The Zero Trust Model of Information Security
John Kindervag, Forrester Research
Cindy Valladares, Tripwire, Inc.
IT SECURITY & COMPLIANCE AUTOMATION
Today’s Speakers
John Kindervag
Senior Analyst
Forrester Research
Cindy Valladares
Compliance Solutions Manager
Tripwire, Inc.
© 2010 Forrester Research, Inc. Reproduction Prohibited
No More Chewy Centers: The Zero-Trust Model Of Information Security
John Kindervag, Senior Analyst
Agenda
• New threat landscape
• Something’s broken
• New trust models
• Summary
What do they have in common?
New threat landscape
Question: “Why do you rob banks?”
Answer: “Because that’s where the money is.”
Where the money is . . .
• Credit card theft
• Identity theft/fraud
• SPAM/botnets
• Web 2.0 (user-generated content)
The “Philip Cummings” problem
Philip Cummings was a help desk staffer at TeleData Communication, Inc. (TCI), 1999 to 2000.
TCI is a software provider for credit bureaus such as Experian and Equifax.
Cummings had access to client passwords and subscription codes.
The “Philip Cummings” problem (cont.)
Cummings was offered $60 per credit report by Nigerian nationals (organized crime).
Cummings provided a laptop preprogrammed to download credit reports from Experian, Equifax, and TransUnion.
The crimes took place between 2000 and 2003 (Cummings left his job in 2000).
The “Philip Cummings” problem (cont.)
Discovered by Ford Motor Credit Company in 2003
30,000 identities stolen
At least $2.7 million loss (FBI data)
Cummings sentenced to 14 years in prison and a $1 million fine
Biggest identity theft in US history
Plenty of controls
(Diagram: a conventional network stacked with point controls. Internet edge: router, web application firewall, two-factor authentication, SSL VPN, content filtering, wireless gateway and firewall. Management segment: anti-virus console, intrusion detection console, security information manager, patch management, RNA console and wireless management console. Server DMZ: FTP server, email server and web server farm; an internal server farm behind an IPsec VPN; IDS taps on every switch. User populations: home users, remote wireless users, corporate wireless network, business partners and internal users.)
What’s broken?
Which one goes to the Internet?
(Diagram: two sides of the firewall, labelled UNTRUSTED and TRUSTED.)
“Trust but verify?”
What’s broken?
Trust model
2010 breaches — malicious insider
The cost of a breach
Source: April 10, 2007, “Calculating The Cost Of A Security Breach” Forrester report
TJX accrued expenses (Form 10-K) — 2008
Source: January 11, 2010, “PCI Unleashed” Forrester report
How do we fix it?
Zero trust
(Diagram: the same firewall, with both sides now labelled UNTRUSTED.)
Concepts of zero trust
• All resources are accessed in a secure manner, regardless of location.
• Access control is on a “need-to-know” basis and is strictly enforced.
• Verify and never trust.
• Inspect and log all traffic.
• The network is designed from the inside out.
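As an added illustration (not part of the original deck), the contrast between the “TRUSTED/UNTRUSTED” perimeter model and the zero-trust concepts above, written as two policy functions: one allows anything coming from the inside address range, the other ignores location, requires a verified identity, enforces need-to-know, and logs every decision. The identities, addresses, resources and the need-to-know table are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample "need-to-know" policy: which identity may read which resource.
NEED_TO_KNOW = {
    "alice@example.test": {"/credit-reports/summary"},
    "helpdesk01@example.test": {"/helpdesk/tickets"},
}

# The address range the old perimeter model calls "TRUSTED" (constructed).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class AccessRequest:
    identity: Optional[str]  # None means the caller never authenticated
    source_ip: str
    resource: str


def perimeter_decide(req: AccessRequest) -> bool:
    """The broken trust model: allowed simply because the request comes from
    the "trusted" inside. Identity and need-to-know are never checked."""
    return ipaddress.ip_address(req.source_ip) in INTERNAL_NET


def zero_trust_decide(req: AccessRequest, audit: List[str]) -> bool:
    """Zero-trust evaluation of the same request: the source network is
    ignored (inside and outside are both UNTRUSTED), the identity must be
    verified, access is need-to-know, and every decision is logged."""
    allowed = (
        req.identity is not None
        and req.resource in NEED_TO_KNOW.get(req.identity, set())
    )
    audit.append(
        f"{'ALLOW' if allowed else 'DENY'} identity={req.identity} "
        f"src={req.source_ip} resource={req.resource}"
    )
    return allowed


def run_demo() -> List[str]:
    """Compare both models on constructed requests and return the audit trail."""
    audit: List[str] = []
    # An insider on the internal network reading data outside their role.
    insider = AccessRequest("helpdesk01@example.test", "10.1.2.3", "/credit-reports/summary")
    # An authorized user connecting from outside the perimeter.
    remote = AccessRequest("alice@example.test", "203.0.113.7", "/credit-reports/summary")
    for req in (insider, remote):
        print(f"perimeter={perimeter_decide(req)} zero_trust={zero_trust_decide(req, audit)}")
    return audit
```

The perimeter model lets the insider through and blocks the legitimate remote user; the zero-trust model reverses both decisions and leaves an audit record of each.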
Inspect and log everything
(Diagram: an inspect-and-log architecture. An IPS sits in front of each segment: management server, web farm, server farm, DB farm, WLAN gateway and WAN. A WAF and a DAM cover the web and database tiers. A DAN (data acquisition network) feeds the SIM and NAV tools.)
Strong perimeters = new threat vectors
• The threat landscape is changing — beyond the perimeter.
• Organized crime is bribing insiders.
• Security must become ubiquitous throughout your infrastructure.
Recommendations
• New paradigm — data-centric security
• Zero trust — “Verify, but don’t trust!”
• Inspect and log all traffic.
• Design with compliance in mind.
A blueprint for making it real
The next 90 days
• Eliminate the word “trust” from your vocabulary.
• Find your critical data, and map your data flows.
• Tell people you will be watching their data access activity.
• Review who should be allowed specific data access.
A blueprint for making it real
Longer term
• Create a data acquisition network (DAN).
• Segment your network to ease your security and compliance burden.
• Begin rebuilding your network to reflect the zero-trust concepts.
Thank you
John Kindervag
+1 469.221.5372
Twitter: @Kindervag
www.forrester.com
www.tripwire.com
Tripwire Americas: 1.800.TRIPWIRE
Tripwire EMEA: +44 (0) 20 7382 5420
Tripwire Japan: +812.53206.8610
Tripwire Singapore: +65 6733 5051
Tripwire Australia-New Zealand: +61 (0) 402 138 980
THANK YOU!
John Kindervag, Forrester Research
E-mail : [email protected]