Zero Trust in a World of Everything, Everyone, Everywhere, All at Once

So I'll keep it light. I'll just start with this video. So, so what happened here, right? So this guy was running through a bridge thinking that he was protected, right? If he knew he was in danger, he probably never have run through it, right? He will know it's, this is stupid, I will not do it. Thinking on the harness gave him the illusion of security, right?
And this, if we relate to this, this relates to, to us in our everyday work, right? We trust, right? We trust, we don't really verify our security. We nev we should never run just because someone says so, right? We shouldn't trust anyone and we should always investigate ourselves. I'm really trying not to move around. I was told I'm being filmed, so I cannot go there. So that's why you see me moving behind the podium. So this is a sentence from the, I like to put sentence from this, this book, the best defense is the, the supreme Art of War is to subdue the enemy without fighting. So the idea is here is really to make sure our securities and our defense are ready and we don't need to fight the battle, right? And we have been good at it. We are extremely good building walls, right? And we transported that to the cyberspace, right? We built our own small farm with some firewalls and we built our walls and we have our data protected, right? But we trust too much, right? Someone will do some dumb stuff, someone will press the wrong button. I saw someone, someone once pressing a button that changed the billing system of a whole company, the telco at the time. And he crashed the whole system, the billing system, just because he pressed the wrong button. We trust too much. We give too much permissions. We never really check after we giving the permissions.
We are very busy trying to protect the front door. And we have, we always forget that the back door is open and they'll just leave with our own data. No matter how many defenses we have, people will always find a way, right? Look, this is in the middle of the war and farmers were stealing tanks in Ukraine. They thought they were protected. This guy, this guy, just delete the database every time he gets a ticket. They thought they were protected. And of course we did. We have great hacks, right? And I just put the most recent ones right? The CSO was arrested, Uber Csil was arrested. Okta, I think the third time now had a breach. Boeing had a major hack. So these are big companies investing a lot in security and they have this and they get arrested. What's going on here? So this is what has been happening. Over time, our attacks got more complex and easier to execute. We can now hire ransomware as a service in the dark web. And, and as you can see, we don't even need skills anymore. We just hire. So the attacks are getting really, really complex. Remember DDoS, it was a problem not long ago. We just hired online and destroyed some company. Now we're getting into the ransomware and ransomware as a service, as I said, and new attacks coming every day. New vectors. And we have to keep this in mind. It might take 20 years for us to build our own reputation,
But a few minutes to destroy it. There are companies that if they get attacked, game over Okta is the third time and they're managing identities for a lot of customers. And that's a problem. And on top of that, we had our small farm with walls, but our environment changed and now we have everything, everyone everywhere, all at once. How do we secure ourselves, right? This is the problem. So this is my take on it. Don't take me on it. Always assume that you are always compromised. So when I deploy something, I always assume that I am compromised. So my take is they're here. How can I secure my data, right? Hack it ourselves. So don't just trust that something is secure just because a vendor said. So
For that, build a red team. So some of you might know this is the wheel of the InfoSec wheel. And right now major companies have their blue team, the sock, their logs, their everything. They might have some engineering or architecture team, but they don't have a red team. And the idea is to become a purple team. So soc architecture logs everything working and the red team penetrating the systems working together to create this, this offensive way of working. For example, this is from the Pentagon. Yes. So yeah, I forgot the name. Yeah. So this is their way. Of course this is for worse, but it can be applied for us, right?
We can be offensive, but be defensive at the same time, right? And as I said, we need to have a good architecture, good logging, and a good soc, a good red team to create this purple way of working. And, and if you think architecture is, is expensive, try bad architecture, right? It's speaking of logs and architecture. This is data from last year. If I, yes, and this is basically companies have cmms but they don't look at it, right? They just disable out of the box things because they're generating too much logs. It's too much noise. Have you heard of the Analyst burnout? The guys that are the first line in the socks, they have burnouts because too many logs. So companies just go around, yeah, we have the, we're good, we we are compliant. Let's just disable some logs because they're generating log too much noise. And this is, is basically what I said, right? There's no one size fits all for any company. That's why do it yourself.
Our, our network within this cloud paradigm is, is becoming big and too many data sources creating this burnout, right? And of course there's manual and error prone process and because the teams are expanding, sometimes we don't hire the best of the best because there's none on the market or because they're too expensive. You name it. And again, how do we fix this? Well, this is my take again, besides the red team, zero trust. Absolute zero trust. And that's my idea, right? If you have zero trust where they can be in the network, and I know, and believe me, I had some big discussions with a lot of Cs about this because they don't, don't have the same view. But if you have zero trust, complete zero trust, I can access my data anywhere, everywhere. I don't care where my data will be protected. And that's the idea.
So I will transform my net network in a because way of just like the internet, anyone is playing around because my data is protected, encrypted, double encrypted, like I'm showing here, right? How do we achieve this? This? So understand your crown jewels. If you don't know what's crown jewels, basically it's, I'm pretty sure you know, but there are crown jewels. So they're the systems that will stop the business from working, right? If without it we cannot do business, the company cannot work. Very simple example, the identities, right? Okta, again, encrypted, double encrypted because we're in Germany. So I like to call the lawyers in Germany, data protection on steroids.
And believe me, we speak a lot. Why? Because of the cloud, because of frames too. There's some strange law that says no US company can have our data. So we have to double encrypt it and using our own keys, as I said, keys in the cloud. Use your own, never the providers. Four eyes. What is four eyes? Never trust. So don't let one person alone access the systems, have another set of eyes looking at what that person is doing. It can be achieved with some systems. Well, is it critical? Well, don't put it in the cloud, but if you really want to do it, use confidential computing. So Amazon now supports it. Azure now supports it. Confidential computing means, and these are true conversations I had with lawyers. Let's say someone has access to the machine, physical machine. Let's suppose that person carries with them some nitrogen. These are real conversation I had with lawyers, right? Let's say he deep freezes the memory of that system. He will be able to transport the memory of that system and steal their data. This is possible and it was proven. So confidential computing will make sure that even that process is encrypted. It's expensive though.
Cloud as I keep talking about cloud, right? So it's the solution, right? Everyone talks about cloth. Well for that. I put this slide here, how tech companies compare protecting your digital rights. So you can see there Microsoft is pretty good at protecting digital rights. Google is pretty good. And then we have the telcos, right? I work for the top one. That's why I put it here. No, I joke just because it's, it's a good slide to make a point. So as you can see, they're rated, right? Who is the biggest cloud provider? AWS doesn't even show in the list. Think about it. Everyone is putting systems in the cloud. AWS is the winner. Doesn't even show I think the last, last year one. Now they show somewhere in the, in the list. And these are companies. So what what does it mean is there are some warrants. Companies will fight for the rights, privacy of that customer. So, so for now you're, we establish zero trust is the way, right? So things to consider, right?
So there's no cloud, right? An attacker, as I explained, can have physical access because it's someone else machine, it's sitting somewhere, somewhere in the data center, right? There's also these attack paths. The four I principle, right? There's a guy working, this is North Korea, but could be anywhere else. There's a guy accessing the system. There's some set of eyes looking at it. So let's keep it protected. This is another attack path that existed and still exists. Not that common anymore. What is going on here? So cloud providers, how do they make money? They share the hypervisor, they share the machines, right? I can be in guest one and my friend can be in guest two. I can do this. I can jump from guest one to guest two and keep this in mind. So that's why I say zero. Trust keep, doesn't matter where they are. The data is always secure. Also, there's another way of achieving this. Negotiate your own farm with the, with the cloud provider. But then why cloud?
This is pretty basic, right? So this is another attack part authorized to to, to this operating season. We all know what's going on here, right? Again, if we encrypt and double encrypt shouldn't be a problem. This happens a lot. Frames two is the law. That's every data protection lawyer in Germany talks about. If we double encrypt, we should be okay and well this is okay. Attacker has access to the codes here, all bets are off, right? The only things we can consider here if they have access to the code is double encrypt and access control. A proper access control to it, right? To recap. And how much time? Four minutes. It's still good. It's not rocket science, right? But it's probably as expensive. We all know by now and trust no one, not even anyone. And I'm ending with this. Be prepared for any attack because, yeah, 'cause the question is not if, but when. Thank you.