
Session + Live Q&A

"Trust me, I'm an insider" - Diving into Zero Trust Security

In 2020, hackers made roughly 4.2 billion dollars, mostly from phishing scams.

Network security today still rests largely on the assumption that a client holding a set of “good” credentials can be trusted with access to all, or at least some, of the network's confidential resources.

Back to reality: with data usage growing exponentially, the scale of data breaches inside organizations is growing as well. Under conventional checks, any “authenticated” client, whether connecting from “outside” or “inside”, can reach this data and possibly exploit it, most of the time unknowingly.

A single security layer such as a VPN or a first-generation firewall, combined with the good old dictionary-style password credentials for SSH, is evidently not good enough.

The Zero Trust approach combines stronger authentication methods such as MFA with profiling and posture assessment of the client device, along with stricter encryption checks.

Only after complete holistic verification of the entity, “thou shall pass!”.

So how does it do a better job? How scalable is it? And why trust the “Zero Trust”?

Main Takeaways

1. Hear about zero trust: what it is and how it helps network security.

2. Learn about building a network with zero trust: how to integrate VPN connections and how to deal with malicious traffic.


What is the work that you're doing today in your day-to-day job?

Deepank: We're working as network security engineers at Cisco. Our job roles are very related to each other. I work in AAA technology and solutions, which involves engaging with customers who are often network engineers themselves and bring very specific issues that are encountered in their live network environments. I’ve been addressing customers’ issues in various AAA verticals such as deployment, RADIUS/TACACS authentication, authorization and accounting, profiling, posture, BYOD, MFA, etc. Overall, it's an adventurous job. In one case, you might be solving a query, and in the next one, you may be working against the clock to solve a network outage. So we get to have both ends of the spectrum.

Sindhuja: In addition to that, we work with customers on their security deployments. I specifically work with VPN, cryptography, and Public Key Exchange, so handling VPN is my core job, but I do work with firewalls and IAM servers for secure management as well. So our job role is totally the core of zero trust. We work on its principles and help customers implement zero trust values such as performing Multi-Factor Authentication, working on privilege accesses, how encryption schemes, identity and access management, etc. play an important role in Zero Trust and, moreover, how customers can implement it.

What are your goals for this talk? What do you want the audience to walk away with from your talk?

Sindhuja: I think we just want them to be more security aware than they were before the talk; that's our primary goal. So we will be speaking on what's currently not so good about the security standards inside an organization, or about the software developers that work with sandboxing, access control, etc. And then we begin to explain why that doesn't work, and what can be better with zero trust and how. And they can walk away with things like what they can do to make their security infrastructure better. They can learn about what they should do at each level of the organization, how they can incorporate zero trust values within their organizations and within their teams. It could be as simple as changing their passwords more frequently or as complex as redesigning their network to include security best practices, orchestration, automation, threat hunting, etc., so that they can eliminate any attacks that they might encounter because of their current security infrastructure.

Your talk title mentions zero trust security. Can you give us a quick overview of what zero trust means and specifically is it multifactor? Is it getting rid of VPNs?

Deepank: Zero Trust is about addressing the concerns we’ve had with the traditional style of security. Through this talk, we want to show how Zero trust security juxtaposes our seemingly outdated security practices, which are still implemented to a great extent. Our traditional idea of security is that we assume a perimeter around the organization network, outside of which everything is untrusted, and inside are all good devices that are automatically granted access. We assume that some request originating from within the enterprise perimeter has to belong to one of our trusted corporate devices, so they are a trusted user. Hence we give them the best possible access, as we do for any internal corporate user or device. But due to a vast number of cyberattack incidents that were reported to have originated from a malicious source within the organization, Zero trust attempts to update this notion of security. It sets an even ground where everyone has the default low/zero level of access no matter where they’re coming from, and they have to prove their identity through the same amount of grilling before they can get network access. It doesn't matter where the traffic originates from, be it an inside user, outside user, VPN user, or a BYOD visiting user; they all have to go through the same set of policy sets and condition checks that are imposed by the network administrator. Only after a thorough assessment of their identity do we allow/deny them any sort of access. That's what zero trust does: it puts us all in the same field, and every device starts from zero and gains trust as it passes the checks.

Sindhuja: To sum it up, zero trust is “never trust, always verify”, whether it's a resource like a Docker application, a webpage or an endpoint, or even a user.

Some basic values of zero trust are: always verify the endpoints, grill them. If they are indeed verified, don't give them any kind of default privileges. So rather deny access by default than allow the endpoints any unmonitored level of access. The most important one is to monitor them throughout their connection attempts. So basically, do threat defense: see where the traffic is coming from and where it is headed. Do they have any malicious traffic that they're trying to infect the network with? If there is any malicious activity going on, detect it and take action immediately instead of waiting for the endpoints to get disconnected or something worse to happen; so, do minimize lateral movement of attacks. That's what zero trust is looking for.

And when it comes to the VPN part, I do cover that part in my talk, where I say there are a couple of myths with VPN, but zero trust doesn't have any core values of encryption or ciphers or cryptography on its own. It rather depends on the services and products being used to implement encryption schemes for networks to incorporate Zero Trust. One such solution happens to be VPN. So with that, to always think that networks are always on public platforms, whether or not they actually are, that is, to think they're always vulnerable, is when you can incorporate encryption, integrity, authentication, stuff like that. And that makes them less vulnerable to attacks. We also call this something called CIA: Confidentiality, Integrity, and Availability. Because of public-key cryptography, everything comes with VPN and not intuitively with zero trust. VPN also doesn’t talk about giving full access by default, which is another misconception. So in case someone is trying to build zero trust, they don't have to eliminate VPNs. They can leverage Zero Trust and build over existing VPNs, for example, for your remote users when you're working from home, and you have important resources that you're trying to access, say, your accounts data which is highly confidential, or if you're a government or military organization, you don't want your resources to be public. For that, you do need a VPN to be established, and VPNs don't always mean you are connecting from outside. That's another myth; what it means is two parties are talking to each other with some encryption scheme, and that's what VPN does. And it has a lot to do with services and capabilities that come with different products. So you can have a hybrid culture, you can have remote access, and you can still have zero trust values within. So, it just enhances Zero Trust.
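As an added illustration of the “never trust, always verify”, deny-by-default and continuous-monitoring values the speakers describe (example code written for this page, not the speakers' or Cisco's), the following Python sketch evaluates every request against the same policy set regardless of whether it comes from the corporate LAN, a VPN or the internet, and re-evaluates a live session when the device's posture changes. The resource names, group names and posture attributes are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    """One access request. All names and fields are constructed for illustration."""
    user: str
    source: str              # "corp-lan", "vpn" or "internet"; never a factor under zero trust
    mfa_verified: bool
    posture: dict            # device posture attributes reported by the endpoint
    resource: str
    groups: set = field(default_factory=set)


# Constructed policy set: every listed condition must hold, or the request is denied.
POLICY = {
    "wiki":        {"groups": {"staff"},   "posture": {"os_patched": True}},
    "accounts-db": {"groups": {"finance"}, "posture": {"os_patched": True, "disk_encrypted": True}},
}


def perimeter_decision(req: Request) -> bool:
    """The legacy model the talk argues against: being on the corporate LAN is the credential."""
    return req.source == "corp-lan" or req.mfa_verified


def zero_trust_decision(req: Request) -> bool:
    """Default deny. Identity (MFA), group membership and device posture are all checked;
    where the request came from is deliberately ignored."""
    rule = POLICY.get(req.resource)
    if rule is None or not req.mfa_verified:
        return False                       # unknown resource or unverified identity
    if not (rule["groups"] & req.groups):
        return False                       # least privilege: not entitled to this resource
    return all(req.posture.get(k) == v for k, v in rule["posture"].items())


def reevaluate(session: Request, posture_update: dict) -> bool:
    """Continuous verification: re-run the policy when the device's posture changes mid-session,
    so a now-noncompliant endpoint loses access instead of keeping it until it disconnects."""
    session.posture.update(posture_update)
    return zero_trust_decision(session)


if __name__ == "__main__":
    insider = Request("alice", "corp-lan", False, {"os_patched": True}, "accounts-db", {"staff"})
    print("perimeter model admits the un-verified insider:", perimeter_decision(insider))  # True
    print("zero trust admits the same insider:", zero_trust_decision(insider))            # False
    remote = Request("bob", "internet", True,
                     {"os_patched": True, "disk_encrypted": True}, "accounts-db", {"finance"})
    print("verified remote finance user:", zero_trust_decision(remote))                    # True
    print("same session after disk encryption is switched off:", reevaluate(remote, {"disk_encrypted": False}))  # False
```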


Speaker

Sindhuja Rao

Network Security Engineer @Cisco

Sindhuja Rao is a Network Security Engineer at Cisco specializing in network security solutions like VPNs, Firewalls, IAM etc. She is a Cisco Security Interstellar Pioneer. She also represents the Cisco Women in CyberSecurity India team. She has delivered Security talks on latest tech trends like...


Speaker

Deepank Dixit

Technical Consulting Engineer @Cisco

Deepank Dixit works as a Technical Consulting Engineer in Security AAA. He helps customers with issues pertaining to the deployment and management of their security IAM solutions. His day-to-day responsibility is identifying issues in a live network, isolating the root cause and providing...


Date

Tuesday Nov 2 / 02:10PM EDT (40 minutes)

Track

Security: Establishing & Maintaining Customer Trust

Topics

Security, Application Security, Authentication, Authorization, OAuth

