Abstract
Zero Trust is considered a powerful strategy for securing systems by emphasizing distrust of all resource access requests. There are different approaches to integrating ZTAs into a system, differing in their components, assembly, and allocation. Early evaluation and selection of the right approach can reduce the costs of resources. In this paper, we propose a novel zero trust architecture (ZTA) metamodel based on literature and industry applications. We introduce our proposed metamodel elements and provide a model instance using the Palladio Component Model (PCM). We describe the requirements for enabling two existing approaches to performance simulation and security data flow analysis on the architectural level and outline how we realize them in our PCM-based implementation. Our evaluation demonstrates the applicability of our ZTA metamodel. It can represent real-world ZTA approaches in various domains, enabling the simulation of performance impact and analysis of the correct implementation of zero trust principles at the architectural level.
N. Boltz, L. Schmid and B. Taghavi—The main authors contributed equally.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Alagappan, A., Venkatachary, S.K., Andrews, L.J.B.: Augmenting zero trust network architecture to enhance security in virtual power plants. Energy Rep. 8, 1309–1320 (2022)
Alshareef, H., et al.: Precise analysis of purpose limitation in data flow diagrams. In: ARES (2022)
Becker, M., Becker, S., Meyer, J.: SimuLizar: design-time modeling and performance analysis of self-adaptive systems (2013)
Becker, S., Koziolek, H., Reussner, R.: Model-based performance prediction with the palladio component model. In: WOSP, pp. 54–65 (2007)
Bhuiyan, E.A., et al.: Towards next generation virtual power plant: technology review and frameworks. Renew. Sustain. Energy Rev. 150 (2021)
Boltz, N., et al.: An extensible framework for architecture-based data flow analysis for information security. In: Tekinerdoğan, B., Spalazzese, R., Sözer, H., Bonfanti, S., Weyns, D. (eds.) ECSA 2023. LNCS, vol. 14590, pp. 342–358. Springer, Cham (2024). https://doi.org/10.1007/978-3-031-66326-0_21
Chen, B., et al.: A security awareness and protection system for 5G smart healthcare based on zero-trust architecture. IEEE IoT J. 8(13), 10248–10263 (2020)
Chen, X., et al.: Zero trust architecture for 6G security. IEEE Netw. (2023)
Cholakov, E.: Modelling and analysing zero-trust-architectures regarding performance and security. Master’s thesis (2024). https://doi.org/10.5445/IR/1000171583
Cortellessa, V., Trubiani, C., Mostarda, L., Dulay, N.: An architectural framework for analyzing tradeoffs between software security and performance. In: Giese, H. (ed.) ISARCS 2010. LNCS, vol. 6150, pp. 1–18. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13556-9_1
Cybersecurity and Infrastructure Security Agency (CISA), CISA Zero Trust Maturity Model (2023). https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf. Accessed 23 Feb 2024
DeMarco, T.: Structure analysis and system specification. In: Tekinerdoğan, B., Spalazzese, R., Sözer, H., Bonfanti, S., Weyns, D. (eds.) ECSA 2023. LNCS, vol. 14590, pp. 255–288. Springer, Cham (1979). https://doi.org/10.1007/978-3-031-66326-0_21
Fernandez, E.B., Brazhuk, A.: A critical analysis of zero trust architecture (ZTA). Comput. Stand. Interfaces 89, 103832 (2024)
Ferraiolo, D.F., et al.: Proposed NIST standard for role-based access control. TISSEC 4(3), 224–274 (2001)
Ghate, N., et al.: Advanced zero trust architecture for automating fine-grained access control with generalized attribute relation extraction. IEICE Proc. Ser. 68(C1-5) (2021)
Google Cloud: BeyondCorp (2024). http://cloud.google.com/beyondcorp
Gorsler, F., Brosig, F., Kounev, S.: Controlling the Palladio Bench using the Descartes Query Language. In: KPDAYS, pp. 109–118 (2013)
Heinrich, R., et al.: Composing Model-Based Analysis Tools. Springer, Heidelberg (2021). https://doi.org/10.1007/978-3-030-81915-6
Heinrich, R. et al.: The palladio-bench for modeling and simulating software architectures. In: ICSE-C, pp. 37–40 (2018)
IoT - Market data analysis and forecasts. https://de.statista.com/statistik/studie/id/109209/dokument/internet-der-dinge-market-outlook-report/
Jung, B.G. et al.: ZTA-based federated policy control paradigm for enterprise wireless network infrastructure. In: APCC, pp. 1–5 (2022)
Lee, B. et al.: Situational awareness based risk-adapatable access control in enterprise networks. arXiv preprint arXiv:1710.09696 (2017)
Microsoft Corporation, Evolving Zero Trust (2021). https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWJJdT. Accessed 23 Feb 2024
National Cyber Security Centre UK, ZTA design principles. https://www.ncsc.gov.uk/collection/zero-trust-architecture. Accessed 23 Feb 2024
Osborn, B. et al.: BeyondCorp: design to deployment at google. USENIX Association: login: Magazine (2016)
Paul, B., Rao, M.: Zero-trust model for smart manufacturing industry. Appl. Sci. 13(1), 221 (2022)
Ramezanpour, K., Jagannath, J.: Intelligent ZTA for 5G/6G networks: principles, challenges, and the role of machine learning in the context of O-RAN. Comput. Netw. 217, 109358 (2022)
Reussner, R.H., et al.: Modeling and Simulating Software Architectures: The Palladio Approach. MIT Press, Cambridge (2016)
Rodigari, S., et al.: Performance analysis of zero-trust multi-cloud. In: 2021 IEEE 14th International Conference on Cloud Computing (CLOUD), pp. 730–732 (2021)
Rose, S., et al.: Zero Trust Architecture. NIST Special Publication (2020). https://doi.org/10.6028/NIST.SP.800-207
Runeson, P., et al.: Case Study Research in Software Engineering: Guidelines and Examples. Wiley, Hoboken (2012)
Seifermann, S., et al.: Detecting violations of access control and information flow policies in data flow diagrams. J. Syst. Softw. 184, 111138 (2022)
Sharma, V.S., Trivedi, K.S.: Quantifying software performance, reliability and security: an architecture-based approach. J. Syst. Softw. (2007)
Sion, L. et al.: Solution-aware data flow diagrams for security threat modeling. In: SAC, pp. 1425–1432 (2018)
Strittmatter, M., Kechaou, A.: The media store 3 case study system. KIT (2016)
Teerakanok, S., Uehara, T., Inomata, A.: Migrating to zero trust architecture: reviews and challenges. Secur. Commun. Netw. (2021)
Tuma, K., Scandariato, R., Balliu, M.: Flaws in flows: unveiling design flaws via information flow analysis. In: ICSA, pp. 191–200 (2019)
Ward, R., Beyer, B.: BeyondCorp: a new approach to enterprise security. USENIX Association: login: Magazine (2014)
WG: SDP and Zero Trust, Integrating SDP and DNS Enhanced Zero Trust Policy Enforcement. CSA (2022). https://cloudsecurityalliance.org/artifacts/integrating-sdp-and-dns-enhanced-zero-trust-policy-enforcement/
WG: SDP and Zero Trust, SDP Specification v2.0. CSA (2022). https://cloudsecurityalliance.org/artifacts/software-defined-perimeter-zero-trustspecification-v2/
Acknowledgements
This publication is partially based on the research project SofDCar (19S21002), which is funded by the German Federal Ministry for Economic Affairs and Climate Action. This work was also supported by funding from the pilot program Core Informatics at KIT (KiKIT) and the topic Engineering Secure Systems of the Helmholtz Association (HGF), KASTEL Security Research Labs, and the German Research Foundation (DFG) under project number 499241390 (FeCoMASS).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Ethics declarations
Data Availability
We provide a data set (https://doi.org/10.5281/zenodo.11580654) containing all code artifacts, PCM instances of our ZTA modeling templates, and the used case study model instances.
Rights and permissions
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Boltz, N., Schmid, L., Taghavi, B., Gerking, C., Heinrich, R. (2024). Modeling and Analyzing Zero Trust Architectures Regarding Performance and Security. In: Galster, M., Scandurra, P., Mikkonen, T., Oliveira Antonino, P., Nakagawa, E.Y., Navarro, E. (eds) Software Architecture. ECSA 2024. Lecture Notes in Computer Science, vol 14889. Springer, Cham. https://doi.org/10.1007/978-3-031-70797-1_17
Download citation
DOI: https://doi.org/10.1007/978-3-031-70797-1_17
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-70796-4
Online ISBN: 978-3-031-70797-1
eBook Packages: Computer ScienceComputer Science (R0)