As now everything is moving to cloud, all the applications are accessible from anywhere and everywhere. However, No one wants their private information to be compromised and openly available for the world. We have been taking so many precautions, however breaches continue to happen. How should we fix this? Organisations have been talking about Zero Trust lately and this has become a buzzword. The talk will explore Zero Trust beyond the buzzword and describe what exactly is Zero Trust and why it is so important to keep organisations safe. How can we implement or deploy Zero Trust in an organisation while keeping the current and future state of an organization in mind. What should be the business model to move any organisation towards Zero Trust Architecture and what all policies need to be implemented to achieve the same. In the end, certain recommendations will be shared with the participants as a takeaway from my own experiences while working towards implementing the Zero Trust.

1. SACON
SACON International 2020
India | Bangalore | February 21 - 22 | Taj Yeshwantpur
Life in the world of Zero Trust
Vandana Verma Sehgal
Infosecvandana

2. SACON 2020
WHO AM I
● OWASP Global Board
● Speaker/Trainer at Defcon(AppSec Village), Asst. Trainer
at Black Hat, OWASP AppSec Conferences and others
● Member of Review Board at Grace Hopper, BSides Ahmedabad,
● Global AppSec, etc.
● Diversity Initiatives:
○ InfoSec Girls, OWASP WiA, WoSec
○ Free Trainings at Conferences
○ Webinars, Personal Mentoring, etc.

3. SACON 2020

4. SACON 2020

5. SACON 2020
Digital Transformation

6. SACON 2020
Traditional Security Model

7. SACON 2020
Traditional Security Model
Access
control lists
(ACLs)
Role-based
access
controls
(RBAC)
Principles of
least
privilege
Zero Trust
model

8. SACON 2020
History
• First in 2010 by John Kindervag
• Late Google as a part of their “Beyond Corp”
• Means different for different people

9. SACON 2020
Why Zero Trust?
• Cybersecurity Ventures predicts “cybercrime will cost the world $6 trillion annually
by 2021, up from $3 trillion in 2015”
• Ponemon Institute and sponsored by IBM- Data Breach Study found that the global
average cost of a data breach is $3.62 million.
• “More than 40% of companies have more than a quarter of their employees
working remotely. More than 25% have more than 40% of their employees working
remotely.”
• Additionally, “More than 67% of workers use their own devices at work.”
• Beyond that, “80% of all BYOD is completely unmanaged.”

10. SACON 2020
Gartner
Zero-trust network access “provides
adaptive, identity-aware, precision
access” and “enables digital
ecosystems to work without
exposing services directly to the
internet.”

11. SACON 2020
Forrester estimates “80% of data breaches are
caused by privileged access abuse”

12. SACON 2020
Zero Trust Model By Forrester
Ø Ensure all resources are accessed securely
regardless of location
Ø Adopt a Principle of least privilege strategy
and strictly enforce Access Control.
Ø Inspect and perform logging all traffic.

13. SACON 2020
Never Trust, Always Verify
•Never trust the client
•Never Trust the server
•Never Trust the network

14. SACON 2020
Zero Trust
Architecture

15. SACON 2020https://www.oreilly.com/library/view/zero-trust-networks/9781491962183/ch01.html

16. SACON 2020https://www.oreilly.com/library/view/zero-trust-networks/9781491962183/assets/ztnw_0102.png

17. SACON 2020
Provide Users With Application-Only Access,
Not Network Access

18. SACON 2020
Isolate Your Network Infrastructure From the
Public Internet

19. SACON 2020
Enable WAF to Protect Corporate Applications

20. SACON 2020
Put Identity, Authentication, and Authorization in Place
Before Providing Access

21. SACON 2020
Use Advanced Threat Protection to Defend Against
Phishing, Zero-Day Malware, and DNS-Based Data
Exfiltration

22. SACON 2020
Monitor Internet-Bound Traffic and Activity

23. SACON 2020
Support Integration with Security Information and Event Management
(SIEM) and Orchestration Through RESTful APIs

24. SACON 2020
Applied in the Cloud

25. SACON 2020
Attacker Response to ZTA
“The best offense is a good defense”
https://securityboulevard.com/2019/10/countdown-to-zero-why-zero-trust-is-in-
the-spotlight/

26. SACON 2020
Key Takeaways

27. SACON 2020
Zero Trust security is no longer just a concept. It has become an
essential security strategy that helps organizations protect their
valuable data in a “perimeter-everywhere” world.

28. SACON 2020
"Trust is a dangerous vulnerability that can be
exploited” - John Kindervag

29. SACON 2020
The new security perimeter is identity

30. SACON 2020
Deploying Trusting Zero
• Identify the protect surface
• Identify roles and assign people to a single role
• Map the transaction flows
• Build a Zero Trust architecture
• Create Zero Trust policy
• Monitor and maintain, inspect and log the traffic based on your behaviour
analytics

31. SACON 2020
Reach Me!!
● Twitter: @InfosecVandana
● LinkedIn: vandana-verma
● Email: vandana.infosec@gmail.com

32. SACON 2020
• https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture
• https://www.csoonline.com/article/3247848/what-is-zero-trust-a-model-for-more-effective-security.html
• https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207-draft.pdf
• https://www.cloudflare.com/learning/security/glossary/what-is-zero-trust/
• https://ldapwiki.com/wiki/Zero%20Trust
• https://www.youtube.com/watch?v=-Why_ZjJUhg
• https://www.forbes.com/sites/louiscolumbus/2019/02/07/digital-transformations-missing-link-is-zero-
trust/#6be166fe727f
• https://www.akamai.com/us/en/multimedia/documents/white-paper/how-to-guide-zero-trust-security-
transformation.pdf
• https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207-draft.pdf
• https://www.youtube.com/watch?v=1D5mg9an19o
References

33. SACON 2020
Thank you!