HOW ZERO TRUST CHANGES IDENTITY & ACCESS
BeyondCorpSF Meetup - Mar 9th 2017
Ivan Dwyer - ivan.dwyer@scaleft.com | @fortyfivan
90% of organizations vulnerable to insider threats in 2015
80% of security breaches involve privileged credentials
23 authentication events per person every day
Sources: Forrester, Technavio, NIST
Mitigating insider risk is a top priority for every organization
Mission: To have every Google employee work successfully from untrusted networks without use of a VPN
1. Connecting from a particular network must not determine which services you can access
2. Access to services is granted based on what we know about you and your device
3. All access to services must be authenticated, authorized, and encrypted
Google really got it right with BeyondCorp
Zero Trust: Google Security for Everyone Else
First we need a new concept of Enterprise Identity
Employees have traditionally been placed into two buckets*

                    Privileged User        Non-privileged User
  Function          IT                     Business
  Resources         Infrastructure         Applications
  Workflow          Terminal               Web
  Role              Admin                  Group-based
  Credential        Key or Cert            Password
  Added Layers      Rotation policy        MFA
  Product Category  PAM                    IAM

* Insert gross overgeneralization disclaimer here
Building a dynamic user and device profile
Is the user in good standing with the company?
Does the user belong to the Engineering org?
Is the user on Team A working on feature X?
...
Is the device in inventory?
Is the device’s disk encrypted?
Is the device’s OS up to date?
...
Enterprise Identity = You + Your Device at a Point-in-Time
Identity is still King, but Access is the Throne
What do we really want from Access Management?
➔ A unified solution for authentication, authorization, and auditing
➔ A common access policy definition for ABAC & RBAC
➔ The ability to make intelligent access decisions in real-time
➔ A consistent, streamlined workflow for both privileged and non-privileged users
➔ Identity governance decoupled from the system of record
➔ To eliminate the need for network segmentation and static credentials
Revitalizing the AAA Framework
➔ Authenticate: verify the identity is who they say they are
➔ Authorize: verify the identity is allowed to access the resource
➔ Audit: verify the identity is doing no harm (intentional or not)
The basis for a common Access Policy definition
➔ User attributes
➔ Device attributes
➔ Location-based rules
➔ Time-based controls
➔ Groups and roles
➔ Federation capabilities
➔ Resource-specific rules
All requests flow through a centralized access gateway
[Diagram: a client requests a resource over SSH, RDP or HTTPS; the Access Gateway consults the IdP, the Policy Engine (evaluating the Access Policies), MFA and a CA, then answers "Grant?" with Yes or No. A denied user can ask "Why was I denied access?"]
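As an added illustration of the gateway flow and the user-plus-device profile above (example code written for this page, not ScaleFT's or Google's), a small Python policy engine: it evaluates baseline user and device attribute rules plus resource-specific location, time and group rules at a point in time, returns the list of failed rules so a denied user can be told why, and builds the audit record the gateway would log. Every rule name, resource, user and device below is constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class User:
    name: str
    active: bool             # in good standing with the company?
    org: str                 # e.g. "Engineering"
    groups: frozenset        # group and role membership
    mfa_verified: bool       # MFA completed for this session?

@dataclass(frozen=True)
class Device:
    serial: str
    in_inventory: bool
    disk_encrypted: bool
    os_up_to_date: bool

@dataclass(frozen=True)
class Request:
    user: User
    device: Device
    resource: str            # constructed names such as "ssh://prod-db-01"
    protocol: str            # SSH, RDP or HTTPS
    source_country: str      # input for the location-based rule
    at: datetime             # the point in time the decision is made for

@dataclass(frozen=True)
class Decision:
    granted: bool
    failed_rules: tuple      # the answer to "Why was I denied access?"

# Baseline rules on user and device attributes; every request must pass them.
BASELINE = (
    ("user-active", lambda r: r.user.active),
    ("device-in-inventory", lambda r: r.device.in_inventory),
    ("device-disk-encrypted", lambda r: r.device.disk_encrypted),
    ("device-os-current", lambda r: r.device.os_up_to_date),
    ("encrypted-protocol", lambda r: r.protocol in {"SSH", "RDP", "HTTPS"}),
)

# Resource-specific rules layered on top of the baseline (all constructed).
RESOURCE_RULES = {
    "ssh://prod-db-01": (
        ("org-engineering", lambda r: r.user.org == "Engineering"),
        ("group-db-admins", lambda r: "db-admins" in r.user.groups),
        ("mfa-required", lambda r: r.user.mfa_verified),
        ("allowed-country", lambda r: r.source_country in {"US", "CA"}),
        ("business-hours-utc",
         lambda r: 8 <= r.at.astimezone(timezone.utc).hour < 20),
    ),
    "https://wiki.internal": (
        ("group-employees", lambda r: "employees" in r.user.groups),
    ),
}

def decide(req: Request) -> Decision:
    """Authorize: evaluate every applicable rule; any single failure denies."""
    rules = BASELINE + RESOURCE_RULES.get(req.resource, ())
    failed = tuple(name for name, check in rules if not check(req))
    return Decision(granted=not failed, failed_rules=failed)

def audit_record(req: Request, decision: Decision) -> dict:
    """Audit: the structured event the gateway would log for every request."""
    return {
        "ts": req.at.isoformat(),
        "user": req.user.name,
        "device": req.device.serial,
        "resource": req.resource,
        "protocol": req.protocol,
        "granted": decision.granted,
        "denied_by": list(decision.failed_rules),
    }

# Constructed sample data: one user, two devices, two points in time.
ALICE = User("alice", True, "Engineering", frozenset({"employees", "db-admins"}), True)
LAPTOP = Device("C02ABC123", True, True, True)
STALE_LAPTOP = Device("C02XYZ999", True, True, False)     # OS not up to date
NOON_UTC = datetime(2017, 3, 9, 12, 0, tzinfo=timezone.utc)
NIGHT_UTC = datetime(2017, 3, 9, 2, 0, tzinfo=timezone.utc)
GOOD_REQ = Request(ALICE, LAPTOP, "ssh://prod-db-01", "SSH", "US", NOON_UTC)
STALE_REQ = Request(ALICE, STALE_LAPTOP, "ssh://prod-db-01", "SSH", "US", NOON_UTC)
NIGHT_REQ = Request(ALICE, LAPTOP, "ssh://prod-db-01", "SSH", "DE", NIGHT_UTC)
WIKI_REQ = Request(ALICE, LAPTOP, "https://wiki.internal", "HTTPS", "DE", NOON_UTC)

if __name__ == "__main__":
    for req in (GOOD_REQ, STALE_REQ, NIGHT_REQ, WIKI_REQ):
        print(audit_record(req, decide(req)))
```

The same user on the same resource is granted from a current laptop and denied from a stale one, which is the point of the "You + Your Device at a Point-in-Time" identity.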
Some questions to ponder
➔ How will all the components integrate with each other?
➔ How to balance coarse-grained policies with fine-grained policies?
➔ Where do the access policies line-up with the shared responsibility principles of IaaS?
➔ What’s the best way to incorporate approval workflows to specific resources?
➔ Can the Identity system of record exist in the cloud?
➔ How to support legacy protocols and specifications consistently? (Should you?)
➔ How to track and monitor all the devices (managed and BYOD) that employees use?
Zero Trust is Security Transformation
The big picture
Zero Trust security measures encourage better overall practices
➔ Keep devices up-to-date with the latest software
➔ Maintain an inventory of employee devices
➔ Monitor all endpoints & log all traffic
➔ Only communicate over fully encrypted channels
➔ Incorporate multi-factor auth
➔ Eliminate static credentials
We will start to see significant market effects
➔ A new category of Cloud Native solution providers is emerging that is disrupting the legacy security companies who focus primarily on strengthening perimeter security
➔ Defined market categories such as IAM and PAM will converge into a single Access Management category that works across privileged and non-privileged users
➔ The Identity Provider space is about to heat up as cloud-based alternatives to Active Directory start to break through into the enterprise market
➔ The VPN market is going to be significantly impacted as more companies shift towards a Zero Trust model that places less (or no) emphasis on network protection as a security measure
Where does ScaleFT fit in the picture?
ScaleFT is the leading Zero Trust Access Management provider
Architecture Reviews: We work closely with you to design the right Zero Trust architecture for your organization
Platform Implementations: The ScaleFT platform can be operated as a SaaS or as a dedicated deployment in any cloud environment
Community Efforts: We are leading the BeyondCorp movement, further educating the market about Zero Trust
THANKS!!
Get in touch: ivan.dwyer@scaleft.com | @fortyfivan
www.scaleft.com
www.beyondcorp.com