Event Recording

Zero Trust Journey, How We Moved from an Immature Organization to Zero Trust



This is the story of our journey to Zero Trust, from the initial analysis to its technical and effective implementation. Like many organizations, our starting point was not the best one (lack of proper asset management, mixed permissions, etc.), but when we started to work on a Zero Trust implementation we were able to overcome these issues, solve some unforeseen problems, and offer greater security, also through Human Factors and Risk Management. The aim of this talk is to inspire security leaders on what a Zero Trust Architecture is (it is not an off-the-shelf solution and doesn't require massive initial investments) and how they can reuse their internal knowledge and tools to deliver it.

So welcoming. Thanks everyone to be here. So this one is the Zero Trust journey. We can have a, let's say an amazing journey like Siemens, we gain kaki so it was a little bit easier, but our, let's say the company where I work for was quite immature from the security point of view. So about me. So I'm now a security board and advisor. I work in one sector former of InfoSec Plano companies. And I'm working from Zero Trust on Zero Trust. From 2017 I was man by John Inberg, the godfather of Zero Trust. My kiss also Zero Trust for I. So go from Siemens was actually quite inspiring for me. Disclaimer. So I'm not part of the company anymore. I, so that's why I will not mention the company. The time allow is quite strict. So I cherry-picked some topics but people discuss further and this is not the only way.
There are plenty of ways to implement Zero Trust. This is just what we thought was necessary one. Now when I joined the company, that was situation. So it was really a green field, but it was just a lot of problems on the CO and a lot of U issues at the Bacom, which you cannot see. So it was quite funny to join. Problems goes from everywhere, from access to infrastructure and you will see how we tackle that. When we start zero journey, we decide to have some principles. So not only get, let's say the class principle, we want to secure the CIA, we want to go back and get back. We want to improve the user experience. Otherwise basically the user will bypass deck. So it's not going to be nice. Now gone is better than known evolution. Evolution change will always be present. So we were not, we were aiming perfection, but we were not expecting perfection. The first try, it was more a journey. So we decided that evolution will always be in the architecture and we accept that excessive complexity, punishment for organization accountable to make decision. That's not my folk buck is pretty crude. So we decide to make it simple. It will be simple to build, to grab, to explain it and so on. We try to use what we can. If you saw my previous presentation, I think companies have at least 5% of all the components for making a Zero Trust architecture. Just a mega of orchestrate goal.
If this sounds strange, people have a talk about and something that probably a lot of architects forget is security calls may fail. So that's why we design our security mechanism with a failure weak, sorry, week of failure, weak assumption that if the fail will be gang get case, we will follow the same execution package is allowing the operation. So now the first point where we tackle, and it was the easier one I have to say, was the join process. Why get because, well we were directly impacted. We spent one month to get all the access that we need. Similar in over companies in Za King had took two months and we get in average 20 kikis per we where a lot of kicks in the back load. So what we decide, we decide to use HR support and IAM analyzer for the infrastructure. Actually IAM analyzer ons is not working very nice.
We work only on certain services. So I may suggest Cloud Lake for get. And we decided to do a role based profiles with minimal privileges. The benefits, well the media productivity reduction of cases in technical support and it was around Turkey percent more or less. And on top of that what we had, we had a risk profile. We tried to implement human factor for cyber security. So in get the risk profile allowed us also to make decision based on risk per single. Per on. Which I mean it was pretty nice. And on top of g we are the trust score for a Yankee for in, not for agan, but for in.
So I was thinking about MFA here while I was bragging his likes. I go, okay, probably I have to do something also on the Uber life equation. So about Frank Fafa gig there, certain techniques and while I was talking about Zero Trust this MFA gig come to the mind. So it's, I mean that's just a box or quick win. That's one example. How can mitigate MFA gig infrastructure to the best, to the best practice within the company. We had share credential within Slack and so on. So we had breach and it's never pleasant to assume breaching a company, but it's one of the principle of Zero Trust. So we start a new infrastructure from scratch, we can different accounts and also we privileges what we give here. We work how we design infrastructure. There was no right privileges. Everything works out to make it through the pipeline.
So the developer is pushing the code, is making a security test and then if it approves, it goes to the various stage. So development, production, development stage in production in all the various stage developer has no right access accepting development of course. And that's why we and want to give, get permission. We also make just in time credentials and during a creation, the infrastructure we pay attention to get attack paths, local movements. And so if you're not familiar with attack paths, it's something that it allow you to visually see what, how an attacker can move through the infrastructure to the cloud. There are some nice article on Asia attack paths, ons and j p not many back like, like being and less work can help you get. So it's, it's something I probably suggest you to see. Crack intelligence, I apologize, it's not nice as I wanted, but I spend the last two weeks in afield. But so crack intelligence is actually something that we wanted to integrate in our product, in our infrastructure, in our company. Why? Well we are, we were just three people making the security for entire company. So it was impossible to manage everything. So we decide welcome, make as much as we can. So cracking kas was used mostly you see across all, all and bio, I mean infrastructure, mean devices and so on. So all of the that we see, all of the decision that we see, it was mostly our commission.
He, so we make a cost, cost analysis and we decided equals not efficient for us to have cueva source. So we create our so infrastructure, so we create our oven driven infrastructure. You will see in what I mean by that. So the entire, all the systems in the infrastructure were connected to SAU. And SAU was connected to the policy decision point. What is important here is that if we, so was also executing decision based on the trust score and we had two trust score, one for a Yankee and one for the device and everything and every feed it was received by the PPP was effectively taking account for the trust score.
Now access to resource is, so basically we have user base pre and to user base ized user base. What I mean by preta user base. So I'm an engineer one co access the system for coke, for Coke development. That's normal. I am an engineer. I want access the system from geco developer from a phone or where I am on vacationing whatever place in Pavia, I'm forget. So GE actually allow to reduce the footprint of also the operations sector made by the policy decision point and by the policy enforcement point. So there was no impact to the users and that come back to the principle that we saw. We want to improve the user experience. We don't want to basically to destroy the user experience in inferior security we saw security mostly as a poly function, not as a, not only as a security function, that's why we were spending so much time on the human factor cooking with people and try how make everything but try the impact of what we decide.
Now cooking together, that's our policy decision point architecture design. So there is our Yankee, there is the multifactor MDM and si one thing in particular I like to con si is that most of the companies they consider si as a or consider the blog simply as a law collection. A is much more than that. So you have automation you can correlate and this is not always used in the maximum of potentials method. So of course everything is Google nice but work about the method. So how we cook with bo, how we call quick with my manager with the C, we decided to, when we started the journey there was not so much document, not so many documents. So we take a look at the customer maturity model. It's linked here really nice actually goes from traditional advance optimal, it was too technical so it's not the best way.
So our own metrics, I develop our own metrics. We came out with three set of metrics, tactical, operational, strategic. So tactical is about verified effectiveness of controls and provide insight on the stacks of Zero Trust transition. So yeah, basically you have all device network infrastructure. So and everything could basically see the readiness of the Zero Trust operational deck was used by us by both security for operation and park on security posture. And then you have strategic, so basically the one that is focusing on risk and resilience is giving high level metrics for the security posture kicking. So as I mentioned, companies already have 85% of the good need for Zero Trust architecture. I talk about Zero Trust architecture in my previous talk. So it's, I'm not going to focus on that buying, deploying or building a solution represent only 10% of the for conductor confirmation. That is unfortunately there is a lot of familiarization selling of Zero Trust to the various legal stakeholders. And so, and the rest in study is revising processes, policies and workflow. So again of gge moving from your VPN to fancy new to implement Zero Trust is not going to work is about changing the mindset and culturing the anchor enterprise deck will do. And we get a finish in time. Yes. So I have time for a question.
Thank you Rio. Maybe we can look at the online questions first. Yeah,
Sure.
Actually no questions from here. So maybe from the audience Ah me. Okay. Yeah how
You built your, so by yourself. So if you can share some insights. Yeah, it was really I grieving architectural. So first of all you have to basically to select your source. In our case the source is the source where basically the one that we really care about, I suggest you to start with with a couple of sorts mostly to troubleshoot basically all the flow. So basically you have the input, you have the output. And so once you select the SOS is we and everything works API driven cause otherwise we cannot do something like that. I mean also our endpoint controls were basically based on API. So we have API, most of the stuff we're reporting from cloud console. So once we select get and once we select few events, we select also how and correlates to gagan and correlates to everything. Again, we select what kind of actions we want.
By the way the reaction, so the basically reaction from the so is not static. So it's not if gang out, I mean they considered the trust and the trust was effectively gig. So there was several levels we gig and go for some more fancy solution. I know that some banking groups were talking about machine learning and so on. Again, consider that simply because we wanted to fix the fundamentals, we want to fix the basics. I mean if you input mess in a machine learning system, what you will get is even more mess. So machine learning is not gonna solve the problem. We decided to fix the basic and then sort and then make everything to, so you can use function as a service. So we were basings, so it was mostly Lambda but you can use OpenWhisk for example. Gki will give you function as a service also in place.
So you can use a container for G. So it's really as in the first slides about the principles reuse what you can, it's not about technology but it's also taking consideration into the resource is an expertise you have in company. So I have one other question. Go ahead. So how you calculated the device scores? So did you used only one solution or it's combination? No, it's a combination of pool. So we were using a car cup to basically grab data as, so it's DR let's call this way. So because it was monitoring network endpoints and so on. And then we also couple the we can overco that grabbing more system code. So on that you can, for example, you can use open source schools like Qua or you can, so you can use commercial cooks like K bo, Google get great job actually I'm a big fan of osquery. So it's, I mean if you want to implement something as a PoC, I suggest you to use that. So
What will you consider as a good practice for policy administration? So as an IM guy, I would say well let's do everything in IGA. However, if you manage let's say firewall rules or rules that in SEA should be calculating log events, that looks quite different. So what are all the building blocks there?
Yeah, sure. So the architecture, so Zero Trust architecture as a building blocks is really simple from a 10,000 policy review is you have the policy, you have the PDP. So the policy decision point and a policy enforce point that can be your, I don't know, GLP can be your firewall and everything in my opinion should be API driven or anyway you have, you need to have certain degree of our commission deck. Coming back to your question, as we decided to have as a policy a JSON file that was easy to in for us and was easier to write for the people that were managing the policy. Everything was then one thing about the policy itself is that it should reflect your security framework, your decision and that was usually what I see is not matching more traditional companies. So you have the policy here that is usually a doc work document and then is not reflecting to technology gag. We were a small team, so we were seven overall in the security team including GRC. It was easier to manage in that way and gag we had everything in the cloud was also simplified. I have to be honest, the greenfield was somehow easier manage
One question,
I mean if we are out of Skype we can even discuss later going no problem. Okay,
Very sure. So what particular workflow s would you be using? Well having a JSON file is not very useful if you have thousands of users and external contractors and you need to specify which IP with which identity, with which role set is admissible.
Yes. So in that case, so the JSON file was only to write the policy. You're right. So it's exactly, so the policy decision point is taking several inputs. So it can be your VPN, it can be your web gateway, it can be your cars. And so, so the what you're giving the input in the policy decision point gang will reflect according to the very sensor you have. So JSON O was most of the policy that we've written we write, sorry and gang was little bit of hacking around the GET policy. I mean I'm American, I love G So sorry,
One last question. So it seems like a central point of this infrastructure was the PDP, the policy.
Well I should be,
Yeah. One of the challenges in most organizations is that a very small percentage of their application and infrastructure, the port external real time authorization, you
PDP. Yeah
This, So this really for a unique situation, a unique infrastructure or how much of this would apply to a typical organization and their application landscape would you say?
It is a really good question. So well get was specific for the company. So when I was working different organization like goberg, they were for example, there is also mainframe equal be definitely different topics. So now one thing that I will say is that a policy decision point is effectively a combination of system. You not, you have only one system is the application that you're talking about is allowing external ip. So you can synchronize for example with Okta or we Azure gig where again you can specify the different level of organization while in that case you basically, you solve the problems, right? So, but again, it's really, you have, there is not only one way to specify, have Zero Trust architecture. So it can be for example on agent level certain teams and you can block the access to the application itself. So it really depends. But if you have a very specific use case that people go privately and we can try to find a solution for you.
Sure. Yeah. I think we just, we always all struggle with trying to find a solution that fits a large
Percentage. Yeah, exactly. I mean I was lucky after the greenfield go was a iceberg, it works in some way very technology driven and get, help us a lot and if I, there was no security function before, it allows us to basically to whatever we like, like cool stuff. Yeah, exactly. Well thank you Forio, thanks to you.
