Security in an Age of Zero Trust (2014)

Dug Song
October 01, 2014

Jono's keynote for Internet2's Tech Exchange, October 2014.


Transcript

  1. Security in an
    Age of Zero Trust
    Jon Oberheide
    CTO, Duo Security, Inc.

  2. Introduction
    ● Who?
    ○ Jon Oberheide
    ○ CTO, Duo Security
    ○ Reformed(?) hacker, self-loathing academic, person
    ● What?
    ○ Some nonsense^Winsight on security trends
    ○ This is a meta-deck, lots of links!

  3. Not-so-surprising trends
    ● Cloud
    ○ 2009: 3% implemented, 9% planning
    ○ 2013: 36% implemented, 46% planning
    ● Mobile
    ○ BYOD: > 286M workers
    ○ > 83% chose their own device

  4. Not-so-surprising trends
    http://www.slideshare.net/x509v3/scale-vp-wisegateinvestinginsecurityinnovationaug2014gartnercatalyst

  5. Changes in IT environments
    As users go mobile and services go to the cloud, a perimeter-less IT model means a loss of control.

  6. IT “evolution”? NO!

  7. What’s new in IT 3.0?
    ● Users
    ○ Access from anywhere, anyhow
    ○ “Zero Trust” environment
    ● Devices
    ○ Mobile proliferation
    ○ BYOD acceptance
    ● Services
    ○ Diminishing perimeter
    ○ IaaS, cloud apps, BYOSaaS

  8. What’s new in IT 3.0?
    ● Users
    ○ Access from anywhere, anyhow
    ○ “Zero Trust” environment
    ● Devices
    ○ Mobile proliferation
    ○ BYOD acceptance
    ● Services
    ○ Diminishing perimeter
    ○ IaaS, cloud apps, BYOSaaS
    HOORAY PRODUCTIVITY!

  9. What’s new in Sec 3.0?
    ● Emergence of mobile threats
    ● User-targeted attacks
    ● Phishing, credential theft, etc.
    ● Limited endpoint control
    ● Security by contract
    ● Loss of visibility and control
    ● Users
    ○ Access from anywhere, anyhow
    ○ “Zero Trust” environment
    ● Devices
    ○ Mobile proliferation
    ○ BYOD acceptance
    ● Services
    ○ Diminishing perimeter
    ○ IaaS, cloud apps, BYOSaaS

  10. Security challenges in IT 3.0
    A loss of control precludes the deployment of most traditional security controls in an IT 3.0 environment.
    Security must move up the stack, just as attackers have.

  11. Where are our current controls?
    ● AV/HIDS
    ● FW/IDS/IPS
    ● DLP
    ● WAF
    ● SIM/SEM
    ● DB/DAM
    ● Data protection
    (diagram: the controls above placed against the stack of Behavior, Users, Devices, Applications, Servers, Data)

  12. Case study: Salesforce on mobile
    How do you protect this environment?

  13. What are security vendors saying?

  14. Cisco?
    http://www.rsaconference.com/videos/126/the-new-model-of-security

  15. HP?
    http://www.rsaconference.com/events/us14/agenda/sessions/1344/stop-looking-for-the-silver-bullet-start-thinking

  16. Qualys?
    http://www.rsaconference.com/videos/127/the-cloud-security-nightmare-or-our-next-great

  17. Symantec?
    http://www.rsaconference.com/videos/125/the-future-of-security

  18. Symantec oops

  19. At a high level
    ● Market speak
    ● Nexus of forces
    ● Product positioning
    ● Vendors at 50k ft altitude

  20. But I’m afraid of APT!?!

  21. APT?

  22. APT?
    Actually Pretty Tame

  23. APT?
    Average Phishing Technique

  24. Not so advanced
    ● Phishing against HVAC supplier
    ● HVAC -> Target corporate network
    ● Default credentials on internal systems
    ● POS malware written by Russian teenager
    ● Exfiltration over _FTP_

  25. Who’s to blame?
    Target, orrrr...the industry?

  26. Who’s to blame?
    Target, orrrr...the industry?

  27. Who’s to blame?
    Target, orrrr...the industry?

  28. Who’s to blame?
    Target, orrrr...the industry?

  29. Alarming results
    ● Simple attacks succeed at an alarming rate
    ● Attackers are going after users and their access
    ● Lack of focus on security fundamentals
    http://blogs.forrester.com/rick_holland/14-05-20-introducing_forresters_targeted_attack_hierarchy_of_needs

  30. What are progressive companies doing?

  31. Google - Beyond Corp
    https://www.usenix.org/conference/lisa13/enterprise-architecture-beyond-perimeter

  32. Google - Beyond Corp
    https://www.usenix.org/conference/lisa13/enterprise-architecture-beyond-perimeter

  33. Netflix - 100% cloud
    http://www.slideshare.net/mdkail/it-ops-2014-technology-roadmap
    http://www.amplifypartners.com/interviews/netflix-vp-of-it-on-the-future-of-infrastructure/

  34. Netflix - 100% cloud
    http://www.slideshare.net/mdkail/it-ops-2014-technology-roadmap
    http://www.amplifypartners.com/interviews/netflix-vp-of-it-on-the-future-of-infrastructure/

  35. ● $50B+ financial provider
    ● Tearing out their SSL VPN
    ○ An “enterprise network” is now an abstract idea
    ● Tearing out their MDM
    ○ Not culturally-compatible with consumerized IT
    ● Define lightweight, consistent access security policies across devices and services

  36. Progressive companies
    ● These companies see the writing on the wall and are getting ahead of the curve
    ● Similarities
    ○ Embracing cloud and mobile
    ○ Assuming a zero trust environment
    ○ Anchoring on user and device authentication
    ○ Protecting user access
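
    The similarities listed here (assume zero trust, anchor on user and device authentication, protect user access) describe an access model rather than a product. The Python below is an added illustration, not code from the deck or from Duo, of the per-request decision that model implies: every request is judged on who the user is and how healthy the device is, and the source network earns nothing. The service policy table, the posture checks and the 12-hour MFA window are assumptions made for the example, as are the sample users and devices.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class User:
    name: str
    groups: List[str]
    mfa_verified_at: Optional[datetime]  # last successful second factor, if any


@dataclass
class Device:
    device_id: str
    enrolled: bool        # known to the org's inventory (no MDM agent assumed)
    os_patched: bool
    disk_encrypted: bool
    screen_lock: bool


@dataclass
class AccessRequest:
    user: User
    device: Device
    service: str
    source_network: str   # "corp" or "internet"; recorded but never trusted
    now: datetime


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


# Hypothetical per-service policy: which groups may use the service and
# whether the device must pass posture checks. Constructed for this example.
SERVICE_POLICY: Dict[str, dict] = {
    "salesforce": {"groups": {"sales", "it"}, "require_posture": True},
    "payroll":    {"groups": {"finance"},     "require_posture": True},
    "wiki":       {"groups": set(),           "require_posture": False},
}

MFA_MAX_AGE = timedelta(hours=12)  # assumed re-authentication window


def device_problems(d: Device) -> List[str]:
    """Posture findings that block access to posture-gated services."""
    problems = []
    if not d.enrolled:
        problems.append("device not enrolled")
    if not d.os_patched:
        problems.append("OS out of date")
    if not d.disk_encrypted:
        problems.append("disk not encrypted")
    if not d.screen_lock:
        problems.append("no screen lock")
    return problems


def evaluate(req: AccessRequest) -> Decision:
    """Decide one request from user and device evidence only."""
    policy = SERVICE_POLICY.get(req.service)
    if policy is None:
        return Decision(False, ["unknown service"])
    reasons: List[str] = []
    # 1. Strong user authentication, re-checked on every request.
    mfa = req.user.mfa_verified_at
    if mfa is None or req.now - mfa > MFA_MAX_AGE:
        reasons.append("MFA missing or stale")
    # 2. Authorization by group membership, not by network location.
    if policy["groups"] and not policy["groups"] & set(req.user.groups):
        reasons.append("user not in an authorized group")
    # 3. Device health for services that demand it.
    if policy["require_posture"]:
        reasons.extend(device_problems(req.device))
    # req.source_network is intentionally unused: being "on corp" earns no trust.
    return Decision(allow=not reasons, reasons=reasons)


# Constructed sample scenarios (fixed clock so results are deterministic).
NOW = datetime(2014, 10, 1, 12, 0, tzinfo=timezone.utc)
FRESH = NOW - timedelta(hours=1)
SAMPLE_REQUESTS: Dict[str, AccessRequest] = {
    # Corp-network laptop in perfect shape, but the user never did MFA: denied.
    "corp_laptop_no_mfa": AccessRequest(
        User("alice", ["sales"], None), Device("lt-1", True, True, True, True),
        "salesforce", "corp", NOW),
    # Enrolled phone on the open internet with fresh MFA: allowed.
    "phone_from_internet": AccessRequest(
        User("bob", ["sales"], FRESH), Device("ph-2", True, True, True, True),
        "salesforce", "internet", NOW),
    # Unenrolled, unencrypted BYOD device against a posture-gated service: denied.
    "byod_to_payroll": AccessRequest(
        User("carol", ["finance"], FRESH), Device("byod-3", False, True, False, True),
        "payroll", "internet", NOW),
    # Same device against a low-value service with no posture requirement: allowed.
    "byod_to_wiki": AccessRequest(
        User("carol", ["finance"], FRESH), Device("byod-3", False, True, False, True),
        "wiki", "internet", NOW),
}


def run_samples() -> Dict[str, Decision]:
    return {name: evaluate(r) for name, r in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, d in run_samples().items():
        print(f"{name:20} {'ALLOW' if d.allow else 'DENY ':5} {', '.join(d.reasons)}")
```

    The point of the first and second scenarios is the one the slide makes: the corp-network laptop is refused and the internet-connected phone is admitted, because the decision is driven by authentication and device state rather than by where the packet came from.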

  37. What should I do?
    I’m not Google, Netflix, or !

  38. Panic?
    Totally valid coping mechanism

  39. Rejection
    “That would never work for my org!”

  40. Blind acceptance
    “I’m burning down my datacenter tomorrow.”

  41. Recognize the changing role of IT
    ● Previously
    ○ User: “Can I …?”, IT: “No.”
    ● Then
    ○ CEO shows up with shiny new iPad
    ○ Employees spinning up SaaS applications left and right
    ● Now
    ○ IT: “How can I partner with my users so they'll actually ask?”
    ○ “Department of No -> Department of Secure Enablement”

  42. Keep an open mind
    ● Digest (breakfast and thoughts)
    ● Keep an open mind throughout the day
    ● Watch some of the linked content later
    ● Think a little further out, beyond the headlines
    ● Enjoy the event!

  43. Questions?
    Q & A
    Jon Oberheide
    @jonoberheide
    [email protected]
