What is Zero Trust Model | What is Zero Trust Architecture | Principles of Zero Trust Security | ZTA

Description:
Welcome to my video titled "What is Zero Trust Model | What is Zero Trust Architecture | Principles of Zero Trust Security | ZTA." In this video, we'll explore the concepts of Zero Trust security, Zero Trust Architecture (ZTA), and the principles that form the foundation of this approach.

Zero Trust Model is a security model that assumes that no user, device, or network is inherently trustworthy. Instead, the model requires continuous verification of all users, devices, and applications attempting to access resources within a network.
Transcript
00:00 Bismillahirrahmanirrahim, Assalamu Alaikum, welcome back
00:03 and there were a lot of requests to make a video on ZeroTrust
00:08 ZeroTrust Architecture, ZeroTrust Firewall, ZeroTrust Network, ZTNA
00:15 So I said let's do this one
00:17 Before starting this, let me tell you that ZeroTrust is not a Firewall
00:22 It is not a server, it is not an application, it is not an antivirus
00:28 ZeroTrust cannot be implemented with a piece of new technology
00:33 It is not a new black box that you have installed in your network
00:37 and you say that now my ZeroTrust Network is ready
00:41 Let's make that point very very clear
00:43 Let's start further
00:45 First of all, the story of ZeroTrust started in 2010
00:51 It seems like 10, 12, 13 years have passed but this story is still going on
00:56 A person named John presented this theory based on some research he was doing
01:03 that ZeroTrust is not a product
01:05 It is not a product
01:07 Based on this, the concept was that the notion in our mind is the concept of border and perimeter
01:15 Because we used to talk a lot about perimeter defense
01:18 We used to talk about it in 2004
01:21 I remember very well that we were talking about it in 2008-2009
01:24 Till 2010, we used to talk about perimeter defense, VPN
01:27 In fact, if you go back 2 years before COVID
01:30 We had an outside network and an inside network
01:33 Outside is a bad world and inside is a good world
01:36 It was a concept like a castle
01:38 Anything that is outside is malicious, anything that is inside is protected
01:44 This concept came in 2010 and Google started working towards it
01:51 The concept was that the outside and inside world should be finished
01:56 Now we have to move towards ZeroTrust
01:58 ZeroTrust means that we don't trust anything
02:01 Whether you are sitting inside my house or outside
02:05 Let me take a very simple analogy
02:07 A person in your office is wearing a badge
02:10 There is a badge called Asif
02:11 You don't know that it is his legitimate badge
02:13 HR didn't fire him this morning
02:15 We will talk about that
02:16 A little bit of history
02:18 We already knew about the notion of outside and inside world
02:22 Eventually, in 2010, this idea floated
02:26 There was a research institute called Forrester
02:32 On which he was working
02:35 Almost 2 years ago, NIST issued a statement
02:39 SP 800
02:40 Let me write it down
02:42 Let's see if we can grab a pen here
02:47 SP 800-207 document
02:52 Defined ZeroTrust architecture
02:54 Which is a very very good document
02:56 In 2021, the White House also issued a statement
03:00 It wasn't just about technology and architecture
03:03 Normally, when a person breaches the perimeter of your network
03:07 No one would come inside and stop him laterally
03:11 In 2022, there is an institute called CISA
03:14 It is a US institute
03:16 A couple of months ago, I was in US
03:19 I met a CTO of that institute
03:22 They issued a second version of Cloud Security
03:25 Technical Reference Architecture
03:28 They also talked about ZeroTrust
03:31 Now, we are talking about ZeroTrust Extended
03:36 ZTX
03:38 The whole story is the same
03:40 So, there is no need to worry
03:42 If someone puts ZeroTrust firewall or ZeroTrust antivirus
03:45 Then there is no need to worry
03:47 The purpose is that after today's 10-15 minute session
03:51 You will have a very clear understanding
03:53 So, the concept goes
03:55 Asif comes with an office badge
03:57 1. Do we trust him who he says he is?
04:00 He says, I work in facilities
04:03 Your AC is not working
04:05 So, you trust him
04:07 You don't have to trust him
04:09 ZeroTrust says, you don't know
04:11 So, the very fundamental principle is
04:13 Never trust and always verify
04:15 That this is the person's picture on the badge
04:17 And you have some other mechanism
04:19 How will you verify from HR that this is not the person?
04:22 Or HR's responsibility to physically escort the person
04:25 We are not going into that domain
04:27 But just to give you a very high-level picture
04:29 Least privilege
04:31 We know all this
04:33 We have been talking about this in layer defense for a long time
04:35 And the third thing is
04:37 Assume that there is a breach
04:39 Assume that Asif is suspicious
04:41 If you are developing an application
04:43 The portions of the application working in the middle of the application
04:47 A request comes out of a Docker container
04:49 And goes to another Docker container with an API request
04:51 So, you make sure that
04:53 You are authenticating
04:57 And we will talk about authentication in a while
05:01 So, the fundamental principle is
05:03 Never trust and always verify
05:05 If we give an IP address to Asif
05:07 10.1.1.1
05:09 He is trusted
05:11 He is our master admin
05:13 And if his machine is compromised
05:15 Then the whole network will be in a tight spot
05:17 So, these concepts
05:19 We have eliminated
05:21 This is an inside network
05:23 That's why we trusted him
05:25 This is an outside network
05:27 That's why we didn't trust him
05:29 These people call it a strategy
05:31 I call it a mindset change
05:33 There are three things in this
05:35 User
05:37 That whatever he is saying is coming
05:39 Device
05:41 What is that device
05:43 Do we trust that device
05:45 Are there right controls on it
05:47 And application
05:49 These are inside and outside
05:51 Concepts
05:57 These three identities are very important
05:59 User, device and application
06:01 These three things
06:03 You don't have anything else
06:05 User's step one
06:07 Zero day effort
06:09 Call it a strategy
06:11 Stronger authentication
06:13 Identity
06:15 And least privilege on application
06:17 This is the policy
06:19 Integrated with user's device
06:21 This user came with this device
06:23 Before
06:25 Whether this device is outside or inside
06:27 I don't care
06:29 My important concern is
06:31 Is it patched?
06:33 Is it integrated with Azure AD
06:35 Is AV installed on it
06:37 Are there latest security controls on it
06:39 Log monitoring
06:41 After that, application comes
06:43 And application
06:45 Implicit trust
06:47 Various components within the application
06:49 For example, I have an application
06:51 For example
06:53 It gives me a numerical
06:55 Output
06:57 And second component
06:59 Of this application
07:01 A and B
07:03 It gives me an image
07:05 I give this numerical value
07:07 In this and it gives me
07:09 Image in output
07:11 And
07:13 The thing is
07:15 When a developer or set of developers
07:17 Are making an application
07:19 They don't do authentication
07:21 As a hacker, I enter this application
07:23 And start transferring numerical values
07:25 From which output image is given
07:27 And it is not validating
07:29 Why is it sending me this information
07:31 I have made up
07:33 What numerical value will be there
07:35 Instead of which image will be there
07:37 This barcode is being printed
07:39 Which allows you to go to a show
07:41 Giving an example
07:43 Infrastructure
07:45 Router, switch, cloud
07:47 IoT
07:49 Supply chain
07:51 Third party vendor
07:53 Air conditioning facility
07:55 Breach
07:59 Must be
08:01 They all need to be addressed
08:03 Zero trust strategy
08:05 Zero trust approach
08:07 Zero trust mindset
08:09 This is a very good document
08:11 It is a 5 minute read
08:13 Visibility, automation and orchestration
08:15 Microsoft is selling its stuff
08:17 But leave that
08:19 Around zero trust
08:21 There are some key technologies
08:23 Like we talked about
08:25 User application and device
08:27 Here it is expanded a little
08:29 Identity
08:31 When an identity tries to access a resource
08:33 If there is an identity
08:35 I bring it
08:37 I have put a card in the ATM card
08:39 I want to access a resource
08:41 Verify the identity
08:43 With strong authentication
08:45 We are not talking about username and password
08:47 Multifactor authentication
08:49 With number matching
08:51 If number matching is not implemented in your company
08:53 Try to do a number matching
08:55 What is it? Multifactor authentication
08:57 Google it
08:59 Many companies are using physical tokens
09:01 YubiKeys
09:03 After that
09:05 Endpoint
09:07 Bring your own device
09:09 Whatever the situation
09:11 Security
09:13 Data
09:15 Data is in your company
09:17 If leaving the company
09:19 It should remain safe
09:21 Classification, labeling, encryption
09:23 Restriction, attribution
09:25 Whatever you want to do
09:27 There are many applications
09:29 In many applications
09:31 There was research in the last few days
09:33 Microsoft
09:35 Or Verizon
09:37 Lifted and shifted
09:39 Cloud application
09:41 You picked it up from on-prem
09:43 And took it to the cloud
09:45 And its API authentication is not happening
09:47 Hacker came to your network
09:49 And started lateral movement
09:51 There are many breaches
09:53 I don't want to name them
09:55 A person compromised an account
09:57 From that account
09:59 He saw password vault
10:01 Master password
10:03 He made this vault
10:05 Master password
10:07 He identified it
10:09 API call was happening
10:11 He authenticated
10:13 He got all the passwords
10:15 He is sitting on the company's network infrastructure
10:17 He is eating breakfast
10:19 He is running your network for you
10:21 He knows your network better than you do
10:23 Now
10:25 Let's move towards
10:27 Network security engineer
10:29 Firewall
10:31 Palo Alto
10:33 ZTA
10:35 Principle
10:37 Firewalls are the first line of defense
10:39 Again
10:41 I don't know what will happen in the future
10:43 Microsegmentation
10:45 According to the security
10:47 You can do further segmentation
10:49 User ID
10:51 This is user ID
10:53 Context
10:55 Device health
10:57 This is personal device
10:59 Do I want to bring it in my core network
11:01 Which section of the core network
11:03 Do I want to bring it in
11:05 Routers play a very important role
11:07 Policy based writing of different microsegments
11:09 Your segment
11:11 Is not just a big VLAN
11:13 You can further segment it
11:15 IoT
11:17 Operational network
11:19 IoT network
11:21 Further segmentation
11:23 So that the lateral movement of the hacker
11:25 Can be minimized
11:27 If he is in one segment
11:29 He has to go from one segment to another
11:31 This is the job of network security engineers
11:37App developer has its own responsibility
11:39App developer's fundamental responsibility
11:41Every time there is a request
11:43Zero trust
11:45He says I have to authenticate
11:47Then I will authorize
11:49Then I will give you access
11:51If the IP address is coming
11:53My application is running in my own container
11:55The container has been compromised
11:57This approach is very important
11:59This document
12:03I have copied this diagram
12:05On NCSC website
12:07We will discuss its principles
12:09In a while
12:11Inside this diagram
12:13A few things are very important
12:17These are different signals
12:19A signal is coming from your identity
12:21A signal is coming from device health
12:35A signal is coming from device health
12:39What happened?
12:41Pen
12:43A signal is coming from device health
12:45How is the health of your device
12:47Time and zone is coming
12:49Where are you logging in
12:51Impossible travel
12:53Impossible travel
12:55These three different signals
12:57Identity
12:59Identity services
13:01I am not dropping any product
13:03Device configuration
13:05Maintenance
13:07Health monitoring
13:09All this information
13:11Is going to your policy engine
13:13Policy engine
13:15Is getting a policy
13:17That no one
13:19Can log in from Russia
13:21After 6 pm
13:23Or in our environment
13:25Not after 6 pm
13:27And with this
13:29You have another information loop
13:31Which is called
13:33Historical information
13:35No one can read this
13:37Historical information
13:39I call it
13:41Historical information
13:43With advanced learning
13:45You have this
13:47In your policy engine
13:49Continuously evolving
13:51Continuously learning
13:53Maintaining
13:55Continuously learning
13:57Maintaining
13:59Enforcing policies
14:01Policy enforcement
14:03One user
14:05Says that
14:07I need
14:09Kashif's national insurance number
14:11On HR database
14:13From where is this person logging in
14:15Is his username and password
14:17Multi-factor
14:19Identity services verified
14:21He is not talking to each other
14:23He is talking to policy engine
14:25From which device is he logging in
14:27He is logging in from mobile
14:29Mobile is in UK
14:31And at this time
14:33Last time he logged in
14:35And the policies you have to implement
14:37And eventually he says
14:39My trust level is around 80
14:41And he is logging in from China
14:43Irrespective of his identity
14:45I want to reject him
14:47And if he says
14:49I think this is right
14:51Based on all these signals
14:533 signals, 4 signals, 5 signals
14:55And after that
14:57If he requests access
14:59He can take Kashif's HR national insurance number
15:01National insurance number
15:03Is a number in UK
15:05I don't know about Pakistan, India
15:07And other countries
15:09This is a number
15:11By which your payrolls are maintained
15:13Okay
15:15 National center of security
15:17 National cyber security center
15:19 Shameful, I don't know it
15:21 Okay
15:23 He has taken out 10 principles
15:25 I will quickly skim it
15:27 Because I am mindful of time
15:29 I gave myself 15 minutes
15:31 Application is built in support of zero trust network
15:33 Know your architecture
15:35 Know your user device and services
15:37 Create a single strong user identity
15:39 Not multiple identity
15:41 Like IAM concept
15:43 Strong device identity
15:45 Authenticate everywhere
15:47 Know the health of your devices
15:49 And services
15:51 Whether your device is fully patched
15:53 Antivirus
15:55 Focus on monitoring of devices
15:57 And services
15:59 Set policies
16:01 Control access
16:03 Don't trust the network
16:05 Zero trust network
16:07 Zero trust network
16:09 Zero trust
16:11 Smart security
16:13 Smart security
16:15 By removing
16:17 Implicit trust
16:19 Validating
16:21 Every digital interaction
16:23 Implicit trust
16:25 Trust
16:27 Validation
16:29 Checking
16:31 Every digital interaction
16:33 Every digital interaction
16:35 This is a very fundamental saying
16:37 By me and ChatGPT
16:39 Smart security
16:41 By removing implicit trust
16:43 And validating every digital interaction
16:45 That's the fundamental thing you need to remember
16:47 If you are going today
16:49 After 15 minutes
16:51 Fast forward everything
16:53 Whatever interaction
16:55 Security review
16:57 Threat model
16:59 On every transaction
17:01 Make sure
17:03 User access request to the data
17:05 Or any service
17:07 Which is a digital interaction
17:09 Need to be validated
17:11 Be happy
17:13 Remember in prayer
17:15 See you later