Life in the world of Zero Trust
Vandana Verma Sehgal @Infosecvandana

WHO AM I
● Information Security Architect
● OWASP Global Board of Directors
● Speaker/Trainer at DEFCON (AppSec Village), Asst. Trainer at Black Hat, OWASP AppSec Conferences and others
● Member of Review Board at Grace Hopper, BSides Conferences, Global AppSec, etc.
● Involved in Diversity Initiatives:
  ○ InfosecGirls
  ○ WoSec (Women In Security)
  ○ IBM WiSE

Conventional Security Model

Conventional Security Model https://ostec.blog/wp-content/uploads/2016/11/tudo-precisa-saber-3-ingles.png

Conventional Security Model http://www.vce-download.net/study-guide/comptia-securityplus-2.3.4-security-topologies-tunneling.html

Can we trust?…………


Can we trust?………… Server


Can we trust?………… Network


Advancements in Security Model
• Access control lists (ACLs)
• Role-based access controls (RBAC)
• Principles of least privilege
• Zero Trust model

Zero Trust is built upon a strict identity verification process and says trust no one.

Never Trust, Always Verify
• Never Trust the client
• Never Trust the server
• Never Trust the network

History
• First in 2010 by John Kindervag (Forrester Zero Trust)
• Later Google introduced “Beyond Corp” in 2011 (Google BeyondCorp)
• Gartner Continuous Adaptive Risk and Trust Assessment (CARTA) in 2017 (Gartner CARTA)

Breach statistics - Past years
• $6 trillion: Cybercrime cost by 2021 (Src: Cybersecurity Ventures)
• $3.62 million: Average cost of data breach (Src: Ponemon Institute, sponsored by IBM)
• 80%: Data breaches, privileged access abuse (Src: Forrester estimates)

Can we say?……. Identity is new security perimeter

Zero Trust Architecture

https://www.oreilly.com/library/view/zero-trust-networks/9781491962183/assets/ztnw_0102.png

Src: Forrester

Least Privilege

Isolate the Network Infrastructure

Protect Corporate Applications also

Put Identity, Authentication, and Authorization in Place Before Providing Access

Provide Application-Only Access to the users, Not the Network Access

Categorize Data

Use Advanced Threat Protection

Monitor Internet-Bound Traffic and Activity

Logging and Monitoring

Perfect fit for the Cloud

Zero Trust is not a product but a “perspective”

Key Takeaways

Do you agree?…………… The new security perimeter is identity

Zero Trust security is no longer just a concept. Now an essential a “perimeter-everywhere” world.

“Trust is a dangerous vulnerability that can be exploited” - John Kindervag

Reach Me!!
● Twitter: @InfosecVandana
● LinkedIn: vandana-verma


Thank you!