SlideShare a Scribd company logo

The Zero Trust Model of Information Security

Download as PPTX, PDF
Tripwire, profile picture
Tripwire

The document presents a discussion on the zero-trust model of information security, emphasizing new threats and the inadequacies of current trust models. It highlights a significant case of identity theft perpetrated by an insider, underscoring the need for enhanced security protocols. Recommendations include adopting a data-centric security approach and implementing stricter access controls while designing networks with zero-trust principles.

Technology
1 of 37
Downloaded 381 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Most read
17
18
19
20
21
22
23
24
25
26
27
Most read
28
29
30
Most read
31
32
33
34
35
36
37
The Zero Trust Model of Information Security
John Kindervag Forrester Research Cindy Valladares Tripwire, Inc.
Today’s Speakers Senior Analyst
No More Chewy Centers: The Zero-Trust Model Of Information Security John Kindervag, Senior Analyst 4 © 2010 Forrester Research, Inc. Reproduction Prohibited 2009
Agenda New threat landscape Something’s broken New trust models Summary 5 © 2010 Forrester Research, Inc. Reproduction Prohibited
Agenda New threat landscape Something’s broken New trust models Summary 6 © 2010 Forrester Research, Inc. Reproduction Prohibited
What do they have in common? 7 © 2010 Forrester Research, Inc. Reproduction Prohibited
New threat landscape  Question: “Why do you rob banks?”  Answer: “Because that’s where the money is.” 8 © 2010 Forrester Research, Inc. Reproduction Prohibited
Where the money is . . .  Credit card theft  Identity theft/fraud  SPAM/botnets  Web 2.0 (user-generated content) 9 © 2010 Forrester Research, Inc. Reproduction Prohibited
The “Philip Cummings” problem  Philip Cummings was a help desk staffer at TeleData Communication, Inc. (TCI), 1999 to 2000.  TCI is a software provider for credit bureaus such as Experian and Equifax.  Cummings had access to client passwords and subscription codes. 10 © 2010 Forrester Research, Inc. Reproduction Prohibited
The “Philip Cummings” problem (cont.)  Cummings was offered $60 per credit report by Nigerian nationals (organized crime).  Cummings provided a laptop preprogrammed to download credit reports from Experian, Equifax, and TransUnion.  The crimes took place between 2000 and 2003 (Cummings left his job in 2000). 11 © 2010 Forrester Research, Inc. Reproduction Prohibited
The “Philip Cummings” problem (cont.)  Discovered by Ford Motor Credit Company in 2003  30,000 identities stolen  At least $2.7 million loss (FBI data)  Cummings sentenced to 14 years in prison and $1 million fine  Biggest identity theft in US history 12 © 2010 Forrester Research, Inc. Reproduction Prohibited
13 © 2010 Forrester Research, Inc. Reproduction Prohibited
14 © 2010 Forrester Research, Inc. Reproduction Prohibited
Agenda New threat landscape Something’s broken New trust models Summary Other item 15 © 2010 Forrester Research, Inc. Reproduction Prohibited
Plenty of controls Home Users Internet Business Parters Remote Wireless Users IDS Tap Router Firewall IPSEC VPN SSL VPN Two-Factor Switch IDS Tap Web Application Authentication Firewall Web Server Farm IDS Tap Patch RNA Console Management IDS Tap IDS Tap Content Filtering FTP Server Email Server Intrusion Security Switch Detection Information Server DMZ Console Manager Switch Wireless Gateway Wireless Anti-Virus Management Console IDS Tap Console Internal Users Management Segment Corporate Wireless Network Internal Server Farm 16 © 2010 Forrester Research, Inc. Reproduction Prohibited
What’s broken? 17 © 2010 Forrester Research, Inc. Reproduction Prohibited
Which one goes to the Internet? UNTRUSTED TRUSTED 18 © 2010 Forrester Research, Inc. Reproduction Prohibited
“Trust but verify?” 19 © 2010 Forrester Research, Inc. Reproduction Prohibited
What’s broken? Trust model 20 © 2010 Forrester Research, Inc. Reproduction Prohibited
2010 breaches — malicious insider 21 © 2010 Forrester Research, Inc. Reproduction Prohibited
The cost of a breach Source: April 10, 2007, “Calculating The Cost Of A Security Breach” Forrester report 22 © 2010 Forrester Research, Inc. Reproduction Prohibited
TJX accrued expenses (10k) — 2008 Source: January 11, 2010, “PCI Unleashed” Forrester report 23 © 2010 Forrester Research, Inc. Reproduction Prohibited
How do we fix it? 24 © 2010 Forrester Research, Inc. Reproduction Prohibited
Agenda New threat landscape Something’s broken New trust models Summary 25 © 2010 Forrester Research, Inc. Reproduction Prohibited
Zero trust UNTRUSTED UNTRUSTED 26 © 2010 Forrester Research, Inc. Reproduction Prohibited
Concepts of zero trust  All resources are accessed in a secure manner, regardless of location.  Access control is on a “need-to-know” basis and is strictly enforced.  Verify and never trust.  Inspect and log all traffic.  The network is designed from the inside out. 27 © 2010 Forrester Research, Inc. Reproduction Prohibited
Inspect and log everything IPS WAF IPS Web IPS Server farm farm WLAN GW IPS DAM DB farm IPS SIM NAV MGMT DAN server WAN 28 © 2010 Forrester Research, Inc. Reproduction Prohibited
29 © 2010 Forrester Research, Inc. Reproduction Prohibited
30 © 2010 Forrester Research, Inc. Reproduction Prohibited
Agenda New threat landscape Something’s broken New trust models Summary 31 © 2010 Forrester Research, Inc. Reproduction Prohibited
Strong perimeters = new threat vectors  The threat landscape is changing — beyond the perimeter.  Organized crime is bribing insiders.  Security must become ubiquitous throughout your infrastructure. 32 © 2010 Forrester Research, Inc. Reproduction Prohibited
Recommendations  New paradigm — data-centric security  Zero trust — “Verify, but don’t trust!”  Inspect and log all traffic.  Design with compliance in mind. 33 © 2010 Forrester Research, Inc. Reproduction Prohibited
A blueprint for making it real The next 90 days • Eliminate the word “trust” from your vocabulary. • Find your critical data, and map your data flows. • Tell people you will be watching their data access activity. • Review who should be allowed specific data access. 34 34 contents © 2010 Forrester Research,Reproduction Prohibited Entire © 2010 Forrester Research, Inc. Inc. All rights reserved.
A blueprint for making it real Longer term • Create a data acquisition network (DAN). • Segment your network to ease your security and compliance burden. • Begin rebuilding your network to reflect the zero-trust concepts. 35 35 contents © 2010 Forrester Research,Reproduction Prohibited Entire © 2010 Forrester Research, Inc. Inc. All rights reserved.
Thank you John Kindervag +1 469.221.5372 jkindervag@forrester.com Twitter: @Kindervag www.forrester.com © 2009 Forrester Research, Inc. Reproduction Prohibited
John Kindervag www.tripwire.com Forrester Research E-mail : jkindervag@forrester.com

More Related Content

PDF
Zero Trust Model Presentation
Gowdhaman Jothilingam
 
PPTX
Zero Trust Model
Yash
 
PPTX
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
Maganathin Veeraragaloo
 
PPTX
What is zero trust model (ztm)
Ahmed Banafa
 
PDF
NIST Zero Trust Explained
rtp2009
 
PDF
Microsoft Zero Trust
David J Rosenthal
 
PPTX
Zero trust deck 2020
Guido Marchetti
 
PPTX
Zero Trust Framework for Network Security​
AlgoSec
 
Zero Trust Model Presentation
Gowdhaman Jothilingam
 
Zero Trust Model
Yash
 
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
Maganathin Veeraragaloo
 
What is zero trust model (ztm)
Ahmed Banafa
 
NIST Zero Trust Explained
rtp2009
 
Microsoft Zero Trust
David J Rosenthal
 
Zero trust deck 2020
Guido Marchetti
 
Zero Trust Framework for Network Security​
AlgoSec
 

What's hot (20)

PPTX
Zero Trust
Boaz Shunami
 
DOCX
What is zero trust model of information security?
Ahmed Banafa
 
PDF
Introduction to Cybersecurity
Krutarth Vasavada
 
PPTX
Zero Trust Network Access
Er. Ajay Sirsat
 
PPTX
Security Operation Center Fundamental
Amir Hossein Zargaran
 
PDF
Introduction to MITRE ATT&CK
Arpan Raval
 
PPTX
Zero trust Architecture
AddWeb Solution Pvt. Ltd.
 
PPTX
Endpoint Protection
Sophos
 
PDF
Zero trust in a hybrid architecture
Hybrid IT Europe
 
PPTX
What is Zero Trust
Okta-Inc
 
PDF
Vulnerability Management
asherad
 
PDF
MITRE ATT&CK Framework
n|u - The Open Security Community
 
PPTX
4_Session 1- Universal ZTNA.pptx
aungyekhant1
 
PPTX
Cybersecurity 1. intro to cybersecurity
sommerville-videos
 
PDF
Building a Next-Generation Security Operations Center (SOC)
Sqrrl
 
PPTX
An introduction to SOC (Security Operation Center)
Ahmad Haghighi
 
PPTX
SOC Architecture Workshop - Part 1
Priyanka Aash
 
PDF
SOC Architecture - Building the NextGen SOC
Priyanka Aash
 
PPTX
5 Steps to a Zero Trust Network - From Theory to Practice
AlgoSec
 
PDF
Cyber Security Maturity Assessment
Doreen Loeber
 
Zero Trust
Boaz Shunami
 
What is zero trust model of information security?
Ahmed Banafa
 
Introduction to Cybersecurity
Krutarth Vasavada
 
Zero Trust Network Access
Er. Ajay Sirsat
 
Security Operation Center Fundamental
Amir Hossein Zargaran
 
Introduction to MITRE ATT&CK
Arpan Raval
 
Zero trust Architecture
AddWeb Solution Pvt. Ltd.
 
Endpoint Protection
Sophos
 
Zero trust in a hybrid architecture
Hybrid IT Europe
 
What is Zero Trust
Okta-Inc
 
Vulnerability Management
asherad
 
MITRE ATT&CK Framework
n|u - The Open Security Community
 
4_Session 1- Universal ZTNA.pptx
aungyekhant1
 
Cybersecurity 1. intro to cybersecurity
sommerville-videos
 
Building a Next-Generation Security Operations Center (SOC)
Sqrrl
 
An introduction to SOC (Security Operation Center)
Ahmad Haghighi
 
SOC Architecture Workshop - Part 1
Priyanka Aash
 
SOC Architecture - Building the NextGen SOC
Priyanka Aash
 
5 Steps to a Zero Trust Network - From Theory to Practice
AlgoSec
 
Cyber Security Maturity Assessment
Doreen Loeber
 
Ad

Viewers also liked (20)

PPTX
The Software-Defined Network Story: Automation, Agility and Security
Sirius
 
PDF
Business Model For Information Security
Marco Raposo
 
DOCX
PEST Analysis for Security
Davide De Bella
 
PDF
DWS16 - Smart city forum - Niels De Schutter, Atos
IDATE DigiWorld
 
PPTX
Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliew...
CA API Management
 
PPTX
Web application security: how to start?
Antonio Fontes
 
PDF
Leverage Micro-Segmentation to Build a Zero Trust Network (Forrester)
VMware
 
PDF
IoT And Inevitable Decentralization of The Internet
Paul Brody
 
PDF
Patterns and Antipatterns in Enterprise Security
WSO2
 
PDF
The End of the Fortress: The new Approach to Cybersecurity
Marc Nader
 
PDF
SABSA: Key features, advantages & benefits summary
SABSAcourses
 
PPTX
Understand How Machine Learning Defends Against Zero-Day Threats
Rahul Mohandas
 
PPTX
Modelling Security Architecture
narenvivek
 
PPTX
Improving web application security, part ii
Kangkan Goswami
 
PPT
Information security policy_2011
codka
 
PDF
Simplifying the secure data center
Cisco Canada
 
PDF
Blockchain_ver0.5_MIT_security_and Privacy_am_final_upload
Anish Mohammed
 
PDF
From Business Architecture to Security Architecture
Priyanka Aash
 
PPTX
Application Security Architecture and Threat Modelling
Priyanka Aash
 
PDF
Application Security: Last Line of Defense
Narudom Roongsiriwong, CISSP
 
The Software-Defined Network Story: Automation, Agility and Security
Sirius
 
Business Model For Information Security
Marco Raposo
 
PEST Analysis for Security
Davide De Bella
 
DWS16 - Smart city forum - Niels De Schutter, Atos
IDATE DigiWorld
 
Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliew...
CA API Management
 
Web application security: how to start?
Antonio Fontes
 
Leverage Micro-Segmentation to Build a Zero Trust Network (Forrester)
VMware
 
IoT And Inevitable Decentralization of The Internet
Paul Brody
 
Patterns and Antipatterns in Enterprise Security
WSO2
 
The End of the Fortress: The new Approach to Cybersecurity
Marc Nader
 
SABSA: Key features, advantages & benefits summary
SABSAcourses
 
Understand How Machine Learning Defends Against Zero-Day Threats
Rahul Mohandas
 
Modelling Security Architecture
narenvivek
 
Improving web application security, part ii
Kangkan Goswami
 
Information security policy_2011
codka
 
Simplifying the secure data center
Cisco Canada
 
Blockchain_ver0.5_MIT_security_and Privacy_am_final_upload
Anish Mohammed
 
From Business Architecture to Security Architecture
Priyanka Aash
 
Application Security Architecture and Threat Modelling
Priyanka Aash
 
Application Security: Last Line of Defense
Narudom Roongsiriwong, CISSP
 
Ad

Similar to The Zero Trust Model of Information Security (20)

PDF
Cat6500 Praesentation
Sophan_Pheng
 
PDF
S series presentation
Sergey Marunich
 
PDF
IBM Infosphere Guardium - Database Security
ebuc
 
PPT
Fast Pitch Forum (VANTOS)
Washington Technology Industry Association
 
PDF
Identity systems
Jim Fenton
 
PPTX
Juniper Provision - 13martie2012
Agora Group
 
PDF
Next Gen Data Center Implementing Network Storage with Server Blades, Cluster...
IMEX Research
 
PPTX
Data Breach from the Inside Out
The Lorenzi Group
 
PDF
DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems Intelligence
Andris Soroka
 
PDF
SmartCard Forum 2011 - Evolution of authentication market
OKsystem
 
PPTX
Sådan undgår du misbrug af kundedata og fortrolig information
IBM Danmark
 
PDF
Securing UC Borders with Acme Packet
AcmePacket
 
PDF
Bapinger Network Security
Djadja Sardjana
 
PPTX
F5's IP Intelligence Service
F5 Networks
 
PPTX
Track 2, session 5, aligning security with business kartik shahani
EMC Forum India
 
PDF
Cisco tec chris young - security intelligence operations
Cisco Public Relations
 
PDF
Telesemana ce nominum:mef
Rafael Junquera
 
PDF
Bulding Soc In Changing Threat Landscapefinal
Mahmoud Yassin
 
PPT
Information Security
Mohit8780
 
PDF
F5 Networks: architecture and risk management
AEC Networks
 
Cat6500 Praesentation
Sophan_Pheng
 
S series presentation
Sergey Marunich
 
IBM Infosphere Guardium - Database Security
ebuc
 
Fast Pitch Forum (VANTOS)
Washington Technology Industry Association
 
Identity systems
Jim Fenton
 
Juniper Provision - 13martie2012
Agora Group
 
Next Gen Data Center Implementing Network Storage with Server Blades, Cluster...
IMEX Research
 
Data Breach from the Inside Out
The Lorenzi Group
 
DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems Intelligence
Andris Soroka
 
SmartCard Forum 2011 - Evolution of authentication market
OKsystem
 
Sådan undgår du misbrug af kundedata og fortrolig information
IBM Danmark
 
Securing UC Borders with Acme Packet
AcmePacket
 
Bapinger Network Security
Djadja Sardjana
 
F5's IP Intelligence Service
F5 Networks
 
Track 2, session 5, aligning security with business kartik shahani
EMC Forum India
 
Cisco tec chris young - security intelligence operations
Cisco Public Relations
 
Telesemana ce nominum:mef
Rafael Junquera
 
Bulding Soc In Changing Threat Landscapefinal
Mahmoud Yassin
 
Information Security
Mohit8780
 
F5 Networks: architecture and risk management
AEC Networks
 

More from Tripwire (20)

PDF
Mind the Cybersecurity Gap - Why Compliance Isn't Enough
Tripwire
 
PDF
Data Privacy Day 2022: Tips to Ensure Data Privacy
Tripwire
 
PDF
Key Challenges Facing IT/OT: Hear From The Experts
Tripwire
 
PPTX
Tripwire Energy Working Group: TIV Demo
Tripwire
 
PPTX
Tripwire Energy Working Group Session w/Dale Peterson
Tripwire
 
PPTX
Tripwire Energy Working Group: CIP Solutions and Baseline Walk-Through
Tripwire
 
PPTX
Tripwire Energy Working Group: Customer Session with Chase Cole
Tripwire
 
PPTX
Tripwire Energy Working Group: Keynote w/Patrick Miller
Tripwire
 
PDF
World Book Day: Cybersecurity’s Quietest Celebration
Tripwire
 
PDF
Tripwire Retail Security 2020 Survey: Key Findings
Tripwire
 
PDF
Key Findings: Tripwire COVID-19 Cybersecurity Impact Report
Tripwire
 
PDF
The Adventures of Captain Tripwire: Coloring Book!
Tripwire
 
PDF
Industrial Cybersecurity: Practical Tips for IT & OT Collaboration
Tripwire
 
PDF
The Adventures of Captain Tripwire #1: Captain Tripwire Faces the Indefensibl...
Tripwire
 
PDF
Tripwire 2019 Skills Gap Survey: Key Findings
Tripwire
 
PDF
A Look Back at 2018: The Most Memorable Cyber Moments
Tripwire
 
PPTX
Time for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass Audits
Tripwire
 
PDF
Tripwire State of Cyber Hygiene 2018 Report: Key Findings
Tripwire
 
PPTX
Defend Your Data Now with the MITRE ATT&CK Framework
Tripwire
 
PPTX
Defending Critical Infrastructure Against Cyber Attacks
Tripwire
 
Mind the Cybersecurity Gap - Why Compliance Isn't Enough
Tripwire
 
Data Privacy Day 2022: Tips to Ensure Data Privacy
Tripwire
 
Key Challenges Facing IT/OT: Hear From The Experts
Tripwire
 
Tripwire Energy Working Group: TIV Demo
Tripwire
 
Tripwire Energy Working Group Session w/Dale Peterson
Tripwire
 
Tripwire Energy Working Group: CIP Solutions and Baseline Walk-Through
Tripwire
 
Tripwire Energy Working Group: Customer Session with Chase Cole
Tripwire
 
Tripwire Energy Working Group: Keynote w/Patrick Miller
Tripwire
 
World Book Day: Cybersecurity’s Quietest Celebration
Tripwire
 
Tripwire Retail Security 2020 Survey: Key Findings
Tripwire
 
Key Findings: Tripwire COVID-19 Cybersecurity Impact Report
Tripwire
 
The Adventures of Captain Tripwire: Coloring Book!
Tripwire
 
Industrial Cybersecurity: Practical Tips for IT & OT Collaboration
Tripwire
 
The Adventures of Captain Tripwire #1: Captain Tripwire Faces the Indefensibl...
Tripwire
 
Tripwire 2019 Skills Gap Survey: Key Findings
Tripwire
 
A Look Back at 2018: The Most Memorable Cyber Moments
Tripwire
 
Time for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass Audits
Tripwire
 
Tripwire State of Cyber Hygiene 2018 Report: Key Findings
Tripwire
 
Defend Your Data Now with the MITRE ATT&CK Framework
Tripwire
 
Defending Critical Infrastructure Against Cyber Attacks
Tripwire
 

Recently uploaded (20)

DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Advanced Soft Computing BINUS July 2025.pdf
University of Hertfordshire
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
breach-and-attack-simulation-cybersecurity-india-chennai-defenderrabbit-2025....
defencerabbit Team
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
GDG Cloud Iasi [PUBLIC] Florian Blaga - Unveiling the Evolution of Cybersecur...
athlonica
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
[발표본] 너의 과제는 클라우드에 있어_KTDS_김동현_20250524.pdf
ssuserf8b8bd1
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
solutions_manual_-_materials___processing_in_manufacturing__demargo_.pdf
AbdullahSani29
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Advanced Soft Computing BINUS July 2025.pdf
University of Hertfordshire
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
breach-and-attack-simulation-cybersecurity-india-chennai-defenderrabbit-2025....
defencerabbit Team
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
GDG Cloud Iasi [PUBLIC] Florian Blaga - Unveiling the Evolution of Cybersecur...
athlonica
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
[발표본] 너의 과제는 클라우드에 있어_KTDS_김동현_20250524.pdf
ssuserf8b8bd1
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
solutions_manual_-_materials___processing_in_manufacturing__demargo_.pdf
AbdullahSani29
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 

The Zero Trust Model of Information Security

  • 1. The Zero Trust Model of Information Security
  • 2. John Kindervag Forrester Research Cindy Valladares Tripwire, Inc.
  • 3. Today’s Speakers Senior Analyst
  • 4. No More Chewy Centers: The Zero-Trust Model Of Information Security John Kindervag, Senior Analyst 4 © 2010 Forrester Research, Inc. Reproduction Prohibited 2009
  • 5. Agenda New threat landscape Something’s broken New trust models Summary 5 © 2010 Forrester Research, Inc. Reproduction Prohibited
  • 6. Agenda New threat landscape Something’s broken New trust models Summary 6 © 2010 Forrester Research, Inc. Reproduction Prohibited
  • 7. What do they have in common? 7 © 2010 Forrester Research, Inc. Reproduction Prohibited
  • 8. New threat landscape  Question: “Why do you rob banks?”  Answer: “Because that’s where the money is.” 8 © 2010 Forrester Research, Inc. Reproduction Prohibited
  • 9. Where the money is . . .  Credit card theft  Identity theft/fraud  SPAM/botnets  Web 2.0 (user-generated content) 9 © 2010 Forrester Research, Inc. Reproduction Prohibited
  • 10. The “Philip Cummings” problem  Philip Cummings was a help desk staffer at TeleData Communication, Inc. (TCI), 1999 to 2000.  TCI is a software provider for credit bureaus such as Experian and Equifax.  Cummings had access to client passwords and subscription codes. 10 © 2010 Forrester Research, Inc. Reproduction Prohibited
  • 11. The “Philip Cummings” problem (cont.)  Cummings was offered $60 per credit report by Nigerian nationals (organized crime).  Cummings provided a laptop preprogrammed to download credit reports from Experian, Equifax, and TransUnion.  The crimes took place between 2000 and 2003 (Cummings left his job in 2000). 11 © 2010 Forrester Research, Inc. Reproduction Prohibited
  • 12. The “Philip Cummings” problem (cont.)  Discovered by Ford Motor Credit Company in 2003  30,000 identities stolen  At least $2.7 million loss (FBI data)  Cummings sentenced to 14 years in prison and $1 million fine  Biggest identity theft in US history 12 © 2010 Forrester Research, Inc. Reproduction Prohibited
  • 13. 13 © 2010 Forrester Research, Inc. Reproduction Prohibited
  • 14. 14 © 2010 Forrester Research, Inc. Reproduction Prohibited
  • 15. Agenda New threat landscape Something’s broken New trust models Summary Other item 15 © 2010 Forrester Research, Inc. Reproduction Prohibited
  • 16. Plenty of controls Home Users Internet Business Parters Remote Wireless Users IDS Tap Router Firewall IPSEC VPN SSL VPN Two-Factor Switch IDS Tap Web Application Authentication Firewall Web Server Farm IDS Tap Patch RNA Console Management IDS Tap IDS Tap Content Filtering FTP Server Email Server Intrusion Security Switch Detection Information Server DMZ Console Manager Switch Wireless Gateway Wireless Anti-Virus Management Console IDS Tap Console Internal Users Management Segment Corporate Wireless Network Internal Server Farm 16 © 2010 Forrester Research, Inc. Reproduction Prohibited
  • 17. What’s broken? 17 © 2010 Forrester Research, Inc. Reproduction Prohibited
  • 18. Which one goes to the Internet? UNTRUSTED TRUSTED 18 © 2010 Forrester Research, Inc. Reproduction Prohibited
  • 19. “Trust but verify?” 19 © 2010 Forrester Research, Inc. Reproduction Prohibited
  • 20. What’s broken? Trust model 20 © 2010 Forrester Research, Inc. Reproduction Prohibited
  • 21. 2010 breaches — malicious insider 21 © 2010 Forrester Research, Inc. Reproduction Prohibited
  • 22. The cost of a breach Source: April 10, 2007, “Calculating The Cost Of A Security Breach” Forrester report 22 © 2010 Forrester Research, Inc. Reproduction Prohibited
  • 23. TJX accrued expenses (10k) — 2008 Source: January 11, 2010, “PCI Unleashed” Forrester report 23 © 2010 Forrester Research, Inc. Reproduction Prohibited
  • 24. How do we fix it? 24 © 2010 Forrester Research, Inc. Reproduction Prohibited
  • 25. Agenda New threat landscape Something’s broken New trust models Summary 25 © 2010 Forrester Research, Inc. Reproduction Prohibited
  • 26. Zero trust UNTRUSTED UNTRUSTED 26 © 2010 Forrester Research, Inc. Reproduction Prohibited
  • 27. Concepts of zero trust  All resources are accessed in a secure manner, regardless of location.  Access control is on a “need-to-know” basis and is strictly enforced.  Verify and never trust.  Inspect and log all traffic.  The network is designed from the inside out. 27 © 2010 Forrester Research, Inc. Reproduction Prohibited
  • 28. Inspect and log everything IPS WAF IPS Web IPS Server farm farm WLAN GW IPS DAM DB farm IPS SIM NAV MGMT DAN server WAN 28 © 2010 Forrester Research, Inc. Reproduction Prohibited
  • 29. 29 © 2010 Forrester Research, Inc. Reproduction Prohibited
  • 30. 30 © 2010 Forrester Research, Inc. Reproduction Prohibited
  • 31. Agenda New threat landscape Something’s broken New trust models Summary 31 © 2010 Forrester Research, Inc. Reproduction Prohibited
  • 32. Strong perimeters = new threat vectors  The threat landscape is changing — beyond the perimeter.  Organized crime is bribing insiders.  Security must become ubiquitous throughout your infrastructure. 32 © 2010 Forrester Research, Inc. Reproduction Prohibited
  • 33. Recommendations  New paradigm — data-centric security  Zero trust — “Verify, but don’t trust!”  Inspect and log all traffic.  Design with compliance in mind. 33 © 2010 Forrester Research, Inc. Reproduction Prohibited
  • 34. A blueprint for making it real The next 90 days • Eliminate the word “trust” from your vocabulary. • Find your critical data, and map your data flows. • Tell people you will be watching their data access activity. • Review who should be allowed specific data access. 34 34 contents © 2010 Forrester Research,Reproduction Prohibited Entire © 2010 Forrester Research, Inc. Inc. All rights reserved.
  • 35. A blueprint for making it real Longer term • Create a data acquisition network (DAN). • Segment your network to ease your security and compliance burden. • Begin rebuilding your network to reflect the zero-trust concepts. 35 35 contents © 2010 Forrester Research,Reproduction Prohibited Entire © 2010 Forrester Research, Inc. Inc. All rights reserved.
  • 36. Thank you John Kindervag +1 469.221.5372 jkindervag@forrester.com Twitter: @Kindervag www.forrester.com © 2009 Forrester Research, Inc. Reproduction Prohibited
  • 37. John Kindervag www.tripwire.com Forrester Research E-mail : jkindervag@forrester.com

Editor's Notes

  • #14: Source: Justice.gov (http://www.usdoj.gov/usao/gan/press/2009/09-16-09c.pdf)
  • #15: Source: Justice.gov (http://www.usdoj.gov/usao/gan/press/2009/09-16-09c.pdf)
  • #22: Source: Data Loss (www.datalossdb.org)