| Trust pillar | Minimal Viable Security | Fully Implemented Security |
|---|---|---|
| User Equipment (device) | NAC with device posture/profiling at admission time. Dynamic authorisation based on posture checks. Unique device identifiers are part of the asset register and the Identity Provider (IdP). | Ongoing device profiling. Dynamic authorisation: granular access control is gated on the device risk profile. Endpoint threat detection and response (ETDR) solutions [50] are deployed and centrally managed. NAC and ETDR logs ship to Security Information and Event Management (SIEM). |
| User | Highly available, central user Identity and Access Management (IAM) covering authentication options, authorisation methods, and accounting. Users are authorised according to the principle of least privilege, with multiple authorisation profiles. MFA for all users. SSO where applicable. Access and access-change logging. Full integration with all ZTS enablers. Federated access. | MFA with passwordless authentication is enabled. User behaviour and location changes are incorporated into the authentication and authorisation decision. |
| Session | User-initiated sessions sit behind SSO. Central secret management solution for credentials, API keys, key pairs, and authentication passwords. Re-verify sessions at frequent predefined intervals and consider changes from other functional layers. All traffic (payload and signalling) is encrypted end to end. PAM controls the session lifecycle. | Secrets management is decentralised wherever possible, at the functional-layer level. Authentication and authorisation sessions do not persist. Once established, all sessions are continuously verified. Logging is enabled across the session lifecycle, including cipher configuration changes. Security monitoring use cases are developed. Network DLP is applied and DLP logs ship to SIEM. |
| Application | Application patching and hardening. Continuous application vulnerability scanning. Continuous application discovery on-prem and in the cloud using cloud access security broker (CASB) solutions [51]. Penetration testing on first release and on major changes. Initial static code review. Developer security training. | Application whitelisting. Automated code review. Web Application Firewall (WAF) [52]. |
| Data | Classify and label data. Govern access decisions by data classification. | Augment data classification with unsupervised machine learning models. Govern access decisions by a centralised MEC security policy engine (the "orchestrator"). Integrate the DLP solution with data classification. |
| Infrastructure | Workloads (servers and VMs) are initially hardened, uniquely identified, and security-baselined. Monitor workloads and raise alerts on abnormal behaviour or on drift from the security baseline. Build an interoperable "data centre" infrastructure (network, compute, and storage). Deploy ingress/egress cloud microperimeters, segmentation, and Just-In-Time IAM verification. Enable cloud-native filtering and protection against known threats. Encrypt user-to-application traffic. | Prevent unauthorised deployments and raise alerts on them. Granular access control and visibility across all compute workloads, the network, and block- and object-level storage. Deploy distributed, full-suite microsegmentation. Apply DLP to all infrastructure-type entities and ship DLP logs to SIEM for correlation and dynamic policy enforcement. Enable ML-based threat protection and filtering driven by context-based signals. Encrypt all traffic (payload and signalling) end to end. |
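As an added illustration (not code from the paper or any product it cites), the following minimal policy decision function combines the signals the table gates access on: a registered device identity, the device risk profile, MFA, the session re-verification interval, user location change, and data classification. The 15-minute interval and the risk-to-classification mapping are assumptions chosen for the example.

```python
"""Toy Zero Trust policy decision point for the trust pillars in the table.
Added example with assumed thresholds; not the paper's own orchestrator."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # re-authenticate / re-verify before proceeding
    DENY = "deny"


@dataclass
class AccessRequest:
    device_known: bool      # unique device id present in asset register / IdP
    device_risk: str        # "low" | "medium" | "high" from ongoing profiling
    mfa_verified: bool      # MFA completed for this user
    session_age_s: int      # seconds since the session was last verified
    data_class: str         # "public" | "internal" | "confidential"
    location_changed: bool  # user location differs from last verified context


REVERIFY_INTERVAL_S = 900  # assumed: sessions re-verified at least every 15 min
# Assumed mapping: highest device risk tolerated for each data classification.
MAX_RISK_FOR_CLASS = {"public": "high", "internal": "medium", "confidential": "low"}
RISK_RANK = {"low": 0, "medium": 1, "high": 2}


def decide(req: AccessRequest) -> Decision:
    # Admission requires a device that is registered in the asset register/IdP.
    if not req.device_known:
        return Decision.DENY
    # Fail closed on unknown classification or risk labels.
    max_risk = MAX_RISK_FOR_CLASS.get(req.data_class)
    if max_risk is None:
        return Decision.DENY
    risk = RISK_RANK.get(req.device_risk, RISK_RANK["high"])
    # The device risk profile gates access per data classification.
    if risk > RISK_RANK[max_risk]:
        return Decision.DENY
    # MFA is mandatory for every user; a missing factor triggers step-up.
    if not req.mfa_verified:
        return Decision.STEP_UP
    # Sessions do not persist: stale sessions or a changed context are re-verified.
    if req.session_age_s > REVERIFY_INTERVAL_S or req.location_changed:
        return Decision.STEP_UP
    return Decision.ALLOW
```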