零信任安全:Zero Trust Architecture
零信任安全:Zero Trust Architecture
什么是零信任
零信任是一种安全模型,核心原则是"永不信任,始终验证"。它假设网络内外都存在威胁,每次访问请求都必须经过验证,无论请求来自何处。
零信任原则
零信任核心原则:
├── 永不信任: 不默认信任任何实体
├── 始终验证: 每次访问都进行验证
├── 最小权限: 只授予必要的访问权限
├── 微分段: 网络细分以限制攻击面
└── 持续监控: 实时监控和分析行为
身份认证
OAuth2/OIDC配置
# identity-provider.yaml
identity_provider:
issuer: "https://auth.example.com"
authorization_endpoint: "https://auth.example.com/authorize"
token_endpoint: "https://auth.example.com/token"
userinfo_endpoint: "https://auth.example.com/userinfo"
# MFA配置
mfa:
enabled: true
methods:
- totp
- sms
- email
# 条件访问
conditional_access:
- name: "高风险操作需要MFA"
conditions:
- action: "delete"
- action: "update_production"
require: "mfa"
服务认证配置
# service-auth.yaml
services:
api-gateway:
auth_type: "oauth2"
client_id: "api-gateway"
scopes:
- "read"
- "write"
token_endpoint: "https://auth.example.com/token"
backend-service:
auth_type: "mtls"
certificate:
ca: "/etc/certs/ca.crt"
cert: "/etc/certs/service.crt"
key: "/etc/certs/service.key"
微分段
网络策略
# kubernetes-network-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: api-network-policy
namespace: production
spec:
podSelector:
matchLabels:
app: api-server
policyTypes:
- Ingress
- Egress
ingress:
- from:
- namespaceSelector:
matchLabels:
name: ingress-nginx
- podSelector:
matchLabels:
app: web-frontend
ports:
- protocol: TCP
port: 8080
egress:
- to:
- podSelector:
matchLabels:
app: database
ports:
- protocol: TCP
port: 5432
服务网格配置
# istio-authorization-policy.yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: api-authz
namespace: production
spec:
selector:
matchLabels:
app: api-server
action: ALLOW
rules:
- from:
- source:
principals: ["cluster.local/ns/production/sa/web-frontend"]
to:
- operation:
methods: ["GET", "POST"]
paths: ["/api/*"]
- from:
- source:
principals: ["cluster.local/ns/production/sa/admin"]
to:
- operation:
methods: ["DELETE"]
paths: ["/api/*"]
设备信任
设备注册
#!/bin/bash
# device-registration.sh
DEVICE_ID=$1
DEVICE_NAME=$2
# 生成设备证书
openssl req -new -newkey rsa:2048 -nodes \
-keyout /etc/certs/devices/$DEVICE_ID.key \
-out /etc/certs/devices/$DEVICE_ID.csr \
-subj "/CN=$DEVICE_NAME"
# 签发证书
openssl x509 -req -days 365 \
-in /etc/certs/devices/$DEVICE_ID.csr \
-CA /etc/certs/ca.crt \
-CAkey /etc/certs/ca.key \
-CAcreateserial \
-out /etc/certs/devices/$DEVICE_ID.crt
# 注册设备
curl -X POST https://mdm.example.com/api/devices \
-H "Authorization: Bearer $TOKEN" \
-d "{
\"device_id\": \"$DEVICE_ID\",
\"device_name\": \"$DEVICE_NAME\",
\"certificate\": \"$(cat /etc/certs/devices/$DEVICE_ID.crt)\"
}"
访问代理
Pomerium配置
# pomerium.yaml
address: ":443"
grpc_address: ":443"
authenticate_service_url: "https://authenticate.example.com"
authorize_service_url: "https://authorize.example.com"
databroker_service_url: "https://databroker.example.com"
certificate: "/etc/pomerium/cert.pem"
certificate_key: "/etc/pomerium/key.pem"
idp_provider: "oidc"
idp_provider_url: "https://auth.example.com"
idp_client_id: "pomerium"
idp_client_secret: "secret"
policy:
- from: https://app.example.com
to: http://web-server:8080
allowed_idp_email:
- admin@example.com
- from: https://api.example.com
to: http://api-server:3000
allowed_groups:
- developers
零信任代理
# zero-trust-proxy.yaml
proxy:
upstream:
timeout: "30s"
retries: 3
authentication:
method: "oidc"
provider: "https://auth.example.com"
redirect_url: "https://proxy.example.com/callback"
authorization:
rules:
- path: "/admin/*"
require:
role: "admin"
mfa: true
- path: "/api/*"
require:
group: "developers"
- path: "/*"
require:
authenticated: true
数据保护
加密配置
# encryption-policy.yaml
encryption:
at_rest:
algorithm: "AES-256-GCM"
key_management: "aws-kms"
key_rotation: "90d"
in_transit:
min_tls_version: "1.2"
cipher_suites:
- "TLS_AES_256_GCM_SHA384"
- "TLS_CHACHA20_POLY1305_SHA256"
certificate_auto_renewal: true
application:
field_encryption:
enabled: true
fields:
- "email"
- "phone"
- "ssn"
- "credit_card"
监控和审计
安全事件日志
# security-audit.yaml
audit:
enabled: true
events:
- authentication
- authorization
- data_access
- configuration_change
log_format: "json"
log_destination: "siem"
retention:
hot: "30d"
warm: "90d"
cold: "1y"
异常检测
# anomaly-detection.yaml
detection:
rules:
- name: "异常登录"
condition: "failed_logins > 5 in 5m"
action: "block_account"
notify: true
- name: "异常访问模式"
condition: "access_from_new_location AND sensitive_resource"
action: "require_mfa"
notify: true
- name: "数据外泄"
condition: "large_data_download > 1GB"
action: "block_and_alert"
实施路线图
# zero-trust-roadmap.yaml
roadmap:
phase_1:
name: "身份基础"
duration: "3个月"
tasks:
- "实施SSO和MFA"
- "建立身份目录"
- "设备注册系统"
phase_2:
name: "网络微分段"
duration: "3个月"
tasks:
- "部署服务网格"
- "实施网络策略"
- "流量加密"
phase_3:
name: "数据保护"
duration: "3个月"
tasks:
- "数据分类"
- "加密策略"
- "DLP实施"
phase_4:
name: "持续监控"
duration: "3个月"
tasks:
- "SIEM集成"
- "异常检测"
- "自动化响应"
最佳实践
- 渐进实施: 从关键系统开始,逐步扩展
- 用户培训: 培训用户适应新的安全流程
- 持续评估: 定期评估零信任实施效果
- 自动化: 尽可能自动化安全策略执行
- 事件响应: 制定零信任环境下的事件响应流程