PUBLIC
Zero Trust Assessment for Telco Cloud Computing
Case Study
Overview
Telco cloud computing is a term used to describe the cloud-based services and infrastructure provided by
telecommunications companies or Telcos. New-age technology like Telco Cloud empowers CSPs (Cloud Service
Providers) to gain the highest levels of agility, flexibility, and scalability. But shifting to a next-generation cloud
architecture can be a double-edged sword.
Need for Cyber Risk Assessment / Possible Cyber Security Risks
The adoption of new technologies such as SDN (Software Defined Networks), APIs (Application Programming Interfaces), and DevOps increases the number of connected devices and services, thereby expanding the attack surface and potentially exposing the Telco Cloud to more cyberattacks. A typical telco cloud infrastructure is shown in the slide's diagram.
Based on this architecture, I see the following risk domains, each of which needs cybersecurity risk control measures in place for a robust telco cloud infrastructure:
• Internal IT domains (e.g., corporate apps, e-mail, web browsing, social media)
• Support systems (e.g., OSS/BSS, Management and Network Orchestration (MANO) systems)
• Customer-facing domains (e.g., channel portals, websites, call centres)
• Network domains (e.g., VNFs, servers, routing, transport, base stations, IoT devices)
Or, broadly speaking, the risk domains in a telco cloud architecture can be classified into 4 domains: users, systems, data and assets.
Approach
Zero Trust Concept
Zero Trust is an approach where access to data, networks and infrastructure is kept to what is minimally required, and the legitimacy of that access must be continuously verified.
A Zero Trust architecture is best visualized as seven pillars that are measured across 4 maturity levels and integrated across an enterprise, as illustrated in the figure alongside.
Fig: Zero Trust Pillars (Governance, Identity, Observability, Devices, Networks, Applications, Data, Automation, measured against Zero Trust Optimal Maturity)
Zero Trust Pillars and Associated Maturity Level Matrix
Pillars of ZT against ZT Maturity Level (Traditional, Initial, Advanced, Optimal):

Identity
• Traditional: On-premises Identification, Authentication, Authorization, and Accountability (IAAA), with identities authenticated by single-factor authentication (SFA) in most enterprises
• Initial: Multi-factor authentication (MFA) is introduced alongside self-managed and hosted identity stores. Access rights now expire, triggering automated reviews, although manual identity risk assessments still persist.
• Advanced: IAAA performed as a combination of federated and on-premises systems, with identities authenticated by MFA
• Optimal: Identities authenticated using MFA for initial access and then continually validated throughout the user's session

Device
• Traditional: Device compliance with limited visibility and manual asset management
• Initial: All physical assets are tracked, and limited device-based access control and compliance enforcement begin to take shape. Protection measures are partially automated, initially moving away from manual processes.
• Advanced: Most devices have compliance enforcement mechanisms, with automated methods employed to track assets
• Optimal: Continually monitored and validated device security posture, with asset and vulnerability management integrated across all environments

Network
• Traditional: Network architectures have large perimeters and are macrosegmented, with internal/external traffic explicitly encrypted
• Initial: Critical workloads begin to be isolated, network capabilities are adjusted to manage more applications, and dynamic configurations are introduced to parts of the network. Encryption becomes more widespread and key management policies get formalized.
• Advanced: Much of the network defined by ingress/egress microperimeters and microsegmentation; all traffic to internal applications encrypted
• Optimal: A zero trust network access (ZTNA) controller authenticates connection requests from endpoints based on policies; all network traffic is encrypted

Application
• Traditional: Remote application access governed by VPN and traditional firewalls that block traffic by port, protocol, destination and source addresses
• Initial: Some mission-critical workflows begin to incorporate integrated protection measures, and applications become accessible over public networks, strictly to authorized users.
• Advanced: Remote access to on-premises applications by VPN, with some application access in the cloud; active connections tracked and monitored using stateful firewalls
• Optimal: Identity-based access control with direct access to applications; web application firewalls inspecting application-layer traffic using dynamic policies

Data
• Traditional: Data at rest stored on-premises unencrypted, with inconsistent manual data categorization
• Initial: Automation is introduced for data inventory and access control to a limited extent, strategies for data categorization begin, and some data stores become highly available. Some data is encrypted in transit, implementing initial centralized key management policies.
• Advanced: Data at rest encrypted and stored in cloud or remote environments, with a combination of manual and static methods used to categorize data
• Optimal: All data at rest encrypted and data categorization enhanced by machine learning

Observability
• Traditional: Limited data and log inventories prevent a holistic view of the enterprise network, with static attributes used for observing user activity
• Initial: Limited automation is introduced for monitoring network activities, with a basic framework for real-time threat alerts and responses beginning to take shape.
• Advanced: Most data and logs are inventoried, with manual analysis of aggregated user activity
• Optimal: All access events are analyzed for suspicious activity, with user visibility centralized via user and entity behavior analytics (UEBA).

Analytics and Automation
• Traditional: The organization relies on manual administration of systems, networks, devices, and application environment changes
• Initial: Basic data analytics and automation of simpler tasks commence, paving the way for a more robust, data-driven security approach.
• Advanced: Basic automation of device provisioning and change workflows; applications can inform network and system devices of changing state
• Optimal: Fully enforced automated security policies and administration; device and network configurations automated using infrastructure as code and continuous integration/continuous deployment (CI/CD) models
Conclusions (1/2):
The ZT Assessment of a telco cloud network/infrastructure can be summarized in the parameters below.
• Identity and Access Management: provides enhanced identity governance.
  • Identity should be used as a key component of policy creation.
  • Access policies should be based on identity and assigned attributes.
  • Multi-Factor Authentication.
• Network Segmentation or Micro-segmentation: breaking a network into smaller isolated segments and restricting access between them, which limits the impact of a compromise and reduces the attack surface.
  • Pushing and executing unified access control policies based on micro-segmentation.
  • Achieving adaptive dynamic access control based on the trust evaluation of traffic characteristics and context.
  • Using label systems or virtual IPs to define business traffic, establishing an identity-centric dynamic access control model.
Conclusions (2/2):
• Data Protection: using encryption and other security measures to protect sensitive user data. This includes protecting data at rest, in transit and in use.
• Continuous Monitoring and Analytics: this involves the use of real-time threat detection and response capabilities to identify and mitigate threats, the use of machine learning, behavioural analytics and other advanced techniques, and the automation of configuration audit and compliance validation tasks for network resources.
• Policy Enforcement: this involves policy and controls to govern access to data and resources. It includes access control and application security.
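The identity-, attribute- and segment-based access decision described under Identity and Access Management and Micro-segmentation in Conclusions (1/2), and the Policy Enforcement item above, as an added Python example that is not part of the case study. The segment labels (oss-bss, mano, corp-it, customer-portal), roles, ports, the 8-hour MFA age and the 60 requests/minute threshold are constructed assumptions.

```python
"""Toy zero-trust policy decision point (PDP) for a telco cloud control plane.
Constructed example, not from the case study: each request is checked against
identity (with MFA), device posture, the micro-segment policy and traffic
context, and a live session is re-evaluated on every call, not trusted once.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Tuple


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "step-up"  # continue only after a fresh MFA proof


@dataclass(frozen=True)
class Identity:
    subject: str
    roles: FrozenSet[str]  # assigned attributes that policy is built on
    mfa_verified: bool     # MFA completed for this session?
    mfa_at: float          # epoch seconds of the last MFA proof


@dataclass(frozen=True)
class DevicePosture:
    managed: bool          # enrolled in the asset inventory (Device pillar)
    patched: bool          # compliance enforcement passed


@dataclass(frozen=True)
class Request:
    identity: Identity
    device: DevicePosture
    src_label: str         # micro-segment label of the caller
    dst_label: str         # micro-segment label of the target workload
    port: int
    now: float             # evaluation time, epoch seconds
    requests_last_minute: int  # context signal from the observability pillar


# Segment policy keyed by (src_label, dst_label, port) -> roles allowed.
# Labels, ports and roles are assumed names; any path not listed is denied.
SEGMENT_POLICY = {
    ("oss-bss", "mano", 443): frozenset({"noc-operator", "mano-admin"}),
    ("corp-it", "mano", 22): frozenset({"mano-admin"}),
    ("corp-it", "customer-portal", 443): frozenset({"portal-admin"}),
}
MFA_MAX_AGE_SECONDS = 8 * 3600  # re-prove identity at least every 8 hours
RATE_LIMIT_PER_MINUTE = 60      # above this the session must step up
NOW = 1_700_000_000.0           # constructed evaluation time


def evaluate(req: Request) -> Tuple[Decision, str]:
    """Return (decision, reason); the first failing check explains the result."""
    ident = req.identity
    # 1. Identity: MFA for initial access ...
    if not ident.mfa_verified:
        return Decision.STEP_UP, "mfa required"
    # ... and continual re-validation throughout the session.
    if req.now - ident.mfa_at > MFA_MAX_AGE_SECONDS:
        return Decision.STEP_UP, "mfa proof expired"
    # 2. Device posture: unmanaged or non-compliant devices get nothing.
    if not req.device.managed:
        return Decision.DENY, "device not in asset inventory"
    if not req.device.patched:
        return Decision.DENY, "device failed compliance check"
    # 3. Micro-segmentation: label-to-label traffic must be explicitly allowed.
    allowed = SEGMENT_POLICY.get((req.src_label, req.dst_label, req.port))
    if allowed is None:
        return Decision.DENY, f"no policy for {req.src_label}->{req.dst_label}:{req.port}"
    # 4. Identity attributes (roles) decide who may use that segment path.
    if not (ident.roles & allowed):
        return Decision.DENY, "role not permitted on this segment path"
    # 5. Adaptive control: anomalous traffic characteristics lower trust.
    if req.requests_last_minute > RATE_LIMIT_PER_MINUTE:
        return Decision.STEP_UP, "request rate anomalous"
    return Decision.ALLOW, "all checks passed"


def make_request(**overrides) -> Request:
    """Build a well-formed request from constructed sample values, then apply
    overrides so each scenario below differs in exactly one attribute."""
    f = dict(subject="alice", roles=frozenset({"noc-operator"}), mfa_verified=True,
             mfa_at=NOW - 600, managed=True, patched=True, src_label="oss-bss",
             dst_label="mano", port=443, now=NOW, requests_last_minute=5)
    f.update(overrides)
    return Request(Identity(f["subject"], f["roles"], f["mfa_verified"], f["mfa_at"]),
                   DevicePosture(f["managed"], f["patched"]), f["src_label"],
                   f["dst_label"], f["port"], f["now"], f["requests_last_minute"])


if __name__ == "__main__":
    scenarios = {
        "baseline": make_request(),
        "no MFA": make_request(mfa_verified=False),
        "MFA proof 10 h old": make_request(mfa_at=NOW - 10 * 3600),
        "unmanaged device": make_request(managed=False),
        "corp-it -> mano:443 (no rule)": make_request(src_label="corp-it"),
        "wrong role": make_request(roles=frozenset({"portal-admin"})),
        "burst of 500 req/min": make_request(requests_last_minute=500),
    }
    for name, req in scenarios.items():
        decision, reason = evaluate(req)
        print(f"{name:30s} -> {decision.value:8s} ({reason})")
```

Each scenario changes one attribute of the baseline request, so the printed reasons show which pillar's check rejected or challenged it; in a real deployment the reason strings would feed the audit log that the Observability pillar analyzes.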