Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DevNexus_Building_with__Zero_Trust_Architecture...

Sendil Kumar N
April 14, 2022
55

 DevNexus_Building_with__Zero_Trust_Architecture_Copy.pdf

Sendil Kumar N

April 14, 2022
Tweet

Transcript

  1. @sendilkumarn @sendilkumarn Rust Zig JavaScript Java Kotlin TypeScript Swift Go

    Haskell Functional vs Imperative Spaces vs Tabs JetBrains vs VSCode Gradle Vs Maven React Vue Svelte AlpineJS Webpack WebAssembly Istio Cloud Native Linkerd Microservices Kubernetes Full Stack Docker Spring JHipster Open Source Micronaut Kotlin Hipster Engineering Manager building Payments @Uber
  2. In Zero Trust, we assume every action is breach. We

    continuously verify it @sendilkumarn
  3. • Encrypt the data • Use vaults for key management

    • Cycle secrets frequently Data 3ab13…
  4. Secure Enclaves • Trusted Execution Environment • To store highly

    sensitive data and with limited access • Cryptographically attested data • Isolated environment @sendilkumarn
  5. 4M+ $ Average loss of business value due to a

    data breach source @sendilkumarn
  6. Data @sendilkumarn User Role Access Admin View / Edit /

    … Role Based Access Control / RBAC
  7. @sendilkumarn Data Policy Data Policy Data Policy Data Policy Data

    Policy Data Policy Data Policy Data Policy Data Policy
  8. Policy • Dynamic : easy to add & revoke •

    Secure : no unauthorized access • Changes should be logged • Specific to the business policy • Evaluated periodically @sendilkumarn
  9. Policy Engine • Validates rules based on the authentication &

    RBAC • Decides whether to allow / block the access • Brain of your zero trust architecture • Single point for all the decisions • Ensures policy enforcement @sendilkumarn
  10. Policy Controller • Based on the access the policy controller

    does the following ◦ Governance ◦ Compliance ◦ Optimize ◦ Assess • CRUD operator for policies • Dynamically enforce / revoke policies & accesses @sendilkumarn
  11. Identities • can be anyone that access your system •

    Uses Password / MFA / SSO to authenticate • Continuously verify the identities • Log all the activities • Do not assume any privileges @sendilkumarn
  12. @sendilkumarn Data Zero Trust Policy Identities Computers / Servers Policy

    Manager authenticated Compliance devices Policy Controller
  13. Endpoints • Prevent vulnerable / rooted devices • Data access

    via BYOD • Log all the activities • Enforce baseline activities @sendilkumarn
  14. Applications • Has policies too • Provide in-app permissions &

    roles • Gate access based on real time analytics • Log all the activities @sendilkumarn
  15. Infrastructure • Provide Just-In-Time access to harden defense • Automatically

    block and flag risky behavior • Log all the activities • Fix outdated VMs & audit external tools (eg., Kubernetes) @sendilkumarn
  16. Infrastructure & Application - Deployments • Attest the binary at

    the time of deployment ◦ Verify the authenticity of the binary ◦ Verify the sender of the binary Binary Authorization in GCP @sendilkumarn
  17. @sendilkumarn Applications Zero Trust Policy Identities Endpoints Policy Manager authenticated

    Compliance devices Data Infrastructure NETWORK PRIVATE / PUBLIC Policy Controller
  18. @sendilkumarn Applications Zero Trust Policy Identities Endpoints Policy Manager authenticated

    Compliance devices Data Infrastructure NETWORK PRIVATE / PUBLIC Policy Controller
  19. Network • Always encrypt data end-to-end • Real time /

    Dynamic threat protection • Log all the activities • Make it harder for anyone to move laterally @sendilkumarn
  20. @sendilkumarn Applications Zero Trust Policy Identities Endpoints Policy Manager authenticated

    Compliance devices Data Infrastructure NETWORK PRIVATE / PUBLIC Threat Protector Policy Controller
  21. Threat protector • Threat intelligence • ML models to act

    • Forensics • Automate response • Continuous assessment @sendilkumarn
  22. @sendilkumarn Applications Zero Trust Policy Identities Endpoints Policy Manager authenticated

    Compliance devices Data Infrastructure NETWORK PRIVATE / PUBLIC Threat Protector Telemetry Telemetry Policy Controller
  23. @sendilkumarn Applications Zero Trust Policy Identities Endpoints Policy Manager authenticated

    Compliance devices Data Infrastructure NETWORK PRIVATE / PUBLIC Threat Protector Telemetry Telemetry Policy Controller
  24. Control Plane Data Plane Infrastructure Data Application Network Private /

    Public Policy Identities Human / Non-Human Endpoints Corporate / Personal Zero Trust Architecture Components @sendilkumarn Telemetry Threat Protector
  25. Define Context contextttttttttt DATA Encryption Label Access - Understand users

    / data - Label them - Create boundaries @sendilkumarn
  26. Verify & Enforce Verify - Continously - Validate all access

    - Right access to right resource @sendilkumarn
  27. Zero Passwords authn. On permise Device management Log everything Data

    is labelled, access provided Reactive threat detection Super Hero Go passwordless Bring Your Own Device Automatically fix when things go wrong Proactive data governance Fully Automated threat investigation & fix Hero MFAs / SSOs authn. Cloud device management Log & Automatically highlight risks Data is restricted, and automatic labels Proactive threat detection
  28. Sources • Evolving Zero Trust • Microsoft Digital Defense Report

    • Zero Trust Adoption Report • BeyondCorp Image Credits - unspalsh.com @sendilkumarn
  29. Stage - Zero • MFAs / SSOs • Device compliance

    • Audit logging • Networks are monitored • Networks are segmented • Data is encrypted, segregated & risk identified • Manual Policies enforced
  30. Stage - Hero • Real time risk analytics • Act

    quickly with collected information • Proactively figure out issues and fix • Automatic discoveries for anamolies • Data is restricted • Policies enforced based on signals
  31. Stage - Super Hero • Go passwordless • Constantly +

    autonomously verify endpoints • Enrich user experience & user productivity • Automated threat protection • Proactive data governance • Dynamically enforce policies
  32. Zero Trust provides a secure and healthy way to access

    information from anywhere @sendilkumarn
  33. Telemetry • Collect all the data • Automatically detect the

    anamolies • Log & Monitor • Decide on the go. @sendilkumarn Monitor and enforce zero trust security policies with intelligent analytics. View and monitor the behavior of all users, resources and data connecting within the business.
  34. Infrastructure Data Application Network Private / Public Policy Identities Human

    / Non-Human Endpoints Corporate / Personal authentication is this device allowed? @sendilkumarn
  35. Infrastructure Data Application Data Collector Network Private / Public Policy

    Identities Human / Non-Human Endpoints Corporate / Personal authentication is this device allowed? @sendilkumarn
  36. Infrastructure Data Application Data Collector Network Private / Public Policy

    Controller Policy Identities Human / Non-Human Endpoints Corporate / Personal authentication is this device allowed? @sendilkumarn
  37. Infrastructure Data Application Data Collector Threat Protector Network Private /

    Public Policy Controller Policy Identities Human / Non-Human Endpoints Corporate / Personal authentication is this device allowed? assess risk @sendilkumarn