Slide 1

Slide 1 text

Zero Trust Strategy Implementation and Operational Challenges
Cloudflare Meet-up Tokyo Vol.5
07/04/2024
Shun Yoshie

Slide 2

Slide 2 text

My introduction
Shun Yoshie
NRI / Security Consultant
AWS Security Hero
My Community:
● Security-JAWS
My Interests:
● Multi-Cloud
● Cloud Native
● Audit
● CNAPP
● Security Observability

Slide 3

Slide 3 text

Zero Trust related articles to watch in April 2024
"I don't want Zero Trust to be misunderstood: the correct definition as explained by its originator" (ゼロトラストを誤解してほしくない--提唱者が説く正しい定義)
https://japan.zdnet.com/article/35218137/
"Gartner announces the latest Zero Trust trends" (Gartner、ゼロトラストの最新トレンドを発表)
https://www.gartner.co.jp/ja/newsroom/press-releases/pr-20240422
These will let you reacquaint yourself with Zero Trust and understand what companies have done to strengthen security in their Zero Trust strategies.

Slide 4

Slide 4 text

Birth of Zero Trust: Traditional Network Architecture
[Diagram: network zones] Untrust (Internet); DMZ (Web Srv, App Srv); Trust (DB Srv); OA (PC, File Srv)

Slide 5

Slide 5 text

Birth of Zero Trust: Traditional Secure Network Architecture
[Diagram: the same zones with perimeter controls added] DMZ (Web Srv, App Srv) behind an LB with IDS / IPS / WAF; Trust (DB Srv); OA (File Srv) with AV / URLF / MF / Proxy / DNS; FW / NGFW and two further FWs separating the zones

Slide 6

Slide 6 text

Birth of Zero Trust: Targeted attacks turn Trust into Untrust
[Diagram: the same secured architecture as the previous slide] A targeted attack gets past the perimeter controls (FW / NGFW, LB, IDS / IPS / WAF, AV / URLF / MF / Proxy / DNS) and then moves laterally (Lateral Movement) between the DMZ, OA, and Trust (DB Srv, File Srv) zones that the design assumed to be trusted. Once the attacker is inside, "Trust" is no longer trustworthy → ZT!

Slide 7

Slide 7 text

Zero Trust: several core concepts
A security "concept" proposed by John Kindervag in 2010 (the initial concept was born in 2008):
"NEVER TRUST, ALWAYS VERIFY"
Devices: there are no longer a trusted and an untrusted interface on our security devices
Users: there are no longer trusted and untrusted users
Network: there are no longer a trusted and an untrusted network
https://www.virtualstarmedia.com/downloads/Forrester_zero_trust_DNA.pdf

Slide 8

Slide 8 text

Zero Trust is the only cybersecurity STRATEGY
Zero Trust is the only cybersecurity strategy to stop intrusions and breaches.
Zero Trust strategies published by each vendor:
● Microsoft
○ Embrace proactive security with Zero Trust
● Amazon Web Services
○ Embracing Zero Trust: A strategy for secure and agile business transformation
● Google
○ BeyondCorp
● Zscaler
○ How Do You Implement Zero Trust?

Slide 9

Slide 9 text

Embracing Zero Trust: A strategy for secure and agile business transformation, from AWS (1/2)
The four important decision-making processes:
Stakeholder engagement
Engage with stakeholders to understand their priorities, concerns, and vision for the organization's security posture.
Risk assessment
Conducting a comprehensive risk assessment helps identify issues, excessive attack surface, and critical assets, which helps you make informed decisions on security controls and investment.
https://docs.aws.amazon.com/ja_jp/prescriptive-guidance/latest/strategy-zero-trust-architecture/strategy-zero-trust-architecture.pdf

Slide 10

Slide 10 text

Embracing Zero Trust: A strategy for secure and agile business transformation, from AWS (2/2)
The four important decision-making processes (continued):
Technology evaluation
Identify existing gaps and select appropriate tools and solutions in line with ZTA principles.
Change management
Recognizing the cultural and organizational impacts of adopting a ZTA model is essential (including fostering a security-aware culture around ZTA principles and benefits).
https://docs.aws.amazon.com/ja_jp/prescriptive-guidance/latest/strategy-zero-trust-architecture/strategy-zero-trust-architecture.pdf

Slide 11

Slide 11 text

Tenets of Zero Trust by NIST
1. All data sources and computing services are considered resources.
2. All communication is secured regardless of network location.
3. Access to individual enterprise resources is granted on a per-session basis.
4. Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.
5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
7. The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
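Tenets 3, 4 and 6 are the ones that are easiest to misread as "log in once with MFA". The following Python sketch of a policy decision point (PDP) is an added example, not code from the slides, from NIST SP 800-207 or from any vendor: every request is evaluated against the identity, the observable posture of the requesting device, and the resource's sensitivity; the default is deny; and a grant is per session with a bounded lifetime. All attribute names, thresholds, and the sample subjects, devices and resources are constructed for illustration.

```python
"""Minimal policy decision point (PDP) illustrating NIST SP 800-207 tenets
3, 4 and 6.  Added example: not code from the slides, from NIST or from any
vendor.  Attribute names, thresholds and the sample subjects/devices/resources
are constructed for illustration."""
from dataclasses import dataclass, field
import time


@dataclass(frozen=True)
class Subject:
    user: str
    groups: frozenset
    mfa_verified: bool
    auth_age_s: int              # seconds since the last interactive login


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool                # enrolled in the organisation's MDM
    disk_encrypted: bool
    os_patch_age_days: int
    posture_checked_at: float    # epoch seconds of the last posture report


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str             # "public" | "internal" | "confidential"
    allowed_groups: frozenset


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)
    session_ttl_s: int = 0       # 0 when denied


# Constructed thresholds; a real PDP would load these from policy, not code.
MAX_POSTURE_AGE_S = 300
MAX_PATCH_AGE_DAYS = 30
REAUTH_AGE_S = {"public": 12 * 3600, "internal": 8 * 3600, "confidential": 3600}
SESSION_TTL_S = {"public": 8 * 3600, "internal": 3600, "confidential": 900}


def evaluate(subject, device, resource, now=None):
    """Default-deny: every failed check is recorded, and any one of them denies."""
    now = time.time() if now is None else now
    reasons = []

    # Tenet 6: authentication is re-checked for every access, not once at login.
    if not subject.mfa_verified:
        reasons.append("mfa_required")
    if subject.auth_age_s > REAUTH_AGE_S[resource.sensitivity]:
        reasons.append("reauthentication_required")

    # Tenet 4: the observable state of the requesting asset feeds the decision;
    # a posture report that is too old is treated as no report at all.
    if now - device.posture_checked_at > MAX_POSTURE_AGE_S:
        reasons.append("posture_stale")
    if resource.sensitivity != "public":
        if not device.managed:
            reasons.append("unmanaged_device")
        if not device.disk_encrypted:
            reasons.append("disk_not_encrypted")
        if device.os_patch_age_days > MAX_PATCH_AGE_DAYS:
            reasons.append("os_out_of_date")

    # Least privilege: the subject needs an explicit grant for this resource.
    if not (subject.groups & resource.allowed_groups):
        reasons.append("no_group_grant")

    if reasons:
        return Decision(False, reasons)
    # Tenet 3: the grant is per session with a bounded lifetime, after which
    # this whole evaluation runs again.
    return Decision(True, ["all_checks_passed"], SESSION_TTL_S[resource.sensitivity])


# Constructed sample data.
NOW = 1_000_000.0
ALICE = Subject("alice", frozenset({"finance"}), True, 600)
BOB = Subject("bob", frozenset({"eng"}), True, 60)
LAPTOP = Device("lt-01", True, True, 7, NOW - 60)
BYOD_PHONE = Device("ph-77", False, False, 120, NOW - 60)
PAYROLL = Resource("payroll", "confidential", frozenset({"finance"}))
WIKI = Resource("wiki", "internal", frozenset({"finance", "eng"}))


def demo():
    """Four requests: the same person gets different answers per device and time."""
    return {
        "alice_laptop_payroll": evaluate(ALICE, LAPTOP, PAYROLL, NOW),
        "alice_phone_payroll": evaluate(ALICE, BYOD_PHONE, PAYROLL, NOW),
        "bob_laptop_payroll": evaluate(BOB, LAPTOP, PAYROLL, NOW),
        "alice_stale_posture": evaluate(ALICE, LAPTOP, WIKI, NOW + 3600),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name}: {'ALLOW' if d.allowed else 'DENY'} {d.reasons} ttl={d.session_ttl_s}s")
```

The point of the design is in the last branch: an allow is never permanent, the TTL is shorter for more sensitive resources, and the denial carries every failed check so that the SIEM can tell a missing MFA from a stale posture report.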

Slide 12

Slide 12 text

Service providers that claim zero trust
● Zscaler
● Okta
● On2It
● Akamai
● Netskope
● Box
● Fortinet
● Palo Alto Networks
● Cloudflare
● etc.
Such a provider easily becomes a single point of failure, and when a security incident occurs at the provider itself, the impact is catastrophic.

Slide 13

Slide 13 text

Misconceptions when using security / zero trust services
Deploying the service does not end the work; the following operations are still necessary:
● Rule and signature updates for the security products
● Setting changes when the customer environment changes
● Checking the contents of the alerts raised by the devices
● etc.
As attack methods become more sophisticated, operation after implementation is extremely important.
https://speakerdeck.com/opelab/20171212-automation?slide=32
If you don't know how to operate it, please read Hatano-san's materials.

Slide 14

Slide 14 text

Report executive summary
https://www.virtualstarmedia.com/downloads/Forrester_zero_trust_DNA.pdf
"One of our goals with Zero Trust is to optimize the security architectures and technologies for future flexibility. As we move toward a data-centric world with shifting threats and perimeters, we look at new network designs that integrate connectivity, transport, and security around potentially toxic data. We call this 'designing from the inside out.' If we begin to do all those things together we can have a much more strategic infrastructure. If we look at everything from a data-centric perspective, we can design networks from the inside out and make them more efficient, more elegant, simpler, and more cost-effective."

Slide 15

Slide 15 text

Data-centric security by OCI
https://speakerdeck.com/oracle4engineer/oci-security-sabisu-ji-shu-gai-yao?slide=6

Slide 16

Slide 16 text

Introducing important Zero Trust documents
I will now introduce documents that are helpful when thinking about implementing and operating Zero Trust.
In addition, the operational design policies and day-to-day operations that have been handled by conventional methods remain effective; Zero Trust does not replace them.

Slide 17

Slide 17 text

Defining the Zero Trust Protect Surface by CSA
(EN) https://cloudsecurityalliance.org/artifacts/defining-the-zero-trust-protect-surface
(JP) https://www.cloudsecurityalliance.jp/site/wp-content/uploads/2024/04/Defining-the-Zero-Trust-Protect-Surface-20240227-J.pdf
Released by the Cloud Security Alliance; a Japanese translation was recently released by CSAJ.
Have you defined what should be protected?
● Data
● Applications
● Assets
● Services
What should we protect? (This question is not specific to Zero Trust.) What are the threats to it? You need to understand this properly.

Slide 18

Slide 18 text

Zero Trust Maturity Model by CISA
https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf
"CISA's Zero Trust Maturity Model is one of many roadmaps that agencies can reference as they transition towards a zero trust architecture." The latest version is 2.0.
Don't forget the steps: correctly understand the data flows, build the ZTA, create the policies, and then monitor, maintain, and operate the network.

Slide 19

Slide 19 text

NSTAC Report to the President on Zero Trust and Trusted Identity Management (published via CISA)
https://www.cisa.gov/sites/default/files/publications/NSTAC%20Report%20to%20the%20President%20on%20Zero%20Trust%20and%20Trusted%20Identity%20Management%20%2810-17-22%29.pdf
Step 5 of the report's five-step implementation model, "Monitor and Maintain the Network," is a must-read for anyone who is satisfied merely with having introduced a service that claims to be Zero Trust.
Data such as event logs is required, and so is a network to collect that data (a data lake in the cloud); finally, it is integrated with the SIEM.

Slide 20

Slide 20 text

Advancing Zero Trust Maturity Throughout the Application and Workload Pillar by NSA
https://media.defense.gov/2024/May/22/2003470825/-1/-1/0/CSI-APPLICATION-AND-WORKLOAD-PILLAR.PDF
The NSA released the Cybersecurity Information Sheet (CSI) "Advancing Zero Trust Maturity Throughout the Application and Workload Pillar".
It covers application inventory, secure software development and integration, software risk management, resource authorization and integration, and continuous monitoring and ongoing authorizations.

Slide 21

Slide 21 text

About Cloudflare monitoring and operation
Cloudflare is not a system or security monitoring/observability service. Although Cloudflare is a platform that provides Zero Trust security, it does not monitor itself on our behalf: we need to monitor Cloudflare. This is just a consideration.
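Slide 19 said the event logs must land in a data lake and a SIEM; this slide says Cloudflare itself has to be watched. The following Python is an added example, not code from the slides, from Cloudflare or from Uptycs, of the kind of detection a SIEM would run over Cloudflare Access request logs: repeated denials for one identity, one identity allowed from two countries in a short window, and, the check that actually watches Cloudflare, a silent stretch in the log feed. The records are constructed; their field names (CreatedAt, Email, Allowed, Country, IPAddress, AppDomain) are assumed to follow the shape of the Logpush access_requests dataset and must be checked against the current Logpush field reference before use.

```python
"""Three detections over Cloudflare Access-style request logs.  Added example:
not code from the slides, from Cloudflare or from Uptycs.  The log records are
constructed; the field names are assumed to follow the Logpush access_requests
dataset and must be checked against the current field reference."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed JSON-lines sample: one Access request per line.
SAMPLE_LOG = """\
{"CreatedAt":"2024-07-04T09:00:01Z","Email":"alice@example.com","Allowed":true,"Country":"JP","IPAddress":"203.0.113.10","AppDomain":"wiki.example.com"}
{"CreatedAt":"2024-07-04T09:01:00Z","Email":"bob@example.com","Allowed":false,"Country":"JP","IPAddress":"198.51.100.7","AppDomain":"payroll.example.com"}
{"CreatedAt":"2024-07-04T09:02:00Z","Email":"bob@example.com","Allowed":false,"Country":"JP","IPAddress":"198.51.100.7","AppDomain":"payroll.example.com"}
{"CreatedAt":"2024-07-04T09:03:30Z","Email":"bob@example.com","Allowed":false,"Country":"JP","IPAddress":"198.51.100.7","AppDomain":"payroll.example.com"}
{"CreatedAt":"2024-07-04T09:10:00Z","Email":"alice@example.com","Allowed":true,"Country":"US","IPAddress":"192.0.2.44","AppDomain":"wiki.example.com"}
{"CreatedAt":"2024-07-04T09:12:00Z","Email":"carol@example.com","Allowed":true,"Country":"JP","IPAddress":"203.0.113.55","AppDomain":"wiki.example.com"}
{"CreatedAt":"2024-07-04T09:45:00Z","Email":"carol@example.com","Allowed":true,"Country":"JP","IPAddress":"203.0.113.55","AppDomain":"wiki.example.com"}
{"CreatedAt":"2024-07-04T09:46:00Z","Email":"dave@example.com","Allowed":false,"Country":"DE","IPAddress":"192.0.2.9","AppDomain":"payroll.example.com"}
{"CreatedAt":"2024-07-04T09:50:00Z","Email":"dave@example.com","Allowed":false,"Country":"DE","IPAddress":"192.0.2.9","AppDomain":"payroll.example.com"}
"""


def parse(text):
    """JSON lines -> records sorted by time, with a parsed aware datetime in 'ts'."""
    recs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        r["ts"] = datetime.fromisoformat(r["CreatedAt"].replace("Z", "+00:00"))
        recs.append(r)
    return sorted(recs, key=lambda r: r["ts"])


def repeated_denials(recs, threshold=3, window=timedelta(minutes=10)):
    """Identities with >= threshold denied requests inside a sliding window
    (policy probing, a stolen identity without the right device, or a broken
    posture agent; all three are worth a ticket)."""
    hits = set()
    denied = defaultdict(deque)
    for r in recs:
        if r["Allowed"]:
            continue
        q = denied[r["Email"]]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            hits.add(r["Email"])
    return hits


def country_switch(recs, window=timedelta(minutes=30)):
    """The same identity allowed from two countries within `window`."""
    last = {}
    hits = []
    for r in recs:
        if not r["Allowed"]:
            continue
        prev = last.get(r["Email"])
        if prev and prev[0] != r["Country"] and r["ts"] - prev[1] <= window:
            hits.append((r["Email"], prev[0], r["Country"]))
        last[r["Email"]] = (r["Country"], r["ts"])
    return hits


def log_gaps(recs, max_gap=timedelta(minutes=15)):
    """Silent stretches in the feed.  If log delivery from Cloudflare stops,
    every other detection goes quiet too, so the absence of logs is itself
    an alert condition."""
    return [(a["ts"], b["ts"]) for a, b in zip(recs, recs[1:]) if b["ts"] - a["ts"] > max_gap]


def run(text=SAMPLE_LOG):
    recs = parse(text)
    return {
        "repeated_denials": repeated_denials(recs),
        "country_switch": country_switch(recs),
        "log_gaps": log_gaps(recs),
    }


if __name__ == "__main__":
    for name, result in run().items():
        print(f"{name}: {result}")
```

The gap detector is the one most teams forget: a dashboard that shows zero alerts looks the same whether the environment is quiet or the Logpush job has been failing since last night, so the SIEM needs a heartbeat rule on the Cloudflare feed itself.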

Slide 22

Slide 22 text

About Cloudflare Zero Trust
Stop lateral movement: replace VPN connections with default-deny Zero Trust rules
Accelerate remote access: connect users faster and more safely than a VPN
Protect any application: protect access to any application, whether SaaS, cloud, or on-premises
https://community.cloudflare.com/t/about-the-zero-trust-category/433840

Slide 23

Slide 23 text

CNAPP and Zero Trust
Gartner proposed the cloud-native application protection platform (CNAPP) as a comprehensive approach to securing cloud-native environments. CNAPP, as defined by Gartner, integrates many functions that were previously siloed, such as container image scanning, CSPM, IaC scanning, CIEM (Cloud Infrastructure Entitlement Management), and CWPP. In recent years, vendors have integrated further features as well.
(Vendor example: Uptycs)

Slide 24

Slide 24 text

CNAPP and Zero Trust
Uptycs has a partnership with Cloudflare and can monitor Cloudflare Zero Trust. In addition, Uptycs' service provides a CNAPP, which enables multi-cloud and hybrid-cloud monitoring.
https://www.cloudflare.com/partners/technology-partners/uptycs/

Slide 25

Slide 25 text

ex) Uptycs and Cloudflare Integration
[Diagram] Created based on the picture below:
https://developers.cloudflare.com/reference-architecture/design-guides/zero-trust-for-startups/

Slide 26

Slide 26 text

Zero Trust for safe use of generative AI
Reasons why Zero Trust security is effective when using generative AI:
● Enhanced user authentication and access control
● Comprehensive data protection and encryption
● Continuous monitoring and anomaly detection
● Application of the principle of least privilege
● Segmented network architecture

Slide 27

Slide 27 text

Future?) Uptycs and Cloudflare with GenAI Integration
[Diagram] Created based on the picture below:
https://developers.cloudflare.com/reference-architecture/design-guides/zero-trust-for-startups/
AISPM?

Slide 28

Slide 28 text

In conclusion
● Zero Trust is the only cybersecurity strategy to stop intrusions and breaches.
● Engagement with stakeholders is important when introducing Zero Trust.
● Before moving forward with Zero Trust, define what data and assets need to be protected.
● Even with Zero Trust, don't neglect monitoring.

Slide 29

Slide 29 text

Thank you
LinkedIn: Shun Yoshie
Twitter: @Typhon666_death