Zero Trust 是一个基于 永不信任,始终验证 原则的安全模型 — 而不是根据网络位置(内部与外部)信任任何东西,每个访问请求都经过身份验证、授权和验证。它解决了传统边界安全的失败。
边界安全的问题
text
TRADITIONAL ("castle and moat") security:
→ a strong PERIMETER (firewall); trust everything INSIDE the network
✗ once an attacker gets IN (breach, insider, compromised device), they move FREELY
(lateral movement) — the inside is implicitly trusted
✗ doesn't fit modern reality: cloud, remote work, mobile, distributed services (no clear
perimeter)
零信任:永不信任,始终验证
text
ZERO TRUST assumes NO implicit trust — verify EVERY request regardless of location:
→ AUTHENTICATE & AUTHORIZE every access (every request, every resource), inside or out
→ "assume breach" — act as if attackers are already inside
→ LEAST PRIVILEGE → minimal access; verify continuously (identity, device, context)
→ MICRO-SEGMENTATION → limit lateral movement (a breach in one area is contained)
→ trust is never assumed based on network location; it's continuously established.