The document outlines the Zero Trust security model, emphasizing its necessity in modern hybrid and multi-cloud environments, moving away from outdated perimeter security principles. It describes how Zero Trust enhances security by eliminating 'default trust' and focuses on user-centric access control, supporting various devices and operating systems. Additionally, it highlights the model's adaptability, cost-effectiveness, and the need for organization-wide understanding and implementation.

1. Why Zero Trust Yields
Maximum Security
Questions about Zero Trust Every Executive
Should Be Asking

2. 2
Greg Touhill, CISSP, CISM
• President, Appgate Federal
• First Federal CISO of the US
government
• Director, National Cybersecurity and
Communications Integration Center
• Retired USAF Brigadier General
• Carnegie Mellon University, Heinz
College faculty
• ISACA Board of Directors
• Splunk and Intel Federal Advisory
Boards

3. 3
What is the Zero Trust
Security Model?
• Reinvents security for a hybrid, multi-cloud world
• Moves beyond outdated perimeter security model
• Eliminates “default trust” that leads to attacks
from within the network
• Designed to address internal and external threats
• Makes security continuous and adaptive

4. 4
Does it Work Everywhere I Need It?
Our data is everywhere
• On-premises, Hybrid Cloud, Co-located
datacenters, SaaS platforms, etc.
I need a Zero Trust solution that works
everywhere my I am:
• Office/Mobile/Home
I need a Zero Trust solution that works on any
device and operating system
• E.g. Windows, Linux, Unix, iOS, MacOS,
Android, etc.
I need a Zero Trust that protects my IT, OT, ICS,
and IoT
I need a single Zero Trust solution that
simplifies my security

5. 5
Why Zero Trust?
• IT Changed. Security Didn’t.
• The perimeter is dead
• Security built around networks,
not users, is failing
• Inherent over-entitlement
• Broad attack surface
• Costs continue to soar
• Complexity impedes agility
• Attackers have the advantage

6. 6
Do We Have a Zero Trust Mindset?
• Zero Trust is a strategy
• Our team understands why it is
important
• It applies wherever our data
resides
• It is embraced by the entire
organization
• It enhances our business and its
strategic & operational
objectives
Frederick the Great:
“He who defends
everything defends
nothing”

7. 7
Where is Our Data?
• On-premises
• Private Cloud
• Hybrid Cloud
• Mobile Devices
• 3rd Party venues
• Operating Systems
• Windows/Linux/Unix/MacOS/iOS/
Android
• ICS/IoT/OT
Your Data
Lives
Everywhere!

8. 8
How is Data Access Controlled?
• Focus on the user, not the IP
address
• Integrate with IDAM, RBAC,
and directory services
• Strong authentication,
authorization controls, & policy
compliance
• Business and risk-context aware
Role and Group
Operating System
Location
Time of Day
Network
Device Posture
External Systems

9. 9
How is This Better than What We Have?
• Live Entitlements replace
dangerously vulnerable
Static Rules
• Dynamic and context
sensitive
• Extensible and scriptable
• Continuously monitored

10. 10
How Does this
Better Protect Us?
• Secure encrypted
communication
• Connects user to only
authorized resources
• Eliminates problem of
lateral movement
• Access adjusted in real
time as necessary
• Support for hybrid IT
with multi-tunnel
capability

11. 11
Is it easy-to-use?
• Complexity is the bane of security
• ZT Solutions that add complexity add risk
Touhill’s Rule #12: Users learn in 5
mins, operators master in 5 days
• Don’t buy any ZT solution that doesn’t help
you retire old technology
Touhill’s Rule #17: Buy one, retire
three
• If it isn’t easy for the user and the operator,
it does not get used, or used correctly

12. 12
Do We Understand Our Data?
• Data is an asset of great value
• Understand your high value
assets (aka Key Cyber Terrain)
• Define who owns and controls
your data
• Define who should be granted
access to your data
• Define the conditions that
govern access to data
• Only make your data visible to
those authorized to see it
Sun Tzu: “Know your enemy and know
yourself and in a thousand battles you
will not be defeated.”

13. 13
What Performance Should I Expect?
Implementing Zero Trust should
increase your effectiveness,
efficiency, and security
• Reduced manpower
• Reduced training
• Reduced s/w & h/w costs
• High-speed network performance
o e.g. Cloud private access @
8Gbps

14. 14
What Are the Costs and Benefits?
Zero Trust solutions should reduce your
costs while improving performance
Be a smart consumer
• Check references
• Compare costs, schedule,
performance, and security
• Test against use cases
Have a plan
• Start small, think big, and scale fast!

15. 15
Can Zero Trust Grow With Us?
Your Zero Trust solution needs to
be “extensible”
• Designed to allow the addition
of new capabilities and
functionality.
It needs to easily, quickly and
economically scale as you grow
• Minimal use of hardware
appliances
• Maximum use of software-
defined capabilities Time
Value

16. Government certifications require independent third-party
testing and demonstrate capabilities, performance, supply chain
risk controls, configuration management, and other controls
16
Is it Certified?
Products that are certified by rigorous
standards and testing reduce your risk
exposure
Ask about certifications from:
o Government testing
o International standards
• e.g. Common Criteria
o Major OEM organizations
C O N T I N U O U S
D I A G N O S I S
A N D
M I T I G A T I O N
P R O G R A M
A P P R O V E D
P R O D U C T
C O M M O N
C R I T E R I A
C E R T I F I E D
O N L Y S D P
O F F E R I N G
F E D E R A L
I N F O R M A T I O N
P R O C E S S I N G
S T A N D A R D
C E R T I F I E D
P R O D U C T
FIPS
140-2
A D V A N C E D
T E C H N O L O G Y
P A R T N E R
S E C U R I T Y
C O M P E T E N C Y

17. 17
Who Else Has Adopted Zero Trust?
Numerous public and private
sector entities are on the Zero
Trust journey
Size does not matter!
The Zero Trust security
strategy applies to all
organizations, in all sectors

18. 18
Where do I Learn More?
Forrester Research
• Independent leader in Zero Trust
research
• Authors “The Zero Trust Wave”
• Lead researcher: Dr. Chase
Cunningham
• “Dr. Zero Trust”
Gartner
• Created their new “Service Access
Service Edge” (SASE) model that
includes ZTNA
• “Magic Quadrant”
• Lead researcher: Neil MacDonald
Appgate (www.appgate.com)
B R O A D E S T
F E A T U R E S E T
S O F T W A R E -
D E F I N E D
P E R I M E T E R
////////////////////
G A R T N E R P E E R
I N S I G H T S :
4 . 8 O F 5 S T A R S
L E A D E R
Z E R O - T R U S T
E X T E N D E D
E C O S Y S T E M S

19. Questions?

20. 20
Appgate SDP
Software-Defined Perimeter
Identity-
Centric
Live
Entitlements
Segment
of One