As security threats continue to evolve and increase, companies also need to adapt their approach to IT security. One important concept that is gaining in popularity and adoption is zero trust security. The main concept behind the zero trust security model is "never trust, always verify," which means that devices should not be trusted by default, even if they are connected to a permissioned network such as a corporate LAN, and even if they were previously verified.
Zero trust means moving beyond a perimeter security strategy. As companies offer customers and business partners new digital experiences and processes, networks can be local, in the cloud, or a hybrid combination, with resources anywhere and workers in any location. This dynamic is affecting IBM i customers, and zero trust security is an important element of a modern security strategy.
Join us for this webcast to hear about:
• Understanding zero trust security concepts
• Zero trust security in the real world
• Zero trust security for IBM i environments
2. Housekeeping
Webinar Audio
• Today’s webcast audio is streamed through your computer speakers
• If you need technical assistance with the web interface or audio, please reach out to us using the Q&A box
Questions Welcome
• Submit your questions at any time during the presentation using the Q&A box. If we don't get to your question, we will follow up via email
Recording and slides
• This webinar is being recorded. You will receive an email following the webinar with a link to the recording and slides
3. Agenda
• Overview of Zero Trust
• Comparing The Different Models
• Zero Trust In Practice
• NIST Lab
• Cisco Case Study
• Zero Trust for IBM i
4. Some Background: Zero Trust 101
• Zero trust is a set of principles used when designing, implementing and operating an infrastructure
• Want to reduce implicit trust between enterprise systems
Diagram: Untrusted Zone → Policy Decision/Enforcement Point (PDP/PEP) → Implicit Trust Zone → Resource (System, Data or Application)
Timeline:
• 2005: Jericho Forum, De-perimeterization
• 2010: Forrester coins “Zero Trust”
• 2014: Google releases “BeyondCorp” papers
• 2018: Gartner coins “Lean Trust”
• 2019: NIST releases draft SP 800-207
6. A System of Systems: NIST SP 800-207 Definition of Terms
Zero Trust Functional Components
• PE: Policy Engine - "The Brains"
• PA: Policy Administrator - "The Executor"
• PEP: Policy Enforcement Point - "The Guard"
• PIP: Policy Information Points* - "The Advisors"
* Added in 2020
7. NIST’s Wholistic “System of Systems”
Enterprise policy is overarching management
• Multiple Policy Engines
• Multiple Policy Enforcement Points, each covering a portion of Zero Trust
  • ICAM: Identity & Credential Access Management
  • Endpoint Protection
  • Network Monitoring, etc.
Pros
• Satisfies security officers by securing access to IBM i systems and data
• Significantly reduces the time and cost of achieving regulatory compliance
• Enables implementation of security best practices
• Quickly detects security incidents so you can efficiently remediate them
• Has low impact on system performance
Cons
• Interoperability challenges
• Need centralized logs/SIEM
• May be difficult to diagnose issues
17. Cisco Goes From Zero to Hero in Five Months
Network Gateway Replaces VPN
• One ZTA To Rule Them All
Advanced MFA & Certs
• Posture Checks
• Certificate Checks
• No (Well… Fewer) Passwords
Certificate Management
• Device Certs
• User Certs
• Index of What is Associated with What
18. One Design Concept To Rule Them All
19. Network Gateway versus VPN?
21. The NIST Laundry List: What Did Cisco Actually Do?
Key: PE: Policy Engine - "The Brains"; PA: Policy Administrator - "The Executor"; PEP: Policy Enforcement Point - "The Guard"; PIP: Policy Information Points* - "The Advisors"
Endpoint security
• Application protection
• Device compliance
• Vulnerability / Threat mitigation
• Host intrusion protection system
• Host firewall
• Malware protection
• Encryption in transit
• Encryption at rest
Security analytics
• Network monitoring
• Endpoint monitoring
• Threat intelligence
• User behavior
• Correlation and analytics engine
Data security
• Data confidentiality
• Data integrity
• Data availability
ZT Core components (PE, PA, PEP)
• Enhanced identity governance (EIG)
• Software defined perimeter (SDP)
• Micro-segmentation
ICAM
• Identity management
• Access & credential management
• Federation
• Identity governance
Slide annotations: “A Bit Of This” (three times) and “Mostly This”
22. NIST Terminology Applied To Cisco
• Policy Engine: The Brains
• Policy Information: The Advisors
• Policy Administration: The Executor
• Policy Enforcement: The Brawn
• Policy Administration & Enforcement
24. What We Talk About When We Talk About Zero Trust
WEB INFRASTRUCTURE
- Internet Backbone
- Cloud
- Firewalls, Routers, Etc.
- Windows, Linux, Unix, SQL
ENDPOINTS
- PC’s
- Smartphones
- Internet of Things: smartcars, smartgrid, etc.
The Zero Trust Conversation Occurs Mostly Here
BIG IRON LEGACY
- IBM i
- Mainframe
- AIX
25. No More Perimeter: It’s Zero Trust
These Are No Longer Backend Systems
MODERNIZED HYBRID CLOUD
- IBM i
- Mainframe
- AIX
26. AS/400: Legacy of Over Trust
Single Vendor Architecture: The Green Screen Was A Castle
• Application Development Platform
• No PC’s
• No Internet
• Hardware upgradeable without changing the underlying applications
• The AS/400 was a self-enclosed castle
• Access Control design was completely self-contained
• It’s on the menu or it’s not
Either You’re On The Menu or You’re Off The Menu
PC’s… and The Internet!
• IBM adds Access Control for 3rd party solutions
• A lot of default settings still assume too much trust
• Open Protocols of the Internet assume trust
• IBM i is great… but most of the enterprise runs on Linux, Windows and in the cloud
• IBM i security tools need to integrate with other enterprise tools
  • SIEM
  • Identity Management
  • MFA
  • Etc.
27. Zero Trust For IBM i
Critical: Leverage Other Enterprise Solutions
IBM i side:
• Exit Points
• Access Control
• Network Segmentation
• Endpoint Risk Telemetry
• Privileged Access Policy
Enterprise solutions:
• Active Directory ???
• Advanced MFA: Azure, Okta, RSA, Duo, Etc.
• User & Device Certs
• SIEM: Splunk, Qradar, Etc.
• SOAR: Phantom, ServiceNow, AI/ML
• Policy Compliance
• Radius
• Some Single Point Of Truth Out There Somewhere, In The Cloud Perhaps?
29. Zero Trust For IBM i – Example #1: Encryption Key Management for Hybrid IBM i Cloud
Single Point of Trust for Encryption Keys
Diagram components:
• IBM i OS Level Field Encryption using FIELDPROC
• 3rd Party Key Manager
• Cloud Workloads
• Key Management Server
30. Zero Trust For IBM i – Example #1 (continued)
• Forrester Research: Data-Centric ZTX
31. Zero Trust For IBM i – Example #2: Privileged Access: After Hours Fire Call
Diagram components:
• Developer
• After Hours SysAdmin
• Network Gateway
• Identity Management
• Radius MFA Server
• Network Segmentation
• IBM i Privileged Access Manager
• ServiceNow ITOM Ticket
Trust Is Earned Not Assumed
32. Zero Trust For IBM i – Example #2 (continued)
• After Hours Access Requires A Validated Ticket
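The slides name the SP 800-207 roles (PE, PA, PEP, PIP, slide 6) and then apply them to the after-hours fire-call scenario (slides 31 and 32), but never show the two fitting together. The following is an added example written for this page; it is not code from the webinar, from NIST, or from any IBM i, Cisco or ServiceNow product. It models a Policy Engine that asks constructed stand-in Policy Information Points (MFA status, the device-certificate index, endpoint risk telemetry, and a change-ticket feed) before allowing a privileged request, a Policy Administrator that issues a short-lived HMAC session credential, and a Policy Enforcement Point (the network gateway or exit point) that only opens the session on that credential. The business-hours window, the admin segment name, the risk threshold, the user and device names, and the ticket `INC0001` are all assumptions made for the demo.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
import hashlib
import hmac

# Assumed policy constants (the webinar names the checks, not the thresholds).
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59; any other hour is "after hours"
ADMIN_SEGMENT = "admin-vlan"    # segment the gateway places validated admins on
MAX_ENDPOINT_RISK = 30          # endpoint risk telemetry score above this = deny

@dataclass
class AccessRequest:
    user: str
    device_id: str
    source_segment: str
    resource: str
    ticket: Optional[str]
    when: datetime

@dataclass
class Verdict:
    allow: bool
    reasons: list = field(default_factory=list)  # every failed check, for the SIEM
    token: str = ""                               # PA-issued credential when allowed

class PolicyInformationPoints:
    """The Advisors: feeds the PE consults instead of believing the request."""
    def __init__(self, mfa, device_certs, posture, tickets):
        self.mfa = mfa                    # user -> MFA completed? (RADIUS MFA stand-in)
        self.device_certs = device_certs  # device_id -> (bound user, expiry): the cert index
        self.posture = posture            # device_id -> risk score from endpoint telemetry
        self.tickets = tickets            # ticket -> (assignee, state, resource): ITOM stand-in

class PolicyEngine:
    """The Brains: allow only when every check passes; each failure is a reason."""
    def __init__(self, pips):
        self.pips = pips

    def evaluate(self, req):
        p, reasons = self.pips, []
        if not p.mfa.get(req.user):
            reasons.append("mfa not completed")
        cert = p.device_certs.get(req.device_id)
        if cert is None:
            reasons.append("no device certificate")
        else:
            owner, expiry = cert
            if owner != req.user:
                reasons.append("device certificate not bound to user")
            if expiry <= req.when:
                reasons.append("device certificate expired")
        risk = p.posture.get(req.device_id, 100)          # unknown device = worst case
        if risk > MAX_ENDPOINT_RISK:
            reasons.append(f"endpoint risk {risk} above {MAX_ENDPOINT_RISK}")
        if req.source_segment != ADMIN_SEGMENT:
            reasons.append(f"request from segment {req.source_segment!r}")
        if req.when.hour not in BUSINESS_HOURS:           # the after-hours fire call
            t = p.tickets.get(req.ticket or "")
            if t is None:
                reasons.append("after-hours access requires a validated ticket")
            elif t != (req.user, "approved", req.resource):
                reasons.append("ticket not approved for this user and resource")
        return Verdict(allow=not reasons, reasons=reasons)

class PolicyAdministrator:
    """The Executor: turns an allow into a short-lived, HMAC-protected credential."""
    def __init__(self, secret, ttl=timedelta(minutes=15)):
        self.secret, self.ttl = secret, ttl

    def issue(self, req):
        exp = int((req.when + self.ttl).timestamp())
        payload = f"{req.user}|{req.device_id}|{req.resource}|{exp}"
        mac = hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}|{mac}"

    def verify(self, token, now):
        parts = token.split("|")
        if len(parts) != 5:
            return False
        payload, mac = "|".join(parts[:4]), parts[4]
        expect = hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()
        # MAC check first, so the expiry field is only parsed once it is known to be ours.
        return hmac.compare_digest(mac, expect) and int(parts[3]) > int(now.timestamp())

class PolicyEnforcementPoint:
    """The Guard: the gateway / exit point; opens a session only on a PA credential."""
    def __init__(self, pe, pa):
        self.pe, self.pa = pe, pa

    def handle(self, req):
        verdict = self.pe.evaluate(req)
        if verdict.allow:
            verdict.token = self.pa.issue(req)
        return verdict

    def session_open(self, token, now):
        return self.pa.verify(token, now)

# Constructed sample feeds; 02:30 UTC so the request counts as after hours.
NOW = datetime(2024, 1, 15, 2, 30, tzinfo=timezone.utc)
PIPS = PolicyInformationPoints(
    mfa={"sysadmin1": True, "dev1": False},
    device_certs={"lap-001": ("sysadmin1", NOW + timedelta(days=90)),
                  "lap-002": ("dev1", NOW - timedelta(days=1))},
    posture={"lap-001": 10, "lap-002": 55},
    tickets={"INC0001": ("sysadmin1", "approved", "ibmi-prod:*ALLOBJ")},
)
PEP = PolicyEnforcementPoint(PolicyEngine(PIPS), PolicyAdministrator(b"demo-secret"))

def fire_call(user, device, segment, ticket, when=NOW, resource="ibmi-prod:*ALLOBJ"):
    """Run one privileged-access request through the PEP and return the verdict."""
    return PEP.handle(AccessRequest(user, device, segment, resource, ticket, when))

if __name__ == "__main__":
    for args in [("sysadmin1", "lap-001", "admin-vlan", "INC0001"),
                 ("sysadmin1", "lap-001", "admin-vlan", None),
                 ("dev1", "lap-002", "admin-vlan", "INC0001")]:
        v = fire_call(*args)
        print(args, "ALLOW" if v.allow else "DENY", v.reasons)
```

Two design points match the slides' message that trust is earned, not assumed: the PE never reads a claim from the request without checking it against a PIP (an unknown device gets the worst-case risk score, and a missing ticket is a denial rather than a pass), and every denied check is recorded as a reason so the SIEM sees why the gateway refused, which is the "need centralized logs" caveat from the pros-and-cons slide.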