A review of the zero-trust model, what it means to implement and feasibility

1. JONATHAN SINCLAIR
Architecting Trust in the Digital
Landscape, or lack thereof

2.  Ponemon 2016:
 From 874 incidents 568 were caused by employee or contractor negligence
 Companies investing upwards of $4 million to mitigate these threats
 Verizon Data Breach Investigations report 2017:
 Those involved in breaches: 25% from internal actors
 2016 IBM Cyber Security Intelligence Index:
 60% of all attacks were carried out by insiders
Zero trust model

3.  US House of Representatives Committee recommends Zero-trust model to federal
agencies
 Forrester Report coins the term Zero-trust model and suggests focus on data-driven
network design
 VMWare: Time to build a Zero-Trust network
 Trust, but verify (Russian proverb made famous by Roland Reagan in reference to nuclear
disarmament)
Zero trust model cont.

4. Trust No One

5.  Build in four-eyes
 Role based access
 Divide and Conquer
 Modular segregation of duties
 No perimeter is the perimeter
 Jump hosts, Privileged Access Workstations (PAWs)
Architectural Complexities

6.  Logically segment subnets
 Control routing behavior
 Enable Forced Tunneling
 Use Virtual network appliances
 Deploy DMZs for security zoning
 Avoid exposure to the Internet with dedicated WAN links
 Optimize uptime and performance
 Use global load balancing
 Disable RDP Access to Azure Virtual Machines
 Enable Azure Security Center
 Extend your datacenter into Azure
Security Best-Practices (Azure)

7.  Lock away master keys
 Create individual groups
 Define policies to govern access permission's
 Grant least privilege
 Four-eye approval for granting access levels
 Configure strong password policies
 Enable MFA
 Delegate roles instead of sharing
 Automate on-boarding, off-boarding procedures
User Access Controls

8.  Ensure security policy compliance
 Encrypt Data
 Limit Access to information
 Classify information assets (PII relevancy)
 Privacy by design
GDPR and Privacy Best Practices

9.  Develop protection mechanisms on the data itself and ensure
it’s transient
 Format-Preserving Encryption
 Secure Stateless Tokenization
Data-centric security

10. NIST Reference Architecture
AWS Reference Architecture(s)
Azure Reference Architecture(s)
Mosiac of Reference Architectures

11.  To big to be agile?
 Old vs. new mindset:
 DevOp’s design (integrated with Sec and Priv Op’s)
 SDN’s,
 Agile API connectivity
 Container technology
 Cloud scalability
 Federated global access
The Enterprise: A Sleeping Dinosaur

12. Security Design (the white slide)

13.  Re-build your architectures under the Zero-trust mindset
 Fire or re-train existing staff-base
 Tear up existing infrastructure (dept-by-dept) and start again, or build out and replace
 Hire security, privacy and engineering staff, remove infrastructure, maintenance
 Re-architect for data-centric security design
 Leverage generic best-practice cloud provided architectures and automatic deployment
Where does the model leave us?

14. Pause…..!
Everyone agree?

15. Is this really feasible?

16. Who trusts who?
 Do you trust your vendors?
 Do you trust your co-workers (internal or external)?
 Do you trust your IT?
Choice or necessity?

17. But wait!
“Complexity is the worst enemy of security” -- Schneier

18. Conflicting positions
Outsource, but trust
No choice
Complicated architectures
Not simple
Zero-trust model
Incredibly hard to implement, hinders productivity, transparency, time to market etc.

19. Security unicorn to the rescue

20. Chains of trust.. everywhere

21. Block-chain and the power of everyone

22. The new trust chain
 Now you have a distributed ledger
 Powered by your group
 (Can remain corporate, but being public offers the most advantages, but now you have to be
transparent)
 Can track tampering across platforms
 Transparency

23. Combined with more chains

24. Hardware-to-Software
Secure enclaves: Intel’s SGX: ARM Trustzone

25. Chains of trust can be established
 Chain your hardware key-chain
 TPM is making a come back
 Chain your data
 With transactional and distributed ledger
 Control your ID’s
 Trust: “At the heart of everything is identity” - Russinovich

26. Track and Monitor everything!
 Really?
 Show me the money calls your Splunk agent …
 Craziness raises it’s head again
 SIEM data storage on average = 6, 9 or 12 months
 Statistics on data breach detections:
 ~4, 6 months globally
 ~ 15 months in EMEA
 APT detection (Stuxnet)?
 Compromises usually identified by external source

27. Track and Monitor everything!
 HPE Recognised this issue long before anyone else: but will we ever see the fruits of the research
labour: “The Machine”
 Data Rich but insight poor
 Design a machine that scales
 Exponential data explosion
 Datacentre energy consumption > UK, forecast to grow
 Memory-driven computing

28. Concluding remarks

29. Do I think this will work?
At every iteration no one talks about simplification
More intricate architecture to support simplicity
Every abstraction reveals another attack surface
The onion bites back: Row hammer, Spectre, SgxSpectre, Meltdown, etc.
Zero-trust model simply isn’t workable when business demands
lightning response times and agility
Company loyalty dead in an outsourced world
Apple (backup) , Google (MFA) and China?

30. There is always hope – there must be hope!
 Aragorn: "What is your name?“
 Háleth: "Háleth, son of Háma, my lord.“
 Háleth: "The men are saying that we will not live out the night. They say that it is
hopeless.“
 Aragorn: "There is always hope."

31. We live in a world of faith not trust!
 Reiterating Dan Geer’s Cybersecurity requirements (BH 2014)
1. Mandatory reporting
2. Net neutrality
3. Source code liability
4. Strike back
5. Resiliency
6. Vulnerability finding
7. Right to Be Forgotten
8. Internet voting
9. Abandonment (open src)
10. Convergence (physical and cyber)
11. In-souring (JS)
12. Quantum technologies (JS)