Description
Zero Trust is the concept of not implicitly granting trust to any entity. In
a rapidly growing technology landscape, the legacy concept of implicit
trust is no longer state of the art. Perimeter-based network security
trusts all entities behind a perimeter. Insider threats and Advanced
Persistent Threats (APTs) exploit these implicit trust zones and stay
undetected. A Zero Trust Architecture (ZTA) allows enterprises to move
from a perimeter-based approach to Zero Trust. Enterprises that choose the
Cloud as a future deployment location put their security posture to the
test: security challenges arise in cloud computing, where resources and
network architectures can be deployed dynamically. In general, cloud
standards benchmark the security status of cloud architectures, and
audits verify the implemented security measures. The question arises
whether cloud standards support the Zero Trust concept. A methodology is
presented to analyze standards according to their Zero Trust maturity.
These findings are incorporated into a framework that takes a novel
approach by attempting to quantify Zero Trust in the Cloud. Metrics are
presented that measure Zero Trust concepts and can be used by
implementations to test the Zero Trust maturity of Cloud Service Providers
(CSPs). A tool that evaluates Zero Trust is developed; it takes a sample
of the proposed framework controls and implements the underlying metric
calculation.