Understanding and Getting Started with ZERO TRUST

Captions
hey everyone in this video i want to talk about xero trust something that's very hard to have any discussion about this topic coming up so i want to really talk about what does this really mean and what might we need to do to help embrace this idea of xero trust as always this is useful a like and subscribe is appreciated and hit the bell icon to get notified of new updates i want to start off by saying xero trust is not a product i buy it's an architecture it's a strategy and yes there will be products that help me in that architecture that help me in that strategy but it's really unlikely i'm going to go and buy hey zero trust v 1.3 extra and i'm done it's really a whole way of shifting how we think about things now the best way to think about that shift is to think about where we came from and i'm going to use my own history with computers to help kind of put this into perspective now i started off in technology a long long nearly 30 years ago my first job was at logica as a vax vms systems administrator so i could think about the actors that were involved well there was obviously me so there was the idea that i as a person had a certain identity i had a certain log on on the system now to access those systems i had a certain client device this was a vt 220 and a 320 then a 420 then it became a windows machine but i would connect to a certain device now that device would connect to certain infrastructure so there were certain servers running and on those servers we had certain applications and those applications would use data now how did how did we get to these various things well that was a piece of wire we had a piece of wire that my endpoint was connected to that the infrastructure was connected to that the data was connected to sometimes that data may have been part of an actual set of maybe systems something locally but the whole point of this is it was this intranet there was this internal environment that essentially gave me an island i was completely 
isolated so i i sat inside this idea of an island i had this perimeter this walled garden that if i was inside the building maybe i had an access badge to get in the building if i was connected to that wire i was inherently trustworthy i was on there i was in that ward perimeter i was good to go now things changed though so in the beginning didn't connect to any other systems but over time i started to have connectivity to other things you started to think about hey we had mail services going back and forth i looked at news groups then we browsed the web and now if we think about it today as an organization we actually have this huge number of cloud services now they're made up of different things it might be software as a service solutions so a complete business set of functionality it might be something that i build maybe it's an infrastructure as a service like virtual machines in the cloud maybe it's a platform as a service i could be using kubernetes services in the cloud serverless technologies and various other things but nearly every company is now using these types of cloud services additionally as a person now most of us are not sitting in that corporate island anymore i expect to be able to work from anywhere i might be at home at a relative's house in a an uber in a plane a starbucks whatever that might be and in addition to i'm from anywhere i'm using a whole set of different endpoints i'm not using this very controlled endpoint the company provided us on that corporate network i may now be on my own personal machine i might be on a tablet on a phone whatever that might be so it could be could be a corporate device corporate laptop could be a personal pc a personal laptop a personal tablet a personal phone whatever that might be so there's an expectation now that i should be able to work from anywhere on anything so now we have this scenario so yes we may still have that corporate environment we probably do but more and more to actually perform as a 
business i'm using systems in the cloud my users are not in that island they're using different types of devices that i don't have absolute control over so we have this shift now of yes things in the internet but also a lot of things on the internet and when i start talking about xero trust what we're going to see is the focus is really around the idea that i'm going to design for the internet and then i'm going to enforce that on the internet and the intranet i'm not going to treat it any differently i cannot think of the network as the security perimeter anymore it's just not practical can i even in my office control the network well people bring their mobile phones they have data plans and again most of the things are actually not in my network perimeter anymore so we have to shift away from that so when i think about shifting away from that so let's really think for a second okay so what is zero trust now there's a whole set of different considerations around this but there's three key ones we're going to really focus on so we have the idea verify explicitly so what verify explicitly means is that for every single aspect we are constantly revalidating the identity could be a user it could be a service principle used by an application everything now this includes the devices as well no longer do i just accept and don't worry about the device in these worlds of iot i don't want junk data being fed into a system so yes i'm going to validate any identity of user security service principles but also is that really the end client is that really someone i should be talking to i'm going to constantly verify every access and make sure it's within any policy constraints that i'm going to define i'm going to be looking for anomalies and then understand well what is that anomaly what risk might that be introducing so i'm going to verify explicitly for every single session to every single resource i want to think about least privilege we think about reducing any kind of 
lateral movement i don't want any permission or access to exist that doesn't need to be there for whatever resource we're talking about requires to do its job i think micro segmentation i'm going to break networks down into very small chunks and only allow communications through that have to be there for things to work when i think about permissions for users for service principles i only have enough to do what they absolutely have to do and only when they need to do it so we think just enough administration we think just in time so they get it for a limited duration when they want to do something assume breach i remember before i heard this thing it's like there are companies that know they've been hacked and then those that don't know they've been hacked the assumption is assume you have been breached assume there are bad actors on the network if we go from that base understanding we assume there were bad things bad actors on our network that's why we're constantly going to verify explicitly we're constantly going to think about least privilege to reduce any attack surface that may exist and through everything we're going to do so with all of these things we are constantly going to verify verify the health verify the risk of a user of a device verify hey as much as we can locations validate the traffic constantly as every resource is accessed now if i think about all these different parts right here the user the device the infrastructure the network there are signals and by signals it could be metrics it could be logs we're going to use those constantly one of the things we're going to talk about again and again is making sure we gather those signals we gather those logs to assist them so that we get as much knowledge as possible as many of those signals and the more signals we get well then we can apply things like machine learning to gain insight into what's happening and then learn well when something happens that isn't normal when we see some anomalous 
behavior saying outside the normal pattern we can flag that so i want to get all of these signals and then be able to make decisions from those signals based on policies i'm going to define and enforce them now i want to bring up something right from the stocks it always comes up we talk about hey we're not trusting the network as a perimeter anymore we talk about users and devices not in our corporate network so it always comes up okay make everyone vpn make everyone vpn into the network so if we think about what with vpn remember it creates a tunnel so the vpn would create that encrypted tunnel to our network and then i'm trying to access some service that let's say it doesn't exist in our network let's say i'm going through that path so i'm here pinning through my corporate network now for one thing this adds latency and in today's world latency equates almost to broken so i'm going to add a whole chunk of latency going through this corporate network i'm doing a certain amount of encryption from this device to my network and the edge of that vpn device but then it's not encrypted for the rest of the flow and if i think about what are my key tenets of this i want to constantly verify explicitly i think least privilege assume breach and so really putting them on my corporate network doesn't do me really any big benefit i'm not gaining anything i'm adding complexity and complexity is typically the enemy of security the more complex i make something well it makes it harder to actually secure it so that's not a good thing and i'm not solving a problem because if i want to verify explicitly if i'm assuming breach well i still have to validate the end point validate the user i'm still going to have to do all of these things this has not really bought me any benefit it's just added a whole bunch of complexity i'm going to have to add clients on the endpoint i now have to maintain additional certificates i'm going to have to check and it really just goes against the 
point of zero trust that being said there will be times i might want to do a vpn now i'm going to talk about this later on the fans are kind of going on the way out just the reality of the situation but maybe i have some service that i can't make available via a proxy uh maybe i'm not hosting it in the cloud i can't host it via a vdi so sure there may be times i do a vpn but if i do a vpn it should be very explicit it should be a selective set of traffic from the client that only sends it to the vpn if the target is in that network i don't want to just by default grab everything and hair pin it and go from there historically vpn is actually one of the more popular ways to attack a network to break in and if you look at the recent cyber security trends it's one of the things that's actually going cold it's not saying that's really pushed anymore so this generally in a xero trust world doesn't bias very much i'm only going to use it if i explicitly have to use it to get something in my network it's not a default pattern i'll make the vpn in that gets me good trust it doesn't it doesn't really buy me anything so what does buy me things now like most things in technology patterns don't wildly change we have the same actors so i think about xero trust if i think about the actors we had before well they're the same actors so i can think about for a second okay the identity this is huge when i think of xero trust the identity becomes the front door it becomes a new boundary when i want to get access to a resource if i think verify explicitly the identity becomes one of the most critical actors in that now when i say identity this could be a user and remember a user could be an employee it could be a partner it could be a customer it could be a guest it could be an application we have service principles for applications to run at we have things like manage identity and azure now i'm not going to try and be super microsoft or azure specific in this but obviously i do focus 
on microsoft technology so when i demo something i'll i'll talk about microsoft technology but realize there are other ways to add technologies in to solve certain aspects of my xero trust now when i think about these identities a huge thing remember is just enough they only get the permissions to do what they need to do for any particular task and as i need it now what i don't want is a ton of different identities we had this idea of we used lots and lots of cloud services today and there may also be some things on premises when we first started using the cloud we had an identity on each one of them and that's a terrible thing if i have 20 30 different identities how do i secure those i want one identity i want a single identity that i can use for everything so when i focus on this i'm going to think about sso now you might say well that's terrible what is that one account is compromised realize if i give users 20 accounts do you actually trust your users to use 20 different passwords and identities for those 20 different accounts most will not most will pick a username and password and use it on the same set of accounts so if one was compromised they're all kind of compromised anyway by bringing them into a single account and making everyone trust that single identity well now i'm getting the signals from all of them i'm getting all those 20 apps they're all coming through one place so i can now focus that intelligence and learn the normal behavior and assess risk across the entire landscape and what it's going to let me do hey if they leave the company if i need to lock it down i now do it in one place now with azure ad there's thousands and thousands of enterprise apps just built in it makes it super easy i can create my own apps i can take apps from on-premises and use azure id through azure ad application proxy i can pre-authenticate against that even to apps that normally would not be able to use azure ad so this gives me the ability to get all those better 
signals in to help me make it more secure remember we're creatures of habit we generally work the same way we sign in at the same time we use the same machine so by getting all the signals in one place it makes it easier for me to detect those anomalies so i can learn what's normal i can also add strong risk based authentications so at minimum i'm going to think about multi-factor authentication now this could be i send a text message i get a phone call the better option is to use authenticator applications they're they're more secure maybe it's 502 keys there's different solutions to these and as soon as we introduced mfa into an organization phishing attacks go to almost zero it's been shown in the studies we kill those off now the next attack surface becomes social engineering so there's still user education there's still considerations but this one thing alone can really help defeat a whole bunch of types of attack now in an ideal world we can actually go passwordless again it could be the authenticator application different types of keys hello for business and let's also remember giving me a better end user experience they're not constantly being prompted for credentials and if they ever get prompted for a password it's going to seem really suspicious if i see some site wanting a password from me as a user i'm like that's not normal and it will flag things and make me think twice about giving them that password so again it helps protect me from lots of different types of attack i want to think about disable legacy authentication once again this is one of the biggest attacks surface people say like imap for example legacy authentication protocols are used in about 90 of these types of attack because someone just hammer it to try and find the credential and once they get it they can go and use it as other types of service so if we disable these endpoints if we disable that as a way in it helps give us really good protection from that now when i think about this 
identity then the next thing i really want to do is remember we talked about role-based access control what they can do and to what and i want to think about remember just enough and just in time i things like produce identity management i have to go and elevate up to get maybe a higher set of permissions as part of that elevation maybe it makes me do a strong authentication so definitely definitely we only get the permissions we want to do we make sure we have hey just in time just enough and i can hopefully use these all the way through not just for control plane but for data plane access i don't want to have to have access keys or these special types of separate signatures as much as possible i want to be able to use that identity for data plane access as well so i really think about this single identity that i can really learn all the behavior of so i'm going to be able to add machine learning and help identify risk when things are outside that normal behavior then the next part of this was the endpoint and we still have that so now i can add on endpoint now remember when we talk about endpoints there are many types of different endpoint corporate device personal device tablets phones pieces of equipment we may have iot devices there's a huge scope today now realize when i said that word equipment i mentioned that because it kind of takes me back to when i used to do tours of certain data centers and there were these huge multi-million dollar generators that were running xp still so we'll talk about getting to modern operating systems removing legacy things sometimes you can't sometimes it's not i can't upgrade the operating system on this multi-million dollar piece of equipment that generator sometimes we have to work around it that's when things like micro segmentation the network would come in i'll isolate off that generator so it can only talk to a few things that it has to in order to operate but by and large i'm going to mitigate the risk that's 
introduced by having that legacy operating system running so when i have all these different types of endpoints and equipment and once again i want to think about knowledge and confidence in that device so how can i get assurance that that device is safe that it's secure now many endpoints they have things like tpms trusted platform modules that have kind of anti-hammering uh capabilities that can be used as part of things like windows hello for business to do as part of the authentication process i think about device certificates that i use to validate and these are really useful as well because when i start talking about applications and that verify explicitly but if i have device certs i can now add things like mutual tls not only does i as the client validate who i'm talking to their certificate is valid that's really them they can validate i'm really who i say i am so once again think of the world of iot and all these sensors talking or if i get a bad actor they could feed in bad information that skews what i do so i want to make sure i'm really talking to someone that's really that person and now if there is something suspicious i can revoke the certificate and essentially cut off that device so i want to be able to use things like that if it's stolen i report it the search revoked it's gone now when i think about these end points remember there's home user devices tablets in addition to corporate so we start thinking about well i want them to register i get some basic knowledge about the device but then ideally i want to move on to some basic management so they become managed once they become managed i can apply maybe just some basic policies to help me check it's going to depend on the device is it patched that's one of the biggest things we can do to help protect systems make sure they're updated is the firmware up to date is it not jailbroken does it have a firewall running has it got up-to-date anti-malware definitions i can now require those things and 
then as part of that if all of those are true well i can mark it as compliant and this is like a huge thing that i want to be able to say about the devices that are connecting in yes i want to be able to validate the identity but i also want to be able to do checks about what's the health of the endpoint because remember if the endpoint gets compromised things can be lied about and as part of those tpms you'd also think about things like a secure and trusted boot hey secure boot from the uefi to the start of the os loading make sure there's no kits in the way of that everything is signed trusted boot takes over from there and then all the way through to me logging on again nothing's got in the way there's no bad actors getting as part of that complete chain so i know from the hardware through to the operating system that device has not been compromised that's an important thing and when i talk about this management there are different solutions there's microsoft endpoint manager intune for cloud-based machines um configuration manager for my on-premises machines there are other solutions uh defender for endpoint to get richer intelligence into hey look if there is some compromise this is the path that attack took so there's many different things i can do that and of course all of those can report into that management to come into my overall compliance state so this is a super important thing what else did we have we had a network now i talked about xero trust we don't trust the network but doesn't mean the network goes away it's still important we always think defense in depth just because something is not the answer anymore doesn't mean it's not part of the solution so network is still a very important component we're going to still have things that maybe live on some specific network so network is absolutely still something we care about it's just that we don't inherently trust something because it says it's on a certain network anymore that's the part that's 
gone away this could be a public network my network at home it could be a corporate network a key point here is it doesn't change my behavior again we designed for the internet we implement on the internet and the intranet every interaction is still validated and encrypted remember we're assuming breach we're assuming there's bad actors on our network we're not going to trust anything so i'm not equating intranet to trusted every flow on the network must be proven i want end to end encryption so from the end point to the resource it's talking to i want it encrypted which again is why the vpn is not that great the vpn encrypts from there to some endpoint of the vpn the vpn gateway but but then it's not so it doesn't solve the problem i still have to add encryption on top of that to be encrypted to whatever the end target is it doesn't solve that problem for me so i want that end-to-end encryption this could be tls it could be ipsec there are different solutions i'd be super concerned if you ever see say the super proprietary there are very good standards out there ideally things would be using those standards as soon as it's proprietary it's like maybe alarm bells ring a little bit but it's going to depend on the service now we likely still have that intranet it's probably not gone away we may have these certain systems that have to stay on premises or they've got some anchor like a mainframe so it can't move but once again i'm not just inherently trusting it we're probably going to have layers so what we're going to think about is we might have layers of different types of service or tiers we have really critical workloads and what i want to do is you have this idea of like micro segmentation not just internet dmz internet even within our intranet i'm going to divide things up and allow only the various network flows through that have to be there for it to do the job if that port that protocol is not required why let it be there someone might then go and use it for 
something bad so i want that ability to restrict the flow through different parts network for different types of devices to be only those that are required and that meet the policies i am going to lay out which might be different parts network it might be certain devices now when i think about my network initial entry point hey if it's public facing i think standard disputed denial of service protection i think hey azure front door for global balancing with web application firewall in front of it to give me protection from those common types those osp types of common attacks azure app gateway i'll let layer seven can have web application firewall on it as well again additional layers of protection stop people may be trying to do a sql injection attack things like that so that micro segmentation is going to depend on where you are in the solution you're using if it was azure for example hey things like network security groups and application security groups that let me apply a tag to a nic and use that tag on the nick to control what traffic can flow and not have to worry about exactly which ip subnet it's in i might think about things like azure firewall those next generation other times that layer seven i can even do tls inspection so it can sit in the middle of the flows and inspect even tls encrypted traffic of the full uri so it understands the fully qualified domain name and the path and then i can apply categorization and use rules to do i allow or block that i can have intrusion detection built into the azure firewall so i'm going to have those types of technologies but these micro segmentations are huge there are things like adaptive network hardening that will go and look at what are the normal flows again machine learning and then recommend hey we should change based on what we see as the normal things we're actually having one of the key parts you you assume breach our rule is we assume breach but if they can't get out is it a breach if we have the 
mechanisms in place to stop them actually getting out maybe we're in a stalemate we've drawn the game so that's a huge focus for what we want to do i want to collect now i use the word signals i like the word signals we talk about log so i want the network to give me abilities for this micro segmentation so that's why network is so important but i also want all the equipment to be able to send me signals i want to collect these signals because i want to collect them for everything i didn't write it on endpoint and identity but i'm collecting signals from them as well logging about what they're doing as part of that all up set of capabilities i want to be able to log and inspect the traffic now remember when we think end-to-end encryption it does get harder to inspect the traffic yes with azure firewall i can do that tls inspection because i sit in the middle of it but sometimes we can't and that's where you may have to start pushing some types of intelligence and monitoring to the end device because as soon as i encrypt end to end when i start to limit what on the network i can do to actually inspect the traffic regular network sniffing it's not going to show me very much and again if i was talking solutions things like azure sentinel azure central is going to be that solution that i can bring in those signals and apply that machine learning to start to detect when things are happening so so far all i've really talked about is this idea of okay identity endpoint network what do i do with all of that think about what we now know we know everything about the identity we understand normal behavior we can identify a certain amount of risk same for the end point we understand elements of the network where it is on the network so all of these things together what does this actually give me so what it gives me is context all of these bits of information feed in to give me context about what's happening which includes the risk is it outside normal behavior hey there's a 
certain enhanced risk, because ultimately what I want to do, I have those policies, I want to control based on the context, based on the risk, based on what I'm trying to get to. I'm going to control: I might allow it, I might want a stronger authentication, I might block it, I might impose limitations. So control could be, hey, stronger authentication; it could be session controls. Things like SharePoint, for example, enable me to specify, hey look, I'm going to let you access this, but you can't print, you can't download, but I can view things online. I might block, and there's other types of action I might take.

So how do I do all of this? Well, Conditional Access. Now I'm talking about this obviously in a Microsoft world; that's the solution in a Microsoft world for how I do all of these things. This is the mechanism I use if every single interaction has to be verified explicitly, and I'm using the identity, and it's least privilege. Well, Azure AD is that identity for the Microsoft cloud, and remember all those partner clouds, thousands of different apps trust it. Every single authorization, every time I try and get an access token to talk to something, it goes through that Conditional Access. Now that might be hourly with the regular short-lived access tokens; there's things like continuous access evaluation where it's a long-lived token, but now there's an understanding between the resource being accessed about, hey, here are the policies, here's locations allowed, I have the ability to revoke tokens if need be. So I get this massive amount of control.

So let's actually take a quick look just to give you some idea about this. So see, this is Azure Active Directory. Now I mentioned about enterprise applications, and there's literally thousands of applications built in. So I could search these applications, and you'll actually see straight away things that you might think about, well, these are competitors to Azure and Microsoft; well, they're right there. There's thousands and thousands of applications. If I search for the app, I'm probably going to find it within this gallery. I can build my own applications against it, I can add on-premises applications, I can use Azure AD App Proxy to publish applications from on-prem, pre-authenticate them with Azure AD. So I have all of these abilities to integrate Azure AD with pretty much all of the services I might want to use, both in the cloud and on-premises.

But what I want to focus on, if I jump back, I want to talk about Conditional Access. So go Security, Conditional Access. I'm just going to go ahead and create a new policy, but there were templates; you might have seen that there were templates to get me started. Now I can apply these to specific users, specific roles, I could apply them to service principals, workload identities. I can target all apps, I could target specific applications, so any application that trusts my Azure AD, again it could be through Azure AD App Proxy, a third party, I could create a specific policy for it. Then I have all of these different conditions. Notice user risk, sign-in risk. So the user's overall risk based on what we've observed, both real-time signals from sign-ins and maybe we found credentials leaked on the dark web; sign-in risk, hey, you're using an anonymous IP, a Tor browser, it's not a typical time and behavior we see of you. Target particular platforms. I can define locations based on public-facing IPs, based on different geographies. I could target particular client applications, hey, legacy auth, I could block those with this. I can even filter for devices. So if we think about layers and defense in depth, what I could have here is maybe I have secure access workstations, and what I could do, I could actually look for a certain property of the machine, maybe a tag on it that says, hey, you equal SAW, I'm just making this up, but I could check, hey, that attribute is set on the machine for this policy to be able to go and apply it to me. And I can add exclusions for all of these, and then I can grant controls. Now remember, hey, I could block access; that's obviously very severe. But I could grant, but when I grant, well, maybe I'm going to grant but I want a strong authentication, maybe the device has to be marked as compliant, so those health checks we talked before about the device, I want that. Maybe it has to be hybrid Azure AD joined, i.e. it's joined to AD and registered in Azure AD, so group policy is applying to it. Maybe it has to be an approved client application, I require app protection policies, maybe I want to change their password, I'm approving a certain terms of use. And I could require all of them or one of them; maybe it's a choice, maybe the device is marked as healthy and compliant, or they do an MFA, I can add choices in there. I can even add session controls. So this is the idea that maybe, you know, I am going to enforce some app restrictions, and notice it tells you the apps that can do this, things like SharePoint Online, Exchange Online, and give them a token that they can view but they can't download, they can't copy. I can have additional app controls, I might have continuous access evaluation. I have all these different things I can do as part of the token it's going to get that's going to give it the access. So all of those different signals I'm getting gives me that context, and I'm using Conditional Access to then go and actually enforce it. And you probably saw, as I was doing that, I can run it in a report-only mode initially. So when we get started, we're probably not gonna just be like, hey, okay, I'm gonna turn all these things on and don't know what impact it's gonna have; I'll run it in that report-only mode first, get confidence about what it's going to do, and then enforce. But this is my control; that's what's going to give me these capabilities. So this is huge, that idea right here: I'm taking all that knowledge, those health, all those considerations, to give me the context to help me create policies to do the control.

Now let's do other elements. Remember we had the infrastructure, so what I do when I
think about the infrastructure, so I think infra, and that has some similar considerations to the endpoint. Once again I think about that secure, trusted: if it's in Azure, for example, the generation v2 SKUs, they're based on UEFI, they have TPMs, I can turn on secure boot, I can turn on trusted boot. If it's on-premises, I want to try and use those capabilities, make sure I've got updated firmware on all of my devices. In the cloud I use Azure Policy to put guardrails around, to make sure things are deployed to my requirements, to my specifications; on an application like Kubernetes, disable privileged containers, for example. I want to think about limiting admins, and even when I do have administrative capabilities, it should be just in time, it should be just enough administration. So I use things like PIM, so I get the permission only when I need it. Now this just in time also applies to, think about accessing the machine. I can think, infrastructure, okay, well maybe I want to RDP to it or SSH to it or management ports to it. I don't want to leave them open all the time, even considering on that local intranet, because we don't trust the network anymore. So I can use things like just-in-time, so it only opens up RDP or opens up SSH, through integration with that micro-segmentation of the network; it's only gonna let my IP talk to it for two hours when I go and make that request. That's part of the Microsoft Defender for Cloud enhanced security. There's things like Azure Bastion for a managed jump box for things in Azure, even things on-premises now. So make sure you are updating your firmware, make sure you disable insecure default configurations that may apply, use that mutual authentication as much as you can, make sure it really is who they say they are for everything. And once again I want signals: I want to collect the logs from these systems into things like Azure Sentinel to get that overall view of everything that's happening, Microsoft Defender to help detect those attacks and the movement throughout those systems. So I have all of that running.

Now remember when I was doing this control, what is that control ultimately to? Well, ultimately what we really start to care about most likely is an app. If I'm accessing data, it's probably via an app, so all of this is about getting to my application. As we talked about, ideally I don't want to be relying on some VPN. Even if it is on-premises, is there a way that I can maybe use something like Azure AD App Proxy to make it available externally but pre-authenticating with Azure AD? Maybe it was a VDI-type environment, if again it has to be within a certain network; I really want to try and move to that. If it's a SaaS solution, look at what its capabilities are. As much as possible I want security policy at the service. So when I think about my applications, where I can, I want security policy at the service: it has its own native capability, it has an API to interact with it to say these are the controls I want, these are the behaviors I want to look for, this is an account I want to block or disable. Because remember, network access is not practical; as more and more of these move to the cloud, I can't use the network. So rather than trying to pull services into some network pocket, what can I do at the service? It's going to give me better and more granular controls; I have a greater fidelity of what I can actually do. Now what about if it doesn't have it? There are things like Microsoft Cloud App Security. Through Conditional Access I can say, hey, to use this you have to go through Cloud App Security, and what that will do is it will then gather intelligence about what's happening, and if need be it can then start to block continued access, because it will disable the ongoing access with whatever application that is if it detects strange behaviors. Hey, you're downloading 5,000 documents, that's a bit sus, you don't normally do that, I'm going to block you. So it gives me the ability, if the service doesn't have its own native solution there, then it's not as ideal, but maybe I can do some kind of proxy, VDI, to still give me control as part of that overall solution.

I want to find shadow IT. There's always a balance: you can be secure and out of business, I think Mark Minasi said that. You can put on so much security that you're locked down, but the business can't function; that's obviously unacceptable. If I'm so secure my business can't function, I'm going to go out of business; it was kind of pointless. The business will find a way to function. If you lock things down and make it so hard to use, most of them have credit cards, the business leaders; they care about functioning, they'll authorize, just go and buy the service, use your credit card, go and buy it, we'll sort this out later. That's terrible for me as an IT department, because now I've lost that control and all of this falls apart. So I need to be able to find that shadow IT if it's there. Again, things like Cloud App Security, Microsoft Cloud App Discovery can find those things. And what you have to do at that point, don't just block it; they'll find another way to, I mean, it doesn't work. You need to work with them, explain the why, find a mutually at least acceptable path to bring it into the control that enables them to do the job. You have to have that cooperation and partnership, or these things are just doomed to failure. But we need to find that and bring it into the fold.

Now all of this ultimately, if I look at this picture for a second: the user, the endpoint, the infra, the app, the network, and the data. What's the bit we actually care about the most as a company? The data. In a zero trust world that's the ultimate. Sure, the identity might be the new front door, but it's the data we have to think about; all roads lead to the data. I want protection on the data, I want my protection to follow the data. So sure, I have my apps, I have my infrastructure, but ultimately everything we're going to do is based around the data. So I want data-driven protection, and I need that data protection to travel
with the data. Now that might be things like Information Protection; it's going to depend on where the data is and the type, but I need that data protected. So okay, great, data is the most important part. Where is it? What's the data that matters? Do you know that? Some companies may; most will not. Most will not be able to say this is the data that really matters, this is the data with sensitive information on, this is where it is. We just don't know it. So the first critical thing we have to do is know the data I care about and protect it. So step one is discover: I have to find the data. So I then have to inventory it, and once I inventory, I have to think about classifying and labeling it accordingly. Hey, it's PII, hey, it's this sensitive project, whatever that might be. And most likely when I start to think about these things, again, it's machine learning. Machine learning comes up so much; if you think about the sheer scale and all the signals, it becomes impossible for a human being to just go and look at logs from 100 systems and go, yeah, I'm seeing something weird there. It's not going to happen. We have to leverage machine learning to start to learn and be able to find the patterns that we just cannot do. So I want to look at those strange behaviors as part of this. So once again a huge part is going to be those signals; signals are going to feed in to look for downloading a thousand documents, doing something strange, bulk download, bulk copies, whatever that might be. So I want to classify and label, so this is going to let me do things like protect. Now protection comes in different ways: yes, least privilege; it might be data masking, so I only see bits of data, like you hide the social security number apart from the last four digits; I want protection from things like data exfiltration, limiting combinations of system access so I can't take it from one and put it on something else; I think about encryption, and once again we think about at rest but also on the wire, maybe also in use. You think about things like confidential computing and Always Encrypted: it's actually encrypted at the client, for example, and even in the database it's encrypted, even a DBA can't get to it, it's always encrypted. There's now different types of SKUs of compute, but even in the memory it's encrypted. So it depends, the types of data I have and the sensitivity, how I'm actually going about protecting this. Now that classification may be users; you might have seen in Office, sometimes I can label a document. It's always risky trusting the user. Again, I want to use policies and have guidance on what patterns we look for, give tooltips saying, hey, this should probably be this, or just automatically set it to help protect the data. But for all of this, every single access to data should be validated. I don't care where it is, I'm validating that access to the data. Now if I'm having trouble even with these types of things, there's things like Azure Purview. Azure Purview is a solution that will go and find our data in the cloud, on-premises; it can give me a complete map of my data landscape, discover, classify, even give me the lineage, how this data is moving, and then I can think about applying those various encryptions on top of that. So it's really key to understand that for all of your data, once you've done this inventory, you have to really understand two things about it: so what is the criticality of that data, and what is the probability of some exposure. And once you understand the criticality and the probability, you kind of multiply those things together to understand where I should prioritize. If it's really critical data, it's got a high probability of being attacked or exposed, yeah, yeah, I'm going to start with that. So that's really important things to think about.

So that's the high-level thinking about zero trust. We're moving away from really caring about the fact that I'm on some island, so, oh, I'm good to go, to verify explicitly, least privilege, I'm assuming breach, end-to-end encryption, validate every single flow of every single resource access. A good rule is: design for the internet, implement on the internet and the intranet. Remove any insecure protocols, deliver over HTTPS if you can, over TLS. Have a fantastic process around identity; remember identity was the front door, so get really good processes in place for onboarding, for updating, someone changes roles, so as a principal changes its behavior, it only has the group memberships, the app access, the permissions it absolutely needs at that moment in time. Get really good identity processes in place for everything. Signals, signals, signals, signals, signals everywhere. With signals, get all of the signals into a solution, whatever it might be; in a Microsoft world it's Azure Sentinel. Get all the signals in, and then I can get machine learning to understand what those mean, understand anomalous behavior, understand things that are outside normal behavior. So now I can understand a certain risk and maybe modify my controls accordingly to mitigate that risk. That's zero trust. So you want that SIEM, that SOAR solution, yes, to highlight things to me, to bring my awareness, maybe automate responses; it might automatically block everything from certain IPs or disable an identity. So think about, yes, all of these signals coming in, but I really want them going to some kind of, again I'm not going to be specific, but I want some SIEM solution, some SOAR solution, to take those insights, because again these are all the signals that I have, go into here, and then this lets me action them automatically. So again, this is Azure Sentinel in the Microsoft world, but get something to get everything coming in. So now I'm not just, oh, something's happening; gathering data is fantastic, it's good for forensics, but just gathering it without being able to gain insight is pretty useless in an operational sense. So I need something to be able to examine all those signals and gain insight and draw conclusions from it, machine learning, and then maybe even automatically action where my degree of confidence is high enough. So that's zero trust. I kind of hope, I hope that was interesting. As always, a lot of work goes into these videos, so a subscribe or like would definitely be appreciated. But with all that said, be secure, be safe. Again: verify explicitly, least privilege, assume breach. Until next video, take care.
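The Conditional Access walkthrough above (targeting, risk and client-app conditions, a device filter for tagged secure access workstations, grant controls joined by AND or OR, and report-only rollout) can be made concrete offline. The following is an added example written for this page, not code from the video, from Azure AD or from Microsoft Graph: the policy dictionaries copy the shape of the Graph conditionalAccessPolicy resource, but the evaluator is a simplified hypothetical model, the app name "azure-management", the user names and the policy set are all constructed, and the device-filter parser handles only the one `-eq` rule form used here.

```python
"""Offline model of how Conditional Access combines policies for one sign-in.
Added example, not Microsoft code: the policy shape follows the Graph
conditionalAccessPolicy resource, the evaluator is a simplified hypothetical model."""
from dataclasses import dataclass, field

REPORT_ONLY = "enabledForReportingButNotEnforced"   # Graph state value for report-only mode


@dataclass
class SignIn:
    """A constructed sign-in carrying the signals the policies below look at."""
    user: str
    app: str
    client_app_type: str          # "browser", "mobileAppsAndDesktopClients", "exchangeActiveSync", "other"
    sign_in_risk: str = "none"    # "none", "low", "medium", "high"
    device: dict = field(default_factory=dict)   # device attributes seen by the device filter
    satisfied: frozenset = frozenset()           # grant controls this session has already met


def _device_filter_matches(flt: dict, device: dict) -> bool:
    """Hypothetical mini-parser for one rule form only: device.<attr> -eq "<value>"."""
    attr, _op, value = flt["rule"].split(" ", 2)
    hit = device.get(attr.split(".", 1)[1]) == value.strip('"')
    return hit if flt["mode"] == "include" else not hit


def policy_applies(policy: dict, s: SignIn) -> bool:
    """True when every configured assignment/condition of the policy matches the sign-in."""
    c = policy["conditions"]
    users, apps = c["users"], c["applications"]
    if "All" not in users["includeUsers"] and s.user not in users["includeUsers"]:
        return False
    if s.user in users.get("excludeUsers", []):      # exclusions win over inclusions
        return False
    if "All" not in apps["includeApplications"] and s.app not in apps["includeApplications"]:
        return False
    if "all" not in c["clientAppTypes"] and s.client_app_type not in c["clientAppTypes"]:
        return False
    if c.get("signInRiskLevels") and s.sign_in_risk not in c["signInRiskLevels"]:
        return False
    flt = c.get("devices", {}).get("deviceFilter")
    return not flt or _device_filter_matches(flt, s.device)


def evaluate(policies: list, s: SignIn) -> dict:
    """A block from any enforced policy wins; otherwise each enforced policy's grant
    controls must be met (AND: all of them, OR: any one). Report-only policies are
    recorded but never enforced, which is what makes a staged rollout observable."""
    missing, report_only, blocked_by = set(), [], None
    for p in policies:
        if not policy_applies(p, s):
            continue
        if p["state"] == REPORT_ONLY:
            report_only.append(p["displayName"])
            continue
        if p["state"] != "enabled":
            continue
        g = p["grantControls"]
        controls = set(g["builtInControls"])
        if "block" in controls:
            blocked_by = blocked_by or p["displayName"]
            continue
        met = controls <= s.satisfied if g["operator"] == "AND" else bool(controls & s.satisfied)
        if not met:
            missing |= controls
    if blocked_by:
        return {"decision": "block", "by": blocked_by, "missing": [], "reportOnly": report_only}
    return {"decision": "grant" if not missing else "challenge",
            "missing": sorted(missing), "reportOnly": report_only}


def _policy(name, state, grant_op, grant, **conditions):
    """Small builder so the constructed policy set stays readable; defaults to all users/apps."""
    base = {"users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"]}
    base.update(conditions)
    return {"displayName": name, "state": state, "conditions": base,
            "grantControls": {"operator": grant_op, "builtInControls": grant}}


# Constructed policy set mirroring the controls discussed in the video.
POLICIES = [
    # Legacy auth cannot satisfy MFA, so the only safe control for it is block.
    _policy("Block legacy authentication", "enabled", "OR", ["block"],
            clientAppTypes=["exchangeActiveSync", "other"]),
    # Baseline: MFA *or* a compliant device satisfies; a break-glass account is excluded.
    _policy("Require MFA or compliant device", "enabled", "OR", ["mfa", "compliantDevice"],
            users={"includeUsers": ["All"], "excludeUsers": ["breakglass@contoso.example"]}),
    # Identity Protection signal: high sign-in risk is blocked outright.
    _policy("Block high sign-in risk", "enabled", "OR", ["block"], signInRiskLevels=["high"]),
    # Device filter targets tagged secure access workstations for a hypothetical
    # "azure-management" app; stricter AND controls, rolled out in report-only mode first.
    _policy("SAW: MFA and compliant device for Azure management", REPORT_ONLY, "AND",
            ["mfa", "compliantDevice"],
            applications={"includeApplications": ["azure-management"]},
            devices={"deviceFilter": {"mode": "include",
                                      "rule": 'device.extensionAttribute1 -eq "SAW"'}}),
]
```

Running `evaluate(POLICIES, SignIn("alice@contoso.example", "sharepoint", "browser"))` returns a `challenge` listing both OR controls as acceptable, the same sign-in with `satisfied=frozenset({"compliantDevice"})` is granted without MFA, an `"other"` client app or `sign_in_risk="high"` is blocked regardless of what was satisfied, and a SAW-tagged device reaching `azure-management` with only MFA is still granted while the report-only policy shows up in `reportOnly`, which is exactly the signal to read before flipping that policy to enabled.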
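The "signals in, insight out, automate only where confidence is high" pipeline described for the data and SIEM sections (the 5,000-document bulk download that "that's a bit sus") is shown below as an added example written for this page; it is not code from the video, from Azure Sentinel, Defender or Cloud App Security. The audit log is constructed with a hypothetical schema (ts, user, op, item), the user names are made up, and the "learning" is a plain per-user statistical baseline rather than the machine learning the video refers to; the shape of the pipeline and the confidence gate on automation are the point.

```python
"""Signals -> insight -> action, with automation gated on confidence.
Added example, not Microsoft code; audit log below is constructed."""
import random
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

ALICE, BOB = "alice@contoso.example", "bob@contoso.example"   # hypothetical users


def synth_log():
    """Constructed sample: 24 hours of normal downloads for two users, then a
    bulk download by ALICE in hour 24. Fixed seed so the example is reproducible."""
    rng = random.Random(7)
    t0 = datetime(2022, 3, 1, tzinfo=timezone.utc)
    events = []
    for hour in range(24):
        for user, rate in ((ALICE, 3), (BOB, 2)):
            for i in range(rng.randint(rate - 1, rate + 1)):
                events.append({"ts": t0 + timedelta(hours=hour, minutes=rng.randint(0, 59)),
                               "user": user, "op": "FileDownloaded", "item": f"doc{i}.docx"})
    for i in range(1200):   # 1200 documents in ten minutes: the "that's a bit sus" case
        events.append({"ts": t0 + timedelta(hours=24, seconds=i // 2),
                       "user": ALICE, "op": "FileDownloaded", "item": f"project/{i}.docx"})
    return events


def hourly_counts(events):
    """Signal aggregation: downloads per user per clock hour."""
    counts = defaultdict(Counter)
    for e in events:
        if e["op"] == "FileDownloaded":
            counts[e["user"]][e["ts"].replace(minute=0, second=0, microsecond=0)] += 1
    return counts


def score_latest(counts, min_history=6):
    """Insight: compare each user's most recent hour against that user's own history.
    Users without enough baseline hours are skipped rather than guessed at."""
    findings = []
    for user, buckets in counts.items():
        hours = sorted(buckets)
        latest, history = hours[-1], [buckets[h] for h in hours[:-1]]
        if len(history) < min_history:
            continue
        mu = mean(history)
        sigma = max(pstdev(history), 1.0)   # floor sigma so a flat baseline cannot explode z
        z = (buckets[latest] - mu) / sigma
        findings.append({"user": user, "hour": latest.isoformat(), "downloads": buckets[latest],
                         "baseline": round(mu, 1), "z": round(z, 1)})
    return findings


def decide(finding, auto_disable_z=20.0, auto_disable_min=500, alert_z=5.0):
    """Action: automate only where confidence is high, meaning a huge deviation from the
    user's own baseline AND an absolute volume that cannot be a small-number artefact.
    Anything weaker is raised to an analyst instead of acted on."""
    if finding["z"] >= auto_disable_z and finding["downloads"] >= auto_disable_min:
        return "disable_user"
    if finding["z"] >= alert_z:
        return "alert"
    return "none"


def run(events=None):
    """Whole pipeline; returns {user: (finding, action)} so the result can be checked."""
    findings = score_latest(hourly_counts(events if events is not None else synth_log()))
    return {f["user"]: (f, decide(f)) for f in findings}


if __name__ == "__main__":
    for user, (finding, action) in run().items():
        print(user, finding["downloads"], "vs baseline", finding["baseline"], "z =", finding["z"], "->", action)
```

On the constructed log `run()` returns `disable_user` for the bulk-download hour and `none` for the normal user. The two-part gate in `decide` is the design choice worth copying into a real playbook: a large z-score alone is not enough to automate, because a user whose baseline is two downloads an hour can produce a large z with a perfectly legitimate forty, so the automated response also demands an absolute volume, and everything below that bar is an alert for a human.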
Info
Channel: John Savill's Technical Training
Views: 130,927
Keywords: azure, azure cloud, microsoft azure, microsoft, cloud
Id: hhS8VdGnfOU
Length: 57min 10sec (3430 seconds)
Published: Tue Mar 01 2022