Perimeter defense strategies are inadequate to ensure cybersecurity of infrastructures consisting of heterogeneous and dynamic resources. The Zero Trust security model emerges as the most promising solution to mitigate risks and protect assets, but significant organizational and implementation challenges hinder its adoption. Microsegmentation of networked systems composed of dynamic IT components and mobile devices causes several technological and management concerns. We present a comprehensive analysis of microsegmentation with the goal of identifying the key aspects that distinguish it from traditional perimeter defenses. We then propose a modular architectural design pattern that ensures adherence to the Zero Trust principles and satisfies its security constraints. This design is based on the concept of Security Domain, which represents the fundamental unit of network segmentation. By combining multiple Security Domains and following precise rules that provably preserve network security, it becomes possible to create complex infrastructures from elementary building blocks. We also provide a formal specification of the proposed design by means of the TLA+ modeling language. We leverage this model to verify its correctness and security properties even in the presence of insider threats.

Cybersecurity Domains: A design pattern for creating Zero Trust Architectures through microsegmentation / Zanasi, C.; Marchetti, M.; Colajanni, M. - (2024), pp. 15-22. (2024 IEEE Conference on Dependable, Autonomic and Secure Computing (DASC), Boracay Island, Malay, Philippines, 5-8 November 2024) [10.1109/DASC64200.2024.00009].

Cybersecurity Domains: A design pattern for creating Zero Trust Architectures through microsegmentation

Marchetti M.;
2024

Year: 2024
Conference: 2024 IEEE Conference on Dependable, Autonomic and Secure Computing (DASC)
Location: Boracay Island, Malay, Philippines
Dates: 5-8 November 2024
Pages: 15-22
Authors: Zanasi, C.; Marchetti, M.; Colajanni, M.
Files in this item:
File: Cybersecurity_Domains_A_design_pattern_for_creating_Zero_Trust_Architectures_through_microsegmentation.pdf
Access: Restricted access
Type: VOR - Version published by the publisher
Size: 671.5 kB
Format: Adobe PDF
Use this identifier to cite or link to this document: https://hdl.handle.net/11380/1389088