Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Federal Zero Trust Summit 2020

Dug Song
February 01, 2020

Federal Zero Trust Summit 2020

Keynote for our Federal Zero Trust Summit in DC, February 2020 - opening for US CIO Suzette Kent :-)

Dug Song

February 01, 2020
Tweet

More Decks by Dug Song

Other Decks in Technology

Transcript

  1. © 2020 Cisco and/or its affiliates. All rights reserved. 2014

    If an adversary has the credentials of a user on the network, then they can access data even if it's encrypted, just as the users on the network have to access data, and that did occur in this case. So encryption in this instance would not have protected this data.
  2. © 2020 Cisco and/or its affiliates. All rights reserved. 2015

    In the next 30 days we know there is a set of things we can do that will fairly dramatically improve our security profile... like two-factor authentication, patching, minimizing the number of system administrators that you have and so on. Tony Scott’s 30-day Cyber Sprint
  3. © 2020 Cisco and/or its affiliates. All rights reserved. Google

    on Nation’s Cybersecurity Priorities ✓ Strong Authentication ✓ Up-to-Date Devices ✓ End-to-End Encryption
  4. © 2020 Cisco and/or its affiliates. All rights reserved. ✓

    Strong Authentication ✓ Up-to-Date Devices ✘ Encryption? THANKS OBAMA 2016
  5. © 2020 Cisco and/or its affiliates. All rights reserved. BeyondCorp

    (2014) 800-207: Zero Trust Architecture (2019) Zero Trust Architecture (2019) Connecting from a particular network must not determine which services you can access All communication is secure regardless of network location Don’t trust the network, including the local network Access to services is granted based on what we know about you and your device Access to resources is determined by policy, including the observable state of user identity and the requesting system, and may include other behavioral attributes Create a single strong user identity Create a strong device identity Know the health of your devices and services Set policies according to value of the service or data All access to services must be authenticated, authorized, and encrypted All data sources and computing services are considered resources Know your architecture including users, devices, and services Access to individual enterprise resources is granted on a per-connection basis Control access to your services and data Choose services designed for zero trust User authentication is dynamic and strictly enforced before access is allowed Authenticate everywhere The enterprise ensures all owned and associated systems are in the most secure state possible and monitors systems to ensure that they remain in the most secure state possible Focus your monitoring on devices and services
  6. © 2020 Cisco and/or its affiliates. All rights reserved. Securing

    the enterprise User and device access Application and workload access Network access Workforce Workload Workplace SaaS & Public cloud Access happens everywhere – how do you get visibility and ensure secure, trusted access?
  7. © 2020 Cisco and/or its affiliates. All rights reserved. User

    and device access Zero Trust for the Workforce What to do: How to do it: Verify users’ identities Multifactor Authentication Enforce access policies for every app Adaptive & role-based access control Gain device visibility and establish trust Endpoint health & security posture
  8. © 2020 Cisco and/or its affiliates. All rights reserved. Application

    and workload access Zero Trust for the Workload What to do: How to do it: Gain visibility into what’s running and what’s critical Identify workload dependencies Contain breaches and minimize lateral movement Application segmentation Alert or block communication if policy is violated Continuous monitoring & response
  9. © 2020 Cisco and/or its affiliates. All rights reserved. Zero

    Trust for the Workplace Network access What to do: How to do it: Discover and classify users, devices and apps on your network Network authentication, profiling authorization Grant the right level of network access based on user and device context Network segmentation Contain infected endpoints and restrict network access Continuous monitoring and responding to threats
  10. © 2020 Cisco and/or its affiliates. All rights reserved. Workforce

    Duo Workload Tetration Workplace SD-Access Security ensured today and for the future with Zero Trust
  11. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco

    is a leader in Zero Trust The Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019 Tools And Technology: The Zero Trust Security Playbook October 29, 2019 The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks of Forrester Research, Inc. The Forrester Wave is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
  12. © 2020 Cisco and/or its affiliates. All rights reserved. Compliance

    as a by-product of Zero Trust Compliance CJIS FFIEC GBLA GDPR HIPAA NIST 800-53 NIST 800-171 NERC PCI DSS Details Criminal Justice Information Services v5.6 Federal Financial Institutions Examination Council Version Sept 2016 Gramm-Leach -Bliley Act FIL-22-2001 EU General Data Protection Regulation Regulation (EU) 2016/679 Health Insurance Portability and Accountability Act CFR 45 revised Oct 1, 2007 National Institute of Standards and Technology 800-53 r4 National Institute of Standards and Technology 800-171 June 2015 includes updates as of 01-14-2016 North American Electric Reliability Corporation v5 Critical Infrastructure Protection Reliability Stds Payment Card Industry Data Security Standard v3.2 Where Duo Can Help Section: 5.5.2.3 5.5.6.1 5.5.6.2 5.6.2.1 5.6.2.1.3 5.6.2.2 5.6.3.2 5.10.4.1 5.10.4.4 5.13.7.1 5.13.7.2 Title: II.C.5 II.C. II.C.7(a) II.C.7(e) II.C.10(d) II.C.13(e) II.C.15(b) II.C.15(c) II.C.15(d) II.D III.C Title: V Subtitle A Section 501(3) Article 5 Section 1(f), 2 Article 24 Section 1 Article 32 Section 1(b), 2 Standard: 164.308(a)(1) 164.308.(a)(4)1 64.312(d) Control: IA-2 IA-3 IA-5 IA-6 SC-7 SC-11 Control: 3.1.1, 3.1.1, 3.1.3, 3.1.7, 3.1.11, 3.1.12, 3.1.14, 3.1.15, 3.1.18, 3.1.20, 3.3.1, 3.3.2, 3.3.8, 3.4.1, 3.4.2, 3.5.2, 3.5.3, 3.7.5 CIP-005 Table R2 Part 2.3 CIP-007-6 Table R5 5.1 CIP-010-2 Table R2 2.1 Requirements: 6.2 7.1-7.2 8.3.1 8.3.2
  13. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco

    Confidential 28 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 28 Measuring the benefits Strategic User Trust (Survey) C Quarterly survey + trend Risk Overall Risk level E Based upon organisation risk calculation; mitigation impact Risk Register issue mitigation E Impact on specific items Audit and compliance E/D Impact on specific items Impact on application risk E Based upon application risk profile and assessment Management FTE usage A/B Numeric Implementation efficiencyA/B Project Time and cost vs projected Operational Coverage % A Numeric Incident Reduction E Numeric Inactive Accounts D Number of users that are not longer active employees Inactive Devices D Number of devices that are no longer in inventory Inventory Clarification D Device numeric - unknown devices Device status - O/S D Percentage against status - Browser D Percentage against status Phishing response levels E Report back from phishing tool - trended Application coverage A/B Percentage vs all applications A. Ease of Implementation B. Ease of Use C. Ease of Integration D. Enhanced Visibility E. Risk Reduction F. Organisational Security Culture