Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Federal Zero Trust Summit 2020

Dug Song
February 01, 2020

Federal Zero Trust Summit 2020

Keynote for our Federal Zero Trust Summit in DC, February 2020 - opening for US CIO Suzette Kent :-)

Dug Song

February 01, 2020
Tweet

More Decks by Dug Song

Other Decks in Technology

Transcript

  1. How Zero Trust
    Makes the Mission
    Simpler & Secure
    Dug Song, Duo Security

    View full-size slide

  2. © 2020 Cisco and/or its affiliates. All rights reserved.
    2010
    A Decade of Data Breaches

    View full-size slide

  3. CONFIDENTIAL INFORMATION PROPERTY OF DUO SECURITY, INC.
    2010

    View full-size slide

  4. © 2020 Cisco and/or its affiliates. All rights reserved.
    RSA Breach & Impact
    2011

    View full-size slide

  5. © 2020 Cisco and/or its affiliates. All rights reserved.
    2014
    If an adversary has the credentials of
    a user on the network, then they can
    access data even if it's encrypted, just
    as the users on the network have to
    access data, and that did occur in this
    case.
    So encryption in this instance would
    not have protected this data.

    View full-size slide

  6. © 2020 Cisco and/or its affiliates. All rights reserved.
    2015
    In the next 30 days we know there
    is a set of things we can do that
    will fairly dramatically improve our
    security profile... like two-factor
    authentication, patching,
    minimizing the number of
    system administrators that you
    have and so on.
    Tony Scott’s 30-day Cyber Sprint

    View full-size slide

  7. © 2020 Cisco and/or its affiliates. All rights reserved.
    Google on Nation’s Cybersecurity Priorities
    ✓ Strong Authentication
    ✓ Up-to-Date Devices
    ✓ End-to-End Encryption

    View full-size slide

  8. © 2020 Cisco and/or its affiliates. All rights reserved.
    ✓ Strong Authentication
    ✓ Up-to-Date Devices
    ✘ Encryption?
    THANKS OBAMA
    2016

    View full-size slide

  9. © 2020 Cisco and/or its affiliates. All rights reserved.
    People Technology
    Security

    View full-size slide

  10. © 2020 Cisco and/or its affiliates. All rights reserved.

    View full-size slide

  11. © 2020 Cisco and/or its affiliates. All rights reserved.

    View full-size slide

  12. © 2020 Cisco and/or its affiliates. All rights reserved.
    2013

    View full-size slide

  13. © 2020 Cisco and/or its affiliates. All rights reserved.
    2016

    View full-size slide

  14. © 2020 Cisco and/or its affiliates. All rights reserved.
    BeyondCorp (2014) 800-207: Zero Trust Architecture (2019) Zero Trust Architecture (2019)
    Connecting from a
    particular network must
    not determine which
    services you can access
    All communication is secure regardless of network location Don’t trust the network, including the local network
    Access to services is
    granted based on what we
    know about you and your
    device
    Access to resources is determined by policy, including the
    observable state of user identity and the requesting system, and
    may include other behavioral attributes
    Create a single strong user identity
    Create a strong device identity
    Know the health of your devices and services
    Set policies according to value of the service or data
    All access to services
    must be authenticated,
    authorized, and encrypted
    All data sources and computing services are considered
    resources
    Know your architecture including users, devices, and
    services
    Access to individual enterprise resources is granted on a
    per-connection basis
    Control access to your services and data
    Choose services designed for zero trust
    User authentication is dynamic and strictly enforced before
    access is allowed
    Authenticate everywhere
    The enterprise ensures all owned and associated systems are in
    the most secure state possible and monitors systems to ensure
    that they remain in the most secure state possible
    Focus your monitoring on devices and services

    View full-size slide

  15. © 2020 Cisco and/or its affiliates. All rights reserved.
    Securing the enterprise
    User and device access Application and workload access Network access
    Workforce Workload Workplace
    SaaS &
    Public cloud
    Access happens everywhere – how do you get visibility
    and ensure secure, trusted access?

    View full-size slide

  16. © 2020 Cisco and/or its affiliates. All rights reserved.
    User and device access
    Zero Trust for the Workforce
    What to do: How to do it:
    Verify users’ identities Multifactor Authentication
    Enforce access policies
    for every app
    Adaptive & role-based access control
    Gain device visibility
    and establish trust
    Endpoint health & security posture

    View full-size slide

  17. © 2020 Cisco and/or its affiliates. All rights reserved.
    Application and workload access
    Zero Trust for the Workload
    What to do: How to do it:
    Gain visibility into what’s
    running and what’s critical
    Identify workload dependencies
    Contain breaches and
    minimize lateral movement Application segmentation
    Alert or block communication
    if policy is violated
    Continuous monitoring & response

    View full-size slide

  18. © 2020 Cisco and/or its affiliates. All rights reserved.
    Zero Trust for the Workplace Network access
    What to do: How to do it:
    Discover and classify users, devices
    and apps on your network
    Network authentication,
    profiling authorization
    Grant the right level of network
    access based on user and
    device context
    Network segmentation
    Contain infected endpoints and
    restrict network access
    Continuous monitoring
    and responding to threats

    View full-size slide

  19. © 2020 Cisco and/or its affiliates. All rights reserved.
    Workforce
    Duo
    Workload
    Tetration
    Workplace
    SD-Access
    Security
    ensured
    today and for
    the future with
    Zero Trust

    View full-size slide

  20. © 2020 Cisco and/or its affiliates. All rights reserved.
    Cisco is
    a leader
    in Zero Trust
    The Forrester Wave™: Zero Trust eXtended Ecosystem
    Platform Providers, Q4 2019
    Tools And Technology: The Zero Trust Security Playbook
    October 29, 2019
    The Forrester Wave™ is copyrighted by Forrester Research, Inc.
    Forrester and Forrester Wave are trademarks of Forrester Research, Inc.
    The Forrester Wave is a graphical representation of Forrester's call on a
    market and is plotted using a detailed spreadsheet with exposed scores,
    weightings, and comments. Forrester does not endorse any vendor,
    product, or service depicted in the Forrester Wave. Information is based
    on best available resources. Opinions reflect judgment at the time and are
    subject to change.

    View full-size slide

  21. © 2020 Cisco and/or its affiliates. All rights reserved.
    Compliance as a by-product of Zero Trust
    Compliance CJIS FFIEC GBLA GDPR HIPAA
    NIST
    800-53
    NIST
    800-171
    NERC PCI DSS
    Details Criminal
    Justice
    Information
    Services
    v5.6
    Federal
    Financial
    Institutions
    Examination
    Council
    Version Sept
    2016
    Gramm-Leach
    -Bliley Act
    FIL-22-2001
    EU General
    Data Protection
    Regulation
    Regulation (EU)
    2016/679
    Health
    Insurance
    Portability and
    Accountability
    Act
    CFR 45
    revised Oct 1,
    2007
    National
    Institute of
    Standards and
    Technology
    800-53 r4
    National
    Institute of
    Standards and
    Technology
    800-171
    June 2015
    includes
    updates as of
    01-14-2016
    North American
    Electric
    Reliability
    Corporation
    v5 Critical
    Infrastructure
    Protection
    Reliability Stds
    Payment Card
    Industry Data
    Security
    Standard
    v3.2
    Where Duo
    Can Help
    Section:
    5.5.2.3
    5.5.6.1
    5.5.6.2
    5.6.2.1
    5.6.2.1.3
    5.6.2.2
    5.6.3.2
    5.10.4.1
    5.10.4.4
    5.13.7.1
    5.13.7.2
    Title:
    II.C.5
    II.C.
    II.C.7(a)
    II.C.7(e)
    II.C.10(d)
    II.C.13(e)
    II.C.15(b)
    II.C.15(c)
    II.C.15(d)
    II.D
    III.C
    Title:
    V Subtitle A
    Section 501(3)
    Article 5 Section
    1(f), 2
    Article 24
    Section 1
    Article 32
    Section 1(b), 2
    Standard:
    164.308(a)(1)
    164.308.(a)(4)1
    64.312(d)
    Control:
    IA-2
    IA-3
    IA-5
    IA-6
    SC-7
    SC-11
    Control:
    3.1.1, 3.1.1,
    3.1.3, 3.1.7,
    3.1.11, 3.1.12,
    3.1.14, 3.1.15,
    3.1.18, 3.1.20,
    3.3.1, 3.3.2,
    3.3.8, 3.4.1,
    3.4.2, 3.5.2,
    3.5.3, 3.7.5
    CIP-005
    Table R2 Part
    2.3
    CIP-007-6
    Table R5 5.1
    CIP-010-2
    Table R2 2.1
    Requirements:
    6.2
    7.1-7.2
    8.3.1
    8.3.2

    View full-size slide

  22. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
    28 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
    28
    Measuring the
    benefits
    Strategic User Trust (Survey) C Quarterly survey + trend
    Risk Overall Risk level E Based upon organisation risk calculation;
    mitigation impact
    Risk Register issue
    mitigation
    E Impact on specific items
    Audit and compliance E/D Impact on specific items
    Impact on application risk E Based upon application risk profile and
    assessment
    Management FTE usage A/B Numeric
    Implementation efficiencyA/B Project Time and cost vs projected
    Operational Coverage % A Numeric
    Incident Reduction E Numeric
    Inactive Accounts D Number of users that are not longer
    active employees
    Inactive Devices D Number of devices that are no longer in
    inventory
    Inventory Clarification D Device numeric - unknown devices
    Device status
    - O/S D Percentage against status
    - Browser D Percentage against status
    Phishing response levels E Report back from phishing tool - trended
    Application coverage A/B Percentage vs all applications
    A. Ease of Implementation
    B. Ease of Use
    C. Ease of Integration
    D. Enhanced Visibility
    E. Risk Reduction
    F. Organisational Security Culture

    View full-size slide