The Goal for this presentation is to define the concepts behind “Zero-Trust” models; demonstrate how the theory has developed and changed over time; present how the Zero-Trust theory is used; provide lessons learned from the challenges and problems implementing “Zero-Trust” concepts; share some use cases demonstrating the success and failures applying the Zero-Trust theory.
1. AN IN-DEPTH UNDERSTANDING IN THE APPLICATION OF THE “ZERO-TRUST” SECURITY MODEL AND PROBLEMS IN IMPLEMENTATION
By Chip Justice, Ph.D Student Cybersecurity, MBA, CISSP, PMP, Lean Six Sigma Blackbelt
2. AGENDA/OUTLINE
• Presentation Goals
• Who Can You Trust
• Trust is Easily Lost
• Improve the UX for Stronger Security
• Know our Adversary for Better Security
• Good Cybersecurity: Pay Now or Pay Later
• Implementing a Good ZTA
• Conclusion
• References
3. THE GOAL FOR TODAY’S PRESENTATION
• Define the concepts behind “Zero-Trust” models
• Demonstrate how the theory has developed and changed over time
• Present how the Zero-Trust theory is used
• Provide lessons learned from the challenges and problems implementing “Zero-Trust” concepts
• Share some use cases demonstrating the successes and failures applying the Zero-Trust theory
4. WHO CAN YOU TRUST
TRUST NO ONE
TRUST NOTHING
“Trust, but verify (Russian: Доверяй, но проверяй; Doveryai, no proveryai) is a Russian proverb. The phrase became internationally known in English when used by President Ronald Reagan on several occasions in the context of nuclear disarmament discussions with the Soviet Union.”
In the words of President Ronald Reagan: “Trust but Verify”
(Wikipedia, 2019 - https://en.wikipedia.org/wiki/Trust,_but_verify)
5. TRUST IS EASILY LOST
“90% of people — most of whom identify themselves as morally upstanding — will act dishonestly to benefit themselves if they believe they won’t get caught.”
Why?
“Anonymity means no long-term cost (or impact) will be exacted.” … “it turns out increasing status and power go hand in hand with decreasing honesty and reliability.”
(DeSteno, David, 2014).
6. IMPROVE THE UX FOR STRONGER SECURITY
Cyber practitioners do not only ensure the solution is secure: confidential, available and built with integrity. These experts provide another valuable service to the organization: they ensure a high level of quality can be expected from the product or service.
7. KNOW YOUR ADVERSARY FOR BETTER SECURITY
The OODA Loop is a highly valued model, one known quite well to militaries, governments and the cybersecurity community.
The OODA Loop is a process for observing, identifying and analyzing how a person thinks, (re)acts and responds to stimuli. This process can be invaluable and has a number of applications and use cases, which are not limited to offensive and defensive cyber postures (Infosec Institute, 2019).
8. GOOD CYBERSECURITY: PAY NOW OR PAY LATER
NASA JPL: a bad actor stole “approximately 500 megabytes of data from one of its major mission systems” (NASA Office of the Inspector General (OIG), 2019).
To implement a Zero-Trust solution is not an overnight or easy task.
Implementing a Zero-Trust Architecture (ZTA) would likely be “incremental, starting with a standard set of identity checks for applications and services that could gradually be integrated into common mechanisms for authentication and authorization across” (DelBene, K, Medin, M, & Murray, R, 2019).
9. IMPLEMENTING A GOOD ZTA
[Figure: Traditional Network Security Architecture (Barth & Gilman, n.d.)]
[Figure: Zero-Trust Architecture (ZTA) (Barth & Gilman, n.d.)]
Choose ZTA over Traditional
(1) Verify the user [authentication, part 1]
(2) Verify the device [authentication, part 2]
(3) Verify access privileges [authorization]
(DelBene, K et al., 2019)
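The three checks on this slide, as an added example that is not code from the presentation or from any of its cited sources: a minimal policy decision function in Python that verifies the user, then the device, then the access privileges, and denies by default, placed beside a perimeter-style decision for contrast. The identity directory, the managed-device inventory, the policy table, the request fields and the sample requests are all constructed assumptions.

```python
"""Zero-Trust access decision: verify the user, verify the device, verify privileges.

Added example, not from the presentation. The directory, device inventory,
policy table and sample requests below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import timedelta
from typing import Callable, Dict, Set, Tuple

Decision = Tuple[bool, str]


@dataclass(frozen=True)
class AccessRequest:
    user: str                 # asserted identity
    mfa_verified: bool        # user completed a second factor for this session
    session_age: timedelta    # time since the last interactive authentication
    device_id: str            # identity presented by the endpoint
    device_attested: bool     # endpoint proved its identity (e.g. a device certificate)
    device_compliant: bool    # inventory says: patched, disk encrypted, EDR running
    resource: str
    action: str
    source_network: str       # "corp-lan" or "internet"; ZTA does not trust this


# Constructed identity directory, managed-device inventory and authorization policy.
KNOWN_USERS: Set[str] = {"alice", "bob"}
MANAGED_DEVICES: Set[str] = {"lt-0001", "lt-0002"}
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "payroll-db": {"bob": {"read"}},
    "wiki": {"alice": {"read", "write"}, "bob": {"read"}},
}
MAX_SESSION_AGE = timedelta(hours=8)


def verify_user(req: AccessRequest) -> Decision:
    """Authentication, part 1: is this a known, strongly authenticated user?"""
    if req.user not in KNOWN_USERS:
        return False, "unknown user"
    if not req.mfa_verified:
        return False, "mfa required"
    if req.session_age > MAX_SESSION_AGE:
        return False, "session expired, re-authenticate"
    return True, "user verified"


def verify_device(req: AccessRequest) -> Decision:
    """Authentication, part 2: is the endpoint known, attested and compliant?"""
    if req.device_id not in MANAGED_DEVICES:
        return False, "unmanaged device"
    if not req.device_attested:
        return False, "device attestation failed"
    if not req.device_compliant:
        return False, "device out of compliance"
    return True, "device verified"


def verify_access(req: AccessRequest) -> Decision:
    """Authorization: does policy grant this user this action on this resource?"""
    allowed = POLICY.get(req.resource, {}).get(req.user, set())
    if req.action not in allowed:
        return False, f"{req.user} may not {req.action} {req.resource}"
    return True, "authorized"


CHECKS: Tuple[Callable[[AccessRequest], Decision], ...] = (
    verify_user, verify_device, verify_access,
)


def zero_trust_decide(req: AccessRequest) -> Decision:
    """Deny by default: every check runs on every request, whatever the network."""
    for check in CHECKS:
        ok, reason = check(req)
        if not ok:
            return False, reason
    return True, "allow"


def perimeter_decide(req: AccessRequest) -> Decision:
    """Traditional model, for contrast: being on the corporate LAN counts as trust."""
    if req.source_network == "corp-lan":
        return True, "inside perimeter"
    return False, "outside perimeter"


# Constructed sample requests.
LAN_UNMANAGED = AccessRequest(            # on the LAN, but from an unmanaged phone
    user="bob", mfa_verified=True, session_age=timedelta(minutes=5),
    device_id="byod-phone", device_attested=False, device_compliant=False,
    resource="payroll-db", action="read", source_network="corp-lan",
)
REMOTE_MANAGED = AccessRequest(           # remote, but every check passes
    user="alice", mfa_verified=True, session_age=timedelta(hours=1),
    device_id="lt-0001", device_attested=True, device_compliant=True,
    resource="wiki", action="write", source_network="internet",
)
REMOTE_UNAUTHORIZED = AccessRequest(      # same user and device, resource not granted
    user="alice", mfa_verified=True, session_age=timedelta(hours=1),
    device_id="lt-0001", device_attested=True, device_compliant=True,
    resource="payroll-db", action="read", source_network="internet",
)
REMOTE_STALE = AccessRequest(             # same user and device, session too old
    user="alice", mfa_verified=True, session_age=timedelta(hours=9),
    device_id="lt-0001", device_attested=True, device_compliant=True,
    resource="wiki", action="read", source_network="internet",
)

if __name__ == "__main__":
    for name, req in (("LAN, unmanaged device", LAN_UNMANAGED),
                      ("remote, managed device", REMOTE_MANAGED),
                      ("remote, unauthorized resource", REMOTE_UNAUTHORIZED),
                      ("remote, stale session", REMOTE_STALE)):
        print(f"{name}: perimeter={perimeter_decide(req)} zero_trust={zero_trust_decide(req)}")
```

The point of the contrast is the first sample: the perimeter model allows a request merely because it arrives from the corporate LAN, while the Zero-Trust decision rejects it at the device check before authorization is even consulted. The checks are ordered exactly as the slide lists them, and each returns the reason for its decision so that denials can be logged and reviewed.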
10. CONCLUSION
Implementing a ‘Zero-Trust’ solution is not quick or easy.
Cybersecurity practitioners will need to communicate effectively with people, and in particular with their organization’s executive ranks, if the practitioner is to be successful.
Know your enemy. - Sun Tzu, ‘Art of War’
Although your executive structure is not your enemy, in the days of “Zero-Trust” everyone is the enemy until proven otherwise; just ask the NSA.
11. REFERENCE PAGE
• Barth, D., & Gilman, E. (n.d.). Zero Trust Networks. O’Reilly. Retrieved from https://www.oreilly.com/library/view/zero-trust-networks/9781491962183/ch01.html
• DeCusatis, C., Liengtiraphan, P., Sager, A., & Pinelli, M. (2016). Implementing Zero Trust Cloud Networks with Transport Access Control and First Packet Authentication. 2016 IEEE International Conference on Smart Cloud. IEEE. http://dx.doi.org/10.1109/SmartCloud.2016.22
• DelBene, K, Medin, M, & Murray, R. (2019). The Road to Zero Trust (Security) (Defense Innovation Board Report). Retrieved from Department of Defense website: https://media.defense.gov/2019/Jul/09/2002155219/-1/-1/0/DIB_THE_ROAD_TO_ZERO_TRUST_(SECURITY)_07.08.2019.PDF
• DeSteno, David. (2014). Who Can You Trust? Harvard Business Review. Retrieved from https://hbr.org/2014/03/who-can-you-trust
• Eidle, D., Ni, S., DeCusatis, C., & Sager, A. (2017). Autonomic security for zero trust networks. 2017 IEEE 8th Annual Ubiquitous Computing, Electronics and Mobile Communication Conference (UEMCON), 288. http://dx.doi.org/10.1109/UEMCON.2017.8249053
• Infosec Institute. (2019). OODA and Cybersecurity. Retrieved from http://2019
• Lewicki, Roy J., Tomlinson, Edward C., & Gillespie, Nicole. (2006). Models of Interpersonal Trust Development: Theoretical Approaches, Empirical Evidence, and Future Directions. Journal of Management, 32, 991–1022. http://dx.doi.org/10.1177/0149206306294405
• Nakashima, C., & Gregg, A. (2018, Jan 02). NSA’s top talent is leaving because of low pay, slumping morale and unpopular reorganization. Washington Post. Retrieved from https://www.washingtonpost.com/world/national-security/the-nsas-top-talent-is-leaving-because-of-low-pay-and-battered-morale/2018/01/02/ff19f0c6-ec04-11e7-9f92-10a2203f6c8d_story.html
• NASA Office of the Inspector General (OIG). (2019). Cybersecurity Management and Oversight at the Jet Propulsion Laboratory (IG-19-022 report). Pasadena, CA: NASA. Retrieved from https://search-credoreference-com.proxy1.ncu.edu/content/entry/macdiplom/office_of_inspector_general/0
• User Experience (UX) Design. (n.d.). Retrieved from Interaction Design Foundation website: https://www.interaction-design.org/literature/topics/ux-design
• Zero Trust Cybersecurity Current Trends (April 18, 2019). (2019). Retrieved from American Council for Technology-Industry Advisory Council (ACT-IAC) website: https://www.actiac.org/zero-trust-cybersecurity-current-trends
Editor’s Notes
“The answers aren’t obvious. If you choose to trust new clients, contractors, or collaborators, you make yourself vulnerable: Your outcomes, financial and otherwise, now depend on their fidelity. But if you insist on verifying each claim and accounting for every detail before a deal is signed, you’ll slow the process and increase costs, potentially putting yourself at a disadvantage“ (DeSteno, David, 2014).
Researchers have recorded time and again, “90% of people — most of whom identify themselves as morally upstanding — will act dishonestly to benefit themselves if they believe they won’t get caught. Why? Anonymity means no long-term cost (or impact) will be exacted.“ (DeSteno, David, 2014).
What this means for security practitioners is that we need to help the executive ranks understand the value of time and the impact a cyberattack would have on their organization: a breach directly and adversely causes loss of revenue and time, and every organization faces that risk today. However, we cannot run to the executive structure and say ‘follow the security process’ if the process is slow or cumbersome to the end-user, who is only concerned about their ‘user experience’ (UX).
The Iterative Process of UX Design Model has three focus areas in which cybersecurity should be addressed: User Research, Design, and Build (User Experience (UX) Design, n.d.). Within the User Research area, cyber practitioners ensure security questions and concerns are identified and validated before moving on to designing the solution. When organizations design a solution, cyber practitioners should be leveraged to bake security into the functionality of the solution. Once the solution is designed, cyber practitioners should continue to be part of it and validate that the application has been built according to the user requirements defined in the research and design specifications. In performing this iterative process, cyber practitioners do not only ensure the solution is secure: confidential, available and built with integrity. These experts provide another valuable service to the organization: they ensure a high level of quality can be expected from the product or service.
The OODA Loop was created by Colonel John Boyd, a former Air Force pilot, to aid in the development of US military strategy. Boyd initially created the OODA loop for ‘dog fights’ with the adversary. A pilot who rapidly observed and analyzed an adversary’s behaviors using the OODA decision-making process could gain an advantage in air-to-air combat. Accepting the chaos associated with rapid analysis, and working more rapidly than the opponent, allows a decision-maker to appear unpredictable and cause chaos in the adversary’s decision-making ability. The OODA loop is a four-stage process for decision-making: observe, orient, decide and act. The individual should cycle through these phases rapidly and frequently as part of their analysis and decision-making process (Infosec Institute, 2019).
Cybersecurity practitioners can leverage the OODA Loop to Observe the executive, see how they react to various situations, and determine the best time to approach the executive to discuss and present the challenge to overcome. In the second phase of the OODA, the cybersecurity practitioner Orients to the executive to determine their point of view and identify opportunities for success and failure. In the next phase, the cybersecurity practitioner Decides on the course of action to be taken and the goals to be met or achieved, and communicates this information to the executive. The last step in the OODA Loop is to Act: once the decision is made, it is time to implement the plan. As the model states, this is a Loop, and the process is completed again and again.
Unfortunately, when organizations take a “Zero-Trust” approach with their staff, it will impact morale. Zero-Trust is something the NSA wishes it had in place pre-Snowden; unfortunately, now that it has moved to this model, it is hurting morale (Nakashima & Gregg, 2018). Having the right amount of trust in your people is imperative. To do so, the organization needs to ask three questions: “How has trust been defined and measured? At what level does trust begin? and What causes the level of trust to change over time (i.e., how does trust grow and decline)?” The information gathered should be measured over time and used to define and calibrate the complex elements of the trust constructs (Lewicki, Roy J., Tomlinson, Edward C., & Gillespie, Nicole, 2006).