Evolution of Access Control Technology to Fulfill Zero Trust Security
Traditional IT security models have been thoroughly vigilant against outsiders while placing relatively high trust in insiders. That gap has been exploited by outsiders who steal an insider's account and by insiders who maliciously leak corporate information, threatening companies. For this reason, the zero-trust security model, which aims to verify everything thoroughly without distinguishing outside from inside, is drawing attention.
‘Zero Trust’ security model
A zero-trust security model, also known as borderless (perimeterless) security, describes an approach to the design and implementation of IT systems. The name combines 'zero' and 'trust': its basic premise is that nothing and no one is trusted by default.
The zero-trust security model was first mentioned in a report by IT market research firm Forrester Research in 2010, and many overseas companies paid attention to it, but in Korea telecommuting was uncommon and work remained tied to the office environment. After the spread of Covid-19, however, many Korean companies also moved to telework, leaving behind the office where people and devices had been security strongholds and expanding cloud-based work environments that allow access from anywhere, both inside and outside. As a result, they are rushing to introduce a 'zero trust' security model that requires a thorough identity verification process.
The principles of zero trust are: verify explicitly, grant least-privilege access, and manage policy centrally. In other words, from access and control through to security policy, every user object is treated as suspect and validated, regardless of whether it is internal or external. Existing access control technologies only define control over the network environment and server access rights under a security policy; typically, access rights to target equipment are separated by IP address, protocol and port, and account. In this model, control and auditing are difficult once server access has been obtained, and a further problem arises when different users share the same account. Security holes can also be widened by administrator mistakes, such as granting overly permissive DAC (Discretionary Access Control) privileges, and most access control auditing solutions only record a history of the commands used, so tracing the cause of an incident takes too long and response is slow. As such, this approach does not fit the zero-trust model, which requires every action by everyone to be suspected and verified.
User object-based access control technology through server hooking
One access control technology that conforms to the zero-trust strategy is user-object-based access control through server hooking. This technology goes beyond controlling server access to controlling permissions on files and directories within the server. It uses Linux Security Module (LSM) hooking to intercept control immediately before a command executes and determine whether the requesting process and the requested object have the necessary rights. Because this check sits deeper than the commonly used system call hooking, more fine-grained control is possible. In other words, previously a user who logged in to the server could use every permission allowed under DAC; this technology allows specific actions within those DAC permissions to be controlled.
In particular, the security rules are designed to separate authentication from authorization, rather than granting permissions on every request, so that the level of access can be specified differently for each authenticated user. Furthermore, this design applies at the level of files and directories within the server, allowing access based on each user's authentication and authorization status. It is a structure in which privileges are acquired according to the user's authentication level, which reduces the administrator's burden and fits well with cloud-based open network environments. Users who share the same account can thus be given separate access to files and directories, and because access is verified at the kernel level, zero-trust security is enforced even when there is a mistake in DAC, the operating system's default file and directory access check. In Korea, NETAND, an integrated access and account management development company, recently obtained a patent for the technology.
Security technologies developed under the traditional perimeter security model have recently evolved alongside changes in IT technology and environments. In particular, the existing 'trust the inside' network security model, which allows all access and tasks for insiders who have passed normal authentication, is no longer suitable. Access control by user object with server hooking technology is more useful because it fits the zero-trust security model beyond the limitations of existing access control technology.
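The two-layer mediation described above, as an added illustration that is not NETAND's code or a real LSM: a user-space Python model in which two people share one OS account, the DAC mode bits are evaluated first, and a hook-style check keyed on the authenticated user object and its authentication level decides separately. The users, authentication levels, policy entries and paths are all constructed for the example.

```python
import stat
from dataclasses import dataclass

# Constructed policy: grants are attached to the authenticated user object,
# not to the shared OS account. "level" is the minimum authentication
# assurance level (e.g. 2 = password plus MFA) needed to use the grants.
POLICY = {
    "alice": {"level": 2, "allow": {("/srv/app/config", "read"),
                                    ("/srv/app/config", "write"),
                                    ("/srv/app/logs", "read")}},
    "bob":   {"level": 1, "allow": {("/srv/app/logs", "read")}},
}

@dataclass
class Session:
    user: str        # identity established at authentication time
    account: str     # shared OS account the session actually runs under
    auth_level: int  # assurance level reached during authentication

def dac_allows(mode: int, op: str) -> bool:
    """Simplified DAC: the shared account owns the file, so owner bits apply."""
    bit = stat.S_IRUSR if op == "read" else stat.S_IWUSR
    return bool(mode & bit)

def hook_allows(session: Session, path: str, op: str) -> bool:
    """Hook-style check run after DAC, keyed on the authenticated user object.
    A grant on a directory covers everything beneath it."""
    entry = POLICY.get(session.user)
    if entry is None or session.auth_level < entry["level"]:
        return False  # unknown user, or authenticated too weakly for these grants
    return any(path == p or path.startswith(p + "/")
               for p, o in entry["allow"] if o == op)

def decide(session: Session, path: str, mode: int, op: str) -> dict:
    """Access is allowed only if both DAC and the user-object hook agree."""
    dac, hook = dac_allows(mode, op), hook_allows(session, path, op)
    return {"dac": dac, "hook": hook, "allowed": dac and hook}

if __name__ == "__main__":
    cfg = "/srv/app/config/db.yaml"
    # Administrator mistake: config left world-writable (0666). DAC passes for
    # both sessions, but only alice's user object is authorized to write it.
    print(decide(Session("alice", "svc", 2), cfg, 0o666, "write"))
    print(decide(Session("bob", "svc", 2), cfg, 0o666, "write"))
    # alice authenticated without MFA: the same grants are withheld.
    print(decide(Session("alice", "svc", 1), cfg, 0o600, "write"))
```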
[Source: Boan News https://www.boannews.com/media/view.asp?idx=97851]