Zero Trust Strategy Implementation and Operational Challenges Cloudflare Meet-up Tokyo Vol.5 07/04/2024 Shun Yoshie

My introduction Shun Yoshie NRI / Security Consultant AWS Security Hero My Community: ● Security-JAWS My Interest: ● Mulchi-Cloud ● Cloud Native ● Audit ● CNAPP ● Security Observability

Zero Trust related articles to watch in April 2024 ゼロトラストを誤解してほしくない--提唱者が説く正しい定義 https://japan.zdnet.com/article/35218137/ Gartner、ゼロトラストの最新トレンドを発表 https://www.gartner.co.jp/ja/newsroom/press-releases/pr-20240422 You will be able to reacquaint yourself with Zero Trust and understand what companies have done to strengthen security in their Zero Trust strategies.

Birth of Zero Trust: Traditional Network Architecture DMZ(Web Srv, App Srv) Untrust(Internet) Trust(DB Srv) OA(PC, File Srv)

Birth of Zero Trust: Traditional Secure Network Architecture DMZ (Web Srv, App Srv) LB Trust(DB Srv) OA IDS / IPS/ WAF FW FW FW / NGFW AV / URLF / MF / Proxy / DNS File Srv

Birth of Zero Trust: Targeted attacks turn Trust into Untrust DMZ (Web Srv, App Srv) LB Trust(DB Srv) OA IDS / IPS/ WAF FW FW FW / NGFW AV / URLF / MF / Proxy / DNS File Srv Targeted Attacks Lateral Movement ZT!

Zero Trust Several core Concepts Devices There are no longer a trusted and an untrusted interface on our security devices users There are no longer trusted and untrusted users Network There are no longer a trusted and an untrusted network https://www.virtualstarmedia.com/downloads/Forrester_zero_trust_DNA.pdf A security "concept" proposed by John Kindervag in 2010 (The initial concept was born in 2008.) “NEVER TRUST, ALWAYS VERIFY”

Zero Trust is the only cybersecurity STRATEGY Zero trust is the only cybersecurity strategy to stop intrusions and breaches. Zero trust strategies for each vendor: ● Microsoft ○ Embrace proactive security with Zero Trust ● Amazon Web Services ○ Embracing Zero Trust: A strategy for secure and agile business transformation ● Google ○ Beyond Corp ● Zscaler ○ How Do You Implement Zero Trust?

Embracing Zero Trust: A strategy for secure and agile business transformation from AWS(1/2) Stakeholder engagement Engage with stakeholders to understand priorities, concerns, and vision for the organization's security posture. Risk assessment Conducting a comprehensive risk assessment helps identify issues, excessive surface area, and critical assets, which helps you make informed decisions on security controls and investment https://docs.aws.amazon.com/ja_jp/prescriptive-guidance/latest/strategy-zero -trust-architecture/strategy-zero-trust-architecture.pdf Important 4 decision-making processes

Embracing Zero Trust: A strategy for secure and agile business transformation from AWS(2/2) Technology evaluation Identify existing gaps and select appropriate tools and solutions in line with ZTA principles https://docs.aws.amazon.com/ja_jp/prescriptive-guidance/latest/strategy-zero -trust-architecture/strategy-zero-trust-architecture.pdf Important 4 decision-making processes Change management Recognizing the cultural and organizational impacts of adopting a ZTA model is essential (incl fostering a security-aware culture around ZTA principles and benefits)

Tenets of Zero Trust by NIST 1. All data sources and computing services are considered resources. 2. All communication is secured regardless of network location. 3. Access to individual enterprise resources is granted on a per-session basis. 4. Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes. 5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets. 6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed. 7. The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf

Service providers that claim zero trust ● Zscaler ● Okta ● On2It ● Akamai ● Netskope ● Box ● Fortinet ● Palo Alto Networks ● Cloudflare ● etc It is easy to become a single point of failure, and when a security incident occurs, it is catastrophic.

Misconceptions when using {security|zero trust} services It is necessary to perform the following operations: ● Rule version update for security products ● Setting changes due to changes in customer environment ● Checking the contents of alerts from devices ● etc As attack methods become more sophisticated, operation after implementation is extremely important. https://speakerdeck.com/opelab/20171212-automation?slide=32 If you don't understand how to operate it, please read materials of Hatano-san.

Report executive summary https://www.virtualstarmedia.com/downloads/Forrester_zero_trust_DNA.pdf One of our goals with Zero Trust is to optimize the security architectures and technologies for future flexibility. As we move toward a data-centric world with shifting threats and perimeters, we look at new network designs that integrate connectivity, transport, and security around potentially toxic data. We call this “designing from the inside out.” If we begin to do all those things together we can have a much more strategic infrastructure. If we look at everything from a data-centric perspective, we can design networks from the inside out and make them more efficient, more elegant, simpler, and more cost-effective.

Data-centric security by OCI https://speakerdeck.com/oracle4engineer/oci-security-sabisu-ji-shu-gai-yao? slide=6

Introducing important Zero Trust documents I will now introduce documents that will be helpful when thinking about implementing and operating Zero Trust. In addition, operational design policies and operations that have been handled using conventional methods, not just Zero Trust, are effective.

Defining the Zero Trust Protect Surface by CSA (EN)https://cloudsecurityalliance.org/artifacts/defining-the-zero-trust-protect-surface (JP)https://www.cloudsecurityalliance.jp/site/wp-content/uploads/2024/04/Defining-the-Zero-T rust-Protect-Surface-20240227-J.pdf Released by Cloud Security Alliance. A Japanese translation was recently released by CSAJ. Have you defined what should be protected? ● Data ● Application ● Asset ● Service What should we protect, not just Zero Trust? What are the threats to it? You need to understand it properly.

Zero Trust Maturity Model by CISA https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf CISA’s Zero Trust Maturity Model is one of many roadmaps that agencies can reference as they transition towards a zero trust architecture. Latest Version is 2.0. Don't forget the steps of correctly understanding the data flow, building ZTA, creating policies, and monitoring, maintaining, and operating the network.

NSTAC Report to the President on Zero Trust and Trusted Identity Management by CISA https://www.cisa.gov/sites/default/files/publications/NSTAC%20Report%20to%20the%20Pres ident%20on%20Zero%20Trust%20and%20Trusted%20Identity%20Management%20%2810- 17-22%29.pdf NSTAC Report to the President on Zero Trust and Trusted Identity Management Step 5 of the Maturity Model, ``Monitor and Maintain the Network,'' is a must-read for those who are satisfied with the introduction of a service that claims to be Zero Trust. Data such as event logs is required, and a data collection network (data lake in the cloud) is required. Finally, it is integrated with SIEM.

Advancing Zero Trust Maturity Throughout the Application and Workload Pillar by NSA https://media.defense.gov/2024/May/22/2003470825/-1/-1/0/CSI-APPLICATION-AND-WORK LOAD-PILLAR.PDF The NSA is releasing the Cybersecurity Information Sheet (CSI), “Advancing Zero Trust Maturity Throughout the Application and Workload Pillar” Incl application inventory, secure software development and integration, software risk management, resource authorization and integration, and continuous monitoring and ongoing authorizations.

About Cloudflare monitoring and operation Cloudflare is not a system or security monitoring/observability service. Although Cloudflare is a platform that provides zero trust security, it cannot monitor itself. We need to monitor Cloudflare. This is just a consideration.

About Cloudflare Zero Trust Stop lateral movement Replace VPN connections with default-deny Zero Trust rules Accelerate remote access Connect users faster and more safely than a VPN Protect any application Protect access to any application: SaaS, cloud, or on-premise https://community.cloudflare.com/t/about-the-zero-trus t-category/433840

CNAPP and Zero Trust Gartner proposed cloud native application protection platform (CNAPP) as a comprehensive approach to ensuring security in cloud-native environments. CNAPP, defined by Gartner, is said to integrate many functions that were previously siled, such as “Container Image Scanning”, “CSPM”, “IaC Scanning”, “CIEM (Cloud Infrastructure Entitlement Management)”, and “CWPP”. In recent years, they have also integrated other features. Uptycs

CNAPP and Zero Trust Uptycs has a partnership with Cloudflare and can monitor Cloudflare Zero Trust. Additionally, Uptycs' service provides CNAPP, which enables multi-cloud and hybrid cloud monitoring. https://www.cloudflare.com/partners/technology-p artners/uptycs/

ex) Uptycs and Cloudflare Integration Created based on the picture below https://developers.cloudflare.com/reference-architecture/design-guides/zero-trust-for-startups/

Zero Trust for safe use of generated AI Here are the reasons why Zero Trust Security is effective when using generative AI: ● Enhanced User Authentication and Access Control ● Comprehensive Data Protection and Encryption ● Continuous Monitoring and Anomaly Detection ● Application of the Principle of Least Privilege ● Segmented Network Architecture

Future?) Uptycs and Cloudflare with GenAI Integration Created based on the picture below https://developers.cloudflare.com/reference-architecture/design-guides/zero-trust-for-startups/ AISPM?

In conclusion Zero trust is the only cybersecurity strategy to stop intrusions and breaches. Engagement with stakeholders is important when introducing zero trust. Before moving forward with Zero Trust, define what data and assets need to be protected. Even with zero trust, don't neglect monitoring.

Thank you Linkedin Shun Yoshie Twitter @Typhon666_death