Zero Trust Network Architecture John Kindervag, Principal Analyst April 11, 2013
Agenda The new threat landscape Next gen security architecture for traditional networks Zero Trust – the next generation secure network
2011-2013 Notable Hacks (RSA, Epsilon, Sony PSN, Lockheed Martin, Symantec and others)

Company | Date | Actor | Attack type | Motive | Data | Impact
RSA | March 17, 2011 | Advanced: state-sponsored | APT – targeted malware | Espionage – intellectual property | RSA SecurID token source code | Potentially opens customers to attack
Epsilon | April 1, 2011 | Unknown | Not disclosed | Financial | Email addresses | Brand damage, could lead to spear-phishing attacks
Sony PSN | April 19, 2011 | "Anonymous" suspected | Not listed | Hacktivism | Personally identifiable information (PII) | Sony PSN down: >$170M hard costs
Lockheed Martin | May 28, 2011 | Not listed | RSA SecurID exploited | Corporate espionage | Not listed | Brand damage
Symantec | February 8, 2012 | Unknown, perhaps "Anonymous" | Not listed | Extortion | Source code | Not listed
CIA | February 10, 2012 | "Anonymous" | DDoS | Not listed | None | Website offline
Bit9 | February 27, 2013 | Not listed | SQL injection | Create attack vector | Not listed | Companies using Bit9 were attacked
Evernote | March 3, 2013 | Not listed | Data theft | Not listed | 50 million customers' passwords | Password resets and possible data loss

Source: CNET Hacker Chart: http://news.cnet.com/8301-27080_3-20071830-245/keeping-up-with-the-hackers-chart/ and http://www.privacyrights.org/data-breach/new.
Frequency of data breaches: 25% of companies have experienced a breach during the last 12 months that they know of. Base: 1,319 IT security decision-makers; Source: Forrsights Security Survey, Q3 2012
Data is the new oil
Sample underground-market listings shown on the slide:
"Selling fresh virgin worldwide cvv"
"GOOD OFFER SELLING hacked RDP GUARANTEED 24HOURS UP TIME ONLY 10$"
"Selling (Worldwide Cvvs, Worldwide Fullz, UK, Usa Logins Worldwide Dumps, UK, Usa Paypal, Ebay Accounts...)"
"I need RDP UK US Germany To buy NOW VIA WMZ wanna buy"
Data Security And Control Framework Source: January 2012 “The Future Of Data Security And Privacy: Controlling Big Data”
Agenda (part 2): Next gen security architecture for traditional networks
TechRadar™: Network Threat Mitigation, Q2 ’12 May 2012 “TechRadar™ For Security & Risk Professionals: Zero Trust Network Threat Mitigation, Q2 2012”
Agenda (part 3): Zero Trust – the next generation secure network
Trust but verify
Which one goes to the Internet? (A firewall with one interface labeled UNTRUSTED and one labeled TRUSTED.)
Zero Trust: every interface is UNTRUSTED.
Concepts of zero trust
- All resources are accessed in a secure manner regardless of location.
- Access control is on a "need-to-know" basis and is strictly enforced.
- Verify and never trust.
- Inspect and log all traffic.
- The network is designed from the inside out.
Building the Traditional Hierarchical Network: four tiers, Edge, Core, Distribution and Access.

Security Is An Overlay: the controls are bolted on around that hierarchy rather than being part of it. At the Edge: FW, IPS, Email, WCF, WAF, VPN, DAM, DLP, DB ENC. At Core and Distribution: IPS, IPS, WLAN GW, FW, NAC. Then Access.

Deconstructing the Traditional Network: the same overlay controls (FW, IPS, Email, WCF, WAF, VPN, DAM, DLP, DB ENC at the edge; IPS, WLAN GW, FW, NAC at core and distribution; FW at access) are pulled out of the tiers.

Re-Building the Secure Network: those controls (FW, WLAN GW, CRYPTO, AM, CF, IPS, WAF, NAC, AC, Email, WCF, DAM, DLP, DB ENC, VPN) are regrouped around a Packet Forwarding Engine.

Segmentation Gateway: FW, IPS, CF, AC, Crypto and AM consolidated into one NGFW; very high speed, multiple 10G interfaces; builds security into the network DNA.
Zero Trust Drives Future Network Design
MCAP – Micro Core and Perimeter
- MCAP resources have similar functionality and share global policy attributes.
- MCAPs are centrally managed to create a unified switching fabric.
- Management = backplane (MGMT server; the diagram shows a User MCAP and a WWW MCAP).
- All traffic to and from each MCAP is inspected and logged; SIM, NAV and DAN sit in the management MCAP.

Zero Trust Network is Platform Agnostic and VM Ready
- Creates VM-friendly L2 segments.
- Aggregates similar VM hosts.
- Secures VMs by default.
The next slides build the same diagram up one property at a time: Zero Trust Network Architecture is Compliant (adds a WL MCAP), Scalable (adds DB and APPS MCAPs), Segmented (adds a CHD MCAP for cardholder data), Flexible, Extensible (adds a WAF in front of the WWW MCAP), and ZTNA Supports the Extended Enterprise. In every version the MGMT server with SIM, NAV and DAN remains the management MCAP through which all inter-MCAP traffic is inspected and logged.
What about fabrics?
A Traditional Hierarchical Network Will Evolve To A Flatter, Meshed Topology Source: December 2010 “The Data Center Network Evolution: Five Reasons This Isn’t Your Dad’s Network”
Zero Trust Network Architecture is Fabric Friendly Source: December 2010 “The Data Center Network Evolution: Five Reasons This Isn’t Your Dad’s Network”
Augment Hierarchical Networks with Zero Trust: the existing server farm, WWW farm and DB farm stay behind their IPS and WAN links, while a WAF, DAM and new MCAPs (CHD MCAP, WL MCAP, User MCAP) are added behind the MGMT server with SIM, NAV and DAN.
Zero Trust Multi-Dimensionality
Zero Trust adds identity and context dimensions on top of the network and transport layers, which only generate traffic:
- User identity (UID): the user.
- Application identity (AID): the application.
- Data identity (DID): the data itself, described by its location, classification and type.
Idea: treat data as if it's living. Data identity is monitored via DAN/NAV.
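The policy model the deck describes (need-to-know access between MCAPs, every interface untrusted, decisions on user, application and data identity rather than on address alone, and every flow logged) can be made concrete as a small segmentation-gateway policy engine. The following is an added example written for this page; it is not Forrester's or any vendor's code. The MCAP address ranges, rule table, identities and flows are all constructed for illustration.

```python
"""Toy segmentation-gateway policy engine (added example, not from the deck).

Models the Zero Trust rules on the preceding slides: every address outside a
known MCAP is UNTRUSTED, inter-MCAP access is need-to-know (default deny,
explicit allow rules), each rule checks user identity (UID), application
identity (AID) and data identity (DID), and every decision is logged.
All MCAP ranges, rules and flows below are constructed for illustration.
"""
import ipaddress
import json
from dataclasses import dataclass, asdict

# Constructed MCAP layout: each MCAP is one segment behind the gateway.
MCAPS = {
    "USER": "10.10.0.0/16",
    "WWW": "10.20.0.0/24",
    "APPS": "10.30.0.0/24",
    "DB": "10.40.0.0/24",
    "CHD": "10.50.0.0/24",   # cardholder data
    "MGMT": "10.90.0.0/24",  # SIM / NAV / DAN management backplane
}
_MCAP_NETS = {name: ipaddress.ip_network(cidr) for name, cidr in MCAPS.items()}

# Data identity ranking: a rule's max_did caps the classification allowed across it.
DID_RANK = {"public": 0, "internal": 1, "confidential": 2, "cardholder": 3}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    aid: str             # application identity as classified by the gateway, not the port
    uid: str = ""        # authenticated user or service identity; "" = unauthenticated
    did: str = "public"  # classification of the data the flow carries


@dataclass(frozen=True)
class Rule:
    src_mcap: str        # "UNTRUSTED" = any address outside every MCAP
    dst_mcap: str
    dst_port: int
    aid: str
    uids: frozenset      # allowed principals; empty = no identity required (public service)
    max_did: str


# Need-to-know allow list. Anything not listed is denied, including USER -> DB,
# WWW -> DB (must go through APPS) and anything from UNTRUSTED into MGMT.
RULES = [
    Rule("UNTRUSTED", "WWW", 443, "https", frozenset(), "public"),
    Rule("USER", "WWW", 443, "https", frozenset({"alice", "bob"}), "internal"),
    Rule("WWW", "APPS", 8443, "https", frozenset({"svc-www"}), "internal"),
    Rule("APPS", "DB", 5432, "postgres", frozenset({"svc-apps"}), "confidential"),
    Rule("APPS", "CHD", 5432, "postgres", frozenset({"svc-apps"}), "cardholder"),
    Rule("USER", "MGMT", 22, "ssh", frozenset({"alice"}), "internal"),
]

AUDIT_LOG = []  # every decision, allowed or denied, lands here (stand-in for the SIM)


def mcap_of(ip: str) -> str:
    """Map an address to its MCAP; anything unknown is UNTRUSTED, never 'inside'."""
    addr = ipaddress.ip_address(ip)
    for name, net in _MCAP_NETS.items():
        if addr in net:
            return name
    return "UNTRUSTED"


def evaluate(flow: Flow) -> tuple:
    """Return (verdict, reason) for one flow and append a JSON record to AUDIT_LOG."""
    src, dst = mcap_of(flow.src_ip), mcap_of(flow.dst_ip)
    verdict, reason = "deny", "no matching rule (default deny)"
    for r in RULES:
        if (r.src_mcap, r.dst_mcap, r.dst_port, r.aid) != (src, dst, flow.dst_port, flow.aid):
            continue
        if r.uids and flow.uid not in r.uids:
            reason = f"uid {flow.uid!r} not permitted for {src}->{dst}:{flow.dst_port}"
            continue
        # Unknown classifications rank 99 so they fail closed.
        if DID_RANK.get(flow.did, 99) > DID_RANK[r.max_did]:
            reason = f"data identity {flow.did!r} exceeds {r.max_did!r} allowed on this path"
            continue
        verdict, reason = "allow", f"rule {src}->{dst}:{flow.dst_port}/{r.aid}"
        break
    AUDIT_LOG.append(json.dumps({**asdict(flow), "src_mcap": src, "dst_mcap": dst,
                                 "verdict": verdict, "reason": reason}))
    return verdict, reason


# Constructed sample flows, in order: internet -> WWW, internet -> MGMT,
# USER -> DB, WWW -> DB direct, WWW -> APPS, APPS -> CHD, APPS -> DB carrying
# cardholder data, ssh tunnelled over 443, wrong user into MGMT.
DEMO_FLOWS = [
    Flow("203.0.113.7", "10.20.0.10", 443, "https"),
    Flow("203.0.113.7", "10.90.0.5", 22, "ssh"),
    Flow("10.10.4.2", "10.40.0.3", 5432, "postgres", uid="alice", did="confidential"),
    Flow("10.20.0.10", "10.40.0.3", 5432, "postgres", uid="svc-www"),
    Flow("10.20.0.10", "10.30.0.4", 8443, "https", uid="svc-www", did="internal"),
    Flow("10.30.0.4", "10.50.0.9", 5432, "postgres", uid="svc-apps", did="cardholder"),
    Flow("10.30.0.4", "10.40.0.3", 5432, "postgres", uid="svc-apps", did="cardholder"),
    Flow("10.10.4.2", "10.20.0.10", 443, "ssh", uid="alice", did="internal"),
    Flow("10.10.4.2", "10.90.0.5", 22, "ssh", uid="mallory", did="internal"),
]


def run_demo() -> list:
    """Evaluate the sample flows and return their verdicts."""
    return [evaluate(f)[0] for f in DEMO_FLOWS]


if __name__ == "__main__":
    for flow, verdict in zip(DEMO_FLOWS, run_demo()):
        print(verdict, flow)
    print("\n".join(AUDIT_LOG))
```

Two design points matter more than the rule table itself. First, `mcap_of` returns UNTRUSTED for any address it does not recognise, so a host on an unlabelled internal range gets no more trust than one on the Internet; that is the "every interface is UNTRUSTED" idea from the firewall slide. Second, a rule matches on application identity (`aid`) as classified by the gateway, not on the destination port, so SSH tunnelled over 443 is denied even where HTTPS to the same host is allowed, and the data-identity cap lets the same APPS-to-database rule shape differ between the DB and CHD MCAPs.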
Trust But Verify
Verify and Never Trust
Hard and Crunchy: the full MCAP diagram (WL, DB, User, CHD, APPS and WWW MCAPs, with the MGMT server running SIM, NAV and DAN).
Summary
- Make the network an enforcement point.
- Zero Trust: "Verify and never trust!"
- Inspect and log all traffic.
- Design from the inside out.
- Design with compliance in mind.
- Embed security into network DNA.
- Every interface is UNTRUSTED.
Thank you
John Kindervag
+1 469.221.5372
jkindervag@forrester.com
Twitter: Kindervag
www.forrester.com