Upgrade to Pro — share decks privately, control downloads, hide ads and more …

20240704 Zero Trust Strategy Implementation and...

20240704 Zero Trust Strategy Implementation and Operational Challenges

2024/07/04 Cloudflare Meet-up Tokyo Vol.5 でお話させていただいた内容です。
https://cfm-cts.connpass.com/event/321900/
#CloudflareUG #CloudflareUG_hnd

Shun Yoshie

July 04, 2024
Tweet

More Decks by Shun Yoshie

Other Decks in Technology

Transcript

  1. My introduction Shun Yoshie NRI / Security Consultant AWS Security

    Hero My Community: • Security-JAWS My Interest: • Mulchi-Cloud • Cloud Native • Audit • CNAPP • Security Observability
  2. Zero Trust related articles to watch in April 2024 ゼロトラストを誤解してほしくない--提唱者が説く正しい定義

    https://japan.zdnet.com/article/35218137/ Gartner、ゼロトラストの最新トレンドを発表 https://www.gartner.co.jp/ja/newsroom/press-releases/pr-20240422 You will be able to reacquaint yourself with Zero Trust and understand what companies have done to strengthen security in their Zero Trust strategies.
  3. Birth of Zero Trust: Traditional Network Architecture DMZ(Web Srv, App

    Srv) Untrust(Internet) Trust(DB Srv) OA(PC, File Srv)
  4. Birth of Zero Trust: Traditional Secure Network Architecture DMZ (Web

    Srv, App Srv) LB Trust(DB Srv) OA IDS / IPS/ WAF FW FW FW / NGFW AV / URLF / MF / Proxy / DNS File Srv
  5. Birth of Zero Trust: Targeted attacks turn Trust into Untrust

    DMZ (Web Srv, App Srv) LB Trust(DB Srv) OA IDS / IPS/ WAF FW FW FW / NGFW AV / URLF / MF / Proxy / DNS File Srv Targeted Attacks Lateral Movement ZT!
  6. Zero Trust Several core Concepts Devices There are no longer

    a trusted and an untrusted interface on our security devices users There are no longer trusted and untrusted users Network There are no longer a trusted and an untrusted network https://www.virtualstarmedia.com/downloads/Forrester_zero_trust_DNA.pdf A security "concept" proposed by John Kindervag in 2010 (The initial concept was born in 2008.) “NEVER TRUST, ALWAYS VERIFY”
  7. Zero Trust is the only cybersecurity STRATEGY Zero trust is

    the only cybersecurity strategy to stop intrusions and breaches. Zero trust strategies for each vendor: • Microsoft ◦ Embrace proactive security with Zero Trust • Amazon Web Services ◦ Embracing Zero Trust: A strategy for secure and agile business transformation • Google ◦ Beyond Corp • Zscaler ◦ How Do You Implement Zero Trust?
  8. Embracing Zero Trust: A strategy for secure and agile business

    transformation from AWS(1/2) Stakeholder engagement Engage with stakeholders to understand priorities, concerns, and vision for the organization's security posture. Risk assessment Conducting a comprehensive risk assessment helps identify issues, excessive surface area, and critical assets, which helps you make informed decisions on security controls and investment https://docs.aws.amazon.com/ja_jp/prescriptive-guidance/latest/strategy-zero -trust-architecture/strategy-zero-trust-architecture.pdf Important 4 decision-making processes
  9. Embracing Zero Trust: A strategy for secure and agile business

    transformation from AWS(2/2) Technology evaluation Identify existing gaps and select appropriate tools and solutions in line with ZTA principles https://docs.aws.amazon.com/ja_jp/prescriptive-guidance/latest/strategy-zero -trust-architecture/strategy-zero-trust-architecture.pdf Important 4 decision-making processes Change management Recognizing the cultural and organizational impacts of adopting a ZTA model is essential (incl fostering a security-aware culture around ZTA principles and benefits)
  10. Tenets of Zero Trust by NIST 1. All data sources

    and computing services are considered resources. 2. All communication is secured regardless of network location. 3. Access to individual enterprise resources is granted on a per-session basis. 4. Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes. 5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets. 6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed. 7. The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
  11. Service providers that claim zero trust • Zscaler • Okta

    • On2It • Akamai • Netskope • Box • Fortinet • Palo Alto Networks • Cloudflare • etc It is easy to become a single point of failure, and when a security incident occurs, it is catastrophic.
  12. Misconceptions when using {security|zero trust} services It is necessary to

    perform the following operations: • Rule version update for security products • Setting changes due to changes in customer environment • Checking the contents of alerts from devices • etc As attack methods become more sophisticated, operation after implementation is extremely important. https://speakerdeck.com/opelab/20171212-automation?slide=32 If you don't understand how to operate it, please read materials of Hatano-san.
  13. Report executive summary https://www.virtualstarmedia.com/downloads/Forrester_zero_trust_DNA.pdf One of our goals with Zero

    Trust is to optimize the security architectures and technologies for future flexibility. As we move toward a data-centric world with shifting threats and perimeters, we look at new network designs that integrate connectivity, transport, and security around potentially toxic data. We call this “designing from the inside out.” If we begin to do all those things together we can have a much more strategic infrastructure. If we look at everything from a data-centric perspective, we can design networks from the inside out and make them more efficient, more elegant, simpler, and more cost-effective.
  14. Introducing important Zero Trust documents I will now introduce documents

    that will be helpful when thinking about implementing and operating Zero Trust. In addition, operational design policies and operations that have been handled using conventional methods, not just Zero Trust, are effective.
  15. Defining the Zero Trust Protect Surface by CSA (EN)https://cloudsecurityalliance.org/artifacts/defining-the-zero-trust-protect-surface (JP)https://www.cloudsecurityalliance.jp/site/wp-content/uploads/2024/04/Defining-the-Zero-T

    rust-Protect-Surface-20240227-J.pdf Released by Cloud Security Alliance. A Japanese translation was recently released by CSAJ. Have you defined what should be protected? • Data • Application • Asset • Service What should we protect, not just Zero Trust? What are the threats to it? You need to understand it properly.
  16. Zero Trust Maturity Model by CISA https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf CISA’s Zero Trust

    Maturity Model is one of many roadmaps that agencies can reference as they transition towards a zero trust architecture. Latest Version is 2.0. Don't forget the steps of correctly understanding the data flow, building ZTA, creating policies, and monitoring, maintaining, and operating the network.
  17. NSTAC Report to the President on Zero Trust and Trusted

    Identity Management by CISA https://www.cisa.gov/sites/default/files/publications/NSTAC%20Report%20to%20the%20Pres ident%20on%20Zero%20Trust%20and%20Trusted%20Identity%20Management%20%2810- 17-22%29.pdf NSTAC Report to the President on Zero Trust and Trusted Identity Management Step 5 of the Maturity Model, ``Monitor and Maintain the Network,'' is a must-read for those who are satisfied with the introduction of a service that claims to be Zero Trust. Data such as event logs is required, and a data collection network (data lake in the cloud) is required. Finally, it is integrated with SIEM.
  18. Advancing Zero Trust Maturity Throughout the Application and Workload Pillar

    by NSA https://media.defense.gov/2024/May/22/2003470825/-1/-1/0/CSI-APPLICATION-AND-WORK LOAD-PILLAR.PDF The NSA is releasing the Cybersecurity Information Sheet (CSI), “Advancing Zero Trust Maturity Throughout the Application and Workload Pillar” Incl application inventory, secure software development and integration, software risk management, resource authorization and integration, and continuous monitoring and ongoing authorizations.
  19. About Cloudflare monitoring and operation Cloudflare is not a system

    or security monitoring/observability service. Although Cloudflare is a platform that provides zero trust security, it cannot monitor itself. We need to monitor Cloudflare. This is just a consideration.
  20. About Cloudflare Zero Trust Stop lateral movement Replace VPN connections

    with default-deny Zero Trust rules Accelerate remote access Connect users faster and more safely than a VPN Protect any application Protect access to any application: SaaS, cloud, or on-premise https://community.cloudflare.com/t/about-the-zero-trus t-category/433840
  21. CNAPP and Zero Trust Gartner proposed cloud native application protection

    platform (CNAPP) as a comprehensive approach to ensuring security in cloud-native environments. CNAPP, defined by Gartner, is said to integrate many functions that were previously siled, such as “Container Image Scanning”, “CSPM”, “IaC Scanning”, “CIEM (Cloud Infrastructure Entitlement Management)”, and “CWPP”. In recent years, they have also integrated other features. Uptycs
  22. CNAPP and Zero Trust Uptycs has a partnership with Cloudflare

    and can monitor Cloudflare Zero Trust. Additionally, Uptycs' service provides CNAPP, which enables multi-cloud and hybrid cloud monitoring. https://www.cloudflare.com/partners/technology-p artners/uptycs/
  23. ex) Uptycs and Cloudflare Integration Created based on the picture

    below https://developers.cloudflare.com/reference-architecture/design-guides/zero-trust-for-startups/
  24. Zero Trust for safe use of generated AI Here are

    the reasons why Zero Trust Security is effective when using generative AI: • Enhanced User Authentication and Access Control • Comprehensive Data Protection and Encryption • Continuous Monitoring and Anomaly Detection • Application of the Principle of Least Privilege • Segmented Network Architecture
  25. Future?) Uptycs and Cloudflare with GenAI Integration Created based on

    the picture below https://developers.cloudflare.com/reference-architecture/design-guides/zero-trust-for-startups/ AISPM?
  26. In conclusion Zero trust is the only cybersecurity strategy to

    stop intrusions and breaches. Engagement with stakeholders is important when introducing zero trust. Before moving forward with Zero Trust, define what data and assets need to be protected. Even with zero trust, don't neglect monitoring.