‘State of the Union’: Evaluating Open Source Zero Trust Components

  • Conference paper
  • Security and Trust Management (STM 2023)

Abstract

Zero Trust Architecture (ZTA) is a security model based on the principle “never trust, always verify”. In such a system, trust must be established for both the user and the device before access is granted. While industry adoption of commercial ZTA solutions is accelerating, the state of open-source implementations has yet to be explored. To that end, we survey open-source implementations of zero trust components and put forward a set of ZTA-specific requirements to evaluate them against. We also identify seven major challenges that hinder the adoption and deployment of open-source zero trust solutions. Our results show that implementations of individual components are much more mature than “all-in-one” ZTA solutions. The interoperability between solutions and the development of inter-component protocols are the main areas in which improvements can be made. Despite encouraging developments, we conclude that building ZTAs on top of open-source components is difficult.

References

  1. National Institute of Standards and Technology: [NIST SP 800–207] Zero Trust Architecture. NIST Special Publication - 800 series (2020)

  2. Jericho Forum ™ Commandments (2007). https://collaboration.opengroup.org/jericho/commandments_v1.2.pdf

  3. Ward, R., Beyer, B.: BeyondCorp: a new approach to enterprise security. Login Mag. USENIX & SAGE 39(6), 6–11 (2014)

  4. Zimmer, B.: LISA: a practical zero trust architecture. In: Enigma 2018 (Enigma 2018). USENIX Association, Santa Clara, CA (2018)

  5. Microsoft Corporation: Zero Trust Model - Modern Security Architecture|Microsoft Security (2022). https://www.microsoft.com/en-us/security/business/zero-trust. Visited 13 Apr 2023

  6. Microsoft and Hypothesis Group: Zero Trust Adoption Report (2021)

  7. Kindervag, J.: No More Chewy Centers: Introducing the Zero Trust Model of Information Security (2010)

  8. The Open Group: Zero Trust Core Principles (2021). https://publications.opengroup.org/w210

  9. Rose, S.: Planning for a Zero Trust Architecture: A Planning Guide for Federal Administrators (2022)

  10. Køien, G.M.: Zero-trust principles for legacy components: 12 rules for legacy devices: an antidote to chaos. Wireless Pers. Commun. 121, 1169–1186 (2021). https://doi.org/10.1007/s11277-021-09055-1

  11. He, Y., Huang, D., Chen, L., Ni, Y., Ma, X.: A survey on zero trust architecture: challenges and future trends. Wirel. Commun. Mobile Computing 2022, 1–13 (2022)

  12. Buck, C., Olenberger, C., Schweizer, A., Völter, F., Eymann, T.: Never trust, always verify: a multivocal literature review on current knowledge and research gaps of zero-trust. Comput. Secur. 110, 102436 (2021). https://doi.org/10.1016/j.cose.2021.102436

  13. Syed, N.F., Shah, S.W., Shaghaghi, A., Anwar, A., Baig, Z., Doss, R.: Zero Trust Architecture (ZTA): a comprehensive survey. IEEE Access 10, 57143–57179 (2022). https://doi.org/10.1109/ACCESS.2022.3174679

  14. Olson, K., Keller, E.: Federating trust: network orchestration for cross-boundary zero trust. In: Proceedings of the 2021 SIGCOMM 2021 Poster and Demo Sessions, Part of SIGCOMM 2021 (2021). https://doi.org/10.1145/3472716.3472865

  15. Hatakeyama, K., Kotani, D., Okabe, Y.: Zero trust federation: sharing context under user control towards zero trust in identity federation. In: 2021 IEEE International Conference on Pervasive Computing and Communications Workshops and other Affiliated Events, PerCom Workshops 2021 (2021). https://doi.org/10.1109/PerComWorkshops51409.2021.9431116

  16. Tulshibagwale, A.: Re-thinking federated identity with the Continuous Access Evaluation Protocol | Google Cloud Blog (2019). https://cloud.google.com/blog/products/identity-security/re-thinking-federated-identity-with-thecontinuous-access-evaluation-protocol. Visited 13 Apr 2023

  17. Maler, E., Machulak, M., Richer, J., Hardjono, T.: User-Managed Access (UMA) 2.0 Grant for OAuth 2.0 authorization. Technical report (2019)

  18. Hardt, D.: The OAuth 2.0 Authorization Framework. RFC 6749, RFC Editor (2012)

  19. Wohlin, C.: Guidelines for snowballing in systematic literature studies and a replication in software engineering. In: Proceedings of the 18th International Conference on Evaluation and Assessment in Software Engineering, pp. 1–10 (2014)

  20. Anderson, A., et al.: eXtensible Access Control Markup Language (XACML) Version 2.0. Oasis (2004)

  21. Envoy Project Authors: envoyproxy/envoy: Cloud-native high-performance edge/middle/service proxy (2016). https://github.com/envoyproxy/envoy. Visited 13 Apr 2023

  22. Styra Inc.: OpenZiti: programmable network overlay and associated edge components for application-embedded, zero-trust networking (2019). https://github.com/openziti/. Visited 13 Apr 2023

  23. Fond, J.: juanfont/headscale: An open source, self-hosted implementation of the Tailscale control server (2020). https://github.com/juanfont/headscale. Visited 13 Apr 2023

  24. Tailscale Inc.: Tailscale is a WireGuard-based app that makes secure, private networks easy for teams of any scale (2020). https://github.com/tailscale. Visited 13 Apr 2023

  25. Donenfeld, J.A.: Wireguard: next generation kernel network tunnel. In: NDSS 2017, pp. 1–12. The Internet Society (2017)

  26. Pomerium Inc.: pomerium/pomerium: Pomerium is an identity-aware access proxy (2019). https://github.com/pomerium/pomerium. Visited 13 Apr 2023

  27. HashiCorp Inc: hashicorp/boundary: Boundary enables identity-based access management for dynamic infrastructure (2020). https://github.com/hashicorp/boundary. Visited 13 Apr 2023

  28. Ockam Inc.: build-trust/ockam: Orchestrate end-to-end encryption, mutual authentication, key management, credential management & authorization policy enforcement - at scale (2018). https://github.com/build-trust/ockam. Visited 13 Apr 2023

  29. Marlinspike, M., Perrin, T.: The X3DH key agreement protocol. Open Whisper Syst. 283, 10 (2016)

  30. Ory Corp: ory/oathkeeper: a cloud native Identity & Access Proxy/API (IAP) and Access Control Decision API that authenticates, authorizes, and mutates incoming HTTP(s) requests (2017). https://github.com/ory/oathkeeper. Visited 13 Apr 2023

  31. Ory Corp: ory/keto: Open Source (Go) implementation of “Zanzibar: Google’s Consistent, Global Authorization System” (2018). https://github.com/ory/keto. Visited 13 Apr 2023

  32. Pang, R., et al.: Zanzibar: Google’s consistent, global authorization system. In: 2019 USENIX Annual Technical Conference (USENIX ATC 2019), Renton, WA (2019)

  33. Styra Inc.: open-policy-agent/opa: An open source, general-purpose policy engine (2015). https://github.com/open-policy-agent/opa. Visited 13 Apr 2023

  34. The SPIFFE authors: SPIFFE: Secure Production Identity Framework for Everyone (2017). https://spiffe.io. Visited 13 Apr 2023

  35. OpenID Foundation: Shared Signals - A Secure Webhooks Framework | OpenID (2017). https://openid.net/wg/sharedsignals/. Visited 13 Apr 2023

  36. Hunt, P., Jones, M., Denniss, W., Ansari, M.: Security Event Token (SET). RFC 8417, RFC Editor (2018)

  37. Jones, M., Bradley, J., Sakimura, N.: JSON Web Signature (JWS). RFC 7515, RFC Editor (2015)

  38. cogolabs contributors: cogolabs/beyond: BeyondCorp-inspired HTTPS/SSO Access Proxy. Secure internal services outside your VPN/perimeter network during a zero-trust transition (2017). https://github.com/cogolabs/beyond. Visited 13 Apr 2023

  39. Yakimov, C.: cyakimov/helios: Identity-Aware Proxy (2019). https://github.com/cyakimov/helios. Visited 13 Apr 2023

  40. Seknox Pte. Ltd.: seknox/trasa: Zero Trust Service Access (2020). https://github.com/seknox/trasa. Visited 13 Apr 2023

  41. Pritunl Inc: pritunl/pritunl-zero: Zero trust system (2017). https://github.com/pritunl/pritunl-zero. Visited 13 Apr 2023

  42. Kerman, A., Souppaya, M., Grayeli, P., Symington, S.: Implementing a zero trust architecture (Preliminary Draft), Technical report, National Institute of Standards and Technology (2022)

  43. Sakimura, N., Bradley, J., Jones, M., De Medeiros, B., Mortimore, C.: OpenID Connect Core 1.0. The OpenID Foundation (2014)

  44. Hilbig, T.: hm-seclab/paper-th-zta-components-materials: Supporting materials for STM 2023 (2023). https://github.com/hm-seclab/paper-th-zta-componentsmaterials. Visited 19 Aug 2023

Author information

Correspondence to Tobias Hilbig.

Ethics declarations

Data Availability

The full results of the evaluation, i.e., a table listing the components together with our assessment of the requirements each one fulfils, are available online [44].

Competing interests

All authors declare that they have no conflicts of interest.

A List of Requirements

In the following, we list the requirements used in the evaluation together with a short explanation, examples and the desired state.

A.1 Policy Enforcement Point

  • Architecture: Integrated operation, i.e., the PEP is built directly into the target application or service, for example via libraries; proxy mode, i.e., the PEP runs as a separate component in front of the server; client side, i.e., the PEP is deployed on the client device. All architectures are equally desirable.

  • Supported protocols for PEP-PDP communication: A list of protocols the PEP supports for interacting with PDPs. Existing, well-defined protocols with wide usage are desirable.

  • Push-based demotion and termination: This advanced feature allows PDPs to demote or terminate established sessions by instructing the PEP to do so. Support for this is desirable.

A.2 Policy Decision Point

  • Supported policy languages: A list of languages the PDP supports for encoding policies. Existing, well-defined languages with wide usage are desirable.

  • Options for ingesting policies: A list of options allowing the ingestion of policy information. Examples include user interfaces, REST APIs and the file system. CLI- or API-based ingestion is preferred.

  • Policy storage mechanisms: A list of supported ways to store policies. The local filesystem is an example. Here it is desirable to have the option of using a database.

  • Supported protocols for PEP, PIP, PDP communication: A list of protocols the PDP supports for interacting with other components. Existing, well-defined protocols with wide usage are desirable.

  • Federated operation: The capability and maturity of operating the PDP in a federated environment. It is desirable to have this feature.

A.3 Policy Information Point

  • Data sources: A list of supported data sources the PIP can query. Examples include device registries, generic databases and CTI feeds. Support for many sources is desirable.

  • Identity providers: A list of IdPs the PIP can interface with, for example generic support for SAML. Support for well-known IdPs and protocols is desirable, especially OIDC.

  • Query protocol: The protocol, or the protocols, the PIP supports for querying data. This protocol can then be used by the PDP for policy decisions. Existing, well-defined protocols with wide usage are desirable.

  • Supported protocols for PIP-PIP communication: In federated environments, PIPs might need to interface with other PIPs to exchange data. Existing, well-defined protocols with wide usage are desirable.

A.4 Agent

  • Hardware-based collection capabilities: A list of information items the agent is able to collect about the hardware of the client. Examples include the secure boot state, firmware version information or CPU vulnerabilities. It may be desirable to collect as much information as possible.

  • Software-based collection capabilities: A list of information items the agent is able to collect about the software of the client. Examples include the operating system type and version, currently running software or antivirus software state. It may be desirable to collect as much information as possible.

  • Supported protocols for Agent-PIP communication: A list of protocols the agent supports for interacting with PIPs. Existing, well-defined protocols with wide usage are desirable.
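The four component types in A.1 to A.4 only make sense together, so the following is an added, constructed example (not code from the paper or from any of the surveyed projects) that models them in one process: an agent reports hardware and software posture to a PIP, a PDP evaluates a toy policy against that posture when a PEP asks for a decision, and, because the PDP subscribes to the PIP, a later posture change is pushed to the PEP as a demotion or termination of the established session. The policy rules, attribute names and the "full"/"restricted"/"deny" levels are all assumptions chosen for illustration; a real deployment would carry these messages over one of the protocols the requirements ask for rather than direct method calls.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

@dataclass
class DevicePosture:
    """Constructed set of items an agent reports to the PIP (A.4)."""
    secure_boot: bool           # hardware-based collection item
    os_version: str             # software-based collection item
    antivirus_enabled: bool     # software-based collection item

@dataclass
class Session:
    session_id: str
    user: str
    device_id: str
    level: str                  # "full", "restricted" or "terminated"

class PIP:
    """Policy Information Point (A.3): stores agent-reported posture and
    notifies subscribers (here the PDP) whenever a device's posture changes."""
    def __init__(self) -> None:
        self._posture: Dict[str, DevicePosture] = {}
        self._subscribers: List[Callable[[str, DevicePosture], None]] = []

    def subscribe(self, callback: Callable[[str, DevicePosture], None]) -> None:
        self._subscribers.append(callback)

    def report(self, device_id: str, posture: DevicePosture) -> None:
        """Called by the agent on the client device (Agent-PIP communication)."""
        self._posture[device_id] = posture
        for callback in self._subscribers:
            callback(device_id, posture)

    def get(self, device_id: str) -> Optional[DevicePosture]:
        return self._posture.get(device_id)

def evaluate_policy(user: str, posture: Optional[DevicePosture],
                    allowed_users: Set[str]) -> str:
    """Toy policy (an assumption of this example): decide on identity plus
    device posture and return "full", "restricted" or "deny"."""
    if user not in allowed_users or posture is None:
        return "deny"           # unknown user, or device never reported posture
    if not posture.secure_boot:
        return "deny"           # hardware posture check failed
    if not posture.antivirus_enabled:
        return "restricted"     # software posture degraded: reduced access
    return "full"

class PDP:
    """Policy Decision Point (A.2): answers PEP queries and, on PIP change
    notifications, pushes demotion or termination to registered PEPs (A.1)."""
    def __init__(self, pip: PIP, allowed_users: Set[str]) -> None:
        self.pip = pip
        self.allowed_users = allowed_users
        self.peps: List["PEP"] = []
        pip.subscribe(self._on_posture_change)

    def register_pep(self, pep: "PEP") -> None:
        self.peps.append(pep)

    def decide(self, user: str, device_id: str) -> str:
        return evaluate_policy(user, self.pip.get(device_id), self.allowed_users)

    def _on_posture_change(self, device_id: str, posture: DevicePosture) -> None:
        # Continuous verification: re-evaluate every live session on the device
        # and instruct the PEP to demote or terminate where the decision changed.
        for pep in self.peps:
            for session in pep.sessions_for_device(device_id):
                level = evaluate_policy(session.user, posture, self.allowed_users)
                if level == "deny":
                    pep.terminate(session.session_id)
                elif level != session.level:
                    pep.set_level(session.session_id, level)

class PEP:
    """Policy Enforcement Point (A.1) in proxy mode: gates new requests through
    the PDP and applies pushed demotion/termination to established sessions."""
    def __init__(self, pdp: PDP) -> None:
        self.pdp = pdp
        self.sessions: Dict[str, Session] = {}
        pdp.register_pep(self)

    def request_access(self, session_id: str, user: str, device_id: str) -> str:
        decision = self.pdp.decide(user, device_id)
        if decision != "deny":
            self.sessions[session_id] = Session(session_id, user, device_id, decision)
        return decision

    def sessions_for_device(self, device_id: str) -> List[Session]:
        return [s for s in self.sessions.values()
                if s.device_id == device_id and s.level != "terminated"]

    def set_level(self, session_id: str, level: str) -> None:
        self.sessions[session_id].level = level

    def terminate(self, session_id: str) -> None:
        self.sessions[session_id].level = "terminated"

def run_scenario() -> Dict[str, str]:
    """Constructed walkthrough: a healthy device gets full access, a pushed
    posture change demotes its session, a second change terminates it."""
    pip = PIP()
    pdp = PDP(pip, allowed_users={"alice"})
    pep = PEP(pdp)
    results: Dict[str, str] = {}
    pip.report("laptop-1", DevicePosture(True, "22.04", True))      # agent check-in
    results["initial"] = pep.request_access("s1", "alice", "laptop-1")
    results["unknown_device"] = pep.request_access("s2", "alice", "laptop-9")
    results["unknown_user"] = pep.request_access("s3", "mallory", "laptop-1")
    pip.report("laptop-1", DevicePosture(True, "22.04", False))     # AV switched off
    results["after_av_off"] = pep.sessions["s1"].level
    pip.report("laptop-1", DevicePosture(False, "22.04", False))    # secure boot off
    results["after_secure_boot_off"] = pep.sessions["s1"].level
    return results

if __name__ == "__main__":
    for step, outcome in run_scenario().items():
        print(f"{step}: {outcome}")
```

The point of the scenario is the last two steps: the PEP never polls, the PDP learns of the posture change from the PIP and pushes the new level, which is the "push-based demotion and termination" feature of A.1. Swapping `evaluate_policy` for a call to an external policy engine and the method calls for a network protocol is what separates this sketch from a real deployment.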

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Hilbig, T., Schreck, T., Limmer, T. (2023). ‘State of the Union’: Evaluating Open Source Zero Trust Components. In: Rios, R., Posegga, J. (eds) Security and Trust Management. STM 2023. Lecture Notes in Computer Science, vol 14336. Springer, Cham. https://doi.org/10.1007/978-3-031-47198-8_3

  • DOI: https://doi.org/10.1007/978-3-031-47198-8_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-47197-1

  • Online ISBN: 978-3-031-47198-8

  • eBook Packages: Computer Science (R0)