How Zero Trust improves security and the user experience

Captions
Hi, my name is Josh Green. I'm an enterprise solutions engineer from the Duo Security business unit of Cisco. Today we're going to talk a little bit about network access. We'll start by looking at the way it's done traditionally and then talk about how Zero Trust can both improve the security of your infrastructure as well as improving the user experience for your end users.

So in the traditional model we've got our apps that are potentially in the cloud, and we've got our apps and servers and services that are on-premise, and users who are going to try to access those on-premise services traditionally use a VPN. So here in the DMZ of our network, most often there's a server, and that server is providing VPN services that users will dial into. So here's our VPN, and our user is going to connect to that. Now we're going to do some kind of verification there. Traditionally that was just username and password; then two-factor authentication was invented, and that helped us to do a little bit of extra verification on our users; and now we have what we call MFA, or multi-factor authentication, where we might be looking not just at the user but also at their device. However, regardless of what we're verifying and how we're verifying it, once that's done this VPN is going to give this user an IP address. At that point the user is effectively on the internal network, and they can start accessing applications and services, and they can go really wherever they want. Additionally, one of the challenges with VPN from a security point of view is, say I've logged into this SSH server: I can now use that to pivot to other places in the network, and unless I've got something else on the network here that's providing some kind of mitigating control, that can become a really dangerous vector for a potential cyber attack, because attackers oftentimes don't want what they find on the first machine they arrive on on the internal network. They actually want to move around the network looking for things like payment card data.

So what we're going to do with Zero Trust is look at how this network architecture changes, and we're going to talk about how that helps not only improve security but also the end-user experience. So now we're going to talk about how this changes in the world of Zero Trust. Not only do we have to address what's going on on-premise, but the other thing is that in that previous model, when we were talking about the VPN, we didn't address this side of the picture at all, where users are actually going directly to cloud applications. That means that they're going to have different usernames and passwords, the security requirements for these applications could be completely different, and we don't get any visibility in that model as to what's going on here. And that's really a problem, because as companies move towards cloud-first architectures a lot more sensitive stuff is being stored up here, so we really need to get visibility into what's going on there. So these are things that are addressed by the Zero Trust model.

In this model we're going to put two things here. The first thing is going to be a reverse proxy, and the reverse proxy's job is going to be to broker that access into the internal network that we had previously with the VPN. The other thing we're going to put here is a single sign-on gateway that's going to use a protocol called SAML to help us sign into those cloud apps that we really weren't addressing before. So these two are going to talk to each other, and we'll talk about how that works. So now what's going to happen is our user wants to access something on-premise, just like they did before with the VPN. What they're actually going to connect to, via their client or their browser, is the reverse proxy. The reverse proxy is going to send them to the single sign-on gateway. The single sign-on gateway is going to talk to some source of identity; that might be in the cloud, it might be on-premise. In this case we'll say it's on-premise, so it's going to talk to our directory on-premise to authenticate that user.

Now what happens next depends on whether that application is in the cloud or on-premise. If it's in the cloud, there's no need for this user to ever come anywhere near our internal network; we're going to send them right back out to a cloud application via this single sign-on gateway. But there's a really key change here, because we've done that authentication on a gateway we control: we get to determine what policies are applied for access to these cloud applications. And this actually works just as well if that user has gone to the application in the cloud first, because of the way that SAML single sign-on works: these applications will know that we want to use our gateway to do the authentication, and they'll send the user right there for us. So that allows us to apply the same policies to our cloud apps that we would like to apply on-premise.

So now what happens with those on-premise apps? Well, when we saw that it was a cloud app, we just sent the user right back out to the Internet, no need to come to the internal network. Now, however, if we know that that user is trying to access something on the internal network, the proxy won't send them out to the Internet; it will actually tunnel them to each individual app that they want to access. So now this has two really fundamental changes to how we do the networking. The first is that from the end user's point of view, they can't tell the difference between what's in the cloud and what's on-premise. They're going to authenticate exactly the same in both cases. When they connect here they don't need to use a VPN client, so they're going to feel that this web application, internally hosted, is actually exposed to the Internet; same with this SSH server. So the user experience is actually much, much easier, and our non-technical end users will simply think everything's in the cloud.

Now there's a huge advantage for security as well. What we're going to do on the internal network here is we're going to say that none of these applications will accept any connections that didn't come through the proxy, which means that although this user may be authorized to come into the SSH application, if they were to try to do that same pivot, where they move down here or went off to some other application, we're not going to accept that connection. So now what we're doing is we're verifying not just who is the user and what is their device, but also what are the individual things they should be able to do. And the same is true in the cloud, right, because we're getting the ability to verify that within our own gateway as well. So this represents a pretty fundamental shift in how we're going to do the networking. It allows us to simplify, from an end-user point of view, how the login process works while also securing things, and that is the first step towards a true Zero Trust model.
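The per-application brokering the talk describes (the proxy decides, per app, whether this user on this device may connect, and the internal apps accept nothing that did not come through the proxy) can be sketched in a few dozen lines. The example below is added to this page; it is not code from the talk, from Duo, or from Cisco. It assumes, as a stand-in for mTLS or a real proxy-to-backend trust channel, a shared HMAC key between the proxy and the backends, a constructed policy table with the app names `intranet-web`, `ssh-bastion` and `payments-db`, and that the SSO gateway has already authenticated the user and established whether their device is managed. The point it demonstrates is the one at the end of the transcript: a grant minted for the SSH bastion is refused by every other app, so the pivot that a VPN would have allowed is blocked at the backend, not just at the front door.

```python
import base64
import hashlib
import hmac
import json

# Assumption (not from the talk): a secret shared by the proxy and the internal
# apps, standing in for mTLS or per-app keys. Constructed value for the demo.
PROXY_KEY = b"constructed-demo-key-rotate-me"

# Constructed policy table: who may reach which internal app, and whether a
# managed (trusted) device is required. "payments-db" is reachable by nobody
# through the proxy, which is exactly the pivot target the talk wants to block.
POLICY = {
    "intranet-web": {"users": {"alice", "bob"}, "managed_device": False},
    "ssh-bastion": {"users": {"alice"}, "managed_device": True},
    "payments-db": {"users": set(), "managed_device": True},
}


class AccessDenied(Exception):
    """Raised by the proxy when policy does not allow the requested app."""


def _sign(body: bytes) -> str:
    return hmac.new(PROXY_KEY, body, hashlib.sha256).hexdigest()


def broker(user: str, device_managed: bool, app: str, now: int, ttl: int = 300) -> str:
    """Reverse-proxy side. Called after the SSO gateway has authenticated the
    user. Checks user and device against the policy for this one app and mints
    a short-lived grant bound to that app name, so it cannot be reused elsewhere."""
    rule = POLICY.get(app)
    if rule is None:
        raise AccessDenied(f"unknown app {app!r}")
    if user not in rule["users"]:
        raise AccessDenied(f"{user} is not authorised for {app}")
    if rule["managed_device"] and not device_managed:
        raise AccessDenied(f"{app} requires a managed device")
    body = json.dumps({"sub": user, "app": app, "exp": now + ttl}, sort_keys=True).encode()
    token = base64.urlsafe_b64encode(body).decode()
    return f"{token}.{_sign(body)}"


def backend_accepts(app: str, grant: str, now: int) -> bool:
    """Internal-app side. Accept a connection only if it carries a grant that
    the proxy signed for *this* app and that has not expired. A direct
    connection (no grant), a tampered grant, or a grant for another app is
    refused, which is what stops lateral movement from the SSH bastion."""
    try:
        token, sig = grant.split(".", 1)
        body = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return False
    if not hmac.compare_digest(_sign(body), sig):
        return False
    claims = json.loads(body)
    return claims.get("app") == app and claims.get("exp", 0) > now


if __name__ == "__main__":
    now = 1_700_000_000
    g = broker("alice", True, "ssh-bastion", now)
    print("ssh-bastion accepts alice's grant:", backend_accepts("ssh-bastion", g, now))
    print("payments-db accepts the same grant:", backend_accepts("payments-db", g, now))
```

The grant here is deliberately bound to the application, not to the network: knowing the bastion's address and holding a valid session for it buys nothing against `payments-db`, because that backend checks the `app` claim rather than the source IP. In a deployment the shared key would be replaced by mutual TLS or per-app keys and the policy would come from the identity source the gateway already consults.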
Info
Channel: Cisco Nederland
Views: 21,964
Rating: 4.9047618 out of 5
Keywords: DUO, Zero Trust, MFA, reverse proxy, Visibility, Context
Id: -Why_ZjJUhg
Length: 6min 45sec (405 seconds)
Published: Mon Jun 03 2019