看到美國總統行政辦公室發佈的「Moving the U.S. Government Toward Zero Trust Cybersecurity Principles」這個備忘錄,在講 Zero trust security model,算是讓其他聯邦單位可以依循的指引,從比較高的角度來說明聯邦政府對系統安全設計的方向。
裡面有提到「Phishing-resistant MFA」,一般的 MFA 無法防止 phishing (像是軟體 TOTP 類的 Google Authenticator 或是硬體式 TOTP 的 RSA SecurID,或是透過簡訊輸入收到的字串那種),要能夠對抗 phishing 的應該只有 U2F 或是後續的 WebAuthn 這種有把網站位置也放進 protocol 的協定。
另外提到了 RBAC 與 ABAC 兩種設計,而且更偏好用 ABAC 得到更多彈性:
Currently, many authorization models in the Federal Government focus on role-based access control (RBAC), which relies on static pre-defined roles that are assigned to users and determine their permissions within an organization. A zero trust architecture should incorporate more granularly and dynamically defined permissions, as attribute-based access control (ABAC) is designed to do.
另外因為 zero trust 的設計,內部網路其實只能當作是一個傳輸媒介,不能當作是一個安全的傳輸層,任何的傳輸都需要有另外的驗證機制確保 CIA,所以從 DNS 的流量必須是透過 DNS over HTTPS 或是 DNS over TLS 的保護:
Agencies must resolve DNS queries using encrypted DNS wherever it is technically supported. This means that agency DNS resolvers must support standard encrypted DNS protocols (DNS-over-HTTPS or DNS-over-TLS), and must use them to communicate with upstream DNS resolvers.
任何 HTTP 傳輸都需要使用 HTTPS 保護,甚至是把 .gov
直接放進 HTTPS-only 清單 (應該是指 HSTS preload?):
More generally, the .gov top-level domain has announced an intent to eventually preload the entirety of the .gov domain space as an HTTPS-only zone.
不過裡面也有提到 email 的 encryption 到目前為止沒有好的方法可以確保 encryption 的使用,尤其是跟外部的人溝通:
Unlike HTTP and DNS, there is not today a clear path forward for guaranteeing that Federal emails are encrypted in transit, particularly for emails with external parties.
然後提到安全漏洞的測試與回報機制也蠻有趣的,像是鼓勵外部測試:
In addition to their own testing programs, agencies must increase their reliance on external perspectives to identify vulnerabilities that internal staff may not identify
以及鼓勵安全回報的制度:
Public vulnerability disclosure programs, which allow security researchers and other members of the general public to report security issues safely, are used widely across the Federal Government and many private-sector industries. These programs are an invaluable accompaniment to existing internal security programs and operate as a reality check on an organization’s online security posture.
拿來翻一翻讀一讀...