PUBLIC
Zero Trust Assessment
for Telco Cloud
Computing
Case Study
Overview
Telco cloud computing is a term used to describe the cloud-based services and infrastructure provided by
telecommunications companies, or Telcos. New-age technology like Telco Cloud empowers CSPs (Communications
Service Providers) to gain the highest levels of agility, flexibility, and scalability. But shifting to a
next-generation cloud architecture can be a double-edged sword.
Need for Cyber Risk Assessment / Possible Cyber Security Risks
The adoption of new technologies such as SDN (Software Defined Networking), APIs (Application Programming
Interfaces), and DevOps increases the number of connected devices and services, thereby expanding the attack
surface and potentially exposing the Telco Cloud to more cyberattacks. A typical telco cloud infrastructure is
shown in the diagram below.
Fig: Typical telco cloud infrastructure
Based on this architecture, the following risk domains need cybersecurity risk control measures in place for a
robust telco cloud infrastructure:
• Internal IT domains (e.g., corporate apps, e-mail, web browsing, social media)
• Support systems (e.g., OSS/BSS, NFV Management and Orchestration (MANO) systems)
• Customer-facing domains (e.g., channel portals, websites, call centres)
• Network domains (e.g., VNFs, servers, routing, transport, base stations, IoT devices)
Broadly speaking, the risk domains in a telco cloud architecture can be classified into four domains: users,
systems, data and assets.
Approach
Zero Trust Concept
Zero Trust is an approach where access to data, networks and infrastructure is kept to what is minimally
required, and the legitimacy of that access must be continuously verified.
A Zero Trust architecture is best visualized as seven pillars that are measured across four maturity levels
and integrated across the enterprise, as illustrated in the figure.
Fig: Zero Trust Pillars (Governance, Identity, Observability, Devices, Networks, Applications, Data,
Automation), measured toward Zero Trust Optimal Maturity
Zero Trust Pillars and Associated Maturity Level Matrix
Each pillar of ZT is described at the four ZT maturity levels: Traditional, Initial, Advanced and Optimal.

Identity
• Traditional: On-premises Identification, Authentication, Authorization, and Accountability (IAAA), with
identities authenticated by single-factor authentication (SFA) in most enterprises.
• Initial: Multi-factor authentication (MFA) is introduced alongside self-managed and hosted identity stores.
Access rights now expire, triggering automated reviews, although manual identity risk assessments still persist.
• Advanced: IAAA performed as a combination of federated and on-premises systems, with identities
authenticated by MFA.
• Optimal: Identities authenticated using MFA for initial access and then continually validated throughout
the user's session.

Device
• Traditional: Device compliance with limited visibility and manual asset management.
• Initial: All physical assets are tracked, and limited device-based access control and compliance
enforcement begin to take shape. Protection measures are partially automated, moving away from manual
processes.
• Advanced: Most devices have compliance enforcement mechanisms, with automated methods employed to track
assets.
• Optimal: Continually monitored and validated device security posture, with asset and vulnerability
management integrated across all environments.

Network
• Traditional: Network architectures have large perimeters and are macro-segmented, with minimal encryption
of internal or external traffic.
• Initial: Critical workloads begin to be isolated; network capabilities are adjusted to manage more
applications, and dynamic configurations are introduced to parts of the network. Encryption becomes more
widespread and key management policies are formalized.
• Advanced: Much of the network is defined by ingress/egress micro-perimeters and micro-segmentation; all
traffic to internal applications is encrypted.
• Optimal: A zero trust network access (ZTNA) controller authenticates connection requests from endpoints
based on policies; all network traffic is encrypted.

Application
• Traditional: Remote application access governed by VPN and traditional firewalls that block traffic by
port, protocol, destination and source addresses.
• Initial: Some mission-critical workflows begin to incorporate integrated protection measures, and
applications become accessible over public networks, strictly to authorized users.
• Advanced: Remote access to on-premises applications by VPN, with some application access in the cloud;
active connections tracked and monitored using stateful firewalls.
• Optimal: Identity-based access control with direct access to applications; web application firewalls
inspect application-layer traffic using dynamic policies.

Data
• Traditional: Data at rest stored on-premises unencrypted, with inconsistent manual data categorization.
• Initial: Automation is introduced, to a limited extent, for data inventory and access control; data
categorization strategies begin, and some data stores become highly available. Some data is encrypted in
transit, with initial centralized key management policies.
• Advanced: Data at rest encrypted and stored in cloud or remote environments, with a combination of manual
and static methods used to categorize data.
• Optimal: All data at rest encrypted, and data categorization enhanced by machine learning.

Observability
• Traditional: Limited data and log inventories prevent a holistic view of the enterprise network, with
static attributes used for observing user activity.
• Initial: Limited automation is introduced for monitoring network activities, with a basic framework for
real-time threat alerts and responses beginning to take shape.
• Advanced: Most data and logs are inventoried, with manual analysis of aggregated user activity.
• Optimal: All access events are analyzed for suspicious activity, with user visibility centralized via user
and entity behavior analytics (UEBA).

Analytics and Automation
• Traditional: The organization relies on manual administration of systems, networks, devices, and
application environment changes.
• Initial: Basic data analytics and automation of simpler tasks commence, paving the way for a more robust,
data-driven security approach.
• Advanced: Basic automation of device provisioning and change workflows; applications can inform network
and system devices of changing state.
• Optimal: Fully enforced automated security policies and administration; device and network configurations
automated using infrastructure as code and continuous integration/continuous deployment (CI/CD) models.
Conclusions (1/2):
The ZT assessment of a telco cloud network/infrastructure can be summarized in the parameters below.
• Identity and Access Management: provides enhanced identity governance.
• Identity should be used as the key component of policy creation.
• Access policies should be based on identity and assigned attributes.
• Multi-factor authentication.
• Network Segmentation or Micro-segmentation: breaking a network into smaller isolated segments and
restricting access between them, which limits the impact of a compromise and reduces the attack surface.
• Pushing and executing unified access control policies based on micro-segmentation.
• Achieving adaptive, dynamic access control based on trust evaluation of traffic characteristics and context.
• Using label systems or virtual IPs to define business traffic, establishing an identity-centric dynamic
access control model.
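The Identity and Network rows of the maturity matrix and the points above (identity as the key policy input, MFA that is re-validated throughout the session, label-based micro-segmentation with default deny) can be brought together in one small policy decision point. The block below is an added example written for this page, not code from the original deck: the workload labels, segments, roles, freshness limits and the evaluate/demo functions are all assumptions.

```python
"""Identity-centric, label-based access decision point.

Added example, not code from the original deck: the workload labels, segments,
roles and freshness limits below are assumptions used to illustrate the
Identity and Network pillars and the Conclusions (1/2) bullets.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Maximum age of an MFA proof / device posture report before re-validation (assumed).
MFA_MAX_AGE = timedelta(hours=8)
POSTURE_MAX_AGE = timedelta(minutes=15)

# Constructed workload inventory: workloads are addressed by label, not IP,
# so a re-scheduled or re-addressed VNF keeps the same policy.
WORKLOADS = {
    "oss-billing-01": {"segment": "support", "system": "bss"},
    "mano-nfvo-01": {"segment": "support", "system": "mano"},
    "vnf-upf-03": {"segment": "network", "system": "vnf"},
}

# Constructed segmentation policy keyed by (source segment, target system):
# the roles and ports allowed for that pair. Any pair not listed is denied.
SEGMENT_POLICY = {
    ("support", "mano"): {"roles": {"nfv-operator"}, "ports": {443}},
    ("support", "bss"): {"roles": {"billing-analyst", "nfv-operator"}, "ports": {443}},
    ("support", "vnf"): {"roles": {"nfv-operator"}, "ports": {22, 443}},
}

@dataclass
class Identity:
    user: str
    roles: frozenset
    mfa_verified_at: datetime | None  # None: MFA never completed

@dataclass
class Device:
    device_id: str
    managed: bool
    posture_ok: bool  # last compliance check (patch level, EDR, disk encryption) passed
    posture_checked_at: datetime

@dataclass
class AccessRequest:
    identity: Identity
    device: Device
    source_segment: str  # label of the segment the request originates from
    target: str          # workload label
    port: int
    now: datetime        # evaluation time, passed in so decisions are reproducible

def evaluate(req: AccessRequest) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Run on every request, not only at login, so an
    aged-out MFA proof or a device that drifts out of compliance mid-session
    revokes access without waiting for the session to expire."""
    target = WORKLOADS.get(req.target)
    if target is None:
        return False, [f"unknown workload {req.target!r}"]
    reasons: list[str] = []
    ident, dev = req.identity, req.device
    if ident.mfa_verified_at is None:
        reasons.append("MFA not completed")
    elif req.now - ident.mfa_verified_at > MFA_MAX_AGE:
        reasons.append(f"MFA proof older than {MFA_MAX_AGE}; re-authentication required")
    if not dev.managed:
        reasons.append(f"device {dev.device_id} is unmanaged")
    if not dev.posture_ok:
        reasons.append(f"device {dev.device_id} failed posture check")
    elif req.now - dev.posture_checked_at > POSTURE_MAX_AGE:
        reasons.append(f"device posture report older than {POSTURE_MAX_AGE}")
    rule = SEGMENT_POLICY.get((req.source_segment, target["system"]))
    if rule is None:
        reasons.append(f"no policy permits {req.source_segment} -> {target['system']} (default deny)")
    else:
        if not ident.roles & rule["roles"]:
            reasons.append(f"roles {sorted(ident.roles)} not permitted for {target['system']}")
        if req.port not in rule["ports"]:
            reasons.append(f"port {req.port} not permitted for {target['system']}")
    return (not reasons), (reasons or ["allow"])

def demo() -> dict[str, tuple[bool, list[str]]]:
    """Constructed scenarios; returns {scenario: (allowed, reasons)}."""
    now = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
    operator = Identity("alice", frozenset({"nfv-operator"}), now - timedelta(hours=1))
    analyst = Identity("bob", frozenset({"billing-analyst"}), now - timedelta(hours=1))
    tired = Identity("alice", frozenset({"nfv-operator"}), now - timedelta(hours=9))
    laptop = Device("lt-1001", True, True, now - timedelta(minutes=5))
    stale = Device("lt-1002", True, True, now - timedelta(hours=2))
    cases = {
        "operator -> MANO": AccessRequest(operator, laptop, "support", "mano-nfvo-01", 443, now),
        "analyst -> MANO": AccessRequest(analyst, laptop, "support", "mano-nfvo-01", 443, now),
        "operator, stale posture": AccessRequest(operator, stale, "support", "mano-nfvo-01", 443, now),
        "operator, expired MFA": AccessRequest(tired, laptop, "support", "mano-nfvo-01", 443, now),
        "operator from customer segment -> VNF": AccessRequest(operator, laptop, "customer", "vnf-upf-03", 22, now),
    }
    results = {name: evaluate(req) for name, req in cases.items()}
    for name, (allowed, reasons) in results.items():
        print(f"{'ALLOW' if allowed else 'DENY':5} {name}: {'; '.join(reasons)}")
    return results

if __name__ == "__main__":
    demo()
```

The decision carries its reasons so that a denial can be logged as an access event for the observability pillar; note that the same operator, device and workload is allowed in one case and denied in the next purely because the posture report or the MFA proof has aged, which is what "continually validated throughout the user's session" means in practice.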
Conclusions (2/2):
• Data Protection: using encryption and other security measures to protect sensitive user data. This includes
protecting data at rest, in transit and in use.
• Continuous Monitoring and Analytics: real-time threat detection and response capabilities to identify and
mitigate threats; use of machine learning, behavioural analytics and other advanced techniques; and automation
of configuration audit and compliance validation tasks for network resources.
• Policy Enforcement: policies and controls that govern access to data and resources. This includes access
control and application security.
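The Optimal level of the Observability pillar and the Continuous Monitoring and Analytics point above both describe analysing every access event against what is normal for that identity. The block below is an added example, not code from the original deck: it learns a per-user baseline from constructed access events (the kind a policy decision point would emit), then scores later events on how far they depart from it. The event format, the weights, the threshold and the analyze/score_event functions are assumptions.

```python
"""Baseline-and-score analysis of access events (added example).

Not code from the original deck: the event format, the anomaly weights and the
log lines below are constructed to illustrate the Observability pillar and the
Continuous Monitoring and Analytics conclusion.
"""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime

# Constructed access events, one JSON object per line, in the shape a policy
# enforcement point might emit after each decision. Not real telco data.
SAMPLE_LOG = """\
{"ts": "2024-01-08T09:12:04Z", "user": "alice", "device": "lt-1001", "src_segment": "support", "target": "mano-nfvo-01", "action": "allow"}
{"ts": "2024-01-08T14:40:19Z", "user": "alice", "device": "lt-1001", "src_segment": "support", "target": "oss-billing-01", "action": "allow"}
{"ts": "2024-01-09T10:03:51Z", "user": "alice", "device": "lt-1001", "src_segment": "support", "target": "mano-nfvo-01", "action": "allow"}
{"ts": "2024-01-10T16:22:07Z", "user": "alice", "device": "lt-1001", "src_segment": "support", "target": "mano-nfvo-01", "action": "allow"}
{"ts": "2024-01-11T11:15:33Z", "user": "bob", "device": "lt-1002", "src_segment": "support", "target": "oss-billing-01", "action": "allow"}
{"ts": "2024-01-12T09:48:10Z", "user": "bob", "device": "lt-1002", "src_segment": "support", "target": "oss-billing-01", "action": "allow"}
{"ts": "2024-01-15T10:05:42Z", "user": "alice", "device": "lt-1001", "src_segment": "support", "target": "mano-nfvo-01", "action": "allow"}
{"ts": "2024-01-15T11:30:00Z", "user": "bob", "device": "lt-1002", "src_segment": "support", "target": "mano-nfvo-01", "action": "deny"}
{"ts": "2024-01-16T03:10:27Z", "user": "alice", "device": "lt-2099", "src_segment": "customer", "target": "vnf-upf-03", "action": "allow"}
{"ts": "2024-01-16T03:12:41Z", "user": "mallory", "device": "lt-3000", "src_segment": "customer", "target": "vnf-upf-03", "action": "deny"}
"""

# Points added per deviation from the user's own baseline (assumed weights).
WEIGHTS = {"new_device": 3, "new_segment": 3, "new_target": 2, "off_hours": 2, "denied": 1}
ALERT_THRESHOLD = 5


def parse_events(log_text: str) -> list[dict]:
    """Parse one JSON event per line; timestamps become datetime objects."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def build_baseline(events: list[dict]) -> dict[str, dict[str, set]]:
    """Per-user profile of observed devices, source segments, targets and hours."""
    baseline = defaultdict(
        lambda: {"device": set(), "src_segment": set(), "target": set(), "hours": set()})
    for ev in events:
        prof = baseline[ev["user"]]
        for key in ("device", "src_segment", "target"):
            prof[key].add(ev[key])
        prof["hours"].add(ev["ts"].hour)
    return dict(baseline)


def score_event(baseline: dict, ev: dict) -> tuple[int, list[str]]:
    """Score one event against its user's baseline; higher is more anomalous."""
    prof = baseline.get(ev["user"])
    if prof is None:  # first sight of this identity: nothing is 'normal' for it yet
        return ALERT_THRESHOLD, ["no behavioural baseline for user"]
    score, reasons = 0, []
    for key, label in (("device", "new_device"), ("src_segment", "new_segment"), ("target", "new_target")):
        if ev[key] not in prof[key]:
            score += WEIGHTS[label]
            reasons.append(f"{label}={ev[key]}")
    if ev["ts"].hour not in prof["hours"]:
        score += WEIGHTS["off_hours"]
        reasons.append(f"off_hours={ev['ts'].hour:02d}:00")
    if ev["action"] == "deny":
        score += WEIGHTS["denied"]
        reasons.append("denied")
    return score, reasons


def analyze(log_text: str, cutoff: str) -> list[dict]:
    """Learn baselines from events before `cutoff`, score events at or after it,
    and return those that reach ALERT_THRESHOLD."""
    cutoff_ts = datetime.strptime(cutoff, "%Y-%m-%dT%H:%M:%SZ")
    events = parse_events(log_text)
    baseline = build_baseline([e for e in events if e["ts"] < cutoff_ts])
    alerts = []
    for ev in events:
        if ev["ts"] < cutoff_ts:
            continue
        score, reasons = score_event(baseline, ev)
        if score >= ALERT_THRESHOLD:
            alerts.append({"user": ev["user"], "ts": ev["ts"].isoformat(),
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, "2024-01-15T00:00:00Z"):
        print(alert)
```

Run on the constructed log, the analyst's single denied request to MANO scores below the threshold (one new target plus a denial), while the off-hours request from a never-seen device and segment to a VNF, and the first appearance of an unknown identity, are both raised. Real UEBA replaces the fixed weights with learned distributions, but the structure (baseline per entity, score every event, alert on departure) is the same.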

Zero trust model for cloud computing.pptx
