Idea of Zero Trust
Frameworks e.g. NIST framework
Building a Zero Trust Architecture
Building Tech stack for transition to Zero Trust Architecture
Building Tech stack for directly implementing Zero Trust Architecture
2. Build Tangible Community Goods
Through Sharing & Collaboration
Frameworks, Checklists, Playbooks...
3. CISO Platform Vision
• Build tangible community goods
• What our community has achieved:
• 300+ check-lists, frameworks & playbooks
• Platform for comparing security products
• Task force initiatives to solve specific industry problems
• Kids’ cyber safety initiatives
4. Today’s Goal: Build a Tangible Community Good
Deliverable: Documented Discussion on Playbook for Zeroing-In on Zero Trust Security
Key Discussion Points:
■ Idea of Zero Trust
■ Frameworks e.g. NIST framework
■ Building a Zero Trust Architecture
■ Building Tech stack for transition to Zero Trust Architecture
■ Building Tech stack for directly implementing Zero Trust Architecture
5. Zero Trust Agenda
■ What is zero trust?
■ Scope, Applicability, Use Cases
■ Readiness Assessment
■ Reference Architecture: Tech Stack
6. What is zero trust? Why?
■ Security model that assumes no trust in any of the elements in the
architecture
■ From “Trust but verify” to “Don’t trust, always verify”
■ NIST Definition
– “Zero trust (ZT) is the term for an evolving set of cybersecurity
paradigms that move network defenses from static, network-based
perimeters to focus on users, assets, and resources. A zero trust
architecture (ZTA) uses zero trust principles to plan enterprise
infrastructure and workflows. Zero trust assumes there is no implicit
trust granted to assets or user accounts based solely on their physical
or network location (i.e., local area networks versus the internet).
Authentication and authorization (both user and device) are discrete
functions performed before a session to an enterprise resource is
established.”
7. Scope, Applicability, Use Cases
■ Seamless user experience
– If implemented right, Zero trust models can create a seamless user
experience
■ Performance
– Zero trust may increase computational load and may decrease
performance. However, a balance can be achieved through proper
design
■ Minimize risk posture
■ Consistent security posture
■ Scalability and extensibility of common security model across all users and
systems
8. Constituents of Tech Stack
■ Tech Stack: There can be multiple elements in the tech stack. The following are
some of the components discussed:
– Network Segmentation/Micro segmentation Tool
– Network Monitoring & Visibility
– Cloud workload protection
– Trust Verifier or Access Control
10. Reference Architecture
■ Google BeyondCorp
– One of the pioneers of Zero Trust Network Architecture
– https://research.google/pubs/pub43231/
■ NIST Draft Architecture: NIST 800-207
– NIST recently published a draft reference architecture model
– https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207-draft2.pdf
11. Reference Architecture - Contd...
■ Approach
– Create asset and entity list & compliance requirements
– Create access policies
– Validate / Threat modelling using kill chain
– Use any of the above models to build the architecture
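The approach above as a minimal policy decision sketch (an added example, not part of the original slides): an asset list, access policies, a default-deny decision that authenticates user and device separately and ignores network location, and a validation pass over the inventory. The asset names, roles, policy fields and function names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed inventory and policies (assumptions, not taken from the slides).
ASSETS = {"payroll-db", "wiki", "build-server"}
POLICIES = [
    {"resource": "payroll-db", "roles": {"finance"}, "mfa": True},
    {"resource": "wiki", "roles": {"finance", "engineering"}, "mfa": False},
]

@dataclass(frozen=True)
class AccessRequest:
    role: str
    resource: str
    user_authenticated: bool
    mfa_passed: bool
    device_authenticated: bool
    device_compliant: bool
    source_network: str  # kept for logging; never used to grant trust

def decide(req):
    """Return (allowed, reason) for one session request. Default is deny."""
    if req.resource not in ASSETS:
        return False, "unknown resource"
    # User and device are authenticated as separate checks before any session.
    if not req.user_authenticated:
        return False, "user not authenticated"
    if not req.device_authenticated:
        return False, "device not authenticated"
    if not req.device_compliant:
        return False, "device not compliant"
    for policy in POLICIES:
        if policy["resource"] == req.resource and req.role in policy["roles"]:
            if policy["mfa"] and not req.mfa_passed:
                return False, "mfa required"
            return True, "policy match"
    return False, "no matching policy"

def uncovered_assets():
    """Validation step: inventory entries that no access policy covers."""
    return sorted(ASSETS - {p["resource"] for p in POLICIES})

if __name__ == "__main__":
    base = dict(role="finance", resource="payroll-db", user_authenticated=True,
                mfa_passed=True, device_authenticated=True, device_compliant=True)
    print(decide(AccessRequest(source_network="internet", **base)))
    base["device_authenticated"] = False
    print(decide(AccessRequest(source_network="corp-lan", **base)))
    print("no policy for:", uncovered_assets())
```

A request from the internet that passes every check is allowed, while the same user on the corporate LAN with an unauthenticated device is denied.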