
pomerium / Awesome Zero Trust

A curated collection of awesome resources for the zero-trust security model.



Awesome Zero Trust

History

For years, security has been synonymous with the perimeter security model. This model relies on the strength of its outer defenses: your corporate network is safe so long as your perimeter is impenetrable. Perimeter security typically incorporates tools like firewalls, network segmentation, and VPNs. But perimeter security's shortcomings have become apparent as:

  • Software is shipped differently now. Organizations now deploy code outside their perimeter, in public and private clouds.
  • Workforce habits are changing. A majority of the global workforce now works remotely at least one day a week.
  • Remote workers want an equivalent user-experience. Traditional tools for internal access like VPNs are clunky and frustrating to use.
  • There are now many perimeters to secure, and their boundaries have become ephemeral and nebulous.

Most networks [have] big castle walls, hard crunchy outer shell, and soft gooey centers...

Rob Joyce, Chief of Tailored Access Operations, National Security Agency @ ENIGMA 2016

Most importantly, the model is just not as secure as we thought. Recent high-profile breaches have demonstrated how difficult it is for even large companies with sophisticated security organizations to avoid a breach. To pick just two of many, consider the Target and Google hacks. In Target's case, hackers circumvented both the physical and network perimeter by compromising an HVAC system that was connected to the internal corporate network; from there they were able to move laterally and exfiltrate customer credit card data. In Google's case, the company experienced a devastating attack at the hands of the Chinese military, known as Operation Aurora, after which Google did a bottom-up review of its security posture. The resulting actions from that review were released as a series of white papers called "BeyondCorp", which have since become foundational documents in articulating how and why an organization could move beyond corporate perimeter-based security (BeyondCorp... get it?).

In reality, there's never one front door; there are many front doors...[and] ... we're not securing a single castle. We're starting to think about securing many different interconnected castles.

Armon Dadgar, Cofounder of HashiCorp @ PagerDuty, Nov 2018

The other side of the security trade-off is operational agility. Perimeter-based approaches tend to focus on network segmentation, which entails creating virtual or physical boundaries around services that need to communicate. Maintaining those boundaries is increasingly difficult in a world of microservices and cloud computing, where service communication requirements are constantly in flux.

In theory, an organization could "micro/nano/pico-segment" each and every layer of an application stack to ensure appropriate access controls. In practice, however, operators are usually pulled toward one of two extremes: either a very precise boundary that is high-touch, time-consuming to manage, and error-prone, or a more lax boundary that may entail more risk but is less time-consuming to update and manage and less prone to break.

Gaps in the perimeter

In summary, perimeter-based security suffers from the following shortcomings:

  • Perimeter security largely ignores the insider threat.
  • The "impenetrable fortress" model fails in practice even for the most sophisticated of security organizations.
  • Network segmentation is a time-consuming mechanism for ensuring secure communication, and one that is difficult to get exactly right.
  • Even defining what the network perimeter is has become an increasingly difficult proposition in a remote-work, BYOD, multi-cloud world. Most organizations are a heterogeneous mix of clouds, servers, devices, and organizational units.
  • VPNs are often misused and exacerbate the issue by opening yet another door into your organization's network.

Zero-trust, security behind the gates

Zero-trust instead attempts to mitigate these shortcomings by adopting the following principles:

  • Trust flows from identity, device state, and context, not from network location.
  • Treat both internal and external networks as untrusted.
  • Act like you are already breached, because you probably are.
  • Every device, user, and application's communication should be authenticated, authorized, and encrypted.
  • Access policy should be dynamic and built from multiple sources.

To be clear, perimeter security is not defunct, nor is zero-trust security a panacea or a single product. Many of the ideas and principles of perimeter security are still relevant and remain part of a holistic, wide-ranging security policy. After all, we still want our castles to have high walls.

Further reading

The zero-trust security model was first articulated by John Kindervag in 2010, and by Google in 2011 as a result of the Operation Aurora breach. What follows is a curated list of resources that covers the topic in more depth.

Government Recommendations

Books

Papers

Posts

Videos
