Mitigating Insider Threats Using Zero Trust Architecture (NIST SP 800-207) in Web Applications

Authors

  • Aldiansyah Reksa Pratama Wicaksono, Institut Digital Ekonomi LPKIA
  • Andy Victor Pakpahan

DOI:

https://doi.org/10.14421/csecurity.2026.9.1.5874

Abstract

Traditional perimeter-based security is no longer adequate against internal threats such as lateral movement and privilege escalation, because conventional security models tend to grant full, implied trust to any entity already inside the network. This study implements Zero Trust Architecture (ZTA) based on the NIST SP 800-207 standard in a Laravel web application to enhance access control. The methodology models the core ZTA components (Policy Engine, Policy Administrator, and Policy Enforcement Point) through the integration of Multi-Factor Authentication (MFA), Role-Based Access Control (RBAC), and activity logging. Development also involved configuring custom middleware in Laravel so that every access request is strictly verified. In addition, lateral movement and privilege escalation attacks were simulated to test the system's resilience. The results show that the resulting architecture strictly limits access based on identity and role, and successfully mitigates lateral movement attempts within the application. The study concludes that the "never trust, always verify" approach is effective in strengthening web application security, although the implementation of a dynamic trust algorithm still requires further development as a future contribution.

Keywords: Zero Trust Architecture, NIST SP 800-207, Laravel, Lateral Movement, Web Application Security

Published

06-06-2026

How to Cite

[1]
“Mitigasi Insider Threats Menggunakan Zero Trust Architecture (NIST SP 800-207) Pada Aplikasi Web”, csecurity, vol. 9, no. 1, pp. 54–65, Jun. 2026, doi: 10.14421/csecurity.2026.9.1.5874.