Moving Beyond Zero Trust

Jonathan Nguyen-Duy, VP, Global Field CISO Team, Fortinet
Security Transformation Summit 2019

Published in: Government & Nonprofit

  1. Moving Beyond Zero Trust
     Jonathan Nguyen-Duy, VP, Global Field CISO Team
  2. Agenda
     • Hybrid - The New Normal
     • More than Zero Trust
     • Security Driven Networking
     • Reasonable Level of Care
     • Summary
  3. The State of Enterprise Security
     • Functional operational silos
     • Lack of visibility
     • Evolving nature of threats
     • Security teams lack the manpower, expertise, tools and processes
     + Security should not be a DIY exercise
  4. Security-Driven Networking
     © Fortinet Inc. All Rights Reserved.
  5. Hybrid Network Compute becoming the standard
     Secure remote device access & securing cloud resources
     [Diagram: Data Center Compute, Cloud Compute, Edge Compute. Labels: Endpoints, Mainframe, Virtualized Servers, IaaS, PaaS, SaaS, Endpoints, IoT, OT, Cloud, 5G, Edge, Transport, Client-Server, Web, Client]
  6. [Slide with no transcribed text]
  7. Differing Trust Levels create Edges Everywhere
     Challenge is speed and scale
     [Diagram: WAN Edge (SD-WAN); Access Edge (SD-Branch); Compute Edge (Cloud and 5G); OT Edge (Cyber-Physical). Labels: SD-WAN, WoC, Security, Orchestration, Security, Switch, WiFi, NAC, Security, Cloud, 5G, Identity, Security]
  8. Fundamental Failures in Data Breaches
     § Lessons from 12,000+ breaches:
       » Failure to prioritize funding for cyber security - lowest among peer group
       » Lacked effective leadership and managerial structure to implement reliable IT security policies
       » Failure to implement critical basic security measures, like two-factor authentication, segmentation, awareness training, etc.
       » Networks were “insecurely architected” and running significant amounts of legacy infrastructure - not integrated
       » IT security program struggled to meet many compliance requirements
       » Lack of visibility, awareness & control
  9. A Reasonable Level of Due Care
     Standard by which we’ll be judged...
     § due care (noun): … the care that a reasonable person would exercise under the circumstances; the standard for determining legal duty
     § Equifax breach: 143M affected, “entirely preventable”
       » Exploit of known Apache Struts vulnerability
       » Breached in May-July but notified public in September 2017
       » Exfiltration possible due to expired security certificate
       » In 2018, two credit freeze websites used expired certificates
       » Default passwords “admin”
       » Reasonable?
     Critically, the Court found that, given the foreseeable risk of a data breach, Equifax owed consumers an independent legal duty of care to take reasonable measures to safeguard their personal information in Equifax’s custody.
  10. Achieving a Reasonable Level of Due Care
      Much more than zero trust...
      § Networking and Security as first Consideration
        » Compliance is not enough
        » Hybrid digital infrastructure & security as one
        » Distributed segmentation & virtualization
        » Outcome-based solutions - Business intent
      § Segmentation & Zero Trust Principles
        » Identify, verify & authenticate
        » Validate need to access (apps & ports)
        » Log & monitor everything
        » Integrated, automated response
        » Backup per SLAs
        » Encrypt as practical
      § Behavioral based detection & AI
      § Broad, integrated & automated
  11. Security Fabric Requirements
      Beyond Products & Platforms
      • BROAD: Visibility of the entire digital attack surface
      • INTEGRATED: AI-driven breach prevention across devices, networks, and applications
      • AUTOMATED: Operations, orchestration, and response
      [Diagram labels: Open Ecosystem; Network Security; Device, Access, and Application Security; Multi-Cloud Security; Network Operations; Security Operations; Endpoint/Device Protection; Secure Access; Application Security; Fabric APIs; Fabric Connectors]
  12. Access Visibility: Endpoints, Users & Applications
      [Diagram labels: Where, Who, What, When; Dallas, Austin, Houston, VPN]
  13. Control: Dynamic Network Access
      Adaptive Trust
      [Diagram labels: Identify User, Assign Network Access, Assess Risk, Identify Device]
      [Access levels: No Access, Guest Access, Restricted Access, Unrestricted Access]
      [Device classes: Rogue IOT, Managed IOT, Tolerated IOT, Managed Assets, Critical Assets]
  14. Security Driven Networking
      [Diagram labels: Branch Access and off-load; UCPE; 3G/4G/5G wireless; Transport / SDWAN; DC / Private Cloud; Consumer Access and off-load; DC / Cloud Services]
      Consistent Security
      § Consistent and compliant policy and visibility across physical, virtual, cloud
      § Secure VPN connectivity from private to public clouds
      § Segment applications and data between clouds in hybrid and multi-cloud environments
      End-to-End Segmentation
      § Deploy into flat open networks w/o disruption
      § Fine-grained policy based on users/apps/data
      § Increased throughput for inspecting east-west traffic
      Automatically Scale Protection
      § Auto-scale inspection capacity across cluster
      § Auto-provision rules to new workloads
      § Orchestrate physical and virtual service insertion
  15. [Slide with no transcribed text]
