Identities are the new security perimeter in a Zero trust world: Use them effectively to secure your distributed IT environment September 18, 2019


Page 1: September 18, 2019

Identities are the new security perimeter in a Zero trust world: Use them effectively to secure your distributed IT environment

Page 2: September 18, 2019

Identities are the new security perimeter in a Zero trust world…

Today’s web conference is generously sponsored by:

Neustar

https://www.thalesgroup.com/

Page 3: September 18, 2019

Identities are the new security perimeter in a Zero trust world…

Moderator

Dipto Chakravarty is the author of three best-selling books on computer architecture and security from McGraw-Hill and Wiley that have been translated into five languages. He has 11 patents to his credit in AI, security and cloud, holds an M.S. in Computer Science from the University of Maryland, a GMP from Harvard Business School, and an EMBA from the Wharton School, U. Penn. He is currently the Chairman of the Security, Privacy and Trust COE for the IoT Community, and a board member at RANK Software.

Dipto Chakravarty , Chairman, Security, Privacy and Trust COE, IoT Community

Page 4: September 18, 2019

Identities are the new security perimeter in a Zero trust world…

Speaker

Felice Flake, Candidate, MBA, MSci, B.A., CEO of ScySec LLC, is a highly sought after and proven leader in the security field. Felice has extensive experience in both the government and private sectors. She is the President of the Tampa Bay ISSA Chapter and the Chairperson of the International Chapters Sub-Committee, ISSA International. She also serves as the Chairperson of the Scholarships & Awards Committee, Women in Defense-Central Florida Chapter, and as the Peerlyst Tampa Ambassador. Some of Felice’s most recent speaking engagements include the Tampa Small Business Symposium, the Tampa (ISC)2 B-Sides event, and the 2018 Women in Cybersecurity (WiCyS) Conference in Chicago.

She is a contributing author to the 2016 book, Women in Security. Felice is a member of the National CyberWatch Center's Curriculum Standards Panel (NCC-CSP) for the Cybersecurity Foundation Series. Felice is also an invited member of the University of South Florida Cybersecurity Education Advisory Board, the Tampa Military Spouse Economic Empowerment Zone (MSEEZ) Working Group, and the University of South Florida Cybersecurity for Executives Advisory Committee. She is also a nominee for the “2018 Tampa Bay Business Woman of the Year” Award and serves on the leadership team for the 2018 Diana Initiative Conference co-located with DEFCON.

Felice holds a Bachelor’s degree in Criminal Justice with a focus on Homeland Security, a Master of Science in Cybersecurity, and is close to completing her Master of Business Administration focusing on Information Security Management.

Felice Flake, CEO, ScySec LLC

Page 5: September 18, 2019

What Is a Zero Trust Network?

“Zero trust security (and network) is an IT security (and network) model that requires strict identity verification for every person and device trying to access resources on a private network, regardless of whether they are sitting within or outside of the network perimeter. ... Traditional IT network security is based on the castle-and-moat concept.”

Source: https://www.cloudflare.com/learning/security/glossary/what-is-zero-trust/

Page 6: September 18, 2019

What Is a Zero Trust Network?

Page 7: September 18, 2019

What Is a Zero Trust Network?

Zero Trust and the Shifting Landscape

Page 8: September 18, 2019

What Is a Zero Trust Network?

A zero trust network is created based on five central principles:

1. The network is always assumed to be hostile.

2. External and internal threats exist on the network at all times.

3. Network locality is not sufficient for deciding trust in a network.

4. Every device, user, and network flow is authenticated and authorized.

5. Policies must be developed as inclusive with data gathered from all possible sources and their design must keep adaptability at the forefront.

Source: Gilman, Evan. Zero Trust Networks: Building Secure Systems in Untrusted Networks (Kindle Locations 140-143). O'Reilly Media. Kindle Edition.

Page 9: September 18, 2019

What Is a Zero Trust Network?

➢ Forrester’s John Kindervag originated the concept of the Zero Trust Network in 2010

➢ Google’s BeyondCorp

➢ PagerDuty’s Cloud Agnostic Network

Source: Gilman, Evan. Zero Trust Networks: Building Secure Systems in Untrusted Networks (Kindle Locations 140-143). O'Reilly Media. Kindle Edition.

Page 10: September 18, 2019

What Is a Zero Trust Network?

Source: https://banyanops.com/blog/beyondcorp-zero-trust/

Page 11: September 18, 2019

Zero Trust and IAM (Identity Access Management)

Page 12: September 18, 2019

Zero Trust and IAM (Identity Access Management)

Identity Access Management

▪ IAM is a critical component to the success of Zero Trust networking.

▪ Verifying identity is not exclusive to individual users but also to devices.

▪ IAM trends:

  ▪ Provides Zero Trust with context.

  ▪ Expanding role of data identity.

  ▪ Traditional IAM will give way to API-based options.

Page 13: September 18, 2019

What Is a Zero Trust Network?

Summary

▪ Reverse traditional concepts—we “never trust and verify everything!”

▪ Design from the inside out.

▪ Compliance is at the forefront of design plans.

▪ Security is embedded directly into the DNA of the network.

▪ ALL traffic on the network is inspected and logged.

▪ The network is the enforcer.

▪ Importance of authentication and IAM’s role.

Page 14: September 18, 2019
Page 15: September 18, 2019

Identities are the new security perimeter in a Zero trust world…

Ashley Adams is a Product Marketing Manager for Authentication and Access Management. Ashley’s areas of focus are outward bound lead gen programs including web site content management and optimizations, developing awareness campaigns, driving content creation, constructing sales enablement tools and communicating new product features and releases. Ashley is a born and raised Austinite and graduated from the University of Texas. She started with Thales in 2011 and has held positions in both Austin and HQ in Paris, France.

Speaker

Ashley Adams, Product Marketing Manager for Authentication and Access Management, Thales

Page 16: September 18, 2019


Securing Identities in a Zero Trust World

Ashley Adams, Product Marketing Manager, Thales

September 18, 2019

Page 17: September 18, 2019

Thales & Gemalto: A New Profile

Our team around the world: 80,000 employees, global presence in 68 countries.

Innovation: €1bn+ self-funded R&D in 2017* (does not include externally financed R&D).

A balanced revenue structure: revenue* of around €19bn, about 60% civil and 40% defence.

*Based on Thales and Gemalto reported 2017 consolidated income statements.

Page 18: September 18, 2019

Digital Identity & Security

• Combining existing digital assets in a dedicated global business unit

Page 19: September 18, 2019

Protecting the entire digital service cycle

(Figure: the stages of a digital service and the security control applied at each.)

• Sign up: Identity Verification

• Log in: Access Management & Authentication

• Use: Data Encryption

• Leave: Cryptographic Account Deletion

Page 20: September 18, 2019

The transition to a “no perimeter” reality

Page 21: September 18, 2019

Zero Trust

Organizations should not automatically trust anything inside or outside their perimeters.

Enterprises should leverage granular security applied at the app level, based on users, their locations and other data, to establish trust for entities seeking access to a particular part of the enterprise.

Rather than trusting the network to any extent, a zero-trust model puts all of its effort behind protecting applications and the data they access.

Page 22: September 18, 2019

Perimeter Security – Point MFA at the VPN

With perimeter defense, there are two access points: physically connecting to the corporate network or the VPN. MFA is a point security solution on the network.

(Figure: MFA integrated through RADIUS, agents and APIs in front of the VPN and the on-prem apps: Email, Travel, Finance, HR, Storage, DB, Servers, CRM, IT.)

Page 23: September 18, 2019

Moving to a non-perimeter environment

(Figure: the same MFA / RADIUS / agents / APIs / VPN / on-prem apps diagram, now with a cloud app outside the perimeter that is protected only by a password.)

Page 24: September 18, 2019

Moving to a non-perimeter environment

(Figure: the same diagram with cloud apps HR, Travel, Financial and PAM outside the perimeter, each protected only by a password.)

Page 25: September 18, 2019

IDENTITY THEFT

69% of breach incidents came from identity theft

(Chart: the main cause of data breaches, with bars of 78%, 73%, 37%, 27%, 16% and 11%; the category labels are not recoverable.)

Average of 27 cloud applications

Page 26: September 18, 2019

Considerations for Zero Trust Security

➢ Perimeter security offers no protection

❑ Your users are now accessing the most sensitive resources bypassing any perimeter / network controls

➢ The login page is completely exposed

❑ Malicious users can easily find your front door

➢ Compliance and visibility

❑ The need to be able to get oversight and visibility into who is accessing which app, when and how is key to compliance

Page 27: September 18, 2019

Best Practices for Access Security in a Zero Trust Reality

Page 28: September 18, 2019

Applying security at the app level: Determine who, when and how users are accessing cloud apps

1. ASSESS RISK

• Define where your sensitive data is located

• Identify cloud apps

• Define who should access what

• Define appropriate authentication method

2. MANAGE RISK

Define access policies taking into account:

• Identities/profiles

• Type of resource being accessed

• Context (device, location, network…)

3. CONTAIN RISK – Detect, Monitor and Respond

• Detect unusual security events

• Respond: Block, allow, step-up, etc.

• Monitor: Report & adapt policies

Page 29: September 18, 2019

Applying the right level of security for the right users at the app level

(Figure: cloud apps HR, Travel, Financial and PAM alongside the VPN and on-prem apps.)

• IT Admins – Access to admin consoles: Smart Card authentication needed every time

Page 30: September 18, 2019

Applying the right level of security for the right users at the app level

(Figure: the same apps diagram, now showing two user groups.)

• IT Admins – Access to admin consoles: Smart Card authentication needed every time

• Standard Users – O365 access from local network: Transparent authentication (context), once per session

Page 31: September 18, 2019

Applying the right level of security for the right users at the app level

(Figure: the same apps diagram, now showing three user groups.)

• IT Admins – Access to admin consoles: Smart Card authentication needed every time

• Standard Users – O365 access from local network: Transparent authentication (context), once per session

• C-Suite – O365 access from outside network on known device: PUSH OTP, once per session

Page 32: September 18, 2019

Step up to MFA

Set policies that take into account role and context to apply the right level of security at the right time, per app, per user.

(Figure: SSO access policies evaluate contextual attributes for IT Admins, Standard Users and C-Suite, and federate to SaaS / IaaS apps over SAML, OIDC and APIs.)
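As an added illustration that is not part of the presentation or any Thales product, the Python below encodes the three role-and-context policies from the preceding slides (smart card every time for admin consoles, transparent context-based authentication once per session for standard users on the local network, push OTP once per session for the C-suite on a known device off-network) as ordered rules, and applies the zero-trust default of denying any access no rule covers. The class and function names, the role and app strings, and the audit log are assumptions made for the example; the levels of assurance and the "once per session" reuse logic are one reasonable reading of the slides, not a specification from the page.

```python
"""Context-aware, per-app access policy evaluation (added example, not from the slides).

Encodes the three example policies from the slides:
  - IT admins -> admin consoles: smart card, every time
  - standard users -> O365 from the local network: transparent (context) auth, once per session
  - C-suite -> O365 from outside the network on a known device: push OTP, once per session
Anything that no rule covers is denied: the zero-trust default.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Tuple


class AuthLevel(IntEnum):
    """Assurance levels, ordered so a stronger method satisfies a weaker requirement."""
    TRANSPARENT = 1   # context-only: known network/device, no user interaction
    PUSH_OTP = 2      # out-of-band approval on a registered device
    SMART_CARD = 3    # certificate-based hardware credential


@dataclass(frozen=True)
class AccessContext:
    """Everything the policy engine knows about one access attempt (hypothetical attributes)."""
    user: str
    role: str                 # "it_admin", "standard", "c_suite" (assumed role names)
    app: str                  # "admin_console", "o365", ... (assumed app names)
    on_local_network: bool
    known_device: bool
    session_auth: Optional[AuthLevel] = None   # strongest method already completed this session


@dataclass(frozen=True)
class Rule:
    name: str
    role: str
    app: str
    on_local_network: Optional[bool]   # None = attribute not considered by this rule
    known_device: Optional[bool]
    required: AuthLevel
    every_time: bool                    # True: re-authenticate on each access, not once per session


# Ordered policy; the first matching rule decides.
POLICY: List[Rule] = [
    Rule("admin-console-smartcard", "it_admin", "admin_console", None, None, AuthLevel.SMART_CARD, True),
    Rule("o365-local-transparent", "standard", "o365", True, None, AuthLevel.TRANSPARENT, False),
    Rule("o365-remote-known-device-push", "c_suite", "o365", False, True, AuthLevel.PUSH_OTP, False),
]

# Who accessed which app and how it was decided: the visibility the compliance slide asks for.
AUDIT_LOG: List[str] = []


def _matches(rule: Rule, ctx: AccessContext) -> bool:
    """A rule matches when role and app agree and every constrained context attribute agrees."""
    if rule.role != ctx.role or rule.app != ctx.app:
        return False
    if rule.on_local_network is not None and rule.on_local_network != ctx.on_local_network:
        return False
    if rule.known_device is not None and rule.known_device != ctx.known_device:
        return False
    return True


def evaluate(ctx: AccessContext, policy: List[Rule] = POLICY) -> Tuple[str, Optional[AuthLevel]]:
    """Return ("allow", None), ("authenticate", level) or ("deny", None) for this attempt.

    A session that already completed an equal-or-stronger method is reused
    unless the matching rule demands authentication every time.
    """
    for rule in policy:
        if not _matches(rule, ctx):
            continue
        already_satisfied = (
            not rule.every_time
            and ctx.session_auth is not None
            and ctx.session_auth >= rule.required
        )
        decision = ("allow", None) if already_satisfied else ("authenticate", rule.required)
        AUDIT_LOG.append(f"{ctx.user} -> {ctx.app}: {decision[0]} via rule {rule.name}")
        return decision
    AUDIT_LOG.append(f"{ctx.user} -> {ctx.app}: deny (no matching rule)")
    return ("deny", None)


if __name__ == "__main__":
    # Constructed sample attempts, one per slide scenario plus two that fall through to deny.
    attempts = [
        AccessContext("alice", "it_admin", "admin_console", True, True, AuthLevel.SMART_CARD),
        AccessContext("bob", "standard", "o365", True, False),
        AccessContext("bob", "standard", "o365", True, False, AuthLevel.TRANSPARENT),
        AccessContext("bob", "standard", "o365", False, False),
        AccessContext("carol", "c_suite", "o365", False, True),
        AccessContext("carol", "c_suite", "o365", False, False, AuthLevel.SMART_CARD),
    ]
    for attempt in attempts:
        print(attempt.user, attempt.app, evaluate(attempt))
    print("\n".join(AUDIT_LOG))
```

Two design points worth noting: the admin rule ignores network and device attributes on purpose, because the slides require the smart card every time regardless of context, and a strong credential completed earlier in the session (carol's smart card) still does not help her from an unknown device, since no rule matches that combination and the engine falls through to deny rather than to "a password?".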

Page 33: September 18, 2019

www.thalesgroup.com

Thank you
