#RSAC
Zero Trust Security
Topics Covered
Understand what Zero Trust is and why it is important.
What comprises a Zero Trust network and how to create an architecture.
Conditions and controls
Understand how identity, device health
Benefits of Zero Trust
Discover how to apply these conditions to line-of-business SaaS apps or on-premises web apps.
TRADITIONAL MODEL
(Diagram: trusted zone inside the perimeter, untrusted zone outside.)
The challenge with perimeter-based networks
It was a walled garden (the castle-and-moat approach).
Perimeter-based networks operate on the assumption that all systems (and users) within the network can be trusted.
They cannot accommodate modern work styles such as Bring Your Own Device (BYOD) and Bring Your Own Cloud (BYOC).
An attacker who compromises a single endpoint inside the trusted boundary can quickly expand that foothold across the entire network.
Users cannot be trusted! (Neither can the network!)
28% of attacks involved inside actors¹
4% of end-users will click on anything¹
17% of breaches had errors as causal events¹
¹ Verizon Data Breach Investigations Report: https://enterprise.verizon.com/resources/reports/dbir/
What is a Zero Trust network?
Eliminates the concept of trust based on network location within a perimeter.
Leverages device and user trust claims to gain access to data and resources.
John Kindervag, www.paloaltonetworks.com/resources/videos/zero-trust
What comprises a Zero Trust network?
Identity provider to keep track of users and user-related information.
Device directory to maintain a list of devices that have access to corporate resources, along with their corresponding device information (e.g., type of device, integrity state).
Policy evaluation service to determine whether a user or device conforms to the policy set forth by security admins.
Access proxy that uses the above signals to grant or deny access to an organizational resource.
Anomaly detection and machine learning.
Example: Basic components of a Zero Trust network model (diagram)
Designing a Zero Trust architecture
Approach: Start by asking questions
Who are your users? What apps are they trying to access? How are they doing it? Why are they doing it that way?
What conditions are required to access a corporate resource?
What controls are required based on each condition?
Consider an approach based on a set of conditions:
What is the user’s role and group membership?
What is the device health and compliance state?
What is the SaaS, on-prem or mobile app being accessed?
What is the user’s physical location?
What is the time of sign-in?
What is the sign-in risk of the user’s identity (i.e., the probability that this sign-in was not authorized by the identity owner)?
What is the user risk (i.e., the probability that a bad actor has compromised the account)?
Followed by a set of controls (an if/then statement):
Allow/deny access
Require MFA
Force password reset
Control session access to the app (e.g., allow read but not download)
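As an added worked example (not code from this deck or from any vendor product), the conditions above are fed into a toy policy evaluation service that returns the controls an access proxy would enforce. The app policy table, the trusted-country set, the business-hours window and the risk levels are assumptions chosen for illustration:

```python
"""Toy Zero Trust policy evaluation: a request's conditions in, controls out.

Added example; the policy data, field names and thresholds are assumptions.
"""
from dataclasses import dataclass, field
from datetime import time
from typing import Dict, List, Set

RISK = {"low": 0, "medium": 1, "high": 2}

# Assumed policy data. A real access proxy would fetch this from the policy service.
APP_POLICY: Dict[str, dict] = {
    "finance-erp": {"group": "finance",   "high_value": True},
    "wiki":        {"group": "employees", "high_value": False},
}
TRUSTED_COUNTRIES = {"US", "CA", "GB"}
BUSINESS_HOURS = (time(7, 0), time(20, 0))


@dataclass
class AccessRequest:
    user: str
    groups: Set[str]
    app: str
    device_managed: bool
    device_compliant: bool
    device_risk: str      # machine risk from the device directory: low/medium/high
    country: str
    sign_in_time: time
    sign_in_risk: str     # probability this sign-in is not the identity owner
    user_risk: str        # probability the account itself is compromised


@dataclass
class Decision:
    allow: bool
    controls: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)


def evaluate(req: AccessRequest) -> Decision:
    """Apply the conditions in order: hard denies first, then step-up controls."""
    policy = APP_POLICY.get(req.app)
    if policy is None:                        # default deny: unknown resource
        return Decision(False, reasons=["unknown app"])
    if policy["group"] not in req.groups:     # role / group membership
        return Decision(False, reasons=[f"not in group {policy['group']}"])
    if RISK[req.user_risk] == RISK["high"]:   # account likely compromised
        return Decision(False, ["force_password_reset"], ["user risk high"])
    if RISK[req.device_risk] == RISK["high"]:
        return Decision(False, reasons=["device risk high"])
    if RISK[req.sign_in_risk] == RISK["high"]:
        return Decision(False, reasons=["sign-in risk high"])
    healthy = req.device_managed and req.device_compliant
    if policy["high_value"] and not healthy:
        return Decision(False, reasons=["high-value app needs managed, compliant device"])

    controls: List[str] = []
    reasons: List[str] = []

    def step_up(reason: str) -> None:
        if "require_mfa" not in controls:
            controls.append("require_mfa")
        reasons.append(reason)

    if req.sign_in_risk == "medium":
        step_up("sign-in risk medium")
    if req.country not in TRUSTED_COUNTRIES:
        step_up(f"sign-in from {req.country}")
    if not BUSINESS_HOURS[0] <= req.sign_in_time < BUSINESS_HOURS[1]:
        step_up("outside business hours")
    if not healthy:                           # unmanaged device: limited session
        controls.append("session_read_only_no_download")
        reasons.append("device not managed/compliant")
    return Decision(True, controls, reasons)


def sample_request(**overrides) -> AccessRequest:
    """A baseline low-risk request; override fields to exercise each branch."""
    base = dict(user="alice", groups={"employees", "finance"}, app="wiki",
                device_managed=True, device_compliant=True, device_risk="low",
                country="US", sign_in_time=time(10, 0),
                sign_in_risk="low", user_risk="low")
    base.update(overrides)
    return AccessRequest(**base)


if __name__ == "__main__":
    cases = [("baseline", sample_request()),
             ("unmanaged device", sample_request(device_managed=False)),
             ("high user risk", sample_request(user_risk="high")),
             ("erp from unmanaged", sample_request(app="finance-erp", device_compliant=False))]
    for label, req in cases:
        print(f"{label:20} -> {evaluate(req)}")
```

Hard denies (unknown app, wrong group, high user, device or sign-in risk, a high-value app from an unmanaged device) short-circuit before any step-up control is considered, so a compromised account is never offered an MFA prompt that a hijacked session could satisfy; the lesser conditions accumulate into a single MFA requirement or a read-only session.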
Device Health Conditions
Determine the machine risk level (e.g., is it compromised by malware, is there evidence of Pass-the-Hash (PtH) activity?)
Determine the system integrity and posture (i.e., hardware-rooted boot-time and runtime checks)
Integrity checks:
– Drivers
– Kernel
– Firmware
– Peripheral firmware
– Antimalware driver code
Verify the boot state of the machine
Compliance policy checks (e.g., is an OS security setting missing or not configured?)
(Diagram: integrity at system start-up; integrity as the system is running; validate integrity as the OS is running.)
Identity Conditions
What is the user’s risk level?
Is the sign-in coming from:
– A known botnet IP address?
– An anonymous IP address?
– An unauthorized or anonymizing browser (e.g., Tor)?
– An unfamiliar location?
– Impossible travel to atypical locations?
Is the sign-in suspicious?
– High number of failed attempts across multiple accounts over a short period of time
– Matches traffic patterns of IP addresses used by attackers
Are the user’s credentials (username/password pair) leaked?
– Up for sale on the dark web or underground markets
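As an added example of the sign-in risk signals above (not code from the deck), a small scorer run over a constructed sign-in log: it flags known botnet and anonymizer IPs from assumed threat-intel sets, unfamiliar countries relative to each user's history of successful sign-ins, impossible travel by great-circle speed between consecutive sign-ins, and password-spray sources (many accounts failing from one IP inside a short window). All IP addresses, coordinates, timestamps and thresholds are constructed:

```python
"""Sign-in risk scoring over a constructed sign-in log.

Added example; threat-intel sets, events and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Set, Tuple

# Constructed threat-intel lists. Assumption: a real IdP pulls these from a feed.
BOTNET_IPS: Set[str] = {"203.0.113.7"}
ANONYMIZER_IPS: Set[str] = {"198.51.100.9"}   # e.g. Tor exit relays

MAX_PLAUSIBLE_KMH = 1000.0            # faster than airline travel => impossible
SPRAY_WINDOW = timedelta(minutes=10)
SPRAY_MIN_ACCOUNTS = 5                # distinct accounts failing from one IP

# Constructed sign-in log: (user, UTC timestamp, source IP, country, lat, lon, success)
EVENTS = [
    ("alice", "2024-05-01T09:00:00", "192.0.2.10",   "US", 47.61, -122.33, True),   # Seattle
    ("alice", "2024-05-01T10:30:00", "198.51.100.9", "DE", 52.52,   13.40, True),   # Berlin, 90 min later
    ("bob",   "2024-05-01T09:05:00", "192.0.2.11",   "US", 40.71,  -74.01, True),
    ("bob",   "2024-05-02T09:05:00", "203.0.113.7",  "US", 40.71,  -74.01, True),   # botnet IP
    ("erin",  "2024-05-01T08:00:00", "192.0.2.12",   "US", 34.05, -118.24, False),  # one typo, then success
    ("erin",  "2024-05-01T08:01:00", "192.0.2.12",   "US", 34.05, -118.24, True),
] + [  # one IP failing against five accounts in 40 seconds: password spray
    (u, f"2024-05-01T03:00:{i * 10:02d}", "203.0.113.50", "XX", 0.0, 0.0, False)
    for i, u in enumerate(["carol", "dave", "frank", "grace", "heidi"])
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres (Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def spray_sources(events) -> Set[str]:
    """IPs whose failures hit >= SPRAY_MIN_ACCOUNTS distinct accounts within SPRAY_WINDOW."""
    failures: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for user, ts, ip, *_rest, ok in events:
        if not ok:
            failures[ip].append((_ts(ts), user))
    flagged: Set[str] = set()
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= SPRAY_WINDOW}
            if len(users) >= SPRAY_MIN_ACCOUNTS:
                flagged.add(ip)
                break
    return flagged


def score_events(events) -> Dict[Tuple[str, str], dict]:
    """Attach risk flags and a level to every sign-in, evaluated in time order."""
    sprayers = spray_sources(events)
    seen_countries: Dict[str, Set[str]] = defaultdict(set)
    last_good: Dict[str, Tuple[datetime, float, float]] = {}
    results: Dict[Tuple[str, str], dict] = {}
    for user, ts, ip, country, lat, lon, ok in sorted(events, key=lambda e: e[1]):
        when, flags = _ts(ts), []
        if ip in BOTNET_IPS:
            flags.append("botnet_ip")
        if ip in ANONYMIZER_IPS:
            flags.append("anonymizer_ip")
        if ip in sprayers:
            flags.append("spray_source")
        if seen_countries[user] and country not in seen_countries[user]:
            flags.append("unfamiliar_location")
        if user in last_good:   # speed needed since the previous successful sign-in
            prev_when, plat, plon = last_good[user]
            hours = max((when - prev_when).total_seconds() / 3600, 1 / 60)
            if haversine_km(plat, plon, lat, lon) / hours > MAX_PLAUSIBLE_KMH:
                flags.append("impossible_travel")
        if ok:                  # only successful sign-ins teach the baseline
            seen_countries[user].add(country)
            last_good[user] = (when, lat, lon)
        level = "high" if len(flags) >= 2 else "medium" if flags else "low"
        results[(user, ts)] = {"flags": flags, "level": level}
    return results


if __name__ == "__main__":
    for key, verdict in score_events(EVENTS).items():
        print(key, verdict)
```

In a real identity provider these flags would become the sign-in risk and user risk conditions that the policy evaluation consumes; note that only successful sign-ins update a user's location baseline, so a spray attacker's failures cannot teach the scorer a new "familiar" country.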
Zero Trust based on conditional access controls
Benefits of a Zero Trust model
Allow conditional access to certain resources while restricting access to high-value resources to managed/compliant devices.
Prevent network access and lateral movement using stolen credentials and compromised devices.
Enables users to be more productive by working however they want, where they want, when they want.
Identity is everything; make it the control plane.
Consider an “if-this-then-that” automated approach to Zero Trust.
Zero Trust can enable new business outcomes that were not possible before.
Thank You!

zero trust - how to build zero trust.pdf