Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Zero Trust Networks: In Theory and In Practice

Doug Barth
July 25, 2017
Technology
1
390

Zero Trust Networks: In Theory and In Practice

Presented at BSides Las Vegas 2017: http://sched.co/BNEw

The world is changing, but our network security models are having trouble keeping up. In a time where remote work is regular and cloud mobility is paramount, the perimeter security model is showing its age -- badly.

We deal with VPN tunnel overhead and management. We spend millions on fault-tolerant perimeter firewalls. We carefully manage all entry and exit points on the network, yet still we see ever-worsening breaches year over year. The Zero Trust model aims to solve these problems.

Zero Trust networks are built with security at the forefront. No packet is trusted without cryptographic signatures. Policy is constructed using software and user identity rather than IP addresses. Physical location and network topology no longer matter. The Zero Trust model is very different, indeed.

In this talk, we'll discuss the philosophy and origin of the Zero Trust model, what it brings to the table, and how to think about building one.

Doug Barth

July 25, 2017
Tweet

More Decks by Doug Barth

See All by Doug Barth
Culture from Chaos
dougbarth
0
82
IPsec mesh network: Perfect for the cloud?
dougbarth
1
1.4k
Failure Friday: Start Injecting Failure Today! (DevOpsDays Austin 2015)
dougbarth
0
520
Making PagerDuty More Reliable Using XtraDB Cluster
dougbarth
0
190
Ensuring Success During Disaster - SRECon 2015
dougbarth
0
210
Minimum Viable Ops
dougbarth
0
74
Policy as Code
dougbarth
1
280
Living without scheduled maintenance
dougbarth
2
1.1k
Failure Friday: Start Injecting Failure Today!
dougbarth
0
120

Other Decks in Technology

See All in Technology
オブザーバビリティの Primary Signals
onk
PRO
0
550
〜小さく始めて大きく育てる〜データ分析基盤の開発から活用まで
kniino
0
2k
長期運用プロジェクトでのMySQLからTiDB移行の検証
colopl
2
710
コードを書く隙間を見つけて生きていく技術/Findy 思考の現在地
fujiwara3
24
5.3k
WebアプリケーションにおけるPDOの使い方入門 / phpcon odawara 2024
meihei3
2
430
ChatworkのSRE部って実は 半分くらいPlatform Engineering部かもしれない
saramune
0
110
DevOpsDays History and my DevOps story
kawaguti
PRO
8
1.6k
On Your Data を超えていく!
hirotomotaguchi
2
120
キャラクター制御のためのプロンプト術 for LINE Bot
uezo
0
530
継続的な改善 x ⾮連続的な進化
sansantech
PRO
3
110
巨大なテーブルのテーブル定義を無停止で安全に誰でも変更できるようにする / Table-definitions-for-huge-tables-can-be-modified-by-anyone-safely-and-non-disruptively
freee
1
740
NgRx Signal Store
rainerhahnekamp
0
130

Featured

See All Featured
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
34
8.9k
VelocityConf: Rendering Performance Case Studies
addyosmani
320
23k
Making Projects Easy
brettharned
108
5.5k
Producing Creativity
orderedlist
PRO
336
39k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
115
18k
Side Projects
sachag
451
41k
Thoughts on Productivity
jonyablonski
57
3.8k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
39
4.4k
For a Future-Friendly Web
brad_frost
171
8.9k
A better future with KSS
kneath
231
16k
Building Adaptive Systems
keathley
30
1.9k
Designing the Hi-DPI Web
ddemaree
276
33k

Transcript

  1. Evan Gilman, Doug Barth @evan2645 @dougbarth Zero Trust Networks

  2. 7/25/17 @evan2645 @dougbarth About Us Zero Trust: Building Systems in

    Untrusted Networks

  3. 7/25/17 @evan2645 @dougbarth DC-A DC-B DC-C C* C* C* Zero

    Trust: Building Systems in Untrusted Networks

  4. @evan2645 @dougbarth iptables

  5. @evan2645 @dougbarth

  6. @evan2645 @dougbarth IPsec VPN

  7. 7/25/17 @evan2645 @dougbarth DC-A DC-B DC-C Zero Trust: Building Systems

    in Untrusted Networks VPN VPN VPN

  8. @evan2645 @dougbarth IPsec VPN

  9. 7/25/17 @evan2645 @dougbarth DC-A DC-B DC-C Zero Trust: Building Systems

    in Untrusted Networks VPN VPN VPN

  10. 7/25/17 @evan2645 @dougbarth DC-A DC-B DC-C Zero Trust: Building Systems

    in Untrusted Networks

  11. 7/25/17 @evan2645 @dougbarth Emergent Properties All Flows Authenticated and Encrypted

    All Flows Asserted as Authorized No Inherent Value in IP Address Zero Trust: Building Systems in Untrusted Networks

  12. 7/25/17 @evan2645 @dougbarth Emergent Properties No Centralized Firewalls No Network

    Gateways No Private Network Zero Trust: Building Systems in Untrusted Networks

  13. @evan2645 @dougbarth BeyondCorp

  14. @evan2645 @dougbarth Zero Trust Philosophy: No Trust In Network

  15. @evan2645 @dougbarth Zero Trust Philosophy: Every Flow Is Expected

  16. @evan2645 @dougbarth Zero Trust Philosophy: Symbolic Policy

  17. @evan2645 @dougbarth Zero Trust Philosophy: Network Agent

  18. @evan2645 @dougbarth Zero Trust Philosophy: Automate!

  19. @evan2645 @dougbarth Visibility

  20. @evan2645 @dougbarth Start Early

  21. @evan2645 @dougbarth Manifestation

  22. 7/25/17 @evan2645 @dougbarth Control Plane Services Zero Trust: Building Systems

    in Untrusted Networks User Inventory Device Inventory Data Plane Servers Servers Servers Servers Servers Phones Servers Servers Laptops

  23. 7/25/17 @evan2645 @dougbarth Control Plane Services Zero Trust: Building Systems

    in Untrusted Networks User Inventory Device Inventory Config Mgmt Data Plane Servers Servers Servers Servers Servers Phones Servers Servers Laptops

  24. 7/25/17 @evan2645 @dougbarth Control Plane Services Zero Trust: Building Systems

    in Untrusted Networks User Inventory Device Inventory Config Mgmt Authentication Services Data Plane Servers Servers Servers Servers Servers Phones Servers Servers Laptops

  25. @evan2645 @dougbarth Examples

  26. @evan2645 @dougbarth Server-Side

  27. 7/25/17 @evan2645 @dougbarth PagerDuty Chef Cookbook for Initial Implementation Zero

    Trust: Building Systems in Untrusted Networks

  28. 7/25/17 @evan2645 @dougbarth PagerDuty Chef Cookbook for Initial Implementation Maturation

    brought Specialization Zero Trust: Building Systems in Untrusted Networks

  29. 7/25/17 @evan2645 @dougbarth PagerDuty Chef Cookbook for Initial Implementation Maturation

    brought Specialization Topology-Manager Zero Trust: Building Systems in Untrusted Networks

  30. 7/25/17 @evan2645 @dougbarth Topology-Manager Zero Trust: Building Systems in Untrusted

    Networks Control Plane Data Plane Server Agent Contained Workload Server Agent Contained Workload Enforcement

  31. 7/25/17 @evan2645 @dougbarth Topology-Manager Zero Trust: Building Systems in Untrusted

    Networks Data Plane Control Plane

  32. 7/25/17 @evan2645 @dougbarth Topology-Manager Zero Trust: Building Systems in Untrusted

    Networks Data Plane Control Plane Authorized User

  33. 7/25/17 @evan2645 @dougbarth Topology-Manager Zero Trust: Building Systems in Untrusted

    Networks Data Plane Control Plane Provisioner Authorized User

  34. 7/25/17 @evan2645 @dougbarth Topology-Manager Zero Trust: Building Systems in Untrusted

    Networks Data Plane Control Plane Provisioner Device Inventory Authorized User

  35. 7/25/17 @evan2645 @dougbarth Topology-Manager Zero Trust: Building Systems in Untrusted

    Networks Data Plane Control Plane Provisioner Device Inventory User Inventory Authorized User

  36. 7/25/17 @evan2645 @dougbarth Topology-Manager Zero Trust: Building Systems in Untrusted

    Networks Data Plane Control Plane Provisioner Device Inventory User Inventory Authorized User

  37. 7/25/17 @evan2645 @dougbarth Topology-Manager Zero Trust: Building Systems in Untrusted

    Networks Data Plane Control Plane Provisioner Device Inventory User Inventory Config Mgmt Authorized User

  38. 7/25/17 @evan2645 @dougbarth Topology-Manager No Trust In Network Zero Trust:

    Building Systems in Untrusted Networks

  39. 7/25/17 @evan2645 @dougbarth Topology-Manager No Trust In Network Compute Can

    Be Bootstrapped Anywhere Zero Trust: Building Systems in Untrusted Networks

  40. 7/25/17 @evan2645 @dougbarth Topology-Manager No Trust In Network Compute Can

    Be Bootstrapped Anywhere All Flows Get Strong AuthN/AuthZ Zero Trust: Building Systems in Untrusted Networks

  41. @evan2645 @dougbarth Client-Side

  42. 7/25/17 @evan2645 @dougbarth Google Large Network, Large Perimeter Zero Trust:

    Building Systems in Untrusted Networks

  43. 7/25/17 @evan2645 @dougbarth Google Large Network, Large Perimeter Many Remote

    Employees Zero Trust: Building Systems in Untrusted Networks

  44. 7/25/17 @evan2645 @dougbarth Google Large Network, Large Perimeter Many Remote

    Employees Perimeter + Remote Access Untenable Zero Trust: Building Systems in Untrusted Networks

  45. 7/25/17 @evan2645 @dougbarth Google Large Network, Large Perimeter Many Remote

    Employees Perimeter + Remote Access Untenable BeyondCorp Zero Trust: Building Systems in Untrusted Networks

  46. 7/25/17 @evan2645 @dougbarth BeyondCorp Zero Trust: Building Systems in Untrusted

    Networks Control Plane Data Plane Corp. Client

  47. 7/25/17 @evan2645 @dougbarth BeyondCorp Zero Trust: Building Systems in Untrusted

    Networks Control Plane Data Plane Corp. Client

  48. 7/25/17 @evan2645 @dougbarth BeyondCorp Zero Trust: Building Systems in Untrusted

    Networks Control Plane Data Plane Access Proxy Corp. Client

  49. 7/25/17 @evan2645 @dougbarth BeyondCorp Zero Trust: Building Systems in Untrusted

    Networks Control Plane Data Plane Access Proxy Corp. Client Enforcement

  50. 7/25/17 @evan2645 @dougbarth BeyondCorp Zero Trust: Building Systems in Untrusted

    Networks Control Plane Data Plane Access Proxy Corp. Client Backend Backend Backend Enforcement

  51. 7/25/17 @evan2645 @dougbarth BeyondCorp Zero Trust: Building Systems in Untrusted

    Networks Data Plane Control Plane User Inventory

  52. 7/25/17 @evan2645 @dougbarth BeyondCorp Zero Trust: Building Systems in Untrusted

    Networks Data Plane Control Plane SSO User Inventory

  53. 7/25/17 @evan2645 @dougbarth BeyondCorp Zero Trust: Building Systems in Untrusted

    Networks Data Plane Control Plane SSO Device Inventory User Inventory

  54. 7/25/17 @evan2645 @dougbarth BeyondCorp Zero Trust: Building Systems in Untrusted

    Networks Data Plane Control Plane Access Control Engine SSO Device Inventory User Inventory

  55. 7/25/17 @evan2645 @dougbarth BeyondCorp No Trust In Network Zero Trust:

    Building Systems in Untrusted Networks

  56. 7/25/17 @evan2645 @dougbarth BeyondCorp No Trust In Network Users Safely

    Roam Free Zero Trust: Building Systems in Untrusted Networks

  57. 7/25/17 @evan2645 @dougbarth BeyondCorp No Trust In Network Users Safely

    Roam Free All Requests Get Strong AuthN/AuthZ Zero Trust: Building Systems in Untrusted Networks

  58. 7/25/17 @evan2645 @dougbarth BeyondCorp No Trust In Network Users Safely

    Roam Free All Requests Get Strong AuthN/AuthZ Zero Trust: Building Systems in Untrusted Networks

  59. @evan2645 @dougbarth Mature Zero Trust

  60. 7/25/17 @evan2645 @dougbarth BeyondCorp Zero Trust: Building Systems in Untrusted

    Networks Data Plane Control Plane Access Control Engine SSO Device Inventory User Inventory Trust Engine

  61. 7/25/17 @evan2645 @dougbarth BeyondCorp Zero Trust: Building Systems in Untrusted

    Networks Control Plane Data Plane Access Proxy Corp. Client Backend Backend Backend Score Score

  62. 7/25/17 @evan2645 @dougbarth Mature Zero Trust Zero Trust: Building Systems

    in Untrusted Networks Trust Engine User Data Device Data

  63. 7/25/17 @evan2645 @dougbarth Mature Zero Trust Zero Trust: Building Systems

    in Untrusted Networks Trust Engine User Data sFlow Device Data

  64. 7/25/17 @evan2645 @dougbarth Mature Zero Trust Zero Trust: Building Systems

    in Untrusted Networks Trust Engine User Data sFlow Accounting Device Data

  65. @evan2645 @dougbarth UX is Important

  66. @evan2645 @dougbarth Earth is Calling…

  67. @evan2645 @dougbarth Current State

  68. @evan2645 @dougbarth

  69. @evan2645 @dougbarth

  70. @evan2645 @dougbarth

  71. 7/25/17 @evan2645 @dougbarth Just The Facts Industry Moving Towards Deep

    Authn/Authz Industry Converging on Zero Trust Model More Secure, More Operable Keep an Eye Out! Zero Trust: Building Systems in Untrusted Networks

  72. Evan Gilman, Doug Barth @evan2645 @dougbarth Zero Trust Networks