
So hello everyone. I'm glad that I'm here to present "Towards Zero Trust Architecture" today, and I'm glad that I'm presenting at this first Kosovo BSides Prishtina conference. I'm Shkomen Sanaya, and I've had a chance to present at and participate in many FLOSSK events, mainly the early ones: in the past I participated in the Software Freedom Days and software freedom conferences organized by FLOSSK. At that time I was the manager, or took a leading role, in the localization of OpenOffice into the Albanian language. I've also had a chance to be one of the pioneers here in Kosovo in implementing open source solutions, mainly intranets for government, mainly for municipalities, based on Apache, PHP and MySQL, so those were some of the first implementations of open source in government.

Otherwise, with security, I have to say that as an IT person you of course get introduced to security, but about 20 years ago I had one of my first trainings on the internet and internet security, and once you get into it you get somewhat paranoid about it, and that always stays with you later on. I also have some certifications in information systems management, on ISO 27001 as lead auditor and lead implementer. During this journey I had a chance to look, especially at the governance level, for some of the best solutions, something that would be quite comprehensive, and one such thing is zero trust architecture.

Also, about the audience today: I see many professionals, and for some of you this will be trivial, but I also see some students, and I hope that at least one or two things will come out of this presentation, for them to get it, or for others to refresh their knowledge and practice it.

So, risks in cyber security are everywhere. There is an anecdote about a thief a century ago: when the police caught him, after several times, after he had robbed the banks, they said, "Hey, why the banks?" and he said, "Because there is the money." So even today, why do the hackers, thieves and bad actors go after the data? Because there is the money today. The risks, on another side, are because we simply want to access our systems and computers everywhere and with any kind of device: mobiles, laptops. It's a time when I rarely see the classical desktops in offices; mainly I see laptops everywhere, so people take them home, and they want this kind of freedom.

The other thing is complexity: all the types of devices, so there is a number of new vulnerabilities, and IoT, Internet of Things devices, which is a relatively new thing with a huge number of vulnerabilities. Based on an IBM report, based on IBM data, the average cost of a data breach, for those they surveyed in their index report of last year, is 4.24 million US dollars, while for US companies it's above nine million dollars. And, for example, from the IT Governance report, in March 88 publicly disclosed security incidents were found, which account for almost 4 million data records; that is for last month, the most recent report, while for this quarter there have been 75 million breached records. That is what is publicly disclosed, and we know that the number of undisclosed is at least double this number; imagine the number of unidentified breaches and incidents. So the risks are everywhere.

So what was the solution? Several years ago, the Jericho Forum in 2004 publicized the idea of de-perimeterization, limiting the implicit trust based on a network, and then John Kindervag at Forrester Research coined, or first developed, this zero trust model, based on seeing that the devices and what is happening in the network cannot be trusted anymore. There was this saying, still used in finance audit, "trust but verify": so we allow, but later, if we see that someone behaves badly, then we will cut access and so on. With this approach it's the inverse: that model directs IT teams with the guiding principle "don't trust anyone." We know that traditionally there are still networks within enterprises, government and elsewhere where, once you see the network cables, you can plug in your device and you will almost be able to see the whole network, to scan it, and you will have access to most of it. Because once you plug in, it is assumed that, okay, you are one of us and you need legitimate access, so you are allowed to access all those resources.

Based on zero trust, Google also did BeyondCorp and had some activities, and also in 2020 the US National Institute of Standards and Technology (NIST) published a special publication on zero trust architecture, which is the core of what I will present in the next slides. There is this picture of what Kindervag proposed, seeing that all of the firewalls, wireless gateways and database encryption are not sufficient, and moving everything, actually limiting access to all of those, within some zero trust model.

Here is the official definition: zero trust architecture is an enterprise security architecture that is based on zero trust principles and designed to prevent data breaches and limit internal lateral movement. You already heard about zero trust from Pranvera in her great presentation, so you already have the idea. As you see here, one of the key things I see is the limiting of internal lateral movement. As we saw in the previous presentation, a very interesting one, with the interesting device and so on, really we don't have a chance in security if it gets onto my table; all my protections, bank accounts, social media accounts, emails, everything will be compromised. The idea with zero trust is: okay, I will be compromised, not good for me, but that shouldn't mean the end of the company as well. The idea is to be limited only to my computer and the resources I have access to, and not to be able to do damage across the enterprise, across the institution, wherever I have access.

So zero trust is a framework; it's not some kind of product that you can buy off the shelf or that can be developed. It's a framework for securing infrastructure and data with the principle that an organization should not trust any entity inside or outside its perimeter at any time, by default. Let's say that I plug my laptop or my computer into the network cable of a company; that doesn't mean that I will have access immediately or will be able to scan, but, as you will see later, based on logical access controls, I simply will not be able to see anything. "Never trust, always verify" is the main idea or maxim that is followed through the zero trust network, the zero trust architecture. To achieve that, it requires visibility and control over the environment, the users and the traffic, all the time. It's a set of paradigms that move from static, network-based defenses to ones that focus on users, assets and resources, dynamically.

The three principles I present there: never trust, always verify; assume breach, so no matter that I'm an employee and have legitimate access, my access will still be monitored and visible all the time during my activity; and implement least privilege. We know that one: it's to give the minimum needed privileges or access, or, as they call it at the banks, need-to-know basis. If I work at HR I will have access only to HR records, or, let's say we are a multinational company, if I work at the Prishtina office in Kosovo I will have access only to those records; it's not needed for me to have access to the HR records of my colleagues in Albania, let's say we have an office there. Implementing least privilege is one of the principles that is applied at other levels or business processes, but also at IT processes; in many corporate software it is regulated by rules and roles and groups. But still we know that bad actors usually will be able to elevate privileges through business processes, so what zero trust supports is to increase it at another level.

So zero trust has seven tenets, presented here.

First, all data sources and computing services are considered resources. It requires that all assets be identified, but at a deep level, also which process they are needed for, and all are considered resources, even external bring-your-own devices: our phones and whoever accesses the network resources and systems, that is considered a resource.

Second, all communication is secured regardless of network location. No matter if I access it from the internal network or externally, no matter if it's through VPN or with multi-factor authentication and stuff like that, or as external users, let's say internet users of the system, all those communications should be secured, basically encrypted, and possibly with the highest standards.

Third, access to individual enterprise resources is granted on a per-session basis. For example, let's say that with zero trust I get access to company email and stuff like that, or to the HR system, as I mentioned as an example, but I also need some extra and I try to elevate my privileges, or for some other reason; it might be that for business purposes that is allowed with some authorization, but that will be on a per-session basis. So in the case that my account has been hacked or destroyed or whatever, it will be very limited; it will not have access to, let's say, the file server to download terabytes or gigabytes of data. Per session, the idea is to limit the impact: the principle assumes a breach, and even if that's happening, it's to minimize the impact.

Fourth, access to resources is determined by dynamic policy. There are policies, but those might change based on behavior. Let's say, as I mentioned, that usually I access like 30 to 50 HR accounts per day, or financial transactions that I make, and one day I make 200 transactions or access 200 records; on a dynamic basis the policies will identify these issues and will limit the access.

That is based also on the fifth tenet, that the enterprise monitors and measures the integrity and security posture of all owned and associated assets.

Sixth, all resource authentication and authorization are dynamic and strictly enforced before access is allowed. So it's not any more the simple username and password, but also with multi-factor authentication and, as you will see later, possibly with some enterprise-level service over the cloud.

Seventh, the enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture. That means that it will not rely only on the current state, as we know, for example, firewall rules and antivirus definitions and stuff like that, but possibly will evolve using machine learning and artificial intelligence to learn about the new dynamics in our resources and our systems.

Also there are six defined assumptions for a view of the network, with the basic assumption about connectivity being that it utilizes zero trust architecture; their implementation is very much linked with the principles, or seven tenets, presented before. The third one, for example, I like, though actually they are all important: no resources are inherently trusted. It means that, for example, even though yesterday through this computer I was a legitimate user, today I will still need to authenticate again for legitimate use of the system. It's not "hey, save my password and save my session forever."

Here are the logical components of the zero trust architecture. This is one of the models, based on the model proposed by NIST: the policy engine and the policy administrator, which make the rules that are the core that will allow the system to allow the legitimate use, to achieve the level of trust for enterprise resource access. Those are supported by continuous diagnostics and mitigation systems; industry compliance systems, GDPR, HIPAA and other different standards; threat intelligence feeds that will update the information not only based on the current threats but through the newly detected breaches and stuff like that; activity logs that will be constantly monitored; data access policies based on rules of business cases that will be used; public key infrastructure; ID management about the users and their identities; and security information and event management systems that collect the logs and visualize them, for current and for future activities.

So, migrating to zero trust architecture. Currently, even globally, there are cases where a pure zero trust architecture can be achieved, with, let's say, a green-field system built from scratch with a good design and team, yes; but more common is a hybrid of zero trust architecture and perimeter-based architecture, taking elements of zero trust into the current networks to enhance them with zero trust elements. This was coined a long time ago, but only in recent years has it been well documented, and also nowadays it's being used as a marketing buzzword by many companies: they are just adding "this product can do zero trust" and bolt-on elements, because, as we mentioned, it's not a product; there are elements that need to work at all levels.

In migrating to zero trust, assessment is the key. It requires a lot of preparation: a system inventory, what devices we have and what they do within the business processes; a user inventory, the users and their roles; and the business process review, which I think is the most time-consuming and most critical, because when business processes go through zero trust, in many cases business processes are designed, or, as I mentioned, at design it's difficult, and rarely do we see security in mind all the time, at all the points. So it's business process review, to identify and then to see the risk assessment for those processes, and to start deploying possibly with small processes; HR again, as I mentioned, to follow that example, might be a good candidate for a pilot within one unit, let's say the office in Prishtina, and then to expand the scope across the organization with other processes as well.

Apart from NIST, CISA, another US agency, has developed the Zero Trust Maturity Model, and that is about identity, devices, network environment, application workload and data. I kept their official figure, and those five pillars are based on visibility and analytics, automation and orchestration, and governance. As I said, it's the official figure; I saw other figures, which I would prefer more, where data is at the center, and I think that's where it is, and all the other pillars are around it, and of course supported with visibility, analytics and other elements.

So zero trust can be evaluated. There is their maturity model, from traditional, where many things are manual: manual policies, manual setup of identities and management of the data; then towards the more advanced, where several processes are automated, or automatic through, let's say for example, SIEM and other intrusion IPS/IDS systems that support the environment; and going towards the optimal, where there is continuous validation and many things are automatic through the support of ML and artificial intelligence, for example the newly extended detection and response platforms.

Many challenges are there, but, just as Valmir was saying, I will highlight here only end user training. Many see that new policies should happen whether it is with zero trust or not; no matter whether the organization wants to do zero trust, end user trainings and policies should be continuous nowadays.

So, to wrap up. There is a picture of the hurdles track: if I have to run, nobody will run through the hurdles but will go all around them, to go faster. The strength of zero trust is that we build strong user identification, access policies, segmentation of data and resources, security orchestration; remote and office users are treated the same; we limit lateral movement and make attacks harder, like in the second picture. So we want to make them harder, or, like if there was a door, another idea is to put a door with many locks. The idea is that our organizations, our institutions, have as many locks or as many hurdles as possible on the way to our data, so they will go elsewhere, but at least we will be protected. Okay, thanks.
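The per-session grants, dynamic policy and posture checks described in the tenets above, as an added example that is not part of the talk or of NIST's publication: a toy policy engine in the spirit of the NIST policy engine / policy administrator components. Every name, role, device, threshold and counter in it is constructed for the illustration (the HR baseline of 50 records per day and the "200 in a day" anomaly follow the talk's example; the factor of 2 is an assumption), and a real deployment would take these signals from an identity provider, a device inventory and a SIEM rather than from in-memory dictionaries.

```python
"""Toy zero trust policy decision point (added example, not from the talk).

Maps the talk's tenets onto explicit checks:
  - least privilege / need-to-know  -> role_resources
  - tenet 3, per-session access      -> Session with an expiry
  - tenet 4, dynamic policy          -> daily volume compared with a baseline
  - tenet 5, asset posture           -> Device.managed / Device.patched
  - tenet 6, strong authentication   -> Subject.mfa_verified
All data below is constructed for the demo.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Set, Tuple


@dataclass
class Subject:
    user: str
    role: str
    mfa_verified: bool   # tenet 6: a password alone is not enough


@dataclass
class Device:
    device_id: str
    managed: bool        # tenet 5: the enterprise knows this asset
    patched: bool        # posture signal, e.g. from a CDM-style inventory (assumed)


@dataclass
class Session:
    user: str
    device_id: str
    resource: str
    expires_at: datetime  # tenet 3: the grant is per session and short-lived


@dataclass
class PolicyEngine:
    role_resources: Dict[str, Set[str]]      # need-to-know map (constructed)
    daily_baseline: Dict[str, int]           # expected records/day per role (constructed)
    session_ttl: timedelta = timedelta(minutes=30)
    anomaly_factor: float = 2.0              # assumption: >2x baseline is anomalous
    activity: Dict[Tuple[str, str], int] = field(default_factory=dict)

    def record_access(self, user: str, when: datetime, count: int = 1) -> int:
        """Feed an activity-log style counter; returns the user's total for that day."""
        key = (user, when.strftime("%Y-%m-%d"))
        self.activity[key] = self.activity.get(key, 0) + count
        return self.activity[key]

    def _records_today(self, user: str, now: datetime) -> int:
        return self.activity.get((user, now.strftime("%Y-%m-%d")), 0)

    def decide(self, subject: Subject, device: Device, resource: str,
               now: datetime) -> Tuple[bool, str]:
        """Policy engine: every request is re-evaluated, nothing is trusted by default."""
        if not subject.mfa_verified:
            return False, "mfa-required"
        if not (device.managed and device.patched):
            return False, "device-posture"
        if resource not in self.role_resources.get(subject.role, set()):
            return False, "not-authorized-for-role"
        baseline = self.daily_baseline.get(subject.role)
        if baseline is not None and \
                self._records_today(subject.user, now) > self.anomaly_factor * baseline:
            return False, "anomalous-volume"   # tenet 4: behaviour changes the decision
        return True, "granted"

    def open_session(self, subject: Subject, device: Device, resource: str,
                     now: datetime) -> Optional[Session]:
        """Policy administrator: turns a positive decision into a bounded session."""
        allowed, _ = self.decide(subject, device, resource, now)
        if not allowed:
            return None
        return Session(subject.user, device.device_id, resource, now + self.session_ttl)

    def session_allows(self, session: Session, device_id: str, resource: str,
                       now: datetime) -> bool:
        """A session is bound to one device and one resource and dies on expiry."""
        return (session.device_id == device_id
                and session.resource == resource
                and now < session.expires_at)


def demo() -> Dict[str, Tuple[bool, str]]:
    """Walk the talk's HR example through the engine; returns each decision."""
    pe = PolicyEngine(
        role_resources={"hr": {"hr-records", "email"}, "finance": {"finance-ledger", "email"}},
        daily_baseline={"hr": 50},
    )
    alice = Subject("alice", "hr", mfa_verified=True)
    laptop = Device("lt-01", managed=True, patched=True)
    t0 = datetime(2022, 4, 1, 9, 0)
    out = {}
    out["normal"] = pe.decide(alice, laptop, "hr-records", t0)
    out["wrong_role"] = pe.decide(alice, laptop, "finance-ledger", t0)
    out["no_mfa"] = pe.decide(Subject("alice", "hr", False), laptop, "hr-records", t0)
    out["byod"] = pe.decide(alice, Device("phone-7", managed=False, patched=True), "hr-records", t0)
    pe.record_access("alice", t0, 40)            # a usual day: 40 records, still fine
    out["usual_volume"] = pe.decide(alice, laptop, "hr-records", t0)
    pe.record_access("alice", t0, 160)           # now 200 in one day, as in the talk
    out["spike"] = pe.decide(alice, laptop, "hr-records", t0)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} -> {result}")
```

The point a practitioner should take from it is that the decision is never "is this person on the network" but a fresh evaluation of identity, device posture, need-to-know and current behaviour, and that a granted session is scoped to one device and one resource and expires, so a stolen session cannot be turned into a bulk download from the file server.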