Making Leaders Successful Every Day

homuskrat, Networks and Communications

20 Nov 2013 (3 years and 6 months ago)

Zero Trust Network Architecture

John Kindervag,
Principal Analyst

April 11, 2013

© 2012 Forrester Research, Inc. Reproduction Prohibited

Agenda

- The new threat landscape
- Next gen security architecture for traditional networks
- Zero Trust: the next generation secure network


2011-2013 Notable Hacks

| Organization | Date | Actor | Attack Type | Motive | Data | Impact |
|---|---|---|---|---|---|---|
| RSA | March 17, 2011 | Advanced: state-sponsored APT | Targeted malware | Espionage | Intellectual property: RSA SecurID token source code | Potentially opens customers to attack |
| Epsilon | April 1, 2011 | Unknown | Not disclosed | Financial | Email addresses | Brand damage, could lead to spear phishing attacks |
| Sony PSN | April 19, 2011 | "Anonymous" suspected | Unknown | Hacktivism | Personally identifiable information (PII) | Sony PSN down: >$170M hard costs |
| Lockheed Martin | May 28, 2011 | Unknown | RSA SecurID exploited | Corporate espionage | Unknown | Brand damage |
| Symantec | February 8, 2012 | Unknown, perhaps "Anonymous" | Unknown | Extortion | Source code | Brand damage |
| CIA | February 10, 2012 | "Anonymous" | DDoS | Hacktivism | None | Website offline |
| Bit9 | February 27, 2013 | Unknown | SQL injection | Create attack vector | Unknown | Companies using Bit9 were attacked |
| Evernote | March 3, 2013 | Unknown | Unknown | Data theft | 50 million customers' passwords | Password resets & possible data loss |

Source: CNET Hacker Chart, http://news.cnet.com/8301-27080_3-20071830-245/keeping-up-with-the-hackers-chart/ and http://www.privacyrights.org/data-breach/new.

Frequency of data breaches

"How many times do you estimate that your firm's sensitive data was potentially compromised or breached in the past 12 months?"

| Response | Share |
|---|---|
| Don't know | 5% |
| Cannot disclose | 15% |
| No breaches in the past 12 months | 56% |
| More than 25 times in the past 12 months | 1% |
| 11 to 25 times | 1% |
| Six to 10 times | 3% |
| Three to five times | 7% |
| Twice | 6% |
| Once | 7% |

25% of companies have experienced a breach during the last 12 months that they know of.

Base: 1,319 IT security decision-makers; Source: Forrsights Security Survey, Q3 2012


Data is the new oil

Underground forum listings quoted on the slide (spelling as posted):

"I need RDP UK US Germany To buy NOW VIA WMZ wana buy 9"

"Selling (Worldwide Cvvs, Worldwide Fullz, UK, Usa Logins Worldwide Dumps, UK, Usa Paypal, Ebay Accounts...)"

"GOOD OFFER SELLING hacked RDP GURANTED 24HOURS UP TIME ONLY 10$"

"Selling fresh vergin wordwide cvv"

Data Security And Control Framework

Source: January 2012, "The Future Of Data Security And Privacy: Controlling Big Data"



TechRadar™: Network Threat Mitigation, Q2 '12

Source: May 2012, "TechRadar™ For Security & Risk Professionals: Zero Trust Network Threat Mitigation, Q2 2012"



Which one goes to the Internet?

Traditional model labels the two sides: UNTRUSTED | TRUSTED

Zero Trust labels both sides: UNTRUSTED | UNTRUSTED

Concepts of zero trust

- All resources are accessed in a secure manner regardless of location.
- Access control is on a "need-to-know" basis and is strictly enforced.
- Verify and never trust.
- Inspect and log all traffic.
- The network is designed from the inside out.

Building the Traditional Hierarchical Network

Diagram layers: Core, Distribution, Access, Edge

Security Is An Overlay

Diagram: the Core, Distribution, Access and Edge layers with security devices layered over them: IPS, FW, WAF, DAM, IPS, FW, FW, WLAN GW, WCF, Email, NAC, DB ENC, VPN, DLP, IPS

Deconstructing the Traditional Network

Diagram: the same Core, Distribution, Access and Edge layers and the same overlay devices (IPS, FW, WAF, IPS, FW, FW, WLAN GW, WCF, Email, NAC, DAM, DLP, DB ENC, VPN, IPS) pulled apart from the hierarchy

Re-Building the Secure Network

Diagram: the former overlay devices (IPS, FW, WAF, DAM, WLAN GW, DLP, WCF, Email, NAC, DB ENC) collapse into a Segmentation Gateway (NGFW) built on a Packet Forwarding Engine with FW, IPS, CRYPTO, AM, CF, AC and VPN functions.

Segmentation Gateway:

- Very high speed
- Multiple 10G interfaces
- Builds security into the network DNA

MCAP: Micro Core and Perimeter

- MCAP resources have similar functionality and share global policy attributes.
- MCAPs are centrally managed to create a unified switching fabric.
- Management = Backplane

Diagram labels: FW, AC, MGMT server, WWW MCAP, User MCAP

Zero Trust Drives Future Network Design

All traffic to and from each MCAP is inspected and logged.

Diagram labels: MGMT server, WWW MCAP, User MCAP, SIM, NAV, DAN MCAP

Zero Trust Drives Future Network Design

- Creates VM-friendly L2 segments
- Aggregates similar VM hosts
- Secures VMs by default

Diagram labels: MGMT server, WWW MCAP, User MCAP, NAV, DAN MCAP, SIM

Zero Trust Network is Platform Agnostic and VM Ready

Diagram labels: WL MCAP, MGMT server, WWW MCAP, User MCAP, SIM, NAV, DAN MCAP

Zero Trust Network Architecture is Compliant

Diagram adds: DB MCAP, APPS MCAP

Zero Trust Network Architecture is Scalable

Diagram adds: CHD MCAP

Zero Trust Network Architecture is Segmented

Diagram: the same MCAPs (CHD, DB, APPS, WWW, WL, User, DAN) around the MGMT server, SIM and NAV

Zero Trust Network Architecture is Flexible

Diagram adds: WAF

Zero Trust Network Architecture is Extensible

Diagram: the same MCAPs plus WAF

ZTNA Supports the Extended Enterprise

What about fabrics?

A Traditional Hierarchical Network Will Evolve To A Flatter, Meshed Topology

Source: December 2010, "The Data Center Network Evolution: Five Reasons This Isn't Your Dad's Network"

Zero Trust Network Architecture is Fabric Friendly

Source: December 2010, "The Data Center Network Evolution: Five Reasons This Isn't Your Dad's Network"


Augment Hierarchical Networks with Zero Trust

Diagram: the existing hierarchical network (IPS, Server farm, WWW farm, DB farm, IPS, IPS, IPS, WAN, WAF, DAM) alongside Zero Trust segments (CHD MCAP, MGMT server, WL MCAP, User MCAP, SIM, NAV, DAN MCAP)

Zero Trust Multi-Dimensionality

Zero Trust Data Identity: Treat data as if it's living

Dimensions: Data, Identity, Network, Transport, Context, Information

- User identity (UID): the user generates traffic.
- Application identity (AID): the application generates traffic.
- Data identity (DID): the data has a location, a classification and a type.
- Network and transport are monitored via DAN/NAV.
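As an added example (not part of the Forrester deck and not any product's code), the policy model from the "Concepts of zero trust" and MCAP slides above, combined with the UID/AID/DID dimensions of this slide, as a small Python segmentation-gateway evaluator: each MCAP carries global policy attributes that every resource in it inherits, access is need-to-know and default-deny regardless of where a flow originates, the data classification is checked against the destination segment, and every decision, allowed or denied, is logged. The MCAP names follow the deck's labels; the roles, application identities, classification scale and sample flows are constructed for the example.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


@dataclass(frozen=True)
class Mcap:
    """A Micro Core And Perimeter segment with its global policy attributes.

    Every resource placed in the MCAP inherits these attributes, which is the
    'similar functionality, shared global policy' idea from the slides.
    """
    name: str
    max_classification: int    # highest data class this segment may hold
    allowed_from: frozenset    # source MCAPs on the need-to-know list
    allowed_apps: frozenset    # application identities (AID) permitted inbound
    allowed_roles: frozenset   # user-identity roles permitted inbound


@dataclass(frozen=True)
class Flow:
    """One connection attempt as seen by the segmentation gateway."""
    src_mcap: str
    dst_mcap: str
    uid: str             # user identity (UID)
    role: str            # attribute carried with the UID
    aid: str             # application identity (AID)
    classification: int  # data identity (DID) as a class: 0 public .. 3 CHD


class SegmentationGateway:
    """Default-deny policy engine: no source is trusted for being 'inside'."""

    def __init__(self, mcaps):
        self.mcaps = {m.name: m for m in mcaps}
        self.log = []  # every decision, ALLOW and DENY alike, is recorded

    def evaluate(self, flow):
        reasons = []
        dst = self.mcaps.get(flow.dst_mcap)
        if dst is None:
            reasons.append("unknown destination MCAP")
        else:
            # Location grants nothing: the source MCAP must be explicitly listed.
            if flow.src_mcap not in dst.allowed_from:
                reasons.append("source MCAP not on need-to-know list")
            if flow.aid not in dst.allowed_apps:
                reasons.append("application identity not permitted")
            if flow.role not in dst.allowed_roles:
                reasons.append("user role not permitted")
            if flow.classification > dst.max_classification:
                reasons.append("data classification too high for destination")
        verdict = "ALLOW" if not reasons else "DENY"
        self.log.append({"ts": datetime.now(timezone.utc).isoformat(),
                         "verdict": verdict, "reasons": reasons, **asdict(flow)})
        return verdict


def build_gateway():
    """Constructed (hypothetical) policy for the MCAP names used on the slides."""
    return SegmentationGateway([
        Mcap("WWW", 1, frozenset({"User", "WAN"}), frozenset({"https"}),
             frozenset({"employee", "customer"})),
        Mcap("APPS", 2, frozenset({"WWW"}), frozenset({"app-api"}),
             frozenset({"service"})),
        Mcap("DB", 2, frozenset({"APPS"}), frozenset({"sql"}),
             frozenset({"service"})),
        Mcap("CHD", 3, frozenset({"APPS"}), frozenset({"tokenize"}),
             frozenset({"service"})),
        Mcap("MGMT", 3, frozenset({"MGMT"}), frozenset({"ssh"}),
             frozenset({"admin"})),
    ])


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow("User", "WWW", "alice", "employee", "https", 1),      # permitted path
    Flow("User", "DB", "alice", "employee", "sql", 2),         # user tier straight to DB
    Flow("WWW", "MGMT", "svc-www", "service", "ssh", 0),       # web tier to management
    Flow("APPS", "CHD", "svc-app", "service", "tokenize", 3),  # permitted path
    Flow("User", "WWW", "bob", "employee", "https", 3),        # CHD pushed into WWW MCAP
]


def run_sample():
    """Evaluate the sample flows; returns (verdicts, full decision log)."""
    gw = build_gateway()
    verdicts = [gw.evaluate(f) for f in SAMPLE_FLOWS]
    return verdicts, gw.log


if __name__ == "__main__":
    for entry in run_sample()[1]:
        print(entry["verdict"], entry["src_mcap"], "->", entry["dst_mcap"],
              entry["uid"], entry["aid"], entry["reasons"])
```

The log is the point as much as the verdict: a segmentation gateway that records only denies cannot answer "who reached the CHD MCAP last week", so allowed flows are written with the same fields. The last sample flow is denied purely on data identity, which is the case a pure network-layer ACL would wave through.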

Trust But Verify vs. Verify and Never Trust

Diagram labels: CHD MCAP, DB MCAP, APPS MCAP, "Hard and Crunchy", MGMT server, WWW MCAP, WL MCAP, User MCAP, SIM, NAV, DAN MCAP

Summary

- Make the network an enforcement point.
- Zero Trust: "Verify and never trust!"
- Inspect and log all traffic.
- Design from the inside out.
- Design with compliance in mind.
- Embed security into network DNA.

Thank you

John Kindervag

+1 469.221.5372

jkindervag@forrester.com

Twitter: Kindervag

www.forrester.com