HOW ZERO TRUST CHANGES IDENTITY & ACCESS

BeyondCorpSF Meetup - Mar 9th 2017

Ivan Dwyer - [email protected] | @fortyfivan

Upload: ivan-dwyer

Post on 19-Mar-2017
TRANSCRIPT


90% of organizations vulnerable to insider threats in 2015

80% of security breaches involve privileged credentials

23 authentication events per person every day

Sources: Forrester, Technavio, NIST

Mitigating insider risk is a top priority for every organization

Mission: To have every Google employee work successfully from untrusted networks without use of a VPN

1. Connecting from a particular network must not determine which services you can access

2. Access to services is granted based on what we know about you and your device

3. All access to services must be authenticated, authorized, and encrypted

Google really got it right with BeyondCorp

Zero Trust: Google Security for Everyone Else

First we need a new concept of Enterprise Identity

Employees have traditionally been placed into two buckets*

Attribute           Privileged User     Non-privileged User
Function            IT                  Business
Resources           Infrastructure      Applications
Workflow            Terminal            Web
Role                Admin               Group-based
Credential          Key or Cert         Password
Added Layers        Rotation policy     MFA
Product Category    PAM                 IAM

* Insert gross overgeneralization disclaimer here

Building a dynamic user and device profile

Is the user in good standing with the company?

Does the user belong to the Engineering org?

Is the user on Team A working on feature X?

...

Is the device in inventory?

Is the device’s disk encrypted?

Is the device’s OS up to date?

...

Enterprise Identity = You + Your Device at a Point-in-Time

Identity is still King, but Access is the Throne

What do we really want from Access Management?

➔ A unified solution for authentication, authorization, and auditing

➔ A common access policy definition for ABAC & RBAC

➔ The ability to make intelligent access decisions in real-time

➔ A consistent, streamlined workflow for both privileged and non-privileged users

➔ Identity governance decoupled from the system of record

➔ To eliminate the need for network segmentation and static credentials

Revitalizing the AAA Framework

Authenticate: Verify Identity is who they say they are

Authorize: Verify Identity is allowed to access the resource

Audit: Verify Identity is doing no harm (intentional or not)

The basis for a common Access Policy definition

➔ User attributes

➔ Device attributes

➔ Location-based rules

➔ Time-based controls

➔ Groups and roles

➔ Federation capabilities

➔ Resource-specific rules

[Diagram: All requests flow through a centralized access gateway. Components shown: "Request resource" (SSH, RDP, HTTPS), Access Gateway, IdP, MFA, CA, Policy Engine, Access Policies, a "Grant?" decision (Yes / No), and the question "Why was I denied access?"]
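The policy engine behind that "Grant?" decision, written out as an added Python example (this is not code from the deck or from ScaleFT). It combines the dynamic user and device profile questions from earlier slides with the access policy elements listed above (user attributes, device attributes, location, time, groups/teams, resource-specific rules, MFA), defaults to deny, returns the failed checks so the gateway can answer "Why was I denied access?", and records an audit entry for the Audit leg of AAA. Every attribute name, resource name, policy value and sample request is an assumption constructed for the example.

```python
"""Toy Zero Trust policy engine: a constructed example, not any product's code.
Evaluates a request against the user profile, the device profile and a per-resource
policy; returns allow/deny plus the failed checks and writes an audit record."""
from dataclasses import dataclass, field
from datetime import datetime, time

@dataclass
class User:
    username: str
    in_good_standing: bool
    org: str
    teams: frozenset

@dataclass
class Device:
    device_id: str
    in_inventory: bool
    disk_encrypted: bool
    os_up_to_date: bool

@dataclass
class Request:
    user: User
    device: Device
    resource: str
    protocol: str          # "ssh", "rdp" or "https"
    source_country: str
    at: datetime
    mfa_verified: bool

@dataclass
class ResourcePolicy:            # all field names are assumed for this example
    required_org: str = None
    required_team: str = None
    allowed_protocols: frozenset = frozenset({"https"})
    allowed_countries: frozenset = None   # None means any location
    hours: tuple = None                   # (start, end) time-of-day window
    require_mfa: bool = True

@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)   # names of the checks that failed

# Baseline checks come from the user/device profile and apply to every request.
BASELINE_CHECKS = [
    ("user in good standing", lambda r: r.user.in_good_standing),
    ("device in inventory", lambda r: r.device.in_inventory),
    ("device disk encrypted", lambda r: r.device.disk_encrypted),
    ("device OS up to date", lambda r: r.device.os_up_to_date),
]

def resource_checks(p):
    """Turn one ResourcePolicy into (name, predicate) pairs over the request."""
    checks = [("protocol permitted for resource", lambda r: r.protocol in p.allowed_protocols)]
    if p.required_org:
        checks.append((f"user in org {p.required_org}", lambda r: r.user.org == p.required_org))
    if p.required_team:
        checks.append((f"user on team {p.required_team}", lambda r: p.required_team in r.user.teams))
    if p.allowed_countries is not None:
        checks.append(("request from permitted location", lambda r: r.source_country in p.allowed_countries))
    if p.hours:
        checks.append(("request within permitted hours", lambda r: p.hours[0] <= r.at.time() <= p.hours[1]))
    if p.require_mfa:
        checks.append(("MFA verified", lambda r: r.mfa_verified))
    return checks

AUDIT_LOG = []   # the "Audit" leg of AAA; a real gateway would ship this to a SIEM

def evaluate(req, policies):
    """Authorize one request: default deny, every check must pass, reasons recorded."""
    policy = policies.get(req.resource)
    if policy is None:
        decision = Decision(False, ["no policy defined for resource (default deny)"])
    else:
        failed = [name for name, ok in BASELINE_CHECKS + resource_checks(policy) if not ok(req)]
        decision = Decision(not failed, failed)
    AUDIT_LOG.append({"at": req.at.isoformat(), "user": req.user.username, "device": req.device.device_id,
                      "resource": req.resource, "protocol": req.protocol,
                      "allowed": decision.allowed, "reasons": decision.reasons})
    return decision

# Constructed sample policies: an SSH host with tight rules and an HTTPS wiki with loose ones.
POLICIES = {
    "prod-db-host": ResourcePolicy(required_org="Engineering", required_team="Team A",
                                   allowed_protocols=frozenset({"ssh"}), allowed_countries=frozenset({"US"}),
                                   hours=(time(7, 0), time(19, 0)), require_mfa=True),
    "wiki": ResourcePolicy(allowed_protocols=frozenset({"https"}), require_mfa=False),
}

def demo():
    """Three constructed requests: compliant, non-compliant device without MFA, unknown resource."""
    alice = User("alice", True, "Engineering", frozenset({"Team A"}))
    good_laptop = Device("laptop-1", True, True, True)
    unencrypted = Device("laptop-2", True, False, True)
    when = datetime(2017, 3, 9, 10, 0)
    return {
        "ok": evaluate(Request(alice, good_laptop, "prod-db-host", "ssh", "US", when, True), POLICIES),
        "bad_device": evaluate(Request(alice, unencrypted, "prod-db-host", "ssh", "US", when, False), POLICIES),
        "unknown": evaluate(Request(alice, good_laptop, "hr-portal", "https", "US", when, True), POLICIES),
    }
```

Running `demo()` yields an allow for the compliant request, a deny listing both "device disk encrypted" and "MFA verified" for the second, and a default deny for the resource with no policy. Two design points matter more than the toy data: the decision is computed per request from the current user and device state (identity as "you + your device at a point-in-time"), and every check is named so the denial reason is explainable and auditable rather than a bare "No".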

Some questions to ponder

➔ How will all the components integrate with each other?

➔ How to balance coarse-grained policies with fine-grained policies?

➔ Where do the access policies line up with the shared responsibility principles of IaaS?

➔ What’s the best way to incorporate approval workflows to specific resources?

➔ Can the Identity system of record exist in the cloud?

➔ How to support legacy protocols and specifications consistently? (Should you?)

➔ How to track and monitor all the devices (managed and BYOD) that employees use?

Zero Trust is Security Transformation

The big picture

Zero Trust security measures encourage better overall practices

➔ Keep devices up-to-date with the latest software

➔ Maintain an inventory of employee devices

➔ Monitor all endpoints & log all traffic

➔ Only communicate over fully encrypted channels

➔ Incorporate multi-factor auth

➔ Eliminate static credentials

We will start to see significant market effects

➔ A new category of Cloud Native solution providers is emerging that is disrupting the legacy security companies who focus primarily on strengthening perimeter security

➔ Defined market categories such as IAM and PAM will converge into a single Access Management category that works across privileged and non-privileged users

➔ The Identity Provider space is about to heat up as cloud-based alternatives to Active Directory start to break through into the enterprise market

➔ The VPN market is going to be significantly impacted as more companies shift towards a Zero Trust model that places less (or no) emphasis on network protection as a security measure

Where does ScaleFT fit in the picture?

ScaleFT is the leading Zero Trust Access Management provider

Architecture Reviews: We work closely with you to design the right Zero Trust architecture for your organization

Platform Implementations: The ScaleFT platform can be operated as a SaaS or as a dedicated deployment in any cloud environment

Community Efforts: We are leading the BeyondCorp movement, further educating the market about Zero Trust

THANKS!!

Get in touch: [email protected] | @fortyfivan

www.scaleft.com

www.beyondcorp.com