust Signals

7. Trusting Applications
Understanding the Application Pipeline
Trusting Source
Securing the Repository
Authentic Code and the Audit Trail
Code Reviews
Trusting Builds
The Risk
Trusted Input, Trusted Output
Reproducible Builds
Decoupling Release and Artifact Versions
Trusting Distribution
Promoting an Artifact
Distribution Security
Integrity and Authenticity
Trusting a Distribution Network
Humans in the Loop
Trusting an Instance
Upgrade-Only Policy
Authorized Instances
Runtime Security
Secure Coding Practices
Active Monitoring

8. Trusting the Traffic
Encryption Versus Authentication
Authenticity Without Encryption?
Bootstrapping Trust: The First Packet
A Brief Introduction to Network Models
Network Layers, Visually
OSI Network Model
TCP/IP Network Model
Where Should Zero Trust Be in the Network Model?
Client and Server Split
The Protocols
Mutually Authenticated TLS
Host Filtering
Bookended Filtering
Intermediary Filtering

9. Realizing a Zero Trust Network
Choosing Scope
What’s Actually Required?
Building a System Diagram
Understanding Your Flows
Controller-Less Architecture
“Cheating” with Configuration Management
Application Authentication and Authorization
Authenticating Load Balancers and Proxies
Relationship-Oriented Policy
Policy Distribution
Defining and Installing Policy
Zero Trust Proxies
Client-Side Versus Server-Side Migrations
Case Studies
Case Study: Google BeyondCorp
The Major Components of BeyondCorp
Leveraging and Extending the GFE
Challenges with Multiplatform Authentication
Migrating to BeyondCorp
Lessons Learned
Case Study: PagerDuty’s Cloud Agnostic Network
Configuration Management as an Automation Platform
Dynamically Calculated Local Firewalls
Distributed Traffic Encryption
Decentralized User Management
Value of a Provider-Agnostic System

10. The Adversarial View
Identity Theft
Distributed Denial of Service
Endpoint Enumeration
Untrusted Computing Platform
Social Engineering
Physical Coercion
Control Plane Security


Managementboek Top 100


Populaire producten



        Zero Trust Networks