Description:TECHNICAL FIELD
The present disclosure relates generally to network security systems and more specifically relates to zero trust security systems using digital ledger technology.

BACKGROUND ART
[0001] Recent technology advancements provide various opportunities to significantly modernize government services in order to stay up with private sector capabilities and public expectations. The frequency and durability of large cybersecurity incidents demonstrate the inadequacy of the current procedures employed to protect government networks and data. The capabilities of mobile and cloud-enabled settings are expanding and modern systems are stretching the boundaries of perimeter-based cybersecurity techniques.

[0002] Cyber attacks provide disadvantages such as less safer data, less secure network, breaches in the network, less visibility and compliance in the environment, less cost saving. Unless these shortfalls and challenges are rapidly and effectively addressed, the government will not be able to adequately safeguard our national assets and take advantage of the potential benefits that technology breakthroughs afford.

[0003] Techniques exists for preventing cyber attacks. For example, reference can be made to WO2017046238A1 which discloses preventing attacks originated in data storage systems, such as USB devices. Further, reference can be made to US10257226B2 which discloses cyber attacks on networks via wireless access points which are vulnerable. However, none of the cited arts provides techniques for holistically strengthening visibility into what is happening across the network without unnecessary trusting anyone in the network environment.

OBJECTS OF THE INVENTION

[0004] The principal object of the present invention is to provide techniques for implementing a never trust, always verify approach for strengthening visibility into what is happening across a network.

[0005] Another object of the present invention is to provide techniques for fulfilling demand for safer data.

[0006] Another object of the present invention is to provide techniques lessening the effects of breaches.

[0007] Another object of the present invention is to provide techniques for improving security by using blockchain technology.

SUMMARY OF THE INVENTION

[0008] In one embodiment, a zero trust security system is disclosed. The zero trust security system comprises a user authentication unit configured to authenticate identity of one or more users, a device authentication unit configured to authenticate a device, a network authentication unit configured to authenticate a network, an application and workload authentication unit configured to check application security and workload security, an automation and orchestration unit configured to check security of automation responses, a security analysis unit configured to analyse security and visibility in the network and a trust score computation unit configured to check trustworthiness based on result from the user authentication unit, device authentication unit, network authentication unit, application and workload authentication unit, automation and orchestration unit and security analysis unit.

[0009] In another embodiment, a method for implementing zero trust security system is disclosed. The method comprises authenticating, by a user authentication unit, identity of one or more users, authenticating, by a device authentication unit, a device, authenticating, by a network authentication unit, a network, checking, by an application and workload authentication unit, application security and workload security, checking, by an automation and orchestration unit, security of automation responses, analysing, by a security analysis unit, security and visibility in the network and checking, a trust score computation unit, trustworthiness based on result from the user authentication unit, device authentication unit, network authentication unit, application and workload authentication unit, automation and orchestration unit and security analysis unit.

BRIEF DESCRIPTION OF DRAWINGS

[0010] Figure 1 illustrates a block diagram of a zero trust security system, in accordance with one embodiment of the present invention.
[0011] Figure 2 illustrates a flowchart of a method for implementing zero trust security system, in accordance with one embodiment of the present invention.
DETAILED DESCRIPTION OF THE INVENTION
[0012] While the present invention is described herein by way of example using embodiments and illustrative drawings, those skilled in the art will recognize that the invention is not limited to the embodiments of drawing or drawings described and are not intended to represent the scale of the various components. Further, some components that may form a part of the invention may not be illustrated in certain figures, for ease of illustration, and such omissions do not limit the embodiments outlined in any way. It should be understood that the drawings and the detailed description thereto are not intended to limit the invention to the particular form disclosed, but on the contrary, the invention is to cover all modifications, equivalents, and alternatives falling within the scope of the present invention as defined by the appended claim.
[0013] As used throughout this description, the word "may" is used in a permissive sense (i.e. meaning having the potential to), rather than the mandatory sense, (i.e. meaning must). Further, the words "a" or "an" mean "at least one” and the word “plurality” means “one or more” unless otherwise mentioned. Furthermore, the terminology and phraseology used herein are solely used for descriptive purposes and should not be construed as limiting in scope. Language such as "including," "comprising," "having," "containing," or "involving," and variations thereof, is intended to be broad and encompass the subject matter listed thereafter, equivalents, and additional subject matter not recited, and is not intended to exclude other additives, components, integers, or steps. Likewise, the term "comprising" is considered synonymous with the terms "including" or "containing" for applicable legal purposes. Any discussion of documents, acts, materials, devices, articles, and the like are included in the specification solely for the purpose of providing a context for the present invention. It is not suggested or represented that any or all these matters form part of the prior art base or were common general knowledge in the field relevant to the present invention.
[0014] In this disclosure, whenever a composition or an element or a group of elements is preceded with the transitional phrase “comprising”, it is understood that we also contemplate the same composition, element, or group of elements with transitional phrases “consisting of”, “consisting”, “selected from the group of consisting of, “including”, or “is” preceding the recitation of the composition, element or group of elements and vice versa.
[0015] The present invention is described hereinafter by various embodiments with reference to the accompanying drawing, wherein reference numerals used in the accompanying drawing correspond to the like elements throughout the description. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiment set forth herein. Rather, the embodiment is provided so that this disclosure will be thorough and complete and will fully convey the scope of the invention to those skilled in the art. In the following detailed description, numeric values and ranges are provided for various aspects of the implementations described. These values and ranges are to be treated as examples only and are not intended to limit the scope of the claims. In addition, several materials are identified as suitable for various facets of the implementations. These materials are to be treated as exemplary and are not intended to limit the scope of the invention.
[0016] Referring to FIG. 1, a block diagram of a zero trust security system 100 is shown. The zero trust security system 100 comprises user authentication unit 102, device authentication unit 104, network authentication unit 106, application and workload authentication unit 108, an automation and orchestration unit 110, a security analysis unit 112, a trust score computation unit 114, a control plane 116, a score computation unit 118.
[0017] The zero trust security system 100 is responsible for performing zero trust security. zero trust is a security concept built on the premise that organizations must actively manage all interactions between individuals, data, and information systems in order to reduce security risks to manageable levels. Despite escalating budgetary problems, an overworked workforce, and difficulties in locating and retaining trained experts, agencies are nonetheless compelled to modernize their antiquated cybersecurity infrastructures to meet emerging threats and service needs. Modern IT security solutions need the following prerequisites: 1. Segment people, devices, data, and services inside a trust-based architecture to guarantee that every 2. be able to withstand attacks while carrying a little administrative burden; 3. be able to easily and rapidly (if not automatically) adjust to a service environment that is always changing; and 4. Access requests should be assessed and intentionally approved or rejected.
[0018] Zero trust complies with these criteria by treating all users, devices, data, and service requests similarly. By requiring continual authentication and authorization before any asset can be used, it modifies the common security policy of an organization's assets being open and accessible. Zero trust is distinctive due to its fundamental alteration. Zero trust is not a product that you buy, it is a security concept, strategy, and architectural design approach.
[0019] The Jericho Forum, a group of Chief Information Security Officers (CISOs) located in the UK, noticed how access and authorization were changing as a result of the increased usage of cloud and mobile computing, and they developed the notion of zero trust as a security design concept in 2004. In a world where processes were migrating to the cloud, the old boundary was dissolving, or becoming less important, and mobile endpoints were becoming the standard for application access, this innovative group proposed a security paradigm. We have seen this intensify in recent years as some businesses wonder whether they should even offer network services given the transition to powerful, quick 5G networks3. John Kindervag created the word "Zero Trust" or “Zero Trust Network” in 2010 while conducting research at Forrester. The Jericho Forum suggested "Zero Trust Network" as a solution to the de-parameterization issue. Since then, interest in zero trust as a viable security strategy to deal with the continually eroding or dissolving boundary has grown. The majority of business networks in use today are flat, meaning there is little to no distinction between user and data networks. The classic hub-and-spoke network model's design is where it falls short. It is fundamentally dangerous to use a firewall to cross the divide between trust and mistrust. Instead of making a distinction between "within" and "outside" the network perimeter, Zero Trust does not.
[0020] The user authentication unit 102 is responsible for authenticating user’s identity. Zero trust places a high priority on ongoing authentication of trusted users. In order to control user access and privileges, this includes employing technologies like Identity, credential, and Access Management (ICAM) and multi-factor authentication as well as ongoing monitoring and validation of user credibility. Additionally crucial are technologies that secure and safeguard user interactions, such as conventional web gateway systems.
[0021] The device authentication unit 104 is responsible for authenticating device in a network. A fundamental characteristic of a zero trust method is the dependability of devices and the real-time cybersecurity posture. Data from some "system of record" solutions, like mobile device managers, might be helpful for determining how trustworthy a device is. Every access request should also undergo further evaluations (such as checks for breach states, software versions, protection statuses, encryption enabling, etc.).
[0022] The network authentication unit 106 is responsible for checking security of a network. Some contend that networks, processes, tools, and operations are becoming more vital than perimeter defences. This is the result of several new technologies and services that enable people to work and communicate in novel ways, rather than a single technology or use-case. Although "perimeter less" is occasionally used to characterize zero trust networks, this is a bit misleading. Zero Trust Networks genuinely make an effort to separate and isolate vital data from extraneous data by bringing perimeters in from the network edge. Even yet, the perimeter now manifests itself in far more minute details. The typical "castle and moat" perimeter firewall strategy is insufficient. Micro-segmentation and the perimeter must work together to come closer to the data in order to enhance controls and safeguards. As organizations extend their networks in order to partially or completely switch to Software Defined Networks, Software Defined Wide Area Networks, and internet-based technologies, network security is growing. Controlling privileged network access, managing internal and external data flows, stopping lateral network movement, and having visibility are essential for determining dynamic policy and trust on network and data traffic. A crucial component of security and a requirement for a zero trust network is the capacity to segment, isolate, and regulate the network.
[0023] The application and workload authentication unit 108 is responsible for checking application security and workload security in the network. Adoption of zero trust depends heavily on the security and effective management of the application layer, compute containers, and virtual machines. Making more precise and detailed access decisions is made possible by being able to recognize and manage the technological stack. Unsurprisingly, delivering adequate access control to applications in zero trust settings depends increasingly on multi-factor authentication.
[0024] The automation and orchestration unit 110 is responsible for checking security of automation and orchestration. Zero trust uses security automation response solutions to the fullest extent possible, automating processes across products through workflows while providing for end-user monitoring and participation. Other automated technologies are frequently used in security operation centers for user and entity behavior analysis as well as security information and event management. These security solutions are connected via security orchestration, which helps in controlling various security systems. When used together, these tools may significantly reduce manual labor requirements, event response times, and expenses.
[0025] The security analysis unit 112 is responsible for analyzing security and checking visibility in the network. A threat that you cannot see or comprehend cannot be defeated. Zero trust makes use of tools like security information management, sophisticated security analytics platforms, security user behaviour analytics, and other analytics systems to make it possible for security professionals to monitor events in real time and intelligently position defences. Prioritizing the study of data from cyber-related events can assist in creating preventative security measures before an actual disaster.
[0026] With the help of an organizational framework and a strategic effort called Zero Trust, security executives and decision-makers may execute security measures that are both practical and efficient. For zero trust initiatives to be successful, a difficult confluence of policies, practices, and technology must be included, coordinated, and integrated. To comprehend and arrange those components, a conceptual security model may be useful.
[0027] The trust score computation unit 114 is responsible for checking trustworthiness. Using a trust score, the trust score computation unit dynamically assesses how trustworthy a person, device, or application is inside the network. For each transaction request, the trust engine utilizes the derived trust score to make policy-based permission choices. The trustworthiness of a particular user, device, or application is assessed using a Trust Score, which is a value calculated from variables and conditions that are either pre-defined or chosen by the organization. The trust score could be affected by details such as location, time of day, duration of access, and actions taken. A security approach called micro-segmentation enables the assignment of fine-grained security policies to data center applications, down to the workload level as well as devices. This implies that safety policies can be synchronized.
[0028] The control plane 116 is a foundation of a zero trust architecture. The control plane is made up of elements that take requests from data plane devices seeking to access network resources and process them. The rest of the Zero Trust architecture, which the control plane coordinates and configures, is referred to as the data plane. The programs, firewalls, proxies, and routers that directly process all network traffic are all found on the data plane. The zero trust architecture allows requests made through the control plane, where the device and user must both be authenticated and approved, for access to protected resources. At this layer, fine-grained regulation can be used, presumably based on role in the organization, time of day, or type of device. Access to more secure resources can additionally mandate stronger authentication. Once the control plane has decided that the request will be allowed, it dynamically configures the data plane to accept traffic from that client.
[0029] The score computation unit 118 integrates the score component in the policies. By integrating the score component in policies, the depth of information stored in the agent enables extremely flexible but fine-grained access control that can adjust to changing circumstances. The control plane instructs the data plane to accept the incoming request if the request is approved. The encryption settings can also be configured using this operation. Data at rest and data in motion can both be encrypted at the device level, the application level, or both. There must be at least one for confidentiality.
[0030] The zero-trust security system 100 may claim that each and every flow on the network is authenticated and anticipated with the help of these authentication and authorization components, as well as the control plane's assistance in coordinating encrypted channels. Network devices and hosts may reject communication that has not all of these components applied, significantly reducing the likelihood of sensitive data leaks. Additionally, by logging each of the control plane events and actions, network traffic can be easily audited on a flow-by-flow or request-by-request basis.
[0031] In one embodiment, the zero trust security system 100 provides demand for safer data. The security of the data that a network transmits and keeps accounts for a sizeable percentage of its value. The protection of all data, whether it is in motion or at rest, is one of the key elements of a ZT architecture. Data loss prevention solutions, virtual private networks (VPNs), and encryption are crucial technologies that aid in this protection. Network administrators can choose a combination tool with several functions or separate solutions for each type of security.
[0032] In one embodiment, the security system 100 provides for a more secure network. In another embodiment, the security system 100 provides for implementing a ‘never trust, always verity approach’. The “never trust, always verify” approach should strengthen visibility into what is happening across the network. New tools can provide increased visibility into the user, device, location, and reputation of anyone requesting access. It is difficult for operators to prevent or repair what they cannot see, so visibility is key. If a user, device, or behavior is not recognized or is out-of-bounds of a user’s baseline risk score, they will be dropped. Zero trust security systems also segments the internal architecture to limit user “roaming” often associated with system penetration breaches.
[0033] In one embodiment, the security system 100 lessens the effects of breaches. Because of the network's segmentation and the users' restricted access, a zero trust security system design will lessen the effect of breaches. A breach's smaller effects will cause less inconvenience to company and keep cleanup expenses down. The reputation and stakeholder and consumer confidence of a business can be preserved with a lower effect after a breach. The main technique to reduce the breach's impact is segmentation. Access should only be granted to those parts of the network where each individual user needs to go. This helps lessen the effect of breaches. Providing sufficient network segmentation to enhance security while avoiding negative effects on network performance, application performance, and business process requirements is a problem. Access restrictions continue
[0034] In one embodiment, the security system 100 provides increased visibility and compliance and improved security. In one embodiment, the zero trust security system 100 uses blockchain technology. Blockchain technology has the potential to fundamentally alter how your sensitive and important data is seen. Blockchain reduces fraud and unlawful behavior by generating a record that cannot be changed and is encrypted end-to-end. By employing permissions to restrict access and anonymizing personal data, privacy concerns may also be solved on the blockchain. To prevent hackers from accessing data, information is kept across a network of computers rather than on a single server.
[0035] In one embodiment, the security system 100 provides for potential Cost Savings. Better integrated technologies, less VPN usage, more straightforward operating models, and the avoidance of lost data, legal actions, and reputational harm can all lead to lower expenses. Each possible cost savings has the potential to increase the value of the ZT design. Government agencies may try to update their infrastructure utilizing cheap, common circuits that are made possible (in terms of risks) when combined with zero trust security system design.
[0036] Referring to FIG. 2 now, a flowchart of a method 200 for implementing zero trust security system is disclosed. At step 202, the method comprises checking various authentication parameters relating to user, device, network, application and workload security, Automation and Orchestration, security analytics and visibility. At step 204, the method comprises calculating trust score based on the various authentication parameters. At step 206, the method comprises calculating scores for various policies in the control plane.
[0037] The various actions, acts, blocks, steps, or the like in the flow diagram may be performed in the order presented, in a different order or simultaneously. Further, in some embodiments, some of the actions, acts, blocks, steps, or the like may be omitted, added, modified, skipped, or the like without departing from the scope of the invention.
[0038] Although particular embodiments of the invention have been described in detail for purposes of illustration, various modifications and enhancements may be made without departing from the spirit and scope of the invention.

, Claims:CLAIMS:
I/We Claim:
1. A zero trust security system (100) comprises:
a user authentication unit (102) configured to authenticate identity of one or more users;
a device authentication unit (104) configured to authenticate a device;
a network authentication unit (106) configured to authenticate a network;
an application and workload authentication unit (108) configured to check application security and workload security;
an automation and orchestration unit (110) configured to check security of automation responses;
a security analysis unit (112) configured to analyse security and visibility in the network;
a trust score computation unit (114) configured to check trustworthiness based on result from the user authentication unit, device authentication unit, network authentication unit, application and workload authentication unit, automation and orchestration unit and security analysis unit.

2. The system as claimed in claim 1, further comprising:
a control plane (116) configured to process network resources;
a score computation unit (118) configured to calculate a score based on result from the control plane.

3. The system as claimed in claim 1, wherein the trust score computation unit is configured to compute trust score based on location, time of day, duration of access and actions taken.

4. The system as claimed in claim 1, wherein the control plane (116) is configured to take requests from a data plane.

5. The system as claimed in claim 1, wherein zero trust security system uses blockchain technology.

6. A method for implementing zero trust security system (100) comprises:
authenticating, by a user authentication unit (102), identity of one or more users;
authenticating, by a device authentication unit (104), a device;
authenticating, by a network authentication unit (106), a network;
checking, by an application and workload authentication unit (108), application security and workload security;
checking, by an automation and orchestration unit (110), security of automation responses;
analysing, by a security analysis unit (112), security and visibility in the network;
checking, a trust score computation unit (114), trustworthiness based on result from the user authentication unit, device authentication unit, network authentication unit, application and workload authentication unit, automation and orchestration unit and security analysis unit.

7. The method as claimed in claim 6, further comprising:
processing, by a control plane (116), network resources;
calculating, by a score computation unit (118), a score based on result from the control plane.

8. The method as claimed in claim 6, further comprising computing trust score based on location, time of day, duration of access and actions taken.

9. The method as claimed in claim 7, wherein the control plane (116) is configured to take requests from a data plane.

10. The method as claimed in claim 6, wherein zero trust security system uses blockchain technology.