9/28/2018
Privacy & Security 2018
Zero Trust
Dr. Chase Cunningham, Principal Analyst
2© 2018 Forrester Research, Inc. Reproduction Prohibited
What is your security strategy?
A Single Strategy for Long Term Success
› Being Compliant – not a strategy
› Being Secure – not a strategy
› Implementing Controls and Tech – not a strategy
Zero Trust – One Strategy, Multiple Avenues, Long Lifecycle
What is this?
- Bill
- Feathers
- Webbed Feet
- Sells Insurance
- Sounds like Gilbert Gottfried
What is this?
- Securing Data
- Firewalls
- Workload Security
- User/Authentication
- Device Security
- Automating and Orchestrating Security
- Visualizing and Analyzing Threats
Zero Trust Tenets
› Focus on the outcomes
› Design from the inside out (micro to macro)
› Start with the assets or data that need protection
› Determine who or what needs access
› Need to know / least privilege
CORE PRINCIPLES OF ZERO TRUST
NEVER TRUST, ALWAYS VERIFY
BEYONDCORP
Connecting from a particular network must not determine which services you can access.
Access to services is granted based on:
1. What we know about you
2. What we know about the entity
3. All access to services must be authorized
ZTX Framework Simplicity
Zero Trust Strategy
Zero Trust Capability
Zero Trust Technology
Zero Trust Feature
The Risk Owner Technology Provider
Forrester finds implementing Zero Trust Best Practices results in tangible benefits: fewer breaches, cost savings, and less spent on technology costs
Source: Stop the Breach, Forrester, January 2017
Confidence increases after adopting zero trust:
- More confidence accelerating new customer & partner experiences
- More confidence securing dev and DevOps
- More confidence adopting new mobile work models
Zero Trust in Practice
› Google BeyondCorp
› California Dept of Public Works
› Rolls Royce
› MoD Canadian Forces
› Dept of Public Health Canada
› IRS
› Others…
Rep. Jason Chaffetz on Zero Trust: “Zero trust would have profoundly limited the attacker’s ability to move within OPM’s network and access such sensitive data.”
Source: Adopting a zero trust cyber model in government: http://federalnewsradio.com/commentary/2016/09/adopting-zero-trust-cyber-model-government/
Committee on Oversight and Government Reform, U.S. House of Representatives, 114th Congress
Recommendation 2: Reprioritize Federal Information Security Efforts Toward a Zero Trust Model
“To combat the advanced persistent threats seeking to compromise or exploit federal government IT networks, agencies should move toward a "zero trust" model of information security and IT architecture. The zero trust model centers on the concept that users inside a network are no more trustworthy than users outside a network…”
The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation - September 7, 2016
Security Situational Awareness
Your attack surface has grown exponentially:
- Third parties
- Social
- Mobile
- Web (deep & dark)
- Shadow IT
- IT environment
Rapidly expanding attack surface, decreasing control:
- Known, corporate-controlled digital footprint
- Unsanctioned, rogue activity and occurrences of affiliated footprint
- Fraudulent or malicious spoofing and impersonations
- Nefarious threats, mentions, and sales on unaffiliated channels
“How was the external attack carried out?” (chart: share of breached firms reporting Ransomware, Phishing, and Social engineering, by industry: Manufacturing; Retail and wholesale; Business services and construction; Utilities and telecommunications; Financial services and insurance; Public sector and healthcare; axis 0% to 30%)
Base: 404 global network security decision-makers whose firms have had an external security breach in the past 12 months
Source: Forrester Data Global Business Technographics® Security Survey, 2017
Those who have been breached take action
“What has changed at your firm as a result of the breaches occurring in the past 12 months?” (chart: Enterprise (1,000 or more employees) vs. SMB (20-999 employees); each action was selected by between 14% and 23% of respondents)
- Switched IT auditors
- Offered optional 2-factor authentication for customers
- Increased spending on incident response programs
- Increased spending on endpoint detection technology
- Increased spending on or hired external IT support
- Increased spending on network detection technologies
- Additional security and audit requirements
- Increased spending on prevention technologies
- Added required 2-factor authentication for all employees
- Hired additional IT security staff
Base: 224 global network security decision-makers whose firms have had a security breach in the past 12 months (SMB)
Base: 349 global network security decision-makers whose firms have had a security breach in the past 12 months (Enterprise)
Source: Forrester Data Global Business Technographics® Security Survey, 2017
What types of data were potentially compromised or breached in the past 12 months? (chart by firm size: 3 to 20 (N = 32), 50 to 250 (N = 84), 251 to 999 (N = 148); shares ranged from 0% to 38%)
- Payment/credit card data
- Personally identifiable information (name, address, phone, Social Security number)
- Authentication credentials (user IDs and passwords, other forms of credentials)
- Account numbers
- Intellectual property
- Corporate financial data
- Website defacement
- Other personal data (e.g., customer service data)
- Other sensitive corporate data (e.g., marketing/strategy plans, pricing)
- Other
- Don't know
Base: Global network security decision-makers whose firms have had a security breach in the past 12 months
Source: Forrester's Global Business Technographics Security Survey, 2016
Power of the Framework
Integrations with ZTX:
- Networks
- Visibility & Analytics
- Automation & Orchestration
- Workloads
- Devices
- Data
How is Google implementing Zero Trust?
Use Case: Enterprise rollout of ZT: BeyondCorp
www.beyondcorp.com
ZTN: A Practical Example
Google’s BeyondCorp initiative:
• A complete redesign of Google’s internal security
• Practical implementation of ZTN that illustrates some of the limitations of the ZTN model
• A working model for other organizations that want to move towards ZTN models
Guiding Principles
www.beyondcorp.com
BeyondCorp Definitions
www.beyondcorp.com
Google’s BeyondCorp Initiative
• Access is organized into “Trust Tiers” by the Trust Inferer and assigned to each device
• Trust Tier decisions are informed by data collected by the Device Inventory Service (DIS), which aggregates device data from across the environment
• When a user attempts to access any device, the Access Control Engine uses the DIS and the Access Policy to determine the context-specific access level
• The Access Policy determines the minimum trust level required for data and resource access
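The decision flow on this slide, as an added example that is not Google's BeyondCorp code: a toy Device Inventory Service, Trust Inferer, Access Policy and Access Control Engine in Python. The tier names, device attributes, resource names and groups are assumptions made for the example; what it shows is that the decision is driven by identity, device trust and policy, with the requesting network playing no part.

```python
from dataclasses import dataclass
from enum import IntEnum

class Tier(IntEnum):            # trust tiers, higher is more trusted (assumed names)
    UNTRUSTED = 0               # unknown device or no managed certificate
    BASIC = 1                   # inventoried and managed, but unpatched
    TRUSTED = 2                 # managed and patched
    HIGH = 3                    # managed, patched and disk-encrypted

@dataclass
class DeviceRecord:             # one device, as aggregated by the Device Inventory Service
    device_id: str
    managed_cert: bool
    patched: bool
    disk_encrypted: bool

class DeviceInventoryService:
    def __init__(self, records):
        self._by_id = {r.device_id: r for r in records}
    def lookup(self, device_id):
        return self._by_id.get(device_id)   # None for a device not in inventory

def infer_trust_tier(rec):      # Trust Inferer: tier derived from inventory data alone
    if rec is None or not rec.managed_cert:
        return Tier.UNTRUSTED
    if not rec.patched:
        return Tier.BASIC
    return Tier.HIGH if rec.disk_encrypted else Tier.TRUSTED

ACCESS_POLICY = {                                   # Access Policy per resource:
    "wiki": (Tier.BASIC, {"eng", "ops"}),           # (minimum device tier,
    "source": (Tier.TRUSTED, {"eng"}),              #  groups allowed to ask)
    "payroll": (Tier.HIGH, {"finance"}),
}

def access_decision(user, groups, device_id, resource, dis):
    """Access Control Engine: user, device tier and policy -> (allowed, reason); the network the request arrives from is not an input."""
    if resource not in ACCESS_POLICY:
        return False, "no policy for resource: default deny"
    min_tier, allowed_groups = ACCESS_POLICY[resource]
    if not set(groups) & allowed_groups:
        return False, f"{user} is not in {sorted(allowed_groups)}"
    tier = infer_trust_tier(dis.lookup(device_id))
    if tier < min_tier:
        return False, f"device tier {tier.name} is below required {min_tier.name}"
    return True, f"granted at device tier {tier.name}"

DIS = DeviceInventoryService([DeviceRecord("lap-01", True, True, True),    # constructed sample:
                              DeviceRecord("lap-02", True, False, True)])  # compliant, unpatched
```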
What is the most important item in Zero Trust?
Hint… It’s in the center
Micro-Segmentation Everywhere
• User (Who) – Role Based Access, 2FA, NGA
• Device (What) – Patches, Certificates, etc…
• Application (Why) – Control what it does and what it touches
• Protocol/Network (Where) – Control what goes where
Micro-Segmentation
• Software defined segmentation
• Isolates applications in virtual environment
• Focus on east-west communication
• Security defined at granular level
Source: http://blogs.gartner.com/andrew-lerner/2017/03/21/microsegmentation/
Ukraine Power Grid Cyberattack 2015
Network diagram (repeated on each step): Office, DMZ, SCADA, Substation with S1 and S2, Substation SCADA
Attack sequence:
1. Email with BlackEnergy malware
2. Pivot to server and establish C&C
3. They found the pre-shared key for the VPN on the SCADA firewall
4. Firmware has been changed on the SCADA devices
5. They use the SCADA HMI to open breakers
Ukraine Power Grid Cyberattack 2015
Full document with all recommendations: http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf
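An added example (not from the slides, the Gartner post or the E-ISAC/SANS report) tying the micro-segmentation slides to the Ukraine sequence above: a default-deny east-west policy keyed on where (zone and protocol/port) and who (role), replayed over constructed flow records so that a flow from the office toward the SCADA firewall's VPN surfaces as a finding instead of passing silently. Zone names follow the diagram; the subnets, ports, roles and flow records are assumptions.

```python
import ipaddress

# Zones from the slides' diagram; the subnets are constructed for the example.
ZONES = {
    "10.1.0.0/16": "office",
    "10.2.0.0/24": "dmz",
    "10.3.0.0/24": "scada",
    "10.4.1.0/24": "substation-s1",
    "10.4.2.0/24": "substation-s2",
}

# Explicit allow list (src zone, dst zone, proto, port, role); anything else is denied.
RULES = {
    ("office", "dmz", "tcp", 443, "any"),                      # "any": no role required
    ("scada", "substation-s1", "tcp", 20000, "ics-operator"),  # DNP3 (IANA-registered port)
    ("scada", "substation-s2", "tcp", 20000, "ics-operator"),
}

def zone_of(ip):
    """Map an address to its segment; anything unmapped is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for net, zone in ZONES.items():
        if addr in ipaddress.ip_network(net):
            return zone
    return "unknown"

def evaluate(src_ip, dst_ip, proto, port, role):
    """Who/what/where decision for one flow; default deny."""
    key = (zone_of(src_ip), zone_of(dst_ip), proto, port)
    if key + ("any",) in RULES or key + (role,) in RULES:
        return "allow"
    return "deny"

def audit(flow_lines):
    """Replay flow records 'src dst proto port role' and return the denied ones."""
    findings = []
    for line in flow_lines:
        src, dst, proto, port, role = line.split()
        if evaluate(src, dst, proto, int(port), role) == "deny":
            findings.append(f"{zone_of(src)}->{zone_of(dst)} {proto}/{port} as {role}")
    return findings

# Constructed flow records: permitted web flow; office toward the SCADA firewall's
# VPN (IKE); permitted ICS flow; the same ICS flow without the operator role.
SAMPLE_FLOWS = [
    "10.1.5.20 10.2.0.10 tcp 443 employee",
    "10.1.5.20 10.3.0.1 udp 500 employee",
    "10.3.0.5 10.4.1.7 tcp 20000 ics-operator",
    "10.3.0.5 10.4.1.7 tcp 20000 employee",
]
```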