Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Zero Trust Networks: Building Systems in Untrus...

Evan Gilman
December 09, 2016
Technology
0
190

Zero Trust Networks: Building Systems in Untrusted Networks

Let's face it—the perimeter-based architecture has failed us. Today's attack vectors can easily defeat expensive stateful firewalls and evade IDS systems. Perhaps even worse, perimeters trick people into believing that the network behind it is somehow "safe," despite the fact that chances are overwhelmingly high that at least one device on that network is already compromised.

It is time to consider an alternative approach. Zero Trust is a new security model, one which considers all parts of the network to be equally untrusted. Taking this stance dramatically changes the way we implement security systems. For instance, how useful is a perimeter firewall if the networks on either side are equally untrusted? What is your VPN protecting if the network you're dialing into is untrusted? The Zero Trust architecture is very different indeed.

In this talk, we'll go over the Zero Trust model itself, why it is so important, what a Zero Trust network looks like, and what components are required in order to actually meet the challenge.

Evan Gilman

December 09, 2016
Tweet

More Decks by Evan Gilman

See All by Evan Gilman
Introducing SPIFFE: An Open Standard for Identity in Cloud Native Environments
evan2645
2
230
Zero Trust Networks: Building Trusted Systems in Untrusted Networks
evan2645
0
160
Infra as Code: The Organizational Bottleneck and the Shared Service Anti-Pattern
evan2645
0
310
Perimeter-less networks: The death of the LAN
evan2645
0
270
Resilient Infrastructure Automation with Serf
evan2645
3
380
Bridging the Great Divide
evan2645
0
61
Bloated Chefs: A Tale of Gluttony and the Path to Enlightenment
evan2645
0
79
Inside the End-to-End Provider Testing Suite
evan2645
0
47

Other Decks in Technology

See All in Technology
Jr. Championsになって、強く連携しながらAWSをもっと使いたい!~AWSに対する期待と行動~
amixedcolor
0
160
オニオンアーキテクチャで実現した 本質課題を解決する インフラ移行の実例
hryushm
14
3k
ABEMA のコンテンツ制作を最適化!生成 AI x クラウド映像編集システム / abema-ai-editor
cyberagentdevelopers
PRO
1
170
Apple/Google/Amazonの決済システムの違いを踏まえた定期購読課金システムの構築 / abema-billing-system
cyberagentdevelopers
PRO
1
210
ガチ勢によるPipeCD運用大全〜滑らかなCI/CDを添えて〜 / ai-pipecd-encyclopedia
cyberagentdevelopers
PRO
3
190
Oracle Base Database Service 技術詳細
oracle4engineer
PRO
5
49k
【技術書典17】OpenFOAM(自宅で極める流体解析)2次元円柱まわりの流れ
kamakiri1225
0
140
生成AIの強みと弱みを理解して、生成AIがもたらすパワーをプロダクトの価値へ繋げるために実践したこと / advance-ai-generating
cyberagentdevelopers
PRO
1
170
サイバーエージェントにおける生成AIのリスキリング施策の取り組み / cyber-ai-reskilling
cyberagentdevelopers
PRO
2
170
AIを駆使したゲーム開発戦略: 新設AI組織の取り組み / sge-ai-strategy
cyberagentdevelopers
PRO
1
120
Vueで Webコンポーネントを作って Reactで使う / 20241030-cloudsign-vuefes_after_night
bengo4com
4
2.5k
小規模に始めるデータメッシュとデータガバナンスの実践
kimujun
3
530

Featured

See All Featured
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
Imperfection Machines: The Place of Print at Facebook
scottboms
264
13k
Side Projects
sachag
452
42k
Documentation Writing (for coders)
carmenintech
65
4.4k
Designing for Performance
lara
604
68k
We Have a Design System, Now What?
morganepeng
50
7.2k
Being A Developer After 40
akosma
86
590k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2k
Become a Pro
speakerdeck
PRO
24
5k
Happy Clients
brianwarren
97
6.7k
The Pragmatic Product Professional
lauravandoore
31
6.3k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
22k

Transcript

  1. Evan Gilman @evan2645 Zero Trust Networks

  2. @evan2645 12/5/16 About Me Zero Trust: Building Systems in Untrusted

    Networks

  3. @evan2645 12/5/16 Agenda Zero Trust: Building Systems in Untrusted Networks

    The Problem What is Zero Trust? Implementations State of the Union

  4. @evan2645 The Problem

  5. @evan2645 12/5/16 Enforcement Zero Trust: Building Systems in Untrusted Networks

    Users feel safe inside

  6. @evan2645 12/5/16 Even if they are not Bad Guy Enforcement

    Zero Trust: Building Systems in Untrusted Networks

  7. @evan2645 12/5/16 Even if they are not Bad Guy …

    Am I really that safe? Enforcement Zero Trust: Building Systems in Untrusted Networks

  8. @evan2645 What Are We Protecting?

  9. @evan2645 12/5/16 Common Sense Security Important Server Enforcement Zero Trust:

    Building Systems in Untrusted Networks

  10. @evan2645 12/5/16 Common Sense Security Important Server Enforcement Zero Trust:

    Building Systems in Untrusted Networks

  11. @evan2645 What is Zero Trust?

  12. @evan2645 What is Zero Trust?

  13. @evan2645 12/5/16 What is a Zero Trust Network? No Pools

    of Trust Internet Security Everywhere All Flows Strongly Authenticated + Authorized Zero Trust: Building Systems in Untrusted Networks

  14. @evan2645 12/5/16 Zero Trust Networks Zero Trust: Building Systems in

    Untrusted Networks Primitive Required Advanced Optional

  15. @evan2645 Manifestation

  16. @evan2645 12/5/16 Control Plane Services Zero Trust: Building Systems in

    Untrusted Networks User Inventory Device Inventory Data Plane Servers Servers Servers Servers Servers Phones Servers Servers Laptops

  17. @evan2645 12/5/16 Control Plane Services Zero Trust: Building Systems in

    Untrusted Networks User Inventory Device Inventory Config Mgmt Data Plane Servers Servers Servers Servers Servers Phones Servers Servers Laptops

  18. @evan2645 12/5/16 Control Plane Services Zero Trust: Building Systems in

    Untrusted Networks User Inventory Device Inventory Config Mgmt Authentication Services Data Plane Servers Servers Servers Servers Servers Phones Servers Servers Laptops

  19. @evan2645 12/5/16 Control Plane Services Zero Trust: Building Systems in

    Untrusted Networks User Inventory Device Inventory Config Mgmt Authentication Services Data Plane Servers Servers Servers Servers Servers Phones Servers Servers Laptops

  20. @evan2645 Examples

  21. @evan2645 Server-Side

  22. @evan2645 12/5/16 PagerDuty Multiple Cloud Providers Zero Trust: Building Systems

    in Untrusted Networks

  23. @evan2645 12/5/16 PagerDuty Multiple Cloud Providers Zero Trust: Building Systems

    in Untrusted Networks

  24. @evan2645 12/5/16 PagerDuty Multiple Cloud Providers Cross-WAN Zero Trust: Building

    Systems in Untrusted Networks

  25. @evan2645 12/5/16 PagerDuty Multiple Cloud Providers Cross-WAN Strong Authenticity +

    Privacy Zero Trust: Building Systems in Untrusted Networks

  26. @evan2645 12/5/16 PagerDuty Multiple Cloud Providers Cross-WAN Strong Authenticity +

    Privacy Topology-Manager Zero Trust: Building Systems in Untrusted Networks

  27. @evan2645 12/5/16 Topology-Manager Zero Trust: Building Systems in Untrusted Networks

    Control Plane Data Plane Server Agent Contained Workload Server Agent Contained Workload Enforcement

  28. @evan2645 12/5/16 Topology-Manager Zero Trust: Building Systems in Untrusted Networks

    Control Plane Data Plane Server Agent Contained Workload Server Agent Contained Workload Enforcement

  29. @evan2645 12/5/16 Topology-Manager Zero Trust: Building Systems in Untrusted Networks

    Control Plane Data Plane Server Agent Contained Workload Server Agent Contained Workload Enforcement

  30. @evan2645 12/5/16 Topology-Manager Zero Trust: Building Systems in Untrusted Networks

    Control Plane Data Plane Server Agent Contained Workload Server Agent Contained Workload Enforcement

  31. @evan2645 12/5/16 Topology-Manager Zero Trust: Building Systems in Untrusted Networks

    Control Plane Data Plane Server Agent Contained Workload Server Agent Contained Workload Enforcement

  32. @evan2645 12/5/16 Topology-Manager Zero Trust: Building Systems in Untrusted Networks

    Data Plane Control Plane

  33. @evan2645 12/5/16 Topology-Manager Zero Trust: Building Systems in Untrusted Networks

    Data Plane Control Plane Authorized User

  34. @evan2645 12/5/16 Topology-Manager Zero Trust: Building Systems in Untrusted Networks

    Data Plane Control Plane Provisioner Authorized User

  35. @evan2645 12/5/16 Topology-Manager Zero Trust: Building Systems in Untrusted Networks

    Data Plane Control Plane Provisioner Device Inventory Authorized User

  36. @evan2645 12/5/16 Topology-Manager Zero Trust: Building Systems in Untrusted Networks

    Data Plane Control Plane Provisioner Device Inventory User Inventory Authorized User

  37. @evan2645 12/5/16 Topology-Manager Zero Trust: Building Systems in Untrusted Networks

    Data Plane Control Plane Provisioner Device Inventory User Inventory Authorized User

  38. @evan2645 12/5/16 Topology-Manager Zero Trust: Building Systems in Untrusted Networks

    Data Plane Control Plane Provisioner Device Inventory User Inventory Config Mgmt Authorized User

  39. @evan2645 12/5/16 Topology-Manager No Trust In Network Zero Trust: Building

    Systems in Untrusted Networks

  40. @evan2645 12/5/16 Topology-Manager No Trust In Network Compute Can Be

    Bootstrapped Anywhere Zero Trust: Building Systems in Untrusted Networks

  41. @evan2645 12/5/16 Topology-Manager No Trust In Network Compute Can Be

    Bootstrapped Anywhere All Flows Get Strong AuthN/AuthZ Zero Trust: Building Systems in Untrusted Networks

  42. @evan2645 Client-Side

  43. @evan2645 Client-Side

  44. @evan2645 Client-Side

  45. @evan2645 12/5/16 Google Large Network, Large Perimeter Zero Trust: Building

    Systems in Untrusted Networks

  46. @evan2645 12/5/16 Google Large Network, Large Perimeter Many Remote Employees

    Zero Trust: Building Systems in Untrusted Networks

  47. @evan2645 12/5/16 Google Large Network, Large Perimeter Many Remote Employees

    Perimeter + Remote Access Untenable Zero Trust: Building Systems in Untrusted Networks

  48. @evan2645 12/5/16 Google Large Network, Large Perimeter Many Remote Employees

    Perimeter + Remote Access Untenable BeyondCorp Zero Trust: Building Systems in Untrusted Networks

  49. @evan2645 12/5/16 BeyondCorp Zero Trust: Building Systems in Untrusted Networks

    Control Plane Data Plane Corp. Client

  50. @evan2645 12/5/16 BeyondCorp Zero Trust: Building Systems in Untrusted Networks

    Control Plane Data Plane Corp. Client

  51. @evan2645 12/5/16 BeyondCorp Zero Trust: Building Systems in Untrusted Networks

    Control Plane Data Plane Access Proxy Corp. Client

  52. @evan2645 12/5/16 BeyondCorp Zero Trust: Building Systems in Untrusted Networks

    Control Plane Data Plane Access Proxy Corp. Client Enforcement

  53. @evan2645 12/5/16 BeyondCorp Zero Trust: Building Systems in Untrusted Networks

    Control Plane Data Plane Access Proxy Corp. Client Backend Backend Backend Enforcement

  54. @evan2645 12/5/16 BeyondCorp Zero Trust: Building Systems in Untrusted Networks

    Control Plane Data Plane Access Proxy Corp. Client Backend Backend Backend Enforcement

  55. @evan2645 12/5/16 BeyondCorp Zero Trust: Building Systems in Untrusted Networks

    Data Plane Control Plane User Inventory

  56. @evan2645 12/5/16 BeyondCorp Zero Trust: Building Systems in Untrusted Networks

    Data Plane Control Plane SSO User Inventory

  57. @evan2645 12/5/16 BeyondCorp Zero Trust: Building Systems in Untrusted Networks

    Data Plane Control Plane SSO Device Inventory User Inventory

  58. @evan2645 12/5/16 BeyondCorp Zero Trust: Building Systems in Untrusted Networks

    Data Plane Control Plane SSO Device Inventory User Inventory

  59. @evan2645 12/5/16 BeyondCorp Zero Trust: Building Systems in Untrusted Networks

    Data Plane Control Plane Access Control Engine SSO Device Inventory User Inventory

  60. @evan2645 12/5/16 BeyondCorp Zero Trust: Building Systems in Untrusted Networks

    Data Plane Control Plane Access Control Engine SSO Device Inventory User Inventory

  61. @evan2645 12/5/16 BeyondCorp No Trust In Network Zero Trust: Building

    Systems in Untrusted Networks

  62. @evan2645 12/5/16 BeyondCorp No Trust In Network Users Safely Roam

    Free Zero Trust: Building Systems in Untrusted Networks

  63. @evan2645 12/5/16 BeyondCorp No Trust In Network Users Safely Roam

    Free All Requests Get Strong AuthN/AuthZ Zero Trust: Building Systems in Untrusted Networks

  64. @evan2645 12/5/16 BeyondCorp No Trust In Network Users Safely Roam

    Free All Requests Get Strong AuthN/AuthZ Zero Trust: Building Systems in Untrusted Networks

  65. @evan2645 Mature Zero Trust

  66. @evan2645 12/5/16 BeyondCorp Zero Trust: Building Systems in Untrusted Networks

    Data Plane Control Plane Access Control Engine SSO Device Inventory User Inventory Trust Engine

  67. @evan2645 12/5/16 BeyondCorp Zero Trust: Building Systems in Untrusted Networks

    Data Plane Control Plane Access Control Engine SSO Device Inventory User Inventory Trust Engine

  68. @evan2645 12/5/16 BeyondCorp Zero Trust: Building Systems in Untrusted Networks

    Control Plane Data Plane Access Proxy Corp. Client Backend Backend Backend Score Score

  69. @evan2645 12/5/16 Mature Zero Trust Zero Trust: Building Systems in

    Untrusted Networks Trust Engine User Data Device Data

  70. @evan2645 12/5/16 Mature Zero Trust Zero Trust: Building Systems in

    Untrusted Networks Trust Engine User Data sFlow Device Data

  71. @evan2645 12/5/16 Mature Zero Trust Zero Trust: Building Systems in

    Untrusted Networks Trust Engine User Data sFlow Accounting Device Data

  72. @evan2645 UX is Important

  73. @evan2645 UX is Important

  74. @evan2645 Earth is Calling…

  75. @evan2645 Earth is Calling…

  76. @evan2645 Earth is Calling…

  77. Evan Gilman @evan2645 Zero Trust Networks