
Garry Coldwells - Demystifying Zero Trust

BSides Cayman Islands · 2023 · 46:12 · 77 views · Published 2023-05
Category: Technical · Style: Talk

Transcript (en)

[Applause] hey everybody um thanks for joining us thanks for the after lunch attendance that's really good um I was told you know monotone really slow speech and the first head to nod first of all his head goes like this buys the drinks tonight that's the deal right and it won't be mine I can promise you so that's good um yeah so thanks a lot I'm going to talk about demystifying zero trust so just briefly talk a little bit about zero trust um kind of start with what it's not because that's the easiest bit then I'll get into a little bit of the history right not a lot of people have a great awareness of how far back this this

concept goes I'll talk briefly about the history talk about some of the near-term 2018 at least in terms of nist and what they've put together and where that is um and then from there get into kind of the practitioners or The Operators perspective in terms of you know how do we approach what do we do what is what is you know what are the basis of of how we go forward I'll talk through the mindset you want to apply and you know to the modeling and the structure and then finish off with reassessment it's you know zero trust is not a thing of like I'm gonna go to the store I'm gonna go to the rack I'm going to buy

pink zero trust I'm going to install this thing and we're magic it's done I'm going to go to the board get my bonus and everything's wonderful absolutely not the case zero trust is an ongoing Journey so trust is a vulnerability it's dangerous right so it's exploited and it has always been exploited um I happen to find an old snippet that I'd recorded 28 odd years ago which is an old CSI FBI search document that was produced way back then 28 years ago and at the time it was found that Insider threat was the greatest the greatest issue of the time right so the concept of identity of who these people are what they do within our

infrastructure is at that stage was very nice and like it was it was it was very simplistic stuff and that was obviously part of the problem so there's some key underpinnings that go with that I'm going to talk about activity Ministries activity how we model for it how we we're going to work away from that and do it in a way that's measurable and attainable right because one of the things that happens it was just talking about zero trust and there's a lot of confusion in the industry and a lot of confusion in the market right there's people that do products that they claim on zero trust capable there are people that do services that are zero trust capable

there are people that do combinations of these and you've got to be really careful about what you're taking on here so let's get into this identity and access management and outstanding practice an absolute Cornerstone of our industry and what we need to do but as a statement this is identity Nexus management is not zero trust right it is a contributor to the state that informs the model which will get us to where we need to be with us but this is not the singular piece that gets us there right so just sit this sit the table on that zero trust network access tremendously interesting amazing groups of product Suites that people have that will deliver these

types of functions for you and have a very solid place in your structure and in your thinking but this is not again we don't buy as Etna and we have an answer here right and in fact some of the ztna that's out there is a little bit aged and needs to be you know updated so incorrect on that one micro segmentation again tremendously useful really you know functionally where we need to be in terms of adaptation and moving forward but this also is not zero trust and then finally zero trust is not a product I mean I joke about it in terms of like buying the pink one the green one the red one you know if I pay more for the

red one is it better than the pink one you know kind of mindset there's unfortunately a lot of marketing has glommed onto the xero trust principle and concept and try to sweep a lot of rubbish under the carpet on that one we want to avoid all of that please and so what it is zero trust we go back to the Genesis so Stephen Paul Marsh and to make sure everyone's listening I'm going to say at the Battle of Sterling not the University of Sterling because that always get to feed people like whoa hang on where are we um it's after lunchtime April 1994 in his foundational paper he introduced the concept of zero trust um the Jericho forum is a following

2003 started talking about what was then sort of categorized as deprimaturization so the sense that our focused previously on hardening the inside with the moats and keeps and all the the language we had at the time for defensive circles around our key infrastructure and key people in key regions and resources with an outward view started changing quite significantly even that back then so that's 20 years ago people started really practically thinking about how this is going to work and go and here we are 20 years later with a very confusing landscape with the zero trust thing being thrown about so key thing there and I'll just reference there D perimeters deep perimeterization lovely if you could actually say it

which maybe put my teeth in um is uh it was referenced in 2009 by Mark kedrich in a book called endpoint security he's a San Diego based researcher did some original reading around this stuff red poll stuff I was in put together a book on on endpoint uh security and he really he really got a hold of this and really published quite extensively from that I would say from his work some more stuff came forward including 2009 Google uh took its first stab at actually deploying a parallel structure called Beyond Corp which is a zero trust Enterprise that they were building experimenting and growing it continues to grow it continues to evolve uh which is key that's the this is an

evolutionary process this is not a we start here we spend 100 million dollars and we get to their kind of a thing this is something that we'll ever be ongoing whether it's a 10 exercise or 100 million dollar exercise is a process with no end right ultimately and then looking at that the stuff that really started getting a lot of comp a lot of attention John kindevag with Forrester in uh 2010 he talks about the zero trust model and he's the first person that really codified the approach of like let's take this thinking look at it from a perspective of like how could you Embrace this as a practical model that people could use and go forward with and

so this 13 years ago was the start of the conversation started really making this a practical thing that people could actually bite off on and understand and so later on in the slides I'm going to talk about how we approach zero trust I'm going to talk about kind of the five core principles of what you want to do I'll talk about the Kipling method in terms of application and how you build your policy around that um I'm about to break out into the nisting as well which is brief I'm not going to go too deep on that um but all of that really leveraged off John's Key work John is still very much active in the zero trust uh in the zero

trust world and he's now because of all the marketing fluff that's going on is actually sort of looking at rebranding the zero trust approach as original zero trust or true zero trust and the intent there is to be like my carpet sweeper that is being sold as a zero trust devices rubbish this is actually what you need to be having to think about uh he's a hell of a character like if you ever get to get him out he loves racing he loves cowboy boots um having him in Toronto in July for the Indie race uh in a in a suede jacket and cowboy boots in 28 degree heat is quite fun good man to manage at that stage but

very smart operator and uh I had mentioned the nist piece so a little bit detailed but 2018 nist in their cyber the Cyber Excellence group within that published SP 800 207 and within that they looked at a number of principles and how you could actually Define them and apply them so this is where we get the first government look at putting together something that would be then generally available and broadly accepted and documented and run and this is the first piece of that I highlighted the one that one piece there and that's enforcing accurate per request access decisions right so again back to the identity component identity is absolutely part of what you need to be having there be it

for a resource a person or just a function and then per request access decisions need to be validated as we go through this is a foundational thing that we have there right I did reference the paper for those that need it I'll give you a minute if you need to have that the slides I believe will be available and there is a recording that we'll have that's absolutely well worth a read right for anyone that's going to embrace this approach start down this road or even better pay a consultant to come in and tell them what they should be doing around this having a foundational read in there building some understanding of what's available what you should be

thinking of we'll introduce some questions you might be able to put to people like that and based on their response you might be interviewing other Consultants or really embracing them and welcome them into your organization to do great things for you I did promise to be a little bit contentious but I was told to turn it down so I hope we've been okay here let's look to this um a couple of key callouts are we going to do the laser thingy separation of control and data plane right inputs so you know rediscovery your engine for constant rediscovery and constant inputs look at your policy structure pki inputs ID management your sim Etc but the breakout here is

separation control and data plane select your input component process it through something well that will take it through a policy enforcement Point it'll validate through policy and usually through layers of policy and layers of structure here to to give you a no no go decision based on a go decision we can then forward it on and have a sense of of propriety very simplistic modeling very simplistic look there's a great deal of detail that goes into this but I wanted this up there just specifically because it calls out that separation here and in a practical sense why how you would apply that is again looking at you know what you would commonly deal with in an

architecture perspective identity structure and Source including you know some sort of regionality Etc device and workloads again regionality where they're located what performance what they perform for us and how they operate whether they're calling to an application or providing the application Etc so data flows taking it into a context there what access type is required and then transaction right so break that out into the little chunks you can understand and build on and go forward with that so back to some of the original Concepts and thinking there the perimeter changed right so originally we looked at our organization as our piece with maybe some adjacent satellite functions that we have secured Etc but we have we have these pieces

that we secured and with time and especially you know the last three years with what happened with work from home and and the and coven the pandemic things change dramatically and so what I'm just going to paint this out what we have now is essentially a function that's that is required and available everywhere users are everywhere applications are everywhere our control of infrastructure has changed dramatically and so with that we've had to change the architectures change our approaches to meet these you know requirements concerns and objectives through there so this is a simple example my context within the company that I happen to work for is I'm actually 14 different devices within their infrastructure and so they need to have an

understanding of like what is this user's identification what certificates are on those devices what state is the device in terms of security posture like what is applied within there what controls are in play et cetera Etc and based on the the you know the communication of all those things to a control point to that decision piece to the policy structure I would be granted access to things either intern or external to the organization in accordance with making sure that you know from a zero trust perspective making sure that policy is applied correctly and so again internal users work no matter where they operate from internal of course being the old way of thinking Partners contractors work from home people Etc

all of this is in context all of this is in scope more and more the data center is actually collapsing and moving away right so I work in Canada quite extensively most the banks there have had significant you know collapsing and shrinking of data data center functionality and Personnel in favor of cloud functions more and more applications of course are directly you know accessible outside of the organization anyway current count and just a quick interest point SAS applications does anyone want to have a guess or does anyone have a sense of how many SAS applications are viably commercially available to you today someone's thrown a number oh three thousand ten it's so commercially available there are

there are entities so if you include China in what's available then you're probably in that region and what we recognize in most of the western world is about 58 000 unique SAS applications that you could potentially interact with and your users could potentially be using right or you could potentially be providing the services through and leveraging as part of your Enterprise scope so from a zero trust perspective that's a lot to take in that is not a human issue at that point I am not going to be sitting down at a device going through and maintaining currency on 58 000 applications that are growing at about 5000 applications every quarter to keep any sense of scope or

understanding of what's going on in it this is a machine issue right so here's one of the Practical intersections if anyone was here last year when I talked about machine learning for the sock here this is now in you know on the front end of the house practical application machine learning and AI in terms of making the Discrimination for you on what is going on in that scope right and so when we look at the old Define perimeter it was physical flat Network and I'm going to paint this out and then obviously talk about the other static policy so things that we would potentially apply and then never think about again like I commonly go into environments

where I'm talking to people about their architectures and I said damn this is a and I say like you know paint paint for your Landscapes tell me where the applications are tell me where your users are what cloud infrastructures you use what's in the data centers how do we use these things what are the data flows let's understand your business and how things go and they'll paint this picture of how things are and what have you and part of what will come out of that is there is inevitably device or device is within their infrastructures that have been there for decades that nobody can touch just in case something ever happens on that device right the policy that was

set there way back in the day like it might be an old checkpoint you know 3ob firewall from 25 years ago but we know that that's the Caribbean banking arm they send us once a quarter they send us this little blip of communication which is you know goes to that specific back office guy in legal don't touch it it's the only way we can work it we think it's secure we kind of hope it's secure the Auditors can't even tell us if it's secure but like just leave it that's where you get into static policy and stupidities around that kind of thing that has to change obviously uh and then generally they're network based and network-based because we own

the networks we own the infrastructures that we could kind of get our arms around the interconnect points were obviously commercially done through mpls or you know direct connections all t1s Etc back in the day and so the new is more Concepts like logical perimeter right we don't own the infrastructure we don't know where things are we own function we're on outputs we own applications right and we contract these things and they're they're amazing and I'm really hoping we kind of secure those really well because sometimes we miss on that as well and people really do um we segment the next so segmented networks these days there's not the concept of like you know the old

pictures you see of like untrust firewall trust but that's 25 years ago as a model that's even 20 years ago's model but again referencing back to 19 you know 1993 oh sorry 2003 thinking changed deep perimeterization 2009 really started catching hold 2010 John's paper this is one of the most significant things is the segmenting of the network into function right it's not region now now it's function where it's like this is the HR Network and this is the legal Network and here's my you know Payment Processing Network Etc and you start logically breaking these things up by functioning form which is far simple as obviously to to secure from a zero trust perspective Dynamic policy and again static policy

this person going to that thing for this you know for these reasons with these Security checks great never never think about it again rubbish Dynamic policy these group of ips right Office 365 these group of ips I will give my people access to these things and if they access those I will I would expect from them these inputs right or this user ID these certificates these checks on the inside checks behind the policy you know before the policy is applied and that can be dynamic so as their state changes as the IPS themselves that we're getting service from change Etc we don't have to stop the process we'd have to reinitiate a connection we can actually adjust for

these things and go forward and log those things which is useful more of a context-based mindset for my security so very specifically think about this in terms of like not ports and protocols but layer 7. so John kinderberg last year at cx-22 got up on stage about four minutes about zero trust the most important message on those four minutes was zero trust requires application Level security it's a layer 7 construct if you do import some protocols in whatever form you will never know exactly what the applications are that are processing through those and they can be obfuscated and they can change in you know they can flux while they're processing and you're just blind to that

it has to so there's context within there this is also context in terms of the data in flow so I'll talk briefly about single pass architecture but essentially what I'm saying is within your security controls is the ability to look at the stream of what's going through and make determinations of what's on the Fly there not just what's at race but also what's on the Fly and what's in motion for you class Cloud host success I've already spoken a little bit about that but just in thinking there in terms of like volume um pretty much everyone I talked to these days has SAS in in great volumes and can't get away from that and then lastly the new sort of thinking

is more of a prevention room to the mindset prevention first right this is something that's been around for at least 12 years people have started thinking more about less about here's my perimeter this is what I defend I can see it so I know I'm safe to more of like if these things happen what are my responses going to be and let's make sure we have those in place that I don't have to think about it at the time as they happen it's automated it just occurs right so xdr MDR type approaches within that as well so Architects has changed dramatically and if you look at the landscape today so I am remains a key piece right so identity is

absolutely you know Central to everything that we would do there a concept of endpoint so for the device itself not only what is the device what certificates what validation or security parameters could I check from there but the state of the device itself is tremendously useful right so no matter how it's communicated if it originates communication or it's the responder having a sense of what's there and what the state is is tremendously helpful having a sense of network security obviously just generically within there so my cloud and all the other connect pieces within there put those two together and kind of conflate them a little bit for the way today's view is you need to have a sense of all these

components and what we're breaking it down to is what are the locations we need to service from into who are the users that will be that these things will be applied for and within that what are the subgroups of users so you know again HR as an as an operational function versus you know Joey from HR with a specific function right he's the the employee helper or whatever um users as well in the context of function and code potentially for some a process that performs an output that is uniquely identifiable as well uh iot and devices as a function of that applications themselves and referencing to those obviously that's everything these days and then the iot piece and the ability

to recognize you know what devices potentially would not be measurable as from an endpoint perspective but still form some part of our function and need to be recorded and measured and monitored very carefully as part of that foreign so each line is just another Point product there's obviously a lot of confusion there's a lot of meshing of of information flows within here that's where architecture these days is so important it's critical to understand everything that communicates to everything else what the flows on Etc and I'll paint that out in a minute here and the last piece for this those single point products is a zero trust entity like it's it's not a thing it's it's it is a model it is an

approach that we have to consider here so let's talk about the concept so from the operator or the consumer's perspective focus on your business outcome so what is it the business the business requires right and is that static or is that changing like as we as we as an entity are we in flux are we developing are we changing our things change you know things changing for us but what is going to be our competitive competitive differentiators again Canadian banking is an example the cloud move is well done like people started off typically a bit of an IBM relationship to be safe but not really you know we don't want our shareholders and our users to be scared so we'll kind

of just quietly do some backup stuff in there and then gcp AWS all the other guys came online we started doing they started doing more stuff and courage grew they looked at their peers and they're like yeah we can actually do this stuff this can work data centers then obviously start shrinking trust grows with monitoring maintenance and you start to look at like what are the possibilities and then that becomes a more of a strategic thing so focus on the business outcomes what are the business outcomes that are needed to be achieved how do we get there designed from the inside out so still that mindset of we control what we can see and touch

but it's no longer in our environment this is now anywhere so if it's in the cloud and we've got Cloud instances of function and form that we're servicing to other people we have to have the design for the inside out in terms of that cloud and what it's going to do for us so this is not within our scope within our Network anymore this is now the new world this is where we we need to be thinking determine who and what needs access right so this is obviously just simplified but again what's the device where are they going what level of application awareness are we building into this thing and who is the who's the entity requesting that and

of course inspect and log all traffic so this is really simplistic there's a very straightforward approach right now if we get into the details some more so in terms of delivering this you've got to have complete visibility into what's going on so if you've got stuff that's being tunneled through your infrastructures and you don't know about it or you've got stuff that's an encrypted drive that you don't have access to right or your users are performing function with SAS apps that are encrypted that are outside of the scope of what you can maintain and run you're blind to these things well you cannot see you cannot check right you can't validate so complete visibility into all traffic

again using context so Dynamic policy requires context it requires the context of what is the application what are the sub applications that could be called within that application what other applications maybe spawned recognized or information drawn from you know um and then beyond that automating so automate the integrated sorry automated and integrated complete threat prevention capabilities within here automation again just to be able to deal with the scale of things that you see today for those of you here last year I spoke at the time of you know stock Automation and where that was going and what's what's happening within that the referencing back then I was talking in the order of about 12 to 15 billion

events a month just what we see currently is about 59 so about 5X and if you can't automate that and you can't use your automation to handle that stuff for you you just never you're never going to win you can't put people at that process alone cannot do that for you it is it is technology and automation that will do that for you then applies within your threat to landscape as well so the volume of threats what you have to face and how you have to deal with that is such that you have to have automation as part of your approach and so to dig into these just briefly complete visibility so decryption is decryption and inspection absolutely

critical you cannot embrace the zero trust mindset and build a model and get into this if you're not going to be decrypting so just quick show of hands in this room by your awareness is everyone decrypting everything they possibly can any hands at all not one right wow is anyone not decrypting because they deal with Microsoft stuff like print certificates or services that Transit their Network for proprietary encryption or is this just like a this is a thing of will of like no we don't want to touch this stuff you know common common issues around decrypt would come into things like personal medical information you know in some in some jurisdictions as well it's a human rights conversation

France Germany some parts of Canada where we can't decrypt stuff because it's very specific to the user and the user is a you know as a human entity has very specific protections around them so we can do stuff within the business context for some things but not for their own personal stuff so their health records their own financials Etc are completely to move so what that requires is if you're going to decrypt you have to have a very strong sense of what exactly is the application and where is that application reaching to and what is it Servicing so again if you don't have that you can't even start this process right so it's a bit of a catch-22 but key message

you've got to be able to decrypt you've got to be able to do it efficiently in an automated fashion as much as you possibly can context again John's words himself zero trust approach the zero trust model requires layer 7 policy enforcement because you have to be able to identify the application the core app all the sub apps that would spawn and be able to build policy such that you would say we don't like Facebook based but we like Facebook Messenger but yes we're not going to allow uploading of information from Facebook Messenger we'll only download or whatever your whatever context would be that you'd need to apply that's what you would then build from here

and again on the threat protection side take that prevention first approach right so if we see something we know it's a problem and it's been seen somewhere else and it's validated let's not let's not do it you know just simple context there like let's take a DNS example while users reaching out to something spawns a DNS request DNS request goes out my resolver goes oh I spoke to the DNS security thing right here I said a millisecond ago and we've seen that somewhere else and that was a malicious domain serving ransomware let's cut that communication off and start again notify the user maybe if you want to but otherwise just cut that stuff off and

let's carry on and so that prevention first mindset the prevention first approach comes into there and of course ongoing monitoring is absolutely critical again this is a journey this is not we don't go from here to there you know 0 to 60 and you know 3.5 and then the job's done and we get my bonus on bugger off this is all about an ongoing practice right and the single pass architecture is just referencing the ability to make a group of decisions in one flow so as we see the stuff flow throughout you know through the cloud through your Technologies Etc that a decision can be reached such that the policy is applied once because what will happen is if you

potentially have a firewall over here that does this for me and I've got a VPN technology over here that does this for me and I've got a URL filtering thing over here that does this and here's my DNS stuff and there's my cloud protection and there's the other Cloud's projection and stuff's going to Transit all of that as individual decision points contention is going to come into play you're going to run into latency issues you're going to run into problems in terms of logging and monitoring and be able to decipher with something went wrong all right depending on what you need to record and that can become an issue for you so having it having a

policy structure having an architecture that supports having a single policy with a single logging Source if possible be it whatever you're going to use on the on the bottom end to collate this information and give you a meaningful output that's that's absolutely critical so a quick word on the learning curve because obviously I'm talking about a lot of broad stroke stuff here let's get into this so protect surface and you know the the concept of like how difficult this will be and how much time it would take and so essentially how it's how we look at this I'm just going to flick through a little bit as with everything we embrace the concept we charge down the road we study

like mad up all night weeks on end and we start figuring out what we need to do and by the time we reach we reach a stage where we're decent practitioners with this it becomes fairly straightforward almost automatic and we usually then fall asleep at the switch and some degree in kind of things might fall off a bit that's not what we're describing here that's not this phase what I'm saying here is there will be an initial phase where you'll start defining hey this sounds interesting that guy spoke about this thing in the conference we should really think about that how do we go about it and that'll be this phase here and it's literally this

we'll talk about protect surface as essentially a function that you need to protect from the pieces that I've already spoken about and using the pieces I've already spoken about and what you'll have is you'll have a learning phase we all say why don't we start this out with X right we're going to do this for salesforce.com for Access for just our sales group accessing that SAS app here's what we're going to do we're going to take that application we look at the flows we'll build an architecture that supports full security with zero trust modeling and mindset to do this and we might approach that from here and work our way through that learn some lessons we've got it cool

we've got that pinned down, we're going to go into ongoing monitoring, we will come back and readjust as they adjust, and we adjust in terms of how we resource it and how they supply it. That's great, and we'll move on to the next. And so you'll go forward and build a few, you know, build some scars, get some scars, build a few experiences, and in time that will become something of a practice, right? You'll sort of feel comfortable, like this feeling a bit bold, courage is strong, the ball's padding on the back of the head, carry on. And what will happen in time is you will then reach the crown jewels, right? You'll get to the

stage where you're like, I'm happy about this stuff. The stuff I was really scared about, that nobody should ever touch because it'll cause us trouble, and that's a career-limiting move and a resume-generating event, we will now take this on and go forward. And when that's successful, then it just becomes sort of an ongoing process to that point. So this is almost the excitement trajectory: oh my God, I can't believe I'm actually doing this; oh my God, I can't believe I'm actually succeeding; well, let's take on everything; and then it's like, yeah, I'm an old head at this, I'm really just going to go and work for one of the consultancies and, you know, make fortunes doing

this for someone else, right? Sorry, a little bit cheeky, I know, but it is what it is. This is kind of like the timeline; this is obviously the expectation of the hype cycle behind some of the stuff as well. I love this because it allows me to be a little bit naughty with it, but that really is how that approach starts. It's really just the learning phase to begin with: start with something small, something that's manageable, something you think you understand, because I'll guarantee you that when you start down the process of actually building the architecture and looking at these things, things are going to come out of left and

right field that you have no idea about, that you've never even considered are going to be a problem for you. Absolutely they are, and you can nod your heads in acknowledgment at this point. Things are going to happen that you had no concept of, that you need to be aware of, and you'll have to be adaptable and jump on the fly and make things happen. Those lessons, even in here, will inform the success of what comes later. Obviously this is just natural. And so we like to talk about a five-step methodology for zero trust. Well, define the protect surface, so again, look at, you know, what is it I'm going to protect, what is the architecture, how are

we going to draw these things together? Start thinking about the transaction flow: where is this service from? Oh, it's a cloud service, okay, what does that mean for me? I'm on an island; does this mean this is a New Jersey thing or is this a Jamaica thing for me? Like, you know, let's start thinking about this and start building up what does that mean, how is it practically applicable to what we need to achieve here, right? Look at the application flows in terms of who's reaching out to these applications, and again, how do we validate them, the devices they're coming from, are they operating in regions which we want them to operate from? Amazing example:

the whole Russia thing kicks off. One of our biggest partners, our biggest global partner, gets hold of us and says, we've got to be out of Russia in 90 days. How the hell do we do that? Well, because theirs was an architecture that was a zero trust modeled architecture, we could very simply, dynamically, shut that down overnight. Kind of cool to be able to do that if you need to. Not an everyday kind of occurrence, though, but if it's well thought out, it's very flexible. So, architecting the zero trust network, creating that zero trust policy, right, eliminating implicit trust as we go through all these processes, and we start thinking about things, and then lastly, monitor and maintain.

This is almost the most critical piece of it, because you can build great stuff, you can have an amazing thought, you can have brilliant teams put the stuff together for you, incredible consultants come and validate that you've done amazing things, the board can high-five, and if you're not keeping an eye on it, something will change and you're going to land up with egg on your face. Invariably, you look at the examples of the breaches that occur these days: they're not occurring in places that have no protections, they're not occurring in places that aren't well consulted, fully audited and everything else. What's going on is environments where something slipped in terms of updates, currency, etc., and things weren't monitored and maintained.

The best example of this, the best example, is still what happened with Target. Old example, but I just love the fact that the alert is seen and the alert team in India notifies the guys and says, well, problem here, and they're like, yeah, we're busy, we'll get to that, until it was too late, right? This is such a critical part of your zero trust approach; I can't highlight that enough. So that five-step methodology, I'm going to really quickly go through just a couple of things now. Defining the protect surface, and I want to paint this out as we go: discover and classify, right? What data are we talking about? What are my assets? What assets do I own?

What do my partners own? What have I contracted to in terms of assets as a service? Functionally, what applications are we using and where are they? What services do we use within those applications? Probably not using all of them; you know, unless you're paying Salesforce off a million bucks a month, you wouldn't be using everything they offer. So dig into what's available and functionally useful to you in there. Map the transaction flows, right, and where possible use an automated tool or tooling that'll paint some of this for you. Understand how data and applications flow, what systems they use, networks they interact with; so what are the connect points for all of those? Architect the zero trust network, right:

it's a segment. Ensure your enforcement points are enabled, right, with shared policy and consistent policy if possible. So again, consistency of policy across your entire infrastructure would be useful. Simplify your management, and centralized management, if what you're looking at is you have a multi-vendor approach, right? Defense in depth, it used to be called, so I have an XYZ firewall and I have an ABC firewall and I keep those things separate, and that's maybe my approach: that I'm going to have these two things doing a discrete function, similar but discrete function, and the intent is that if something makes it through A, B is going to catch them. There's still a lot of that going on;

it's still very much a legitimate approach, as long as you simplify your management, or at least the logging, maintenance and review of those things, because if that's disparate systems that feed to disparate log structures, or different, you know, and don't feed the SIEM correctly, it's just double your work at that point; it's really not buying you an awful lot. Build an architecture with performance and scalability in mind. To that end, a lot of what we're talking about now in the North American context these days is very much a cloud conversation, right? For folks to host on-prem capability is just operationally expensive, you know, in terms of overheads, etc., maintenance, currency; there's

just too much involved. It's far simpler these days for that just to be a cloud thing, which is interesting. Create a zero trust policy, and here I'm just going to go straight to the bottom. The Kipling method is talking about the who, what, where, when, why and how, right? So if you look at those there: the who, an employee on a company-managed asset, great, it's Garry on the corporate laptop, on his MacBook. What's going on? He's accessing source code. So the subtext of what's happened there is, because I'm accessing source code, I've used Okta; so I've used my AAD to log into my system, I've used Okta to log into a landing page, and in this case

I'll probably use PingID to get to the source code, right? Multi-factor, validating each step of the way. When: normal working hours, okay, good. Where is he going? He's going to our GitHub repository, that's protected in some form, right? Why: it's my job function, business justification, right? This is part of my job, that I need to be looking at that source code to validate how I could use that for my customers' best benefits. How: full inspection and decryption, so decrypting anything in terms of the flow to understand what I'm doing, when and how, and to see my read and write privileges. And at this point the action: allow,

allow and record, deny, deny and record, etc., right? Or just send a warning page, like, go away, you don't have access to the system, whatever it would be. Again, monitor and maintain: continuous monitoring, continuously using that monitoring, that output, as an enhancement cycle. Again, this is not a start-to-end thing; there's a continuous evolution, and that's where we come to use security analytics to quickly identify and record threats and act on those, and adjust your model accordingly. Don't just respond to the threat thinking that one day I'm going to get back to that, just to patch that thing and rewrite that; do it immediately. And then lastly,

there's a wrap-up here. One of the most critical things about this, within this journey, is as you process through that discovery phase, you know, kind of being capable, doing the crown jewels, etc., as you embrace zero trust as a model, as you embrace this approach and you go through all of this, please always keep in mind your view is biased by what you see and know. There will always be people out there that can give you a third-party view that obviously will have value in terms of their experiences within your industry, your peers and wherever else they've been and seen; they'll be able to give you a decent commentary on what

they've seen. So trust assessment, I would argue, has got to come from the outside, right? You have to have relationships with your auditors and others that are going to come in. Are you going to be able to validate what you've taken on, how you've approached it, what it's doing for you, and make sure that it's meeting all those criteria all the way through? Not just the logging and monitoring thing, but literally all the way through. So I want your assessors to come in, look at how you do device ownership, look at your quarantine and check, right, location-based stuff, your compliance checks within there on your user side, application identification, what actually, you know, how are you doing

that? Your user identification: what tree of decision do you have for a primary user, an enhanced user, secure user, etc., as you break through all those different things in IAM? When trust decisions are made, how short was the time frame on those, and how do you revalidate that they're shut down? All right, just a simple thing some people miss. On the access control piece: basic access controls, continuous monitoring, and then trust level changes, and again, within here, how do you account for these trust level changes as your applications shift and they might call information from other parts, right? So we've got information going into a web form that's calling something in a database; is that

accounted for? Like, make sure that that is part of your modeling and you've got that stuff covered. So that is what I wanted to cover today; that is the intent of it. At this stage I'd welcome any questions, please. Oh,

everyone's still awake, that's damn good. Nobody's buying drinks then, I guess. Sorry.
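The Kipling-method policy and the allow / allow-and-record / deny-and-record actions described in the talk, together with the "shut a region down overnight" example, as an added illustration that is not part of the talk or of any vendor's product. Every identity, region, rule and sample request below is constructed for the example; the point it shows is that a request is described by who, what, where, when, why and how, only explicitly matched rules grant access, anything unmatched is denied and recorded, and a region block is a single operator change rather than a rewrite of the rules.

```python
"""Constructed Kipling-method policy: who/what/where/when/why/how per request,
explicit rules, default deny-and-record, dynamic region blocking."""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, List, Tuple

ALLOW = "allow"
ALLOW_AND_RECORD = "allow-and-record"
DENY_AND_RECORD = "deny-and-record"


@dataclass(frozen=True)
class Request:
    who: str            # identity asserted by the IdP (constructed value)
    device: str         # "managed" or "unmanaged"
    what: str           # resource class being accessed
    where_from: str     # ISO country code of the client
    where_to: str       # destination service
    when: datetime      # time of the request
    why: str            # business justification tag on the request
    how: str            # "inspected" when the flow passed full inspection
    mfa_steps: int      # distinct MFA validations on the path so far


@dataclass
class Rule:
    name: str
    match: Callable[[Request], bool]
    action: str


# Regions refused outright. Mutable so an operator can change it at runtime,
# as in the "out of Russia in 90 days" case; starts empty (constructed).
BLOCKED_REGIONS = set()


def business_hours(t: datetime) -> bool:
    return t.weekday() < 5 and 8 <= t.hour < 18


def source_code_rule(r: Request) -> bool:
    """Who: employee on a managed asset. What: source code. Where: GitHub.
    When: working hours. Why: job function. How: inspected flow, 2+ MFA steps."""
    return (r.who.endswith("@example.com") and r.device == "managed"
            and r.what == "source-code" and r.where_to == "github"
            and business_hours(r.when) and r.why == "job-function"
            and r.how == "inspected" and r.mfa_steps >= 2)


def public_docs_rule(r: Request) -> bool:
    return r.what == "public-docs" and r.how == "inspected"


RULES: List[Rule] = [
    Rule("blocked-region", lambda r: r.where_from in BLOCKED_REGIONS, DENY_AND_RECORD),
    Rule("source-code-access", source_code_rule, ALLOW_AND_RECORD),
    Rule("public-docs", public_docs_rule, ALLOW),
]


def evaluate(r: Request, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """First matching rule wins. No match means deny-and-record: nothing is
    granted that the policy was not explicitly told to grant."""
    for rule in rules:
        if rule.match(r):
            return rule.action, rule.name
    return DENY_AND_RECORD, "default-deny"


def decide_and_log(r: Request, log: list, rules: List[Rule] = RULES) -> str:
    """Apply the policy and append one structured record for every decision
    whose action asks for a record, so the single log source stays complete."""
    action, rule_name = evaluate(r, rules)
    if action.endswith("record"):
        log.append({"who": r.who, "what": r.what, "from": r.where_from,
                    "to": r.where_to, "when": r.when.isoformat(),
                    "rule": rule_name, "action": action})
    return action


def block_region(country: str) -> None:
    """Operator action: add a region to the deny list without touching rules."""
    BLOCKED_REGIONS.add(country)


# Constructed sample requests
WORKDAY = datetime(2023, 5, 10, 10, 30)      # a Wednesday morning
garry_src = Request("garry@example.com", "managed", "source-code", "KY",
                    "github", WORKDAY, "job-function", "inspected", 2)
garry_late = Request("garry@example.com", "managed", "source-code", "KY",
                     "github", datetime(2023, 5, 13, 23, 0),  # Saturday night
                     "job-function", "inspected", 2)
contractor = Request("sam@partner.test", "unmanaged", "source-code", "KY",
                     "github", WORKDAY, "job-function", "inspected", 1)
ru_src = Request("olga@example.com", "managed", "source-code", "RU",
                 "github", WORKDAY, "job-function", "inspected", 2)

if __name__ == "__main__":
    audit = []
    for req in (garry_src, garry_late, contractor, ru_src):
        print(req.who, req.where_from, "->", decide_and_log(req, audit))
    block_region("RU")
    print("after blocking RU:", decide_and_log(ru_src, audit))
    print(len(audit), "decisions recorded")
```

The "monitor and maintain" step of the talk is what consumes the `audit` list: the same record structure goes to the single log source regardless of which enforcement point produced it, which is what makes the later security-analytics review feasible.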

Hi Garry. Hey. Quick question, so with threat and bad actors, both internal and external, yes, obviously third party as you've mentioned, with zero trust security, how can you ensure that your service provider can be trusted? And if your service provider is protecting you, who is protecting them? What are your best practice recommendations in terms of backup to protect you and your business? I love that. So the key thing about when you're talking about zero trust modeling is the modeling is not just for you and your entity and what you do; it's also for anyone that provides you service, anyone that provides you function. It has to be applied equally within their infrastructures and you have to

understand those things. So just like the cloud relationship is a simple one: it's like, hey, Google's giving me these functions, that's great, and they're telling me that they're SOC 2 certified, which is kind of nice to know, but I don't really trust that. What else can we talk about? And at that point it's a discussion with your provider on what does that actually mean to you: like, where do you draw your personnel, how are they validated, how often can we review this with you, do you report regularly? And get into those things as well. Yeah, it's critical, and any application, any controls you apply internally, you have to apply

to them as well. Yeah, and if they don't, then you can obviously put them into a categorization in terms of how they access things with you or through you that is severely restricted. Yeah. Is that cool? Thanks. Hi, I want you to clarify your comments on decryption. Yes. Because I can see where, if you decrypt everything, that could be a lot of problems, because what you're doing is that you are saying that you're providing an automatic mechanism for a back door, and once a back door exists and people know that the back door exists, elements, various governments around the world, can ask for the back door. That's a,

that's an excellent question, and the answer there is that when I'm talking about decryption in this context, I'm thinking about SSL, TLS, potentially SSH in some function; it's very limited, but some people do that as well. But it's intentional that we decrypt in the single-pass architecture, so what happens is the decrypt happens when we do the security inspection and it's re-encrypted in software, in process, in a secured module before it's passed out. And the key thing is, when you engineer that, you have to engineer it in such a way that that module, and everything, and the memory that's used in that, is separated from every other function. Yeah, so it's not completely flawless;

there is still potential there, but you reduce that as much as you possibly can. So my final comment on that is just, you know, you have UEBA, so if you have that in place you don't necessarily have to decrypt, right? The only reason why decrypt is essential... Yeah, no, so from the user behavior perspective that's really useful, and I'd agree with that as a principle, as long as the application the user thinks they're using is that, right? If something's been compromised, I'll give an example: one of the Canadian universities phones me at 11:30 on a Sunday night and they say we've been hit by ransomware, we've got 300 servers that

are still up, but everything else in the data centers is hosed, right? So they still have function carrying on in the environment, but now at this point they don't trust anything, as they shouldn't. At that point UEBA would tell us what users are doing, what behaviors are going on within there, which is useful, but we don't have an assurance that the applications they think they're using are sound, and that's where the decrypt can come in and say exactly what it is and what it's not. So it's nuanced, but it's useful. Yeah. Good. Yes, sorry, he's looking at the back. I'm sorry, I was in the wrong blue shirt. Yeah, this is a general question: is

there any case studies published that you would consider to be a best practice implementation of zero trust? So I'll say the original 2010 white paper that Forrester published, on the sort of principles of the model and how it should be applied, is really useful. That NIST paper I referenced is very useful in terms of actually a more practical application of that. Yeah, those are the two that I would say are foundationally very good to start from. Because I know about a restaurant, but you hear a lot about principles, but the actual practical implementation... So the challenge there is, if you think about the five things that I want to look at

for building the model for you, it would be what is your application, what are your users, where are they, how do we build that architecture around that specific instance? So while there are anecdotal references to people that have built these models, that are maintaining them, whether that's good or bad is never published in the articles. Yeah, that's where I'd reference back to getting the verifications that... Yeah, yeah, it's kind of a weird, it's a weird sticky thing for that. I agree. Cool, thanks very much everyone, have a great day.