Moving Beyond Zero Trust
Jonathan Nguyen-Duy
VP Global Field CISO Team
2
AGENDA
• Hybrid - The New Normal
• More than Zero Trust
• Security Driven Networking
• Reasonable Level of Care
• Summary
3
THE STATE OF ENTERPRISE SECURITY
FUNCTIONAL OPERATIONAL SILOS
LACK OF VISIBILITY
EVOLVING NATURE OF THREATS
SECURITY TEAMS LACK THE MANPOWER, EXPERTISE, TOOLS AND PROCESSES
+
SECURITY SHOULD NOT BE A DIY EXERCISE
4
© Fortinet Inc. All Rights Reserved. 4
Secure-Driven Networking
5
Hybrid Network Compute becoming the standard
Secure remote device access & securing cloud resources
[Diagram labels: DATA CENTER COMPUTE; CLOUD COMPUTE; EDGE COMPUTE; Endpoints, Mainframe, Virtualized Servers; IaaS, PaaS, SaaS; Endpoints, IoT, OT; Cloud, 5G, Edge, Transport; Client-Server, Web Client]
6
7
Differing Trust Levels create Edges Everywhere
Challenge is speed and scale
[Diagram labels: WAN EDGE, SD-WAN; ACCESS EDGE, SD-Branch; COMPUTE EDGE, Cloud and 5G; OT EDGE, Cyber-Physical; SD-WAN, WoC, Security Orchestration, Security Switch, WiFi, NAC, Security, Cloud, 5G, Identity, Security]
8
Fundamental Failures in Data Breaches
§ Lessons from 12,000+ breaches:
» Failure to prioritize funding for cyber security - lowest among peer group
» Lacked effective leadership and managerial structure to implement reliable IT security policies
» Failure to implement critical basic security measures, like two-factor authentication, segmentation, awareness training, etc.
» Networks were “insecurely architected” and running significant amounts of legacy infrastructure - not integrated
» IT security program struggled to meet many compliance requirements
» Lack of visibility, awareness & control
9
A Reasonable Level of Due Care
Standard by which we’ll be judged...
§ due care (noun): … the care that a reasonable person would exercise under the circumstances; the standard for determining legal duty
§ Equifax breach 143M affected “entirely preventable”
» Exploit of known Apache Struts vulnerability
» Breached in May-July but notified public in September 2017
» Exfiltration possible due to expired security certificate
» 2018 two credit freeze websites used expired certificates
» Default passwords “admin”
» Reasonable?
Critically, the Court found that, given the foreseeable risk of a data breach, Equifax owed consumers an independent legal duty of care to take reasonable measures to safeguard their personal information in Equifax’s custody.
10
Achieving a Reasonable Level of Due Care
Much more than zero trust...
§ Networking and Security as first Consideration
» Compliance is not enough
» Hybrid digital infrastructure & security as one
» Distributed segmentation & virtualization
» Outcome-based solutions - Business intent
§ Segmentation & Zero Trust Principles
» Identify, verify & authenticate
» Validate need to access (apps & ports)
» Log & monitor everything
» Integrated, automated response
» Backup per SLAs
» Encrypt as practical
§ Behavioral based detection & AI
§ Broad, integrated & automated
11
Security Fabric Requirements
Beyond Products & Platforms
[Diagram labels: Open Ecosystem; Network Security; Device, Access, and Application Security; Multi-Cloud Security; Network Operations; Security Operations; Endpoint/Device Protection; Secure Access; Application Security; Fabric APIs; Fabric Connectors]
INTEGRATED: AI-driven breach prevention across devices, networks, and applications
AUTOMATED: Operations, orchestration, and response
BROAD: Visibility of the entire digital attack surface
12
Access Visibility: Endpoints, Users & Applications
[Diagram labels: Where, Who, What, When; DALLAS, AUSTIN, HOUSTON; VPN]
13
Control: Dynamic Network Access
Adaptive Trust
[Diagram labels: Identify User, Assign Network Access, Assess Risk, Identify Device; No Access, Guest Access, Restricted Access, Unrestricted Access; Rogue IOT, Managed IOT, Tolerated IOT, Managed Assets, Critical Assets]
14
Security Driven Networking
[Diagram labels: Branch Access and off-load; UCPE; 3G/4G/5G wireless; Transport / SDWAN; DC / Private Cloud; Consumer Access and off-load; DC / Cloud Services]
Consistent Security
§ Consistent and compliant policy and visibility across physical, virtual, cloud
§ Secure VPN connectivity from private to public clouds
§ Segment applications and data between clouds in hybrid and multi-cloud environments
End-to-End Segmentation
§ Deploy into flat open networks w/o disruption
§ Fine-grained policy based on users/apps/data
§ Increased throughput for inspecting east-west traffic
Automatically Scale Protection
§ Auto-scale inspection capacity across cluster
§ Auto-provision rules to new workloads
§ Orchestrate physical and virtual service insertion
15
