In this provocative and sometimes irreverent presentation, retired Brigadier General Greg Touhill, the United States government's first federal Chief Information Security Officer, will discuss why the legacy perimeter defense model has been overwhelmed and made obsolete by the advent of modern mobility and cloud computing. He'll demonstrate how to make the business case that the shift to the Zero Trust security strategy is now essential for businesses to survive and thrive in today's highly contested global digital economy.
Why Zero Trust Yields Maximum Security
1. Why Zero Trust Yields Maximum Security
Questions about Zero Trust Every Executive Should Be Asking
2. Greg Touhill, CISSP, CISM
• President, Appgate Federal
• First Federal CISO of the US government
• Director, National Cybersecurity and Communications Integration Center
• Retired USAF Brigadier General
• Carnegie Mellon University, Heinz College faculty
• ISACA Board of Directors
• Splunk and Intel Federal Advisory Boards
3. What is the Zero Trust Security Model?
• Reinvents security for a hybrid, multi-cloud world
• Moves beyond outdated perimeter security model
• Eliminates “default trust” that leads to attacks from within the network
• Designed to address internal and external threats
• Makes security continuous and adaptive
4. Does it Work Everywhere I Need It?
Our data is everywhere
• On-premises, Hybrid Cloud, Co-located datacenters, SaaS platforms, etc.
I need a Zero Trust solution that works everywhere I am:
• Office/Mobile/Home
I need a Zero Trust solution that works on any device and operating system
• E.g. Windows, Linux, Unix, iOS, MacOS, Android, etc.
I need a Zero Trust solution that protects my IT, OT, ICS, and IoT
I need a single Zero Trust solution that simplifies my security
5. Why Zero Trust?
• IT Changed. Security Didn’t.
• The perimeter is dead
• Security built around networks, not users, is failing
• Inherent over-entitlement
• Broad attack surface
• Costs continue to soar
• Complexity impedes agility
• Attackers have the advantage
6. Do We Have a Zero Trust Mindset?
• Zero Trust is a strategy
• Our team understands why it is important
• It applies wherever our data resides
• It is embraced by the entire organization
• It enhances our business and its strategic & operational objectives
Frederick the Great: “He who defends everything defends nothing”
7. Where is Our Data?
• On-premises
• Private Cloud
• Hybrid Cloud
• Mobile Devices
• 3rd Party venues
• Operating Systems
• Windows/Linux/Unix/MacOS/iOS/Android
• ICS/IoT/OT
Your Data Lives Everywhere!
8. How is Data Access Controlled?
• Focus on the user, not the IP address
• Integrate with IDAM, RBAC, and directory services
• Strong authentication, authorization controls, & policy compliance
• Business and risk-context aware
Role and Group
Operating System
Location
Time of Day
Network
Device Posture
External Systems
9. How is This Better than What We Have?
• Live Entitlements replace dangerously vulnerable Static Rules
• Dynamic and context sensitive
• Extensible and scriptable
• Continuously monitored
10. How Does this Better Protect Us?
• Secure encrypted communication
• Connects user to only authorized resources
• Eliminates problem of lateral movement
• Access adjusted in real time as necessary
• Support for hybrid IT with multi-tunnel capability
11. Is it easy-to-use?
• Complexity is the bane of security
• ZT Solutions that add complexity add risk
Touhill’s Rule #12: Users learn in 5 mins, operators master in 5 days
• Don’t buy any ZT solution that doesn’t help you retire old technology
Touhill’s Rule #17: Buy one, retire three
• If it isn’t easy for the user and the operator, it does not get used, or used correctly
12. Do We Understand Our Data?
• Data is an asset of great value
• Understand your high value assets (aka Key Cyber Terrain)
• Define who owns and controls your data
• Define who should be granted access to your data
• Define the conditions that govern access to data
• Only make your data visible to those authorized to see it
Sun Tzu: “Know your enemy and know yourself and in a thousand battles you will not be defeated.”
13. What Performance Should I Expect?
Implementing Zero Trust should increase your effectiveness, efficiency, and security
• Reduced manpower
• Reduced training
• Reduced s/w & h/w costs
• High-speed network performance
o e.g. Cloud private access @ 8 Gbps
14. What Are the Costs and Benefits?
Zero Trust solutions should reduce your costs while improving performance
Be a smart consumer
• Check references
• Compare costs, schedule, performance, and security
• Test against use cases
Have a plan
• Start small, think big, and scale fast!
15. Can Zero Trust Grow With Us?
Your Zero Trust solution needs to be “extensible”
• Designed to allow the addition of new capabilities and functionality.
It needs to easily, quickly and economically scale as you grow
• Minimal use of hardware appliances
• Maximum use of software-defined capabilities
[Chart: Value over Time]
16. Is it Certified?
Government certifications require independent third-party testing and demonstrate capabilities, performance, supply chain risk controls, configuration management, and other controls
Products that are certified by rigorous standards and testing reduce your risk exposure
Ask about certifications from:
o Government testing
o International standards
• e.g. Common Criteria
o Major OEM organizations
[Badges: Continuous Diagnosis and Mitigation Program Approved Product; Common Criteria Certified, Only SDP Offering; Federal Information Processing Standard Certified Product, FIPS 140-2; Advanced Technology Partner, Security Competency]
17. Who Else Has Adopted Zero Trust?
Numerous public and private sector entities are on the Zero Trust journey
Size does not matter!
The Zero Trust security strategy applies to all organizations, in all sectors
18. Where do I Learn More?
Forrester Research
• Independent leader in Zero Trust research
• Authors “The Zero Trust Wave”
• Lead researcher: Dr. Chase Cunningham
• “Dr. Zero Trust”
Gartner
• Created their new “Secure Access Service Edge” (SASE) model that includes ZTNA
• “Magic Quadrant”
• Lead researcher: Neil MacDonald
Appgate (www.appgate.com)
[Badges: Broadest Feature Set, Software-Defined Perimeter; Gartner Peer Insights: 4.8 of 5 Stars; Leader, Zero-Trust Extended Ecosystems]