
Zero Trust Networks: In Theory and In Practice

Presented at BSides Las Vegas 2017: http://sched.co/BNEw

The world is changing, but our network security models are having trouble keeping up. In a time where remote work is regular and cloud mobility is paramount, the perimeter security model is showing its age, and badly.

We deal with VPN tunnel overhead and management. We spend millions on fault-tolerant perimeter firewalls. We carefully manage all entry and exit points on the network, yet still we see ever-worsening breaches year over year. The Zero Trust model aims to solve these problems.

Zero Trust networks are built with security at the forefront. No packet is trusted without cryptographic signatures. Policy is constructed using software and user identity rather than IP addresses. Physical location and network topology no longer matter. The Zero Trust model is very different, indeed.

In this talk, we'll discuss the philosophy and origin of the Zero Trust model, what it brings to the table, and how to think about building one.
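The abstract's two central claims, that no flow is trusted without a cryptographic credential and that policy is written in terms of software and user identity rather than IP addresses, are easiest to see in code. The block below is an added example written for this page, not code from the talk or from PagerDuty: a server-side enforcement point that authenticates each flow under a per-device key and then authorizes it against a service-to-service policy, consulting the source IP for nothing. The device inventory, the policy, the keys and the sample flows are all constructed, and the HMAC stands in for the mutual TLS a real deployment would use.

```python
"""Added example: flow authorization by workload identity, not source IP.
Illustrative code, not PagerDuty's or Google's. Inventory, policy, keys and
flows are constructed; HMAC under a per-device key models the mutual-TLS
credential a provisioner would issue at bootstrap."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed device inventory (control plane). The per-device secret models a
# credential the provisioner handed out when the host was bootstrapped.
DEVICE_INVENTORY = {
    "web-01": {"service": "web", "key": b"k-web-01-constructed"},
    "api-07": {"service": "api", "key": b"k-api-07-constructed"},
    "db-03":  {"service": "db",  "key": b"k-db-03-constructed"},
}

# Policy is expressed as (source service, destination service, port).
# There is no CIDR anywhere in it.
FLOW_POLICY = {
    ("web", "api", 8443),
    ("api", "db", 5432),
}


@dataclass
class Flow:
    src_ip: str            # carried for logging only; never used in a decision
    device_id: str         # identity asserted by the sender
    dst_service: str
    dst_port: int
    payload: bytes
    mac: Optional[str]     # hex HMAC over the flow, or None if unauthenticated


def _canonical(device_id: str, dst_service: str, dst_port: int, payload: bytes) -> bytes:
    # Fixed serialization so sender and verifier MAC exactly the same bytes.
    return json.dumps([device_id, dst_service, dst_port, payload.hex()]).encode()


def sign(device_id: str, dst_service: str, dst_port: int, payload: bytes, key: bytes) -> str:
    """Sender side: authenticate the flow under the device's key."""
    return hmac.new(key, _canonical(device_id, dst_service, dst_port, payload),
                    hashlib.sha256).hexdigest()


def authorize(flow: Flow) -> Tuple[bool, str]:
    """Server-agent side: authenticate, then authorize. IP plays no role."""
    device = DEVICE_INVENTORY.get(flow.device_id)
    if device is None:
        return False, "unknown device identity"
    if flow.mac is None:
        return False, "unauthenticated flow"
    expected = sign(flow.device_id, flow.dst_service, flow.dst_port, flow.payload, device["key"])
    if not hmac.compare_digest(expected, flow.mac):
        return False, "signature does not verify"
    edge = (device["service"], flow.dst_service, flow.dst_port)
    if edge not in FLOW_POLICY:
        return False, "policy denies %s -> %s:%d" % edge
    return True, "allowed: %s -> %s:%d" % edge


def evaluate_examples() -> dict:
    """Constructed flows exercising the four outcomes."""
    key_web = DEVICE_INVENTORY["web-01"]["key"]
    flows = {
        # On the "private" 10/8 network but carrying no credential: dropped.
        "private_ip_no_auth": Flow("10.0.0.5", "web-01", "api", 8443, b"GET /", None),
        # From a public address, properly signed by an inventoried web host: allowed.
        "public_ip_signed": Flow("203.0.113.9", "web-01", "api", 8443, b"GET /",
                                 sign("web-01", "api", 8443, b"GET /", key_web)),
        # Valid identity and signature, but web may not reach db: denied by policy.
        "signed_but_unauthorized": Flow("203.0.113.9", "web-01", "db", 5432, b"SELECT 1",
                                        sign("web-01", "db", 5432, b"SELECT 1", key_web)),
        # Claims to be api-07 but was signed with web-01's key: signature fails.
        "forged_identity": Flow("10.0.0.5", "api-07", "db", 5432, b"SELECT 1",
                                sign("api-07", "db", 5432, b"SELECT 1", key_web)),
    }
    return {name: authorize(f) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (ok, why) in evaluate_examples().items():
        print(f"{name:26s} {'ALLOW' if ok else 'DENY ':5s} {why}")
```

The order of checks is the point: identity lookup, then authentication, then authorization, and a failure at any step is a drop regardless of where the packet came from. A static HMAC like this one is replayable; the real transport would be mutual TLS, where the per-session keys give replay protection for free.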

Doug Barth

July 25, 2017

Transcript

  1. 7/25/17 @evan2645 @dougbarth. Zero Trust: Building Systems in Untrusted Networks (title slide; diagram: DC-A, DC-B, DC-C, each with C* nodes)
  2. Emergent Properties: All Flows Authenticated and Encrypted; All Flows Asserted as Authorized; No Inherent Value in IP Address
  3. Emergent Properties: No Centralized Firewalls; No Network Gateways; No Private Network
  4. Control Plane: Services, User Inventory, Device Inventory. Data Plane: Servers, Phones, Laptops
  5. Control Plane: Services, User Inventory, Device Inventory, Config Mgmt. Data Plane: Servers, Phones, Laptops
  6. Control Plane: Services, User Inventory, Device Inventory, Config Mgmt, Authentication Services. Data Plane: Servers, Phones, Laptops
  7. PagerDuty: Chef Cookbook for Initial Implementation; Maturation brought Specialization
  8. PagerDuty: Chef Cookbook for Initial Implementation; Maturation brought Specialization; Topology-Manager
  9. Topology-Manager: Control Plane / Data Plane. Data plane hosts each run a Server Agent beside a Contained Workload; the agent is the Enforcement point
  10. Topology-Manager: Data Plane / Control Plane: Provisioner, Authorized User
  11. Topology-Manager: Data Plane / Control Plane: Provisioner, Device Inventory, Authorized User
  12. Topology-Manager: Data Plane / Control Plane: Provisioner, Device Inventory, User Inventory, Authorized User
  13. Topology-Manager (build step; same content as slide 12)
  14. Topology-Manager: Data Plane / Control Plane: Provisioner, Device Inventory, User Inventory, Config Mgmt, Authorized User
  15. Topology-Manager: No Trust In Network; Compute Can Be Bootstrapped Anywhere
  16. Topology-Manager: No Trust In Network; Compute Can Be Bootstrapped Anywhere; All Flows Get Strong AuthN/AuthZ
  17. Google: Large Network, Large Perimeter; Many Remote Employees
  18. Google: Large Network, Large Perimeter; Many Remote Employees; Perimeter + Remote Access Untenable
  19. Google: Large Network, Large Perimeter; Many Remote Employees; Perimeter + Remote Access Untenable; BeyondCorp
  20. BeyondCorp: Control Plane / Data Plane: Access Proxy, Corp. Client
  21. BeyondCorp: Control Plane / Data Plane: Access Proxy, Corp. Client; the Access Proxy is the Enforcement point
  22. BeyondCorp: Control Plane / Data Plane: Access Proxy (Enforcement), Corp. Client, Backend, Backend, Backend
  23. BeyondCorp: Data Plane / Control Plane: SSO, User Inventory
  24. BeyondCorp: Data Plane / Control Plane: SSO, Device Inventory, User Inventory
  25. BeyondCorp: Data Plane / Control Plane: Access Control Engine, SSO, Device Inventory, User Inventory
  26. BeyondCorp: No Trust In Network; Users Safely Roam Free
  27. BeyondCorp: No Trust In Network; Users Safely Roam Free; All Requests Get Strong AuthN/AuthZ
  28. BeyondCorp (build step; same content as slide 27)
  29. BeyondCorp: Data Plane / Control Plane: Access Control Engine, SSO, Device Inventory, User Inventory, Trust Engine
  30. BeyondCorp: Control Plane / Data Plane: Access Proxy, Corp. Client, Backend, Backend, Backend; a Score is attached to each request
  31. Mature Zero Trust: Trust Engine fed by User Data, Device Data
  32. Mature Zero Trust: Trust Engine fed by User Data, Device Data, sFlow
  33. Mature Zero Trust: Trust Engine fed by User Data, Device Data, sFlow, Accounting
  34. Just The Facts: Industry Moving Towards Deep Authn/Authz; Industry Converging on Zero Trust Model; More Secure, More Operable; Keep an Eye Out!
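Slides 20 through 33 describe the BeyondCorp-style pipeline: an access proxy in front of backends, an access control engine that consults SSO plus the user and device inventories, and, in the mature form, a trust engine that turns user data, device data and flow accounting (sFlow) into a per-request score. The block below is an added example written for this page, not Google's or PagerDuty's code, showing that pipeline end to end: every inventory record, scoring weight, threshold and traffic signal is constructed, and the `egress_ratio` argument is an assumed stand-in for whatever an sFlow/accounting pipeline would actually emit.

```python
"""Added example: BeyondCorp-style access proxy backed by a trust engine and an
access control engine. Illustrative code, not Google's. Inventories, weights,
thresholds and the egress_ratio signal are constructed for this example."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class User:
    username: str
    groups: Set[str]
    mfa_used: bool          # from SSO for this session


@dataclass(frozen=True)
class Device:
    device_id: str
    has_device_cert: bool   # issued at enrollment, presented on the TLS connection
    managed: bool
    disk_encrypted: bool
    days_since_patch: int


# Constructed user and device inventories (control plane data).
USER_INVENTORY: Dict[str, User] = {
    "alice": User("alice", {"employees", "eng"}, mfa_used=True),
    "bob":   User("bob",   {"employees", "finance"}, mfa_used=True),
}
DEVICE_INVENTORY: Dict[str, Device] = {
    "lap-100": Device("lap-100", True, True, True, 5),
    "lap-200": Device("lap-200", True, True, True, 10),
    "byod-1":  Device("byod-1",  False, False, False, 2),
}

# Backend requirements: a minimum trust score and a group, never a source network.
BACKEND_POLICY = {
    "wiki":    {"min_score": 40, "group": "employees"},
    "payroll": {"min_score": 85, "group": "finance"},
}


def trust_score(user: User, device: Device, egress_ratio: float) -> int:
    """Trust engine: combine user data, device data and an accounting signal.
    egress_ratio is the device's outbound volume relative to its own baseline,
    the kind of number an sFlow/accounting pipeline produces (constructed here)."""
    score = 0
    score += 30 if device.has_device_cert else 0
    score += 20 if device.managed else 0
    score += 15 if device.disk_encrypted else 0
    score += 15 if device.days_since_patch <= 30 else 0
    score += 20 if user.mfa_used else 0
    if egress_ratio > 5.0:        # device is moving far more data than usual
        score -= 40
    return max(0, min(100, score))


def access_proxy(src_ip: str, username: str, device_id: str, backend: str,
                 egress_ratio: float = 1.0) -> Tuple[bool, int, str]:
    """Access control engine behind the proxy. src_ip is accepted only so the
    caller can see that it is never consulted."""
    user = USER_INVENTORY.get(username)
    device = DEVICE_INVENTORY.get(device_id)
    policy = BACKEND_POLICY.get(backend)
    if user is None or device is None:
        return False, 0, "unknown user or device"
    if policy is None:
        return False, 0, "unknown backend"
    score = trust_score(user, device, egress_ratio)
    if policy["group"] not in user.groups:
        return False, score, "user not in group %s" % policy["group"]
    if score < policy["min_score"]:
        return False, score, "trust %d below required %d" % (score, policy["min_score"])
    return True, score, "allowed"


def evaluate_examples() -> Dict[str, Tuple[bool, int, str]]:
    """Constructed requests; the office address 10.1.1.5 and the cafe address
    198.51.100.7 are interchangeable by design."""
    return {
        "alice_wiki_office":   access_proxy("10.1.1.5",     "alice", "lap-100", "wiki"),
        "alice_wiki_cafe":     access_proxy("198.51.100.7", "alice", "lap-100", "wiki"),
        # Healthy device and MFA, but alice is not in finance.
        "alice_payroll":       access_proxy("10.1.1.5",     "alice", "lap-100", "payroll"),
        "bob_payroll":         access_proxy("198.51.100.7", "bob",   "lap-200", "payroll"),
        # Same bob, same laptop, but it is pushing data at 9.5x its baseline.
        "bob_payroll_anomaly": access_proxy("10.1.1.5",     "bob",   "lap-200", "payroll", 9.5),
        # bob on an unmanaged personal device, even from inside the office.
        "bob_wiki_byod":       access_proxy("10.1.1.5",     "bob",   "byod-1",  "wiki"),
    }


if __name__ == "__main__":
    for name, (ok, score, why) in evaluate_examples().items():
        print(f"{name:20s} score={score:3d} {'ALLOW' if ok else 'DENY '} {why}")
```

Two things to take from the run: the office and cafe requests produce byte-identical decisions, and the anomaly case shows why slides 32 and 33 add sFlow and accounting to the trust engine, since a user and device that were fine a minute ago can lose access the moment their traffic stops looking like them.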