NIST Special Publication 800-207: Zero Trust Architecture (Japanese translation of ゼロトラスト・アーキテクチャ)
NIST Special Publication 800-207
Scott Rose Oliver Borchert
Stu Mitchell Sean Connelly
https://doi.org/10.6028/NIST.SP.800-207
COMPUTER SECURITY
PwC
NIST Special Publication 800-207
Zero Trust Architecture

Scott Rose, Oliver Borchert
Advanced Network Technologies Division, Information Technology Laboratory

Stu Mitchell
Stu2Labs, Stafford, VA

Sean Connelly
Cybersecurity & Infrastructure Security Agency, Department of Homeland Security

August 2020

U.S. Department of Commerce, Wilbur L. Ross, Jr., Secretary
National Institute of Standards and Technology, Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology
Authority: Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. 3541, Public Law 113-283; Office of Management and Budget (OMB) Circular A-130. Other NIST publications are available at https://csrc.nist.gov/publications

National Institute of Standards and Technology Special Publication 800-207
Natl. Inst. Stand. Technol. Spec. Publ. 800-207, 59 pages (August 2020)
CODEN: NSPUE2
https://doi.org/10.6028/NIST.SP.800-207

National Institute of Standards and Technology
Attn: Advanced Network Technologies Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8920), Gaithersburg, MD 20899-8920
Email: [email protected]

Comments are subject to release under the Freedom of Information Act (FOIA).
NIST SP 800-207 ZERO TRUST ARCHITECTURE
NIST Information Technology Laboratory (ITL); Special Publication 800 series

Abstract (terms as extracted): zero trust (ZT); zero trust architecture (ZTA); BYOD (Bring Your Own Device)
Acknowledgments
Federal CIO Council; Greg Holden; Alper Kerman and Douglas Montgomery (NIST/National Cybersecurity Center of Excellence)
(ITL) ITL
ITL ITL
ITL 1
ITL
NIST (1) (2)
Contents (entries with surviving text; page numbers omitted)
3.1.1 ZTA
3.1.2 ZTA
3.1.3 Software Defined Perimeter ZTA
3.4.1 ZTA
4.2 Cloud to Cloud
5.1 ZTA
5.7 ZTA (NPE)
6.1 ZTA NIST
6.2 NIST
6.3 ZTA
6.4 ZTA Trusted Internet Connections 3.0
6.5 ZTA EINSTEIN (NCPS - National Cybersecurity Protection System)
6.6 ZTA DHS Continuous Diagnostics and Mitigations (CDM)
6.7 ZTA Cloud Smart Federal Data Strategy
7.2 ZTA
7.3 ZTA
7.3.4 ZTA
7.3.7 ZTA
Appendix B: ZTA
B.2 ZTA
B.2.1 ZTA
B.2.2 ZTA
B.3 ZTA
B.3.4 API
B.4 ZTA
B.4.5 ZTA
B.4.6 ZTA
B.4.7 ZTA
Figure 12: ZTA
1
/
(ZT) ZT
() (
) / (subject)
ZT
ZT ( / )
(ZTA) ZT ( )
ZTA
ZT[FIPS199] ZTA
ZTA
IT
ZTA
1.1
(DISA) [BCORE]
2004
[JERICHO] Forrester John Kindervag 1
2
10 (FISMA) (RMF) Federal
Identity Credential Access Management (FICAM) Trusted Internet Connections (TIC) (CDM)
1.2
2 ZT ZTA ZTZT
3 ZT ( ) ZTA
1 https://go.forrester.com/blogs/next-generation-access-and-zero-trust/
2 NIST
4 ZTA
5 ZTA
6 ZTA
7 ( ) ZTAZT
2
( )
() (
)
( ) Trusted Internet Connections (TIC)
TIC
( )
(ZT)
(ZTA)
()
( 2.1
)
( /) ( )
ZTZTA ( Internet of Things [IoT] )
1 (PDP) (PEP) 3
1
PDP/PEP
()
( )
PDP/PEP
(PDP/PEP)
PDP/PEP PEPPDP/PEPPDP/PEP
PDP/PEP
3 OASIS XACML 2.0 https://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf
()
/
(PDP/PEP)
2.1
ZT ( ) ZTA
( 3.1 )
ZT ZTA
1.
/ SaaS
2.
( )
3.
4. /
()
( )
/
5.
ZTA (CDM)
()
()
6. /
ZTA Identity Credential and Access Management (ICAM)
(MFA)
()
7.
( 3.3.3.1 )
ZT (ID) /
()
( ) ZT
2.2
ZTA
( Wi-Fi) ZTA ZTA
ZTA
1.
( 2.1 2 )
2.
BYOD (Bring-your-own-device)
3. PEP
( 2.1 6 )
4.
( DNS ) ( )
5. ( )
/ (
) ZTA
6.
( )
3
ZTA2
1 (PDP) ( )
ZTA ( 3.4 )
2
(PE) PE ( CDM
) ( 3.3 )
PE ( )
(PA) ( PEP ) PA
PA PEPE PA PEP
() PA PEP PE PA
(PDP)
(PEP)
(PA)
(PE)
CDM
(PKI)
ID
SIEM
PA PEP
(PEP) PEP PA PA
ZTA ( ) (
) PEP
( 2 )
ZTA
()
(CDM)
CDM (OS)
CDM
(FISMA )
/
( )
/
(PKI)
PKI4 PKIX.509 PKI
ID (Lightweight Directory Access Protocol (LDAP) )
( )
(PKI )
(SIEM)
3.1
ZTAZT
( 2.1 ) ( ) ZT
ZTA
3.1.1 ZTA
ZTA
( )
PEP
4 https://www.idmanagement.gov/topics/fpki/
( 4.3 )
( 3.2.3 )
ZT/ ( SaaS )
3.1.2 ZTA
ZTA ( )
(NGFW) PEP
( 3.2.1 )
PEPPEP ( 3.2.1
)
PEP PE/PA
(IGP) PEP
PEP
3.1.3 Software Defined Perimeter ZTA
ZTA ZTA ( OSI 7
) Software Defined Perimeter (SDP)
(SDN) [SDNBOOK] (IBN) [IBNVN] PA PE
PAPEP
( 7)
/ ( 3.2.1 ) ( PEP PA )
IP
3.2
PKI
ZT PEPA
ZTA
3.2.1 /
PEP
( ) ( )
PEP
( 3 )
3 /
(/ )
(IP)
/ (
)
(CSA) Software Defined Perimeter (SDP) [CSA-SDP] BYOD
3.2.2
/4
( ) (
[API] ) (
)
(PA)
(PE)
4
/
/
/
3.2.3
PEP
5
(PA)
(PE)
5
BYOD
PEP
(DoS) DoS
3.2.4
/
(PA)
(PE)
6
6PEP PEP
PEP
3.3
ZTA PE (TA)
( 3 )
7
/
OS
PEP PEP
7
7
OS
()
[SP800-63] ( )
/ [SP800-162] [NISTIR 7987]
( ID) PEP
ID (TA)
( 3.3.1 )
( ) (/BYOD) ( )
OS ( )
ID [SP800-63] MFA
( IP )
( ) ()
( )
PA PAPEP ZTA
PA
PA ( ) 3.3.1
TA
TA
/
vs. TA
( / )
TA
()
vs. TA
TAPE
PE
PE PA ( PEP)
/ ( ) TA
TA
ZTATA
20 30TA 1 100
TATA
TA
TA NIST Special Publication 800-63A [SP800-63A]
/
ZTA
/
3.4 /
ZT/ ( )
/ [Gilman]
(
)
PA PEP/
3.4.1 ZTA
1.
(LAN) ( DNS)
2. (
MAC )
3. ( OSI 7)
( ) PE
4. PEP
PEP PEPPEP
DoS ( DNS )
5. PEP
/
PEPPEP
6. PEP PEP
7. PEP
PEP
PEP
8.
( ) ( [VPN] )
9. ZTA
ZTA PE PA PEPPEP ( PEP PA/PE )
ZTA
10. PEP
( )
4 /
ZTA
ZTA
ZTA 7.2ZTA
4.1
( 8 )
MPLS (Multiprotocol Label Switching)
/
() (
)
PE/PA ()
( 3.2.1 ) ( 3.2.3 )
PE/PA
8
4.2 /Cloud to Cloud
ZTA ( 9 )
//
AB
9
CSA Software Defined Perimeter (SDP) [CSA-SDP] -
2.2 ZT
A B
PEP /PE PA
() PEP
ZTA
4.3 /
/ (
10 ) /
( )
10
SDP ZTA
( east-west)
PE PA LAN ()
( 3.2.1 ) ( 3.2.3 ) PA (
)
4.4
A B ( 11 ) (G2G)
(G2B) AB
A B
ID PEP ID
11
11 ( 4.1 ) A
B IP A (ACL)
1PE PA VPN
B ( 3.2.3 )
A B
1
2
4.5
()
() ZTA
( )
( ) ( )
MFA
5
ZTAZTA
5.1 ZTA
ZTA
PE PA PE PAPE
PA ( )
PE PA
5.2
ZTA PA PA
PEP PE/PA ( DoS )
[SP 800-160v2]
Mirai
DoS5
( 1 ) PEP PA
VPN ZTA
PE PA (IaaS) 6 SaaS
7
5 https://blog.cloudflare.com/inside-mirai-the-infamous-iot-botnet-a-retrospective-analysis/
6 https://aws.amazon.com/message/41926/
7 https://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=12286870
PA PADDoS
5.3 /
ZT
ZT
ZTA
MFA (
)
ZTA (
)
( 3.3.3.1 ) TA
5.4
3.4.1
( ) 3 (
) / ( )
( )
[Anderson]
5.5
ZT
()
5.6
ZTA
( ) () DoS
ZTA ZTA ( )
5.7 ZTA (NPE)
ZTA ( ) ZTA
API
(
) ( )
NPE
( API vs. MFA)
6
ZTA
ICAM ZTA
6.1 ZTA NIST
ZTA
( 7.3.3 )
NIST (RMF) [SP800-37]
ZTA
( PEP) RMF
ZTA
6.2 NIST
( )
FISMA Health Insurance Portability and Accountability Act (HIPAA) NIST
[NISTPRIV]
ZTA
ZT (
)
[NISTIR 8062] () NIST
[NISTPRIV]
6.3 ZTA
ZTA PE
PE
(OMB) M-19-17
... [M-19-17]
ICAM; NIST SP 800-63-3, Digital Identity Guidelines
[SP800-63] ZTA ZTA ICAM
6.4 ZTA Trusted Internet Connections 3.0
TIC OMB DHS (GSA)
TICTIC1.0 TIC2.0
ZTA ( ) TIC2.0
TIC () ZT
TIC3.0 [M-19-26] TIC3.0
TIC3.0 TIC Security Capability Handbook 2 (1) (2) TIC
(PEP) PEP PEP PEP
PEP TIC3.0ZTA (
) TIC3.0
TIC3.0 ZTA
TIC3.0ZTA TIC ZTA
6.5 ZTA EINSTEIN (NCPS - National Cybersecurity Protection System)
NCPS ( EINSTEIN ) NCPS
EINSTEIN; CISA; National Cybersecurity and Communications Integration Center (NCCIC)
DHS NCPS
ZTA NCPS
ZTA NCPSNCPS ZTA
ZTA NCPSNCPS
ZTA
ZTA ZTA
6.6 ZTA DHS Continuous Diagnostics and Mitigations (CDM)
DHS CDM (IT)
NPE
CDM ZTA ZTA
DHS CDM ZTA
DHS Hardware Asset Management (HWAM) [HWAM]
ZTA ( )
6.7 ZTA Cloud Smart Federal Data Strategy
Cloud Smart8 Data Center Optimization Initiative [M-19-19] Federal Data Strategy9 ZTA
ZTA
ZTA ( 7.3.3 )
Federal Data Strategy
ZTA ( 4.4 ) ZTA
8 https://cloud.cio.gov/strategy/
9 https://strategy.data.gov/
7
ZTA
IT /ZT IT
ZT [ACT-IAC]
/
7.1
/
ZT
ZT [SP800-160v1]
( ID )
7.2 ZTA
ZTAZTA ZTA
( ID) ZTA
ZTA
ZTA ( ) [SP800-160v1]
7.3 ZTA
ZTA ( ) ( )
PE PEIT
ZTAZTA
ZTARMF [SP800-37]
ZTA 12
12 ZTA
RMF
/ /
7.3.1
PENPE
ZTA
ZTA NIST SP 800-63A5 [SP800-63A]
7.3.2
2.1 ZTAZTA
ZTA (
IoT ) ( )
( 2.1 ) ( )
PE
IT
( MAC ) (
BYOD PEP ) IT
ZTA () IT
IT
HWAM [HWAM] (SWAM) [SWAM] CDM ZTA
(HVA) ZTA (M-19-03) ZTA ( )
ZTA
7.3.3
ZTA
ZTA
VPNPEP
ZTA
7.3.4 ZTA
NIST [SP800-37]
( ID
) ( ) ( ) ZTA
( ) / ( )
( TA
) ( TA ) ( 3.3.1 )
7.3.5
( 3.1 )
BYOD
( north-south ) (east-west )
ZTA
ZT PE
(Web [SSH] ) (IPv4 IPv6) Web
1 ZTAZTA
7.3.6
ZTA
( )
ZT
MFA IP IPZT
7.3.7 ZTA
( 2.1 )
ZT
ZT
( ZT )
[ACT-IAC] American Council for Technology and Industry Advisory Council (2019) Zero Trust Cybersecurity Current Trends. Available at https://www.actiac.org/zero-trust-cybersecurity-current-trends
[Anderson] Anderson B, McGrew D (2017) Machine Learning for Encrypted Malware Traffic Classification: Accounting for Noisy Labels and Non- Stationarity. Proceedings of the 23rd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (ACM, Halifax, Nova Scotia, Canada), pp 1723-1732. https://doi.org/10.1145/3097983.3098163
[BCORE] Department of Defense CIO (2007). Department of Defense Global Information Grid Architecture Vision Version 1.0 June 2007. Available at http://www.acqnotes.com/Attachments/DoD%20GIG%20Architectural% 20Vision,%20June%2007.pdf
[CSA-SDP] Cloud Security Alliance (2015) SDP Specification 1.0. Available at https://cloudsecurityalliance.org/artifacts/sdp-specification-v1-0/
[FIPS199] National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, DC), Federal Information Processing Standards Publication (FIPS) 199. https://doi.org/10.6028/NIST.FIPS.199
[Gilman] Gilman E, Barth D (2017) Zero Trust Networks: Building Secure Systems in Untrusted Networks (O’Reilly Media, Inc., Sebastopol, CA), 1st Ed.
[HWAM] Department of Homeland Security (2015) Hardware Asset Management (HWAM) Capability Description. Available at https://www.us- cert.gov/sites/default/files/cdm_files/HWAM_CapabilityDescription.pdf
[IBNVN] Cohen R, Barabash K, Rochwerger B, Schour L, Crisan D, Birke R, Minkenberg C, Gusat M, Recio R, Jain V (2013) An Intent-based Approach for Network Virtualization. 2013 IFIP/IEEE International Symposium on Integrated Network Management (IM 2013). (IEEE, Ghent, Belgium), pp 42-50. Available at https://ieeexplore.ieee.org/document/6572968
[JERICHO] The Jericho Forum (2007) Jericho Forum Commandments, version 1.2. Available at https://collaboration.opengroup.org/jericho/commandments_v1.2.pdf
[M-19-03] Office of Management and Budget (2018) Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program. (The White House, Washington, DC), OMB Memorandum M-19-03, December 10, 2018. Available at https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf
[M-19-17] Office of Management and Budget (2019) Enabling Mission Delivery through Improved Identity, Credential, and Access Management. (The White House, Washington, DC), OMB Memorandum M-19-17, May 21, 2019. Available at https://www.whitehouse.gov/wp-content/uploads/2019/05/M-19-17.pdf
[M-19-19] Office of Management and Budget (2019) Update on Data Center Optimization Initiative (DCOI). (The White House, Washington, DC), OMB Memorandum M-19-19, June 25, 2019. Available at https://datacenters.cio.gov/assets/files/m_19_19.pdf
[M-19-26] Office of Management and Budget (2019) Update to the Trusted Internet Connections (TIC) Initiative. (The White House, Washington, DC), OMB Memorandum M-19-26, September 12, 2019. Available at https://www.whitehouse.gov/wp-content/uploads/2019/09/M-19-26.pdf
[NISTIR 7987] Ferraiolo DF, Gavrila S, Jansen W (2015) Policy Machine: Features, Architecture, and Specification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7987, Rev. 1. https://doi.org/10.6028/NIST.IR.7987r1
[NISTIR 8062] Brooks SW, Garcia ME, Lefkovitz NB, Lightman S, Nadeau EM (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062. https://doi.org/10.6028/NIST.IR.8062
[NISTPRIV] National Institute of Standards and Technology (2020) Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, Version 1.0. (National Institute of Standards and Technology, Gaithersburg, MD). https://doi.org/10.6028/NIST.CSWP.01162020
[SDNBOOK] Nadeau T, Gray K (2013) SDN: Software Defined Networks: An Authoritative Review of Network Programmability Technologies. (O’Reilly) 1st Ed.
[SP800-37] Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2. https://doi.org/10.6028/NIST.SP.800-37r2
[SP800-63] Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020. https://doi.org/10.6028/NIST.SP.800-63-3
[SP800-63A] Grassi PA, Fenton JL, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Enrollment and Identity Proofing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63A, Includes updates as of March 2, 2020. https://doi.org/10.6028/NIST.SP.800-63A
[SP800-160v1] Ross R, McEvilley M, Oren JC (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018. https://doi.org/10.6028/NIST.SP.800-160v1
[SP800-160v2] Ross R, Pillitteri V, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2. https://doi.org/10.6028/NIST.SP.800-160v2
[SP800-162] Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019. https://doi.org/10.6028/NIST.SP.800-162
[SWAM] Department of Homeland Security (2015) Software Asset Management (SWAM) Capability Description. Available at https://www.us-cert.gov/sites/default/files/cdm_files/SWAM_CapabilityDescription.pdf
Appendix A: Acronyms
API Application Programming Interface
BYOD Bring Your Own Device
CDM Continuous Diagnostics and Mitigation
DHS Department of Homeland Security
DoS Denial of Service
G2B Government to Business (private industry)
G2G Government to Government
NIST National Institute of Standards and Technology
NPE Non-Person Entity
PA Policy Administrator
PDP Policy Decision Point
PE Policy Engine
PEP Policy Enforcement Point
PKI Public Key Infrastructure
RMF NIST Risk Management Framework
SDN Software Defined Network
SDP Software Defined Perimeter
SIEM Security Information and Event Management
TIC Trusted Internet Connections
VPN Virtual Private Network
ZT Zero Trust
ZTA Zero Trust Architecture
Appendix B: ZTA
[Introductory text not recovered from the extracted page; surviving fragments: ZTA.]
B.1
[Body text not recovered; surviving fragments: ZTA, Table B-1, TIC, FISMA, API.]
B.2 ZTA
[Body text not recovered; surviving fragments: ZTA.]
B.2.1 ZTA
[Body text not recovered; surviving fragments: cross-references to Sections 2.1 and 3.1, ZTA.]
B.2.2 ZTA
[Body text not recovered; surviving fragments: a cross-reference to Section 6, ID, CDM, a cross-reference to Section 7.3, ZTA.]
B.3 ZTA
[Body text not recovered; surviving fragments: ZTA, standards development organization (SDO).]
B.3.3
[Body text not recovered; surviving fragments: MFA, API, ZTA.]
B.3.4 API
[Body text not recovered; surviving fragments: ZTA, Internet Engineering Task Force (IETF), SDO, XMPP-Grid [1], Cloud Security Alliance (CSA) Software Defined Perimeter (SDP) [2].]
B.4 ZTA
[Body text not recovered; surviving fragments: ZTA.]
B.4.5 ZTA
[Body text not recovered; surviving fragments: ZTA, MFA.]
B.4.6 ZTA
[Body text not recovered; surviving fragments: ZTA, MFA, citations [3], [4] and [5], IT.]
B.4.7 ZTA
[Body text not recovered; surviving fragments: ZTA.]
[Continuation of B.4.7: body text not recovered; surviving fragments: PE, PA, DDoS, PEP, ZTA, COOP (Continuity of Operations), MFA.]
B.5 References
[1] Cam-Winget N (ed.), Appala S, Pope S, Saint-Andre P (2019) Using Extensible Messaging and Presence Protocol (XMPP) for Security Information Exchange. (Internet Engineering Task Force (IETF)), IETF Request for Comments (RFC) 8600. https://doi.org/10.17487/RFC8600
[2] Software Defined Perimeter Working Group (2014) SDP Specification 1.0. (Cloud Security Alliance), April 2014.
[3] Stanton B, Theofanos MF, Spickard Prettyman S, Furman S (2016) Security Fatigue. IT Professional 18(5):26-32. https://doi.org/10.1109/MITP.2016.84
[4] Strouble D, Shechtman GM, Alsop AS (2009) Productivity and Usability Effects of Using a Two-Factor Security System. SAIS 2009 Proceedings (AIS, Charleston, SC), p 37. Available at http://aisel.aisnet.org/sais2009/37
[5] Weidman J, Grossklags J (2017) I Like It but I Hate It: Employee Perceptions Towards an Institutional Transition to BYOD Second-Factor Authentication. Proceedings of the 33rd Annual Computer Security Applications Conference (ACSAC 2017) (ACM, Orlando, FL), pp 212-224. https://doi.org/10.1145/3134600.3134629