Transcript: Kindervag_Zero_Trust_Network_Arch_v2

Making Leaders Successful
Every Day
Zero Trust Network Architecture
John Kindervag, Principal Analyst
April 11, 2013
Agenda
The new threat landscape
Next gen security architecture for
traditional networks
Zero Trust – the next generation
secure network
© 2012 Forrester Research, Inc. Reproduction Prohibited
2011-2013 Notable Hacks

Target | Date | Actor | Attack Type | Motive | Data | Impact
RSA | March 17, 2011 | Advanced: state-sponsored | APT, targeted malware | Espionage (intellectual property) | RSA SecurID token source code | Potentially opens customers to attack
Epsilon | April 1, 2011 | Unknown | Not disclosed | Financial | Email addresses | Brand damage; could lead to spear-phishing attacks
Sony PSN | April 19, 2011 | "Anonymous" suspected | Unknown | Hacktivism | Personally identifiable information (PII) | Sony PSN down: >$170M hard costs
Lockheed Martin | May 28, 2011 | Unknown | RSA SecurID exploited | Corporate espionage | Unknown | Brand damage
Symantec | February 8, 2012 | Unknown, perhaps "Anonymous" | Unknown | Extortion | Source code | Brand damage
CIA | February 10, 2012 | "Anonymous" | DDoS | Hacktivism | None | Website offline
Bit9 | February 27, 2013 | Unknown | SQL injection | Create attack vector | Unknown | Companies using Bit9 were attacked
Evernote | March 3, 2013 | Unknown | Unknown | Data theft | 50 million customer passwords | Password resets and possible data loss

Source: CNET Hacker Chart: http://news.cnet.com/8301-27080_3-20071830-245/keeping-up-with-the-hackers-chart/
and http://www.privacyrights.org/data-breach/new.
Frequency of data breaches
"How many times do you estimate that your firm's sensitive data was potentially compromised or breached in the past 12 months?"
Once: 7%
Twice: 6%
Three to five times: 7%
Six to 10 times: 3%
11 to 25 times: 1%
More than 25 times in the past 12 months: 1%
No breaches in the past 12 months: 56%
Cannot disclose: 15%
Don't know: 5%
Callout: 25% of companies have experienced a breach during the last 12 months that they know of.
Base: 1319 IT security decision-makers; Source: Forrsights Security Survey, Q3 2012
Data is the new oil
(figure: screenshot of underground forum posts advertising hacked RDP access, worldwide CVVs and "fullz", dumps, US logins and PayPal accounts for sale, payment via WMZ)
Data Security And Control Framework
Source: January 2012 “The Future Of Data Security And Privacy: Controlling Big Data”
TechRadar™: Network Threat Mitigation, Q2 ’12
May 2012 “TechRadar™ For Security & Risk Professionals: Zero Trust Network Threat Mitigation, Q2 2012”
Which one goes to the Internet?
Traditional: UNTRUSTED / TRUSTED
Zero Trust: UNTRUSTED / UNTRUSTED
Concepts of zero trust
All resources are accessed in a secure manner regardless of location.
Access control is on a “need-to-know” basis and is strictly enforced.
Verify and never trust.
Inspect and log all traffic.
The network is designed from the inside out.
Building the Traditional Hierarchical Network
Layers: Edge, Core, Distribution, Access

Security Is An Overlay
(diagram: security controls bolted onto each layer of the hierarchical network: FW, IPS, Email, WCF, VPN, WAF, DLP, DB ENC, WLAN GW, DAM, NAC)
Deconstructing the Traditional Network
(diagram: the same Edge, Core, Distribution and Access layers with their overlay controls: FW, IPS, Email, WCF, VPN, WAF, DLP, DB ENC, WLAN GW, DAM, NAC)
Re-Building the Secure Network
(diagram: the overlay controls FW, WLAN GW, IPS, WAF, CRYPTO, AM, CF, AC, NAC, Email, WCF, DAM, DLP, DB ENC and VPN collapse into one device)
Packet Forwarding Engine
Segmentation Gateway
NGFW
Very high speed, multiple 10G interfaces
Builds security into the network DNA
(diagram labels: FW, AC)
Zero Trust Drives Future Network Design
MCAP: Micro Core and Perimeter
MCAP resources have similar functionality and share global policy attributes.
MCAPs are centrally managed to create a unified switching fabric.
Management = Backplane
(diagram: User MCAP, WWW MCAP, MGMT server)
Zero Trust Drives Future Network Design
All traffic to and from each MCAP is inspected and logged.
(diagram: User MCAP, WWW MCAP, DAN MCAP, MGMT/SIM/NAV server)
Zero Trust Network is Platform Agnostic and VM Ready
Creates VM-friendly L2 segments.
Aggregates similar VM hosts.
Secures VMs by default.
(diagram: User MCAP, WWW MCAP, DAN MCAP, MGMT/SIM/NAV server)
Zero Trust Network Architecture is Compliant
(diagram: WL MCAP, User MCAP, WWW MCAP, DAN MCAP, MGMT/SIM/NAV server)
Zero Trust Network Architecture is Scalable
(diagram: WL MCAP, DB MCAP, User MCAP, APPS MCAP, WWW MCAP, DAN MCAP, MGMT/SIM/NAV server)
Zero Trust Network Architecture is Segmented
(diagram: WL MCAP, DB MCAP, User MCAP, APPS MCAP, CHD MCAP, WWW MCAP, DAN MCAP, MGMT/SIM/NAV server)
Zero Trust Network Architecture is Flexible
(diagram: WL MCAP, DB MCAP, User MCAP, APPS MCAP, CHD MCAP, WWW MCAP, DAN MCAP, MGMT/SIM/NAV server)
Zero Trust Network Architecture is Extensible
(diagram: WL MCAP, DB MCAP, APPS MCAP, CHD MCAP, User MCAP, WWW MCAP, DAN MCAP, MGMT/SIM/NAV server, with a WAF added)
ZTNA Supports the Extended Enterprise
(diagram: WL MCAP, DB MCAP, APPS MCAP, CHD MCAP, User MCAP, WWW MCAP, DAN MCAP, MGMT/SIM/NAV server, WAF)
What about fabrics?
A Traditional Hierarchical Network Will
Evolve To A Flatter, Meshed Topology
Source: December 2010 “The Data Center Network Evolution: Five Reasons This Isn’t Your Dad’s Network”
Zero Trust Network Architecture is
Fabric Friendly
Source: December 2010 “The Data Center Network Evolution: Five Reasons This Isn’t Your Dad’s Network”
Augment Hierarchical Networks with Zero Trust
(diagram: Zero Trust MCAPs (WL MCAP, User MCAP, CHD MCAP, DAN MCAP, MGMT/SIM/NAV server) with IPS, WAF and DAM, connected over the WAN to the existing WWW farm, DB farm and server farm, which keep their own IPS)
Zero Trust Multi-Dimensionality
Zero Trust Data Identity: Treat data as if it’s living
Each flow has several dimensions, each with its own identity and context:
Network / Transport: the packets themselves
User: user identity (UID); users generate traffic
Application: application identity (AID); applications generate traffic
Data / Information: data identity (DID), with context of location, classification and type
All of these dimensions are monitored via DAN/NAV.
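The concepts slide (need-to-know access, verify and never trust, inspect and log all traffic), the MCAP slides (resources grouped by function, sharing global policy attributes under central management, with every flow to and from an MCAP inspected and logged) and the multi-dimensionality slide above all meet in the segmentation gateway's policy decision. The following Python model is an added example for this transcript, not Forrester's or the presenter's code: it decides each flow on the MCAP pair, the user identity (UID), the application identity (AID) and the data identity (DID), denies by default, and logs every decision. The MCAP names, users, groups, classifications and rules are constructed for illustration.

```python
"""
Segmentation gateway policy model for a Zero Trust network of MCAPs.

Added example; not Forrester's or the presenter's code. MCAP names, users,
groups, classifications and rules are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Data identity (DID): classification rank, higher means more sensitive.
# A classification missing from this table is treated as unknown and denied.
CLASS_RANK = {"public": 0, "internal": 1, "confidential": 2, "chd": 3}


@dataclass(frozen=True)
class Flow:
    """One connection attempt as seen by the segmentation gateway."""
    src_mcap: str   # MCAP the packet came from
    dst_mcap: str   # MCAP it wants to reach
    uid: str        # user identity (UID), from authentication, not an IP address
    aid: str        # application identity (AID), from inspection, not the port
    did: str        # data identity (DID): classification of the object requested


@dataclass(frozen=True)
class Rule:
    """Global policy attribute for one MCAP-to-MCAP path."""
    src_mcap: str
    dst_mcap: str
    aid: str
    groups: FrozenSet[str]  # need-to-know: only these groups may use the path
    max_did: str            # highest classification reachable over the path


class SegmentationGateway:
    """Central policy for all MCAPs: every flow is decided and logged here."""

    def __init__(self, rules: List[Rule], user_groups: Dict[str, Set[str]]):
        self.rules = list(rules)
        self.user_groups = dict(user_groups)
        # Inspect and log all traffic: allowed and denied flows alike.
        self.log: List[Tuple[Flow, bool, str]] = []

    def decide(self, flow: Flow) -> bool:
        # Default deny: an MCAP is never trusted for where it sits, so a flow
        # with no explicit rule is dropped even when both ends are "inside".
        allowed = False
        reason = "default deny: no rule for %s->%s" % (flow.src_mcap, flow.dst_mcap)
        for rule in self.rules:
            if (rule.src_mcap, rule.dst_mcap) != (flow.src_mcap, flow.dst_mcap):
                continue
            if rule.aid != flow.aid:
                reason = "app %s not permitted on this path" % flow.aid
                continue
            if not (self.user_groups.get(flow.uid, set()) & rule.groups):
                reason = "user %s lacks need-to-know for %s" % (flow.uid, flow.dst_mcap)
                continue
            rank = CLASS_RANK.get(flow.did)
            if rank is None or rank > CLASS_RANK[rule.max_did]:
                reason = "data class %r not allowed on this path" % flow.did
                continue
            allowed = True
            reason = "rule %s->%s/%s" % (rule.src_mcap, rule.dst_mcap, rule.aid)
            break
        self.log.append((flow, allowed, reason))
        return allowed


def build_gateway() -> SegmentationGateway:
    """Constructed policy for a small layout: User, WWW, APPS, DB, CHD and MGMT MCAPs."""
    rules = [
        Rule("User", "WWW", "https", frozenset({"staff"}), "internal"),
        Rule("WWW", "APPS", "http", frozenset({"svc-web"}), "confidential"),
        Rule("APPS", "DB", "sql", frozenset({"svc-app"}), "confidential"),
        Rule("APPS", "CHD", "sql", frozenset({"svc-pay"}), "chd"),
        Rule("User", "MGMT", "ssh", frozenset({"netops"}), "confidential"),
    ]
    groups = {
        "alice": {"staff"},
        "bob": {"staff", "netops"},
        "web01": {"svc-web"},
        "app01": {"svc-app", "svc-pay"},
    }
    return SegmentationGateway(rules, groups)


# Constructed flows; no rule lets a user reach the DB or CHD MCAP directly.
DEMO_FLOWS = {
    "user_to_www": Flow("User", "WWW", "alice", "https", "internal"),
    "user_direct_to_db": Flow("User", "DB", "alice", "sql", "confidential"),
    "app_to_db": Flow("APPS", "DB", "app01", "sql", "confidential"),
    "app_to_chd": Flow("APPS", "CHD", "app01", "sql", "chd"),
    "web_to_chd": Flow("WWW", "CHD", "web01", "sql", "chd"),
    "chd_over_db_path": Flow("APPS", "DB", "app01", "sql", "chd"),
    "staff_ssh_to_mgmt": Flow("User", "MGMT", "alice", "ssh", "confidential"),
    "netops_ssh_to_mgmt": Flow("User", "MGMT", "bob", "ssh", "confidential"),
    "unclassified_data": Flow("User", "WWW", "alice", "https", "unknown"),
}


def run_demo(gw: SegmentationGateway) -> Dict[str, bool]:
    """Decide every constructed flow on the given gateway; returns label -> allowed."""
    return {name: gw.decide(flow) for name, flow in DEMO_FLOWS.items()}


if __name__ == "__main__":
    gateway = build_gateway()
    run_demo(gateway)
    for flow, ok, why in gateway.log:   # the DAN/NAV view: every flow, with its reason
        print("%-5s %s->%s uid=%s aid=%s did=%s  %s"
              % ("ALLOW" if ok else "DENY", flow.src_mcap, flow.dst_mcap,
                 flow.uid, flow.aid, flow.did, why))
```

Running the script prints one log line per flow. The point to take from it is that the source MCAP buys nothing on its own: a user in the User MCAP reaching for the DB MCAP is denied for lack of a rule, an application server carrying cardholder data over the APPS-to-DB path is denied by the data identity even though the path itself exists, and a denied flow is logged with the same detail as an allowed one.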
“Trust but verify” is replaced by “Verify and never trust.”
Hard and Crunchy
(diagram: WL MCAP, DB MCAP, User MCAP, APPS MCAP, CHD MCAP, WWW MCAP, DAN MCAP, MGMT/SIM/NAV server)
Summary
• Make the network an enforcement point.
• Zero Trust — “Verify and never trust!”
• Inspect and log all traffic.
• Design from the inside out.
• Design with compliance in mind.
• Embed security into network DNA.
Thank you
John Kindervag
+1 469.221.5372
[email protected]
Twitter: Kindervag
www.forrester.com