
(SACON) Jim Hietala - Zero Trust Architecture: From Hype to Reality


Zero Trust Architecture rethinks strategies to secure corporate assets. ZTA may allow us to create more enduring security architectures, with less entropy vs. today's security architectures. However, lack of enabling standards is causing confusion about what ZTA is and vendor hype isn't helping either. This session will describe the current state of ZTA, and standards initiatives that may help bring clarity and reduce barriers to adoption.


  1. SACON International 2020, India | Bangalore | February 21-22 | Taj Yeshwantpur. Zero Trust Architecture. Jim Hietala, VP Business Development & Security, The Open Group
  2. Agenda
     • Zero Trust Origins
     • Zero Trust Architecture
     • What is ZTA???
     • Status in the market
     • Gaps & issues
     • Zero Trust Architecture Standards Opportunities
     • About The Open Group, Security Initiatives
     • Summary
  3. Zero Trust Origins: De-perimeterization Timeline (figure: connectivity plotted against time, "Today" marked as 2008; the stages below run from earliest to latest)
     • Stand-alone computing [mainframe, mini, PCs]: islands by technology
     • Local area networks: connected LANs, interoperating protocols
     • Connectivity for Internet e-mail; then web, e-mail, Telnet, FTP Internet connectivity
     • External working: VPN-based external collaboration [private connections]
     • Limited Internet-based collaboration
     • Full Internet-based collaboration
     • Consumerisation [cheap IP-based devices]
     • Full de-perimeterised working: effective breakdown of the perimeter
     Drivers noted along the timeline: outsourcing and off-shoring; cost, flexibility, faster working; B2B & B2C integration, flexibility, M&A; low-cost and feature-rich devices
  4. De-Perimeterization Flipped Security Architecture On Its Head
     ➢ Perimeter security control effectiveness today is suspect at best
     ➢ Need to move security controls closer to the data
     ➢ The distinction between insiders and outsiders (employees, contractors, consultants, suppliers) has disappeared
     ➢ Cloud native, mobile, BYOD, IoT and IIoT exacerbate this
  5. Bolted-on or Built-in?
     ➢ Security has historically tended to be bolted-on (reactive, after the fact) more often than built-in (proactive, designed in up front)
     ➢ Vulnerabilities can exist in the gaps between disparate security controls
     ➢ Bolted-on security architectures can be brittle and subject to entropy as threats change
     (Image: Fallen Star, UCSD, Jacobs Engineering Building)
  6. Extending De-perimeterization Thinking > Zero Trust Architecture
     • New zero-trust security models (e.g. the BeyondCorp security model described by Google)
     • Assumes no trust; assumes no inside/outside of a defined perimeter
     • Focus is on identity and access control policy enforcement for all computing devices, segmenting networks, and less reliance on perimeter security systems
     • Cloud and IoT deployment models make these new trust models and security architectures even more critical
  7. ZTA Origins (timeline)
     • Jericho Forum: de-perimeterization, trust, data-centric security (2005-2014)
     • Kindervag, Forrester coins "Zero Trust" (2010)
     • Google releases BeyondCorp papers (2014)
     • Gartner coins "Lean Trust" (2018)
  8. Foundational Jericho Forum Guidance (publication: key points)
     • Jericho Forum Commandments V1.2 (W124, 2007):
       "5. All devices must be capable of maintaining their security policy on an untrusted network"
       "6. All people, processes and technology must have declared and transparent levels of trust for any transaction to take place"
       "7. Mutual trust assurance levels must be determinable"
       "8. Access to data should be controlled by security attributes of the data itself"
       "Conclusion: De-perimeterization has happened, is happening, and is inevitable; central protection is decreasing in effectiveness"
     • Jericho Forum Identity Commandments (W125, 2011): establishes core identity concepts, identity attributes, entitlement management and resource access rules
  9. Foundational Jericho Forum Guidance (continued)
     • Trust Ecosystem (G141, 2014): broad look at trust in online systems; proposes a trust taxonomy and components
  10. Foundational Security Forum Guidance (publication: key points)
     • The Need for Data Principles (W143, 2014): data-centric security, including data lifecycle and data sensitivity
     • Open Enterprise Security Architecture (O-ESA, G112): security architecture principles, including Design for Malice, and policy-driven security architecture with policy management, policy decision points, and policy enforcement points
     • Axioms for the Practice of Security Architecture (G192, 2019): describes 20 axioms or principles critical to security architecture, including business risk-driven security, trust, resilience, security by design, least privilege, device sovereignty, context, managing access, and others
  11. Google BeyondCorp (diagram)
  12. Google BeyondCorp Components
     • Device Inventory Service: a system that continuously collects, processes, and publishes changes about the state of known devices
     • Trust Inferer: a system that continuously analyzes and annotates device state to determine the maximum trust tier for accessing resources
     • Resources: the applications, services, and infrastructure that are subject to access control by the system
     • Access Control Engine: a centralized policy enforcement service that provides authorization decisions in real time
     • Access Policy: a programmatic representation of the resources, trust tiers, and other predicates that must be satisfied for successful authorization
     • Gateways: SSH servers, web proxies, and 802.1x-enabled wireless networks that perform authorization actions
  13. Zero Trust Architecture Defined
     • NIST: "Zero Trust Architecture (ZTA) provides a collection of concepts, ideas, and component relationships (architectures) designed to eliminate the uncertainty in enforcing accurate access decisions in information systems and services." (NIST SP 800-207, draft, September 2019)
     • Zero Trust Networks (O'Reilly, Gilman & Barth): "a collection of design patterns and considerations which, when heeded, can produce systems that are resilient to the vast majority of modern-day attack vectors. In this model, nothing is taken for granted, and every single access request is rigorously checked and proven to be authorized."
  14. Zero Trust Networks (Gilman & Barth): authorization decisions require
     • Enforcement
     • Policy engine
     • Trust engine: the system in a zero trust network that performs risk analysis against a particular request or action. This is a new concept/component in security architectures.
     • Data stores: may be inventories (e.g. a user database) or historical (e.g. an audit/accounting DB)
  15. Two Broad Solution Categories
     • External to internal (north-south; client-to-service, VPN replacement, SDP focus)
     • Internal to internal (east-west; network microsegmentation focus)
     • Mapping individual vendors into these solution categories is a challenge
  16. Zero Trust Guiding Principles (Microsoft, Zero Trust Maturity Model)
     • Verify explicitly: always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
     • Use least privileged access: limit user access with Just-In-Time and Just-Enough Access (JIT/JEA), risk-based adaptive policies, and data protection to protect both data and productivity.
     • Assume breach: minimize blast radius for breaches and prevent lateral movement by segmenting access by network, user, device, and application awareness. Verify all sessions are encrypted end to end. Use analytics to get visibility, drive threat detection, and improve defenses.
  17. Tenets of Zero Trust Architecture (draft NIST SP 800-207)
     • All data sources and computing services are considered resources.
     • All communication is secure regardless of network location.
     • Access to individual enterprise resources is granted on a per-connection basis.
     • Access to resources is determined by policy, including the observable state of user identity and the requesting system, and may include other behavioral attributes.
     • The enterprise ensures all owned and associated systems are in the most secure state possible and monitors systems to ensure that they remain in the most secure state possible.
     • User authentication is dynamic and strictly enforced before access is allowed.
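The following Python is an added example, not code from the slides, from Google's BeyondCorp, or from Gilman & Barth. It puts the components named on slides 12, 14 and 17 into one runnable pipeline: a device inventory and user directory (inventory data stores), an audit log (historical data store), a trust engine that scores each request into a trust tier from device posture, authentication strength and an anomaly signal, a policy engine that evaluates the request against an access policy, and an enforcement point that admits or rejects each connection individually. The device records, users, policy rules, tier names and the "new source country drops one tier" heuristic are all constructed assumptions for the illustration.

```python
"""Zero-trust access decision pipeline (added illustration; all data is
constructed sample data, not from any real deployment)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# --- Data stores: inventories and history ----------------------------------
# Constructed device inventory: the observable state a device inventory
# service would publish. Devices not listed here are unknown.
DEVICE_INVENTORY: Dict[str, dict] = {
    "laptop-0412":  {"managed": True,  "disk_encrypted": True, "os_patch_age_days": 3,  "edr_healthy": True},
    "laptop-0917":  {"managed": True,  "disk_encrypted": True, "os_patch_age_days": 45, "edr_healthy": False},
    "byod-phone-7": {"managed": False, "disk_encrypted": True, "os_patch_age_days": 10, "edr_healthy": False},
}
# Constructed user directory (identity attributes).
USER_DIRECTORY: Dict[str, dict] = {
    "alice": {"groups": {"engineering", "prod-oncall"}},
    "bob":   {"groups": {"contractors"}},
}
# Historical store: every decision is appended here and fed back into
# later risk analysis.
AUDIT_LOG: List[dict] = []

TIERS = ["untrusted", "low", "medium", "high"]   # ordered, lowest first


@dataclass
class Request:
    user: str
    device_id: str
    resource: str
    action: str
    src_country: str
    mfa_used: bool   # did this session present a second factor?


# --- Trust engine ----------------------------------------------------------
def infer_device_tier(device: Optional[dict]) -> str:
    """Trust inferer: the maximum tier a device may receive from its posture."""
    if device is None:
        return "untrusted"                      # nothing observable about it
    if not device["managed"]:
        return "low" if device["disk_encrypted"] else "untrusted"
    if not device["disk_encrypted"] or not device["edr_healthy"]:
        return "low"
    if device["os_patch_age_days"] > 30:
        return "medium"
    return "high"


def score_request(req: Request) -> str:
    """Risk analysis of one request: device tier, capped by authentication
    strength, then lowered one step on an anomaly (assumed heuristic)."""
    if req.user not in USER_DIRECTORY:
        return "untrusted"
    idx = TIERS.index(infer_device_tier(DEVICE_INVENTORY.get(req.device_id)))
    if not req.mfa_used:
        idx = min(idx, TIERS.index("low"))      # password-only caps at "low"
    # Anomaly: a source country never seen in this user's allowed history.
    seen = {e["src_country"] for e in AUDIT_LOG
            if e["user"] == req.user and e["decision"] == "allow"}
    if seen and req.src_country not in seen:
        idx = max(idx - 1, 0)
    return TIERS[idx]


# --- Policy engine ---------------------------------------------------------
# Constructed access policy: resource, permitted actions, required group and
# the minimum tier a request must reach. Anything unmatched is denied.
ACCESS_POLICY = [
    {"resource": "wiki",        "actions": {"read"},          "groups": {"engineering", "contractors"}, "min_tier": "low"},
    {"resource": "source-repo", "actions": {"read", "write"}, "groups": {"engineering"},                "min_tier": "medium"},
    {"resource": "prod-ssh",    "actions": {"connect"},       "groups": {"prod-oncall"},                "min_tier": "high"},
]


def decide(req: Request) -> dict:
    """Policy decision for a single request; default deny."""
    tier = score_request(req)
    groups = USER_DIRECTORY.get(req.user, {"groups": set()})["groups"]
    for rule in ACCESS_POLICY:
        if rule["resource"] != req.resource or req.action not in rule["actions"]:
            continue
        if not (groups & rule["groups"]):
            continue
        if TIERS.index(tier) >= TIERS.index(rule["min_tier"]):
            return {"decision": "allow", "tier": tier, "reason": "rule matched"}
        return {"decision": "deny", "tier": tier,
                "reason": f"tier {tier} below required {rule['min_tier']}"}
    return {"decision": "deny", "tier": tier, "reason": "no matching rule"}


# --- Enforcement point -----------------------------------------------------
def enforce(req: Request) -> bool:
    """Apply the decision to this connection and record it. Nothing is
    cached: the next connection is scored and decided again from scratch."""
    result = decide(req)
    AUDIT_LOG.append({"user": req.user, "device": req.device_id,
                      "resource": req.resource, "action": req.action,
                      "src_country": req.src_country, **result})
    return result["decision"] == "allow"


if __name__ == "__main__":
    for r in [Request("alice", "laptop-0412", "prod-ssh", "connect", "US", True),
              Request("alice", "laptop-0917", "prod-ssh", "connect", "US", True),
              Request("bob", "byod-phone-7", "wiki", "read", "IN", False),
              Request("bob", "byod-phone-7", "source-repo", "write", "IN", False),
              Request("alice", "laptop-0412", "prod-ssh", "connect", "RU", True)]:
        enforce(r)
        print(f"{r.user}@{r.device_id} {r.action} {r.resource}: "
              f"{AUDIT_LOG[-1]['decision']} ({AUDIT_LOG[-1]['reason']})")
```

The point the slides make and the example shows: the same user on the same resource gets different answers depending on the device's observable state (the unhealthy EDR on laptop-0917 caps it at "low") and on context drawn from the historical store (alice's first-ever connection from a new country is scored one tier lower and denied for a "high" resource), and the decision is recomputed for every connection rather than granted once at a perimeter.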
  18. How ZTA Improves Security
     • Granular perimeters limit lateral movement within networks and so limit those threat vectors
     • Assuming that networks are untrusted and that threats exist at all times necessitates more robust controls
     • ZTA improves employee experience by enabling mobile and cloud use
     • Using data (risk, threats, security posture and identity) to drive security decision-making enhances security
  19. ZTA Vendor Marketing
     • ZTA is at risk of being diluted as a viable security architecture by vendors claiming to provide zero trust capabilities
     • At a guess, there are now 50+ vendors from both solution categories claiming to provide zero trust
     • This isn't helpful to end users, particularly when vendors have a dubious claim to actually delivering zero trust capabilities
  20. Security Technical Debt & ZTA
     • Requires significant upfront investment
     • After that investment reduces security technical debt, ZTA should help keep it lower going forward
  21. Practical Challenges
     • There isn't a standard definition of what ZTA is
     • Without an accepted standard definition, vendors are using and abusing the term in the market
     • Many organizations have bought in to network-based security controls at the expense of planned security architecture; ZTA requires a change of mindset and approach
     • Zero trust policy is not standardized (no standard exists for how to express policies, hence all are custom)
     • General lack of standards for ZTA solution components (making them interoperable, and making policies portable/reusable)
     • Fully realized, ZTA will require significant upfront investment
  22. Adoption (chart: Cybersecurity Insiders 2020 Zero Trust Progress Report survey, reprinted with permission)
  23. ZTA Potential Benefits
     • Make security architectures less "brittle"
     • Reduce entropy of a security architecture
     • Minimize security technical debt over time
     • Minimize lateral movement within networks by attackers
     • Better model to address the changes in threats seen over the past 10 years, as well as those in the future
  24. ZTA Outside of Enterprise IT
     • Zero trust is useful (essential) outside of enterprise IT (connected vehicles, IIoT and OT environments)
     • A new standards initiative, The Open Group OSDU platform for oil and gas, is embracing zero trust (perimeters aren't effective; identities are everything to security)
  25. ZTA Standards Opportunities
     • Create standard frameworks, models and ZTA guidance to bring clarity to what is/isn't Zero Trust Architecture, and how to architect for ZTA
     • Enable a rich set of attributes that may be used in trust decisions
     • Coalesce early standards interest and efforts to facilitate an ecosystem of open and compatible zero trust components
     • Zero trust algorithm
     • Open source components (PEP, PIP, PDP, PAP) and reference implementations
  26. ZTA Standards Landscape
     • NIST Zero Trust Architecture: provides a high-level architectural overview (SP 800-207 draft)
     • Cloud Security Alliance (Software Defined Perimeter framework)
     • IETF (XMPP-Grid threat exchange)
     • Open source projects, including Open Policy Agent, SPIFFE (open source identity framework) and SPIRE (open source toolchain supporting SPIFFE in a variety of environments)
  27. ZTA Standards Gaps
     • Lack of a common accepted framework or standard model
     • Lack of consistent terms for ZTA design and planning
     • Systemic gaps in ZTA
     • Lack of procurement guidance
     • Lack of open, standardized interfaces between ZTA components (proprietary APIs will inhibit adoption)
  28. Security Forum ZTA Project
     • Builds on foundational work done by the Jericho Forum (2005-2014) on de-perimeterization and data-centric security
     • Includes some of the key contributors to the Jericho Forum
     • Joint project between the Security Forum, the Architecture Forum, and the SABSA Institute
     • Involvement from IBM, Microsoft, Boeing, NASA, DXC, Raytheon, Woodside Energy, Accenture, and other large IT customer and supplier organizations
  29. ZTA Project Planned Deliverables
     • Survey of CISOs on ZTA plans and challenges
     • Landscape white paper
     • Guiding Principles of Zero Trust white paper
     • Reference Architecture and Model white paper
     • Trust algorithm
  30. Where We Can Use Help
     » Providing responses to our ZTA surveys (CISOs, end users, vendors)
     » Contributing content for the ZTA Landscape White Paper
     » Contributing to the Trust Algorithm project
  31. How to Get Involved
     » For end user organizations, vendors, and governments:
       – Become members and gain access to all Security Forum projects, including Security Architecture, Zero Trust Architectures, and Risk Management/Open FAIR
       – For membership information, contact Chris Parnell at
     » For highly qualified/experienced individuals with significant contributions to make:
       – Individual contributor role and IP agreement to enable contributions
  32. Why Get Involved
     • Learn from ZTA and security thought leaders
     • Acquire knowledge and approaches that you can bring back to your organization and use in your day job
     • Tackle common problems in a shared-contribution, collaborative environment
     • Gain recognition as an author, reviewer, translator or editor of industry best practices
  33. About The Open Group (Programs, Strategy, Platform, Mission, Vision)
     Our Vision: Boundaryless Information Flow™ achieved through global interoperability in a secure, reliable and timely manner
     » A global consortium that enables the achievement of business objectives through the development of open, vendor-neutral technology standards and certifications
     » More than 740 member organizations: a diverse membership that spans all sectors of the IT community, including customers, systems and solutions suppliers, tool vendors, integrators and consultants, as well as academics and researchers
  34. The Open Group: everything we do is intended to ...
     » Enable all organizations that use information technology to do things better, faster, and cheaper
     » Enable all suppliers of information technology products and services to gain business benefit
     » Enable every individual that we meet to develop their skills and capabilities
  35. The Open Group is ... 740+ member organizations in 40 countries; staff and local partners in 12 countries. Countries shown: Australia, Belgium, Brazil, Canada, China, Colombia, Czech Republic, Denmark, Finland, France, Germany, Hong Kong, India, Ireland, Israel, Italy, Japan, Korea, Luxembourg, Malaysia, Mexico, Netherlands, New Zealand, Nigeria, Norway, Philippines, Poland, Portugal, Qatar, Saudi Arabia, Singapore, South Africa, Spain, Sweden, Switzerland, Taiwan, Turkey, UK, United Arab Emirates, USA, Vietnam
  36. The Open Group Programs (diagram; labels as shown): Enterprise Architecture; Security (Risk Analysis, Security Architecture); Managing Supply Chain Risk (Open Trusted Technology Forum, supply chain security); Airborne Communications Standards & Certification; Managing the Business of IT; Managing the Emerging Platform (Open Platform 3.0®); Certification (Products & Processes, Professional Certification, 'T'-Shaped People); UNIX (platform base, standard evolution, product certification); Agile EA
  37. Making Standards Work® (process diagram): customer/vendor needs → Forum or Work Group → standards process → certification process → market adoption, collaborating with other consortia and standards bodies throughout
  38. Security at The Open Group (logos)
     • Forums:
     • Certifications:
  39. Guide: Integrating Security & Risk in a TOGAF Enterprise Architecture
     • Created in collaboration with the SABSA Institute
     • Guide is available in our bookstore now (https://
     • Brings needed updates to security and risk thinking in TOGAF & EA
  40. Summary
     • Zero Trust Architecture brings significant benefits to enterprises
     • Standards work is still needed, and opportunities exist to get engaged in The Open Group Security Forum's ZTA work