5 steps to a zero trust network - from theory to practice
TRANSCRIPT
Five Steps To A Zero Trust Network
John Kindervag, Vice President and Principal Analyst
March , 2015
© 2014 Forrester Research, Inc. Reproduction Prohibited 4
› The Year in Review
› Zero Trust is the answer
› The 5 Steps to a Zero Trust Network
Cloud, virtualization, SDN, and BYOD are changing your network
Which one goes to the internet?
Untrusted Trusted
Concepts of zero trust
All resources are accessed in a secure manner regardless of location.
Access control is on a “need-to-know” basis and is strictly enforced.
Verify and never trust.
Inspect and log all traffic.
The network is designed from the inside out.
Zero Trust is scalable and segmented
[Diagram labels: CHD MCAP, DB MCAP, APPS MCAP, WL MCAP, WWW MCAP, User MCAP, MGMT server (SIM, NAV, DAN MCAP)]
The Security Management Balancing Act
› Security: Prevent Cyber Attacks
› Agility: Enable Business Applications
Firewall Breaches
› 5% Vulnerabilities
› 95% Misconfiguration
Data Center Automation (Resource: Time to Provision)
› Server: Minutes
› Storage: Minutes
› Security Access: Days/Weeks
Business Applications
Security Infrastructure
Managing Security at the Speed of Business
Confidential 21
AlgoSec Security Management Suite
Application Owners, Security, Network Operations
Faster Security Provisioning for Business Applications
Align Teams for Improved Agility and Accountability
Gain Total Visibility and Control of your Security Policy
© 2013 Forrester Research, Inc. Reproduction Prohibited 23
The 5 steps to create a Zero Trust network
1. Identify your toxic data sources
2. Map the transaction flows regarding toxic data
3. Architect a Zero Trust network based upon the toxic data sources and the way the data is used transactionally
4. Write your rules on your segmentation gateway based on the expected behavior of the data and the users or applications that interact with the data
5. Monitor the network; inspect and log the traffic; and update rules based upon the visibility and intelligence that you get from your security analytics system.
1. Identify and classify your toxic data
Source: April 2013 “Strategy Deep Dive: Define Your Data” report
2. Map The Data Flows Of Toxic Data
› Locate and map each of the application's dependent network and computer objects
› Redesign a more optimal flow if necessary
Automatically Map Application Flows
Application-Centric Policy Management
Focuses on What the Business Cares About the Most
Topology-Aware Network Analysis
Network Level Policy Visibility
Simplifies Network Operations
Vulnerability Scanner Integration
Application-Centric Risk View
Prioritizes Vulnerabilities Based on Business Context
3. Architect Your Zero Trust Network
› Place microperimeters around toxic data
› Segment your microperimeters with physical or virtual appliances
Network Segmentation Enforcement
Complete Network Visibility
Network Segmentation Easily Defined and Enforced
4. Create Your Automated Rule Base
Write your rules on your segmentation gateway based on the expected behavior of the data and the users or applications that interact with the data
4. Create Your Automated Rule Base
› Be identity-aware
› Have application layer visibility
› Leverage firewall auditing and change control tools
› Connect network segments with your SG
Change Workflow Automation
Automated, Intelligent Change Workflows
Ensure security, compliance, and network segmentation change after change
Change Workflow Automation
Intelligent Change Design
Ensure the optimal, and most secure implementation
5. Monitor Your Zero Trust Ecosystem
› Ability to diagnose application problems more easily
› Accumulation of knowledge necessary to update rules
› Reduction of auditing efforts
Policy Audit and Analysis
Complete Visibility of Every Change
Validate Changes were Performed Correctly, Flag "rogue" Changes
Policy Audit and Analysis
Tighten Rules Based on Actual Usage
Eliminates Any/Any Rules without Impacting Users
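Steps 2, 4 and 5 worked through as an added example (not from the original deck and not any vendor's product): traffic logged against one any/any rule is compared with the mapped transaction flows, yielding narrow replacement rules plus a review list for flows the map did not predict. The segment CIDRs, the log tuple format and the rule ids "ANY-ANY" and "R-12" are constructed assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed microperimeters; names follow the deck's MCAP labels, CIDRs are assumptions.
SEGMENTS = {
    "USER": ip_network("10.10.0.0/16"),
    "WWW": ip_network("10.20.0.0/24"),
    "DB": ip_network("10.30.0.0/24"),
    "CHD": ip_network("10.40.0.0/24"),  # the toxic data
}
# Step 2 output (constructed): the mapped transaction flows, as
# (source segment, destination segment, protocol, destination port).
EXPECTED = {
    ("USER", "WWW", "tcp", 443), ("USER", "WWW", "tcp", 80),
    ("WWW", "DB", "tcp", 5432), ("DB", "CHD", "tcp", 5432),
}
# Step 5 input (constructed): gateway log of (src IP, dst IP, proto, dst port, matched rule).
FLOW_LOG = [
    ("10.10.4.7", "10.20.0.5", "tcp", 443, "ANY-ANY"),
    ("10.10.9.3", "10.20.0.5", "tcp", 443, "ANY-ANY"),
    ("10.20.0.5", "10.30.0.9", "tcp", 5432, "ANY-ANY"),
    ("10.30.0.9", "10.40.0.2", "tcp", 5432, "ANY-ANY"),
    ("10.10.8.1", "10.40.0.2", "tcp", 3389, "ANY-ANY"),  # user straight to toxic data
    ("10.10.4.7", "10.20.0.5", "tcp", 443, "R-12"),      # already on a specific rule
]

def segment_of(ip):
    """Return the name of the segment containing ip, or UNKNOWN."""
    addr = ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), "UNKNOWN")

def tighten(flow_log, broad_rule, expected):
    """Split the traffic carried by one broad rule into proposed rules (observed
    and expected), flows needing review (observed, not in the flow map) and
    unused expectations (in the flow map, never observed on that rule)."""
    hits = Counter()
    for src, dst, proto, port, rule in flow_log:
        if rule == broad_rule:
            hits[(segment_of(src), segment_of(dst), proto, port)] += 1
    proposed = [(*flow, n) for flow, n in sorted(hits.items()) if flow in expected]
    review = [(*flow, n) for flow, n in sorted(hits.items()) if flow not in expected]
    unused = sorted(expected - set(hits))
    return proposed, review, unused

if __name__ == "__main__":
    proposed, review, unused = tighten(FLOW_LOG, "ANY-ANY", EXPECTED)
    for src, dst, proto, port, n in proposed:
        print(f"allow {src} -> {dst} {proto}/{port}  ({n} hits)")
    for src, dst, proto, port, n in review:
        print(f"REVIEW {src} -> {dst} {proto}/{port}  ({n} hits, not in flow map)")
    print("expected but unused:", unused)
```

Flows on the review list are not turned into allow rules automatically; they go back to step 2 to be either added to the flow map or blocked.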
Stakeholders Embrace Zero Trust
› Zero Trust is data-centric
› Zero Trust is collaborative
› Zero Trust is global
Untrusted Untrusted