Now that everything is moving to the cloud, applications are accessible from anywhere. However, no one wants their private information compromised and openly available to the world. We have been taking many precautions, yet breaches continue to happen. How should we fix this?
Organisations have been talking about Zero Trust lately, and it has become a buzzword. This talk explores Zero Trust beyond the buzzword: what exactly Zero Trust is and why it is so important for keeping organisations safe; how to implement or deploy Zero Trust in an organisation while keeping its current and future state in mind; what the business model for moving an organisation towards a Zero Trust Architecture should be; and which policies need to be implemented to achieve it.
In the end, certain recommendations will be shared with the participants as a takeaway from my own experiences while working towards implementing Zero Trust.
(SACON) Vandana Verma - Living In A World of Zero Trust
1. SACON
SACON International 2020
India | Bangalore | February 21 - 22 | Taj Yeshwantpur
Life in the world of Zero Trust
Vandana Verma Sehgal
Infosecvandana
2. WHO AM I
● OWASP Global Board
● Speaker/Trainer at Defcon (AppSec Village); Asst. Trainer at Black Hat, OWASP AppSec Conferences and others
● Member of Review Board at Grace Hopper, BSides Ahmedabad, Global AppSec, etc.
● Diversity Initiatives:
○ InfoSec Girls, OWASP WiA, WoSec
○ Free Trainings at Conferences
○ Webinars, Personal Mentoring, etc.
7. Traditional Security Model
• Access control lists (ACLs)
• Role-based access controls (RBAC)
• Principle of least privilege
• Zero Trust model
8. History
• First described in 2010 by John Kindervag
• Later taken up by Google as part of their “BeyondCorp”
• Means different things to different people
9. Why Zero Trust?
• Cybersecurity Ventures predicts “cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015”
• The Ponemon Institute Data Breach Study, sponsored by IBM, found that the global average cost of a data breach is $3.62 million.
• “More than 40% of companies have more than a quarter of their employees working remotely. More than 25% have more than 40% of their employees working remotely.”
• Additionally, “More than 67% of workers use their own devices at work.”
• Beyond that, “80% of all BYOD is completely unmanaged.”
10. Gartner
Zero-trust network access “provides adaptive, identity-aware, precision access” and “enables digital ecosystems to work without exposing services directly to the internet.”
12. Zero Trust Model By Forrester
• Ensure all resources are accessed securely regardless of location
• Adopt a principle of least privilege strategy and strictly enforce access control.
• Inspect and log all traffic.
13. Never Trust, Always Verify
• Never trust the client
• Never trust the server
• Never trust the network
25. Attacker Response to ZTA
“The best offense is a good defense”
https://securityboulevard.com/2019/10/countdown-to-zero-why-zero-trust-is-in-the-spotlight/
27.
Zero Trust security is no longer just a concept. It has become an essential security strategy that helps organizations protect their valuable data in a “perimeter-everywhere” world.
28.
“Trust is a dangerous vulnerability that can be exploited” - John Kindervag
30. Deploying Zero Trust
• Identify the protect surface
• Identify roles and assign each person to a single role
• Map the transaction flows
• Build a Zero Trust architecture
• Create a Zero Trust policy
• Monitor and maintain: inspect and log the traffic based on your behaviour analytics
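The deployment steps above (a defined protect surface, one role per person, a Zero Trust policy, and logging of every access) together with the “never trust the client, server or network” rule from slide 13 can be seen in a small policy decision point. The following Python is an added example written for this page; it is not code from the talk or from any product the slides mention. The signing key, users, roles, devices, resources and the HMAC token format are constructed stand-ins for an identity provider, a device-posture feed and a policy store.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed demo values: a real deployment gets these from an identity
# provider (IdP), an MDM/EDR posture feed and a policy store.
SIGNING_KEY = b"demo-signing-key-not-for-production"
PROTECT_SURFACE = {"payroll-db", "hr-api"}          # the assets the policy covers
ROLE_PERMISSIONS = {                                  # least privilege: role -> (resource, action)
    "payroll-clerk": {("payroll-db", "read")},
    "hr-admin": {("hr-api", "read"), ("hr-api", "write")},
}
USER_ROLE = {"alice": "payroll-clerk", "bob": "hr-admin"}   # one role per person
DEVICE_POSTURE = {
    "laptop-01": {"managed": True, "compliant": True},
    "byod-7": {"managed": False, "compliant": False},
}
AUDIT_LOG = []                                        # every decision is recorded here


def mint_token(subject, device_id, issued_at, ttl=300):
    """Issue an HMAC-signed identity token bound to one device (stand-in for an IdP)."""
    claims = {"sub": subject, "dev": device_id, "iat": issued_at, "exp": issued_at + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def verify_token(token, now):
    """Return the claims if signature and expiry check out, otherwise None."""
    if not token or "." not in token:
        return None
    body, sig = token.rsplit(".", 1)
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):        # constant-time comparison
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(body.encode()))
    except (binascii.Error, ValueError):
        return None
    if now >= claims.get("exp", 0):                   # expired tokens are never trusted
        return None
    return claims


def authorize(request, now):
    """Policy decision point: re-evaluate identity, device and role on every request.

    request keys: token, device_id, source_ip, resource, action.
    Returns (allowed, reason). Default is deny; source_ip is logged but never trusted,
    so a request from an "internal" address earns nothing on its own.
    """
    def decide(allowed, reason):
        AUDIT_LOG.append({"time": now, "ip": request.get("source_ip"),
                          "resource": request.get("resource"),
                          "action": request.get("action"),
                          "allowed": allowed, "reason": reason})
        return allowed, reason

    resource, action = request.get("resource"), request.get("action")
    if resource not in PROTECT_SURFACE:
        return decide(False, "resource not in protect surface")
    claims = verify_token(request.get("token"), now)  # never trust the client
    if claims is None:
        return decide(False, "identity not verified")
    device = request.get("device_id")
    posture = DEVICE_POSTURE.get(device)
    # Token must be bound to the presenting device, and the device must be managed and compliant.
    if claims.get("dev") != device or not posture or not (posture["managed"] and posture["compliant"]):
        return decide(False, "device not trusted")
    role = USER_ROLE.get(claims.get("sub"))
    if (resource, action) not in ROLE_PERMISSIONS.get(role, set()):
        return decide(False, "action not permitted for role")
    return decide(True, "ok")


if __name__ == "__main__":
    now = 1_700_000_000
    tok = mint_token("alice", "laptop-01", now)
    print(authorize({"token": tok, "device_id": "laptop-01", "source_ip": "10.0.0.5",
                     "resource": "payroll-db", "action": "read"}, now))
    print(authorize({"token": tok, "device_id": "laptop-01", "source_ip": "10.0.0.5",
                     "resource": "payroll-db", "action": "write"}, now))
    for entry in AUDIT_LOG:
        print(entry)
```

The design choice worth noting is that nothing is cached between requests: a stolen token replayed from a different device is refused because the `dev` claim no longer matches, an expired token is refused regardless of where it comes from, and a clerk asking for a write is refused by the role table even though the identity and device are fine. Every outcome, allowed or denied, lands in `AUDIT_LOG` so the “inspect and log all traffic” step has data to feed behaviour analytics.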