
2020-02-26  curiousfish

SDP: The most Advanced Zero Trust Architecture
https://cloudsecurityalliance.org/artifacts/sdp-the-most-advanced-zero-trust-architecture/

What is Zero Trust

Allowing access to the network changes with “Zero Trust”; as the name implies, users aren’t allowed access to anything until they authenticate who they are.

A network security architecture that withholds access until a user, device or even an individual packet has been thoroughly inspected and authenticated.

Specifically, only the least amount of necessary access is granted.

Continuous monitoring of suspicious user activity.

Why Zero Trust

Changing perimeter - a fixed network perimeter is problematic for mobile devices.

IP address conundrum - IP addresses simply provide connectivity; they carry no user context and are inherently open to compromise. Changes to IP addresses can mean extensive reconfiguration, with errors creeping into network security groups and network access control lists.

Implementing integrated controls can be a challenge. An SDP deployment can offer a single point for network layer firewall configuration.

What Zero Trust Addresses

- Access control vulnerabilities - access control mechanisms built on current authentication and authorization protocols have weaknesses that are being exploited or bypassed.

- Endpoint monitoring weaknesses - vulnerabilities at the network layer, prior to transport and application protocols and endpoint protection measures.

- Network packet inspection limitations - packet analysis happens at the application layer, so incursions can happen prior to detection.

Implementing Zero Trust

Requires authentication before access
- implicitly requires separate control and data planes
- immediate authentication

Requires ability to limit network connectivity and exposure
- drop network connections if authentication fails.

Requires granular trust mechanism
- unlike VPNs that do not have fine-grained access control
- implicitly requires authorization as well as authentication and access

Requires monitoring for suspicious activity
- implicitly requires instant knowledge of connectivity and use of services


How SDP Implements Zero Trust

Hide assets
- the gateway rejects all access until the user/device has been verified

Single Packet Authorization
- enables integrated authentication control and authorization

Authenticate before access
- implements separate control and data channels
- verification takes place before the TLS/TCP handshake
- fine-grained access control is implicit in this design
- mutually encrypted communication is enforced
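The gateway behaviour described in the two lists above (drop the connection unless authentication succeeds, authorize per service rather than per network, keep an instant record of every decision, and the SPA-style "verify a single packet before any handshake" rule) as an added Python sketch. This is an illustration written for these notes, not code from the CSA SDP specification or its reference implementation; the packet layout, the pre-shared device keys, the policy table, the 30-second clock-skew window and the 60-second flow lifetime are all assumptions made for the example.

```python
"""Toy single-packet-authorization (SPA) gateway in the SDP style.

Added illustration, not code from the CSA SDP specification or any
reference implementation. Packet layout, key material and policy below
are assumptions made for this example.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import struct
import time

# Constructed pre-shared device keys (assumed: real SDP controllers onboard
# devices out of band; never hard-code keys in production).
DEVICE_KEYS = {
    b"laptop-42": bytes.fromhex("00112233445566778899aabbccddeeff"),
}
# Granular authorization: which services each identity may reach (assumed policy).
POLICY = {b"laptop-42": {"git.internal:22", "wiki.internal:443"}}
MAX_SKEW = 30        # seconds a packet timestamp may deviate from the gateway clock
FLOW_TTL = 60        # seconds a verified source stays allowed to start a connection
NONCE_LEN = 16
MAC_LEN = 32         # SHA-256 HMAC


def build_spa(device_id: bytes, key: bytes, now: float | None = None) -> bytes:
    """Client side: len || id || 8-byte timestamp || nonce || HMAC over the preceding bytes."""
    ts = struct.pack("!Q", int(now if now is not None else time.time()))
    nonce = os.urandom(NONCE_LEN)
    body = struct.pack("!B", len(device_id)) + device_id + ts + nonce
    return body + hmac.new(key, body, hashlib.sha256).digest()


class SpaGateway:
    """Gateway side: default deny. Nothing is opened until a packet verifies."""

    def __init__(self) -> None:
        self.seen_nonces: set[bytes] = set()            # replay cache
        self.open_flows: dict[tuple, float] = {}        # (src, device_id) -> expiry
        self.log: list[str] = []                        # every decision is recorded

    def verify(self, src: str, pkt: bytes, now: float | None = None) -> bool:
        """Control plane: decide from one packet whether src may start a connection."""
        now = now if now is not None else time.time()
        try:
            n = pkt[0]
            device_id = pkt[1:1 + n]
            ts_raw = pkt[1 + n:9 + n]
            nonce = pkt[9 + n:9 + n + NONCE_LEN]
            mac = pkt[9 + n + NONCE_LEN:]
            body = pkt[:9 + n + NONCE_LEN]
            if len(device_id) != n or len(ts_raw) != 8 or len(nonce) != NONCE_LEN or len(mac) != MAC_LEN:
                raise ValueError("truncated packet")
        except (IndexError, ValueError) as exc:
            self.log.append(f"DROP src={src} reason=malformed ({exc})")
            return False
        key = DEVICE_KEYS.get(device_id)
        if key is None:
            # Unknown identity: drop silently so the gateway stays dark to scanners.
            self.log.append(f"DROP src={src} reason=unknown-device")
            return False
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):   # constant-time comparison
            self.log.append(f"DROP src={src} device={device_id.decode()} reason=bad-mac")
            return False
        (ts,) = struct.unpack("!Q", ts_raw)
        if abs(now - ts) > MAX_SKEW:
            self.log.append(f"DROP src={src} device={device_id.decode()} reason=stale")
            return False
        if nonce in self.seen_nonces:
            self.log.append(f"DROP src={src} device={device_id.decode()} reason=replay")
            return False
        self.seen_nonces.add(nonce)
        self.open_flows[(src, device_id)] = now + FLOW_TTL
        self.log.append(f"ALLOW src={src} device={device_id.decode()}")
        return True

    def may_connect(self, src: str, device_id: bytes, service: str, now: float | None = None) -> bool:
        """Data plane: the flow must be open *and* the identity authorized for that service."""
        now = now if now is not None else time.time()
        expiry = self.open_flows.get((src, device_id))
        if expiry is None or expiry < now:
            return False
        return service in POLICY.get(device_id, set())


if __name__ == "__main__":
    gw = SpaGateway()
    pkt = build_spa(b"laptop-42", DEVICE_KEYS[b"laptop-42"])
    gw.verify("10.0.0.5", pkt)            # first use: allowed
    gw.verify("10.0.0.5", pkt)            # same packet again: replay, dropped
    print("\n".join(gw.log))
```

In a real SDP deployment the SPA packet arrives on a UDP port that never answers, and an ALLOW verdict programs a short-lived firewall rule for the source so the TCP/TLS handshake can proceed; `may_connect` stands in for that rule here. The nonce cache and flow table are single-process state in this sketch, which is why the replay check works only within one gateway instance.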

Benefits of SDP

Reduced attack surface
- stronger protection for cloud applications
- more centralized control for business/system owners
- visibility: knowledge of all authorized connections, by whom, from where and when
- immediate monitoring, because access control is integrated

Lower cost of ownership
- lower cost of endpoint prevention/detection
- lower cost of incident response
- lower complexity of integrating controls

Open specification
- reviewed by the community
- hackathons

SDP References

Cloud Security Alliance Initiatives

- SDP Architecture Guide: SDP Architecture version 2.0, published May 2019
- SDP as a DDoS Prevention Mechanism: SDP as a DDoS Defense Mechanism, published October 2019
- Next publication: Zero Trust paper - call to action
- Specification 2.0, January 2020 - in progress

Market Awareness and Adoption Overview

- Cloud Security Alliance, The State of SDP Survey: A Summary

Open Source Reference Implementation (funded by DHS)

- http://sdpcenter.com/test-sdp/
