Federal Zero Trust Summit 2020

Dug Song
February 01, 2020

Keynote for our Federal Zero Trust Summit in DC, February 2020 - opening for US CIO Suzette Kent :-)

Transcript

  2. How Zero Trust Makes the Mission Simpler & Secure
    Dug Song, Duo Security

  3. © 2020 Cisco and/or its affiliates. All rights reserved.
    2010
    A Decade of Data Breaches

  4. CONFIDENTIAL INFORMATION PROPERTY OF DUO SECURITY, INC.
    2010

  5. RSA Breach & Impact
    2011

  6. 2014
    If an adversary has the credentials of a user on the network, then they can access data even if it's encrypted, just as the users on the network have to access data, and that did occur in this case. So encryption in this instance would not have protected this data.

  7. 2015
    In the next 30 days we know there is a set of things we can do that will fairly dramatically improve our security profile... like two-factor authentication, patching, minimizing the number of system administrators that you have and so on.
    Tony Scott’s 30-day Cyber Sprint

  8. Google on Nation’s Cybersecurity Priorities
    ✓ Strong Authentication
    ✓ Up-to-Date Devices
    ✓ End-to-End Encryption

  9. ✓ Strong Authentication
    ✓ Up-to-Date Devices
    ✘ Encryption?
    THANKS OBAMA
    2016

  13. People Technology
    Security

  17. 2013

  18. 2016

  19. BeyondCorp (2014):
    - Connecting from a particular network must not determine which services you can access
    - Access to services is granted based on what we know about you and your device
    - All access to services must be authenticated, authorized, and encrypted

    800-207: Zero Trust Architecture (2019):
    - All communication is secure regardless of network location
    - Access to resources is determined by policy, including the observable state of user identity and the requesting system, and may include other behavioral attributes
    - All data sources and computing services are considered resources
    - Access to individual enterprise resources is granted on a per-connection basis
    - User authentication is dynamic and strictly enforced before access is allowed
    - The enterprise ensures all owned and associated systems are in the most secure state possible and monitors systems to ensure that they remain in the most secure state possible

    Zero Trust Architecture (2019):
    - Don’t trust the network, including the local network
    - Create a single strong user identity
    - Create a strong device identity
    - Know the health of your devices and services
    - Set policies according to value of the service or data
    - Know your architecture including users, devices, and services
    - Control access to your services and data
    - Choose services designed for zero trust
    - Authenticate everywhere
    - Focus your monitoring on devices and services

  20. Securing the enterprise
    Workforce: User and device access
    Workload: Application and workload access
    Workplace: Network access
    SaaS & Public cloud
    Access happens everywhere – how do you get visibility and ensure secure, trusted access?

  21. Zero Trust for the Workforce
    User and device access

    | What to do | How to do it |
    |---|---|
    | Verify users’ identities | Multifactor Authentication |
    | Enforce access policies for every app | Adaptive & role-based access control |
    | Gain device visibility and establish trust | Endpoint health & security posture |

  22. Zero Trust for the Workload
    Application and workload access

    | What to do | How to do it |
    |---|---|
    | Gain visibility into what’s running and what’s critical | Identify workload dependencies |
    | Contain breaches and minimize lateral movement | Application segmentation |
    | Alert or block communication if policy is violated | Continuous monitoring & response |

  23. Zero Trust for the Workplace
    Network access

    | What to do | How to do it |
    |---|---|
    | Discover and classify users, devices and apps on your network | Network authentication, profiling authorization |
    | Grant the right level of network access based on user and device context | Network segmentation |
    | Contain infected endpoints and restrict network access | Continuous monitoring and responding to threats |

  24. Workforce: Duo
    Workload: Tetration
    Workplace: SD-Access
    Security ensured today and for the future with Zero Trust

  25. Cisco is a leader in Zero Trust
    The Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019
    Tools And Technology: The Zero Trust Security Playbook
    October 29, 2019
    The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks of Forrester Research, Inc. The Forrester Wave is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

  27. Compliance as a by-product of Zero Trust

    | Compliance | Details | Where Duo Can Help |
    |---|---|---|
    | CJIS | Criminal Justice Information Services v5.6 | Section: 5.5.2.3, 5.5.6.1, 5.5.6.2, 5.6.2.1, 5.6.2.1.3, 5.6.2.2, 5.6.3.2, 5.10.4.1, 5.10.4.4, 5.13.7.1, 5.13.7.2 |
    | FFIEC | Federal Financial Institutions Examination Council, Version Sept 2016 | Title: II.C.5, II.C., II.C.7(a), II.C.7(e), II.C.10(d), II.C.13(e), II.C.15(b), II.C.15(c), II.C.15(d), II.D, III.C |
    | GBLA | Gramm-Leach-Bliley Act, FIL-22-2001 | Title: V Subtitle A Section 501(3) |
    | GDPR | EU General Data Protection Regulation, Regulation (EU) 2016/679 | Article 5 Section 1(f), 2; Article 24 Section 1; Article 32 Section 1(b), 2 |
    | HIPAA | Health Insurance Portability and Accountability Act, CFR 45 revised Oct 1, 2007 | Standard: 164.308(a)(1), 164.308(a)(4), 164.312(d) |
    | NIST 800-53 | National Institute of Standards and Technology 800-53 r4 | Control: IA-2, IA-3, IA-5, IA-6, SC-7, SC-11 |
    | NIST 800-171 | National Institute of Standards and Technology 800-171, June 2015, includes updates as of 01-14-2016 | Control: 3.1.1, 3.1.1, 3.1.3, 3.1.7, 3.1.11, 3.1.12, 3.1.14, 3.1.15, 3.1.18, 3.1.20, 3.3.1, 3.3.2, 3.3.8, 3.4.1, 3.4.2, 3.5.2, 3.5.3, 3.7.5 |
    | NERC | North American Electric Reliability Corporation v5 Critical Infrastructure Protection Reliability Stds | CIP-005 Table R2 Part 2.3; CIP-007-6 Table R5 5.1; CIP-010-2 Table R2 2.1 |
    | PCI DSS | Payment Card Industry Data Security Standard v3.2 | Requirements: 6.2, 7.1-7.2, 8.3.1, 8.3.2 |

  28. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
    Measuring the benefits

    | Category | Metric | Benefit code | Measurement |
    |---|---|---|---|
    | Strategic | User Trust (Survey) | C | Quarterly survey + trend |
    | Risk | Overall Risk level | E | Based upon organisation risk calculation; mitigation impact |
    | | Risk Register issue mitigation | E | Impact on specific items |
    | | Audit and compliance | E/D | Impact on specific items |
    | | Impact on application risk | E | Based upon application risk profile and assessment |
    | Management | FTE usage | A/B | Numeric |
    | | Implementation efficiency | A/B | Project Time and cost vs projected |
    | Operational | Coverage % | A | Numeric |
    | | Incident Reduction | E | Numeric |
    | | Inactive Accounts | D | Number of users that are no longer active employees |
    | | Inactive Devices | D | Number of devices that are no longer in inventory |
    | | Inventory Clarification | D | Device numeric - unknown devices |
    | | Device status: O/S | D | Percentage against status |
    | | Device status: Browser | D | Percentage against status |
    | | Phishing response levels | E | Report back from phishing tool - trended |
    | | Application coverage | A/B | Percentage vs all applications |

    A. Ease of Implementation
    B. Ease of Use
    C. Ease of Integration
    D. Enhanced Visibility
    E. Risk Reduction
    F. Organisational Security Culture