SEARCH GUARD
ZERO TRUSTED NETWORKS
OR: WHY PERIMETER SECURITY IS DEAD
Jochen Kressin, OSMC 2019
© 2018 floragunn GmbH - All Rights Reserved
ABOUT ME
Jochen Kressin, Co-Founder of floragunn GmbH
Makers of Search Guard
Enterprise Security Suite (and Alerting) for the Elastic Stack
Founded 2012
Main office: Berlin, Germany
Partner offices: Seattle, New York, Miami, Bordeaux, Mexico
WHY THIS TOPIC?
I talk a lot to customers that are using Elasticsearch
Most of them store sensitive data inside Elasticsearch
Personally identifiable information: User- or customer data
Financial information: Transaction data
Healthcare information: Patient data
Elasticsearch does not / did not offer security out-of-the-box
Natural question: How do you secure Elasticsearch?
Answers are scary …
ANSWERS
Diagram: the Evil Internet on one side, sensitive data inside Elasticsearch on the other. The usual answers, each describing how the Elasticsearch cluster is protected:
“It’s unprotected”
“Firewall”
“VPN and Firewall”
PERIMETER SECURITY
Diagram: Evil Internet → Firewall → Loadbalancer → Data Lake (Elasticsearch). The external hops run over HTTPS, the last hop into the data lake over plain HTTP. Outside the firewall: “Untrusted”; inside: “Trusted Perimeter”.
ASSUMPTIONS
Traffic from the outside cannot be trusted
Traffic inside the perimeter can be trusted
Access to the perimeter can be controlled
Consequences
VPNs, firewalls and loadbalancers are sufficient
At any point in time, we know who has access to the data
Traffic inside the VPN does not need to be encrypted end-to-end
Performance is more important than encryption
Security breaches will be detected
MAIN QUESTION
Does perimeter security (still) work?
If it works, why do we still suffer from security breaches and data loss?
REALITY CHECK
Data breach @ Exactis [1]
Close to 340 million personal records leaked
Phone number, home address, number, age and gender of children
“It seems like this is a database with pretty much every U.S. citizen in it”
Elasticsearch cluster publicly accessible
Perimeter not secured at all
[1] https://www.pymnts.com/legal/2018/exactis-data-breach-class-action-lawsuit/
REALITY CHECK
Data breach @ Apple [1]
Customer data stolen from Apple internal database
By 22 companies working as distributors in China
Sold on Chinese black market for 7 million USD
Access to internal data granted for business partners
Attacker inside the Perimeter
[1] https://www.nytimes.com/2017/06/09/business/china-apple-personal-data-sold.html
REALITY CHECK
Data breach @ Best Western [1]
Customer booking details leaked
Autoclerk, a hotel reservations system exposed 179 GB of data
Data of external client platforms exposed as well
Name, date of birth, home address, travel dates
Unsecured Elasticsearch cluster hosted on AWS
One platform, multiple client data
How is perimeter defined?
[1] https://siliconangle.com/2019/10/21/customer-data-best-western-hotels-exposed-massive-data-breach/
REALITY CHECK
Data breach @ Yves Rocher [1]
Data of 2.5 million Canadian customers of Yves Rocher exposed
6 million orders exposed
Names, home address, phone number, email
Internal data: Store traffic, turnover, order volumes
Unsecured Elasticsearch cluster set up / operated (?) by Aliznet
“The data breach impacts Aliznet’s clients who placed their trust in the company to protect their sensitive information. One
concern is that Aliznet may have other unsecured databases and applications that haven’t been discovered yet. That means
other clients of Aliznet may be at risk.”
[1] https://threatpost.com/data-leak-impacts-millions/147908/
REALITY CHECK
Data breach @ OneLogin [1]
Password and identity management platform
Attacker obtained keys for AWS hosted platform “from an intermediate host”
“Attacker may have obtained the ability to decrypt some information”
Customers have been advised to …
… change all passwords, create new OAuth tokens, create new certificates
One stolen key to rule them all
[1] https://www.zdnet.com/article/onelogin-security-chief-new-details-data-breach/
FIRST REACTION
Dumb admins are too stupid to protect sensitive data
Really?
Perimeter security is broken
WHAT HAS CHANGED?
Access control
Partners, distributors, freelancers, part-time contractors etc.
These are all potential inside threats
Locations
Remote offices
Remote workers
Devices
Laptops, smartphone, tablets
Bring your own device
WHAT HAS CHANGED?
Cloud computing
Cloud storage
Microservices
SaaS / PaaS / IaaS
Containerization
Docker, Kubernetes etc.
How to apply IP-based security?
Decentralized systems / clusters
Internet of things
WHERE IS THE PERIMETER NOW?
Diagram: Elasticsearch sits in the datacenter, but it is reached from the office, from the Internet, from anywhere, and from cloud storage, SaaS and PaaS services.
PERIMETER SECURITY REVISITED
Diagram (the perimeter picture again): Evil Internet → Firewall → Loadbalancer → Data Lake (Elasticsearch). HTTPS on the external hops, plain HTTP on the last hop into the data lake. Outside the firewall: “Untrusted”; inside: “Trusted Perimeter”.
ZERO TRUSTED NETWORK
Diagram: the same picture as before, but the office, the Internet, anywhere, the datacenter, cloud storage and SaaS, everything outside Elasticsearch itself, is now labelled “Untrusted”.
FACT CHECK
Companies do not have full control anymore
Explosion of devices and locations
Data and services are moving to the cloud
Internet of Things
Inside attacks are ever increasing
60% of attacks originated from the inside (IBM study 2016)
Attacks via social engineering
Angry employees, partners, freelancers etc.
Lines between inside and outside are blurry at best
PARADIGM SHIFT
No traffic can be trusted
Regardless where it originates
Regardless from which device
No IP / port / application can be trusted
Cloud, containers, IoT
Traditional firewall approach flawed
No user can be trusted
Beware of inside attacks
Outside personnel
PARADIGM SHIFT
Move security to where the data lives
No unsecured services
Not even in a VPN
No unencrypted traffic, anywhere
Not even in a VPN
Assume attackers are already in your network
Never trust, always verify
Apply least privilege strategies
Inspect and log all traffic
UNENCRYPTED TRAFFIC: CLIENT ACCESS
Diagram: Internet / Office / … → HTTPS → Proxy / Loadbalancer (terminates TLS) → HTTP → Data Lake (Elasticsearch).
ACCESS CONTROL OUTSIDE DATASTORE
Diagram: Internet / Office / … → HTTPS → Proxy (TLS passthrough, implements ACL, URL based) → HTTPS → Data Lake (Elasticsearch).
A URL-based ACL outside the datastore has to deal with:
Index aliases
Wildcard index names
Date math index names
Bulk API
Multi Get / Multi Search
Example:
https://sgssl-0.example.com:9200/mydata-*/_search
https://sgssl-0.example.com:9200/mydata/_search
UNENCRYPTED TRAFFIC: INTER-CLUSTER
Diagram: a three-node Elasticsearch cluster (Node 1, Node 2, Node 3). Clients from Internet / Office / … reach it over HTTPS through a TLS-passthrough proxy / loadbalancer, so the client path is encrypted end-to-end.
UNENCRYPTED TRAFFIC: INTER-CLUSTER
Diagram: the same three-node cluster, plus an “Evil Node” running Elasticsearch that has joined it. Data replication flows from the cluster to the evil node.
NO AUDIT LOGGING / MONITORING
Diagram: a three-node Elasticsearch cluster (Node 1, Node 2, Node 3). An “Evil Employee” sends https://sgssl-0.example.com:9200/logs/_search
What data has been accessed?
When has it been accessed?
Who has accessed it?
LEAST PRIVILEGES
Diagram: the same three-node cluster. The “Evil Employee” now sends https://sgssl-0.example.com:9200/*/_search
What data has been accessed?
When has it been accessed?
Who has accessed it?
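The two slides above ask what, when and who, and show a wildcard search over every index. The following is an added example, not code from the slides or from Search Guard, of an audit record shape that can answer those questions and of two detections a defender would run over such records: accesses outside the user's role and cluster-wide searches. The log lines, users, roles, addresses and index names are constructed.

```python
"""Added example (not from the slides or from Search Guard): the shape of an audit
record that answers "what data, when, who", and two detections over such records.
The log lines, users, roles, addresses and index names are constructed."""
import fnmatch
import json

# Constructed audit log, one JSON object per line, written by the datastore itself:
# it records the indices the request resolved to, not just the URL the client sent.
AUDIT_LOG = """\
{"@timestamp": "2019-11-05T09:12:01Z", "user": "alice", "role": "analyst", "remote": "10.0.4.17", "path": "/mydata/_search", "indices": ["mydata"]}
{"@timestamp": "2019-11-05T09:13:44Z", "user": "bob", "role": "ops", "remote": "10.0.9.2", "path": "/logs-*/_search", "indices": ["logs-2019.11.05"]}
{"@timestamp": "2019-11-05T17:58:10Z", "user": "bob", "role": "ops", "remote": "10.0.9.2", "path": "/*/_search", "indices": ["logs-2019.11.05", "mydata", "hr-salaries"]}
{"@timestamp": "2019-11-06T08:02:30Z", "user": "alice", "role": "analyst", "remote": "10.0.4.17", "path": "/hr-salaries/_search", "indices": ["hr-salaries"]}
"""

# Constructed least-privilege roles: the index patterns each role is meant to read.
ROLE_INDEX_PATTERNS = {"analyst": ["mydata"], "ops": ["logs-*"]}


def parse_audit_log(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def permitted(role: str, index: str) -> bool:
    return any(fnmatch.fnmatchcase(index, p) for p in ROLE_INDEX_PATTERNS.get(role, []))


def find_violations(records: list) -> list:
    """Two least-privilege findings: a request that reached an index outside the
    user's role (the role is too broad, or enforcement failed), and a search sent
    to every index ('*' or '_all'), the pattern shown on the slide."""
    findings = []
    for r in records:
        outside = sorted(i for i in r["indices"] if not permitted(r["role"], i))
        if outside:
            findings.append((r["@timestamp"], r["user"], "outside-role", outside))
        if r["path"].split("/")[1] in ("*", "_all"):
            findings.append((r["@timestamp"], r["user"], "cluster-wide-search", sorted(r["indices"])))
    return findings


def access_history(records: list, index: str) -> list:
    """Who accessed one index, when and from where: the three questions on the slide."""
    return [(r["@timestamp"], r["user"], r["remote"]) for r in records if index in r["indices"]]


if __name__ == "__main__":
    recs = parse_audit_log(AUDIT_LOG)
    for finding in find_violations(recs):
        print("FINDING", *finding)
    for when, who, where in access_history(recs, "hr-salaries"):
        print("hr-salaries accessed", when, "by", who, "from", where)
```

The record carries the resolved index list rather than only the URL, because a path such as /*/_search says nothing about which data was returned; with least privilege enforced at the datastore the same wildcard would have resolved to the ops user's logs-* indices only, and the third record would still be flagged as a cluster-wide search but no longer as an out-of-role access.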
APPROACHES
Identify the protect surface
most critical data, assets, applications and services (DAAS)
Map the transaction flows
interdependencies between the DAAS, infrastructure, services and users
Build a Zero Trust architecture
move controls as close to protect surface as possible
Create Zero Trust policy
Least privileges approach
Monitor and maintain
THE MICRO-PERIMETER
“Move controls as close to protect surface as possible”
as close to the data and services as possible
every device, every data source
effectively creating a “Micro-Perimeter”
Micro-Perimeter moves with the protect surface
THE MICRO-PERIMETER
Diagram: one large perimeter drawn around several Elasticsearch clusters, contrasted with micro-perimeters drawn around each Elasticsearch instance.
CHALLENGES
It’s a concept, not a blueprint
Everybody is talking about ZTN, but there is no agreed-upon general definition
Paradigm shift
No single technical solution
Diverse infrastructures, diverse technologies, no one size fits all
Processes matter
Least privileges approach
Costly
But: Data breaches more costly
EXAMPLE: ELASTICSEARCH
Diagram: requests from any location and any device reach the Data Lake (Elasticsearch) over HTTPS. Controls applied at the data:
TLS: validate certificates, hostname verification, DNS lookups, authentication, certificate revocation
RBAC: role-based access control, least privilege approach, no defaults
Document-level and field-level security: filtering, anonymization
Data audit: logs, track access, monitor anomalies, alerting
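The document-level and field-level items above are the controls that sit closest to the data. The following is an added example, not code from the slides or from Search Guard, showing what they do to a set of search hits: a document-level filter drops hits the role may not see, a field-level whitelist drops fields, and one field is returned only as a keyed pseudonym. The hits, the role support_ca, its filter and the HMAC key are constructed; the filter evaluator supports only the single term clause used here.

```python
"""Added example (not from the slides or from Search Guard): document-level and
field-level security applied to search hits, with anonymization of a field a role
may see only in pseudonymous form.  Documents, role and key are constructed."""
import hashlib
import hmac

# Constructed hits, shaped like a search response from the data store.
HITS = [
    {"_id": "1", "_source": {"customer": "Anna Example", "email": "anna@example.com",
                             "country": "CA", "order_total": 120.5, "card_number": "4111111111111111"}},
    {"_id": "2", "_source": {"customer": "Ben Example", "email": "ben@example.com",
                             "country": "DE", "order_total": 80.0, "card_number": "4222222222222"}},
    {"_id": "3", "_source": {"customer": "Cleo Example", "email": "cleo@example.com",
                             "country": "CA", "order_total": 15.0, "card_number": "4333333333333333"}},
]

# Constructed role: Canadian support sees only Canadian orders (DLS), only the listed
# fields (FLS), and the e-mail only as a pseudonym (anonymization).
ROLES = {
    "support_ca": {
        "dls": {"term": {"country": "CA"}},
        "fls": ["customer", "email", "order_total"],
        "anonymize": ["email"],
    }
}
# Constructed HMAC key; in a real deployment it comes from the security configuration.
ANON_KEY = b"example-anonymization-key"


def matches_dls(doc: dict, dls_query: dict) -> bool:
    """Minimal document-level filter: one 'term' clause, the shape used above.  A real
    implementation evaluates the full query DSL against each hit (or rewrites the search)."""
    field, value = next(iter(dls_query["term"].items()))
    return doc.get(field) == value


def pseudonymize(value) -> str:
    """Keyed hash: the same input yields the same token across hits, so joins and
    counts still work, while the plaintext cannot be recovered without the key."""
    return hmac.new(ANON_KEY, str(value).encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def apply_role(hits: list, role_name: str) -> list:
    """Apply DLS, then FLS, then anonymization, in that order, to a list of hits."""
    role = ROLES[role_name]
    out = []
    for hit in hits:
        src = hit["_source"]
        if not matches_dls(src, role["dls"]):
            continue                                        # DLS: drop the whole document
        visible = {k: v for k, v in src.items() if k in role["fls"]}   # FLS: whitelist
        for field in role["anonymize"]:
            if field in visible:
                visible[field] = pseudonymize(visible[field])         # keyed pseudonym
        out.append({"_id": hit["_id"], "_source": visible})
    return out


if __name__ == "__main__":
    for hit in apply_role(HITS, "support_ca"):
        print(hit["_id"], hit["_source"])
```

The order matters: the document filter runs first so that a field the role cannot see (country) can still decide whether the document is returned at all, and the card number never leaves the data store because field-level security is a whitelist rather than a list of fields to strip.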
MAIN TAKEAWAY
Trust no one
Assume the attacker is already in your network
SEARCH GUARD
Send us a message: info@search-guard.com
floragunn GmbH
Tempelhofer Ufer 16
D-10963 Berlin, Germany
E-Mail: info@search-guard.com
Web: search-guard.com
Managing Directors: Claudia Kressin, Jochen Kressin
Registry court: Amtsgericht Charlottenburg
Registration number: HRB 147010 B
E-Mail: info@floragunn.com
Search Guard is a trademark of floragunn GmbH, registered in the U.S. and in other countries.
Elasticsearch, Kibana, Logstash, and Beats are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.
floragunn GmbH is not affiliated with Elasticsearch BV.
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
 
Migration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptx
Migration From CH 1.0 to CH 2.0 and  Mule 4.6 & Java 17 Upgrade.pptxMigration From CH 1.0 to CH 2.0 and  Mule 4.6 & Java 17 Upgrade.pptx
Migration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptx
 
The Comprehensive Guide to Validating Audio-Visual Performances.pdf
The Comprehensive Guide to Validating Audio-Visual Performances.pdfThe Comprehensive Guide to Validating Audio-Visual Performances.pdf
The Comprehensive Guide to Validating Audio-Visual Performances.pdf
 
ppt on the brain chip neuralink.pptx
ppt  on   the brain  chip neuralink.pptxppt  on   the brain  chip neuralink.pptx
ppt on the brain chip neuralink.pptx
 
🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻
🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻
🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻
 
The Role of DevOps in Digital Transformation.pdf
The Role of DevOps in Digital Transformation.pdfThe Role of DevOps in Digital Transformation.pdf
The Role of DevOps in Digital Transformation.pdf
 
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
 
Penify - Let AI do the Documentation, you write the Code.
Penify - Let AI do the Documentation, you write the Code.Penify - Let AI do the Documentation, you write the Code.
Penify - Let AI do the Documentation, you write the Code.
 
Mobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona InfotechMobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona Infotech
 
ACE - Team 24 Wrapup event at ahmedabad.
ACE - Team 24 Wrapup event at ahmedabad.ACE - Team 24 Wrapup event at ahmedabad.
ACE - Team 24 Wrapup event at ahmedabad.
 
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
 
Stork Product Overview: An AI-Powered Autonomous Delivery Fleet
Stork Product Overview: An AI-Powered Autonomous Delivery FleetStork Product Overview: An AI-Powered Autonomous Delivery Fleet
Stork Product Overview: An AI-Powered Autonomous Delivery Fleet
 
Upturn India Technologies - Web development company in Nashik
Upturn India Technologies - Web development company in NashikUpturn India Technologies - Web development company in Nashik
Upturn India Technologies - Web development company in Nashik
 
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
 
bgiolcb
bgiolcbbgiolcb
bgiolcb
 

OSMC 2019 | Zero Trusted Networks – why Perimeter Security is dead by Jochen Kressin

  • 1. SEARCH GUARD
    ZERO TRUSTED NETWORKS
    OR: WHY PERIMETER SECURITY IS DEAD
    © 2018 floragunn GmbH - All Rights Reserved
  • 2. ABOUT ME
    Jochen Kressin, Co-Founder of floragunn GmbH
    Makers of Search Guard
    Enterprise Security Suite (and Alerting) for the Elastic Stack
    Founded 2012
    Main office: Berlin, Germany
    Partner offices: Seattle, New York, Miami, Bordeaux, Mexico
  • 3. WHY THIS TOPIC?
    I talk a lot to customers that are using Elasticsearch
    Most of them store sensitive data inside Elasticsearch
    Personally identifiable information: user or customer data
    Financial information: transaction data
    Healthcare information: patient data
    Elasticsearch does not / did not offer security out-of-the-box
    Natural question: How do you secure Elasticsearch?
    Answers are scary …
  • 4. ANSWERS
    (diagram) Evil Internet -> Elasticsearch holding Sensitive Data, in three variants:
    Elasticsearch: “It’s unprotected”
    Elasticsearch: “Firewall”
    Elasticsearch: “VPN and Firewall”
  • 5. PERIMETER SECURITY
    (diagram) Evil Internet -> Firewall -> Loadbalancer -> Elasticsearch (Data Lake)
    Traffic along the path labelled HTTPS, HTTPS, HTTPS, HTTP
    Zones: “Untrusted” outside the firewall, “Trusted Perimeter” inside
  • 6. ASSUMPTIONS
    Traffic from the outside cannot be trusted
    Traffic inside the perimeter can be trusted
    Access to the perimeter can be controlled
    Consequences:
    VPNs, firewalls and loadbalancers are sufficient
    At any point in time, we know who has access to the data
    Traffic inside the VPN does not need to be encrypted end-to-end
    Performance is more important than encryption
    Security breaches will be detected
  • 7. MAIN QUESTION
    Does perimeter security (still) work?
    If it works, why do we still suffer from security breaches and data loss?
  • 8. REALITY CHECK
    Data breach @ Exactis [1]
    Close to 340 million personal records leaked
    Phone number, home address, number, age and gender of children
    “It seems like this is a database with pretty much every U.S. citizen in it”
    Elasticsearch cluster publicly accessible
    Perimeter not secured at all
    [1] https://www.pymnts.com/legal/2018/exactis-data-breach-class-action-lawsuit/
  • 9. REALITY CHECK
    Data breach @ Apple [1]
    Customer data stolen from Apple internal database
    By 22 companies working as distributors in China
    Sold on Chinese black market for 7 million USD
    Access to internal data granted for business partners
    Attacker inside the perimeter
    [1] https://www.nytimes.com/2017/06/09/business/china-apple-personal-data-sold.html
  • 10. REALITY CHECK
    Data breach @ Best Western [1]
    Customer booking details leaked
    Autoclerk, a hotel reservations system, exposed 179 GB of data
    Data of external client platforms exposed as well
    Name, date of birth, home address, travel dates
    Unsecured Elasticsearch cluster hosted on AWS
    One platform, multiple clients' data
    How is the perimeter defined?
    [1] https://siliconangle.com/2019/10/21/customer-data-best-western-hotels-exposed-massive-data-breach/
  • 11. REALITY CHECK
    Data breach @ Yves Rocher [1]
    Data of 2.5 million Canadian customers of Yves Rocher exposed
    6 million orders exposed
    Names, home address, phone number, email
    Internal data: store traffic, turnover, order volumes
    Unsecured Elasticsearch cluster set up / operated (?) by Aliznet
    “The data breach impacts Aliznet’s clients who placed their trust in the company to protect their sensitive information. One concern is that Aliznet may have other unsecured databases and applications that haven’t been discovered yet. That means other clients of Aliznet may be at risk.”
    [1] https://threatpost.com/data-leak-impacts-millions/147908/
  • 12. REALITY CHECK
    Data breach @ OneLogin [1]
    Password and identity management platform
    Attacker obtained keys for the AWS-hosted platform “from an intermediate host”
    “Attacker may have obtained the ability to decrypt some information”
    Customers have been advised to … change all passwords, create new OAuth tokens, create new certificates
    One stolen key to rule them all
    [1] https://www.zdnet.com/article/onelogin-security-chief-new-details-data-breach/
  • 13. FIRST REACTION
    Dumb admins are too stupid to protect sensitive data
    Really?
    Perimeter security is broken
  • 14. WHAT HAS CHANGED?
    Access control: partners, distributors, freelancers, part-time contractors etc.
    These are all potential inside threats
    Locations: remote offices, remote workers
    Devices: laptops, smartphones, tablets
    Bring your own device
  • 15. WHAT HAS CHANGED?
    Cloud computing: cloud storage, microservices, SaaS / PaaS / IaaS
    Containerization: Docker, Kubernetes etc.
    How to apply IP-based security?
    Decentralized systems / clusters
    Internet of Things
  • 16. WHERE IS THE PERIMETER NOW?
    (diagram) Office, Internet, Anywhere, Cloud Storage, SaaS, PaaS, Datacenter, all connected to Elasticsearch
  • 17. PERIMETER SECURITY REVISITED
    (diagram, as on slide 5) Evil Internet -> Firewall -> Loadbalancer -> Elasticsearch (Data Lake)
    Traffic along the path labelled HTTPS, HTTPS, HTTPS, HTTP
    Zones: “Untrusted” outside the firewall, “Trusted Perimeter” inside
  • 18. ZERO TRUSTED NETWORK
    (diagram) Office, Internet, Anywhere, Datacenter, Cloud Storage, SaaS, Elasticsearch: everything is “Untrusted”
  • 19. FACT CHECK
    Companies do not have full control anymore
    Explosion of devices and locations
    Data and services are moving to the cloud
    Internet of Things
    Inside attacks are ever increasing
    60% of attacks originated from the inside (IBM study 2016)
    Attacks via social engineering
    Angry employees, partners, freelancers etc.
    Lines between inside and outside are blurry at best
  • 20. PARADIGM SHIFT
    No traffic can be trusted
    Regardless where it originates
    Regardless from which device
    No IP / port / application can be trusted
    Cloud, containers, IoT
    Traditional firewall approach flawed
    No user can be trusted
    Beware of inside attacks
    Outside personnel
  • 21. PARADIGM SHIFT
    Move security to where the data lives
    No unsecured services, not even in a VPN
    No unencrypted traffic, anywhere, not even in a VPN
    Assume attackers are already in your network
    Never trust, always verify
    Apply least privilege strategies
    Inspect and log all traffic
  • 22. UNENCRYPTED TRAFFIC: CLIENT ACCESS
    (diagram) Internet / Office / … -HTTPS-> Proxy / Loadbalancer (terminates TLS) -HTTP-> Elasticsearch (Data Lake)
  • 23. ACCESS CONTROL OUTSIDE DATASTORE
    (diagram) Internet / Office / … -HTTPS-> Proxy (TLS passthrough, implements ACL) -HTTPS-> Elasticsearch (Data Lake)
    ACL is URL based. Index expressions such a URL check has to cope with:
    Index alias
    Wildcard index names
    Date math index names
    Bulk API
    Multi Get / Multi Search
    https://sgssl-0.example.com:9200/mydata-*/_search
    https://sgssl-0.example.com:9200/mydata/_search
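The URL-based ACL problem of slide 23, worked through as an added example in Python. This is not code from the talk or from Search Guard; the rule `naive_url_acl`, the request paths and the request bodies are all constructed. `naive_url_acl` models a proxy that allows any path starting with `/mydata`; `strict_acl` models what a check outside the datastore would at least have to do (look at every index expression in the path and in the body of `_msearch`, `_mget` and `_bulk`, and refuse anything Elasticsearch would expand server-side). Even then it cannot resolve an alias, which only the cluster knows about.

```python
"""Added example (not from the talk or from Search Guard): why an access
control list that looks only at the request URL cannot reliably restrict
which Elasticsearch indices a request touches, and what a target-aware
check has to look at instead.  All paths and bodies are constructed.
"""
import json
import re
from typing import Any, Iterable, Set
from urllib.parse import unquote

ALLOWED_INDEX = "mydata"  # the one index this client is supposed to read

# Endpoints that carry their index targets in an NDJSON/JSON body.
BODY_TARGET_ENDPOINTS = {"_msearch", "_mget", "_bulk"}


def naive_url_acl(path: str) -> bool:
    """A proxy rule of the form 'allow if the path starts with /mydata'.
    This is the URL-based ACL the slide lists the pitfalls for."""
    return path.startswith("/" + ALLOWED_INDEX)


def _path_segments(path: str):
    """Split the path on '/', but not inside <...> date math such as
    <mydata-{now/d}>, which itself contains a slash."""
    path = unquote(path.split("?", 1)[0])
    return [s for s in re.split(r"/(?![^<]*>)", path) if s]


def _indices_in(obj: Any) -> Iterable[str]:
    """Yield every 'index' / '_index' value found anywhere in a parsed body
    (_msearch headers, _bulk action lines, _mget docs).  Over-approximates:
    a query field that happens to be called 'index' is reported too, which
    errs on the side of denying."""
    if isinstance(obj, dict):
        for key in ("index", "_index"):
            val = obj.get(key)
            if isinstance(val, str):
                yield val
            elif isinstance(val, list):
                yield from (v for v in val if isinstance(v, str))
        for val in obj.values():
            yield from _indices_in(val)
    elif isinstance(obj, list):
        for val in obj:
            yield from _indices_in(val)


def request_targets(path: str, body: str = "") -> Set[str]:
    """Collect every index expression the request names, from the path
    and, for body-driven endpoints, from each JSON line of the body."""
    segments = _path_segments(path)
    targets: Set[str] = set()
    if segments and not segments[0].startswith("_"):
        targets.update(segments[0].split(","))  # "/a,b/_search" names two indices
    endpoint = next((s for s in segments if s.startswith("_")), None)
    if endpoint in BODY_TARGET_ENDPOINTS:
        for line in body.splitlines():
            if line.strip():
                targets.update(_indices_in(json.loads(line)))
    return targets


def is_concrete(expr: str) -> bool:
    """True only for a plain index name: no wildcard, no date math
    (<name-{now/d}>), no comma list, no '-' exclusion prefix."""
    return re.search(r"[*?<>{},]", expr) is None and not expr.startswith("-")


def strict_acl(path: str, body: str = "", allowed: Set[str] = frozenset({ALLOWED_INDEX})) -> bool:
    """Allow only when every named target is a concrete name in `allowed`.
    An alias cannot be resolved here at all: only the datastore knows what
    it points to, which is why the talk moves the control into it."""
    targets = request_targets(path, body)
    if not targets:
        return False  # nothing named: an all-indices search or a cluster call
    return all(is_concrete(t) and t in allowed for t in targets)


# Constructed sample requests.  The body-driven ones stay under /mydata/
# in the URL but name another index in the body.
MSEARCH_BODY = '{"index": "customers"}\n{"query": {"match_all": {}}}\n'
BULK_BODY = '{"index": {"_index": "customers", "_id": "1"}}\n{"name": "x"}\n'
SAMPLE_REQUESTS = [
    ("/mydata/_search", ""),
    ("/mydata-*/_search", ""),
    ("/<mydata-{now/d}>/_search", ""),
    ("/mydata/_msearch", MSEARCH_BODY),
    ("/mydata/_bulk", BULK_BODY),
    ("/*/_search", ""),
]


def compare(requests=SAMPLE_REQUESTS):
    """Return (path, url_acl_decision, target_aware_decision) per request."""
    return [(p, naive_url_acl(p), strict_acl(p, b)) for p, b in requests]


if __name__ == "__main__":
    for path, naive, strict in compare():
        print(f"{path:28} url-acl={naive!s:5} target-aware={strict}")
```

Running it shows the URL rule waving through the wildcard, `_msearch` and `_bulk` requests that name a second index, while the target-aware check only accepts the exact `/mydata/_search`. The remaining gap (aliases) is not closable in front of the cluster, which is the slide's argument for enforcing access control in the datastore itself.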
  • 24. © 2018 floragunn GmbH - All Rights Reserved UNENCRYPTED TRAFFIC: INTER-CLUSTER 23. Node 1 Elasticsearch Elasticsearch Elasticsearch Node 2 Node 3 Internet / Office / … HTTPS Proxy / Loadbalancer TLS Passthrough HTTPS
  • 25. © 2018 floragunn GmbH - All Rights Reserved UNENCRYPTED TRAFFIC: INTER-CLUSTER 24. Node 1 Elasticsearch Elasticsearch Elasticsearch Node 2 Node 3 Elasticsearch Evil Node Data Replication Data Replication
  • 26. © 2018 floragunn GmbH - All Rights Reserved NO AUDIT LOGGING / MONITORING 25. Node 1 Elasticsearch Elasticsearch Elasticsearch Node 2 Node 3 Evil Employee https://sgssl-0.example.com:9200/logs/_search What data has been accessed? When has it been accessed? Who has accessed it?
  • 27. © 2018 floragunn GmbH - All Rights Reserved LEAST PRIVILEGES 26. Node 1 Elasticsearch Elasticsearch Elasticsearch Node 2 Node 3 Evil Employee https://sgssl-0.example.com:9200/*/_search What data has been accessed? When has it been accessed? Who has accessed it?
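Slides 26 and 27 ask what, when and who, and show a `/*/_search` that least privilege should never allow. The added Python example below answers those questions from an audit log and flags reads that exceed a user's entitlement. It is not code from the talk or from Search Guard: the one-JSON-object-per-line log format, the field names (`ts`, `user`, `action`, `indices`, `remote`), the events and the entitlement table are all constructed; map the fields to whatever your audit logger actually emits.

```python
"""Added example (not from the talk or from Search Guard): answering the
slide's three questions (what data, when, by whom) from an audit log and
flagging reads that exceed a user's entitlement.  The log format and all
events are constructed, not Search Guard's audit schema.
"""
import json
from collections import defaultdict
from fnmatch import fnmatchcase
from typing import Dict, List, Set, Tuple

# Constructed sample audit events.  `indices` holds the expression the
# client asked for (before server-side expansion), so wildcards stay
# visible.  Action names follow Elasticsearch's indices:data/... scheme.
SAMPLE_AUDIT_LOG = """\
{"ts": "2019-11-05T09:12:01Z", "user": "alice", "action": "indices:data/read/search", "indices": ["logs"], "remote": "10.0.1.15"}
{"ts": "2019-11-05T09:13:44Z", "user": "bob", "action": "indices:data/read/search", "indices": ["logs"], "remote": "10.0.1.22"}
{"ts": "2019-11-05T09:14:02Z", "user": "bob", "action": "indices:data/read/search", "indices": ["customers"], "remote": "10.0.1.22"}
{"ts": "2019-11-05T09:14:30Z", "user": "bob", "action": "indices:data/read/search", "indices": ["*"], "remote": "10.0.1.22"}
{"ts": "2019-11-05T09:20:11Z", "user": "alice", "action": "indices:data/write/index", "indices": ["logs"], "remote": "10.0.1.15"}
"""

# Least-privilege entitlements (constructed): which indices a user may read.
ENTITLEMENTS: Dict[str, Set[str]] = {
    "alice": {"logs"},
    "bob": {"logs"},
}


def load_events(text: str) -> List[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def sample_events() -> List[dict]:
    return load_events(SAMPLE_AUDIT_LOG)


def _touches(event: dict, index: str) -> bool:
    """Does the event's index expression cover `index`?  A wildcard such
    as '*' counts, since it reads that index too."""
    return any(fnmatchcase(index, pattern) for pattern in event["indices"])


def who_accessed(events: List[dict], index: str) -> List[Tuple[str, str, str]]:
    """(user, timestamp, action) for every event touching `index`,
    oldest first: the who / when / what of the slide."""
    hits = [(e["user"], e["ts"], e["action"]) for e in events if _touches(e, index)]
    return sorted(hits, key=lambda h: h[1])


def access_summary(events: List[dict]) -> Dict[str, Dict[str, int]]:
    """user -> index expression -> number of events naming it."""
    summary: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for e in events:
        for idx in e["indices"]:
            summary[e["user"]][idx] += 1
    return {user: dict(counts) for user, counts in summary.items()}


def find_violations(events: List[dict], entitlements: Dict[str, Set[str]]) -> List[str]:
    """Flag reads of indices outside the user's entitlement and any
    wildcard read.  With least privilege enforced in the cluster these
    should not succeed at all, so their presence in the log means a role
    is broader than the entitlement table says."""
    findings = []
    for e in events:
        if not e["action"].startswith("indices:data/read/"):
            continue
        for idx in e["indices"]:
            if any(c in idx for c in "*?"):
                findings.append(f'{e["ts"]} {e["user"]} wildcard read "{idx}" from {e["remote"]}')
            elif idx not in entitlements.get(e["user"], set()):
                findings.append(f'{e["ts"]} {e["user"]} read "{idx}" outside entitlement from {e["remote"]}')
    return findings


if __name__ == "__main__":
    events = sample_events()
    print("who touched customers:", who_accessed(events, "customers"))
    print("per-user summary:", access_summary(events))
    for finding in find_violations(events, ENTITLEMENTS):
        print("FINDING:", finding)
```

`who_accessed` deliberately counts a `*` read against every index, because that is what it read; `find_violations` reports the same `*` once as a wildcard finding rather than once per index, which keeps the alert volume readable when reviewing a large log.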
  • 28. APPROACHES
    Identify the protect surface: most critical data, assets, applications and services (DAAS)
    Map the transaction flows: interdependencies between the DAAS, infrastructure, services and users
    Build a Zero Trust architecture: move controls as close to the protect surface as possible
    Create a Zero Trust policy: least privileges approach
    Monitor and maintain
  • 29. THE MICRO-PERIMETER
    “Move controls as close to protect surface as possible”
    As close to the data and services as possible
    Every device, every data source
    Effectively creating a “Micro-Perimeter”
    The Micro-Perimeter moves with the protect surface
  • 30. THE MICRO-PERIMETER
    (diagram) Elasticsearch behind one Perimeter vs. Elasticsearch with Micro Perimeters
  • 31. CHALLENGES
    It’s a concept, not a blueprint
    Everybody is talking about ZTN, but there is no agreed-upon general definition
    Paradigm shift
    No single technical solution
    Diverse infrastructures, diverse technologies, no one size fits all
    Processes matter
    Least privileges approach
    Costly
    But: data breaches are more costly
  • 32. EXAMPLE: ELASTICSEARCH
    (diagram) Any location / Any device -HTTPS-> Elasticsearch (Data Lake), with these controls:
    TLS: validate certificates, hostname verification, DNS lookups, authentication, certificate revocation
    RBAC: role-based access control, least privilege approach, no defaults
    Data: document-level, field-level, filtering, anonymization
    Audit Logs: track access, monitor anomalies, alerting
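Slide 22 (TLS terminated at the proxy, plain HTTP to the node), slide 25 (an unknown node receiving replicas) and the TLS column of slide 32 all come down to a handful of node settings. The added Python example below lints a constructed `elasticsearch.yml` for them, with the weak configuration beside the hardened one. It is not code from the talk or from Search Guard; the `searchguard.ssl.*` and `searchguard.disabled` setting names are Search Guard settings as the author of this example understands them (verify them against the documentation of the version you run), and both configurations are constructed.

```python
"""Added example (not from the talk or from Search Guard): a small linter
for the node settings that decide whether traffic to and between
Elasticsearch nodes is encrypted and whether peers are verified.  Setting
names are Search Guard settings as understood by the author of this
example; check them against your version's documentation.  Both
configurations are constructed.
"""
from typing import Dict, List

WEAK_CONFIG = """\
# elasticsearch.yml (constructed): TLS terminated at the loadbalancer,
# plain HTTP between loadbalancer and node, no peer hostname checks
cluster.name: data-lake
network.host: 0.0.0.0
searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: false
"""

HARDENED_CONFIG = """\
# elasticsearch.yml (constructed): TLS on both the REST and the transport
# layer, peers verified by hostname and resolved via DNS
cluster.name: data-lake
network.host: 0.0.0.0
searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: true
searchguard.ssl.transport.resolve_hostname: true
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
"""

# key -> what is wrong when it is not explicitly "true"
MUST_BE_TRUE = {
    "searchguard.ssl.http.enabled":
        "REST traffic reaches the node unencrypted (slide 22: TLS ends at the proxy)",
    "searchguard.ssl.transport.enforce_hostname_verification":
        "node certificates are not matched against the peer's hostname "
        "(slide 25: any certificate from the CA would let a node join)",
    "searchguard.ssl.transport.resolve_hostname":
        "peer hostnames are not resolved, so verification compares only IP addresses",
}
MUST_NOT_BE_TRUE = {
    "searchguard.disabled": "the security plugin is switched off entirely",
}
MUST_BE_PRESENT = (
    "searchguard.ssl.transport.pemtrustedcas_filepath",  # the CA node certificates must chain to
)


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat 'key: value' lines elasticsearch.yml normally consists
    of; nested YAML is out of scope for this example."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_config(text: str) -> List[str]:
    """Return one finding per weak or missing setting.  An absent key is a
    finding rather than trusting a plugin default, so the policy is visible
    in the file itself."""
    s = parse_flat_yaml(text)
    findings = []
    for key, why in MUST_BE_TRUE.items():
        if s.get(key, "").lower() != "true":
            findings.append(f"{key} is {s.get(key, 'unset')}: {why}")
    for key, why in MUST_NOT_BE_TRUE.items():
        if s.get(key, "").lower() == "true":
            findings.append(f"{key} is true: {why}")
    for key in MUST_BE_PRESENT:
        if key not in s:
            findings.append(f"{key} is unset: no trusted CA pinned for node certificates")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_config(cfg) or ['no findings']}")
```

The linter reports an absent key as a finding on purpose: relying on the plugin's default leaves the encryption policy invisible to whoever reads the file during an audit, and a default can change between versions.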
  • 33. MAIN TAKEAWAY
    Trust no one
    Assume the attacker is already in your network
  • 34. SEARCH GUARD
    Send us a message: info@search-guard.com
  • 35. floragunn GmbH
    Tempelhofer Ufer 16, D-10963 Berlin, Germany
    E-Mail: info@search-guard.com
    Web: search-guard.com
    Managing Directors: Claudia Kressin, Jochen Kressin
    Register court: Amtsgericht Charlottenburg
    Registration number: HRB 147010 B
    E-Mail: info@floragunn.com
    Search Guard is a trademark of floragunn GmbH, registered in the U.S. and in other countries. Elasticsearch, Kibana, Logstash, and Beats are trademarks of Elasticsearch BV, registered in the U.S. and in other countries. floragunn GmbH is not affiliated with Elasticsearch BV.