Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Zero Trust Networks: Building Systems in Untrus...

Evan Gilman
December 09, 2016
Technology
0
190

Zero Trust Networks: Building Systems in Untrusted Networks

Let's face it—the perimeter-based architecture has failed us. Today's attack vectors can easily defeat expensive stateful firewalls and evade IDS systems. Perhaps even worse, perimeters trick people into believing that the network behind it is somehow "safe," despite the fact that chances are overwhelmingly high that at least one device on that network is already compromised.

It is time to consider an alternative approach. Zero Trust is a new security model, one which considers all parts of the network to be equally untrusted. Taking this stance dramatically changes the way we implement security systems. For instance, how useful is a perimeter firewall if the networks on either side are equally untrusted? What is your VPN protecting if the network you're dialing into is untrusted? The Zero Trust architecture is very different indeed.

In this talk, we'll go over the Zero Trust model itself, why it is so important, what a Zero Trust network looks like, and what components are required in order to actually meet the challenge.

Evan Gilman

December 09, 2016
Tweet

More Decks by Evan Gilman

See All by Evan Gilman
Introducing SPIFFE: An Open Standard for Identity in Cloud Native Environments
evan2645
2
230
Zero Trust Networks: Building Trusted Systems in Untrusted Networks
evan2645
0
160
Infra as Code: The Organizational Bottleneck and the Shared Service Anti-Pattern
evan2645
0
320
Perimeter-less networks: The death of the LAN
evan2645
0
270
Resilient Infrastructure Automation with Serf
evan2645
3
380
Bridging the Great Divide
evan2645
0
61
Bloated Chefs: A Tale of Gluttony and the Path to Enlightenment
evan2645
0
79
Inside the End-to-End Provider Testing Suite
evan2645
0
48

Other Decks in Technology

See All in Technology
Oracle Cloud Infrastructure データベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
29
13k
Taming you application's environments
salaboy
0
200
Flutterによる 効率的なAndroid・iOS・Webアプリケーション開発の事例
recruitengineers
PRO
0
120
【Pycon mini 東海 2024】Google Colaboratoryで試すVLM
kazuhitotakahashi
2
550
Lambdaと地方とコミュニティ
miu_crescent
2
370
AIチャットボット開発への生成AI活用
ryomrt
0
170
Why App Signing Matters for Your Android Apps - Android Bangkok Conference 2024
akexorcist
0
130
SRE×AIOpsを始めよう!GuardDutyによるお手軽脅威検出
amixedcolor
0
190
CDCL による厳密解法を採用した MILP ソルバー
imai448
3
170
10XにおけるData Contractの導入について: Data Contract事例共有会
10xinc
6
670
飲食店データの分析事例とそれを支えるデータ基盤
kimujun
0
190
Zennのパフォーマンスモニタリングでやっていること
ryosukeigarashi
0
170

Featured

See All Featured
Imperfection Machines: The Place of Print at Facebook
scottboms
265
13k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2.1k
Why Our Code Smells
bkeepers
PRO
334
57k
Facilitating Awesome Meetings
lara
50
6.1k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
44
2.2k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
28
2k
BBQ
matthewcrist
85
9.3k
Docker and Python
trallard
40
3.1k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
The Art of Programming - Codeland 2020
erikaheidi
52
13k
How to Think Like a Performance Engineer
csswizardry
20
1.1k

Transcript

  1. Evan Gilman @evan2645 Zero Trust Networks

  2. @evan2645 12/5/16 About Me Zero Trust: Building Systems in Untrusted

    Networks

  3. @evan2645 12/5/16 Agenda Zero Trust: Building Systems in Untrusted Networks

    The Problem What is Zero Trust? Implementations State of the Union

  4. @evan2645 The Problem

  5. @evan2645 12/5/16 Enforcement Zero Trust: Building Systems in Untrusted Networks

    Users feel safe inside

  6. @evan2645 12/5/16 Even if they are not Bad Guy Enforcement

    Zero Trust: Building Systems in Untrusted Networks

  7. @evan2645 12/5/16 Even if they are not Bad Guy …

    Am I really that safe? Enforcement Zero Trust: Building Systems in Untrusted Networks

  8. @evan2645 What Are We Protecting?

  9. @evan2645 12/5/16 Common Sense Security Important Server Enforcement Zero Trust:

    Building Systems in Untrusted Networks

  10. @evan2645 12/5/16 Common Sense Security Important Server Enforcement Zero Trust:

    Building Systems in Untrusted Networks

  11. @evan2645 What is Zero Trust?

  12. @evan2645 What is Zero Trust?

  13. @evan2645 12/5/16 What is a Zero Trust Network? No Pools

    of Trust Internet Security Everywhere All Flows Strongly Authenticated + Authorized Zero Trust: Building Systems in Untrusted Networks

  14. @evan2645 12/5/16 Zero Trust Networks Zero Trust: Building Systems in

    Untrusted Networks Primitive Required Advanced Optional

  15. @evan2645 Manifestation

  16. @evan2645 12/5/16 Control Plane Services Zero Trust: Building Systems in

    Untrusted Networks User Inventory Device Inventory Data Plane Servers Servers Servers Servers Servers Phones Servers Servers Laptops

  17. @evan2645 12/5/16 Control Plane Services Zero Trust: Building Systems in

    Untrusted Networks User Inventory Device Inventory Config Mgmt Data Plane Servers Servers Servers Servers Servers Phones Servers Servers Laptops

  18. @evan2645 12/5/16 Control Plane Services Zero Trust: Building Systems in

    Untrusted Networks User Inventory Device Inventory Config Mgmt Authentication Services Data Plane Servers Servers Servers Servers Servers Phones Servers Servers Laptops

  19. @evan2645 12/5/16 Control Plane Services Zero Trust: Building Systems in

    Untrusted Networks User Inventory Device Inventory Config Mgmt Authentication Services Data Plane Servers Servers Servers Servers Servers Phones Servers Servers Laptops

  20. @evan2645 Examples

  21. @evan2645 Server-Side

  22. @evan2645 12/5/16 PagerDuty Multiple Cloud Providers Zero Trust: Building Systems

    in Untrusted Networks

  23. @evan2645 12/5/16 PagerDuty Multiple Cloud Providers Zero Trust: Building Systems

    in Untrusted Networks

  24. @evan2645 12/5/16 PagerDuty Multiple Cloud Providers Cross-WAN Zero Trust: Building

    Systems in Untrusted Networks

  25. @evan2645 12/5/16 PagerDuty Multiple Cloud Providers Cross-WAN Strong Authenticity +

    Privacy Zero Trust: Building Systems in Untrusted Networks

  26. @evan2645 12/5/16 PagerDuty Multiple Cloud Providers Cross-WAN Strong Authenticity +

    Privacy Topology-Manager Zero Trust: Building Systems in Untrusted Networks

  27. @evan2645 12/5/16 Topology-Manager Zero Trust: Building Systems in Untrusted Networks

    Control Plane Data Plane Server Agent Contained Workload Server Agent Contained Workload Enforcement

  28. @evan2645 12/5/16 Topology-Manager Zero Trust: Building Systems in Untrusted Networks

    Control Plane Data Plane Server Agent Contained Workload Server Agent Contained Workload Enforcement

  29. @evan2645 12/5/16 Topology-Manager Zero Trust: Building Systems in Untrusted Networks

    Control Plane Data Plane Server Agent Contained Workload Server Agent Contained Workload Enforcement

  30. @evan2645 12/5/16 Topology-Manager Zero Trust: Building Systems in Untrusted Networks

    Control Plane Data Plane Server Agent Contained Workload Server Agent Contained Workload Enforcement

  31. @evan2645 12/5/16 Topology-Manager Zero Trust: Building Systems in Untrusted Networks

    Control Plane Data Plane Server Agent Contained Workload Server Agent Contained Workload Enforcement

  32. @evan2645 12/5/16 Topology-Manager Zero Trust: Building Systems in Untrusted Networks

    Data Plane Control Plane

  33. @evan2645 12/5/16 Topology-Manager Zero Trust: Building Systems in Untrusted Networks

    Data Plane Control Plane Authorized User

  34. @evan2645 12/5/16 Topology-Manager Zero Trust: Building Systems in Untrusted Networks

    Data Plane Control Plane Provisioner Authorized User

  35. @evan2645 12/5/16 Topology-Manager Zero Trust: Building Systems in Untrusted Networks

    Data Plane Control Plane Provisioner Device Inventory Authorized User

  36. @evan2645 12/5/16 Topology-Manager Zero Trust: Building Systems in Untrusted Networks

    Data Plane Control Plane Provisioner Device Inventory User Inventory Authorized User

  37. @evan2645 12/5/16 Topology-Manager Zero Trust: Building Systems in Untrusted Networks

    Data Plane Control Plane Provisioner Device Inventory User Inventory Authorized User

  38. @evan2645 12/5/16 Topology-Manager Zero Trust: Building Systems in Untrusted Networks

    Data Plane Control Plane Provisioner Device Inventory User Inventory Config Mgmt Authorized User

  39. @evan2645 12/5/16 Topology-Manager No Trust In Network Zero Trust: Building

    Systems in Untrusted Networks

  40. @evan2645 12/5/16 Topology-Manager No Trust In Network Compute Can Be

    Bootstrapped Anywhere Zero Trust: Building Systems in Untrusted Networks

  41. @evan2645 12/5/16 Topology-Manager No Trust In Network Compute Can Be

    Bootstrapped Anywhere All Flows Get Strong AuthN/AuthZ Zero Trust: Building Systems in Untrusted Networks

  42. @evan2645 Client-Side

  43. @evan2645 Client-Side

  44. @evan2645 Client-Side

  45. @evan2645 12/5/16 Google Large Network, Large Perimeter Zero Trust: Building

    Systems in Untrusted Networks

  46. @evan2645 12/5/16 Google Large Network, Large Perimeter Many Remote Employees

    Zero Trust: Building Systems in Untrusted Networks

  47. @evan2645 12/5/16 Google Large Network, Large Perimeter Many Remote Employees

    Perimeter + Remote Access Untenable Zero Trust: Building Systems in Untrusted Networks

  48. @evan2645 12/5/16 Google Large Network, Large Perimeter Many Remote Employees

    Perimeter + Remote Access Untenable BeyondCorp Zero Trust: Building Systems in Untrusted Networks

  49. @evan2645 12/5/16 BeyondCorp Zero Trust: Building Systems in Untrusted Networks

    Control Plane Data Plane Corp. Client

  50. @evan2645 12/5/16 BeyondCorp Zero Trust: Building Systems in Untrusted Networks

    Control Plane Data Plane Corp. Client

  51. @evan2645 12/5/16 BeyondCorp Zero Trust: Building Systems in Untrusted Networks

    Control Plane Data Plane Access Proxy Corp. Client

  52. @evan2645 12/5/16 BeyondCorp Zero Trust: Building Systems in Untrusted Networks

    Control Plane Data Plane Access Proxy Corp. Client Enforcement

  53. @evan2645 12/5/16 BeyondCorp Zero Trust: Building Systems in Untrusted Networks

    Control Plane Data Plane Access Proxy Corp. Client Backend Backend Backend Enforcement

  54. @evan2645 12/5/16 BeyondCorp Zero Trust: Building Systems in Untrusted Networks

    Control Plane Data Plane Access Proxy Corp. Client Backend Backend Backend Enforcement

  55. @evan2645 12/5/16 BeyondCorp Zero Trust: Building Systems in Untrusted Networks

    Data Plane Control Plane User Inventory

  56. @evan2645 12/5/16 BeyondCorp Zero Trust: Building Systems in Untrusted Networks

    Data Plane Control Plane SSO User Inventory

  57. @evan2645 12/5/16 BeyondCorp Zero Trust: Building Systems in Untrusted Networks

    Data Plane Control Plane SSO Device Inventory User Inventory

  58. @evan2645 12/5/16 BeyondCorp Zero Trust: Building Systems in Untrusted Networks

    Data Plane Control Plane SSO Device Inventory User Inventory

  59. @evan2645 12/5/16 BeyondCorp Zero Trust: Building Systems in Untrusted Networks

    Data Plane Control Plane Access Control Engine SSO Device Inventory User Inventory

  60. @evan2645 12/5/16 BeyondCorp Zero Trust: Building Systems in Untrusted Networks

    Data Plane Control Plane Access Control Engine SSO Device Inventory User Inventory

  61. @evan2645 12/5/16 BeyondCorp No Trust In Network Zero Trust: Building

    Systems in Untrusted Networks

  62. @evan2645 12/5/16 BeyondCorp No Trust In Network Users Safely Roam

    Free Zero Trust: Building Systems in Untrusted Networks

  63. @evan2645 12/5/16 BeyondCorp No Trust In Network Users Safely Roam

    Free All Requests Get Strong AuthN/AuthZ Zero Trust: Building Systems in Untrusted Networks

  64. @evan2645 12/5/16 BeyondCorp No Trust In Network Users Safely Roam

    Free All Requests Get Strong AuthN/AuthZ Zero Trust: Building Systems in Untrusted Networks

  65. @evan2645 Mature Zero Trust

  66. @evan2645 12/5/16 BeyondCorp Zero Trust: Building Systems in Untrusted Networks

    Data Plane Control Plane Access Control Engine SSO Device Inventory User Inventory Trust Engine

  67. @evan2645 12/5/16 BeyondCorp Zero Trust: Building Systems in Untrusted Networks

    Data Plane Control Plane Access Control Engine SSO Device Inventory User Inventory Trust Engine

  68. @evan2645 12/5/16 BeyondCorp Zero Trust: Building Systems in Untrusted Networks

    Control Plane Data Plane Access Proxy Corp. Client Backend Backend Backend Score Score

  69. @evan2645 12/5/16 Mature Zero Trust Zero Trust: Building Systems in

    Untrusted Networks Trust Engine User Data Device Data

  70. @evan2645 12/5/16 Mature Zero Trust Zero Trust: Building Systems in

    Untrusted Networks Trust Engine User Data sFlow Device Data

  71. @evan2645 12/5/16 Mature Zero Trust Zero Trust: Building Systems in

    Untrusted Networks Trust Engine User Data sFlow Accounting Device Data

  72. @evan2645 UX is Important

  73. @evan2645 UX is Important

  74. @evan2645 Earth is Calling…

  75. @evan2645 Earth is Calling…

  76. @evan2645 Earth is Calling…

  77. Evan Gilman @evan2645 Zero Trust Networks