DevNexus_Building_with__Zero_Trust_Architecture_Copy.pdf

Transcript

1. Building with Zero Trust Architecture sendilkumarn @sendilkumarn

2. @sendilkumarn @sendilkumarn Rust Zig JavaScript Java Kotlin TypeScript Swift Go

   Haskell Functional vs Imperative Spaces vs Tabs JetBrains vs VSCode Gradle Vs Maven React Vue Svelte AlpineJS Webpack WebAssembly Istio Cloud Native Linkerd Microservices Kubernetes Full Stack Docker Spring JHipster Open Source Micronaut Kotlin Hipster Engineering Manager building Payments @Uber

3. 81% organizations are moving towards hybrid workspace source @sendilkumarn

4. No more luxury of corporate networks @sendilkumarn

5. Increase the attack exposure @sendilkumarn

6. 125% increase in cyber attacks @sendilkumarn source

7. Reduce Attack Surface Limit Lateral Move Contain Breach @sendilkumarn

8. Trust but verify @sendilkumarn

9. Verify but Never Trust @sendilkumarn Trust but verify

10. Zero Trust @sendilkumarn

11. In Zero Trust, we assume every action is breach. We

    continuously verify it @sendilkumarn

12. Continuous Verification @sendilkumarn

13. @sendilkumarn Building blocks of Zero Trust Architecture

14. Data 10101010 @sendilkumarn

15. Data 10101010 @sendilkumarn @ rest at transit at use

16. Data 10101010 Protect your data at rest. @sendilkumarn

17. Data 3ab13… @sendilkumarn

18. • Encrypt the data • Use vaults for key management

    • Cycle secrets frequently Data 3ab13…

19. Data 10101010 Protect your data at transit. @sendilkumarn

20. Data 10101010 🔐 HTTPS / TLS Encryption @sendilkumarn

21. Data 10101010 Protect your data in use. @sendilkumarn

22. Secure Enclaves @sendilkumarn

23. Secure Enclaves • Trusted Execution Environment • To store highly

    sensitive data and with limited access • Cryptographically attested data • Isolated environment @sendilkumarn

24. Data contextttttttttt DATA Encryption Label @sendilkumarn

25. 4M+ $ Average loss of business value due to a

    data breach source @sendilkumarn

26. Confidential Data @sendilkumarn

27. Data @sendilkumarn

28. By default we should block access and allow access with

    verification @sendilkumarn

29. Data @sendilkumarn User Role Access Admin View / Edit /

    …

30. Data @sendilkumarn User Role Access Admin View / Edit /

    … Role Based Access Control / RBAC

31. Data @sendilkumarn Role Based Access Control / RBAC Access the

    data Authenticated

32. Data @sendilkumarn Access the data Role Based Access Control /

    RBAC Policy Authenticated

33. Data @sendilkumarn Access the data Policy Authenticated

34. @sendilkumarn Data Policy Data Policy Data Policy Data Policy Data

    Policy Data Policy Data Policy Data Policy Data Policy

35. @sendilkumarn Data Data Data Data Data Data Data Policy Data

    Data

36. Policy • Dynamic : easy to add & revoke •

    Secure : no unauthorized access • Changes should be logged • Specific to the business policy • Evaluated periodically @sendilkumarn

37. @sendilkumarn Policy Engine Policy authenticated Data Data Data Data

38. Policy Engine • Validates rules based on the authentication &

    RBAC • Decides whether to allow / block the access • Brain of your zero trust architecture • Single point for all the decisions • Ensures policy enforcement @sendilkumarn

39. @sendilkumarn Zero Trust Policy authenticated Data Data Data Data

40. @sendilkumarn Zero Trust Policy authenticated Data Data Data Data Policy

    Controller

41. Policy Controller • Based on the access the policy controller

    does the following ◦ Governance ◦ Compliance ◦ Optimize ◦ Assess • CRUD operator for policies • Dynamically enforce / revoke policies & accesses @sendilkumarn

42. @sendilkumarn Zero Trust Policy authenticated Data Data Data Data Policy

    Controller

43. @sendilkumarn Zero Trust Policy Identities Policy Controller authenticated Data Data

    Data Data

44. @sendilkumarn Data Zero Trust Policy Identities Policy Controller authenticated

45. Identities • can be anyone that access your system •

    Uses Password / MFA / SSO to authenticate • Continuously verify the identities • Log all the activities • Do not assume any privileges @sendilkumarn

46. @sendilkumarn Data Zero Trust Policy Identities Computers / Servers Policy

    Manager authenticated Compliance devices Policy Controller

47. @sendilkumarn Data Zero Trust Policy Identities Endpoints Policy Manager authenticated

    Compliance devices Policy Controller

48. Endpoints • Prevent vulnerable / rooted devices • Data access

    via BYOD • Log all the activities • Enforce baseline activities @sendilkumarn

49. @sendilkumarn Data Zero Trust Policy Identities Endpoints Policy Controller authenticated

    Compliance devices Applications

50. @sendilkumarn Applications Zero Trust Policy Identities Endpoints Policy Manager authenticated

    Compliance devices Data Policy Controller

51. Applications • Has policies too • Provide in-app permissions &

    roles • Gate access based on real time analytics • Log all the activities @sendilkumarn

52. @sendilkumarn Applications Zero Trust Policy Identities Endpoints Policy Manager authenticated

    Compliance devices Data Infrastructure Policy Controller

53. Infrastructure • Provide Just-In-Time access to harden defense • Automatically

    block and flag risky behavior • Log all the activities • Fix outdated VMs & audit external tools (eg., Kubernetes) @sendilkumarn

54. Infrastructure & Application - Deployments • Attest the binary at

    the time of deployment ◦ Verify the authenticity of the binary ◦ Verify the sender of the binary Binary Authorization in GCP @sendilkumarn

55. @sendilkumarn Applications Zero Trust Policy Identities Endpoints Policy Manager authenticated

    Compliance devices Data Infrastructure NETWORK PRIVATE / PUBLIC Policy Controller

56. @sendilkumarn Applications Zero Trust Policy Identities Endpoints Policy Manager authenticated

    Compliance devices Data Infrastructure NETWORK PRIVATE / PUBLIC Policy Controller

57. Network • Always encrypt data end-to-end • Real time /

    Dynamic threat protection • Log all the activities • Make it harder for anyone to move laterally @sendilkumarn

58. @sendilkumarn Applications Zero Trust Policy Identities Endpoints Policy Manager authenticated

    Compliance devices Data Infrastructure NETWORK PRIVATE / PUBLIC Threat Protector Policy Controller

59. Threat protector • Threat intelligence • ML models to act

    • Forensics • Automate response • Continuous assessment @sendilkumarn

60. @sendilkumarn Applications Zero Trust Policy Identities Endpoints Policy Manager authenticated

    Compliance devices Data Infrastructure NETWORK PRIVATE / PUBLIC Threat Protector Telemetry Telemetry Policy Controller

61. @sendilkumarn Applications Zero Trust Policy Identities Endpoints Policy Manager authenticated

    Compliance devices Data Infrastructure NETWORK PRIVATE / PUBLIC Threat Protector Telemetry Telemetry Policy Controller

62. Control Plane Data Plane Infrastructure Data Application Network Private /

    Public Policy Identities Human / Non-Human Endpoints Corporate / Personal Zero Trust Architecture Components @sendilkumarn Telemetry Threat Protector

63. @sendilkumarn

64. @sendilkumarn Effective Zero Trust Model

65. Define Context contextttttttttt DATA Encryption Label Access - Understand users

    / data - Label them - Create boundaries @sendilkumarn

66. Verify & Enforce Verify - Continously - Validate all access

    - Right access to right resource @sendilkumarn

67. Resolve Incidents - Revoke immediately - Create issue - Start

    compliance check @sendilkumarn

68. Analyze & Improve 🧐 - Evaluate policies - Adjust them

    as needed - Improve @sendilkumarn

69. @sendilkumarn Zero Trust Architecture - Stages @sendilkumarn

70. Zero Super Hero Hero

71. Zero Passwords authn. On permise Device management Log everything Data

    is labelled, access provided Reactive threat detection Super Hero Go passwordless Bring Your Own Device Automatically fix when things go wrong Proactive data governance Fully Automated threat investigation & fix Hero MFAs / SSOs authn. Cloud device management Log & Automatically highlight risks Data is restricted, and automatic labels Proactive threat detection

72. @sendilkumarn Best Practices

73. Never assume roles / privilege @sendilkumarn

74. Just Enough Access Provide least privilege everywhere @sendilkumarn

75. Just In Time Access @sendilkumarn

76. Questions @sendilkumarn

77. Verify but Never Trust @sendilkumarn Thanks!!

78. Sources • Evolving Zero Trust • Microsoft Digital Defense Report

    • Zero Trust Adoption Report • BeyondCorp Image Credits - unspalsh.com @sendilkumarn

79. Thanks @sendilkumarn

80. Enable MFA @sendilkumarn

81. Know / Govern / Protect / Control Data @sendilkumarn

82. Always verify explicitly @sendilkumarn

83. Log & Inspect all corporate traffic @sendilkumarn

84. Limits & Controls access to network @sendilkumarn

85. Verify & Secure network @sendilkumarn

86. Anti Malwares are important @sendilkumarn

87. Reduce attack exposure @sendilkumarn

88. Assume Breach @sendilkumarn

89. Prevent lateral movement in your architecture. @sendilkumarn

90. Stage - Zero • MFAs / SSOs • Device compliance

    • Audit logging • Networks are monitored • Networks are segmented • Data is encrypted, segregated & risk identified • Manual Policies enforced

91. Stage - Hero • Real time risk analytics • Act

    quickly with collected information • Proactively figure out issues and fix • Automatic discoveries for anamolies • Data is restricted • Policies enforced based on signals

92. Stage - Super Hero • Go passwordless • Constantly +

    autonomously verify endpoints • Enrich user experience & user productivity • Automated threat protection • Proactive data governance • Dynamically enforce policies

93. Security Pillars Confidentiality Integrity Availability Encryption & Decryption Verify message

    is unchanged Verify Sender is real @sendilkumarn

94. Every transaction between systems will be validated before the transaction.

    @sendilkumarn

95. Zero Trust provides a secure and healthy way to access

    information from anywhere @sendilkumarn

96. Telemetry • Collect all the data • Automatically detect the

    anamolies • Log & Monitor • Decide on the go. @sendilkumarn Monitor and enforce zero trust security policies with intelligent analytics. View and monitor the behavior of all users, resources and data connecting within the business.

97. @sendilkumarn Data Zero Trust Policy Identities

98. @sendilkumarn Data Zero Trust Policy Users Network Private / Public

99. Data @sendilkumarn Role Based Access Control / RBAC Policy

100. Data Network Private / Public Users Policy @sendilkumarn

101. Data Users Policy @sendilkumarn

102. Data User Role Access Admin View / Edit / …

     @sendilkumarn

103. Data Role Based Access Control / RBAC @sendilkumarn

104. Data Policy @sendilkumarn

105. Data Network Private / Public Policy Users Policy @sendilkumarn

106. Data Network Private / Public Policy Users Policy @sendilkumarn

107. Data Network Private / Public Policy Users @sendilkumarn

108. Data Network Private / Public Policy Users authentication @sendilkumarn

109. Data Network Private / Public Policy Identities Human / Non-Human

     authentication @sendilkumarn

110. Data Application Network Private / Public Policy Identities Human /

     Non-Human authentication @sendilkumarn

111. Infrastructure Data Application Network Private / Public Policy Identities Human

     / Non-Human authentication @sendilkumarn

112. Infrastructure Data Application Network Private / Public Policy Identities Human

     / Non-Human Endpoints Corporate / Personal authentication is this device allowed? @sendilkumarn

113. Infrastructure Data Application Data Collector Network Private / Public Policy

     Identities Human / Non-Human Endpoints Corporate / Personal authentication is this device allowed? @sendilkumarn

114. Infrastructure Data Application Data Collector Network Private / Public Policy

     Controller Policy Identities Human / Non-Human Endpoints Corporate / Personal authentication is this device allowed? @sendilkumarn

115. Infrastructure Data Application Data Collector Threat Protector Network Private /

     Public Policy Controller Policy Identities Human / Non-Human Endpoints Corporate / Personal authentication is this device allowed? assess risk @sendilkumarn