A presentation at the OWASP Suffolk meetup in Suffolk, UK by Vandana Verma
Life in the world of Zero Trust Vandana Verma Sehgal @Infosecvandana
WHO AM I ● Information Security Architect ● OWASP Global Board of Directors ● Speaker/Trainer at DEFCON(AppSec Village), Asst. Trainer at Black Hat, OWASP AppSec Conferences and others ● Member of Review Board at Grace Hopper, BSides Conferences, Global AppSec, etc. ● Involved in Diversity Initiatives: ○ InfosecGirls, ○ WoSec (Women In Security) ○ IBM WiSE
Conventional Security Model (images: https://ostec.blog/wp-content/uploads/2016/11/tudo-precisa-saber-3-ingles.png and http://www.vce-download.net/study-guide/comptia-securityplus-2.3.4-security-topologies-tunneling.html)
Can we trust?………… the Server? ………… the Network?
Advancements in Security Model • Access control lists (ACLs) • Role-based access control (RBAC) • Principle of least privilege • Zero Trust model
Zero Trust is built upon a strict identity verification process: no user, device or network segment is trusted by default.
Never Trust, Always Verify •Never Trust the client •Never Trust the server •Never Trust the network
History • Coined in 2010 by John Kindervag at Forrester (Zero Trust) • Google began its “BeyondCorp” initiative in 2011 • Gartner published Continuous Adaptive Risk and Trust Assessment (CARTA) in 2017
Breach statistics - Past years • $6 trillion: projected annual cost of cybercrime by 2021 (Src: Cybersecurity Ventures) • $3.62 million: average cost of a data breach (Src: Ponemon Institute, sponsored by IBM) • 80%: share of data breaches involving privileged access abuse (Src: Forrester estimates)
Can we say?……. Identity is the new security perimeter
Zero Trust Architecture
https://www.oreilly.com/library/view/zero-trust-networks/9781491962183/assets/ztnw_0102.png
Src: Forrester
Least Privilege
Isolate the Network Infrastructure
Protect Corporate Applications also
Put Identity, Authentication, and Authorization in Place Before Providing Access
Provide Users Application-Only Access, Not Network Access
Categorize Data
Use Advanced Threat Protection
Monitor Internet-Bound Traffic and Activity
Logging and Monitoring
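The principles above (never trust the client, server or network; put identity, authentication and authorization in place before granting access; application-only rather than network access; least privilege; logging and monitoring) can be shown working together in a small policy enforcement point. The following is an added example, not code from the talk: every request carries a signed token bound to a device, the device must pass posture checks, the action must be explicitly granted to one of the caller's roles, and every decision is logged. The source IP is recorded but never consulted, which is the point. The token format, policy table, device inventory and request fields are assumptions made for this illustration.

```python
# Added example, not from the slides: a minimal Zero Trust policy enforcement
# point (PEP). Every request is authenticated and authorized on its own merits;
# the source network confers no trust. The token format, policy table, device
# inventory and request fields are assumptions made for this illustration.
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Constructed signing key standing in for the identity provider's key material.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"

# Least-privilege policy: app -> action -> roles explicitly allowed.
# Anything absent from this table is denied.
POLICY = {
    "payroll-app": {"read": {"hr"}, "write": {"hr-admin"}},
    "wiki": {"read": {"staff", "hr", "hr-admin"}, "write": {"staff"}},
}

# Constructed device inventory; a device must satisfy every posture check.
DEVICE_INVENTORY = {
    "laptop-17": {"managed": True, "disk_encrypted": True, "patched": True},
    "byod-phone": {"managed": False, "disk_encrypted": True, "patched": True},
}

AUDIT_LOG = []  # every decision, allow or deny, is recorded here


def issue_token(subject, roles, device_id, ttl=300, now=None):
    """Issue an HMAC-SHA256-signed token bound to a subject and a device."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "roles": sorted(roles), "dev": device_id, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token, now=None):
    """Return the claims if the signature is valid and the token unexpired, else None."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    return None if claims["exp"] < now else claims


@dataclass
class Request:
    token: str
    device_id: str
    source_ip: str  # logged only; never used to grant trust
    app: str
    action: str


def authorize(req, now=None):
    """Policy enforcement point: return (allowed, reason) and log the decision."""
    def decide(allowed, reason, subject="-"):
        AUDIT_LOG.append({"sub": subject, "app": req.app, "action": req.action,
                          "ip": req.source_ip, "allowed": allowed, "reason": reason})
        return allowed, reason

    claims = verify_token(req.token, now)
    if claims is None:                                   # never trust the client
        return decide(False, "invalid or expired token")
    if claims["dev"] != req.device_id:                   # token must match the presenting device
        return decide(False, "token not bound to presenting device", claims["sub"])
    posture = DEVICE_INVENTORY.get(req.device_id)
    if not posture or not all(posture.values()):        # unknown or non-compliant device
        return decide(False, "device posture non-compliant", claims["sub"])
    allowed_roles = POLICY.get(req.app, {}).get(req.action, set())
    if not allowed_roles & set(claims["roles"]):         # least privilege: explicit grant or deny
        return decide(False, "no role grants this action", claims["sub"])
    return decide(True, "ok", claims["sub"])


if __name__ == "__main__":
    t = issue_token("alice", ["hr"], "laptop-17", now=1000.0)
    # Valid identity, compliant device, explicitly granted action: allowed.
    print(authorize(Request(t, "laptop-17", "10.0.0.5", "payroll-app", "read"), now=1000.0))
    # Same "internal" IP with no token: denied regardless of network location.
    print(authorize(Request("", "laptop-17", "10.0.0.5", "payroll-app", "read"), now=1000.0))
    for entry in AUDIT_LOG:
        print(json.dumps(entry))
```

Note that the enforcement point sits in front of a single application and only knows about that application's actions, so a successful check yields access to one resource rather than to a network segment. In a real deployment the token would come from an identity provider (for example a JWT verified against its public key) and the posture data from a device-management service; the HMAC token and inline inventory here are stand-ins so the block runs offline.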
Perfect fit for the Cloud
Zero trust is Not a product but a “perspective”
Key Takeaways
Do you agree?…………… The new security perimeter is identity
Zero Trust security is no longer just a concept. It is now essential in a “perimeter-everywhere” world.
“Trust is a dangerous vulnerability that can be exploited” - John Kindervag
Reach Me!! ● Twitter: @InfosecVandana ● LinkedIn: vandana-verma
Thank you!
Here’s what was said about this presentation on social media.
Failure to remove privileges when leaving an organisation is an ISO27001 fail - @martinruss Indeed, Never Trust! @InfosecVandana has just begun her powerful talk on #ZeroTrust Security. cc'd: @owasp #OWASPSuffolk pic.twitter.com/IsaFwLA08F
— OWASPSUFFOLK (@owaspsuffolk) April 24, 2020
We are live now for April month meetup! Big cheers to @InfosecVandana for helping us with a remote talk!
— OWASPSUFFOLK (@owaspsuffolk) April 24, 2020
Looking forward to a great session on #ZeroTrustSecurity
Cc'd @owasp @owaspsuffolk @wtc08231536 @AbhinavSejpal https://t.co/H7yZ0TRQua pic.twitter.com/hOrmruMJy4
It was a pleasure to have you, thank you for your awesome talk.
— Wojciech T Cichon (@WojciechCichon) April 25, 2020