DevNexus_Building_with__Zero_Trust_Architecture_Copy.pdf

Slide 1

Slide 1 text

Building with Zero Trust Architecture sendilkumarn @sendilkumarn

Slide 2

Slide 2 text

@sendilkumarn @sendilkumarn Rust Zig JavaScript Java Kotlin TypeScript Swift Go Haskell Functional vs Imperative Spaces vs Tabs JetBrains vs VSCode Gradle Vs Maven React Vue Svelte AlpineJS Webpack WebAssembly Istio Cloud Native Linkerd Microservices Kubernetes Full Stack Docker Spring JHipster Open Source Micronaut Kotlin Hipster Engineering Manager building Payments @Uber

Slide 3

Slide 3 text

81% organizations are moving towards hybrid workspace source @sendilkumarn

Slide 4

Slide 4 text

No more luxury of corporate networks @sendilkumarn

Slide 5

Slide 5 text

Increase the attack exposure @sendilkumarn

Slide 6

Slide 6 text

125% increase in cyber attacks @sendilkumarn source

Slide 7

Slide 7 text

Reduce Attack Surface Limit Lateral Move Contain Breach @sendilkumarn

Slide 8

Slide 8 text

Trust but verify @sendilkumarn

Slide 9

Slide 9 text

Verify but Never Trust @sendilkumarn Trust but verify

Slide 10

Slide 10 text

Zero Trust @sendilkumarn

Slide 11

Slide 11 text

In Zero Trust, we assume every action is breach. We continuously verify it @sendilkumarn

Slide 12

Slide 12 text

Continuous Veriﬁcation @sendilkumarn

Slide 13

Slide 13 text

@sendilkumarn Building blocks of Zero Trust Architecture

Slide 14

Slide 14 text

Data 10101010 @sendilkumarn

Slide 15

Slide 15 text

Data 10101010 @sendilkumarn @ rest at transit at use

Slide 16

Slide 16 text

Data 10101010 Protect your data at rest. @sendilkumarn

Slide 17

Slide 17 text

Data 3ab13… @sendilkumarn

Slide 18

Slide 18 text

● Encrypt the data ● Use vaults for key management ● Cycle secrets frequently Data 3ab13…

Slide 19

Slide 19 text

Data 10101010 Protect your data at transit. @sendilkumarn

Slide 20

Slide 20 text

Data 10101010 🔐 HTTPS / TLS Encryption @sendilkumarn

Slide 21

Slide 21 text

Data 10101010 Protect your data in use. @sendilkumarn

Slide 22

Slide 22 text

Secure Enclaves @sendilkumarn

Slide 23

Slide 23 text

Secure Enclaves ● Trusted Execution Environment ● To store highly sensitive data and with limited access ● Cryptographically attested data ● Isolated environment @sendilkumarn

Slide 24

Slide 24 text

Data contextttttttttt DATA Encryption Label @sendilkumarn

Slide 25

Slide 25 text

4M+ $ Average loss of business value due to a data breach source @sendilkumarn

Slide 26

Slide 26 text

Conﬁdential Data @sendilkumarn

Slide 27

Slide 27 text

Data @sendilkumarn

Slide 28

Slide 28 text

By default we should block access and allow access with veriﬁcation @sendilkumarn

Slide 29

Slide 29 text

Data @sendilkumarn User Role Access Admin View / Edit / …

Slide 30

Slide 30 text

Data @sendilkumarn User Role Access Admin View / Edit / … Role Based Access Control / RBAC

Slide 31

Slide 31 text

Data @sendilkumarn Role Based Access Control / RBAC Access the data Authenticated

Slide 32

Slide 32 text

Data @sendilkumarn Access the data Role Based Access Control / RBAC Policy Authenticated

Slide 33

Slide 33 text

Data @sendilkumarn Access the data Policy Authenticated

Slide 34

Slide 34 text

@sendilkumarn Data Policy Data Policy Data Policy Data Policy Data Policy Data Policy Data Policy Data Policy Data Policy

Slide 35

Slide 35 text

@sendilkumarn Data Data Data Data Data Data Data Policy Data Data

Slide 36

Slide 36 text

Policy ● Dynamic : easy to add & revoke ● Secure : no unauthorized access ● Changes should be logged ● Speciﬁc to the business policy ● Evaluated periodically @sendilkumarn

Slide 37

Slide 37 text

@sendilkumarn Policy Engine Policy authenticated Data Data Data Data

Slide 38

Slide 38 text

Policy Engine ● Validates rules based on the authentication & RBAC ● Decides whether to allow / block the access ● Brain of your zero trust architecture ● Single point for all the decisions ● Ensures policy enforcement @sendilkumarn

Slide 39

Slide 39 text

@sendilkumarn Zero Trust Policy authenticated Data Data Data Data

Slide 40

Slide 40 text

@sendilkumarn Zero Trust Policy authenticated Data Data Data Data Policy Controller

Slide 41

Slide 41 text

Policy Controller ● Based on the access the policy controller does the following ○ Governance ○ Compliance ○ Optimize ○ Assess ● CRUD operator for policies ● Dynamically enforce / revoke policies & accesses @sendilkumarn

Slide 42

Slide 42 text

@sendilkumarn Zero Trust Policy authenticated Data Data Data Data Policy Controller

Slide 43

Slide 43 text

@sendilkumarn Zero Trust Policy Identities Policy Controller authenticated Data Data Data Data

Slide 44

Slide 44 text

@sendilkumarn Data Zero Trust Policy Identities Policy Controller authenticated

Slide 45

Slide 45 text

Identities ● can be anyone that access your system ● Uses Password / MFA / SSO to authenticate ● Continuously verify the identities ● Log all the activities ● Do not assume any privileges @sendilkumarn

Slide 46

Slide 46 text

@sendilkumarn Data Zero Trust Policy Identities Computers / Servers Policy Manager authenticated Compliance devices Policy Controller

Slide 47

Slide 47 text

@sendilkumarn Data Zero Trust Policy Identities Endpoints Policy Manager authenticated Compliance devices Policy Controller

Slide 48

Slide 48 text

Endpoints ● Prevent vulnerable / rooted devices ● Data access via BYOD ● Log all the activities ● Enforce baseline activities @sendilkumarn

Slide 49

Slide 49 text

@sendilkumarn Data Zero Trust Policy Identities Endpoints Policy Controller authenticated Compliance devices Applications

Slide 50

Slide 50 text

@sendilkumarn Applications Zero Trust Policy Identities Endpoints Policy Manager authenticated Compliance devices Data Policy Controller

Slide 51

Slide 51 text

Applications ● Has policies too ● Provide in-app permissions & roles ● Gate access based on real time analytics ● Log all the activities @sendilkumarn

Slide 52

Slide 52 text

@sendilkumarn Applications Zero Trust Policy Identities Endpoints Policy Manager authenticated Compliance devices Data Infrastructure Policy Controller

Slide 53

Slide 53 text

Infrastructure ● Provide Just-In-Time access to harden defense ● Automatically block and ﬂag risky behavior ● Log all the activities ● Fix outdated VMs & audit external tools (eg., Kubernetes) @sendilkumarn

Slide 54

Slide 54 text

Infrastructure & Application - Deployments ● Attest the binary at the time of deployment ○ Verify the authenticity of the binary ○ Verify the sender of the binary Binary Authorization in GCP @sendilkumarn

Slide 55

Slide 55 text

@sendilkumarn Applications Zero Trust Policy Identities Endpoints Policy Manager authenticated Compliance devices Data Infrastructure NETWORK PRIVATE / PUBLIC Policy Controller

Slide 56

Slide 56 text

@sendilkumarn Applications Zero Trust Policy Identities Endpoints Policy Manager authenticated Compliance devices Data Infrastructure NETWORK PRIVATE / PUBLIC Policy Controller

Slide 57

Slide 57 text

Network ● Always encrypt data end-to-end ● Real time / Dynamic threat protection ● Log all the activities ● Make it harder for anyone to move laterally @sendilkumarn

Slide 58

Slide 58 text

@sendilkumarn Applications Zero Trust Policy Identities Endpoints Policy Manager authenticated Compliance devices Data Infrastructure NETWORK PRIVATE / PUBLIC Threat Protector Policy Controller

Slide 59

Slide 59 text

Threat protector ● Threat intelligence ● ML models to act ● Forensics ● Automate response ● Continuous assessment @sendilkumarn

Slide 60

Slide 60 text

@sendilkumarn Applications Zero Trust Policy Identities Endpoints Policy Manager authenticated Compliance devices Data Infrastructure NETWORK PRIVATE / PUBLIC Threat Protector Telemetry Telemetry Policy Controller

Slide 61

Slide 61 text

Slide 62

Slide 62 text

Control Plane Data Plane Infrastructure Data Application Network Private / Public Policy Identities Human / Non-Human Endpoints Corporate / Personal Zero Trust Architecture Components @sendilkumarn Telemetry Threat Protector

Slide 63

Slide 63 text

@sendilkumarn

Slide 64

Slide 64 text

@sendilkumarn Eﬀective Zero Trust Model

Slide 65

Slide 65 text

Deﬁne Context contextttttttttt DATA Encryption Label Access - Understand users / data - Label them - Create boundaries @sendilkumarn

Slide 66

Slide 66 text

Verify & Enforce Verify - Continously - Validate all access - Right access to right resource @sendilkumarn

Slide 67

Slide 67 text

Resolve Incidents - Revoke immediately - Create issue - Start compliance check @sendilkumarn

Slide 68

Slide 68 text

Analyze & Improve 🧐 - Evaluate policies - Adjust them as needed - Improve @sendilkumarn

Slide 69

Slide 69 text

@sendilkumarn Zero Trust Architecture - Stages @sendilkumarn

Slide 70

Slide 70 text

Zero Super Hero Hero

Slide 71

Slide 71 text

Zero Passwords authn. On permise Device management Log everything Data is labelled, access provided Reactive threat detection Super Hero Go passwordless Bring Your Own Device Automatically ﬁx when things go wrong Proactive data governance Fully Automated threat investigation & ﬁx Hero MFAs / SSOs authn. Cloud device management Log & Automatically highlight risks Data is restricted, and automatic labels Proactive threat detection

Slide 72

Slide 72 text

@sendilkumarn Best Practices

Slide 73

Slide 73 text

Never assume roles / privilege @sendilkumarn

Slide 74

Slide 74 text

Just Enough Access Provide least privilege everywhere @sendilkumarn

Slide 75

Slide 75 text

Just In Time Access @sendilkumarn

Slide 76

Slide 76 text

Questions @sendilkumarn

Slide 77

Slide 77 text

Verify but Never Trust @sendilkumarn Thanks!!

Slide 78

Slide 78 text

Sources ● Evolving Zero Trust ● Microsoft Digital Defense Report ● Zero Trust Adoption Report ● BeyondCorp Image Credits - unspalsh.com @sendilkumarn

Slide 79

Slide 79 text

Thanks @sendilkumarn

Slide 80

Slide 80 text

Enable MFA @sendilkumarn

Slide 81

Slide 81 text

Know / Govern / Protect / Control Data @sendilkumarn

Slide 82

Slide 82 text

Always verify explicitly @sendilkumarn

Slide 83

Slide 83 text

Log & Inspect all corporate traﬃc @sendilkumarn

Slide 84

Slide 84 text

Limits & Controls access to network @sendilkumarn

Slide 85

Slide 85 text

Verify & Secure network @sendilkumarn

Slide 86

Slide 86 text

Anti Malwares are important @sendilkumarn

Slide 87

Slide 87 text

Reduce attack exposure @sendilkumarn

Slide 88

Slide 88 text

Assume Breach @sendilkumarn

Slide 89

Slide 89 text

Prevent lateral movement in your architecture. @sendilkumarn

Slide 90

Slide 90 text

Stage - Zero ● MFAs / SSOs ● Device compliance ● Audit logging ● Networks are monitored ● Networks are segmented ● Data is encrypted, segregated & risk identiﬁed ● Manual Policies enforced

Slide 91

Slide 91 text

Stage - Hero ● Real time risk analytics ● Act quickly with collected information ● Proactively ﬁgure out issues and ﬁx ● Automatic discoveries for anamolies ● Data is restricted ● Policies enforced based on signals

Slide 92

Slide 92 text

Stage - Super Hero ● Go passwordless ● Constantly + autonomously verify endpoints ● Enrich user experience & user productivity ● Automated threat protection ● Proactive data governance ● Dynamically enforce policies

Slide 93

Slide 93 text

Security Pillars Conﬁdentiality Integrity Availability Encryption & Decryption Verify message is unchanged Verify Sender is real @sendilkumarn

Slide 94

Slide 94 text

Every transaction between systems will be validated before the transaction. @sendilkumarn

Slide 95

Slide 95 text

Zero Trust provides a secure and healthy way to access information from anywhere @sendilkumarn

Slide 96

Slide 96 text

Telemetry ● Collect all the data ● Automatically detect the anamolies ● Log & Monitor ● Decide on the go. @sendilkumarn Monitor and enforce zero trust security policies with intelligent analytics. View and monitor the behavior of all users, resources and data connecting within the business.

Slide 97

Slide 97 text

@sendilkumarn Data Zero Trust Policy Identities

Slide 98

Slide 98 text

@sendilkumarn Data Zero Trust Policy Users Network Private / Public

Slide 99

Slide 99 text

Data @sendilkumarn Role Based Access Control / RBAC Policy

Slide 100

Slide 100 text

Data Network Private / Public Users Policy @sendilkumarn

Slide 101

Slide 101 text

Data Users Policy @sendilkumarn

Slide 102

Slide 102 text

Data User Role Access Admin View / Edit / … @sendilkumarn

Slide 103

Slide 103 text

Data Role Based Access Control / RBAC @sendilkumarn

Slide 104

Slide 104 text

Data Policy @sendilkumarn

Slide 105

Slide 105 text

Data Network Private / Public Policy Users Policy @sendilkumarn

Slide 106

Slide 106 text

Data Network Private / Public Policy Users Policy @sendilkumarn

Slide 107

Slide 107 text

Data Network Private / Public Policy Users @sendilkumarn

Slide 108

Slide 108 text

Data Network Private / Public Policy Users authentication @sendilkumarn

Slide 109

Slide 109 text

Data Network Private / Public Policy Identities Human / Non-Human authentication @sendilkumarn

Slide 110

Slide 110 text

Data Application Network Private / Public Policy Identities Human / Non-Human authentication @sendilkumarn

Slide 111

Slide 111 text

Infrastructure Data Application Network Private / Public Policy Identities Human / Non-Human authentication @sendilkumarn

Slide 112

Slide 112 text

Infrastructure Data Application Network Private / Public Policy Identities Human / Non-Human Endpoints Corporate / Personal authentication is this device allowed? @sendilkumarn

Slide 113

Slide 113 text

Infrastructure Data Application Data Collector Network Private / Public Policy Identities Human / Non-Human Endpoints Corporate / Personal authentication is this device allowed? @sendilkumarn

Slide 114

Slide 114 text

Infrastructure Data Application Data Collector Network Private / Public Policy Controller Policy Identities Human / Non-Human Endpoints Corporate / Personal authentication is this device allowed? @sendilkumarn

Slide 115

Slide 115 text

Infrastructure Data Application Data Collector Threat Protector Network Private / Public Policy Controller Policy Identities Human / Non-Human Endpoints Corporate / Personal authentication is this device allowed? assess risk @sendilkumarn