Evan Gilman
December 09, 2016

Zero Trust Networks: Building Systems in Untrusted Networks

Let's face it—the perimeter-based architecture has failed us. Today's attack vectors can easily defeat expensive stateful firewalls and evade IDS systems. Perhaps even worse, perimeters trick people into believing that the network behind them is somehow "safe," despite the fact that chances are overwhelmingly high that at least one device on that network is already compromised.

It is time to consider an alternative approach. Zero Trust is a new security model, one which considers all parts of the network to be equally untrusted. Taking this stance dramatically changes the way we implement security systems. For instance, how useful is a perimeter firewall if the networks on either side are equally untrusted? What is your VPN protecting if the network you're dialing into is untrusted? The Zero Trust architecture is very different indeed.

In this talk, we'll go over the Zero Trust model itself, why it is so important, what a Zero Trust network looks like, and what components are required in order to actually meet the challenge.

Transcript

  (Slide text. Every slide carries the footer "@evan2645 12/5/16" and the deck title "Zero Trust: Building Systems in Untrusted Networks"; both are shown here once. Consecutive slides with identical text are animation builds and are grouped.)

  1. Agenda: The Problem; What is Zero Trust?; Implementations; State of the Union
  2. Even if they are not Bad Guy … (diagram: Enforcement)
  3. Even if they are not Bad Guy … Am I really that safe? (diagram: Enforcement)
  4. What is a Zero Trust Network? No Pools of Trust; Internet Security Everywhere; All Flows Strongly Authenticated + Authorized
  5. Zero Trust Networks: Primitive / Required; Advanced / Optional
  6. Control Plane: Services; User Inventory; Device Inventory. Data Plane: Servers, Phones, Laptops
  7. Control Plane adds Config Mgmt
  8-9. Control Plane adds Authentication Services
  10. PagerDuty: Multiple Cloud Providers; Cross-WAN; Strong Authenticity + Privacy
  11. PagerDuty: Multiple Cloud Providers; Cross-WAN; Strong Authenticity + Privacy; Topology-Manager
  12-16. Topology-Manager: Control Plane / Data Plane; Server Agent + Contained Workload (two servers shown); Enforcement
  17. Topology-Manager: Data Plane / Control Plane; Provisioner; Device Inventory; Authorized User
  18-19. Topology-Manager control plane adds User Inventory
  20. Topology-Manager control plane adds Config Mgmt
  21. Topology-Manager: No Trust In Network; Compute Can Be Bootstrapped Anywhere
  22. Topology-Manager: No Trust In Network; Compute Can Be Bootstrapped Anywhere; All Flows Get Strong AuthN/AuthZ
  23. Google: Large Network, Large Perimeter; Many Remote Employees
  24. Google: Large Network, Large Perimeter; Many Remote Employees; Perimeter + Remote Access Untenable
  25. Google: Large Network, Large Perimeter; Many Remote Employees; Perimeter + Remote Access Untenable; BeyondCorp
  26. BeyondCorp: Control Plane / Data Plane; Access Proxy; Corp. Client
  27. BeyondCorp data plane adds Enforcement
  28-29. BeyondCorp data plane adds Backend (three shown)
  30-31. BeyondCorp: Data Plane / Control Plane; SSO; Device Inventory; User Inventory
  32-33. BeyondCorp control plane adds Access Control Engine
  34. BeyondCorp: No Trust In Network; Users Safely Roam Free
  35-36. BeyondCorp: No Trust In Network; Users Safely Roam Free; All Requests Get Strong AuthN/AuthZ
  37-38. BeyondCorp control plane adds Trust Engine
  39. BeyondCorp: Control Plane / Data Plane; Access Proxy; Corp. Client; Backends; Score, Score
  40. Mature Zero Trust: Trust Engine; User Data; Device Data
  41. Mature Zero Trust: Trust Engine; User Data; Device Data; sFlow
  42. Mature Zero Trust: Trust Engine; User Data; Device Data; sFlow; Accounting
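The BeyondCorp-style access path sketched on slides 26-39 (Corp. Client, Access Proxy, an Access Control Engine consulting SSO, the Device and User Inventories, and a Trust Engine score) together with the trust-engine inputs of slides 40-42, as an added Python model. This is not the deck's or Google's code; the inventory records, scoring weights, per-backend thresholds and function names are constructed assumptions.

```python
"""Toy access-control engine for a BeyondCorp-style access proxy.
Every request is authenticated (SSO) and authorized (inventory + trust score);
the source network is carried but never consulted. All data is constructed."""
from dataclasses import dataclass
from typing import Tuple

# Constructed control-plane inventories.
USER_INVENTORY = {"alice": {"group": "eng", "mfa": True},
                  "bob": {"group": "contractor", "mfa": False}}
DEVICE_INVENTORY = {"lt-0042": {"owner": "alice", "managed": True, "patched": True},
                    "lt-0099": {"owner": "bob", "managed": True, "patched": False}}

# Constructed Access Control Engine policy: minimum trust score per backend.
BACKEND_MIN_SCORE = {"wiki": 40, "payroll": 100}


@dataclass
class Request:
    user: str                      # identity asserted by SSO
    device_id: str                 # device identity, looked up in inventory
    backend: str
    sso_valid: bool = True
    src_network: str = "internet"  # deliberately ignored by the policy


def trust_score(user: dict, device: dict) -> int:
    """Trust Engine: combine user data and device data; weights are assumed."""
    score = 40 if device["managed"] else 0
    score += 30 if device["patched"] else 0
    score += 30 if user["mfa"] else 0
    return score


def access_decision(req: Request) -> Tuple[bool, str]:
    """Access Control Engine: return (allowed, reason) for one proxied request."""
    if not req.sso_valid:
        return False, "unauthenticated"
    user = USER_INVENTORY.get(req.user)
    device = DEVICE_INVENTORY.get(req.device_id)
    if user is None or device is None:
        return False, "unknown user or device"
    if device["owner"] != req.user:           # device must be bound to this user
        return False, "device not bound to user"
    needed = BACKEND_MIN_SCORE.get(req.backend)
    if needed is None:
        return False, "unknown backend"
    score = trust_score(user, device)
    if score < needed:
        return False, f"score {score} below {needed} for {req.backend}"
    return True, f"score {score} ok"
```

Note that a request from "corp" and one from "internet" with the same user and device get the same answer, which is the "No Trust In Network" property the slides call out.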