Thanks for joining the session today. Today we are going to talk about zero trust. Zero trust has become one of the latest buzzwords in security, or cybersecurity. So it's imperative to understand what zero trust is and what zero trust isn't. So without further delay, let me share my screen and start talking about zero trust, especially in the cloud, when we are all talking about moving to the cloud.

Before we deep dive into the topic, let me brief you about myself. I'm Vandana Verma Sehgal. My day job is with one of the multinational companies as a product security architect. Apart from that, I root for pro bono work. I'm one of the global board of directors for OWASP. OWASP is the Open Web Application Security Project. Apart from that, I also root for diversity initiatives, wherein I've trained over 4,000 women around the world on cybersecurity. And I run an organization called InfoSec Girls; I'm the president of InfoSec Girls. I also work with multiple other communities to bring diversity into cybersecurity.

This is what we call the traditional security model. We assume all the good guys, all the good people, are inside the castle and all the bad people are outside. It's like a castle, wherein the castle is protected by a lot of people outside and everything inside is all good. This approach lacks the depth and breadth which we need, especially in the dynamic digital world we are in. So the castle-and-moat model ensures cyber defenses against external threats, but no defense against insider threats. Those who have access to the organization or internal network, or have gained privileges or internal access, can actually steal the credentials. And how about if there is an admin whose credentials get lost? What will happen?
So anyone who's inside the network can move around in the internal network, or in the organization's network, and can perform any task. This might look similar to you, especially when we all have work done creating all these network diagrams, understanding the architecture, all the segregation between the firewalls. So under this particular trust model, it is assumed that a user's identity is never compromised and that we are all trusted, or supposed to act responsibly. But can we do that? Can we trust everyone, or anyone?

So in the traditional network security model, it was all segregated by the different firewalls. There were different zones, each contained by one or more firewalls. Each zone is granted some level of access, and that determines the network resources, access or permissions. So through this model, protection is given by building multiple lines of defenses that an attacker must get past, especially before getting into the network, while possible insider threats are not taken into consideration. So this trust model continued to be abused. The traditional castle-and-moat model of cybersecurity is no longer able to combat the modern cyber threats that we are dealing with, all the APTs and whatnot we are dealing with nowadays.

So the question arises: trust insiders? What about the threats which are caused by the insiders? Only one door? Because, let's say, if someone loses their credentials, anyone can come and access it. Is it practical? I don't think so. We should protect everything from outsiders, but how about the cost of protecting non-critical information? It's a huge amount of money.

So the current landscape has also changed. In the old model, network packet firewalls were there to protect and tightly control the network. All traffic could be traced back and could be marked as insider or outsider traffic. But this has changed over the years.
And especially when the workforce has changed and moved outside: right now we are all working from home. It's been so many months, we are all working from home. And we are all connecting to the network from outside. We're all dependent on some other technology which can connect us to the office network. So especially when we talk about business trips, we are all remote, like we are right now. So how can the internal network actually be protected? Or how can the organization be protected?

And especially when we say that today's network is different, privileged access not only covers the infrastructure, databases and network devices, but is extended to cloud environments as well. We are all talking about hybrid environments, multi-cloud environments, some sort of managing SaaS environments. So how should we handle all of those things? It also includes big data projects. It must be automated for DevOps. And it now needs to cover hundreds of containers or microservices to represent what used to be a single server. So you can see that everything has been modified. Everything has changed.

And as I said, on top of this, we now live in a world of advanced persistent threats, or APTs, that create a growing and changing risk to organizations' financial assets, intellectual property, and reputation most of all. Expanding access and obtaining credentials is an essential part of most APTs. Talk about 80% of the steps, or data breaches, happening because of privileged access abuse or credential abuse. So access has become a kind of crown jewel for any organization over the years.

Let's talk about some breach statistics. We are spending so much money on security products each year, or creating or setting up the security team in our organization, but we're still actually less secure. Zero trust provides a better framework to look at cybersecurity and rethink the way we are doing security.
As per Cybersecurity Ventures, the cybersecurity cost, which was $3 trillion in 2015, will now be $6 trillion in 2021, or maybe more. The average cost of a data breach would be 3.62 million; that's a huge number. And that's quoted by the Ponemon Research Institute. And there's new research that has come up recently. Now, as I said, there's another research by Forrester, which estimates that 80% of data breaches happen because of privileged access abuse. That's a good number. That's a huge, huge number.

So these figures come despite organizations spending a lot on cybersecurity. And there are more and more efforts going into cybersecurity or securing the organization. But the worrisome picture comes when we talk about an organization which has been breached once, and then that happens not just once, but multiple times. We are spending more money, but we are becoming less secure. How come that's happening? We're spending money on tools, people and whatnot. But the point is, are we spending the money on the right things, or the right kind of framework? Because I wouldn't say that what we were doing earlier was wrong or right, but my point is that every year there's something new that is coming up. Not just every year: every month, every day there is something new that is coming up. We have to tackle that and we have to make sure our organization is secure. No organization is ever 100% secure, but we can take baby steps towards it.

So I have some questions for you. When we talk about the client, do we say that the client is secure? Are the people, the users, secure? No, they're not. We've seen that. How about a server? Can we say that the server is secure? No. How about the whole network? Can we just depend on that? What do you say? We're all working remote. So are we dependent on the network, and can we just trust it? No. So if we don't do that, so simply don't trust, then what shall we do?
So if we have to trust, what should we verify? It's like "trust but verify", but is it safe to say "trust but verify"? So here, if zero trust sounds similar or familiar to you, it's because zero trust has been around for a while, but it's really hitting the nail right now, or hitting the rhythm right now. The old model was: oh, you are in the network? We're going to trust you. The new model says: never trust and always verify. So this actually flips the mantra from "trust but verify" to "never trust and always verify". It says: trust no one, not even the users behind the firewall.

While we're talking about zero trust, let's learn about how it all came into the picture. So over the years, security models have matured or have transitioned. Many of us had, as our first thing, access control lists. Then came role-based access control, which still exists in some form. And then came the principle of least privilege, and it was all the rage. But the problem with RBAC, or role-based access control, and even subsequently with least privilege as well, was actually that it just allowed all the subjects to be assigned multiple roles and multiple permissions, which eventually loosened to a point wherein it defeated the purpose, or the control, it was meant for. And when we talk about the introduction of cloud and diverse SaaS offerings, especially for our core applications, how are we going to implement and manage this effectively? If, as an admin, I leave the organization today, how soon are we removing the accesses? Or let's say if I moved from one team to another, how soon are we managing those accesses? It's really, really hard. So those things are really important to be managed, and the security perimeter has become a thing of the past, whatever we say. Especially with cloud adoption and advancement in technologies, enterprises must assume that the environment is hostile.
And that's how, when we go to the public cloud, we have something in mind: that we are putting our data into the public cloud and we have to take some ownership. We have to talk about the shared responsibility model: what's the cloud provider's responsibility, what's our responsibility. And that's the core tenet of zero trust. And it provides a better framework to look at cybersecurity and rethink the way we are working towards cybersecurity. It essentially establishes a model of trust verification and continuous evaluation of trust for further access and lateral movement.

Now, when we say zero trust, how's the architecture? If you can see in the picture, the whole system, or the supporting system, in the whole architecture is called a control plane. And every component is referred to as a data plane, which has been coordinated and configured by the control plane. In zero trust, we first identify a protect surface. Now, what is a protect surface? It's made up of the organization's or network's most critical and valuable data, assets, applications, services. So once we identify... now, why we need to identify it: because it's unique to every organization. Not all organizations have the same crown jewels. So we need to first identify that unique critical infrastructure. When we have identified that, we can identify how the traffic moves around the organization, understanding who the users are, which applications they're trying to access and how they are connecting to the network, and enforcing the policies based on that. Once we have the basic understanding of interdependencies between data, applications, users, services, we can put controls in place, especially when we say that these protect surfaces need the control as soon as possible.
Creating a microperimeter around it: we can create a microperimeter by deploying a segmentation gateway, more commonly known as a next-generation firewall, especially to ensure only known allowed traffic or legitimate applications have access to the protect surface. The segmentation gateway can actually provide us granular visibility into the traffic and enforce an additional layer of security, especially the layer seven security that we've been talking about. And people always talk about network segmentation, but application segmentation is also equally important. So we need to have application segmentation, application gateway segmentation or network segmentation in place. We continue to monitor and maintain in real time.

Still, we are actually lacking a lot of things. First, we identify one perimeter, security. Move ahead. We need to go phase by phase. We cannot say that we are going to do everything at once. That's not quite humanly possible, or even possible with machines. Everything takes time; we need to understand the environment, we need to start understanding what's happening in the organization, what assets do we have, what network do we have. So at the same time, implementing zero trust in an enterprise network is predicated on the organization's network itself. It establishes where boundaries can be placed and enforces access controls to shield specific applications, sensitive applications, such as on-premise applications, data centers, safeguarding them from unauthorized access and the lateral movement that I mentioned. Most companies have applications and data spread across multiple locations and don't have insight into who's accessing their applications, how data is being stored. So to address all these things, companies have often accessed multiple resources, used multiple technologies around. And when cloud came into the picture, everybody needed... like, we need information stored secretly, saved safely on the on-premise servers.
And when we are moving to the cloud, a public cloud, private cloud, SaaS applications we have started using. So how shall we leverage all those things? We started talking about CASB. We started talking about inbound proxy, virtualized firewall, software-defined perimeter. So this is a mix of technologies which actually creates a segmented security architecture where it might be difficult to be sure what policies are in place or how data can be secured. So to succeed, we all need to have a single unified security architecture. This is our network where the users are accessing these applications. This is how data is flowing across the public cloud. These are my SaaS applications and this is how they are interacting. This is my private cloud and this is my data center. There are controls and limits on who has access to what information, what assets, how they can use it. If we are dealing with any third-party vendor, how much access will they have, whether they will have read-only access or write access. Inspect the traffic and enforce security policies.

The first thing: we should categorize the data. Ultimately, security teams are focused on protecting the data, whatever we say. Where possible, data should be safe even when it leaves the organization, leaves the device, app, infrastructure, network. The controls that we have in place: data should be classified, labeled, encrypted, and access restricted based on all of these things. So what should we do in that case? We should first understand the current setup. Take a detailed look at what current data we have, what locations we have, do we have any regulations in place. And data classification is also important because it allows organizations to manage the data more effectively and accurately. The organizations might be facing issues: okay, my assets are lying all over there. But if you think about it, there's a crown jewel and we have not marked it as a crown jewel.
There's a low-hanging fruit and we don't know whether it's a low-hanging fruit, or that might be a critical device for some of the teams. So it's very important to label it, whether it's restricted, internal, external, confidential, private, or what kind of data it is.

Principle of least privilege. And you must have been hearing it from ages back: okay, we should have the principle of least privilege. Did we implement it? Least privilege access rights are a fundamental principle of zero trust security. Overly excessive access is one of the key issues causing insider threats to become insider incidents. Zero trust networks only allow access rights as and when necessary. Covering the access is no longer appropriate. So authenticating and verifying all access is important. User access to cloud resources must first be authenticated. Certificate-only based authentication is a weak solution, as a certificate can be stolen. If I have your certificate, I can log into the environment. Another insecure approach would be an insecure access method to a jump host or bastion host. So what we can do is we can have multi-factor authentication, which can be integrated with LDAP or any other solution which can be there. And we can have single sign-on, which can improve the authentication strength. However, authentication itself, or alone, is not sufficient. Users' access, who's accessing the cloud resources, must be authorized once we have authenticated. So fine-grained control can be applied, and there is less lateral movement a user can make, even if someone tries to access the network. We have fine-grained access. The access can be stopped then and there. User accounts with least privileges. Especially if an employee leaves an organization, how about removing their access? It becomes very important to remove their access. With the principle of least privilege, an employee whose job is to enter the data center...
The person can actually add or modify the records if the person's laptop is infected with malware. What could go wrong? The system can actually install malware on other systems, can infect the database. If the person has root credentials, the infection can actually spread system-wide and spread in the network.

I'll give you an example which happened with me, where a person who was working with me, the person was a network person who was handling the firewalls. His job was to monitor and work on the firewall rules. So the person could monitor and make changes to the firewall or ACLs. But suddenly the person moves to the security team. Now the person's job is to manage the firewall logs, which is quite a different thing. Now the person who's managing the firewall logs suddenly gets a request: can you please modify this access for me in the firewall? And the person does it. Ideally, or practically, should the person have access to the network, or the network firewall? No. The person should not even have access to it, let alone the modifying part. So it becomes important to have all those rights checked at regular intervals.

You can have just-in-time privilege. If a user rarely needs access to the root credentials, reducing privileges, especially when they don't need them, we can use disposable credentials. We can enable a function: okay, these are the six hours, or six days, the person needs access to this environment, and after six days, let's remove the access. So all of these things can be done. And we can actually stop the lateral movement of all those attacks that are happening, which might be spreading across the network. And this is one of the primary things that a pen tester can leverage. If all those privilege rights are not there, that can be exploited. And as a security researcher, if these things are not there, I am going to target that. It's one of the things the malicious actors might get access to.
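The two controls described above, time-boxed just-in-time grants and revoking rights when someone changes job, as a small broker in Python. This is an added example and not code from the talk or from any product it mentions; `AccessBroker`, `Grant`, the role names, the users and the timestamps are hypothetical, constructed data.

```python
"""Just-in-time (JIT) privilege grants with expiry and role-change revocation.

Added example, not code from the original talk. `AccessBroker`, `Grant`,
the role names and the users below are hypothetical, constructed data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    user: str
    resource: str
    reason: str
    expires_at: datetime
    revoked: bool = False


@dataclass
class AccessBroker:
    # current role of each user (constructed directory snapshot)
    roles: dict
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)
    # which role may request a time-boxed grant on which resource
    entitlements: dict = field(default_factory=lambda: {
        "firewall-admin": {"fw-rules", "fw-logs"},
        "security-analyst": {"fw-logs"},
    })

    def grant(self, user, resource, reason, ttl, now):
        """Issue a grant that expires after `ttl`; deny if the role is not entitled."""
        role = self.roles.get(user)
        if resource not in self.entitlements.get(role, set()):
            self.audit.append(("denied", user, resource, role))
            return None
        g = Grant(user, resource, reason, now + ttl)
        self.grants.append(g)
        self.audit.append(("granted", user, resource, role))
        return g

    def has_access(self, user, resource, now):
        """True only while an unexpired, unrevoked grant exists: no standing rights."""
        return any(
            g.user == user and g.resource == resource
            and not g.revoked and now < g.expires_at
            for g in self.grants
        )

    def change_role(self, user, new_role):
        """A job change revokes every open grant (the talk's firewall-to-SOC example)."""
        self.roles[user] = new_role
        for g in self.grants:
            if g.user == user and not g.revoked:
                g.revoked = True
                self.audit.append(("revoked-on-role-change", user, g.resource, new_role))


def demo():
    """Run the scenario from the talk and return the audit trail."""
    t0 = datetime(2021, 1, 1, 9, 0, tzinfo=timezone.utc)
    broker = AccessBroker(roles={"alice": "firewall-admin"})
    broker.grant("alice", "fw-rules", "change request CR-1", timedelta(hours=6), t0)
    # still valid after 5 hours, gone after 6
    assert broker.has_access("alice", "fw-rules", t0 + timedelta(hours=5))
    assert not broker.has_access("alice", "fw-rules", t0 + timedelta(hours=6))
    # alice moves to the security team: the old grant dies and a new
    # fw-rules request is denied, while fw-logs is still within her role
    broker.change_role("alice", "security-analyst")
    broker.grant("alice", "fw-rules", "please modify this rule", timedelta(hours=1), t0)
    broker.grant("alice", "fw-logs", "investigate alert", timedelta(hours=1), t0)
    return broker.audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The point of the design is that `has_access` never consults a standing role; it only finds a live grant, so access disappears on its own when the clock passes `expires_at`, and `change_role` closes every open grant rather than relying on someone remembering to clean up.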
We can stop the attack because they will only be able to infect a certain zone, not the whole area. So if we are using the public cloud, we have to have the principle of least privilege. We have to have a principle to build the cloud network which can result in isolated islands of a lot of different networks. If one network is breached, we have other networks which can be safeguarded, because it's impossible to gain access to those networks, which can actually reduce the attack surface.

Now tell me one thing. How many of you have multiple accounts, multiple passwords? I have. I have like tons and tons of usernames and passwords, tons and tons of accounts on multiple websites. So what could go wrong? Earlier, identities were not defined. There were all internal applications. There were many passwords. But then in the mid-90s we started defining identities. We started uniquely identifying who has access to what. We started talking about single sign-on, password policies, role-based access controls. Then came an era where we started talking about how about having multi-factor authentication, because we saw so many breaches with banks, with financial institutions and whatnot, the healthcare industry. We made sure that we have to have something in place which can reduce the privileges. So we came up with the principle of least privilege. Then came a point that that's not necessary. How about understanding what could be the risk score? How are we handling the risk of an application? How are we handling the risk scores, adaptive access, then context-aware access, authorization, application-only access? And now we're talking about, let's go passwordless. We're talking about QR code scans and whatnot. FIDO2. So all of those things have actually contributed towards maturing the organization's IAM strategy.

Now, what is context-aware security and why are we even talking about it? So if we look at 10 years back, MFA was just a pain.
People would cringe and say that I don't want to use multi-factor authentication. We all stuck to the old world. Today, with all the modern solutions that we have, especially with cloud, can we just have a username and password? I was on one of the projects wherein the organization was using six-character passwords. Should we use that small a password? No. When we talk about moving to cloud, we have to be sure that we are using a strong password. We have to have a strong password policy. We have to have multi-factor authentication to verify during login or password checkout, especially at the time of privilege elevation. Multi-factor authentication is a must-have. We cannot counter that with anything. And passwords are not good enough. Let's face it, whatever we say. And even if we talk about the people who are listening to this talk, we can say that half of our passwords are dictionary passwords. The passwords are somebody who you know, or months with "add one, two, three", "zero, six", or whatever. All of that is there.

So the good news is multi-factor authentication is an easy way. We have, as I said, FIDO2. We have Google Authenticator. And many other authenticators are available which can actually help us in securing our applications, securing our data. With context-aware access, we can figure out where we are trying to access from, which device we are using. If we're using a device for so long, there is a context that has been built for the device. And suddenly we change the device. The application should ask us for blocking, or for a step-up authentication, saying: okay, let's re-authenticate you. If I am in India right now, if I am in Bangalore, and suddenly I log in from the US, UK, or any other location, am I supposed to log in? No, I'm not. Practically it's not possible. So what shall we do? Block the access. And adaptive access can be on applications and services. At the same time, when we have adaptive access, how about monitoring that?
Which means enabling the right users, or right user, to have the right access to the right data for the right reason from the right location. So what I said: enabling the right users to have the right access to the right data for the right reason from the right location, which includes device, network, workload, and application, all at the same time.

Now, when we say monitoring and logging, we can build identity-based network context, like creating microperimeters that are based on identifying the users. This is also known as zoning, where we can automatically monitor, continuously monitor, and manage the data between the zones. Authentication and authorization can actually give us a good view about these zones. Besides users and accounts, every device owned by the organization should be uniquely identifiable in a single device directory, wherein we can say: okay, these are the devices which are in use. If there's a fishy device, let's remove it from the network. And whosoever is trying to access from a malicious device, let's block their access. And let's face it, hacking is inevitable. An attack will happen. The systems will get compromised. But we should have an idea: what's our blast radius? What's our network? Then if we find that there's something malicious going on, we can stop it or prevent it from happening. Are the alerts being managed? How much automation do we have in place to detect the incidents? We're talking about orchestration, creating the playbooks relevant to our organization. So it becomes important to monitor and log all the data which is going on in the network.

Then comes: how about we architect our own zero trust architecture, microperimeters? Once we know our data, our flow, what's happening in the network, we can create the optimal micro-networks around each of them. Separating production data from dev and test can really, really help us in segmenting the whole network.
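The adaptive access decision sketched in the last two passages (known device, location context, step-up MFA at privilege elevation, blocking an implausible location change) written out as one policy function. This is an added example, not code from the talk or from any identity product; `Context`, `decide`, the device directory, the two-hour travel window and the sample sessions are hypothetical, constructed data.

```python
"""Context-aware (adaptive) access decisions: allow, step-up MFA, or deny.

Added example, not code from the original talk. `Context`, `decide`, the
device inventory and the sessions below are hypothetical, constructed data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# constructed device directory: devices each user has been seen on before
KNOWN_DEVICES = {"alice": {"lt-0042"}}
# resources where any access counts as privilege elevation
SENSITIVE_RESOURCES = {"fw-rules", "hr-db"}
# a country change faster than this is treated as impossible travel (assumed value)
TRAVEL_WINDOW = timedelta(hours=2)


@dataclass
class Context:
    user: str
    device_id: str
    country: str
    mfa_done: bool      # MFA already completed in this session
    resource: str
    privileged: bool    # request is a privilege elevation / password checkout
    at: datetime


def decide(ctx, last_seen):
    """Return (decision, reasons).

    `last_seen` maps user -> (country, time) of that user's previous login.
    Decisions: "deny" blocks outright, "step_up" demands a fresh MFA,
    "allow" lets the request through; reasons are kept for the audit log.
    """
    prev = last_seen.get(ctx.user)
    if prev is not None:
        prev_country, prev_time = prev
        if prev_country != ctx.country and ctx.at - prev_time < TRAVEL_WINDOW:
            # Bangalore an hour ago, US now: block, do not just re-prompt
            return "deny", [f"impossible travel {prev_country}->{ctx.country}"]
    reasons = []
    if ctx.device_id not in KNOWN_DEVICES.get(ctx.user, set()):
        reasons.append("unknown device")
    if ctx.privileged or ctx.resource in SENSITIVE_RESOURCES:
        reasons.append("privilege elevation")
    if reasons and not ctx.mfa_done:
        return "step_up", reasons
    return "allow", reasons


def demo():
    """Evaluate five constructed sessions against the same last-login record."""
    now = datetime(2021, 3, 1, 9, 0, tzinfo=timezone.utc)
    last_seen = {"alice": ("IN", now - timedelta(hours=1))}
    sessions = [
        Context("alice", "lt-0042", "IN", False, "wiki", False, now),      # routine
        Context("alice", "lt-9999", "IN", False, "wiki", False, now),      # new laptop
        Context("alice", "lt-0042", "US", True, "wiki", False, now),       # country jump
        Context("alice", "lt-0042", "IN", False, "fw-rules", True, now),   # elevation, no MFA
        Context("alice", "lt-0042", "IN", True, "fw-rules", True, now),    # elevation, MFA done
    ]
    return [decide(s, last_seen) for s in sessions]


if __name__ == "__main__":
    for decision, reasons in demo():
        print(decision, reasons)
```

Each decision carries its reasons so the same record can feed the monitoring the speaker asks for next: a burst of "unknown device" step-ups or any "impossible travel" denial is exactly the kind of event a playbook should pick up.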
We can have separate cloud accounts, which can be a best practice for having isolation. What can we do? We can define the microperimeter, zones and segmentation, especially around sensitive data. We can enforce segmentation using physical and virtual security controls. Establish access based on these controls and microperimeter designs. We can include all the network traffic regardless of origin. But it has to be checked what is relevant.

Now, another important aspect is policies and procedures. Identity governance and policies are very important but must be comprehended across the applications. We also have to take into account the legacy applications that we have. Do we have support for them? How are we going to handle them when we talk about cloud or the advanced latest technologies that we have? Legacy apps can be run in virtualized environments or containers, or can be segmented from the rest of the network, so that if something happens, if they are compromised, the malicious users cannot pivot and move laterally to compromise the rest of the systems or infrastructure.

So what can we do as part of implementing... Starting with categorizing data, with least privilege, network management, segmentation, policies and procedures, all of this, that's there. But how should we take a step forward? Especially when we have remote access, we have BYOD, we have default deny or so many other policies. How are we going to handle that? We can implement it wherein we identify what type of applications are there. And that's the fundamental step. If we know our infrastructure, we have categorized it. We know what's public, what's internal, what's confidential. We can define the zones. We can have microperimeters come in and help us. We can suggest that, okay, let's create a chunk of data that represents its own microperimeter. Then we can map the flows of the sensitive data.
We can have: okay, this is the segment, which can be multi-directional, which can be bi-directional, or it shouldn't be accessible to the rest of the world, which can actually optimize our data flows. Then how about creating the boundaries? Once we know all these micro-networks, we can design them. We can say: okay, this is what fits for the security. And this also takes into consideration that, okay, we have a nice posture in our organization, we have a mature posture in our organization. We can continuously monitor and log the traffic. It can actually provide us the data analytics for malicious activities across the entire microperimeter ecosystem. We can embrace automation, which might not be really possible because we don't know our network. So we can have a lot of automation, orchestration, policies, procedures in place.

So as I said, should we trust or not trust? Zero trust is more of a perspective than a product. If someone says it's a product, sorry, that's not the case. And technology moves very fast. We can never think that we've just gotten to where we know everything about our organization. There has to be something which might be failing. So there is no single technology which is associated with zero trust architecture. There are multiple technologies, multiple processes which are there. And it also defines the maturity of our organization. It's a holistic approach to cybersecurity, which contains multiple principles and technologies. So can we say that identity is the security perimeter, or the new security perimeter? We can say that now. So there are things that we've been doing. There are things that we can do, but we can take the baby steps. We can take the steps towards the zero trust journey. And the first step comes in when we start thinking about it: what are the things we can do? We can talk about verifying the users. We can have single sign-on, multi-factor authentication everywhere. We can have user behavior analysis. We can have risk scoring for access.
We can validate the devices. It could be device and app management, device context. We can have endpoint privilege management properly. Then the principle of least privilege, which we can never remove. We can have granular role-based access, which can actually limit lateral movement. Then how about learning from the architecture that we have and adapting to the new architecture using machine learning, AI?

These are some of the references that I have looked through, and research from some amazing corporations. You can reach me on Twitter, LinkedIn. That's my email address. I'm very much reachable on all the platforms, if you have feedback or you want to have a discussion. And then we're all good. Thank you so much. This is Namaste from India. Thank you.