Zero Trust


Zero Trust Proof-of-Concept

  • 1.  Zero Trust Proof-of-Concept

    Posted Sep 20, 2022 05:41:00 PM
    Hi all

    @Philip Griffiths @Jun Yu thanks for your kind responses to my idea for a PoC and being willing to expose the results to public scrutiny. Actually it is not a new idea. With Juanita Koilpillai as co-lead author of the publication below, we proposed a proof-of-concept. Nobody took it up. So perhaps this is a chance to discuss. I am happy to set up an initial meeting next week. Software-Defined Perimeter (SDP) and Zero Trust | CSA

    ------------------------------
    Nya Murray
    Director
    Trac-Car
    ------------------------------


  • 2.  RE: Zero Trust Proof-of-Concept

    Posted Sep 22, 2022 10:38:00 AM
    @Nya Murray Thanks for taking the lead on this project. Please set up the meeting and let's get this going. I am confident we will be able to show how ZT and data-centric bring a new paradigm.
    Meanwhile, here is a whitepaper on the evolution of ZT architecture and data-centric model.



    ------------------------------
    Jun Yu
    APF Technologies LLC
    ------------------------------



  • 3.  RE: Zero Trust Proof-of-Concept

    Posted Sep 25, 2022 04:25:00 PM
    Following on from the interesting discussion generated by @boris taratine - that is, that there is no such thing as Zero Trust, it is a paradox - I'd like to propose that we develop a Foundation of Trust. This is not a new idea either. Back in 2000 I was consulting to the Australian Government on Identity Management, within the context of Certificate Authorities proposed as the basis for Identity Federation across organisations. Well, that did not happen. Identity Management drifted through LDAP to Single Sign-On, while network security see-sawed through network- and application-layer VPN, to private MPLS, to shoring up TLS, while various tokens emerged such as IKE and SAML. So why am I telling you this story? BECAUSE NONE OF IT WORKED FROM A SECURITY PERSPECTIVE. I adopted Albert Einstein as my mentor in high school. After all, he was a product of a Swiss education system that was in part founded by my Swiss ancestors. "We cannot solve our problems with the same thinking we used when we created them". The Parable of Quantum Insanity.
    1. It is impossible to authenticate every access from a Zero Trust perspective
    2. Current thinking is that we take a risk-based approach to allowing access to sensitive systems, particularly personal and financial data (because lucrative data is the target of cyber criminals, as their motivation is money) and essential services such as energy, water and food logistics (for obvious reasons in a time of insane nationalism)
    In parallel with current thinking on 'Zero Trust', that we require a view of current and emerging technology paradigms for Identity, Device, Network, Application Workload and Data, and all the complex interactions and dependencies between those non-exclusive categories, which is being initiated by CSA, I propose the following:

    Establishment of a Foundation of Trust, based on best practice AND least risk probability.  The Foundation of Trust would be a practical demonstration of Use Case examples, using current and emerging technologies, with an analysis of classes of security vulnerabilities evinced by the demonstration deployment.

    This would provide a quantification of risk probability, allowing an evaluation of classes of technology, with an associated matrix of characteristics best fit and lowest risk for securing information technology systems.

    To me, this is the intelligent way to provide a Cybersecurity Maturity Matrix for information technology. 

    So I believe that we require a rigorous way to evaluate technology options based on real-world use cases, with a sliding scale of cost, ease of use and security risk, allowing for apt technology choices for public systems and highly classified systems alike.

    This is the simple set of parameters that any architect requires to provide relevant recommendations in context of business requirements to customers.

    In my view, this requires an application of practical technology knowledge applied to cybersecurity risk, and the cost of implementing technology that accurately addresses risk, in view of mitigation actions should a breach occur.

    This is what would improve the current situation of increasing risk, rising costs of data breaches, and increasingly insecure national power and food distribution systems.




    ------------------------------
    Nya Murray
    Director
    Trac-Car
    ------------------------------



  • 4.  RE: Zero Trust Proof-of-Concept

    Posted Sep 26, 2022 02:22:00 AM
    @Nya Murray >>Following on from the interesting discussion generated by @boris taratine - that is that there is no such thing as Zero Trust - it is a paradox, I'd like to propose that we develop [...]

    thanks for acknowledgement of my humble contrition.

    whatever that [...] will be - we indeed ought to start thinking differently: rationally, logically, scientifically, and, whenever possible, demonstrate that what we built is actually what we claimed it would be, or admit otherwise without further speculations and narrative fallacies.

    ------------------------------
    boris taratine
    partner / chief architect
    ecsa
    ------------------------------



  • 5.  RE: Zero Trust Proof-of-Concept

    Posted Sep 27, 2022 04:10:00 PM
    @boris taratine >>think differently: rationally, logically, scientifically, and, whenever possible, demonstrate that what we built is actually what we claimed

    The Optus data breach, where 11 million Australians (including me) have had personal data, including driver's licence, passport and health care card information, stolen from a major telecommunications provider, is a case in point. Optus is a wholly owned subsidiary of Singtel (Singapore Telecommunications Company).

    The scenario? An Optus customer identity database was opened to a test network that "happened to have internet access." How common is that scenario? Companies I have consulted to have all at one time or another committed that basic error, inadvertently or because of business pressure to release an update into production.

    Would that scenario have happened if Optus had a Zero Trust policy? Well, in fact they did have strong security processes and people. It was clear and simple pilot error. And it would not have passed a pen test. But vulnerability and penetration tests are scheduled events, and once the test is passed, the pressure is off.

    DevOps means that developers/engineers are under a lot of pressure from business owners to release new functionality, meaning that corners are cut in the heat of the moment.

    That is why I advocate a Proof-of-Concept demonstration lab. Because the reality is that this situation would not have been picked up by any of the current cybersecurity frameworks and maturity models. The culprit is clearly the business imperatives that caused architects to give a test environment live data, and to give a test environment a public internet connection. But the primary sin is that private data was either stored or accessed unencrypted, or with a known decryption key. To me this suggests a level of carelessness that is beyond belief.

    Off to the Department of Transport to change my Driver's Licence.

    To be frank, my data is on Optus as a past business customer.  I complained about Optus network security and competence to an Australian authority a couple of years ago, before changing my provider. I wonder whether Optus has been leaking for some time.

    ------------------------------
    Nya Murray
    Director
    Trac-Car
    ------------------------------



  • 6.  RE: Zero Trust Proof-of-Concept

    Posted Sep 28, 2022 12:37:00 AM
    Edited by boris taratine Sep 28, 2022 12:39:56 AM
    >>Would that scenario have happened if Optus had a Zero Trust policy? 

    nobody knows and never will.
    this is not because it was in the past, but because sufficient conditions for insecurity are unfalsifiable https://www.pnas.org/doi/epdf/10.1073/pnas.1517797113

    also, as Zero Trust is unattainable in principle Optus could have never had it in the first place.

    >>That is why I advocate a Proof-of-Concept demonstration lab

    if a system is broken - we know it is insecure, but we cannot draw any conclusion in principle if we could not break the system. this does not mean i advocate against proof-of-concept, but i do advocate we 1) define what that is, and 2) think hard how to interpret the results (i.e., think differently: rationally, logically, scientifically, and, whenever possible, demonstrate that what we built is actually what we claimed).


    ------------------------------
    boris taratine
    partner / chief architect
    ecsa
    ------------------------------



  • 7.  RE: Zero Trust Proof-of-Concept

    Posted Sep 28, 2022 12:56:00 AM
    What is clear, @Jun Yu and @Philip Griffiths, is that a data and network risk-based policy would have prevented the Optus data breach.

    An EDR capability could have detected the open internet port. 

    However, if the network perimeter around the data store was secure, then even with 0.0.0.0/0 open to the world on a data server, an intruder could not have penetrated the perimeter.

    APF Technology's random encryption key could not have been found to decrypt the stored data.

    And if Verviam IDaaS was integrated into NetFoundry's SDWan, then unless the intruder had a token generated within 24 hours, with a 5 minute expiry, and logged at the API Gateway in the past 60 seconds, the gateway would be blocked before reaching the encrypted data store. :)


    ------------------------------
    Nya Murray
    Director
    Trac-Car
    ------------------------------
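    As an added example that is not part of the thread (not Verviam's, NetFoundry's or APF's code), a fail-closed gateway policy check modelling the three conditions listed in post 7 above. It assumes the "24 hours" applies to a login session and the "5 minute expiry" to an access token bound to that session; all names and sample data are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed reading of the three conditions in post 7 (not a product's real policy).
SESSION_MAX_AGE = timedelta(hours=24)        # "generated within 24 hours" -> the session
ACCESS_TOKEN_TTL = timedelta(minutes=5)      # "with a 5 minute expiry" -> the access token
GATEWAY_SEEN_WINDOW = timedelta(seconds=60)  # "logged at the API Gateway in the past 60 seconds"

@dataclass(frozen=True)
class Session:
    session_id: str
    subject: str
    issued_at: datetime

@dataclass(frozen=True)
class AccessToken:
    session_id: str
    issued_at: datetime
    expires_at: datetime

def evaluate(token, sessions, gateway_log, now):
    """Return (allow, reason). The first failed condition denies; nothing else is consulted."""
    session = sessions.get(token.session_id)
    if session is None:
        return False, "token not bound to a known session"
    if not timedelta(0) <= now - session.issued_at <= SESSION_MAX_AGE:
        return False, "session older than 24 hours"
    if token.expires_at - token.issued_at > ACCESS_TOKEN_TTL:
        return False, "token lifetime exceeds 5 minutes"
    if not token.issued_at <= now < token.expires_at:
        return False, "token expired or not yet valid"
    # gateway_log holds constructed (subject, seen_at) pairs from the API gateway.
    if not any(subject == session.subject and timedelta(0) <= now - seen_at <= GATEWAY_SEEN_WINDOW
               for subject, seen_at in gateway_log):
        return False, "subject not seen at the gateway in the last 60 seconds"
    return True, "allow"

# Constructed sample data: one fresh session, one stale session, one subject not recently seen.
NOW = datetime(2022, 9, 28, 1, 0, tzinfo=timezone.utc)
SESSIONS = {
    "s-fresh": Session("s-fresh", "alice", NOW - timedelta(hours=2)),
    "s-old": Session("s-old", "alice", NOW - timedelta(hours=30)),
    "s-bob": Session("s-bob", "bob", NOW - timedelta(hours=1)),
}
GATEWAY_LOG = [("alice", NOW - timedelta(seconds=20)),
               ("bob", NOW - timedelta(minutes=3))]  # bob's last gateway hit is outside the window

def scenarios():
    """Evaluate one token per failure mode plus the single allowed case."""
    cases = {
        "fresh": AccessToken("s-fresh", NOW - timedelta(seconds=30), NOW + timedelta(minutes=4)),
        "old_session": AccessToken("s-old", NOW - timedelta(seconds=30), NOW + timedelta(minutes=4)),
        "long_ttl": AccessToken("s-fresh", NOW - timedelta(seconds=30), NOW + timedelta(hours=1)),
        "expired": AccessToken("s-fresh", NOW - timedelta(minutes=6), NOW - timedelta(minutes=1)),
        "not_seen": AccessToken("s-bob", NOW - timedelta(seconds=30), NOW + timedelta(minutes=4)),
    }
    return {name: evaluate(tok, SESSIONS, GATEWAY_LOG, NOW) for name, tok in cases.items()}
```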



  • 8.  RE: Zero Trust Proof-of-Concept

    Posted Sep 28, 2022 01:38:00 AM
    Funny. We were talking about this internally. Use NetFoundry/OpenZiti, and now the unauthenticated API endpoint is not addressable on the public internet. Therefore it cannot be exploited by the malicious hacker - https://netfoundry.io/zero-trust-api/

    ------------------------------
    Philip Griffiths
    Head of Business Development
    NetFoundry
    ------------------------------



  • 9.  RE: Zero Trust Proof-of-Concept

    Posted Sep 28, 2022 06:37:00 AM
    Hi all,

    @Nya Murray regarding the no. 1 post. PoCs - sure .. we've done hundreds of those - as mentioned earlier, we urge our partners / resellers to try to breach as much as they want. We think the SDP architecture has some flaws - and have moved on from there.

    @boris taratine regarding the no. 6 post ... you're absolutely right. ZT isn't worth anything - neither as a framework nor "when used in a point security context".

    ZT is working (ideally) when you go "all in" - which literally means you most likely have to get away from commercially available solutions and create customized (your own) .. which is not a financially feasible road to travel either.

    @Philip Griffiths ... please understand - despite your enthusiasm, the difference between rerouting client traffic over a NetFoundry (or Zscaler or others alike) infrastructure - and when you DO NOT. NetFoundry is providing something much better than a lot of other stuff out there - sure ... BUT your business model (like Zscaler's etc.) is NOT Zero-Trust in that sense - thus NOT part of, at least my ZT-manifest and not part of the Jericho Forum original manifest either.

    Can we please stick to the "Zero-Trust Proof-of-Concept" topic - if not, I will say, I got 'other things' to do. 

    Blunt truth and sorry for being harsh - this American service model has in my mind only one purpose - to tie clients to your business model - and THAT's NOT a model I embrace and ZT-conceptually a wrong path. Potentially another SolarWinds nightmare.


    ------------------------------
    Niels E. Anqvist
    CEO/President
    ZAFEHOUZE USA / ZAFEHOUZE EMEA
    ------------------------------



  • 10.  RE: Zero Trust Proof-of-Concept

    Posted Sep 29, 2022 06:05:00 AM
    Hey Niels,

    We are focused on the PoC topic. We have a call scheduled.

    For sake of clarity, maybe you misunderstand OpenZiti vs Zscaler. The latter forces you to go through their PoPs and potentially decrypt traffic. Agreed it's not very ZT. OpenZiti and NetFoundry provide an overlay, BUT that overlay is private. Customers bring their own keys or are orchestrated by our platform. Either way, we have no access to their data plane, and we cannot decrypt the data; in fact, the data plane has no value for an attacker, all it does is decrypt meta data to know what the next hop IP on the underlay is, nothing about source, destination or payload. Further, that data plane can be hosted anywhere, by anyone, not just 'our data centres'.

    This is why we open sourced our technology. Yes, we provide a SaaS implementation; no one needs to use it. Any other company can (and does) build their own controls around it. I expect others will build competing SaaS offerings and we encourage it.

    ------------------------------
    Philip Griffiths
    Head of Business Development
    NetFoundry
    ------------------------------



  • 11.  RE: Zero Trust Proof-of-Concept

    Posted Sep 29, 2022 07:00:00 AM
    Hi Philip .. huge thanks for the clarification - much appreciated, and I can sincerely say I appreciate OpenZiti is not matching Zscaler's business model :-)

    The rest in your post - I can certainly say you're more in the direction of what we do in a "Cyber-security Made in Europe" context - which again is a step in the right direction (at least from my perspective :-) ... hope I'm not offending anyone too much at least. :-)

    Cheers,

    ------------------------------
    Niels E. Anqvist
    CEO/President
    ZAFEHOUZE USA / ZAFEHOUZE EMEA
    ------------------------------



  • 12.  RE: Zero Trust Proof-of-Concept

    Posted Oct 04, 2022 07:01:00 AM
    Hi, did you already have the call?
    I am interested in the PoC topic and would like to join if time allows.

    I am from the CSA Japan chapter, and was implementing SDP on AWS leveraging Waverley Labs'.

    Takahiro

    ------------------------------
    Takahiro Ono, CISSP, CCSP, CISA
    Japan
    ------------------------------



  • 13.  RE: Zero Trust Proof-of-Concept

    Posted Oct 04, 2022 08:26:00 AM
    Hey Takahiro,

    We have not yet. We are aiming for the end of Oct due to various travel of people involved. We will ensure to include you.

    Regards
    Philip

    ------------------------------
    Philip Griffiths
    Head of Business Development
    NetFoundry
    ------------------------------



  • 14.  RE: Zero Trust Proof-of-Concept

    Posted Sep 28, 2022 07:20:00 AM
    Timely indeed. Phil's, and OpenZiti's, approach is and has been the gold standard of cyber security: protect any possible attack surface before it can cause damage. There is absolutely nothing wrong with the approach and it is needed for sure.

    However, this is the time to add a new path to cut the loss even when mistakes are made: secure the data so it won't be accessible to the hackers even after they somehow managed to gain access. In the case of Optus, the sensitive data in the database could have been encrypted or obfuscated, so when the database was opened accidentally to the Internet, nothing is lost. To be clear, APF is not in the business of securing databases, although we always encrypt sensitive data in our database and have keys stored somewhere else.

    We are in the business that applies the same logic to secure the unstructured data, AKA files, which are far more prone to be "accidentally exposed".

    To illustrate our approach, this info-graphic by the NSA is the best that we can't top: simply substitute "servers and software" with "file".

    Yes, we are able to provide security and visibility down to every single file, no matter on which device the files are being accessed and by whom, on premises, on cloud, or even at third-party partners. To make it better, the friction to the end users, as well as IT, is minimal since we will provide our service as SaaS, fully managed by APF.

    We will demonstrate how this data-centric solution works in perfect harmony with perimeter protection products like OpenZiti in this POC exercise.



    ------------------------------
    Jun Yu
    APF Technologies LLC
    ------------------------------



  • 15.  RE: Zero Trust Proof-of-Concept

    Posted Oct 27, 2022 12:08:00 PM
    Thanks @Nya Murray for organizing the call and laying the groundwork, and thanks to all of you for jumping on the call.

    Most are aware of the ZTA demo built by the NCCOE (NIST) with many of the biggest names in the industry, so why another one? I believe that while the NCCOE demo is comprehensive, it doesn't fully address the existing threats. In other words, its demo would not be enough to stop the SolarWinds attack if it happened today.  Among its use cases simulating attacks with stolen identity, the prerequisites involve either the false identity being flagged as stolen, failed MTA, or using outdated credentials.

    In this POC, it is our intention to use a risk-based approach to highlight cyber defense in a more realistic fashion.  Instead of using pre-defined use cases, we want to show how critical resources are being protected when the network is under attack. In the real world, we can never predict how the systems will fail and what assets will be targeted. Unless we can protect every asset, we are protecting none of the assets. After all, the NSA sees that network breaches happen in "regularity."



    ------------------------------
    Jun Yu
    APF Technologies LLC
    ------------------------------