CyCraft Proprietary and Confidential Information
Zero Trust
C.K. Chen
Outline
• NIST SP 1800-35
Acknowledgement - Birdman
Cyber Defense Matrix & ZT
Zero trust here
Initial compromise (landing) succeeds easily, so attackers will inevitably get onto internal-network machines.
From real cases we have observed, internal-network security is the weakest point of most enterprises; once attackers are inside the intranet, there is a very high probability they can take over the whole Domain.
WFH
Partnership
2009: Google BeyondCorp
2010: proposed by Forrester analyst John Kindervag, data-centric, with the network architecture designed from the inside out
August 2020: NIST publishes NIST SP 800-207
June 2022: NIST publishes NIST SP 1800-35
NIST SP 800-207
A white paper published by a government agency; compared with vendor white papers it is more objective in every respect.
Since its release in August 2020 it has been widely discussed. The major Zero Trust vendors have also mapped their products to NIST SP 800-207.
Defines the problem scope and the architecture
Logical Components of Zero Trust Architecture
Deployment Scenarios/Use Cases
Industry reference guidance: proposes concrete practices and a way to move gradually to a ZTA
Migrating to a Zero Trust Architecture
Hybrid ZTA and Perimeter-Based Architecture
Steps to Introducing ZTA to a Perimeter-Based Architected Network
NIST SP 1800-35
Published by NIST's National Cybersecurity Center of Excellence (NCCoE)
Written together with industry partners
Implements a ZTA with commercial products and ensures they are interoperable and integrated
Builds the ZTA in a lab environment with a public spec, and includes the installation and integration steps.
Still in draft version, and gradually updated over time
Trust will Change!
HITCON - Trust in the Untrusted World
Trust will Change!
Concept → Assumption:
Assume breach
Network perimeters cannot be trusted
No persistent trust
Assumption → High Level Method:
Assume breach → No implicit trust, always verify
Network perimeters cannot be trusted → Centralized & dynamic policy enforcement
No persistent trust → Dynamically reflect risk assessment in policy
ZTA is …
Zero Trust Architecture:
authentication/authorization verified per session
Dynamic Policy
Situation-Aware Policy
E.g.
Important but frequently overlooked - visibility
Audit, investigation, information to improve future authentication decisions
E.g. protection against ransomware
Logical Components in NIST SP 800-207
NIST SP 800-207
Policy Engine (PE) – the PE is responsible for deciding whether to grant access, based on policy and on input from the CDM system and threat intelligence services.
Policy Administrator (PA) – the PA is responsible for establishing or shutting down communication according to the PE's decision.
Policy Enforcement Point (PEP) – the PEP is responsible for allowing, monitoring and terminating connections.
https://www.trendmicro.com/zh_tw/what-is/what-is-zero-trust/zero-trust-architecture.html
Logical Components in NIST SP 1800-35
PIP
Situation Awareness
PDP
Risk scoring mechanism
Dynamic policy
User/Device Security Posture
Situation awareness: Time, Location, Threat, Log
Cyber Threat Intelligence, Device Monitoring and Threat Hunting could be included in situation awareness
Zero trust here
Feedback to ZT
Not only Identify & Protect
Zero Trust
Zero Trust is Not ….
Zero Trust is Not “Trust No One”
Zero Trust still trusts the authentication process, so the security of the policy infrastructure becomes more critical
No implicit trust → Zero (Implicit) Trust
Zero Trust could be “every resource has its own boundary”
People may confuse this with “zero trust architecture has no boundary”
[Diagram: a user reaching resources r1, r2 and r3, each behind its own checks (Check 1, Check 2, Check 3)]
Zero Trust is Not ….
MFA (Multi-Factor Authentication)
MFA is an important component of ZT, but using MFA only is not ZT
Using MFA to enter the intranet and then accessing many resources → not zero trust
Use MFA together with other factors to make a decision for every request to a resource
MFA + contextual policy
The core concept of ZT is dynamic, live authentication
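The three slides above (PE/PA/PEP roles, risk scoring from posture and situation awareness, and "MFA only is not ZT") describe one decision loop; the following added example, not code from the talk or from NIST, makes that loop concrete in Python. Resource names, score weights, the allowed-country set and the per-resource risk thresholds are constructed assumptions. MFA is only one input; every request to every resource is re-scored, and every decision is written to an audit list for visibility.

```python
"""Per-request, context-aware access decisions modelled on the
NIST SP 800-207 Policy Engine / Policy Enforcement Point split.

Added illustration, not code from the slides or from NIST. All
resource names, score weights and thresholds are constructed
assumptions chosen to make the slides' points concrete:
  * MFA is one input, not the decision ("MFA only is not ZT").
  * Every resource has its own boundary: r1, r2, r3 are checked
    separately, each with its own tolerated risk.
  * Risk scoring pulls in user/device posture and situational
    awareness (time, location, threat intel) and is re-evaluated
    on every request rather than once at the perimeter.
  * Every decision is logged (visibility / audit).
"""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Context:
    user: str
    mfa_passed: bool
    device_managed: bool          # enrolled in UEM / MDM
    edr_healthy: bool             # endpoint agent running, no open alerts
    patch_age_days: int
    country: str
    at: datetime
    threat_ip_score: int          # 0..100 from a CTI feed (assumed scale)


# Constructed per-resource boundaries: the maximum risk each resource
# tolerates and whether MFA is mandatory for it.
RESOURCES = {
    "r1-wiki":    {"max_risk": 70, "require_mfa": False},
    "r2-gitlab":  {"max_risk": 40, "require_mfa": True},
    "r3-finance": {"max_risk": 20, "require_mfa": True},
}


def risk_score(ctx: Context) -> int:
    """Policy Engine input: fold posture + situation into one number.
    Weights are illustrative assumptions, not a NIST formula."""
    score = 0
    if not ctx.device_managed:
        score += 30
    if not ctx.edr_healthy:
        score += 30
    if ctx.patch_age_days > 30:
        score += 15
    if ctx.country not in {"TW", "JP"}:          # assumed allowed countries
        score += 15
    if ctx.at.hour < 7 or ctx.at.hour >= 22:     # outside business hours
        score += 10
    score += ctx.threat_ip_score // 4            # CTI contribution
    return min(score, 100)


def policy_engine(resource: str, ctx: Context) -> tuple:
    """Decide one request against one resource's own boundary."""
    rule = RESOURCES[resource]
    if rule["require_mfa"] and not ctx.mfa_passed:
        return False, "mfa-required"
    r = risk_score(ctx)
    if r > rule["max_risk"]:
        return False, f"risk {r} > {rule['max_risk']}"
    return True, f"risk {r} <= {rule['max_risk']}"


@dataclass
class PEP:
    """Policy Enforcement Point: asks the PE on every request and records
    the outcome, so later investigation can see why access was granted."""
    audit: list = field(default_factory=list)

    def request(self, resource: str, ctx: Context) -> bool:
        allowed, why = policy_engine(resource, ctx)
        self.audit.append({"user": ctx.user, "resource": resource,
                           "allowed": allowed, "reason": why,
                           "at": ctx.at.isoformat()})
        return allowed


def demo() -> dict:
    """Same user, MFA passed in both cases: a device with a failed EDR
    agent and stale patches still reaches the wiki but not finance."""
    pep = PEP()
    when = datetime(2022, 8, 20, 10, 0)
    healthy = Context("alice", True, True, True, 5, "TW", when, 0)
    sick = Context("alice", True, True, False, 45, "TW", when, 40)
    decisions = {
        "healthy->r1": pep.request("r1-wiki", healthy),
        "healthy->r3": pep.request("r3-finance", healthy),
        "sick->r1": pep.request("r1-wiki", sick),
        "sick->r3": pep.request("r3-finance", sick),
    }
    return {"decisions": decisions, "audit_entries": len(pep.audit)}


if __name__ == "__main__":
    for k, v in demo()["decisions"].items():
        print(f"{k}: {'allow' if v else 'deny'}")
```

The point the slides make shows up in the "sick->r3" decision: the user already passed MFA, yet the request is denied because the device posture and CTI input push the risk above what the finance resource tolerates. A perimeter that only checked MFA once would have let the same session reach all three resources.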
What Zero Trust does not cover
PKI – ZTA Server PKI
E.g. CI/CD
ZTA
ZTA
Endpoint
E.g. USB PEP
PEP
ZTA
Zero Trust cannot solve everything
Zero trust cannot prevent social engineering and phishing emails
Zero trust cannot protect devices from malware
Zero trust cannot defend against zero-days
….
Zero trust and supply-chain security are still two separate problem dimensions: adopting zero trust cannot directly solve supply-chain attacks, but it can mitigate the lateral-movement part.
Implementing a Zero Trust Architecture
About NIST SP 1800-35
NIST SP 1800-35 is divided into four parts
NIST SP 1800-35 A - Executive Summary
NIST SP 1800-35 B - Approach, Architecture, and Security Characteristics
NIST SP 1800-35 C - How-To Guides
NIST SP 1800-35 D - Functional Demonstrations
How to build a ZTA with existing products
Depending on your role, you can read the corresponding sub-document
Challenge
Difficulties in adopting a ZTA
Inventory assets down to the resource level, and design a ZTA that fits the existing IT architecture
No single product can deliver a ZTA; different security systems must be integrated
How to select security systems, or use existing ones, to build the ZTA
How to integrate these security systems
Whether it will affect user experience and the organization's business processes
ZTA
NIST SP 1800-35 proposes the following three approaches to realizing a ZTA
Enhanced Identity Governance (EIG)
Micro-Segmentation
Network Infrastructure and Software Defined Perimeters
NIST SP 1800-35 is still at the draft stage; the EIG part is currently complete, the other two are not yet finished
Enhanced Identity Governance (EIG)
EIG actor (identity) policy
device health access policy
EIG micro-segmentation Software Defined Perimeters
Zero Trust /
ZTA
ICAM
EIG ICAM ICAM
Identity management
Access and credential management
Federated Identity
Identity governance
Okta Identity Cloud Azure AD
ICAM
Enhanced Identity Governance (EIG)
The FIRST Step towards ZTA
Enhanced Identity Governance (EIG)
ICAM PDP, PEP
Physical Architecture of ZTA Lab
NIST SP 1800-35 Lab
EIG
EIG Enterprise 1 Build 1 (E1B1)
EIG Enterprise 3 Build 1 (E3B1)
E1B1 Products and Technologies
DigiCert CertCentral TLS Manager
AWS - GitLab, WordPress
Ivanti Access ZSO, Ivanti Neurons for UEM, Lookout MES, Okta Identity Cloud, and Tenable.io
Ivanti Tunnel
Ivanti Neurons for Unified Endpoint Management (UEM) Platform
Successful Access Request in E1B1
Dynamic Access Policy
Okta, Ivanti
ICAM Information Architecture – New User Onboarding (E1B1)
Policy
SailPoint, Okta, Radiant Logic
demo
E3B1 Products and Technologies
DigiCert CertCentral TLS Manager
Microsoft Azure AD, Microsoft Defender for Endpoint, Microsoft Endpoint Manager, Microsoft Office 365, Microsoft Sentinel, Tenable.io
Guacamole
GitLab
Successful Access Request in E3B1
Dynamic Access Policy
Lookout, AzureAD, MS AD
NIST SP 1800-35 C
Functionality Demo
NIST SP 1800-35 C
Future Direction
Enhanced Identity Governance
Micro-Segmentation
Software-Defined Perimeter
Zero Trust
Summary of NIST SP 1800-35
NIST SP 1800-35 NIST NCCoE ZTA
ZTA
EIG
ZTA
ZTA /
ZTA
DIE ZTA
ZTA AP Infra →
RSA: “Death to CIA! Long live DIE! How the DIE Triad Helps Us Achieve Resiliency”
Container AP/Resource
D (Distributed) I (Immutable) E (Ephemeral)
ZTA AP/Resource DIE
Inventory the devices, users and resources in the environment
Analyze resource access paths: how users reach the final resource
Dynamic Access Control Policy
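The two preparation steps above (inventory to the resource level, then analyze how users reach each resource) can be turned into a repeatable check. The following is an added example, not code from the talk or from NIST SP 1800-35: it takes a constructed inventory of users, devices, network segments, applications and resources (all names made up), records for each hop whether a policy enforcement point decides it, enumerates every user-to-resource path, and reports the hops that rely on implicit trust and the resources whose own boundary is not enforced.

```python
"""Inventory-driven access-path analysis for a ZTA design exercise.

Added example, not from the slides or NIST SP 1800-35. The inventory
below (users, devices, network segments, apps, resources and which hops
are guarded by a policy enforcement point) is constructed; every name
is made up. Given an inventory, it enumerates how a user can reach each
resource and spots hops that rely on implicit trust (no PEP) instead of
an explicit per-request policy decision.
"""
from collections import defaultdict

# (source, destination, guarded_by_pep). A hop is "guarded" when a PEP
# (IdP login, reverse proxy, ZTNA gateway, ...) decides it per request.
INVENTORY_EDGES = [
    ("user:alice", "device:laptop-01", True),        # MFA login via IdP
    ("device:laptop-01", "net:office-lan", False),   # plain LAN join
    ("device:laptop-01", "net:vpn", True),           # VPN with device check
    ("net:office-lan", "app:wiki", True),            # reverse proxy PEP
    ("net:office-lan", "app:legacy-erp", False),     # direct TCP, no PEP
    ("net:vpn", "app:gitlab", True),
    ("app:wiki", "res:wiki-db", True),
    ("app:legacy-erp", "res:finance-db", False),     # shared DB account
    ("app:gitlab", "res:source-repo", True),
]


def build_graph(edges):
    graph = defaultdict(list)
    for src, dst, guarded in edges:
        graph[src].append((dst, guarded))
    return graph


def enumerate_paths(graph, start, target_prefix="res:"):
    """All simple paths from `start` to any node named with target_prefix.
    A path is a list of (node, guarded) pairs; the start node itself is
    marked guarded because it is the subject, not a hop."""
    paths = []

    def walk(node, path, visited):
        if node.startswith(target_prefix):
            paths.append(path)
            return
        for nxt, guarded in graph.get(node, []):
            if nxt not in visited:
                walk(nxt, path + [(nxt, guarded)], visited | {nxt})

    walk(start, [(start, True)], {start})
    return paths


def audit_paths(edges, start):
    """One report entry per user-to-resource path: the hops, which hops
    carry implicit trust, and whether the resource's own boundary
    (its last hop) is enforced."""
    report = []
    for path in enumerate_paths(build_graph(edges), start):
        nodes = [n for n, _ in path]
        gaps = [n for n, guarded in path if not guarded]
        report.append({
            "resource": nodes[-1],
            "path": nodes,
            "implicit_trust_hops": gaps,
            "boundary_enforced": path[-1][1],
        })
    return report


def resources_without_boundary(edges, start):
    """Resources reachable by at least one path whose final hop has no PEP:
    the first candidates for a new enforcement point."""
    return sorted({e["resource"] for e in audit_paths(edges, start)
                   if not e["boundary_enforced"]})


if __name__ == "__main__":
    for entry in audit_paths(INVENTORY_EDGES, "user:alice"):
        print(" -> ".join(entry["path"]), "| gaps:", entry["implicit_trust_hops"])
    print("resources without an enforced boundary:",
          resources_without_boundary(INVENTORY_EDGES, "user:alice"))
```

In the constructed inventory the VPN path to the source repository is decided at every hop, the wiki path inherits implicit trust from the office LAN join, and the finance database is reachable through a legacy application with no enforcement point at all; that last resource is where a PEP (and the dynamic access policy the slide names) would be placed first.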
Take Action
NIST SP 1800-35 ZTA
PEP
EIG ZTA
ZTA
API
Policy
HITCON FreeTalk 2022 - Zero Trust Architecture Reading Notes