Living In A World of Zero Trust

A presentation at OWASP Suffolk meet in April 2020 in Suffolk, UK by Vandana Verma

Slide 1

Life in the world of Zero Trust
Vandana Verma Sehgal, @Infosecvandana

Slide 2

WHO AM I
● Information Security Architect
● OWASP Global Board of Directors
● Speaker/Trainer at DEFCON (AppSec Village), Asst. Trainer at Black Hat, OWASP AppSec Conferences and others
● Member of Review Board at Grace Hopper, BSides Conferences, Global AppSec, etc.
● Involved in Diversity Initiatives:
  ○ InfosecGirls
  ○ WoSec (Women In Security)
  ○ IBM WiSE

Slide 3

Conventional Security Model

Slide 4

Conventional Security Model
https://ostec.blog/wp-content/uploads/2016/11/tudo-precisa-saber-3-ingles.png

Slide 5

Conventional Security Model
http://www.vce-download.net/study-guide/comptia-securityplus-2.3.4-security-topologies-tunneling.html

Slide 6

Can we trust?…………

Slide 7

Can we trust?…………

Slide 8

Can we trust?………… Server

Slide 9

Can we trust?…………

Slide 10

Can we trust?………… Network

Slide 11

Can we trust?………… Network

Slide 12

Slide 13

Slide 14

Advancements in Security Model
Access control lists (ACLs)
Role-based access controls (RBAC)
Principles of least privilege
Zero Trust model

Slide 15

Zero Trust is built upon a strict identity verification process and says: trust no one.

Slide 16

Never Trust, Always Verify
• Never Trust the client
• Never Trust the server
• Never Trust the network

Slide 17

History
• First introduced in 2010 by John Kindervag (Forrester Zero Trust)
• Later Google introduced “BeyondCorp” in 2011 (Google BeyondCorp)
• Gartner Continuous Adaptive Risk and Trust Assessment (CARTA) in 2017 (Gartner CARTA)

Slide 18

Breach statistics - Past years
$6 trillion: Cybercrime cost by 2021 (Src: Cybersecurity Ventures)
$3.62 million: Average cost of a data breach (Src: Ponemon Institute, sponsored by IBM)
80% of data breaches: Privileged access abuse (Src: Forrester estimates)

Slide 19

Can we say?……. Identity is the new security perimeter

Slide 20

Zero Trust Architecture

Slide 21

https://www.oreilly.com/library/view/zero-trust-networks/9781491962183/assets/ztnw_0102.png

Slide 22

Src: Forrester

Slide 23

Least Privilege

Slide 24

Isolate the Network Infrastructure

Slide 25

Protect Corporate Applications also

Slide 26

Put Identity, Authentication, and Authorization in Place Before Providing Access

Slide 27

Provide Application-Only Access to Users, Not Network Access

Slide 28

Categorize Data

Slide 29

Use Advanced Threat Protection

Slide 30

Monitor Internet-Bound Traffic and Activity

Slide 31

Logging and Monitoring
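The principles on slides 16 and 23 to 31 (never trust the client, server or network; least privilege; identity, authentication and authorization before access; application-only rather than network access; data categorization; logging every decision) come together in a single per-request access decision. The following Python is an added example and not code from the presentation: it verifies a signed identity token, checks device posture, grants a role-based, application-scoped allow only when every check passes, denies by default, and writes every decision to an audit log. The HMAC token format, the signing key, the application policy, the user roles and the device inventory are all constructed for the example; a real deployment would take the token from its identity provider and the posture from its device-management system.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key for the example; a real deployment verifies tokens
# issued by its identity provider with that provider's keys.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
TOKEN_MAX_AGE = 300  # seconds a token stays acceptable (assumed value)

# Constructed inventory: which roles may reach which application, how the
# application's data is classified, and whether a managed device is required.
APP_POLICY = {
    "payroll": {"roles": {"hr"}, "data": "restricted", "managed_device": True},
    "wiki": {"roles": {"hr", "eng"}, "data": "internal", "managed_device": False},
}
USER_ROLES = {"alice": {"eng"}, "bob": {"hr"}}
DEVICE_POSTURE = {
    "laptop-01": {"managed": True, "patched": True},
    "byod-7": {"managed": False, "patched": True},
}

AUDIT_LOG = []  # every decision, allow or deny, is recorded here


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()


def issue_token(subject, device_id, issued_at):
    """Mint an HMAC-signed token binding a user to the device they came from."""
    payload = json.dumps(
        {"sub": subject, "dev": device_id, "iat": issued_at}, sort_keys=True
    ).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token, now):
    """Return the claims if the signature is valid and the token is fresh, else None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
        claims = json.loads(payload)
    except ValueError:  # wrong number of parts, bad base64 or bad JSON
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    if not isinstance(claims, dict) or now - claims.get("iat", 0) > TOKEN_MAX_AGE:
        return None
    return claims


def _record(decision, reason, subject, app, now):
    """Append the decision to the audit log and hand it back to the caller."""
    entry = {"time": now, "subject": subject, "app": app,
             "decision": decision, "reason": reason}
    AUDIT_LOG.append(entry)
    return entry


def authorize(token, app, now):
    """Decide one request. Denies by default; an allow is scoped to one application."""
    claims = verify_token(token, now)
    if claims is None:
        return _record("deny", "invalid or expired token", None, app, now)
    subject = claims.get("sub")
    device = DEVICE_POSTURE.get(claims.get("dev"))
    rule = APP_POLICY.get(app)
    if rule is None:
        return _record("deny", "unknown application", subject, app, now)
    if device is None or not device["patched"]:
        return _record("deny", "device unknown or unpatched", subject, app, now)
    if rule["managed_device"] and not device["managed"]:
        return _record("deny", f"{rule['data']} data requires a managed device",
                       subject, app, now)
    if not USER_ROLES.get(subject, set()) & rule["roles"]:
        return _record("deny", "role not permitted for application", subject, app, now)
    return _record("allow", f"role permitted; access scoped to {app} only",
                   subject, app, now)


if __name__ == "__main__":
    now = 1_700_000_000
    for who, dev, app in (("alice", "laptop-01", "wiki"), ("bob", "byod-7", "payroll")):
        print(authorize(issue_token(who, dev, now), app, now))
```

The allow is deliberately tied to a named application rather than a network segment, which is the application-only access of slide 27, and the deny branches come first so that any check that cannot be satisfied (missing device record, unknown application, stale token) falls through to a denial rather than to an implicit grant.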

Slide 32

Perfect fit for the Cloud

Slide 33

Zero trust is Not a product but a “perspective”

Slide 34

Key Takeaways

Slide 35

Do you agree?…………… The new security perimeter is identity

Slide 36

Zero Trust security is no longer just a concept. Now an essential in a “perimeter-everywhere” world.

Slide 37

“Trust is a dangerous vulnerability that can be exploited” - John Kindervag

Slide 38

Reach Me!!
● Twitter: @InfosecVandana
● LinkedIn: vandana-verma

Slide 39

References
• https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture
• https://www.csoonline.com/article/3247848/what-is-zero-trust-a-model-for-more-effective-security.html
• https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207-draft.pdf
• https://www.cloudflare.com/learning/security/glossary/what-is-zero-trust/
• https://ldapwiki.com/wiki/Zero%20Trust
• https://www.youtube.com/watch?v=-Why_ZjJUhg
• https://www.forbes.com/sites/louiscolumbus/2019/02/07/digital-transformations-missing-link-is-zerotrust/#6be166fe727f
• https://www.akamai.com/us/en/multimedia/documents/white-paper/how-to-guide-zero-trust-securitytransformation.pdf
• https://heimdalsecurity.com/blog/what-is-the-zero-trust-model/

Slide 40

Thank you!