EIR: A Unified Theoretical Framework for Zero Trust Architectures

EIR：零信任架构的统一理论框架

• 批准号: 2200622
• 负责人: Onyema Osuagwu
• 金额: $ 30万
• 依托单位: Morgan State University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2022
• 资助国家: 美国
• 起止时间: 2022-09-01 至 2025-08-31
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2200622&HistoricalAwards=false
• 关键词: EIR; Unified; Theoretical; Framework; Zero

Zero Trust, has generally been explained as a network in which capabilities and access among all of the participating systems are highly regulated or require a sufficiently high level of proof before permissions are granted for any period of time. As reassuring as these words are for many in this space, the implementation of such networks and architecture lags due to the lack of an rigorous ground truth for success. In other words, if you ask any number of people to show you how they ”implemented” their Zero Trust environment with the same initial specifications you will get at a minimum number of responses with varying levels of verifiable security. The multiple responses are not the problem in this case as much as the variability in the level of security due to the ill-posed question of trust in these systems. The failure to develop true resilience is strongly related to the lack of a unified theoretical framework born out of fundamental cybersecurity experiments and results. This work will first frame and identify the appropriate scale for the question of trust in the cybersecurity domain. The education and research goals of this project are designed to strongly support the engagement in the community.The proposed research task is to do the research and development of the mathematical rules and bounds, e.g., first-order logic, formal methods, etc. to accurately encapsulate all the requirements needed to achieve a “True Zero Trust” architecture for a networked environment. The second research challenge is to prototype, build, test and attack these “True Zero-Trust” networks and compare them to other standards. These research tasks require accurate, detailed, and reproducible testbed construction and validation paired with the architecture. They will use Amazon Web Services to design and test initial architectures across four phases. The third research challenge is to verify the “True Zero-Trust” architecture at scale during varied attack scenarios under high utilization stress. The fourth research challenge is to develop an “Equation of State” for these systems that provides a “Figure of Merit” when judging the security of these systems. This work is strongly aligned with the CISE directorate’s mission in particular the CCF program’s Foundations of Emerging Technology thrust and the SaTC program.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

零信任通常被解释为一种网络，其中所有参与系统之间的能力和访问都受到高度管制，或者在任何时间段内授予权限之前需要足够高的证明。尽管这些话对这个领域的许多人来说是令人放心的，但由于缺乏严格的成功基础，这种网络和架构的实施滞后。换句话说，如果你要求任何数量的人向你展示他们是如何“实现”他们的零信任环境的，你将得到最少数量的响应，这些响应具有不同的可验证安全级别。在这种情况下，多个响应不是问题，而是由于这些系统中的信任问题的不适定而导致的安全级别的可变性。未能发展真正的弹性与缺乏一个统一的理论框架密切相关，该框架诞生于基本的网络安全实验和结果。这项工作将首先为网络安全领域的信任问题制定和确定适当的规模。本项目的教育和研究目标旨在大力支持社区的参与。拟议的研究任务是研究和开发数学规则和界限，例如，一阶逻辑、形式化方法等，以准确地封装实现网络环境的“真正零信任”架构所需的所有需求。第二个研究挑战是对这些“真正的零信任”网络进行原型设计、构建、测试和攻击，并将其与其他标准进行比较。这些研究任务需要准确，详细，可重复的测试平台的建设和验证与架构配对。 他们将使用Amazon Web Services在四个阶段设计和测试初始架构。第三个研究挑战是在高利用率压力下的各种攻击场景中大规模验证“真正的零信任”架构。第四个研究挑战是为这些系统开发一个“状态方程”，在判断这些系统的安全性时提供一个“品质因数”。这项工作与CISE董事会的使命，特别是CCF计划的新兴技术基础和SaTC计划密切相关。该奖项反映了NSF的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。