Zero Trust Network Architecture

Presentation on theme: "Zero Trust Network Architecture"— Presentation transcript:

2 Zero Trust Network Architecture
John Kindervag, Principal Analyst April 11, 2013

3 Agenda
The new threat landscape
Next gen security architecture for traditional networks
Zero Trust – the next generation secure network

5 2011-2013 Notable Hacks: RSA, Epsilon, Sony PSN, Lockheed Martin, Symantec
Columns: Date; Actor; Attack Type; Motive; Data; Impact
RSA (March 17, 2011): Advanced, state-sponsored APT; targeted malware; espionage – intellectual property; RSA SecurID token source code; potentially opens customers to attack
Epsilon (April 1, 2011): Unknown; not disclosed; financial; addresses; brand damage, could lead to spear phishing attacks
Sony PSN (April 19, 2011): “Anonymous” suspected; hacktivism; personally identifiable information (PII); Sony PSN down: >$170M hard costs
Lockheed Martin (May 28, 2011): RSA SecurID exploited; corporate espionage; brand damage
Symantec (February 8, 2012): Unknown, perhaps “Anonymous”; extortion; source code
CIA (February 10, 2012): “Anonymous”; DDoS; none; website offline
Bit9 (February 27, 2013): SQL injection; create attack vector; companies using Bit9 were attacked
Evernote (March 3, 2013): data theft; 50 million customers’ passwords; password resets & possible data loss
Source: CNET Hacker Chart

6 Frequency of data breaches
25% of companies have experienced a breach during the last 12 months that they know of.
Base: 1319 IT security decision-makers. Source: Forrsights Security Survey, Q3 2012

7 Data is the new oil

8 Selling fresh vergin wordwide cvv
GOOD OFFER SELLING hacked RDP GURANTED 24HOURS UP TIME ONLY 10$ Selling (Worldwide Cvvs, Worldwide Fullz, UK, Usa Logins Worldwide Dumps, UK, Usa Paypal, Ebay Accounts...) I need RDP UK US Germany To buy NOW VIA WMZ wana buy 9

9 Data Security And Control Framework
Source: January 2012 “The Future Of Data Security And Privacy: Controlling Big Data”

12 Agenda
The new threat landscape
Next gen security architecture for traditional networks
Zero Trust – the next generation secure network

13 TechRadar™: Network Threat Mitigation, Q2 ’12
May 2012 “TechRadar™ For Security & Risk Professionals: Zero Trust Network Threat Mitigation, Q2 2012”

14 Agenda
The new threat landscape
Next gen security architecture for traditional networks
Zero Trust – the next generation secure network

15 Trust but verify

16 Which one goes to the Internet?
UNTRUSTED TRUSTED

17 Zero Trust UNTRUSTED

18 Concepts of zero trust
All resources are accessed in a secure manner regardless of location.
Access control is on a “need-to-know” basis and is strictly enforced.
Verify and never trust.
Inspect and log all traffic.
The network is designed from the inside out.

19 Building the Traditional Hierarchical Network
Layers: Edge, Core, Distribution, Access

20 Security Is An Overlay
(diagram: Edge – FW, IPS, Email, WCF, WAF, VPN, DAM, DLP, DB ENC; Core, Distribution – IPS, IPS, WLAN GW, FW, NAC; Access)

21 Deconstructing the Traditional Network
(diagram: Edge – FW, IPS, WCF, WAF, VPN, DAM, DLP, DB ENC; Core, Distribution – IPS, IPS, WLAN GW, FW, NAC, FW; Access)

22 Re-Building the Secure Network
(diagram: FW, WLAN GW, CRYPTO, AM, CF, IPS, WAF, NAC, FW, IPS, AC, WCF, DAM, Packet Forwarding Engine, DLP, DB ENC, VPN)

23 Segmentation Gateway
Functions: FW, IPS, CF, AC, Crypto, AM, NGFW
Very high speed, multiple 10G interfaces
Builds security into the network DNA

24 Zero Trust Drives Future Network Design
MCAP – Micro Core and Perimeter
MCAP resources have similar functionality and share global policy attributes.
MCAPs are centrally managed to create a unified switching fabric.
(diagram: User MCAP, WWW MCAP, MGMT server; Management = Backplane)

25 Zero Trust Drives Future Network Design
All traffic to and from each MCAP is inspected and logged.
(diagram: User MCAP, WWW MCAP, MGMT server, SIM/NAV/DAN MCAP)
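As an added illustration of slides 18, 23 and 25 taken together (not code from the deck or from Forrester): a Python model of a segmentation gateway between MCAPs that permits only explicitly listed (source MCAP, destination MCAP, port, application identity) combinations, denies everything else no matter where the flow originates, and logs every decision. MCAP names, ports, application identities and the rule set are constructed.

```python
"""Toy Zero Trust segmentation gateway between MCAPs. Added illustration only,
not the presenter's or Forrester's code; names, ports and rules are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Flow:
    src_mcap: str   # segment the packet came from; there is no "trusted" side
    dst_mcap: str
    dst_port: int
    app_id: str     # application identity (AID) the client asserts

@dataclass
class SegmentationGateway:
    # Need-to-know rules: (src MCAP, dst MCAP, port) -> permitted application identities.
    # Anything absent from this table is denied, whichever direction it travels.
    rules: Dict[Tuple[str, str, int], Set[str]] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def allow(self, src: str, dst: str, port: int, *app_ids: str) -> None:
        self.rules.setdefault((src, dst, port), set()).update(app_ids)

    def evaluate(self, flow: Flow) -> bool:
        """Verify the flow against explicit policy; log allow and deny alike."""
        key = (flow.src_mcap, flow.dst_mcap, flow.dst_port)
        permitted = flow.app_id in self.rules.get(key, set())
        verdict = "ALLOW" if permitted else "DENY"
        self.log.append(f"{verdict} {flow.src_mcap} -> {flow.dst_mcap}:{flow.dst_port} app={flow.app_id}")
        return permitted

def build_demo_gateway() -> SegmentationGateway:
    gw = SegmentationGateway()  # constructed policy: users reach the web tier, web tier reaches DB
    gw.allow("User MCAP", "WWW MCAP", 443, "browser")
    gw.allow("WWW MCAP", "DB MCAP", 5432, "webapp")
    return gw

def run_demo() -> List[str]:
    gw = build_demo_gateway()
    flows = [
        Flow("User MCAP", "WWW MCAP", 443, "browser"),  # sanctioned path
        Flow("User MCAP", "DB MCAP", 5432, "browser"),  # internal, but no need-to-know
        Flow("WWW MCAP", "DB MCAP", 5432, "webapp"),    # sanctioned path
        Flow("WWW MCAP", "DB MCAP", 5432, "shell"),     # right segments, wrong identity
    ]
    for flow in flows:
        gw.evaluate(flow)
    return gw.log  # one entry per flow: all traffic was inspected and logged
```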

26 Zero Trust Network is Platform Agnostic and VM Ready
Creates VM-friendly L2 segments
Aggregates similar VM hosts
Secures VMs by default
(diagram: User MCAP, WWW MCAP, MGMT server, SIM/NAV/DAN MCAP)

27 Zero Trust Network Architecture is Compliant

28 Zero Trust Network Architecture is Scalable

29 Zero Trust Network Architecture is Segmented

30 Zero Trust Network Architecture is Flexible

31 Zero Trust Network Architecture is Extensible

32 ZTNA Supports the Extended Enterprise
(Slides 27–32 are successive MCAP diagrams: starting from the User, WWW and WL MCAPs with the MGMT server and the SIM/NAV/DAN MCAP, they add DB and APPS MCAPs, a CHD MCAP, and finally a WAF in front of the WWW MCAP.)

33 What about fabrics?

34 A Traditional Hierarchical Network Will Evolve To A Flatter, Meshed Topology
Source: December 2010 “The Data Center Network Evolution: Five Reasons This Isn’t Your Dad’s Network”

36 Zero Trust Network Architecture is Fabric Friendly
Source: December 2010 “The Data Center Network Evolution: Five Reasons This Isn’t Your Dad’s Network”

37 Augment Hierarchical Networks with Zero Trust
(diagram: IPS, Server farm, WWW farm, DB farm, WAN, WAF, DAM, CHD MCAP, MGMT server, WL MCAP, User MCAP, SIM/NAV/DAN MCAP)

38–39 Zero Trust Multi-Dimensionality
Layers: Network, Transport, User, Application, Data
Identity: User identity (UID) and Application identity (AID) generate traffic; Data identity (DID)
Context (Information): data location, classification, type
Data Identity: treat data as if it’s living
Monitored via DAN/NAV

40 Trust But Verify

41 Verify and Never Trust

42 Hard and Crunchy
(diagram: WL, DB, User, CHD, APPS and WWW MCAPs, MGMT server, SIM/NAV/DAN MCAP)

43 Summary
Make the network an enforcement point.
Zero Trust — “Verify and never trust!”
Inspect and log all traffic.
Design from the inside out.
Design with compliance in mind.
Embed security into network DNA.
(diagram label: UNTRUSTED)

44 Thank you
John Kindervag, +1 469.221.5372, jkindervag@forrester.com
Twitter: Kindervag
