Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DevNexus_Building_with__Zero_Trust_Architecture_Copy.pdf

Sendil Kumar N
April 14, 2022
0
41

 DevNexus_Building_with__Zero_Trust_Architecture_Copy.pdf

Sendil Kumar N

April 14, 2022
Tweet

More Decks by Sendil Kumar N

See All by Sendil Kumar N
[Heapcon-2023] Building High Performance Web Applications
sendilkumarn
0
60
Building Reactive Microservices with Kotlin & running on Kubernetes
sendilkumarn
0
130
Building Reactive Microservices with JHipster & K8s
sendilkumarn
0
12
Designing High Performance React Applications
sendilkumarn
1
140
Batching, Suspense, and Server Components
sendilkumarn
0
33
Lessons Learnt with Visual Testing and Snapshots
sendilkumarn
0
100
Easy Microservices with K8s & Istio
sendilkumarn
0
83
KHipster - Kotlin Hipster
sendilkumarn
0
170
Microservices with JHipster
sendilkumarn
0
71

Featured

See All Featured
Being A Developer After 40
akosma
57
580k
VelocityConf: Rendering Performance Case Studies
addyosmani
320
23k
Mobile First: as difficult as doing things right
swwweet
216
8.6k
How GitHub Uses GitHub to Build GitHub
holman
468
290k
Clear Off the Table
cherdarchuk
84
310k
Agile that works and the tools we love
rasmusluckow
325
20k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
14
1.6k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
227
16k
The Power of CSS Pseudo Elements
geoffreycrofte
60
5k
Testing 201, or: Great Expectations
jmmastey
28
6.4k
Building Applications with DynamoDB
mza
88
5.6k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
659
120k

Transcript

  1. Building with Zero Trust Architecture sendilkumarn @sendilkumarn

  2. @sendilkumarn @sendilkumarn Rust Zig JavaScript Java Kotlin TypeScript Swift Go

    Haskell Functional vs Imperative Spaces vs Tabs JetBrains vs VSCode Gradle Vs Maven React Vue Svelte AlpineJS Webpack WebAssembly Istio Cloud Native Linkerd Microservices Kubernetes Full Stack Docker Spring JHipster Open Source Micronaut Kotlin Hipster Engineering Manager building Payments @Uber

  3. 81% organizations are moving towards hybrid workspace source @sendilkumarn

  4. No more luxury of corporate networks @sendilkumarn

  5. Increase the attack exposure @sendilkumarn

  6. 125% increase in cyber attacks @sendilkumarn source

  7. Reduce Attack Surface Limit Lateral Move Contain Breach @sendilkumarn

  8. Trust but verify @sendilkumarn

  9. Verify but Never Trust @sendilkumarn Trust but verify

  10. Zero Trust @sendilkumarn

  11. In Zero Trust, we assume every action is breach. We

    continuously verify it @sendilkumarn

  12. Continuous Verification @sendilkumarn

  13. @sendilkumarn Building blocks of Zero Trust Architecture

  14. Data 10101010 @sendilkumarn

  15. Data 10101010 @sendilkumarn @ rest at transit at use

  16. Data 10101010 Protect your data at rest. @sendilkumarn

  17. Data 3ab13… @sendilkumarn

  18. • Encrypt the data • Use vaults for key management

    • Cycle secrets frequently Data 3ab13…

  19. Data 10101010 Protect your data at transit. @sendilkumarn

  20. Data 10101010 🔐 HTTPS / TLS Encryption @sendilkumarn

  21. Data 10101010 Protect your data in use. @sendilkumarn

  22. Secure Enclaves @sendilkumarn

  23. Secure Enclaves • Trusted Execution Environment • To store highly

    sensitive data and with limited access • Cryptographically attested data • Isolated environment @sendilkumarn

  24. Data contextttttttttt DATA Encryption Label @sendilkumarn

  25. 4M+ $ Average loss of business value due to a

    data breach source @sendilkumarn

  26. Confidential Data @sendilkumarn

  27. Data @sendilkumarn

  28. By default we should block access and allow access with

    verification @sendilkumarn

  29. Data @sendilkumarn User Role Access Admin View / Edit /

  30. Data @sendilkumarn User Role Access Admin View / Edit /

    … Role Based Access Control / RBAC

  31. Data @sendilkumarn Role Based Access Control / RBAC Access the

    data Authenticated

  32. Data @sendilkumarn Access the data Role Based Access Control /

    RBAC Policy Authenticated

  33. Data @sendilkumarn Access the data Policy Authenticated

  34. @sendilkumarn Data Policy Data Policy Data Policy Data Policy Data

    Policy Data Policy Data Policy Data Policy Data Policy

  35. @sendilkumarn Data Data Data Data Data Data Data Policy Data

    Data

  36. Policy • Dynamic : easy to add & revoke •

    Secure : no unauthorized access • Changes should be logged • Specific to the business policy • Evaluated periodically @sendilkumarn

  37. @sendilkumarn Policy Engine Policy authenticated Data Data Data Data

  38. Policy Engine • Validates rules based on the authentication &

    RBAC • Decides whether to allow / block the access • Brain of your zero trust architecture • Single point for all the decisions • Ensures policy enforcement @sendilkumarn

  39. @sendilkumarn Zero Trust Policy authenticated Data Data Data Data

  40. @sendilkumarn Zero Trust Policy authenticated Data Data Data Data Policy

    Controller

  41. Policy Controller • Based on the access the policy controller

    does the following ◦ Governance ◦ Compliance ◦ Optimize ◦ Assess • CRUD operator for policies • Dynamically enforce / revoke policies & accesses @sendilkumarn

  42. @sendilkumarn Zero Trust Policy authenticated Data Data Data Data Policy

    Controller

  43. @sendilkumarn Zero Trust Policy Identities Policy Controller authenticated Data Data

    Data Data

  44. @sendilkumarn Data Zero Trust Policy Identities Policy Controller authenticated

  45. Identities • can be anyone that access your system •

    Uses Password / MFA / SSO to authenticate • Continuously verify the identities • Log all the activities • Do not assume any privileges @sendilkumarn

  46. @sendilkumarn Data Zero Trust Policy Identities Computers / Servers Policy

    Manager authenticated Compliance devices Policy Controller

  47. @sendilkumarn Data Zero Trust Policy Identities Endpoints Policy Manager authenticated

    Compliance devices Policy Controller

  48. Endpoints • Prevent vulnerable / rooted devices • Data access

    via BYOD • Log all the activities • Enforce baseline activities @sendilkumarn

  49. @sendilkumarn Data Zero Trust Policy Identities Endpoints Policy Controller authenticated

    Compliance devices Applications

  50. @sendilkumarn Applications Zero Trust Policy Identities Endpoints Policy Manager authenticated

    Compliance devices Data Policy Controller

  51. Applications • Has policies too • Provide in-app permissions &

    roles • Gate access based on real time analytics • Log all the activities @sendilkumarn

  52. @sendilkumarn Applications Zero Trust Policy Identities Endpoints Policy Manager authenticated

    Compliance devices Data Infrastructure Policy Controller

  53. Infrastructure • Provide Just-In-Time access to harden defense • Automatically

    block and flag risky behavior • Log all the activities • Fix outdated VMs & audit external tools (eg., Kubernetes) @sendilkumarn

  54. Infrastructure & Application - Deployments • Attest the binary at

    the time of deployment ◦ Verify the authenticity of the binary ◦ Verify the sender of the binary Binary Authorization in GCP @sendilkumarn

  55. @sendilkumarn Applications Zero Trust Policy Identities Endpoints Policy Manager authenticated

    Compliance devices Data Infrastructure NETWORK PRIVATE / PUBLIC Policy Controller

  56. @sendilkumarn Applications Zero Trust Policy Identities Endpoints Policy Manager authenticated

    Compliance devices Data Infrastructure NETWORK PRIVATE / PUBLIC Policy Controller

  57. Network • Always encrypt data end-to-end • Real time /

    Dynamic threat protection • Log all the activities • Make it harder for anyone to move laterally @sendilkumarn

  58. @sendilkumarn Applications Zero Trust Policy Identities Endpoints Policy Manager authenticated

    Compliance devices Data Infrastructure NETWORK PRIVATE / PUBLIC Threat Protector Policy Controller

  59. Threat protector • Threat intelligence • ML models to act

    • Forensics • Automate response • Continuous assessment @sendilkumarn

  60. @sendilkumarn Applications Zero Trust Policy Identities Endpoints Policy Manager authenticated

    Compliance devices Data Infrastructure NETWORK PRIVATE / PUBLIC Threat Protector Telemetry Telemetry Policy Controller

  61. @sendilkumarn Applications Zero Trust Policy Identities Endpoints Policy Manager authenticated

    Compliance devices Data Infrastructure NETWORK PRIVATE / PUBLIC Threat Protector Telemetry Telemetry Policy Controller

  62. Control Plane Data Plane Infrastructure Data Application Network Private /

    Public Policy Identities Human / Non-Human Endpoints Corporate / Personal Zero Trust Architecture Components @sendilkumarn Telemetry Threat Protector

  63. @sendilkumarn

  64. @sendilkumarn Effective Zero Trust Model

  65. Define Context contextttttttttt DATA Encryption Label Access - Understand users

    / data - Label them - Create boundaries @sendilkumarn

  66. Verify & Enforce Verify - Continously - Validate all access

    - Right access to right resource @sendilkumarn

  67. Resolve Incidents - Revoke immediately - Create issue - Start

    compliance check @sendilkumarn

  68. Analyze & Improve 🧐 - Evaluate policies - Adjust them

    as needed - Improve @sendilkumarn

  69. @sendilkumarn Zero Trust Architecture - Stages @sendilkumarn

  70. Zero Super Hero Hero

  71. Zero Passwords authn. On permise Device management Log everything Data

    is labelled, access provided Reactive threat detection Super Hero Go passwordless Bring Your Own Device Automatically fix when things go wrong Proactive data governance Fully Automated threat investigation & fix Hero MFAs / SSOs authn. Cloud device management Log & Automatically highlight risks Data is restricted, and automatic labels Proactive threat detection

  72. @sendilkumarn Best Practices

  73. Never assume roles / privilege @sendilkumarn

  74. Just Enough Access Provide least privilege everywhere @sendilkumarn

  75. Just In Time Access @sendilkumarn

  76. Questions @sendilkumarn

  77. Verify but Never Trust @sendilkumarn Thanks!!

  78. Sources • Evolving Zero Trust • Microsoft Digital Defense Report

    • Zero Trust Adoption Report • BeyondCorp Image Credits - unspalsh.com @sendilkumarn

  79. Thanks @sendilkumarn

  80. Enable MFA @sendilkumarn

  81. Know / Govern / Protect / Control Data @sendilkumarn

  82. Always verify explicitly @sendilkumarn

  83. Log & Inspect all corporate traffic @sendilkumarn

  84. Limits & Controls access to network @sendilkumarn

  85. Verify & Secure network @sendilkumarn

  86. Anti Malwares are important @sendilkumarn

  87. Reduce attack exposure @sendilkumarn

  88. Assume Breach @sendilkumarn

  89. Prevent lateral movement in your architecture. @sendilkumarn

  90. Stage - Zero • MFAs / SSOs • Device compliance

    • Audit logging • Networks are monitored • Networks are segmented • Data is encrypted, segregated & risk identified • Manual Policies enforced

  91. Stage - Hero • Real time risk analytics • Act

    quickly with collected information • Proactively figure out issues and fix • Automatic discoveries for anamolies • Data is restricted • Policies enforced based on signals

  92. Stage - Super Hero • Go passwordless • Constantly +

    autonomously verify endpoints • Enrich user experience & user productivity • Automated threat protection • Proactive data governance • Dynamically enforce policies

  93. Security Pillars Confidentiality Integrity Availability Encryption & Decryption Verify message

    is unchanged Verify Sender is real @sendilkumarn

  94. Every transaction between systems will be validated before the transaction.

    @sendilkumarn

  95. Zero Trust provides a secure and healthy way to access

    information from anywhere @sendilkumarn

  96. Telemetry • Collect all the data • Automatically detect the

    anamolies • Log & Monitor • Decide on the go. @sendilkumarn Monitor and enforce zero trust security policies with intelligent analytics. View and monitor the behavior of all users, resources and data connecting within the business.

  97. @sendilkumarn Data Zero Trust Policy Identities

  98. @sendilkumarn Data Zero Trust Policy Users Network Private / Public

  99. Data @sendilkumarn Role Based Access Control / RBAC Policy

  100. Data Network Private / Public Users Policy @sendilkumarn

  101. Data Users Policy @sendilkumarn

  102. Data User Role Access Admin View / Edit / …

    @sendilkumarn

  103. Data Role Based Access Control / RBAC @sendilkumarn

  104. Data Policy @sendilkumarn

  105. Data Network Private / Public Policy Users Policy @sendilkumarn

  106. Data Network Private / Public Policy Users Policy @sendilkumarn

  107. Data Network Private / Public Policy Users @sendilkumarn

  108. Data Network Private / Public Policy Users authentication @sendilkumarn

  109. Data Network Private / Public Policy Identities Human / Non-Human

    authentication @sendilkumarn

  110. Data Application Network Private / Public Policy Identities Human /

    Non-Human authentication @sendilkumarn

  111. Infrastructure Data Application Network Private / Public Policy Identities Human

    / Non-Human authentication @sendilkumarn

  112. Infrastructure Data Application Network Private / Public Policy Identities Human

    / Non-Human Endpoints Corporate / Personal authentication is this device allowed? @sendilkumarn

  113. Infrastructure Data Application Data Collector Network Private / Public Policy

    Identities Human / Non-Human Endpoints Corporate / Personal authentication is this device allowed? @sendilkumarn

  114. Infrastructure Data Application Data Collector Network Private / Public Policy

    Controller Policy Identities Human / Non-Human Endpoints Corporate / Personal authentication is this device allowed? @sendilkumarn

  115. Infrastructure Data Application Data Collector Threat Protector Network Private /

    Public Policy Controller Policy Identities Human / Non-Human Endpoints Corporate / Personal authentication is this device allowed? assess risk @sendilkumarn