Transcripts
1. Introduction: Hi, hello everyone. My name is Taimur Ijlal and I'm the creator of this course, which is the Zero Trust Masterclass: how to implement a Zero Trust architecture using NIST Special Publication 800-207. Now, this is a topic which I'm very passionate about. The Zero Trust security philosophy is a set of principles which, if you apply them and take them together, can bring about a very huge change in how your company approaches security and how they implement security. And the results can be very, very beneficial, both for security teams and for businesses. But the problem with Zero Trust is that it's very broad in scope and it can become very overwhelming. So that is why I made this course. So my promise is, whether you're a small startup or maybe a Fortune 500, this course was specially created to help you implement Zero Trust. And it's based on my own understanding and years-long experience of implementing this particular security model. I know how Zero Trust works and how to practically implement it. That is the whole point of making this course: to share this knowledge with you, to help you in your Zero Trust journey.

Also, about me: my name is Taimur Ijlal. I have over 20 years of experience in technology risk. I'm also an author, a blogger, and an instructor. I'm also a cybersecurity career coach. I have a YouTube channel called The Cloud Security Guy, where I talk about things like cloud security, AI in general, and career advice. Okay. So currently I'm based out of London. And basically, throughout my career, my journey, I've won multiple awards within the industry, like CISO of the Year, Best Security Team, those sorts of awards and industry recognition. But in the last couple of years I've focused more on teaching and writing and giving back to the community as much as I can. I've published two books. One is on artificial intelligence governance in cybersecurity, the other one is on cloud security, how to make your career. Both of them are available on Amazon. So this is just to show you what I've done, so you can judge whether you should listen to me or not, whether I do have those credentials or not.

So now, when I talk about Zero Trust, which is the topic of our course. Now the thing is, enterprise security is hard, right? This is because IT and application infrastructures are very, very complex. They can be very broad and users are accessing them very fast. And of course, attackers are always trying to get inside the environment, and most enterprise networks are very, very open by the way they are implemented. If you've heard the concept of least privilege, which is to give access only to those people who need it, most companies, I would say the vast majority of companies, apply this principle. They do apply it when it comes to applications. They apply it when it comes to databases, servers, whatever. But when it comes to the architecture, when it comes to the design of their networks, they do not apply it. And what happens is they leave them incredibly open to attacks. And this is true for both internal networks and for public-facing networks, right? You have VPNs which are completely exposed to every person on the internet. And you would never design a system like that. But the way traditional security and networking has worked, this model has continued.

So this is where Zero Trust comes in, which is the subject of this course. And it brings a modern approach to security. And this enforces the principle of least privilege for networks and applications, and we'll talk about how this is done. Unauthorized users, if you implement Zero Trust, will have no access to any enterprise resource, and authorized users will only have the minimum access necessary. And if you implement Zero Trust properly, you'll have a safer, more secure, and more resilient network, with improvements in efficiency and effectiveness, because what you're doing is you're automatically enforcing dynamic policies, and we'll talk about those. Okay? So this is the background I wanted to give.

It is a very important and highly visible trend, Zero Trust, within the information security industry. And I think it has become something of a marketing buzzword. So many vendors are using it to market their applications, but it is a very valid standard. It's not a product, it's a philosophy and an approach and a set of guiding principles. And we'll talk about this. And that means there are many, many ways to interpret Zero Trust, because every enterprise is different, right? But there are some very fundamental and universal principles that every Zero Trust architecture must follow. So that's the whole point of this course: I'm going to give you these guidelines and recommendations for Zero Trust based on my experience working with many, many companies of different sizes and maturities throughout their journey. And very, very important, guys, this is a journey. This is not a one-time thing that you do and forget about, but an ongoing and evolving initiative. That's why I made this course, to give you these recommendations and be a guide to you along this journey.

So let's look at what the definition of Zero Trust usually is. It's a security framework requiring all users, whether inside or outside the network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. Now, if you read this definition and this is your reaction, I don't blame you. You might be thinking, what's the big deal? This is the same thing I've heard a million times before. This is something I'm probably already doing. So you might be thinking, okay, what's new? I already do this. But this is where the other part of Zero Trust comes in, which is: Zero Trust assumes there is no traditional network edge. Networks can be local, in the cloud, or a combination, hybrid, with resources anywhere as well as workers in any location. Okay, so this is where Zero Trust differs a bit from your traditional model. It assumes everything is potentially malicious in nature. This is where the whole differentiation comes in, how a Zero Trust model differs from other security models and from the traditional network perimeter model.

So, what Zero Trust is not: it's not a product, as I've said before, but it does provide guidance for companies on how to continuously mitigate threats and how to use new and already existing solutions to protect themselves. Your company might have a very strong security baseline. You might only need minor refinements for a successful deployment of Zero Trust, or you might not have anything and you need to build these elements from the ground up, okay, to implement this model. So it doesn't matter where the starting point is. Just to be very clear, Zero Trust usually takes time. It might be a multi-year, multi-stakeholder project which requires a lot of investment of time and money. But the benefits really do come and you really see it. If something happens, some compromise happens, you can see the Zero Trust model kick in and stop that compromise from moving any further.

But while I was talking about these things, the background: if you look at 2020, we had a world-changing event which you are already aware of. And what happened was every company was compelled to go remote, implement VPNs, implement bring your own device. And you can really see the importance of Zero Trust coming in, because employees were going remote and VPNs were getting breached. More and more VPNs were getting breached or overwhelmed. And digital transformations were happening; every other company was jumping on the digital transformation, going to the cloud. So implementing Zero Trust became a mandate: to verify and secure everything which is connecting, the health of the device, the security health of the device, enforce least privilege, and capture and analyze all the logs to understand the environment, right? And governments and businesses worldwide recognized the importance of Zero Trust because of this event, and they accelerated the adoption of a Zero Trust strategy. That's the whole point. I myself have read and done a lot of research and I've helped a lot of people with so many deployments, and seen the threat landscape. So that's the reason for this course, to show you why the need for Zero Trust is there, okay?

So this is where the differentiator comes into Zero Trust, which I call the concepts. There are certain concepts of Zero Trust. Now, you might be reading something on Zero Trust which might be slightly different from this. But remember, Zero Trust, these principles, they evolve and they change. But in a general sense, they will always be like this; only the exact list might diverge or change. Instead of five, there might be three or four. But these are the universal principles. The network is always assumed to be hostile, okay, there is no trusted thing there. External and internal threats exist on a network at all times. Okay? So just because you are on the network, it is not enough for you to be trusted. Every device, user and network flow is authenticated and authorized. The policies must be dynamic and calculated on the fly from as many sources of data as possible. So you might be thinking, yeah, all this looks really nice. How do you actually implement it? So this is what I'm going to be talking about in detail in the course. But remember, in a nutshell, Zero Trust is a set of evolving principles, and slowly it moves the environment away from a static, network-based perimeter to focus on users and assets. And it assumes there is no implicit trust, okay, just because of where you are, whether you're on the network or off the network, and you do authorization based on multiple things, multiple policies, multiple threat intel sources, right? So like I said, it is a response to a lot of trends which happened, like remote users, bring your own device, cloud-based assets which are not within your control, right? So this is what Zero Trust helps with. The network location is no longer seen as a basis for trust. And remember, it's not a single architecture, it's not a single product. It is these principles which will help you improve. And transitioning to Zero Trust is a multi-year journey which will really help you. You can't just replace your technology and say, okay, I've implemented a product that says Zero Trust, now I have Zero Trust. No, it doesn't work like that. This is why many organizations fail in their Zero Trust strategy or they don't get the full benefits. So if you're a company, and I'll talk about this later when we talk about practically implementing Zero Trust, you should seek to slowly, slowly implement Zero Trust principles, process changes, and technology solutions that protect your data, right? And we will look at multiple use cases. Most companies nowadays are operating in a hybrid, perimeter-based model, and they're continuing to invest in IT. So Zero Trust can really, really help you out here.

So that is the whole point of this course, guys. And what are the problems? What are the challenges I have seen myself and I've seen other people also encountering when it comes to Zero Trust? First of all, the material is too vague. They tell you Zero Trust is amazing, Zero Trust is that, but how do you actually implement it? There is no practical advice, or even worse: Zero Trust is amazing, please give us X million dollars and implement a product and you will have Zero Trust. No, it doesn't work like that. No single solution can magically implement Zero Trust. So that is a challenge that I have seen across the board: the material is too vague, or what you call the practical advice on how to implement it is too focused on products. That is the whole point of this course, to give you practical advice on how to implement Zero Trust based on my own experiences and my own implementation advice.

So what will this course cover? I hope you understand now why you should learn Zero Trust. And I'm going to teach you Zero Trust from scratch. And I'm going to explain to you how it works, how the model works, what the principles are. And we'll go into detail and I'll give you a deep dive into these concepts. And I'll give you a roadmap for implementation also. And like I said, practical advice. So we're going to look at a few case studies. I'm not just going to say, yeah, this is Zero Trust, please go implement it. We'll look at a few companies, one which I'll do myself and one which I'll ask you to do, and you can share your results, okay?

So who is this course for? Well, like I said, Zero Trust is the future. It's going to become more and more important as time goes on. And as a security professional, as a CISO, you have a responsibility to push and pull your company towards adopting this new approach, which will greatly help your company in its resiliency and will help you to grow. Also, you might be a risk professional, an IT professional, an IT auditor. Zero Trust is the future. The more you understand it, the better you are geared towards auditing and implementing this model, which will help you in your current position also, and it will definitely help you in your future position as the industry evolves, as the industry moves towards this. So all of this will be beneficial to you. And knowledge not applied is lost. So that's why it's so important always to have some sort of a project. So this is what I've done. There is a class project here. And what is the class project? You're going to have a case study. I want you to go to the case study in this course and create a Zero Trust architecture based on the standard. We'll talk about this, of course, how to do it, how to go about it, and what the key features are.

I hope you understood now, guys, what the whole point of this course is. I hope it gives you a good idea of what this course is about, why you should learn Zero Trust and what the key benefits of it are. Like I said, the whole point of this course is to give you practical advice. I'm very happy you're going on this journey with me. So let's get started and I'll see you in the next lesson. Thank you for choosing this course. And I hope it is beneficial to you. If you have any feedback, please go right ahead and share it with me. Thank you very much and I'll see you in the next lesson.
2. The Need for Zero Trust: Hi friends. Welcome to this lesson. In this lesson I'm going to do a little bit of a deep dive into the need for Zero Trust. Now, we have talked about this before in a previous lesson, why Zero Trust is needed, but I really wanted to do a more detailed analysis of why we need Zero Trust. Now the thing is, the threat landscape is continuously changing, right? New attacks are coming out. More and more sophisticated threats are coming out. And basically, simply put, your traditional perimeter-based security model is no longer sufficient to protect against these advanced types of attacks, right? And basically the controls you've put in are no longer able to defend, because the enterprise architecture is changing and the perimeter simply does not exist like it used to before.

So let's take a look at what we're talking about here, right? So when we talk about Zero Trust, it's an attempt to address some of the weaknesses of what we call the more traditional security architecture. So let's describe the traditional security architecture first, the older form, the good old days, you know, like old people talk about the good old days. So in a traditional security architecture, broadly speaking, you have a hard perimeter defined by firewalls. Maybe you have a VPN for remote access. You might have centralized authentication like single sign-on, Azure Active Directory, some other products. But basically that identifies the user and it grants you access, right? So this is how it usually looks. I mean, of course it won't be so basic, because I've made this diagram deliberately broad. You will, of course, have subnets within these environments, and you will have more firewalls within the network. But generally speaking, once an authenticated user is inside the security perimeter, they have very few controls placed on them, because they are in what you call a trusted zone. So now they may access file servers. They may connect to other nodes within the network. They use services and so on. And like I said, enterprises are not stupid. There are security people there. And they have been aware of the shortcomings of this approach for quite some time, right? So there will be perimeters within the network, perimeters within perimeters. And you will probably re-authenticate for what you call your most sensitive servers, which you put within a more private subnet. And you might have multi-factor authentication. But overall, the general rule is, it's hard on the outside and soft on the inside, and that has remained pretty much the norm for the past 20 years or so, I would say. It's usually described as a walled garden. So the wall is supposed to keep the bad people out, but inside you are free to do whatever you want.

However we might picture this, there are several downsides, as you can imagine, right? The main downside is: what if an attacker can get through the perimeter? Usually they have pretty much unrestricted access to explore, right? I'm not saying they will become the admin, but they can do lateral movement. They can attack machines inside the perimeter. And they can of course attempt to elevate their privileges without that much chance of being detected. And usually there's little attention paid to the behavior of an individual authenticated identity. A user is authenticated; they may do things that are pretty much out of character and they might not get detected. You have products coming in, behavioral products which are there, but generally there is an overall lack of granular access control. It allows users, whether malicious or not, to access data and services they don't have a need to. Especially when you move to the cloud and hybrid, maybe BYOD or remote working, partners, all these things come up.

So this is what I wanted to talk about. As things got more and more complex, a typical enterprise's infrastructure has become more and more complex, unfortunately. Nowadays, because of all the trends which are coming out, in a single enterprise you might have multiple networks, multiple branches. You might have bought companies which have their own networks. You might have remote offices. You might have remote or mobile individuals. You might have cloud services, infrastructure as a service, software as a service. This complexity has outstripped the legacy method of perimeter-based network security, because there is no single or easily identifiable perimeter for the enterprise. Perimeter-based network security is also insufficient because once the attacker breaches the perimeter, like I said, your lateral movement is pretty much unstopped. You can pretty much move around and try to find things. And if you're a good hacker, you won't set off any security alarms, okay? Of course.

So this is how the landscape looks today: you have your internal network and you will have remote users, cloud services, hybrid infrastructure services, BYOD, basically increased remote work. Let's take a look at these trends. You have more and more remote work, with the growing trend of remote, distributed teams. You need a security model that can adapt to different environments, right, and that can protect data regardless of the user's location. And of course you have cloud adoption. Companies are increasingly adopting more and more cloud and the traditional perimeter goes away. So Zero Trust will provide a framework to protect data and applications in the cloud regardless of your location. BYOD: many organizations are allowing employees to bring their own personal devices for work. And of course, that brings additional security risks. Zero Trust will help to mitigate this risk by enforcing security policies and access control based on the user's device and context. And of course, insider threats: not all threats come from outside. Insider threats can pose a significant risk, and Zero Trust helps to minimize this risk by applying least privilege access onto the network, onto the architecture itself. Users only have access to the resources they need within the network itself. Usually least privilege is done on the database level or the application level or the server level, but not within the network architecture itself. And a lot of regulatory requirements are also coming out. They say you need to have this type of model. And we'll talk about this more in the next lesson. And of course, better visibility and control: within this network it becomes very difficult to have that visibility. Zero Trust provides you that visibility into the user behavior and the overall posture. And this allows you to detect and respond to security threats more effectively. Okay? So this is what I wanted to talk about. Zero Trust will be the framework for securing your infrastructure and data for today's modern digital transformations, right? All these challenges which are coming out, you have to secure remote workers, hybrid cloud, ransomware and God knows what, all of these things. Zero Trust can help you mitigate it. Okay.

Why the perimeter is just not enough: you might be saying, no, no, I have multiple subnets and everything, right? And even though the perimeter model is still very good, I'm not saying it's gone. It is the most popular model by far. But the way we rely on it is flawed, right? Complex attacks still break into networks, and they happen every day, right? An attacker can social engineer a person within the network and get remote access and start moving laterally. And the perimeter firewalls are good, but they will not stop these things. And even if you have a firewall, there are always exceptions, right? You have firewall exceptions. These exceptions are tightly controlled, but your web developer might want SSH access, read-only access, to production. Or maybe your business users might need access to the database to run some queries, right? Your machine-learning data scientists might need access. And what happens? You configure these firewall exceptions, permitting traffic from that individual IP address to the particular server, right? What happens? The more exceptions are created, the more pathways are created, right? These are very static exceptions, like source and destination, allow this IP, right? So what happens if you are an attacker and you want to try to compromise this environment? You might try to attack the application layer directly, right? And once you're there, because of those open firewall ports, you will have a direct pathway. Or you might be smarter. You might simply try to social engineer the people who have access, like the database admin: give them a malicious link, send them phishing emails. And one of them might be gullible enough to click on the link, allowing the attacker to install malware. Malware will then provide the attacker with a session on the now compromised employee's machine. Now, you might say, no, no, no, the access is very restricted. Okay, so the access is restricted. But he might be able to laterally move within that production server until he sees somebody he can compromise, right? So when you carefully examine it, guys, you see that it's very obvious that this network perimeter model is not enough. Bypassing it is very easy with malware and zero-day attacks, and the firewalls that you have between the subnets or the zones consider nothing more than maybe the source and destination when making these decisions. And while perimeters still provide you value in network security, you cannot rely on them as the main control by which you look at your network security standards.

So the first question will be, what do you do now? Because all these problems come from the trust which users are given. So this is where Zero Trust comes in, and it helps to stop this sort of attack, this sort of lateral movement, by implementing several key principles and controls. And we'll talk about most of it. One is least privilege. Within the network, users will only have the minimum level of access. So even if an attacker was able to compromise something, it will really limit their ability to move laterally, because getting access to one account or device does not automatically grant access to other sensitive resources. And we'll talk about it more, but there is something called micro-segmentation. In a Zero Trust architecture, networks are divided into smaller and smaller segments, each with its own set of access controls and security policy. This segmentation makes it very difficult for an attacker to move laterally within the network, as they must bypass multiple security barriers, right? And you have context-aware controls. Zero Trust will take into account a lot of context: where the user is coming from, what their role is, what the destination is and all that, right? So this is what I wanted to talk to you guys about.

So what are the key takeaways of this lesson? The traditional network perimeter is not enough. Modern trends are changing how users are accessing networks. And attackers can easily compromise the perimeter and move laterally, move internally to other networks, right? And this is where Zero Trust comes in. In the next lesson, we'll talk about Zero Trust and its history. The Zero Trust model is evolving. It hasn't come in a vacuum, right? It hasn't suddenly appeared out of nowhere. There has been an evolution and a gradually increasing importance of this model. This is what we'll talk about. I hope you appreciate now why Zero Trust is so important. So let's move on to the next lesson. Thank you.
3. Zero Trust - A brief history: Hi everyone, welcome to this lesson. Now, in the previous lesson we talked about the need for Zero Trust, right? Why you need it and why it's so important. Now, in this one, before we deep dive into Zero Trust and how it works, I want to give you a brief overview of the history and evolution of Zero Trust, how this concept has evolved across the industry, and some of the key events and the major players that have boosted it. That way you will really appreciate how much this model has evolved and how much importance it has now gotten, right? So one thing I want to be very clear about: Zero Trust is not an entirely new concept, but it has become more and more important in recent years, right? And the term Zero Trust was first coined by John Kindervag, I hope I said that name right, a Forrester Research analyst, in 2010, right? But the core principles of Zero Trust, such as least privilege and network segmentation, which we talked about, can be traced back to earlier security best practices, right? Even outside of security, the core principles and concepts of Zero Trust have long been applied in military and defense organizations. You know, how to segment, how to authenticate, continuously monitor. However, what has happened in recent years, the widespread adoption of cloud computing, increasing remote work, and the growing sophistication of cyber attacks, has highlighted the limitations of the traditional model. We talked about the perimeter model, right? And these developments have made Zero Trust more relevant and necessary in today's complex IT environments, right? IT environments are becoming more and more complex. So you need a model which can really adapt to the changes. As a result, the Zero Trust concept has evolved over the past decade. Newer technologies have come out and methodologies have been developed to help organizations implement Zero Trust architecture. And while the fundamental principles have remained the same, the implementation and understanding of Zero Trust have matured. It has become more and more comprehensive, more and more so, which is pretty awesome, honestly. It's not a static standard or static model. It keeps evolving and keeps becoming more and more refined over time, right?

So when you talk about the history of Zero Trust: 2010, we talked about the Forrester analyst John Kindervag, when he introduced the term Zero Trust in a very influential paper, "No More Chewy Centers: Introducing the Zero Trust Model of Information Security", right? This paper captured ideas that had been discussed in the industry for many years, right? And this document is a Forrester document. It described a shift away from a hard perimeter and towards an approach that required understanding and respecting the elements within the network before they could get something like a level of trust and access. So over time this model has evolved, but we can trace it back to 2010. Honestly speaking, it's been so long, which is pretty amazing. It's been almost 13 years, more than a decade now. But this is pretty much where, you can say, the story started and the conversation around Zero Trust. So this was the pioneering thing which really started the whole thing. It's still an amazing paper.

And around that time, of course, Google also began their internal BeyondCorp initiative. I link it here also. It implemented its own version of Zero Trust. And it put in place foundational Zero Trust elements that effectively removed the enterprise network boundary, and Google very, very strongly influenced the industry. They released a series of articles documenting the whole groundbreaking internal implementation, right? BeyondCorp's primary goal was to enable secure access to Google's resources and applications without relying on those traditional VPNs or network segmentation. Instead, it focused, like we talked about earlier, on verifying the user's identity, the device security posture, and the context of access before granting any access within a network. It inspired many, many companies to adopt a similar Zero Trust model. The security and some of the underlying technologies developed for BeyondCorp have been made available as part of Google's cloud-based security offerings, in the cloud: Google Workspace, Google Cloud Platform, all of these things. So this was another major milestone.

Another major thing which happened is a NIST initiative, which is the National Institute of Standards and Technology. They released a special publication in 2020, right, the Zero Trust Architecture. It was a special publication released by them in, I guess, 2020. And this document basically provides guidelines and best practices for designing and implementing Zero Trust architectures. This is what I'm going to be using as the basis. I really want you to understand the National Institute of Standards and Technology Zero Trust architecture publication. Because, first of all, it's a free-of-charge document and it's absolutely amazing. It really deep dives into what you have to do. And it aims to help companies better understand the principles of Zero Trust, what the key components are, and how to apply them to enhance your cybersecurity posture. And some of the main areas which are covered, and we'll go into more detail: Zero Trust principles and concepts. The document explains the fundamentals of Zero Trust, such as least privilege, network segmentation, continuous monitoring. The Zero Trust architecture components: the publication provides an overview of the core components that make up a Zero Trust architecture, such as policy engines, policy administrators, and data sources. Threat models and scenarios: it discusses various threat models and scenarios that can be addressed by implementing a Zero Trust architecture. And also it goes into detail about the deployment models. So the document presents the different types of deployments. Like I said, Zero Trust is not one-size-fits-all. Every company is different, right? Every company might have a different model and it goes into detail about how to implement Zero Trust in different types of architectures. You might have a single cloud, you might have a multi-cloud, you might have a hybrid environment. You might have an enterprise with separate branches, right? But in summary, NIST SP 800-207 is a very comprehensive and excellent guide for companies who want to adopt Zero Trust and build a more robust, adaptive and secure environment. And the best thing about it is it's free. This is not something you have to pay a vendor or pay somebody for; it's completely free, anybody can access it. But the document itself can be a little bit complex sometimes, which is the reason I've made this course: to help people understand it from the ground up. So that's what I'm trying to do, to really make sure Zero Trust
and Javier beach DID. And just to give you an idea of how important
this publication is, if we had something called the executive order from
the White House, Executive Order 14028, it was titled improving the
nation's cybersecurity. It was signed by the President
Joe Biden on May 24th, I think Metro 2021. So very recent executive order, the whole point of
this was to strengthen the cybersecurity posture
of the United States by addressing
various shortcomings and vulnerabilities in the company's cyber
defenses white. It was issued in response
because they have a lot of high-profile
cyber incidents. And they really
realized that you need a more robust and coordinated
approach to cybersecurity. And they wanted to modernize the government cybersecurity. The order mandated
federal agencies to adopt advanced security technologies
and lexico factors, move to the Cloud and of course, implement
zero-trust architecture. So they were, they
specifically mentioned, adhere to it and it was used as a required step for Zero
Trust implementation. They talked about
other things also like software supply
chain security because we had
attacks like software supplying a log for J and
all those other things. What is the order? We basically it directs
the development of new standards for securing the software supply chain
and addressing this. Apart from that, they
also talked about developing a national
cybersecurity workforce. You have more skilled people, but just to give you an idea, but it is a very this
executive order 14028. You can access it. It's a very comprehensive
effort to boot the country's
cybersecurity posture and address the evolving
threat landscape. It emphasizes
collaboration between the public and private
sector and how to modernize your service
security infrastructure and enhance the nation's
ability to prevent, detect, and respond
to cyber threats. The point we're focusing
in on, of course, as this, which is the order it
specifically mentions this, which is to keep pace with today's dynamic and
increasingly sophisticated. So I've entered
environment. They said that the federal government must adopt security best practices and advanced towards a
zero-trust architecture. And how do you do that? There? The whole point is they want agencies to adhere
to the nist 800 to 07 as a required step for
Zero Trust implementation. So just to show you how much Zero Trust has become important. This is just to give
you that background, how a zero-trust started from Forrester report on which to Google and onwards,
goodness releasing. And now this n, Of course, we'll have more and more coming out. Of course, right? So this is what I wanted to discuss about guys
in this lesson. What are the key takeaways? Zero Trust is not a new concept. It is not come from a vacuum. It's not suddenly appeared. And it's driven by the changing landscape because it's changing. And governments that
are adopting this and auditing agencies
could do the same, right, because of this
and other best practices. So now I hope you appreciated
the whole background. This was a very brief
history lesson. Now we're going to move into, in the next lesson we're
going to talk about the advantages and
disadvantages of zero-trust. I don't want to
just keep on saying zero-trust is amazing and
there's no disadvantage. Know, like everything,
there are pros and cons. So we've talked about this in
the next lesson. Thank you.
4. Pros and Cons of Zero Trust : Okay, welcome to this lesson. Now, in this particular lesson, what I want to go over is Zero Trust and what the pros and cons are. Because I don't want this to be a course in which I'm just going on about how awesome Zero Trust is. No, like everything, it has benefits and drawbacks. And I want to go over the drawbacks also, along with the benefits, of course, right? What are the challenges? What are some of the realistic expectations we should have? Because a lot of people think Zero Trust is like a switch you can just flick on and everything is secure, and you can flip it back off if you don't like it. No, it doesn't work like that. I've seen a lot of people who have this expectation of Zero Trust, and then they're not able to implement it, and hence they go back on it. You have to start zero-trust projects with proper expectations in mind. So this is the whole purpose of this particular lesson.

So what am I talking about here? I think we've understood Zero Trust now, right? I hope you've gotten that understanding. First of all, it's a mindset or a discipline. We'll talk about what it isn't in the next slide, but it's a mindset. Like I said, it's an evolving set of principles that move your defenses from static, network-based perimeters to a focus on users, assets, and resources, right? It assumes that there is no implicit trust. Nobody is trusted by default: not users and accounts based solely on where they are (it doesn't matter whether you are local or on the internet), and not based on enterprise asset ownership, whether you have a corporate laptop or a personal laptop, right? Authentication and authorization, both of the user and of the device, are performed before a session is established. It's a response to trends like remote working, BYOD and cloud-based assets, right? So this is just summarizing what we talked about: that network location doesn't matter anymore, and what device you own doesn't matter anymore. And it's not a single architecture, but a set of principles that are evolving over time. I showed you the history, and you have to implement it incrementally to really see the benefit coming out.

Now, let's go back to what it isn't. And this is very, very important, because a lot of times people have this mistaken assumption about Zero Trust. So what Zero Trust is not: first of all, it's not a product. Please, anybody, any vendor who's coming to you saying please buy this $1,000,000 product and once you turn it on you will have zero-trust security, that is completely bogus. It doesn't work like that. Will products help you in implementing Zero Trust? Absolutely. Absolutely. There are a lot of products out there which are built with Zero Trust in mind, but there is no single magic product which you implement and then you are going to be "zero trust certified". And a lot of people do not know that a lot of IT and security tools might already be supporting Zero Trust. You just have to configure them in a particular way, right? You have to look at them through the zero-trust lens: do they put identity at the core, and can they enforce context-driven policies? A lot of vendors are revising their products to make them in line with the Zero Trust specifications. Like I said, it's a fundamental shift in how you approach information security. So the industry is changing and you have to really look at that.

Another thing: it's not a certification. Please, please, you have to understand there is no certification. One might come out in the future and you can implement this, but it's not like PCI DSS or ISO, where you can say "I'm zero-trust certified, here's my certificate." No, it doesn't work like that. Like I said, it's an evolving set of principles. So two things you have to be very aware of: it's not a product, it's not a certification. Another thing, very, very important: it's not a silver bullet. It's not a magic solution to all the cybersecurity challenges. Please, very, very important here guys, it's not a magic solution that you can just implement and then say, okay, now we're zero-trust certified and everything has been resolved. No. It's going to definitely help you out. It's going to make you more secure, right? But you have to understand it's not a one-time task, not a one-time, one-size-fits-all solution that you can just purchase, install, and everything is completed, right? Another thing which I've talked about before, of course: it's not static. It keeps evolving; the industry keeps evolving, new attacks are coming out, and based on that it keeps being refined. That's the beauty of Zero Trust, right? So more and more refinements have to be done. So remember this, very important: it's not a single technology, product or service that you can just implement and forget about, right? And it's not a one-time task. So keep these things in mind, very, very important, before you're starting. If you don't have these things in mind when you're starting Zero Trust, believe me, you will be disappointed. And you will say, hey man, why did I implement this? I should go back. Because you didn't start with the proper goal in mind. So this is setting the expectations realistically.

Now, what are the benefits? The benefits are tremendous, actually. So first of all, increased security, yes, absolutely. It will help your organization be more successful in stopping and limiting security incidents, as opposed to, say, perimeter-based security models, which are very ineffective now. You can really get a better understanding of your security architecture, because it provides a more structured and holistic approach to implementing cybersecurity. And a side benefit: it also facilitates a greater degree of understanding of your corporate assets and resources, because for implementing Zero Trust, as we're going to see later on, you will need to get visibility into your environment, what you have and what you don't have, okay? And it gives you great visibility into the corporate network. You know who the authorized users, devices and services are, and that gives you better situational awareness. And later on that helps also. And especially as the workforce moves to hybrid or remote working models, Zero Trust can allow workers to securely access the corporate network and resources whether they are on-prem or off. This new way of doing things addresses many of the gaps which are there.

In the previous module we talked about lateral movement by attackers. So if an attacker, whether inside or outside, can get in, they will be continually confronted with various checks, as we're going to see when we talk about NIST in more detail. There are going to be checks and balances coming into play to stop them from getting further access; they will have to re-authenticate and prove their identity constantly for each resource. Okay? Because Zero Trust uses behavioral analytics on entities, whereas your traditional firewall-based or access control model only uses a set of credentials, right? User parameters such as the time of day, pattern of access, location, data transfer size, and many other data points are not evaluated there, but Zero Trust evaluates these to determine if the entity that is attempting access is doing so in a secure and acceptable manner. If a device or a user starts attempting access that they usually don't, at other times of the day, when they are not working, these behaviors will trigger an alert and possibly change the policy. So it gives you excellent risk-based decision making, provided you implement it properly. So you can actually completely remove the external perimeter, and remote workers don't need to connect to VPN access. They can simply be granted access only to those resources required. And you can even remove the VPN entirely, although from what I've seen that's usually done in cloud environments, and where Zero Trust has become much more mature. Okay. So it can be done. I'm just saying don't do it on the first try. But once you implement Zero Trust and you continue to improve upon it, you can actually do it. Okay.

And of course, what are the challenges? Zero Trust does have its challenges. It's not, like I said, a one-time thing. This is a radical departure from traditional architecture, so it comes with a cost and an effort. It takes some time for your security administrators and security team to adapt to it. And the actual implementation usually does require a significant investment. You might have to buy new controls, plus training and support costs. Integrating zero-trust architecture is complex, and maintaining it can be complex as well if you don't know what you're doing, because it is an entirely different model of access granting, and there are many more places where monitoring has to take place and where you'll have to implement your controls. The advantages I've already talked to you about, and the advantages might offset the difficulties and the complexity, but things like behavioral analytics take some time to implement, and it's not easily done. And of course, when you change the architecture, a large architectural change, you have to balance keeping the business running with the transition into the new architecture. We'll talk about this later on when we talk about implementation. The move to a zero-trust architecture requires careful planning, change control, and a great deal of time and effort. And like I said, the benefits are not immediately apparent. It takes some time, and then you can see the benefits coming out. So be realistic: know the challenges, know the benefits, know the cons, so that you are aware of what you're getting into. Please don't just buy into the hype: "Yeah, Zero Trust is going to solve everything, let me just go ahead and jump in and blindly start implementing Zero Trust." Like that, the project will fail and you'll actually have more difficulty later on.

Okay, so we've reached the end of this lesson, guys. What are the key takeaways? Most importantly, Zero Trust is a mindset. It's not a product, it's not a certification. There are advantages and disadvantages and challenges. The advantages will always be more than the disadvantages, absolutely, provided you implement it properly. And like I said, Zero Trust needs to be treated as a project. You need to invest time, invest money, invest resources. You need to make sure what you're trying to implement is clear right from the outset and you have management backing. Provided you do all these things, absolutely, you will see the benefits of Zero Trust coming out, right? Now, I hope you've gotten a high-level understanding. In the next lesson we're going to jump into more of the core principles, how it actually calculates trust. And then we're going to go on to the NIST standard and go to case studies. Okay, so now I hope you've gotten the foundation better. So let's go into the deeper dive now. Thank you guys, and I'll see you in the next lesson.
5. Core principles of Zero Trust : Hi friends. Okay, so this is a very, very, very important lesson, and in this we're going to be doing a deeper dive. We're going to look at the core principles of Zero Trust and how Zero Trust actually calculates trust. Where does the trust part come in? So we've already understood Zero Trust, right? It's a security framework. You assume that nothing, no user, device or system, is inherently trusted, right? There is no implicit trust, regardless of whether you are inside or outside. And it is defined by certain core principles, right? So we're going to talk about that, and we're going to talk about trust. Instead of your static way of doing it currently, Zero Trust has a way of deciding trust, who is trusted and who isn't. And you can see how it continuously looks at these factors, and it actually changes its policies and permissions in real time. So it's able to establish trust sessions dynamically. Access decisions are made on a case-by-case basis. It's not like you just give a guy access in a matrix, the role-based matrix or the file-based permissions, and that's it. No, it can actually look at it dynamically, and that is the difference between Zero Trust and the other models.

So let's take a look at what we're talking about here. I talked about Zero Trust and the principles. Zero Trust consists of certain core principles. These are the ideal goals to be achieved. Like I've told you before, it's not like you snap a finger and suddenly all the principles of Zero Trust are going to be implemented. No, it doesn't work like that, right? It provides you a collection of ideas and concepts that are designed to implement it, right? And once you've done it, you can say, okay, now we have this maturity in Zero Trust, and we're going to talk about that. So these are the ideal goals to be achieved. And one more thing which is very important, guys: we're going to talk about NIST and other things, and the names sometimes differ, but these principles at the back end remain the same. It's only the names that change; the concepts will remain the same. So don't get confused, because there is no single standard list. We have certain things from NIST and certain things from others. I've tried to summarize all of them into one location to make it easier for you. So that's what we're going to talk about now: what are the Zero Trust principles?

So this is a recent one which came out from the World Economic Forum, which is the zero-trust model in cybersecurity. And it has given certain principles, right: establish no trust by default, ensure visibility, apply trust with dynamic and continuous verification, use least privilege, ensure the best possible end-user experience. So one principle you'll always see is "never trust, always verify", the most common principle. But it's based on a wider listing of principles, right? And usually they take it from NIST, the National Institute of Standards and Technology special publication SP 800-207. And each organization should analyze each of these principles and look at what is feasible to implement. But these are some of the most common principles we talk about whenever we are talking about implementing Zero Trust.

When we talk about verifying everything explicitly, we mean that there is no trust by default; you always have to authenticate and authorize users before granting them access, regardless of their location or what was done previously, the previous trust level, right? You might do this through enforcing MFA and least-privilege access. And you're assuming breach: you're operating under the assumption that your network has already been compromised. This mindset encourages proactive security measures even if there's no visible sign of a breach. Then something like least privilege. This is already there, right? A lot of organizations already enforce this, that you limit users' and systems' access to the minimum level of permissions necessary to perform the task. This will help you reduce the potential damage caused by compromised credentials. But you want to make sure that the users' productivity is not compromised at the same time. One thing which is not there and which is quite important is micro-segmentation, which I talked about. Micro-segmentation means you divide the network into smaller, isolated segments to limit lateral movement, right? Actually, I realize it might come under least privilege, but I think it's more important to discuss it separately. With micro-segmentation, what you do is compartmentalize your resources. So what happens is that the attacker's ability to move from one part of the network to another is significantly reduced. And we talked about applying trust with dynamic and continuous verification, right? That comes into continuous monitoring and analytics. What is happening is that users are regularly monitored and analyzed, that is, their behavior, to respond to potential security threats. So the Zero Trust engine is continually gathering and analyzing data to help it respond to alerts. And how does it usually do that? It integrates with your other security tooling, your SIEM solution, your single sign-on. So this is a holistic way of doing it, right? So basically these are the different models which are there. By following these core principles, you can really implement Zero Trust in its entirety, reduce the risk of security breaches, and protect your sensitive data.

So I've taken the liberty of taking these principles and making them simple, like this, right? These are the principles which we talked about earlier also: the network is always assumed to be hostile. Yeah, assuming breach, that external and internal threats are already there. There is no implicit trust granted to anybody, because basically anything can be compromised, right? Where you are on the network is not sufficient for deciding to trust. Every device, user and network flow has to be authenticated and authorized; it doesn't matter whether it's in the cloud or on-prem. And policies must be dynamic and calculated from as many sources as possible. So these are there. Of course, one thing which is not mentioned is micro-segmentation, and I think that is there in the "use least privilege" one, but that concept also has to be there. Like I said, Zero Trust is not a single architecture. It is a set of guiding principles and it may evolve over time. Okay, so it's a journey. It's not like on day one you will have all these principles implemented, right?

So this is what we talked about: the normal approach versus a zero-trust approach. Zero Trust is a very significant departure from your traditional perimeter security. Traditional network security is "trust, but verify". It assumes that the users within your perimeter are secure, and it puts you at risk from malicious internal actors who have stolen legitimate credentials, or maybe attackers who have socially engineered through phishing and taken over somebody's account, right? And what happens with that compromised account is they have wide access within the network. So this model pretty much became obsolete once cloud came in, once remote working came in, like 2020, you can say. This model really doesn't work anymore. So this is what we're talking about with Zero Trust: never trust, always verify. Zero Trust assumes there is no inherent trust and requires continuous verification and authorization, right? Whereas the previous one allowed a certain level of trust, right? It really depends on how you implement Zero Trust, depending on your specific needs and everything. But in a nutshell, as we talked about again and again, nothing is trusted inherently, whether inside or outside, because you're assuming that a breach is already there. So this is very, very important. And then you explicitly implement the Zero Trust principles of least privilege, micro-segmentation and continuous monitoring.

But how do we do it, right? So now we're seeing "never trust, always verify", and how do we verify it, and then how do we give this trust? How do we know something is secure? This is where the departure comes in. Managing trust is perhaps the most difficult aspect of really implementing Zero Trust. Even within your normal matrix, choosing which users and devices are allowed on the network is a very time-consuming process, right? You keep updating your permissions and it directly affects the security posture. Let's be realistic about how it's usually done: it is left as a manual effort for security engineers and the identity and access management team. Cloud might have managed policies; if you're implementing something in AWS, it might have managed policies, but those policies only provide very basic isolation, like super user and admin. And because of the difficulty in defining and maintaining them, requests to change those policies are usually met with resistance. You don't know what the impact will be, right? So it usually pushes administrators to maintain those policies and not change them, and they get overwhelmed with more and more requests. This is a common problem. Policies are not really dynamic enough to respond to the threats which are coming in. A mature organization will have some process of auditing, right? You might be doing a quarterly certification, but how often are you going to do that? It's so tedious to do. For a human, you might have thousands and thousands of policies. How much damage could a rogue admin do on a network before an audit discovered and mitigated it, right? So a more useful way would be to rethink the whole trust relationship, recognizing that trust in a network is changing, and it's based on your previous and your current actions, right? So this is how we start moving away from that old method and towards a zero-trust approach.

So this is the new way. Instead of defining binary policy decisions that you give to specific users, a zero-trust network will continually monitor the actions of an actor on the network, and there's a risk score which is continually updated. This score can then be used to define policy in the network based on how much trust is there, right? So in a zero-trust architecture, trust is not calculated as a single metric, a single score, but there's a combination of factors, and we'll look at those, that contribute to the decision-making. Then you make the decision whether it's allowed or not allowed, right? And these can be many things: user and device identity, context, behavior. All of these the Zero Trust engine is looking at, and it can determine the level of access. There are many things that can come into play. User identity, right: who the user is, whether they're using strong authentication like MFA. Device identity: whether the device is managed or a personal device, and what its security posture is, such as the patching level. Context: what the user's role is in the organization, the location, the time, whether it's coming from a public Wi-Fi or VPN. Behavior: the user's behavior from the history might be showing some anomalies, and then the risk score might be changed, right? So you need to monitor, do the risk assessment, evaluate the risk score and what access you're granting and what the potential impact is. So what I'm talking about is on a case-by-case basis. The zero-trust engine looks at this. And how would it be practically implemented?

So let's look at the practicality of this. This is how, basically, a zero-trust engine would look from a very, very high level. It would be getting data for the user, the device, and from your SIEM solution. And there is an engine there that is going to calculate a risk score and then allow or disallow by considering these factors: user, device, SIEM, continually and adaptively evaluating, and interrupting permissions in real time. The zero-trust architecture can then establish trust dynamically, like I said, with access decisions being made on a case-by-case basis, to make sure that the users and the devices have the appropriate levels of trust, right? So let's take an example. A user might be viewing the calendar from a personal device, their office calendar; that might give you a low risk score. But if the same user, from a personal device, attempted to change the system settings, that would give you a much higher risk score. And that would be denied by the Zero Trust engine and flagged to the security team. So even in this simple example, you can see the benefit of a score. You can make very smart decisions. And things like score-based policies can affect the outcome of an access request based on a variable number of things, like historical activity, and it can dramatically improve your network security compared to the previous static policies we talked about. So sessions that have been approved by the zero-trust engine can be trusted more than those that haven't. So you can start to rely less on your user-based authentication. So now you can see how smart the zero-trust engine is, provided you implement it properly, right?
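The calendar-versus-system-settings decision described above, worked through as an added example. This is not code from the course or from NIST SP 800-207; the signal names, the weights, the assumed working hours, the per-action risk ceilings and the request objects are all constructed for illustration. It goes one step beyond the lesson's two cases by adding a step-up-to-MFA outcome, which a real policy engine would typically offer between "allow" and "deny".

```python
"""Toy zero-trust policy engine: combine identity, device, context and
behaviour signals into a risk score and return an access decision.

Added example for this course transcript; it is not code from the course
or from NIST SP 800-207. Signal names, weights and thresholds are assumed.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class AccessRequest:
    user: str
    action: str            # "read" or "admin" (constructed vocabulary)
    mfa: bool              # strong authentication used for this session
    device_managed: bool   # corporate-managed vs personal device
    device_patched: bool   # posture signal reported by the endpoint agent
    network: str           # "corp", "home" or "public"
    hour: int              # local hour of day, 0-23
    failed_logins_1h: int = 0  # behavioural signal, e.g. pulled from a SIEM


# Assumed weights: a real engine would tune these from its own telemetry.
WEIGHTS = {
    "no_mfa": 30,
    "unmanaged_device": 25,
    "unpatched_device": 15,
    "public_network": 15,
    "home_network": 5,
    "off_hours": 10,
    "admin_action": 20,
}
TYPICAL_HOURS = range(8, 19)            # assumed working hours for this user base
MAX_RISK = {"read": 60, "admin": 30}   # assumed per-action risk ceilings


def risk_factors(req: AccessRequest) -> List[str]:
    """List the named signals that raise the risk of this request."""
    factors = []
    if not req.mfa:
        factors.append("no_mfa")
    if not req.device_managed:
        factors.append("unmanaged_device")
    if not req.device_patched:
        factors.append("unpatched_device")
    if req.network == "public":
        factors.append("public_network")
    elif req.network == "home":
        factors.append("home_network")
    if req.hour not in TYPICAL_HOURS:
        factors.append("off_hours")
    if req.action == "admin":
        factors.append("admin_action")
    return factors


def risk_score(req: AccessRequest) -> int:
    """Sum the weighted factors plus a capped penalty for recent failed logins."""
    score = sum(WEIGHTS[f] for f in risk_factors(req))
    score += min(req.failed_logins_1h * 5, 20)
    return min(score, 100)


def decide(req: AccessRequest) -> dict:
    """Allow, step up to MFA, or deny, depending on the score and the action."""
    factors = risk_factors(req)
    score = risk_score(req)
    ceiling = MAX_RISK[req.action]
    if score <= ceiling:
        decision = "allow"
    elif "no_mfa" in factors and score - WEIGHTS["no_mfa"] <= ceiling:
        # Missing MFA is the only thing pushing the request over the ceiling:
        # challenge the user rather than deny outright.
        decision = "step_up_mfa"
    else:
        decision = "deny"
    return {"decision": decision, "score": score, "factors": factors}


if __name__ == "__main__":
    # Constructed requests mirroring the lesson's calendar vs. settings example.
    calendar = AccessRequest("alice", "read", True, False, True, "home", 10)
    settings = AccessRequest("alice", "admin", True, False, True, "home", 10)
    print(decide(calendar))   # allow, score 30
    print(decide(settings))   # deny, score 50
```

The same personal device yields a score of 30 for reading the calendar (allowed under the "read" ceiling of 60) and 50 for an admin action (denied under the "admin" ceiling of 30), which is exactly the asymmetry the lesson describes: the action's sensitivity moves the bar, and the returned factor list is what you would hand to the security team when the request is flagged.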
And how does it happen? Let me put in more details. Usually there's a concept within Zero Trust of a data plane and a control plane. This distinction, this concept of a data plane and a control plane, is not a new concept from Zero Trust; it comes from network security and network architecture. But the basic idea is that a network device or a user has two logical domains, and there's a clear differentiation between the two. The data plane is usually the domain that manages the traffic. It's usually designed for handling high rates of traffic, so it has simple logic. It's not usually making smart decisions, okay? The control plane you can think of as the brains of the network. It is the layer that system administrators apply configuration to, and this is where the policy decisions are being made. So usually the control plane is not used for handling traffic, okay? That is the data plane's job. So a zero-trust network defines a clear separation between the control plane and the data plane. The data plane is usually made up of all the applications, firewalls, proxies and routers that directly process all the network traffic, right? These are being used to manage all the connections. They quickly need to make a determination whether the traffic has to be allowed or not allowed. Okay? So this is where the control plane will come in. The data plane is where the traffic is handled, the mechanism. The control plane is used to make the decisions, the policy decisions, and this is usually where your zero-trust engine works. Basically, the control plane is going to make the decisions or policy changes and push them to the data plane. Okay, so it's going to say, hey, apply this policy, apply that policy, restrict this user because he has a higher risk score, allow this user because he has a lower risk score.

So how does it do it? It can be done in various ways. The mechanism by which the control plane effects changes in the data plane is very important, because the data plane is often the entry point for attackers, and the interface between it and the control plane must be very secure, very clear. Because if that is compromised, your whole zero-trust engine is compromised, right? Requests between the data plane and control plane must be encrypted and authenticated using a non-public PKI, to make sure that the system is trustworthy. So it's very, very critical. It's like the user and kernel separation in operating systems, right? It's very, very isolated, to prevent anybody from accessing it. This is basically how the zero-trust network is working. The control plane is very, very critical, because this is where the trust is being granted. Due to the far-reaching control it has over the network's behavior, the control plane's security, its trustworthiness, is critical. And usually somebody very, very highly privileged must be there to access it. The control plane is the one who's making the decisions for the data plane. And remember, whatever policy decisions it gives, those are temporary, right? The policies are changing. It's dynamic. So usually you do it through tokens or limited-lifetime certificates, but this is how usually a zero-trust system works.
plane grants a token to somebody on the data plane that it's short-lived, It's
not like permanent. So this is how in practicality, you give access in a
zero-trust engine. You have the control plane, which isn't within
the zero-trust engine and that is dynamically applying policies
to the Data Plane. And Data Plane
policies are usually short-lived and the data
control plane has to be very, very secure to make
sure that attacks cannot subvert, it,
cannot access it. So sorry guys, This went
a little bit longer, but this is where
we're really diving deep into how zero-trust
engineers working. And now we're going to
do in the next lesson, we're going to take a
look into the zero-trust from the nist perspective, not at your basic
concepts are there. So what we talked
about, we talked about Zero Trust principles
are not set in stone. We continually evolve rate. And the names might
be different, but the concepts are what
we have to talk about. And we're moving away from static policies to a
trust into an approach. And this is a much better
approach than static policies. Like you talked
about zero trust. Trust is not like a
single metrical score, is continually to a
combination of factors. It's intelligently
making decision process to grant or deny access. And this can be your user and device identity,
contexts and behavior. All of those things
are coming in. And by continually
evaluating these factors, Zero Trust Architecture enables dynamic decisions to be made
on a case-by-case basis. Very important for you to know the control plane and
data plane concept. Those are critical
for understanding. Remember the control plane is the brains of the
zero-trust engine, where all the access
across authenticated and authorized and the
decisions are being made. And the data plane is basically the DOM network
traffic part where the policy decisions are being
implemented and enforced. I hope it, this guy, this gives you a better understanding
of zero-trust, how it works, and how
everything is working. In the next lesson, we're
going to talk about the nist standard and
how that is pretty much the de facto industry
standard and where these concepts are implemented
in more detail, guys. Okay, thank you and I'll see
you in the next section.
6. NIST Standard - overview: Hi friends. Welcome to this lesson in which we're going to deep dive into the NIST standard. I think this is easily the most important lesson of this course, so I need your full attention here please. If you want to understand zero trust in detail, this is the lesson where you want to focus the most. Now, just to recap, we've talked about how the Zero Trust approach is different, right? We talked about things like the trust-based approach in the previous lesson and why it is such a better approach than just having static policies making binary yes-or-no decisions. And we saw that in a Zero Trust Architecture, trust is not calculated as a single metric or a score; it's not yes-no. Instead, trust is established through a combination of factors that contribute to the decision-making process when granting or denying access, right? And this is what we're going to talk about: how to implement that in detail. Because if I asked you, okay, go ahead and implement a zero-trust architecture, how would you take those concepts we talked about and actually implement them? This is what we're going to talk about, okay?

So we know that the zero trust concept is there. But what about zero-trust architecture? A lot of people get confused between Zero Trust and Zero Trust Architecture. So zero-trust architecture is the actual plan: it is the enterprise's cybersecurity plan that uses Zero Trust concepts and applies and implements them within the network. Okay? This is how you're going to implement it. When a company decides to adopt zero trust as its core strategy, it generates a zero-trust architecture plan from those principles. Now you're going to deploy it, and how do we do it? This is where the NIST standard comes in. It is easily the de facto industry standard. So we're going to talk about how to actually implement those components. Okay? Yeah, this is what I talked about earlier: don't get confused between Zero Trust Architecture and Zero Trust concepts. Zero Trust is the concept, which is very high level and broad; these are the principles, and the architecture is how you implement them. This is how you're going to be actually enforcing those standards within your network. Suppose you have a new or existing environment you want to implement zero trust in; this is how you're going to be actually implementing it.

So how do we go about it? Suppose the CISO comes to you today, or the head of cybersecurity says, I want you to go ahead and make our environment compliant with the Zero Trust principles. How are you going to go about it? Where do you look? Where do you start? And this is the challenge I also faced. Like I talked about at the beginning of the course, there's a lot of very high-level documentation present, nothing in detail, or it's more to do with products: buy this product, buy that product. You don't really go into the detail of implementation. This is where the standard comes in: SP 800-207 from NIST, the National Institute of Standards and Technology, a well-known organization that makes standards, and they are quite detailed. For most companies, if you want to implement zero trust, this is the standard. This is the most vendor-neutral, comprehensive standard, not just for government entities but for any company. It takes all the concepts we talked about from Forrester and Gartner and shows you how to implement them. And it also shows how to implement them in a modern environment, right, with cloud-first and remote working, that most companies need to achieve. And like I said, it's vendor neutral, which is amazing. It's not promoting any product. It can be used by a company of any size. The best part is, as standards go, it has gone through heavy validation and input from many, many experts, from commercial customers, vendors, government agencies, stakeholders. Which is why it's been so thoroughly tested, and which is why many private companies, public companies and governments look at it as the de facto standard, whether you are in government or not. This is what we want to talk about now. You can go and look at it; the good thing is it's completely free, right? At the beginning it talks about what Zero Trust is, what the concepts are. But I want to talk in detail about how the architecture is, because that is where we want to focus on how to actually implement it.

So let's take a look at the zero-trust components in a zero-trust architecture. You can see in this diagram, right, you have a lot within the environment; it might look a little bit confusing here. But I want you to focus on the middle, which is one of the best parts of the NIST document. It is an emphasis on a few core components that are necessary to implement a proper zero-trust architecture: the policy decision point and the policy enforcement point. You can see them right in the middle. Having these two components, the PDP and the PEP, in front of every asset which you have, and this is where every request must pass, that is the biggest difference between a Zero Trust Architecture and a normal architecture. This is what will differentiate your environment, whether it's a zero-trust architecture or a normal architecture. Now, when we talk about PDP and PEP, this does not necessarily have to be a product. This can be something you build in house. These are abstract concepts that can take different forms depending on the needs of your enterprise. We'll talk about that in detail. But however you implement them, PDPs, or policy decision points, are components that evaluate the posture of somebody who is accessing something, the subject and the object, and then make a decision whether to allow or disallow based on many, many factors. We're going to look in detail at the trust algorithm, right? And next is the PEP, the policy enforcement point. These are the components that are responsible for opening and closing the connection to the resource. So the PEP takes the action which the PDP decides. If the PDP says allow it, it'll allow it; if the PDP says disallow it, it'll disallow it. Okay? So this is one of the critical things; I think it's the most critical thing of a zero-trust architecture. Now PDPs and PEPs can be consolidated, or they can be distributed. The PEP can be an agent on your computer or laptop, or it can be a gateway like a proxy or a firewall. But in all cases, however you implement PDP and PEP, they represent the capability through which the zero-trust architecture is being enforced. PDP, remember, is how you make the decision whether to allow or disallow based on trust, and PEP is how you implement that decision; it allows or disallows.

Let's look at it in more detail. I don't want to overwhelm you. So first is the subject. The subject is what wants to access something. As defined by NIST, this can be a user, an application or a device like a laptop. And it might be requesting access to an enterprise resource. This can be an application, a data document, a workload, but it is under the control of the Zero Trust system. So I'm going to refer to it as a resource, okay? So the subject is going to say, hey, I need access to this resource. That resource is controlled by the zero-trust system. So what happens? Like I said, in Zero Trust you always assume that the subject is on an untrusted network, right? You don't trust anything: it's on an untrusted system, the subject is untrusted. So the PEP comes in, the policy enforcement point. This is what is controlling the subject's access to the resource. You can think of the PEP like a dumb device. It doesn't store or make any policy decisions; it doesn't know about that. That is the part of the PDP, the policy decision point.

Now, looking into the policy decision point: the policy decision point is a logical entity, right, that is going to give decisions. It is composed of a policy engine and a policy administrator. We don't need to get into details, but just to give you a high-level overview, the policy engine is responsible for the decision to grant or deny access. It takes a lot of information from other sources; we're going to talk about that, the SIEM, your data access policy, single sign-on, your threat intel. And it uses a trust algorithm to decide whether or not the access will be allowed. The policy engine makes these policy decisions and then gives them to the policy administrator. The policy administrator is responsible for whether the connection will be established or not; it communicates with the PEP, the policy enforcement point. Okay. I don't like talking in too much detail about the policy engine and policy administrator; just remember the concept of the policy decision point, and usually that is enough. Honestly speaking, I think sometimes people get confused about this. Just remember: the policy decision point makes the decision and the policy enforcement point implements that decision. It is sitting between the subject and the enterprise resource, and it's going to be enforcing those decisions. And this is how we implement zero-trust architecture. Okay?

If you remember, we talked about the control plane and data plane. Remember, the subject is communicating with the resource across the data plane, and the data plane is separate from the control plane. NIST also states that the PDP and the PEP need to communicate with each other on what you call an out-of-band network. The data plane is being used for your application traffic, okay? The control plane is where all the critical decisions are being made, and that needs to be completely separated. Nobody should be able to access it apart from very specifically allowed people. Just remember, the data plane is the dumb layer that manages traffic on the network, okay? Usually it's able to handle very, very high rates of traffic, and usually it's hardware driven. You can think of it as the dumb device, the dumb layer where just the traffic is flowing. The control plane you can think of as the brains of the network. This is where the PDP is residing, right? This is where the configurations are being applied and where the policy decisions are being made. But remember what I talked about in the previous lesson: since the control plane is so critical, it's not designed to handle high rates of traffic, but it communicates with the data plane and the policy enforcement point. That is why it should be highly secure; nobody should be able to subvert it. If an attacker is able to gain access to the control plane, then he will be able to change the decisions and modify the algorithm, right? So this is where the zero trust network defines a clear separation between the control plane and the data plane. Just remember, the data plane is where your network is, made up of all the applications, firewalls, proxies, routers, right? That is where all the connections are. And the determination of whether traffic should be allowed, all of that is done on the control plane. I hope this gives you an idea.

Now these are the supporting systems. These are the additional elements which are sitting outside the system, like the CDM and the SIEM; let's look at them from the left. But these are logically part of any zero-trust system and they help the policy decision point to make the decision, because your trust algorithm, we'll talk about the algorithm also, uses the data from all of these systems to make the decision, and they influence how the policy decisions are being made. This is because it takes information from all these other systems and makes a decision.

Okay, so let's look at them from left to right. You have the CDM system, the continuous diagnostics and mitigation system. This gathers information about the enterprise asset's current state and applies updates to configuration and software components. A lot of companies have these systems, right? Basically, it provides the PDP with information about the asset, such as whether it's running the appropriate operating system, the integrity of the software which is running on it, maybe it has some non-approved software there, whether there are any vulnerabilities. This will help the PDP to know whether the device is in a secure state or not. The other one is the industry compliance system. This ensures that the enterprise is compliant with any regulatory regime, like PCI DSS, CIS benchmarks, those things. Next is the threat intelligence feeds. I think all of you are aware of them. This provides information from internal and external sources that helps the policy engine make its decision. This might be third party, this might be open source. This could be multiple services that take data from internal or multiple external sources, and it tells you about newly discovered attacks and vulnerabilities, maybe flaws in software, and these all feed into the trust algorithm. Next up is the activity logs, network and system activity logs. This aggregates all the activity logs which are there, right, and provides real-time feedback. This can be combined with the SIEM solution also; it doesn't necessarily have to be separate.

What else is there? Now we move to the right: the data access policy. These are the rules and policies about access to enterprise resources, right? Now, these could be dynamically generated by the PDP, but usually it's a starting point. It looks at who is allowed access, who is not allowed access, and then it can refine it. But this is like a starting point. You might have a PKI. I think you already know this: these are the certificates which are issued by the enterprise. And usually a zero-trust system gives these certificates to establish the session. Like we talked about, whatever access it gives has to be very short, time-bound. It's not like if the zero-trust engine gives you access, you're going to have it forever. It can be time-bound, and sometimes it's implemented through certificates. Next up is the ID management. This might be a single sign-on; it could be how you manage all your user accounts, LDAP, single sign-on, Okta, whatever is there. But this system contains information about the user, right? Name, email address, role, access attributes, what's your risk level? So this is usually where you find out the information about the user, right, where it's coming from. And last is the SIEM solution. The SIEM is where it collects security information. I think most of you already know what a SIEM is. This is about the security events which are there. So all of this information is feeding into the zero-trust system.

And I know it can become a bit overwhelming. So I want to show you in a simple way; this is what I want you to look at, right? This is the user, who is going to be accessing some resource. The PEP is standing in between. And it's going to ask the PDP, hey, should I allow access? And the PDP is getting information from the SIEM, from the GRC, mobile device management, SSO, all these components we've talked about. And the PDP lies on the control plane while the PEP is on the data plane, right? And the communication between the two has to be very, very secure. But these two components are really what is necessary to establish a true Zero Trust Architecture. And they have to be there in front of every enterprise asset. All the requests have to pass through this. The PEP could be a firewall, a proxy, an agent. But these are the two capabilities. Now you can implement it however you want, but this is how actually you have to implement it and really make it make sense. Now, I hope this was useful and you understood how you're actually going to be implementing it within the zero-trust architecture.

Now, we talked about the trust algorithm also, right? So let's take a look at the trust algorithm. I talked about it earlier, how the zero-trust engine decides whether to allow something or not. The trust algorithm is the process used by the PDP to ultimately grant or deny access to a resource. It takes inputs from multiple sources. Like, it's going to the policy database, it's going to take information about the access request, the subject database and history, the asset database, and so on. So let's start at the top right, the access request. This is the actual request which is coming from the subject: hey, I need access to this, right? But with that comes information like, what is the OS version? What is the software being used, right? Like, is it blacklisted or whitelisted, right? Then there's the subject database. This is the who: who is this guy? Why is he requesting access to the resource? What's going on? Is this person even allowed to have this access or not? You can probably get this from your single sign-on, right. All the access requests which are there will be captured here. That works together with the asset database. This is the database that contains the status of the enterprise resources, like the BYOD, what other devices are there. Okay, next up is the resource requirements. These are the set of policies, and they define what are the minimum policies required to be accessing these resources. And lastly, we talked about the threat intelligence, right? Threat intelligence, the external and internal feeds which are being used there. So you can see how powerful this trust algorithm is, how much different it is from your standard yes-no things which you just allow. Like okay, Taimur is accessing this because his name is there on the access control list; if it is there, okay, please allow. Now, even if it's allowed, you will still have so many other things to look at. And this is the true beauty of a zero-trust architecture.

So this is how NIST defines the standard. We're going to look in more detail in the future sections at what are the different types of deployments. But now I hope you've gotten a better understanding, guys. So the NIST Special Publication 800-207 is a vendor-neutral standard on Zero Trust. It details how you actually implement a zero-trust architecture with the concepts we talked about earlier. It has gone through heavy validation and inputs from many, many commercial customers, vendors, government agencies, stakeholders. And it is considered to be the de facto standard for governments and private companies. And it details the Zero Trust Architecture, and specifically the concepts of the policy decision point, PDP, and the policy enforcement point, which have to be there in front of every resource. And these can be implemented however you want. But remember, regardless of the details, it has to be implemented like this. So don't think of it as a product; think of it as these are the principles which have to be present in anything for it to be enforced, right? And this is how you actually start implementing a proper Zero Trust Architecture. So I hope now you're getting a better understanding of how zero-trust architecture is actually implemented in practice. And we're going to look at it more in the case studies. In the next lesson I'm going to be talking about the NIST approaches, the different variations and scenarios. I know this went on for a bit long, but I really wanted to deep dive into the specific concepts. So let's take a look in the next lesson at the different approaches, variations, and scenarios. Okay, thank you guys and I'll see you in the next lesson.
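The PDP/PEP split and the trust algorithm inputs from this lesson, and the short-lived grant pushed from the control plane to the data plane from the previous one, as a runnable Python sketch. This is an added example and is not code from the course or from NIST SP 800-207. The subject, asset, threat-intel and resource-requirement data are constructed; the penalty points and minimum scores are assumptions; and the control plane signs its grant with an HMAC key shared with the PEP, which stands in for the mutually authenticated, private-PKI channel the lesson calls for. The PEP holds no policy at all: it only checks the grant's signature, that the grant was issued for its own resource, and that it has not expired.

```python
"""Toy SP 800-207 control plane / data plane (added example, not the course's code).

Control plane: PolicyDecisionPoint = policy engine (trust_algorithm) plus policy
administrator (issues a short-lived, signed grant).
Data plane:    PolicyEnforcementPoint sits in front of one resource, holds no
policy, and only validates the grant's signature, resource binding and expiry.
All data below is constructed; scores and thresholds are assumptions.
"""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed stand-ins for ID management, CDM, threat intel and the data access policy.
SUBJECT_DB = {
    "alice": {"roles": {"finance"}, "mfa": True, "failed_logins_24h": 0},
    "bob": {"roles": {"engineering"}, "mfa": False, "failed_logins_24h": 7},
}
ASSET_DB = {  # device posture as a CDM system would report it
    "laptop-01": {"managed": True, "patched": True, "edr": True},
    "laptop-02": {"managed": True, "patched": False, "edr": True},
    "byod-99": {"managed": False, "patched": False, "edr": False},
}
THREAT_INTEL = {"bad_ips": {"203.0.113.7"}}
RESOURCE_REQUIREMENTS = {  # minimum policy per resource, plus grant lifetime in seconds
    "payroll-api": {"roles": {"finance"}, "require_mfa": True, "min_score": 70, "ttl": 300},
    "wiki": {"roles": {"finance", "engineering"}, "require_mfa": False, "min_score": 40, "ttl": 900},
}


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    device: str
    src_ip: str
    resource: str


@dataclass
class Decision:
    allow: bool
    score: int
    reasons: list = field(default_factory=list)


def trust_algorithm(req: AccessRequest) -> Decision:
    """Policy engine: hard rules first, then a contextual score (assumed weights)."""
    subj, asset = SUBJECT_DB.get(req.subject), ASSET_DB.get(req.device)
    rule = RESOURCE_REQUIREMENTS.get(req.resource)
    if subj is None or asset is None or rule is None:
        return Decision(False, 0, ["unknown subject, device or resource"])
    if req.src_ip in THREAT_INTEL["bad_ips"]:
        return Decision(False, 0, ["source IP on threat-intel blocklist"])
    if not subj["roles"] & rule["roles"]:
        return Decision(False, 0, ["role not permitted for resource"])
    if rule["require_mfa"] and not subj["mfa"]:
        return Decision(False, 0, ["resource requires MFA"])
    penalties = [  # (condition, points deducted, reason)
        (not subj["mfa"], 30, "no MFA"),
        (subj["failed_logins_24h"] >= 5, 20, "recent failed logins"),
        (not asset["managed"], 40, "unmanaged device"),
        (not asset["patched"], 35, "device unpatched"),
        (not asset["edr"], 15, "no EDR agent"),
    ]
    reasons = [why for hit, _, why in penalties if hit]
    score = max(0, 100 - sum(pts for hit, pts, _ in penalties if hit))
    if score < rule["min_score"]:
        reasons.append(f"score {score} below minimum {rule['min_score']}")
        return Decision(False, score, reasons)
    return Decision(True, score, reasons)


def _sign(key: bytes, body: str) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


class PolicyDecisionPoint:
    """Control plane. The shared HMAC key stands in for a private-PKI mTLS channel."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key

    def request_access(self, req: AccessRequest, now: int):
        """Returns (decision, grant). The grant is short-lived and bound to one resource."""
        decision = trust_algorithm(req)
        if not decision.allow:
            return decision, None
        claims = {"sub": req.subject, "dev": req.device, "res": req.resource,
                  "iat": now, "exp": now + RESOURCE_REQUIREMENTS[req.resource]["ttl"]}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        return decision, f"{body}.{_sign(self._key, body)}"


class PolicyEnforcementPoint:
    """Data plane. Knows nothing about policy; only checks the grant it is handed."""

    def __init__(self, verify_key: bytes, resource: str):
        self._key, self.resource = verify_key, resource

    def check(self, grant, now: int) -> str:
        if not grant or grant.count(".") != 1:
            return "deny: missing or malformed grant"
        body, sig = grant.split(".")
        if not hmac.compare_digest(sig, _sign(self._key, body)):
            return "deny: bad signature"
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["res"] != self.resource:
            return "deny: grant is for another resource"
        if now >= claims["exp"]:
            return "deny: grant expired"
        return "allow"


if __name__ == "__main__":
    key, now = b"demo-control-plane-key", 1_700_000_000
    pdp, pep = PolicyDecisionPoint(key), PolicyEnforcementPoint(key, "payroll-api")
    for req in (AccessRequest("alice", "laptop-01", "198.51.100.10", "payroll-api"),
                AccessRequest("alice", "laptop-02", "198.51.100.10", "payroll-api"),
                AccessRequest("bob", "byod-99", "198.51.100.10", "wiki")):
        decision, grant = pdp.request_access(req, now)
        print(req.subject, req.device, req.resource, decision, pep.check(grant, now + 10))
```

The same user is allowed to the payroll API from a patched laptop and refused from an unpatched one, while the unpatched laptop is still good enough for the wiki: that is the case-by-case, score-based decision the lesson describes, and it is the PDP, not the PEP, that knows why. Once the grant's `exp` passes, the PEP refuses it without any further contact with the control plane, which is what keeps data-plane policy short-lived.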
7. NIST Scenarios - 1: Hi friends, welcome to this lesson. In this lesson we're going to be covering zero trust and the NIST approaches, variations and scenarios. Now, I hope you've understood: we've gone a little bit deeper into zero trust and especially NIST; we talked about the concepts of the PDP and the PEP and how things work basically. So I hope now you're clear that zero trust, as a set of principles, can manifest in many different types of architecture, right? When you actually start to implement it, there are many, many different ways, because that's the reason they've made it high level, right? This is a big strength of Zero Trust, because it places what you call the decision of how you implement these zero-trust principles in your hands, right, the architect's or the administrator's. And you can evaluate and prioritize how you implement these principles in a way that suits your company. But at the same time, because it's so high level and because of the different types of variations that can come, it can be a reason that there seems to be very little clarity here, right? You don't know how to implement it, how to actually implement zero trust and these principles. In these cases, NIST has given some understanding of how to do the PDP and the PEP, how to arrange the technical components, because it will be unique; every company is different, right? So fortunately the NIST document fleshes out, I think, three different architectural approaches, four variations and five types of business-level scenarios, to show you how to implement zero trust in principle. We're going to touch on each of these briefly. And after this lesson, we're going to do a proper case study of an implementation of zero trust. That way you will start to get more and more clarity about how Zero Trust works and how you can implement it.

So let's get started. First of all are the Zero Trust approaches which are in the document. They are high-level, enterprise-level architectural approaches. These are how you would like to think about your overall Zero Trust strategy. They've talked about three ways, which are enhanced identity governance, micro-segmentation, and network infrastructure and software-defined perimeters. So let's take a look at each of them.

Now, enhanced identity governance: in this zero-trust approach or zero-trust strategy, the bulk of the focus is on your user identity. You think about other stuff also, like your device posture and behavior, but they're not the principal criteria. The main thing the policy decision will depend on is the permissions and the identity. So something like a single sign-on, most of your zero-trust approach will be based on that. It's like a centralized policy with a single or a small number of identity provision services, and they will be controlling everything. So you can think of it as, what you call, a focus on identity in this approach, in this Zero Trust strategy.

The other one is micro-segmentation. I'm sure you must have heard of it. It's a network security practice that creates secure zones within data centers or within cloud environments. What they do is they break the segment of workloads into intelligent groupings and you secure them individually. Micro-segmentation is a very, very important topic and I'm going to deep dive into it more shortly. But if you implement it properly, it sets the foundation for a zero-trust model in which only explicitly authorized traffic can move between these perimeters which you define. And critical applications really get what you are implementing: zero trust within the network. In this approach, you basically use things like routers and firewalls as the policy enforcement points, the PEP, and the management of those components you can think of as the PDP role. So this is more of a decentralized approach, because the network segments can be like a smaller set within a big asset, but the decision-making is divided here, so it's more decentralized.

The last one is the network infrastructure and software-defined perimeters. This is also using your network and network infrastructure to enforce policies, similar to micro-segmentation. But here you are talking more about dynamically configuring the network to allow or disallow approved connections. I've seen more of the identity and the micro-segmentation; I'll be honest, network infrastructure and software-defined perimeters I haven't seen that much, just from my own personal experience. But it doesn't have to be one of the three. You can use a combination. Like I said, this is just guidance from NIST. You can use a combination of micro-segmentation and network infrastructure, or a combination of identity and micro-segmentation; completely up to you.

But what I do want to talk about is micro-segmentation. Because like I said, this is a very, very important topic, especially when you're thinking about implementing zero trust, right? So why do we need micro-segmentation? When we talk about network security devices like network firewalls, usually they inspect north-south traffic, which is client-to-server traffic that crosses the security perimeter, and they allow authorized traffic and stop bad traffic. Assets within the perimeter, like we talked about, the perimeter is trusted, which means that the east-west traffic, workload to workload, in this concept the traffic between server and server, may go without inspection. And for most companies, east-west traffic makes up the majority of the data center and the cloud traffic, right? And perimeter-focused devices like your firewall will not have visibility into your east-west traffic. Because of this, malicious actors are able to move laterally, like we talked about, lateral movement, right? So the network attack travels along pathways between the workloads, whether you allow it or not. And usually within the segments, within the subnet, you can travel: a server is able to ping another server, access another server. This is where micro-segmentation comes in and creates isolation. And it really does a deep dive into whether two endpoints should access each other or not. This is really an enforcement of the least privilege principle which we talked about, for containing lateral movement and data breaches. Okay?

So this is how it will look, right? Because you might be saying, hey, I know this, I know about this, this is why we have network segmentation. We implement subnets and network segmentation. When we talked about it, it's a practice of segmenting or isolating a network into smaller subnetworks, or subnets, to prevent movement for attackers, same thing, lateral movement, from a security perspective. What you call network segmentation might do it through firewalls or through NACLs. Now, the drawback to this approach is that usually within the subnet, again, you can travel, right? So please don't take me wrong; I'm not saying creating subnets should not be there, but you should complement that with a zero-trust segmentation, a micro-segmentation strategy. So remember, why do people divide things into subnets? One reason is performance, right? When you divide into smaller subnets or VLANs, it reduces the scope of packets and increases performance, and also security. You can apply network access control lists and VLANs to isolate machines. So in the event of a data breach, they still will prevent a threat from spreading to other networks. Okay? But on top of that comes micro-segmentation, right? Because let's be honest, segmentation sometimes does not match the network architecture, and re-architecting the network or reconfiguring the VLANs and subnets to meet segmentation requirements is very difficult and time-consuming. So micro-segmentation comes in here and it focuses on east-west traffic. And it's usually implemented using software-based security solutions like an agent or a hypervisor-based firewall solution. And it is able to apply security policies at the individual server level, application level, instead of at the network level. So how would it look?
This is what it will look like your network with
micro-segmentation. So your traditional firewalls
can be many places. You don't have to remove them to enable not so differences. But micro-segmentation
will limit, restrict unwanted communication between workloads,
east-west traffic. This is quite important, especially in the Cloud where you have
continuous spinning up. You have Kubernetes
clusters spinning up. And you can't be like assigning them IP addresses,
IP ranges, right? Micro-segmentation
will help out a lot. This addresses network
attacks where the attacker inside the perimeter
and what do you call, it will really limit the
breach of the attack. And this model,
there's a reason I'm doing a deep dive because this is becoming more
and more popular. Okay? So there's a recent
micro-segmentation and zero-trust is so usually they're mentioned
hand-in-hand, right? And the best thing about this, you don't need to re-architect. Your security team
can isolate workloads In an effort to limit the
effect of lateral movement. And usually you can do
it through an agent. Lot of products are there. They use a software
agent and the workload and in first granular
isolation, right? They can leverage the
built-in host firewall, or they can put in their
old controls there. Or you can have a network based segmentation
microsegmentation that relies on your maybe
your firewall, your software defined network. And to use that,
it really depends. All you can have. If
you're in the Cloud, you can use your native Cloud
capabilities such as AWS, security groups as all
firewall firewalls. So those things are there. Now. I hope you understood
the benefits now guys, off micro-segmentation, which is the reason I've gone into a
little bit of a detail here. It reduces the tax
surface, right? Because it will limit
the blast radius even if they broke
through the subnet. It will allow to, and it'll allow you to isolate
the network also, it will really help you fine
tune it and the best thing, it'll give you better visibility into your hybrid cloud
environments, right? And because the traffic
will get monitored, the east-west traffic is
also getting monitored here. Because attacker, if he
tries to move east-west, micro-segmentation
is also stopping. Always east-west traffic is usually considered to
be like a blind spot. Micro segmentation helps you control this blind spot there. And you can create like
a security alerts, which will alert
system administrator if I micro-segmentation is being attempted to
be breached, right? So you'll get better visibility into your hybrid workloads, into your security environments. And of course, dividing the
network into security zones. It can be a little
bit difficult. You need a network administrator with a good understanding
of your network. And you need a guy who knows
the network inside out. So it's challenging, but
the benefits are many. This was the
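To make the difference between subnet segmentation and micro-segmentation concrete, here is an added example (written for this page, not code from the course or from any product): a label-based policy evaluator of the kind an agent on each workload would enforce. All three tiers sit in one subnet, so a plain subnet rule would let any of them reach any other; the policy below is default deny, matches on workload labels rather than IP ranges, records an alert for every denied east-west flow, and renders the inbound allow-list for one host as iptables commands to show how an agent could program the built-in host firewall. The inventory, labels and addresses are constructed for the example.

```python
# Added example (not from the course): a minimal, label-based micro-segmentation
# policy evaluator. Workloads are matched by labels rather than by subnet, the
# default is deny, and every denied east-west flow produces an alert record.
# All names and addresses below are constructed for the example.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: frozenset  # e.g. frozenset({"tier:web", "app:shop"})


@dataclass(frozen=True)
class Rule:
    """Allow src->dst on proto/port when both sides carry the listed labels."""
    src_labels: frozenset
    dst_labels: frozenset
    port: int
    proto: str = "tcp"

    def matches(self, src, dst, port, proto):
        return (self.src_labels <= src.labels and self.dst_labels <= dst.labels
                and self.port == port and self.proto == proto)


@dataclass
class SegmentationPolicy:
    rules: list
    alerts: list = field(default_factory=list)

    def evaluate(self, src, dst, port, proto="tcp"):
        """Default deny: a flow is allowed only if some rule explicitly matches it."""
        if any(r.matches(src, dst, port, proto) for r in self.rules):
            return True
        # A denied east-west flow is the signal the text describes: an attempted
        # lateral move against the segmentation policy, worth alerting on.
        self.alerts.append(f"DENY {src.name}({src.ip}) -> {dst.name}({dst.ip}) {proto}/{port}")
        return False

    def host_rules(self, me, inventory):
        """Render the inbound allow-list for one host as iptables commands, the way
        an agent could program the built-in host firewall (illustrative rendering)."""
        lines = []
        for r in self.rules:
            if not r.dst_labels <= me.labels:
                continue
            for peer in inventory:
                if peer is not me and r.src_labels <= peer.labels:
                    lines.append(f"iptables -A INPUT -p {r.proto} -s {peer.ip} "
                                 f"--dport {r.port} -j ACCEPT")
        lines.append("iptables -A INPUT -j DROP")  # everything else is dropped
        return lines


# Constructed inventory: three tiers inside ONE subnet, 10.0.1.0/24. Classic
# subnet segmentation would let any of these talk to any other.
WEB1 = Workload("web1", "10.0.1.10", frozenset({"tier:web", "app:shop"}))
WEB2 = Workload("web2", "10.0.1.11", frozenset({"tier:web", "app:shop"}))
APP1 = Workload("app1", "10.0.1.20", frozenset({"tier:app", "app:shop"}))
DB1 = Workload("db1", "10.0.1.30", frozenset({"tier:db", "app:shop"}))
INVENTORY = [WEB1, WEB2, APP1, DB1]

POLICY = SegmentationPolicy(rules=[
    Rule(frozenset({"tier:web", "app:shop"}), frozenset({"tier:app", "app:shop"}), 8080),
    Rule(frozenset({"tier:app", "app:shop"}), frozenset({"tier:db", "app:shop"}), 5432),
])


def simulate_flows(policy=POLICY):
    """Replay a few east-west flows, including what a compromised web server
    would try, and return the decisions plus the alerts they generated."""
    decisions = {
        "web1->app1:8080": policy.evaluate(WEB1, APP1, 8080),  # legitimate tier hop
        "app1->db1:5432": policy.evaluate(APP1, DB1, 5432),    # legitimate tier hop
        "web1->db1:5432": policy.evaluate(WEB1, DB1, 5432),    # web skipping the app tier
        "web1->web2:22": policy.evaluate(WEB1, WEB2, 22),      # SSH to a peer in the same subnet
        "web1->app1:22": policy.evaluate(WEB1, APP1, 22),      # wrong port on an allowed pair
    }
    return decisions, list(policy.alerts)


if __name__ == "__main__":
    decisions, alerts = simulate_flows()
    for flow, allowed in decisions.items():
        print(f"{flow:18} {'ALLOW' if allowed else 'DENY'}")
    print("\nalerts:", *alerts, sep="\n  ")
    print("\nhost firewall for db1:", *POLICY.host_rules(DB1, INVENTORY), sep="\n  ")
```

The point to notice is the third and fourth flows: both stay inside 10.0.1.0/24, so a subnet-level control never sees them, yet both are denied and alerted on because the policy is expressed in terms of what each workload is, not where it sits.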
This was the high-level strategy. Now, let's look into what else the document tells us. It also tells us about the deployment variations. These are smaller-scale models for setting up the individual components, the PEP, the policy enforcement point, and the PDP, which we talked about. NIST also tells you how they can be deployed. You can look at it from the device agent/gateway-based model, where you're putting agents on the individual machines. Or maybe you can look at it from the enclave-based model. This deployment model is similar to the device agent/gateway-based one, but it will protect a collection of resources, not just individual devices, right? Okay. What else is there? You can look at the resource portal. With the resource portal there's only one single system which is acting as the policy enforcement point, and all the traffic has to go through there; it is the thing which is controlling everything. And lastly there is device application sandboxing, which relies more on virtualization.

So let's take a look at what we're talking about here, it will be better. This is what NIST is talking about. The first one is the device agent/gateway-based model. In this model, how are you going to implement zero trust? Remember what we talked about with the zero trust architecture, right? You have a control plane and a data plane, and you have a policy enforcement point. So in this style of deployment, the policy enforcement point is split into two components: an agent on the requesting side and a gateway on the resource side, which communicate with each other at the time of the request.

So what will happen? The agent on the requesting system will route the request to the gateway. And the gateway on the resource side will communicate with the PDP, the policy engine and the policy administrator, and the trust algorithm will kick in to verify the request. And usually this type of deployment works well with micro-segmentation, right?

So how would it work? Let's take an example. You might have a user with an enterprise-issued laptop, right? And you want to connect to an application. So what will happen? The local agent will kick in. It will take that request and forward it to the policy administrator. The policy engine, which could be in the cloud or on-prem, will evaluate this request, and if it is authorized, the policy administrator opens a communication channel between the device, the laptop, and the gateway, so that the traffic can flow. It will give both sides the information they need, like IP addresses and a session key, so that temporarily the traffic will get opened and an encrypted session will be set up. Once it's done, that session will get terminated by the policy administrator. Maybe a session timeout will happen, maybe a failure to re-authenticate. But this is how a device agent/gateway-based model will work.
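The laptop-to-application walkthrough above, as an added example written for this page (it is not code from the course, and NIST SP 800-207 does not prescribe an implementation). The PEP is split into a DeviceAgent on the laptop and a ResourceGateway in front of the application; PolicyEngine and PolicyAdministrator together play the PDP. The scoring weights in the trust algorithm, the resource sensitivity levels, the session TTL and the HMAC session tag are all assumptions made for the example.

```python
# Added example (not from the course): simulation of the device agent/gateway
# deployment model. Scoring weights, sensitivity levels, session TTL and the
# HMAC-tagged session traffic are assumptions for the example, not NIST values.
import hashlib
import hmac
import secrets
from dataclasses import dataclass

RESOURCE_SENSITIVITY = {"wiki": 1, "hr-db": 3}  # constructed; higher = more sensitive
SESSION_TTL_SECONDS = 300                       # assumed session timeout


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    device_id: str
    resource: str
    mfa_passed: bool
    device_compliant: bool  # EDR running, disk encrypted, patched, ...


@dataclass
class Session:
    session_id: str
    key: bytes        # shared secret handed to both halves of the PEP
    expires_at: float


class PolicyEngine:
    """Trust algorithm as a simple additive score (assumed weights) compared
    with the resource's sensitivity. Unknown resources are never granted."""
    def decide(self, req):
        score = (2 if req.mfa_passed else 0) + (1 if req.device_compliant else 0)
        return score >= RESOURCE_SENSITIVITY.get(req.resource, 99)


class ResourceGateway:
    """Resource-side half of the PEP: forwards only traffic that carries a valid
    tag under a PA-configured, unexpired session."""
    def __init__(self):
        self.sessions = {}

    def admit(self, sess):
        self.sessions[sess.session_id] = sess

    def revoke(self, session_id):
        self.sessions.pop(session_id, None)

    def forward(self, session_id, payload, tag, now):
        sess = self.sessions.get(session_id)
        if sess is None or now > sess.expires_at:
            return False
        return hmac.compare_digest(hmac.new(sess.key, payload, hashlib.sha256).digest(), tag)


class PolicyAdministrator:
    """Control plane: asks the engine, then configures the data path with
    session material, and tears the session down on timeout."""
    def __init__(self, engine, gateway):
        self.engine, self.gateway, self.active = engine, gateway, {}

    def request_access(self, req, now):
        if not self.engine.decide(req):
            return None
        sess = Session(secrets.token_hex(8), secrets.token_bytes(32), now + SESSION_TTL_SECONDS)
        self.gateway.admit(sess)
        self.active[sess.session_id] = sess
        return sess

    def expire_sessions(self, now):
        """Terminate sessions past their TTL; returns how many were torn down."""
        dead = [sid for sid, s in self.active.items() if now > s.expires_at]
        for sid in dead:
            self.gateway.revoke(sid)
            del self.active[sid]
        return len(dead)


class DeviceAgent:
    """Requesting-side half of the PEP, running on the enterprise laptop."""
    def __init__(self, pa):
        self.pa, self.session = pa, None

    def connect(self, req, now):
        self.session = self.pa.request_access(req, now)
        return self.session is not None

    def send(self, gateway, payload, now):
        if self.session is None:
            return False
        tag = hmac.new(self.session.key, payload, hashlib.sha256).digest()
        return gateway.forward(self.session.session_id, payload, tag, now)


def walkthrough(now=1000.0):
    """The laptop-to-application scenario from the text, step by step."""
    gateway = ResourceGateway()
    pa = PolicyAdministrator(PolicyEngine(), gateway)
    agent = DeviceAgent(pa)
    later = now + SESSION_TTL_SECONDS + 1
    return {
        "wiki_granted": agent.connect(AccessRequest("alice", "lt-001", "wiki", True, True), now),
        "wiki_traffic": agent.send(gateway, b"GET /page", now + 10),
        "expired_count": pa.expire_sessions(later),
        "after_timeout": agent.send(gateway, b"GET /page", later + 1),
        "hr_db_no_mfa": agent.connect(AccessRequest("alice", "lt-001", "hr-db", False, True), now),
    }


if __name__ == "__main__":
    for step, outcome in walkthrough().items():
        print(f"{step:15} {outcome}")
```

Two things are worth noticing: the gateway never consults the engine itself, it only honours sessions the policy administrator configured into it, and once the PA expires the session the laptop's traffic is refused even though the agent still holds the key. That is the control-plane/data-plane split the lesson describes.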
What about enclave-based? Now, enclave-based is very similar. If you look at it from the diagram perspective it's very similar, except that the gateway here is protecting a group of resources, not just one, right? And you can say it's a little bit of a compromise, a little bit of trust is there, because anybody who has permission to get into the enclave can access all the resources inside it, right? So why would we want to do this? Basically, this is usually used for those systems where you can't put those granular approaches in, right? Let's take an example. You might have a laptop that wants to access a legacy application, or an on-premises data center, that cannot have individual agents or gateways. Then you would put a gateway in front of that collection of resources, and it will allow you to access those. Remember, with legacy applications, usually you can't put that sort of zero trust architecture on them. The disadvantage, like I said, is the gateway: because it's a collection of resources, you're not protecting them individually, like in the previous model, right? So maybe it's not as strict on least privilege, but it can be a good compromise where you have legacy applications and legacy protocols.

What else is there? The other one is the resource portal. This is a very centralized approach where you have one system acting as the PEP, the gateway portal, for all the assets or maybe a large group of them. So here you have flexibility, because you don't need agents on all the client assets, right? But it also limits your visibility and control over device posture and user actions compared with the previous two approaches, right? So the advantage, like I said, is you don't have to implement agents. And this might be good for BYOD policies, or where companies are collaborating with partners, so you don't have to ensure that every device has the same agent, right? However, the problem is, of course, you will get limited information from devices because you don't have an agent. The portal can only scan and analyze them once they connect to the PEP portal, right? And it might not be able to continuously monitor them for things like malware or unpatched vulnerabilities. So remember, the main difference here is there is no local agent. You don't get the full visibility you would otherwise get. So you might be putting in other controls to mitigate this. But usually the assets are invisible to the enterprise until they connect to the portal. So just keep this in mind. And remember, the portal also becomes a single point of failure here. So you need to make sure nobody can DDoS it, nobody should be able to compromise it. Okay.

What else is there? We've talked about these three approaches. The last one is the application sandbox. This is quite simple. Basically, we are using virtualization here, such as virtual machines or containers, to isolate the application from the asset it is running on. This is a variation of the device agent/gateway deployment model. So everything here is running compartmentalized, in virtual machines or containers. In this example, you might have a trusted application, and it is communicating with the PEP to request access to resources, but everything else on the asset outside the sandbox, the PEP will refuse, right? The resources could be in the cloud or on-prem. The main advantage of this variant is that individual applications are segmented from the rest of the asset. If the asset cannot be scanned for vulnerabilities or other things, the sandboxed applications are still protected from an attack on the host. Of course, the disadvantage is that you have to maintain all the sandboxed applications, and you might not have full visibility into the rest of the asset, right? You have to make sure that all the sandboxed applications are secure.

So these were the variations, guys, just to go back. You have the device agent-based, you have enclave-based, you have the resource portal and the application sandbox. So these are the different variations NIST has given, and remember, you're not restricted to them. These are based on best practices and the industry standard which NIST has given. Apart from that, we also have the zero trust scenarios, and I'll talk more about that in the next lesson, because this lesson has already become quite large and I don't want to overwhelm you with too much information. So I'll see you in the next lesson; we will continue on to the zero trust scenarios. Okay guys, thank you, and I'll see you in the next lesson.
8. NIST Scenarios - 2: Hi guys, welcome to this continuation of the previous lesson. In the previous one we talked about the deployment variations, right? We talked about the high-level architectures. Now we're going to talk about scenarios. These scenarios are strategic, business-level examples, examples of specific kinds of companies, and they will help you understand what zero trust means in practical terms, when you're implementing it.

So we can talk about, maybe, a corporate office with branches. You have a single primary facility and you need access from secondary facilities or remote staff. How do we implement zero trust in such an architecture? Where would you put the PDP? Or you might have a multi-cloud, cloud-to-cloud enterprise. How would you address that? Maybe you have contractors or non-employee access. Maybe you have collaboration happening across multiple organizations, right? For example, one organization needs access to specific resources which are controlled by another partner organization, but the partner needs to put in zero trust as well. So how would you implement it there? Or you might have an enterprise with public, customer-facing services, so you need to give access to users and assets completely beyond the control of the enterprise. So there are many, many examples. Let's take a look at a few of them in detail.

So let's take a look at the first one, which is the enterprise with satellite facilities. In any enterprise environment, no matter what sort of architecture, you can put zero trust principles in. Most companies already have some aspect of zero trust present, right? But they are on their way to full implementation by implementing the best practices, which is where deployment scenarios and use cases come in. So a lot of the time you can actually put in zero trust fairly easily. Zero trust is especially useful for organizations that are geographically distributed or have remote users, but anybody can benefit.

Let's take a look at the first example here, which is the enterprise with satellite facilities. This is the most common scenario. You have a headquarters, a corporate office, and you have multiple geographically dispersed locations. And they might not be joined by an enterprise-owned physical network; you might be coming in over the Internet. Employees at the remote location might not have a full enterprise-owned local network, but they still need to access enterprise resources. So how would you, maybe you're connected through MPLS and all those connections, how would you implement zero trust, right? You might have employees teleworking, remote working. They might bring their own devices. And your company might want to give them some access to resources like the employee calendar or email, but you don't want remote users accessing sensitive resources like, I don't know, the HR database or something like that, right? So in this case, the policy enforcement point and the PDP, you can host them as a cloud service, right? Because you have so many remote users accessing it, the cloud would actually make sense here. The remote users would not have to depend on the enterprise infrastructure to access resources. So you put an agent on your end users' assets, right? Hosting the policy decision point only on the enterprise local network here would not be a good idea, honestly speaking. So that was the first example.

Next, you might have a multi-cloud, cloud-to-cloud enterprise. This is becoming very, very common, with companies utilizing multiple cloud providers, a multi-cloud environment. In this case, the enterprise might have a local network, but it might be using two or more cloud service providers for hosting applications or data. And sometimes the application is hosted on a cloud service that is separate from the data source. The application might be hosted in one cloud provider and the data source is in another cloud provider. I've seen this. I've seen applications where the application is in one place and the database is in MongoDB's cloud, a completely separate thing. So it's very, very possible. Remember what zero trust says: there should be no difference in how you treat your enterprise-owned assets and assets owned by somebody else, maybe owned by the provider, right? You still need to apply zero trust. So the zero trust approach here, in a multi-cloud, would be to place the PEP, the policy enforcement point, at the access point of each application in each cloud provider. The policy engine and administrator could be services located in one of the clouds or in a third cloud provider. And the client would have a local agent installed that accesses the PEP. This way the enterprise can still access managed resources which are hosted outside the enterprise. The only challenge is that the different cloud providers might have different ways of implementing functionality. So as an enterprise architect, if you're implementing zero trust, you will need to be aware of how to implement zero trust architecture with each cloud provider. Each of them might have a different way. But here the best scenario would be to have some sort of agent installed on your asset, which is controlling the access.

Okay, what else is there? Another common scenario is the enterprise that might have on-site visitors or contracted service providers, and they need limited access to enterprise resources, right? Maybe you have your own internal application services and databases, and some services might be contracted out to other service providers. They may be on-site to provide services, right? They still need network connectivity, and you would allow this, so zero trust would need to provide that access while preventing access to everything else, right? So how would you do it? In this case, the visitors can have some access, maybe internet access, but they can't access corporate resources. You don't want them messing around, right? So in this case, the policy enforcement point and the PDP could be hosted within the network, or they could be hosted in the cloud. And again, your enterprise assets could have an installed agent to access the resources, and the portal and the PDP would ensure that any assets that don't have the installed agent cannot access the local resources, but they can access the other resources, like the internet. So again, this is just guidance from NIST. Like I said, you might have a completely different environment and want to install it differently.

And the last one we're going to discuss, the fourth use case, is cross-enterprise collaboration. What does that mean? Maybe you have a project with employees from enterprise A and enterprise B, right? They may be different agencies, or a private agency accessing a public agency's enterprise. Enterprise A might have the database, but you want to allow access for employees from enterprise B, right? So enterprise A can set up accounts for employees of company B to access it and deny access to all the other resources. But this can become very difficult to manage, right? So it would make more sense to, maybe, establish a federated identity, a single sign-on, right? And the policy enforcement point can kick in when the identity is verified. This can be similar to the use case we talked about when we discussed single sign-on. It can be in the cloud, like Azure AD, Okta or something like that. So you can still put in your other rules which are there, like firewalls and access controls. But by putting the policy decision at the single sign-on, you can really have centralized control there, without the need for agents. Because usually in these cases it might be difficult to install agents, because you're not controlling those devices, right? So here the single sign-on or a cloud-based identity provider might be a more viable approach.

So I hope you understood this, guys. This can be a lot of information to take in. But remember, this is just guidance from NIST. As long as you understand the principles, you don't need to follow it blindly. You can put in your own architecture.

So what are the key takeaways here, guys? NIST provides different variations and scenarios for zero trust, and they are meant as guidance. Micro-segmentation is very, very important; it is one of the most important principles and tools you can use to implement zero trust. And you should really assess your environment, that's what I talked about before; assess your environment for what model works best. And really, don't blindly follow any document. Look at what your environment is and how you can implement it. So I hope this was useful, guys. We did a deep dive into the document and how to implement it. We're going to do more case studies later. But first I want to talk about the threats to zero trust. We talked about zero trust, but what are the risks, the threats, which might come in when you are implementing zero trust? I'll go into more detail in the next section. Thank you, and I'll see you there.
9. Threats to Zero Trust: Hi friends, welcome to this lesson. Now we've covered the NIST document in quite a lot of detail. We've talked about the architecture. And before we move into the case studies, I do want to talk about something which is quite important, which is the threats to zero trust. Yes. It seems a little bit funny, because the whole point of zero trust is to put in security controls, right? To put in a security model which makes your environment more secure. But zero trust itself has some threats which you must be aware of. And this will always be the case. There is no company in the world that can completely eliminate cybersecurity risk. You can put in controls, right? When you put money into a zero trust architecture, it can reduce your overall risk. However, some types of threats are unique to, or specifically target, zero trust access. This is how cybersecurity works: you put in some control, attackers will update themselves. And this has been the same with the internet, with cloud computing, with machine learning. Every time a new technology or new concept comes in, attackers will adapt and they will target it. So the whole point of this section is to look at the threats to zero trust, how they can be mitigated, and what you should be aware of.

Okay, so let's take a look at the first thing. This is a high-level, very simplistic picture of a zero trust environment, right? We have the user, untrusted, accessing the resource. The policy enforcement point is authorizing. The policy decision point, the PDP, is getting information on the control plane from all the other sources, the metadata from the SIEM, GRC, mobile device management, assigning a trust level and allowing people to access.

So in the zero trust architecture, the PEP and the PDP are the key components of the entire enterprise, right? The whole point of zero trust architecture is that no communication between enterprise resources can occur unless it's approved and configured by the PEP and the PDP. So that also means that these components must be properly configured and maintained, right? And you have to make sure that nobody can access them improperly. Nobody should be able to make unapproved changes that can disrupt them, right? And if an attacker is able to find a path that does not go through the approval, maybe through a personal device, they can bypass the decision-making process, right? They bypass the process and access the resource directly. So you have to make sure that the PDP and the PEP are properly configured and monitored, and any attempts to bypass them are properly flagged, right? You can put in alert rules, and you have to make sure that if somebody, maybe a malicious insider, has access to the PDP and the PEP and is making configuration changes, those changes are logged and audited. This is a very simple attack, basically bypassing the zero trust decision process, either by finding a path which you are not aware of or by making configuration changes that downgrade the trust algorithm within the zero trust process. Okay?
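The two detections the bypass threat calls for, as an added example written for this page (not code from the course): over constructed flow logs, any connection that reaches a protected resource from anywhere other than the resource gateway never went through the PEP and PDP decision, so it is flagged as a bypass path; over a constructed PDP audit log, any policy change made by an account outside the approved set, or by an approved account without a change ticket, is queued for audit. The log formats, addresses, account names and ticket convention are all invented for the example.

```python
# Added example (not from the course): detection logic for the bypass threat.
# (1) A flow reaching a protected resource without coming from the gateway is a
#     path around the PEP/PDP decision.
# (2) A PDP policy change from an unapproved account, or without a change
#     ticket, is flagged for audit (catches trust-algorithm downgrades too).
# Log formats, addresses, accounts and tickets are constructed for the example.
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst port")
Change = namedtuple("Change", "ts actor action target ticket")

# Constructed inventory: protected resources sit behind one gateway, so the
# gateway is the only legitimate source of traffic to them.
PROTECTED = {"10.0.5.20": "hr-db", "10.0.5.21": "payroll-api"}
GATEWAY_IP = "10.0.5.2"
PDP_ADMINS = {"svc-pdp-deploy", "sec-admin-bob"}  # accounts allowed to change PDP config

# Constructed flow log, one "ts src dst port" record per line.
FLOW_LOG = """\
1710000001 10.0.5.2 10.0.5.20 5432
1710000002 10.0.5.2 10.0.5.21 443
1710000005 10.0.9.77 10.0.5.20 5432
1710000009 10.0.3.14 10.0.5.21 443
1710000011 10.0.3.14 10.0.3.15 22
"""

# Constructed PDP audit log, one "ts actor action target ticket" record per line.
AUDIT_LOG = """\
1710000100 svc-pdp-deploy policy.update hr-db-policy CHG-4411
1710000130 contractor-joe policy.update trust-threshold -
1710000150 sec-admin-bob policy.update trust-threshold -
1710000160 contractor-joe portal.login - -
"""


def parse_flows(text):
    return [Flow(*line.split()) for line in text.splitlines() if line.strip()]


def parse_changes(text):
    return [Change(*line.split()) for line in text.splitlines() if line.strip()]


def find_bypasses(flows):
    """Traffic to a protected host from anything but the gateway did not pass
    through the PEP, so the PDP never decided on it: that is the bypass path."""
    return [f"BYPASS ts={f.ts} {f.src} -> {PROTECTED[f.dst]}({f.dst}):{f.port}"
            for f in flows if f.dst in PROTECTED and f.src != GATEWAY_IP]


def find_unauthorized_changes(changes):
    """Policy changes must come from an approved account AND carry a change
    ticket; everything else goes to the audit queue."""
    alerts = []
    for c in changes:
        if not c.action.startswith("policy."):
            continue  # logins and reads are not configuration changes
        if c.actor not in PDP_ADMINS:
            alerts.append(f"UNAUTHORIZED ts={c.ts} {c.actor} {c.action} {c.target}")
        elif c.ticket == "-":
            alerts.append(f"UNTICKETED ts={c.ts} {c.actor} {c.action} {c.target}")
    return alerts


def run():
    """Run both detections over the constructed logs."""
    return (find_bypasses(parse_flows(FLOW_LOG)),
            find_unauthorized_changes(parse_changes(AUDIT_LOG)))


if __name__ == "__main__":
    bypasses, changes = run()
    print("bypass paths:", *bypasses, sep="\n  ")
    print("\nPDP config changes to audit:", *changes, sep="\n  ")
```

In a real deployment the "only the gateway may talk to protected hosts" invariant is what a micro-segmentation rule enforces on the resource side; this detection is the monitoring that tells you when that enforcement has been circumvented or misconfigured, which is exactly the case the text says you need to flag.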
Zero Trust Architecture? Remember, we talked
about the PDP is a key component, right? Because they cannot, no resources and
subjects cannot connect to each other without
the PDPs permission and configuring it.
We are the PEP. So if an attacker, he realizes, okay,
I can't access, I'm going to make
sure nobody accesses it and it disrupts or denies access to
the PEP or the PDP. Maybe he'd denial, denial of service attack or hijacking it. It can be basically in fact, the entire enterprise
operations, right? Because all the access
is being mitigated. But I'll get to here and leave. It. Companies can
mitigate this risk by putting the PDP maybe in a properly secure
Cloud environment, or maybe replicating it to
several locations, right? And this will mitigate the risk, but won't completely eliminated
because you can have massive DDOS attacks against Internet service providers,
against the Cloud. So it is possible that attacker
could block traffic to the PEP PWD fee for most of the user accounts
within an enterprise. Maybe you can cut off access to a whole branch or a single, a remote location, right? So in this case only a few subset of
users will be affected. But still this is quite
impactful, right? And this is honestly, but this risk is also there with all your remote
access VPNs also, this is not unique to a
Zero Trust Architecture. And also what could happen is if your PDP is residing
within the Cloud, maybe the cloud
service provider could experience and disruption.
This happens, right? Even with a major service
providers like Google, AWS infrastructure
as a service, could, some operational error
could happen that could prevent the PDP from axis and the entire enterprise
could get locked out if the PDP becomes
inaccessible, right? And some other
thing could happen, maybe the PDP is not able
to access the resources, so it's not able to
grant that access. It's not able to configure that communication
path we talked about. This could happen maybe due
to a performance impact, maybe a DDos attack,
maybe a misconfiguration. Network disruptions,
they happen, right? But remember, this could
happen and the impact would be that the entire
enterprise resource could not be accessible. So keep this in mind, guys. This is another
pair of happening. What else is there? Stolen credentials. So what am I talking about here? Properly implemented? Zero Trust and your policies. They greatly reduce the
risk of an attacker gaining access and doing a lateral movement
insider attack, because you're not allowing anybody to be implicitly
trusted, right? Because, but what if an attacker is able to compromise
an existing account? And like he's attempting to access a resource is not
properly implemented. Zero-trust architecture
should will prevent a compromised account from accessing resources outside
is normal access, right? So the account would be, so, but what does that mean? That means that the attacker, he will be what it is interested in things that they
use anomaly accesses. Using phishing social
engineering, multiple ways, he can actually gain access to the account and try to
access things which are normally
accessed by them for maybe enterprise
administrator accounts, they be valuable to attack us and trying to access
those sensitive data. Now, you might be implementing
MFA to reduce the risk. But remember that maybe if an attacker has
compromised credentials, you might be able to access resources for which
there is love is low. Maybe the company's calendar, the calendar is low risk. So in that case, the
Zero Trust architecture might allow that access. Okay? Because like I said, the zero-trust architecture
reduces the risk and prevents any
compromised accounts for moving laterally. But if they are not authorized to access
it, it will stop it. Right? But if the guy is, maybe he normally
accesses that we saw and the risk level
is lower, right? So in that case, petrosal algorithm might
detect, might say, okay, it's able to actually, because this is something
which he usually accesses and the risk level is not high. So keep this in mind. This is again, it is
very much possible. And of course, as your
environment matures, as your zero-trust
policies mature, you will put in, you will strengthen the trust algorithm
more and more, right? Because the way the Zero
Trust engine takes on that, it'll learn and get more
intelligent overtime. But again, this is
a possible attack. Okay, what are the threats? Are the feds also there? The visibility on the network. Remember, for Zero
Trust to be effective, it has to be looking at all the information
which is their right. It has to be getting most of the traffic so it can
see what is happening. But sometimes all
the traffic which is maybe coming in from
personal devices, right? Or maybe from partners, or maybe from application services which are
not supported, then the Zero Trust engine
will not be able to inspect and look at
the activity, right? And this is something attacker
might be able to utilize. It doesn't mean that
you completely blind, but it could be data which
you are not able to access. In that case, the
Zero Trust engine could look at the source
and the metadata. The source and
destination addresses about the encrypted
traffic and use that to detect maybe it's something a malware
or an attacker did. In new cases, people are
putting in machine learning artificial intelligence that can build up its data over time. But remember visibility
on the network. That is a problem sometimes, apart from the shortage of System and Network Information, what does that mean? Well, remember, for the
secret trusts to be working, it has to be getting so
much information, right? You have to gather data about
access policies or SEM, what he called the
Single Sign-On. Now, this has to be
stored somewhere. And this can, Given a darker information about
which accounts are the most valuable to compromise rate which have the most access
within information. So you have to make sure that wherever the Zero Trust engine is storing that information that is hard and the
underlying infrastructure has to be heartened to
prevent unauthorized access and access attempts. Because these
resources are vital to security and to the
zero-trust ecosystem, they should have the most
restrictive policies and you should be able
to access them maybe for my PIM privileged
identity management and from a jump server. So again, this is something
you have to think about. Reliance on proprietary
data formats and solutions.
That's the next threat in the standard. What does that mean? Well, zero-trust architecture relies on several different data sources to make access decisions, right? We talked about this: data about the subject, about the asset being used, external threat intelligence. And a lot of the time the products used to store and process that information don't have a common, open standard for how to interact with them and how to exchange information. This can lead to vendor lock-in. Maybe you're locked into a particular zero-trust product, a particular zero-trust provider. And if that provider stops support, or doesn't give you access to the data in a usable format, you might have serious problems. You might have to look at replacing assets, going through a long transition program, translating the policies. Now, like we talked about earlier, this is not unique to zero-trust architecture. But because zero-trust architecture is so heavily dependent on information, and sometimes on service providers, this sort of thing can impact the core functions, right? So you should evaluate different service providers and make sure you've accounted for this risk. Make sure you're not locked in. Have supply chain risk management in place in addition to the SLAs and the services themselves.
Okay. What is the last thing? The last one is the use of non-person entities, NPEs, in zero-trust administration. What does that mean? Basically, you have things like service accounts, artificial intelligence, and other software-based agents which are deployed to manage security issues. And these components will need to interact with the zero-trust engine, the PDP and the PEP, instead of a human being interacting with it. So the question is how these components authenticate themselves to the zero-trust system, because this is an automated thing; it is not a human being who is accessing it. And you can understand the issue: what if somebody compromises that service account or compromises that system? The zero-trust architecture might not be evaluating it the way it evaluates a human being, which could lead to incorrect risk decisions. An attacker could trick the zero-trust architecture by making it think it's an AI system or a service account. Because these will have a lower bar for authentication, maybe just an API key or a certificate, if that credential gets compromised, the attacker will be able to interact with the zero-trust engine by making it think it's a non-person entity. So remember, this is something you have to evaluate on a case-by-case basis. Look at what authentication measures are there, and what metadata you can give the zero-trust architecture about these entities.
Okay guys, I hope this was informative and made you realize that there are threats to zero-trust architecture. I don't want to paint you a rosy picture that zero-trust architecture will be completely amazing and no threats are there. This is giving you a realistic picture of it. In the next lesson, we're going to talk about a case study. We're going to look at how to actually implement zero trust in a network and how it would work. Okay, thank you. I'll see you in the next lesson.
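To make the NPE threat above concrete, here is an added example (mine, not code from the course or from NIST SP 800-207) of how a PDP could treat a request from a non-person entity: it refuses a static API key outright and instead requires a short-lived token that is signed by the workload identity issuer, addressed to this PDP, registered in an NPE inventory, and scoped to the exact action being requested. The key, the registry entries, the token layout and the names are all assumptions for illustration.

```python
"""PDP-side check for non-person entity (NPE) credentials.

Added illustration for this lesson, not code from the course or from
NIST SP 800-207. Key, registry, token layout and names are assumptions.
"""
import base64
import hashlib
import hmac
import json
import time

# Assumption: the PDP and the workload-identity issuer share this key.
# A real deployment would use asymmetric keys or a workload identity
# system (certificates bound to the workload), never a secret in code.
ISSUER_KEY = b"example-issuer-key-for-illustration-only"
PDP_AUDIENCE = "pdp.example.internal"
MAX_NPE_TOKEN_LIFETIME = 300  # seconds: NPE credentials should be short-lived

# Assumption: inventory of approved NPEs and the only scopes each may use.
NPE_REGISTRY = {
    "svc-patch-agent": {"policy:read", "asset:report"},
    "svc-siem-forwarder": {"telemetry:write"},
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub: str, scope: str, now: int, lifetime: int = 120) -> str:
    """Issuer side: mint a short-lived, single-scope token for a workload."""
    claims = {"sub": sub, "aud": PDP_AUDIENCE, "scope": scope,
              "iat": now, "exp": now + lifetime}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_npe_request(credential: dict, action: str, now: int) -> tuple[bool, str]:
    """PDP side: may this NPE perform `action` right now?

    Static API keys are refused outright: they do not expire, are not bound
    to a workload and carry no scope, so a stolen one lets an attacker
    impersonate the NPE indefinitely.
    """
    kind = credential.get("type")
    if kind == "api_key":
        return False, "static API keys are not accepted for NPE administration"
    if kind != "token":
        return False, "unknown credential type"
    try:
        body, sig = credential["value"].split(".")
        expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return False, "bad signature"
        claims = json.loads(_unb64(body))
    except (ValueError, KeyError):
        return False, "malformed token"
    if not isinstance(claims, dict):
        return False, "malformed token"

    if claims.get("aud") != PDP_AUDIENCE:
        return False, "token was not issued for this PDP"
    iat, exp = claims.get("iat"), claims.get("exp")
    if not (isinstance(iat, int) and isinstance(exp, int) and iat <= now < exp):
        return False, "token expired or not yet valid"
    if exp - iat > MAX_NPE_TOKEN_LIFETIME:
        return False, "token lifetime too long for an NPE credential"
    allowed = NPE_REGISTRY.get(claims.get("sub"))
    if allowed is None:
        return False, "unregistered non-person entity"
    scope = claims.get("scope")
    if scope != action or scope not in allowed:
        return False, f"scope '{scope}' does not permit '{action}'"
    return True, "ok"


if __name__ == "__main__":
    now = int(time.time())
    token = issue_token("svc-patch-agent", "policy:read", now)
    print(verify_npe_request({"type": "token", "value": token}, "policy:read", now + 5))
    print(verify_npe_request({"type": "api_key", "value": "AKIA-example"}, "policy:read", now))
    print(verify_npe_request({"type": "token", "value": token}, "policy:write", now + 5))
```

The metadata the lesson asks you to feed the architecture is what the check keys on: who issued the credential, which workload it belongs to, how long it lives, and the one action it is good for. A compromised token is then worth a couple of minutes of one narrow operation rather than standing access to the engine.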
10. Case Study 1: Hi friends, welcome to this lesson, in which we're finally going to do an actual case study of a zero-trust architecture implementation. So just a quick recap. We've gone over zero trust, we've gone over the history of zero trust. We've talked about the concepts and the principles. We did a deep dive into the NIST standard. We talked about the threats, and the different deployment variations. Now let's actually look at how it would get implemented, at a very high level.
So remember what we talked about: zero trust, at a high level, is a philosophy. It can support many, many types of architectures and many, many different commercial products. So remember there is no single right architecture, and each organization needs to look at its own requirements, what they want, and then develop the right approach to implementing zero trust. Given that there are so many ways of implementing it and each company is different, it's not possible to create a one-size-fits-all zero-trust architecture. But what I'm going to do is give you a very high-level architecture of a company, and then we're going to create a simplified zero-trust architecture for it, and look at how to implement it and what components we would put in. I've tried to keep it high level but representative of an actual company you might encounter. It might not be as detailed as a real one, because if I make it too detailed it won't be as applicable to everybody. But this particular case study is going to have elements which are common to many, many companies, and then I'll show how you would go about implementing the zero-trust components within that model.
So remember what I talked about. Zero trust is not a one-size-fits-all approach. There is no magical single solution that fits everybody. And it's also not a cybersecurity solution, it's not a product. I talked about this before. It's not something you just implement, turn on, and now you're zero-trust certified. It doesn't work like that. What the zero-trust principles can do is provide guidance on how to continuously mitigate and manage risk. For many companies it's a journey. Some companies might already have a very good security baseline, and maybe only a few refinements are needed for a successful deployment of zero trust. Others might need to build new products, deploy new ones, or replace existing assets to implement the zero-trust concepts. So irrespective of where you're starting out, remember what I told you: zero trust takes time. It could be a multi-year, multi-domain, multi-stakeholder project. It has its own challenges, which we're going to talk about. I just want you to be very realistic. Anybody who tells you that zero trust is very easy, just implement my product and boom, you're zero-trust compliant: that is completely bogus.
It doesn't work like that. Okay. So let's take a fictional company. We have a company, let's call it XYZ, and they've built up a mature cybersecurity framework over time. So this is not a company without security controls. They do have security controls, and we're going to look at what those controls are. What has happened is that the CISO is worried about remote users. More and more cloud usage is coming. More and more people are connecting over the Internet. He's under pressure to implement BYOD and under pressure to implement partner access. So he has researched zero trust, he likes it, and he has asked you, maybe you're the cybersecurity manager there, to implement a zero-trust framework and use the NIST standard as the best-practice guideline. So how would you go about it?
Let's take a look at this company. This enterprise might have a head office and multiple branches. They have workloads within their internal network: you can see they have firewalls, and they have servers which access databases inside the internal network. On the left side you can see they have a DMZ, so remote users connect via VPN and then access the internal network. Customers come in through the firewall and access a web server. They also have Infrastructure as a Service: they are using cloud, and it's connected over a VPN. From the security perspective, they have single sign-on, they have a SIEM solution, and they have admins within the internal network who access the internal servers through the PIM solution. So you can see that, like most companies, this one has a variety of access control and network mechanisms and an ecosystem of security components.
Now we want to think about implementing zero trust here. This is not a company with no security. They have firewalls, they have segmentation, they have PIM, they have single sign-on, they have a SIEM. They have these good practices already. But now, because of the pressure to support more BYOD, more remote working, hybrid working, and more partner companies coming in, you want to look at implementing zero trust.
Quick review. Remember what we talked about: this is the simplest deployment of zero trust, with the concepts and components as NIST defines them. You want a PDP, a policy decision point, which takes input from multiple sources for its trust algorithm and resides in a secured control plane. Then you have the data plane. Here the user wants to access a resource, and the request has to go through a policy enforcement point before it can access anything. The PEP communicates with the PDP and says, hey, is this guy trusted enough to access this? And the PEP has to enforce those zero-trust principles. So this is what we want to deploy.
One of the key things to consider when you're starting out: where do I put the PDP, where do I put the policy enforcement point, and should I micro-segment? These are the initial questions you should be thinking about. We're not going to go through the roadmap, the management support, and all of that here. I want you to think about the architecture right now. Assume that you have the budget, and assume that you have already been given the full support of management, so you don't have to worry about those things here.
On the lower left of the diagram I've put in the symbols for the PDP and the PEP. The first thing we want to think about is where to put the PDP, which is pretty much the heart of our zero-trust system. In reality, for any company implementing zero trust, the PDP will probably be a commercial product, or it might be a different technical system that you are connecting to through APIs and business processes. It can be a product, it can be your own internal deployment; zero trust doesn't bind you to any specific type of product or technology.
But if it was me doing it, I would deploy the PDP near the SSO. If you remember, when we talked about zero-trust strategies earlier, we talked about a centralized identity governance model. Zero trust is, in my opinion, very much identity-centric, and your PDP must have a very tight, trusted relationship with the identity provider and the SSO provider, whatever that product is. So the PDP should be deployed here and configured so it can take data from the SSO, directly or indirectly. If it's a product, you can configure it with a service account to make API calls, and secure the PDP's connection with certificates. That lets you use it for identity governance. Personally, that is what I would do, because if it's single sign-on, everything is authenticating here, and that gives you the best view of access. From here it can also connect to the SIEM solution. In my opinion this would be the best place to deploy the PDP.
Now, we've talked about the PDP. What about the policy
enforcement point, which is basically where access is controlled from, right? In my opinion, you can see I would deploy it near the VPN and the firewalls, within the internal firewall also, and at the cloud level. My perspective is that for an effective zero-trust model, you need PEPs that are centrally managed but distributed across the ecosystem, and the PDP must control PEP behavior according to the policies I told you about, which are dynamic and context-sensitive and are enforced throughout the environment. These PEPs can be of different types. They don't have to be a product; maybe you can utilize the existing firewall or the existing VPN, and we're going to talk about that. So, for example, the PEP at the firewall in the DMZ only lets users through once the PDP has authenticated them and said, okay, these people are allowed, based on the permissions the PDP assigns. And the PDP is going to look at the different sources, the SSO and the SIEM, and those mechanisms. Similarly, the internal network PEP and the cloud infrastructure PEP are going to go back and query the PDP, which again queries the SSO. So these are the areas where I would deploy the PEP. And how would it actually work in practice?
Sorry, my apologies, one thing I forgot: micro-segmentation, of course. If you look at the internal servers, your firewalls are wonderful for north-south traffic, as we talked about earlier. But you need micro-segmentation there to restrict the communication between the workloads, the east-west traffic. I forgot to mention those policies. So yes, I would definitely implement micro-segmentation at the server level, because that addresses the case where an attacker was able to penetrate the perimeter and tries to move laterally. Micro-segmentation is a great way to implement zero trust, as I talked about earlier, and you don't need to re-architect: you could probably use a software agent, or your existing firewall controls, to implement micro-segmentation in an agent-based way. So that is what I would be doing.
Now that you have the PDP deployed, the PEPs, and some form of micro-segmentation, how would it work in reality? This is how it would go. Say some user is trying to authenticate and access a resource. He goes to the PEP, and the PEP sends the request across to the PDP: hey, this person is trying to access this resource, are they allowed? Now, the PDP would query, or make an API call to, the SIEM solution and the SSO. The SIEM solution would probably have everything: it would look at all the contextual information, maybe the overall threat level on the network, and the risk level for this user. The zero-trust system evaluates these attributes and, based on the trust algorithm, makes a decision. Maybe it says, hey, the risk level is medium right now, we need to enforce MFA. Or maybe the risk level is high: sorry, you can't access it. So it assesses the risk level, assigns a policy for this user, and sends it back to the PEP. Then the PEP allows or disallows access. If the risk was low, it would just allow access. If it was medium, it would say, sorry, you need to complete MFA. If the risk level was high, the policy would be: sorry, access denied. So this is at a high level. Theoretically, this
is how it would work. Of course, it's never so simple in real life, right? If you go back to the diagram, we looked at deploying PEPs: maybe we can use the firewall as a PEP, the VPN as a PEP, the cloud-native tooling as a PEP. But, as I said, it's never that simple. What would be required for a tool to act as a policy enforcement point? This is quite important. What makes a security component a PEP for zero trust? Maybe you have an old firewall. Can you treat it as a PEP? Maybe you have an old VPN component. Can you treat it as a PEP? The answer is: it depends on what the tool can do. Does the firewall, does the VPN, have the ability to enforce the identity-centric and context-sensitive policies of a PEP? Can it say, if the risk level is low, allow; if the risk level is medium, enforce MFA; if the risk level is high, disallow? Can it do those dynamic policies? Can it automatically change its policies based on what the PDP is saying? Can it securely communicate with the PDP? Remember what we talked about: the control plane has to be secure. A lot of times your traditional firewalls might not be able to meet these requirements, because they don't have that intelligence. And the PEP has to be dynamically configured by the PDP and be able to adjust its policies in an automated way. That is a key capability for implementing zero trust, and one of the fundamental things you have to be able to do: enforce identity- and context-sensitive policies. The PEP must be able to receive ongoing updates from the PDP and automatically adjust its policies in real time, without a human being going in and configuring it. Honestly, this is the only way you can achieve the responsive, dynamic nature of zero trust, even at a small scale. So maybe your firewall cannot do it and you might need to replace it. But maybe the firewall is a next-generation firewall with intelligence and network security automation, and then you might be able to consider it as a PEP. This is where you need to look at your architecture and decide what needs to be replaced and what needs to be implemented. So this is very important, guys. Please keep in mind what actually makes a PEP, whether it's able to enforce or not. In future lessons I'm going to show what happens if you can't enforce all of these mechanisms, and what solutions are available within this framework. So keep these things in mind; it's very, very important.
So this is what we talked about earlier. This is how I would implement zero trust here, but like I said, there is no correct or incorrect way of implementing it. If I was reviewing my own design, I would say I've made two mistakes. I have not micro-segmented the servers. I've only implemented micro-segmentation at the database level; you can see I've not done it at the server level, which I should have done. And what about micro-segmentation at the cloud level, in the Infrastructure as a Service? That is something that should have been evaluated. So even just looking at it right now, I can see areas where I would need improvements. We've deployed PEPs there, and of course they will have to be looked at. I also didn't add a PEP for the administrators coming through the PIM; I forgot to talk about that, but you would have to have a PEP there as well. So this is again where the PEP would come in. Maybe the PIM is able to support this, maybe you would need additional intelligence or support from the vendor. But at a high level, this is how you will need to think when you're enforcing zero trust.
So I hope this gives you an idea and got you into the zero-trust mindset, guys. We're going to look at it more in the next case study, and I want you to do that one. I'm not going to help you that much; I'll just give you a high-level scenario. But remember the key takeaways from this lesson, which are important. There is no one-size-fits-all approach; every approach is different. Zero trust is a philosophy, and it can accommodate a lot of different solutions, a lot of different models, a lot of different products. You need to understand your architecture. Very, very important. If you don't know your architecture, you will not be able to implement zero trust, or you will put in products that a user can completely bypass because you were not aware of the network path. Do not go for a big-bang approach. If you go back to the diagram and start implementing all of these things at the same time, you're going to have a massive outage and people will not be able to access anything. Take your time: maybe implement it at the VPN level first, or at the infrastructure level first, the PEP and the PDP, and do it over time. Don't start with policies that block anything; don't enforce blocking policies at the start; slowly, slowly iterate over time. This is very important. Remember, zero trust is wide enough to accommodate a lot of approaches. I hope this case study was useful to you guys. In the next one, I'm going to go over another case study, but this one I want you to do, and share with me the result. Thank you guys, and I'll see you in the next lesson.
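The low, medium and high flow walked through in this case study, as an added example (mine, not the course's code or any product's): a PDP trust algorithm that combines the SSO directory, the SIEM's threat and device-posture view and the resource policy into allow, step-up MFA or deny, and a PEP that enforces whatever the PDP returns and logs it. The user, device and resource data are constructed stand-ins for what the PDP would pull from the SSO and SIEM APIs; the rule that high-sensitivity resources are never served to a non-compliant device is my assumption, not something the lesson specifies.

```python
"""Worked PDP/PEP exchange for the XYZ case study.

Added example for this lesson; not code from the course or any product.
SSO, SIEM and resource data are constructed stand-ins for API responses.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP_MFA = "step_up_mfa"
    DENY = "deny"


@dataclass
class AccessRequest:
    subject: str
    resource: str
    device_id: str
    mfa_completed: bool = False


# Constructed sample data (assumptions, not any vendor's schema).
SSO_DIRECTORY = {
    "alice": {"groups": {"finance"}, "disabled": False},
    "bob": {"groups": {"engineering"}, "disabled": False},
    "mallory": {"groups": {"finance"}, "disabled": True},
}
SIEM_VIEW = {
    "network_threat_level": "medium",  # overall threat level on the network now
    "user_risk": {"alice": "low", "bob": "high"},
    "device_posture": {"laptop-01": "compliant", "byod-07": "unmanaged"},
}
RESOURCE_POLICY = {
    "finance-db": {"allowed_groups": {"finance"}, "sensitivity": "high"},
    "wiki": {"allowed_groups": {"finance", "engineering"}, "sensitivity": "low"},
}
LEVEL = {"low": 0, "medium": 1, "high": 2}


def trust_algorithm(req: AccessRequest, sso=SSO_DIRECTORY, siem=SIEM_VIEW,
                    policy=RESOURCE_POLICY) -> tuple[Decision, str]:
    """The PDP: fold identity, entitlement and context into one decision."""
    user = sso.get(req.subject)
    if user is None or user["disabled"]:
        return Decision.DENY, "unknown or disabled subject"
    res = policy.get(req.resource)
    if res is None:
        return Decision.DENY, "unknown resource (default deny)"
    if not user["groups"] & res["allowed_groups"]:
        return Decision.DENY, "subject is not entitled to this resource"

    posture = siem["device_posture"].get(req.device_id, "unknown")
    # Assumed rule: high-sensitivity data never goes to a non-compliant device,
    # however strong the authentication.
    if res["sensitivity"] == "high" and posture != "compliant":
        return Decision.DENY, f"device posture '{posture}' not allowed for high-sensitivity resource"

    # Take the worst contextual signal; missing data counts against the request.
    signals = [
        siem["network_threat_level"],
        siem["user_risk"].get(req.subject, "medium"),
        {"compliant": "low", "unmanaged": "medium"}.get(posture, "high"),
    ]
    risk = max(signals, key=LEVEL.__getitem__)
    if risk == "high":
        return Decision.DENY, "risk level high"
    if risk == "medium" and not req.mfa_completed:
        return Decision.STEP_UP_MFA, "risk level medium: MFA required"
    return Decision.ALLOW, f"risk level {risk}"


class PolicyEnforcementPoint:
    """Sits in front of the resource and does nothing the PDP has not approved."""

    def __init__(self, pdp=trust_algorithm):
        self.pdp = pdp
        self.audit_log: list[tuple[str, str, str, str]] = []

    def handle(self, req: AccessRequest) -> str:
        decision, reason = self.pdp(req)
        self.audit_log.append((req.subject, req.resource, decision.value, reason))
        if decision is Decision.ALLOW:
            return f"forwarded {req.subject} -> {req.resource}"
        if decision is Decision.STEP_UP_MFA:
            return "challenge: complete MFA and retry"
        return "denied"


if __name__ == "__main__":
    pep = PolicyEnforcementPoint()
    for req in (AccessRequest("alice", "wiki", "laptop-01"),
                AccessRequest("alice", "wiki", "laptop-01", mfa_completed=True),
                AccessRequest("bob", "wiki", "laptop-01", mfa_completed=True),
                AccessRequest("alice", "finance-db", "byod-07", mfa_completed=True)):
        print(req.subject, req.resource, req.device_id, "->", pep.handle(req))
```

Notice that the PEP holds no policy of its own: the same request gets a different answer when the SIEM's network threat level changes, which is the "dynamic, context-sensitive" behaviour the lesson says a firewall or VPN must be able to take from the PDP before you can call it a PEP.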
11. Case Study 2: Hi friends, welcome to this lesson. Remember what I talked about with the case study: we've done one case study where I went over how a customer might re-architect their current environment to enforce zero-trust principles. Now we're going to look at another case study, but this time I want you to do it. Take a look and let me know how you would go about it.
In this one we're talking about a company, ABC, and they are launching a web application that is used by customers and agents for booking holidays. It's a simple web application: it connects to a database, and there's a backup server. Administration is done in-house: the system admins use a hardened jump server to connect to the servers via SSH for maintenance, and this is done internally only. Again, the CISO is worried about cyber attacks and ransomware coming in and spreading very quickly from the on-prem environment to the cloud and to the backup server, about the admin suddenly turning malicious, about something happening to the web server. All of these things are there. So he has asked you to re-architect the environment using zero-trust principles as per the NIST standard.
If we take a look, this is just a high-level diagram. From the left, the users and agents are connecting via HTTPS to the booking web application. We have an admin using a jump server, connecting via SSH to the web server, to the database, and to the backup database. Over a VPN, backups are happening to the cloud for disaster recovery. So in this environment, we are looking at implementing and enforcing zero-trust principles. I've deliberately kept it high-level because I want you to architect it. Remember, a lot of companies already have something like this: in this case, you can see they have servers, they have a VPN, a basic level of security is already there. Now they want to look at enforcing zero-trust principles. So I want you to use the knowledge we've talked about. What are the principles? How would you go about enforcing them? Where would you start? Remember, there is no right or wrong process here; you want to look at the zero-trust principles and how to enforce them. I want you to assume that everything they have within their environment can support zero trust; we'll talk more about the case where it can't later on. But here I want you to think about what you would do.
When we talk about these things, remember we talked about where you would put the policy decision point. Does this environment have any firewalls? If not, that's already a gap, but let's assume there are firewalls. Where would you put the policy decision point? Is there a single sign-on here? If not, you might need to put one in. Where would you put the policy enforcement points? There's a jump server; customers are accessing over HTTPS, and there I don't think you need one. But wherever you put the policy enforcement points, look at where all the connections are happening. Where would you apply micro-segmentation in this environment? So, looking at this environment, think about what you would do. Where would you put the PDP? Where would you micro-segment to prevent lateral movement? Where would you put the policy enforcement points, like the firewall, the VPN, those sorts of things? Take a look and let me know how you would go about enforcing zero trust. I've deliberately kept it high-level; I don't want to make it too detailed so it becomes too complex for you, because I realize it's probably your first time implementing zero trust. So take a look at it. Don't worry about making mistakes. Like I said, zero trust is a journey; you'll get better and better at it over time. Take a look and share the results with me.
Okay guys, I'll see you in the next section. In the next section we're going to talk about an important topic: what if you can't support zero-trust principles? What if you have legacy applications or products which cannot support zero trust? What do you do in that environment? Okay. Thank you, and I'll see you in the next section.
12. Lack of Support: Hi everyone. In this topic, we're going to talk about a very
important topic, which is, what if on some products are some applications that
you can't support? I cannot implement zero-trust,
and this is a very, very common scenario, a very,
very practical scenario. So it is possible, not practical to
implement zero-trust across all of your environment. Okay? So then you have the option of building what
we call a mixed state. You can implement zero-trust or like you can broadly
implement zero-trust. So part of your architecture will be implementing zero-trust, but you still need to access systems that cannot implement zero-trust
principles, right? It is always
recommended that you have your uniform gyrotrons, but we don't live in a
perfect world, right? So you will have things like legacy applications or you might have things which
cannot support, right? So your core services
should be included. But what he called you, some applications can not
get the benefit, right? This is where the
situation comes in. So let's take a look
what could happen. So you, on a journey you'd like, if you're going on a journey Towards the zero-trust
architecture, you will find out that some applications
are not supported. They can't implement
zero-trust principles, right? And what you can do is you
can look at a few ways of enabling access while still having the benefits of Zero
Trust for the whole system. Like I said, we call
this a mixed state. They can be many reasons, right? Like not all systems
services applications can be integrated into
a zero trust network. And you don't have to abandon your whole
zero-trust project, right? Sometimes direct
integration isn't possible because maybe the system is incompatible with
technologies that enable zero-trust or
because it's unsuitable. If you remember, we talked about earlier firewalls not being able to support
dynamic policies. Maybe they're incompatible
with a zero-trust system. Like a system service
application might be incompatible because it doesn't support policy engines, right? It's just a dumb device. It can support dynamic policies, or it doesn't support modern authentication
methods like SAML or OT, like those are things which are often released by
a policy engine, but a zero-trust engine. And what happens is your
policy enforcement point. It passes that policy document, maybe a Docker then device
does not support it, right? Maybe it doesn't support
secure protocols. That communications are
not adequately secured, limiting the ability to connect. Remember, we talked about that when you're connecting
to the control plane, it has to be secured, right? Maybe those products are
using obsolete products. Maybe the software
vulnerabilities are there, right? And because of that,
your trust goes down or maybe the most common within usually I see it's a
legacy application. Legacy or traditional
authentication method is there. So their authentication is being handled by
the application. So it's difficult to integrate with a zero-trust architecture. So what do you do now? I mean, you can't just
abandoned and say, Sorry, we can't implement
zero-trust, right? No, that's not the issue. So if you remember, we talked about earlier when you talked about zero-trust
deployed variations and we talk about an enclave, this deployment is, it's similar to putting a
gateway there, right? It like the gateway will
be protecting a resource of like a grouping
of resources, right? It's a type of a
compromise within Zero Trust principles
because everything within the enclave is trusted because all the checking has been
done by the gateway, right? So this represents a way
to implement zero-trust on systems that are not like
compatible fully, right? It's not able to fully support Zero Trust for
enterprises that have legacy applications
or control systems which are not fully
under their control, that cannot have
individual agents. So gateways in place, this
one on this type of thing. You can put something like a
gateway and you can do it. But remember that within
the resource, yeah, you have to make sure
that the gateway is the only way to
access these resources. What if somebody
bypasses, then yeah, you would have to
compromise a zero-trust when we talk about the
threat which are there. So this type of model would be very suitable
in such an environment, but how would you go
about enforcing it? So this is where the
practical implementation part comes and says something
called a zero-trust proxy. This can be something
that you already have. Maybe one of your
firewall devices next generation
can support this. You might need to buy
a product, but yeah, a zero-trust proxy
is often used to mediate connections in a
zero-trust architecture. And it's sometimes it can be used in a
fully secret trust, but usually it's used in a
mixed state where it sits between your users and the systems are legacy
applications, right? The clients, the users, will connect to the proxy, and the proxy then manages access to the application in line with zero-trust policies. Using a zero-trust proxy in this way allows secure access to applications that cannot support zero trust themselves. So how does it work? Usually it comes in two parts: a proxy server and a proxy connector. The proxy server is the policy enforcement point. It controls access to the applications. It connects to the trust algorithm, the Zero Trust model, and gets the policies, right? To make decisions, the policy enforcement point will communicate with the policy engine. Once the Zero Trust engine grants access to the application, the proxy will forward the traffic to the proxy connector, and we'll see a diagram of this. The connector has a secure bi-directional channel to the proxy server, usually over TLS. And that is basically how the connectors you've deployed within the environment handle access to the legacy applications, right? So this is how you would actually do it for an application.

So what would it look like? Something like this, right? You can see the user connecting to the zero-trust proxy. The zero-trust proxy connects to the PDP, where it gets the policy, and based on that the proxy server makes the decision. Once the policy engine grants access, it forwards the traffic to the proxy connector. So it goes through the firewall and then to the proxy connector. The proxy connector usually has a secure channel, usually TLS, because you want to make sure all the traffic is encrypted, right? And then the connector is the one giving the access.

So connectors have to be deployed in a location where they can access the applications, right? And they need outbound access to the zero-trust proxy. You can put the connector on a separate machine; it's usually up to you how you want to architect it. But what is very important is that all traffic to that legacy application goes through the proxy connector and there are no shortcuts. You can't allow it to be bypassed using some other protocol or some other authentication method, because then, with the threats we talked about earlier, you would be bypassing the zero-trust architecture. So you have to configure the application to accept connections only from the proxy connector, and you can enforce this at the network layer using firewall rules. These are the things you have to keep in mind.
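As an added illustration (this is not code from the course, and not any vendor's product), here is a minimal Python model of the flow just described: user to proxy server (PEP), PEP to policy engine (PDP), PDP decision, then forwarding through the connector to a legacy application that accepts connections only from the connector. The class names, the three policy rules, the connector address and the sample requests are all assumptions made for the example; in a real deployment the "only from the connector" check is a firewall rule on the application host, not application code.

```python
"""Added example: a toy zero-trust proxy in front of a legacy application.
Everything here (names, rules, addresses, requests) is hypothetical."""
from dataclasses import dataclass

CONNECTOR_IP = "10.0.5.10"   # assumed address of the proxy connector


@dataclass(frozen=True)
class Request:
    user: str
    app: str
    source_ip: str          # where the request reaches the proxy from
    mfa: bool               # did the user complete MFA in this session?
    device_managed: bool    # is the device enrolled in MDM?
    device_compliant: bool  # did the MDM mark it compliant?


class PolicyEngine:
    """PDP: the trust algorithm. Returns (allowed, reason)."""

    def __init__(self, entitlements):
        self.entitlements = entitlements   # app -> set of allowed users

    def decide(self, req):
        if req.user not in self.entitlements.get(req.app, set()):
            return False, "user not entitled to app"
        if not req.mfa:
            return False, "MFA required"
        if not (req.device_managed and req.device_compliant):
            return False, "device not managed/compliant"
        return True, "ok"


class LegacyApp:
    """The app that cannot do zero trust itself. Its only control is the
    equivalent of a firewall rule: accept connections only from the connector."""

    def __init__(self):
        self.served = []

    def connect(self, source_ip, user):
        if source_ip != CONNECTOR_IP:
            return "refused: not from proxy connector"
        self.served.append(user)
        return f"hello {user}"


class Connector:
    """Deployed next to the app, reaches the proxy outbound over TLS. Here it
    just relays, stamping its own source address on the connection."""

    def __init__(self, app):
        self.app = app

    def relay(self, req):
        return self.app.connect(CONNECTOR_IP, req.user)


class ProxyServer:
    """PEP: every request is checked with the PDP before being forwarded."""

    def __init__(self, pdp, connector):
        self.pdp = pdp
        self.connector = connector
        self.log = []   # audit trail of every decision

    def handle(self, req):
        allowed, reason = self.pdp.decide(req)
        self.log.append((req.user, req.app, allowed, reason))
        if not allowed:
            return f"denied: {reason}"
        return self.connector.relay(req)


def build_demo():
    """Wire up one legacy app, one connector, one PDP and one PEP."""
    app = LegacyApp()
    pdp = PolicyEngine({"payroll": {"alice", "bob"}})
    return ProxyServer(pdp, Connector(app)), app


if __name__ == "__main__":
    proxy, app = build_demo()
    print(proxy.handle(Request("alice", "payroll", "203.0.113.7", True, True, True)))
    print(proxy.handle(Request("bob", "payroll", "203.0.113.8", False, True, True)))
    # Direct attempt that skips the proxy: the app must refuse it.
    print(app.connect("203.0.113.9", "mallory"))
```

The last call is the "no shortcuts" point: a client that reaches the application without going through the connector gets refused regardless of who it claims to be, because the application never sees the PDP's decision and cannot be trusted to make its own.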
you should keep in mind when implementing
is a zero-trust proxy. So one thing which you
have to really understand, most of the routers
proxy solutions, they are restricted to a set of applications of protocols. Maybe some proxies only support the protocols like HTTP, HTTPS. And this can bring
added complexity. When you have declined. In some applications or legacy, this might be issues, but it's not supporting the
protocol rate. And sometimes the Zero Trust
proxy might not scale. In applications that so many
applications out there. You might need to put
in like one proxy for application that might
add a cost there, right? And what do you call? It might have complications
with on-prem infrastructure. You might have more additional
support and maintenance. And you want to make sure
you need to take a look at how to make sure all the traffic is routed through the
zero-trust proxy. There are no shortcuts.
I keep adding this because this is very, very important because
this will bypass the whole zero-trust
engineer, right? You need to do and
more configurations, new firewall rules. So you want to make
sure that the traffic is only limited to the proxy. Since the zero-trust proxy is acting like a policy
enforcement point, it's making sure that only
the access is good there. So this is a good
solution for the majority of times that you have
legacy applications. But just make sure that you
have protocols support. And whether it can scale for the number of applications
in your environment. Don't just go out and
buy a zero-trust proxy without checking
these things are very easily just be
wasting money, right? So this was what I wanted
to talk about guys. What are the key takeaways? Practically speaking, in
a real-world scenario, some environments might not support Zero Trust
principles fully. And proxy zero-trust proxies
can help in such a scenario. Just make sure the protocols are supported and it works
within your environment. I hope this was
useful to you guys. I'm just trying to
keep this course as practical as possible. I don't want to give you
a rosy picture of it. Everything will work magically. Know you will face such
an artist and this is how you will be able to
accommodate such situations. Okay, So we've almost like reaching the end of this
course now we're going to talk about the
roadmap to zero-trust. So right now, we've looked at more like
implementing architectures, but how to take zero-trust
as a proper project. I want to talk about that and I'll see you in the
next lesson, guys. Thank you so much.
13. Implementing Zero Trust: Hi friends. Now we're going into the latter part of our course, and now we're going to talk about actually implementing Zero Trust as a project, as what you'd call a roadmap. How do you actually take it on as a project? Okay, I hope by now you've understood zero trust, how to implement it, and what the challenges are. But how do you start it, right? What's the process? So remember what I told you before: Zero Trust is a journey. It's an investment of time and money, and you need to have an understanding of your organization's architectural priorities. And you need to really justify this as a strategic project within your environment. As you start your journey, you need to make small deployments and tactical wins to show the value being added, right? Doing so will really help to show the value of your zero trust work. It will build momentum and support internally. You have to identify tactical wins within the framework of your zero-trust architecture. By doing this, you will be able to show management: look, there are benefits coming in, and they will be behind you in this project, right? Each successful tactical win will open up more and more support for you. Don't try to do a big bang approach which will take 18 months, with money just flying away and time going by, and people thinking, why am I wasting time with this?

Okay. So when a zero-trust project starts, it can become very overwhelming. People might be thinking, oh my God, how am I going to implement this? So you really need to think of zero trust not as a destination but as a journey, one that needs to be approached systematically and revisited, right? To navigate this journey and deploy Zero Trust properly, you have to identify an action plan and give it a structure. Otherwise, you'll just get overwhelmed, right?

If you are working in a completely new, greenfield environment, it is possible to build a zero-trust architecture from the ground up. Assuming that the company knows its applications, services and workflows, it can produce an architecture based on Zero Trust principles and narrow down and say, okay, this is what I want to be implementing; these are the other things I want to do. But in most cases it's not a greenfield environment, it's an existing environment, and you need to start implementing zero trust from within an existing environment where security is already there. Then you need to start thinking about: okay, where do I put the authentication mechanisms? Where do I need to do micro-segmentation? What sort of people do I need? This is where you need to really start to think about Zero Trust as a project. Don't just go ahead and start making changes. It's a project. It needs to be budgeted. It needs to have constant updates to a proper committee. It's not a one-man show. If you start doing it like that, treating it like a purely technical project, I can almost guarantee it will not be successful.

Okay, so what are the challenges? If you remember, we discussed it right at the very start. When you talk about Zero Trust, what are the challenges that will come? Well, first of all, you will need to have a detailed inventory of your applications, your datasets, devices, networks, right? Because a lot of changes might be needed; significant architectural changes might be needed. You need to have financial and non-financial resources to support the implementation of the zero-trust program in the long run, and that needs to be budgeted. I can assure you some costs will be there. Don't think it'll be free, right? And if you are the head of cybersecurity, you need to clearly communicate to business executives why a change in the security architecture is being introduced and what the benefits are. Because a change in mindset is needed, right? It needs support from your management for it to be successful. And the benefits might not be immediately apparent. Like I said, if you do a big bang approach, you might not be able to show what benefits are coming; if you do small tactical wins, you need to identify them, right?

So how would you start it? Well, looking at it as a project, you need to get buy-in from management, right? And you need to understand and map the environment. These are the five steps I would do: get buy-in, understand the environment, slowly introduce the control mechanisms, then implement the zero-trust model, and then maintain, monitor and improve it. Okay? This is how you would do it, right? And for it to be properly successful, based on all the projects which people have done, these are the best practices.

So the first step is very, very important. Please do not bypass this. Get buy-in from management, get buy-in from your CTO, CIO. Of course, they will probably be the stakeholder for this. But yeah, you need to make sure your leadership, IT professionals and all staff are involved in the development and implementation. Why? Because it's a long-term commitment. A lot of money is going to go into it. It needs to be prioritized. A lot of changes are going to be happening. You need to conduct workshops showing what is going to be happening. Otherwise, you will get challenges; you will get roadblocks during deployment when it comes into play. People will be resistant to change. To ensure that all stakeholders are able to participate in a zero-trust project, you need to communicate the Zero Trust principles, find out what you already have and what you need to do, and present your management with the Zero Trust strategy. This can be developed like an enterprise-wide strategy with a full committee there, with roles and responsibilities. And try to avoid the technology discussion. Please do not present it like: okay, we need to implement this product, right? Please think of it as a strategy, and explain how this is critical for your long-term security benefits. And I can guarantee that the disruptive changes that come when you deploy a new security model won't be welcome. A lot of people might be resistant to change. They might be shouting, why is this happening? Why is MFA suddenly coming up? You need to do this properly. That's why getting buy-in is so important.

The next step is understanding the environment. One of the key requirements of a zero-trust architecture is that you need to identify and manage the devices and users, right? How would you do that if you don't know them? The ability to know and manage enterprise assets is key to the successful deployment of a zero-trust architecture, be it hardware, laptops, phones, IoT devices, digital artifacts, users, right? It might not be possible to have a complete inventory done, so you should think about how you can get this inventory so that you have the existing assets and the new ones. It's not just a case of creating a spreadsheet, guys; you need to have that capability in there. You might have containers, virtual assets. All of this information will go to the policy enforcement point, right? You might have shadow IT which you are not aware of. So all of these things will be needed. You might have BYOD, remote users, partners, all of those. So what can you do? What do your existing users look like? You can think of using tooling; maybe your single sign-on will give you a complete list of all your assets. And maybe you have a Mobile Device Management tool, right? You can identify the users there. So think of what other things you should be able to get, maybe from your user directory, your LDAP. You might already have a configuration management tool which gives you the complete asset list. Your IT people will help you out here. So get that done.
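As an added example (not part of the course), this is the kind of reconciliation you end up doing once you have pulled exports from those sources: cross-check the directory, the MDM and the SSO sign-in data against each other so that unmanaged, unknown (shadow IT) and non-compliant devices fall out as a list. The three CSV exports, their column names and every record in them are constructed for the example; real exports from your directory, MDM and identity provider will have different schemas, so the loaders are the part to adapt.

```python
"""Added example: reconcile asset inventories from several sources.
The CSV exports below are constructed sample data, not real exports."""
import csv
import io

# Constructed sample export from the user/computer directory.
DIRECTORY_CSV = """hostname,owner
LT-0001,alice
LT-0002,bob
SRV-DB01,svc-db
"""

# Constructed sample export from the MDM (only enrolled devices appear here).
MDM_CSV = """device_name,user,compliant
LT-0001,alice,true
LT-0003,carol,false
"""

# Constructed sample of SSO sign-in events: which device actually reached which app.
SSO_SIGNINS_CSV = """user,device_name,app
alice,LT-0001,payroll
bob,LT-0002,payroll
dave,DAVE-MACBOOK,crm
carol,LT-0003,wiki
"""


def load(csv_text, name_col):
    """Parse a CSV export into {DEVICE_NAME: row}, normalising case so that
    the same machine named differently by two tools still matches."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r[name_col].strip().upper(): r for r in rows}


def reconcile(directory_csv, mdm_csv, sso_csv):
    """Return the gaps a zero-trust rollout needs to close before a PEP can
    make decisions on device state."""
    directory = load(directory_csv, "hostname")
    mdm = load(mdm_csv, "device_name")
    seen = load(sso_csv, "device_name")        # devices observed hitting apps
    all_names = set(directory) | set(mdm) | set(seen)
    return {
        # Known somewhere, but the MDM cannot vouch for them: no device signal for the PDP.
        "unmanaged": sorted(n for n in all_names if n not in mdm),
        # Reached an application but are unknown to both directory and MDM: shadow IT / BYOD.
        "shadow": sorted(n for n in seen if n not in directory and n not in mdm),
        # Enrolled but failing policy: should be denied or remediated, not silently allowed.
        "noncompliant": sorted(n for n, r in mdm.items() if r["compliant"].lower() != "true"),
        # In the directory only, never seen and not enrolled: verify they still exist.
        "directory_only": sorted(n for n in directory if n not in seen and n not in mdm),
    }


if __name__ == "__main__":
    for bucket, names in reconcile(DIRECTORY_CSV, MDM_CSV, SSO_SIGNINS_CSV).items():
        print(f"{bucket:15s} {names}")
```

The "shadow" bucket is the one to look at first: a device that is already reaching applications through your SSO but is unknown to the directory and the MDM is exactly the traffic a zero-trust policy cannot evaluate yet.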
Then the next step will be to conduct a risk assessment, which is always a part of any major project. It'll help you to identify what you can and cannot mitigate as part of your zero-trust architecture. Remember, we talked about how some things might not be implemented, and it can help you to identify what is already working as a security measure within your environment, right? If you do this early on, it will be great. It will help you identify the risks that cannot be mitigated with a zero-trust architecture. Because if you just go and start implementing a zero-trust plan without conducting a risk assessment, I guarantee you will run into problems in the future, right? Some of your existing security controls might need to stay, some might need to be changed, right? This is where your inventory will help. Doing this will give you a clear vision of the way to implement. It'll help you identify what to prioritize, right? Maybe you have remote workers and branch offices; they will take precedence. It'll help you to define the scope, and it can help you to identify what technology is already there and what licenses you already have. Always remember, no company is starting from scratch on zero trust. You will have existing security practices like multi-factor authentication; you just need to find and use them, right? You might need to look at what documentation you have and everything, right? So these are the things to consider when you start implementing your controls. So conduct a risk assessment and then slowly look at what controls are there.

Now you have a proper framework there. Now you can look at implementing your zero trust. You've done your initial phases; now you can start implementing your zero-trust principles. Remember, it's an iterative project, it's not a big bang. You have to make sure that staff are aware. Maybe you're implementing a zero-trust proxy. Maybe you're implementing a policy enforcement point to make intelligent decisions. Now people will need MFA if they're connecting from a personal device, those sorts of things, right? So as part of your strategy, think of these things. Your roadmap should be owned by the CISO. It's not set in stone, right? It's not like it cannot be changed. You can maybe find out that there is new technology, that improved security features are there. It has to be aligned with the overall strategy, and the best practice is to do it in stages and scale up over time. So consider deploying Zero Trust technologies and processes in small use cases, so that staff understand why these things are happening and accept them when they come in, and make sure the CISO is responsible for overseeing it and delivering it. So you have a senior officer. If you just give the responsibility for implementing zero trust to a junior security officer, people will be resistant and they won't listen to him, right? It has to be owned at the CISO level.

Right. Now we've implemented a few of the Zero Trust principles. It's time to maintain and improve the model. Like I said, it is a continuous journey. The approach to zero trust needs to be challenged and evaluated constantly. You need to make sure that you're getting insights into what technologies are emerging and what threats are happening, so that your zero-trust model keeps changing. You can look at implementing new technologies, new products, such as AI and machine learning, that can put in controls which were not available before, biometrics; we'll talk about those later. But this is where you maintain and improve the model over time. And believe me, the first time it won't be as good as you'd like it; you'll improve it more and more. This is how Zero Trust works.

So this is what I wanted to talk to you guys about. Zero Trust is a journey. It can be a multi-year, multi-domain project. And governments across the world are implementing it, ordering agencies to do the same. And this is coming up very prominently within the private sector as well, all across the world. Zero trust is pretty much the de facto standard now for new types of security models. Treat it like a project. It will get implemented; you will get challenges, you will get resistance initially. Don't worry about those. So I hope this was useful to you guys. Now we're going to look at the last one, which is maturity models. How do you know where you fit when you're implementing zero trust? What stage are you on? How do you know how mature your Zero Trust is? How do I know where I stand? So we're going to take a look at Zero Trust maturity models, which can help you assess where you stand. There are multiple maturity models present; you can take a look and get a good idea of where you stand. Okay, so thank you guys and I'll see you in the next lesson.
14. Zero Trust Maturity Models: Hi guys. So we're almost at the end of our course, and in this lesson we're going to talk about Zero Trust maturity models. Now we've seen how the Zero Trust journey would work in your company, right? How you would go about practically implementing a zero-trust model within your company. In this lesson, I want to go to maturity models: how to find out how good your zero trust is, where you are, where you fit in. I mean, you started implementing zero trust, right? Maybe you've been six months in the journey, one year in the journey, and you want to know: where am I, right? Am I good, am I bad? Am I mature? Am I right at the start? How do I find out? This is where maturity models come in. Remember, as a continuous journey, the approach to zero trust needs to be evaluated and challenged constantly, right? So if you're a CISO, you need to get insight into your entire Zero Trust strategy and find out if it's really succeeding or not, and you need to look at ways to continuously improve it. You need to find out where the gaps are, and how do you do that? One of the easiest ways to do that is a Zero Trust maturity model. It answers the question: how do I know how good my zero trust posture is? And there are many, many maturity models present. Basically, it tells you where your zero-trust architecture is; it'll ask you what controls you are implementing and what step of the journey you are at. The good thing is there is no shortage of Zero Trust maturity models out there. I'm going to look at two of the most common ones, but honestly you can look around and find others.

So one is Microsoft's. Microsoft documented their whole zero-trust journey, similar to how Google did, which we talked about earlier, right? And they also saw the same thing, that different companies have different technology implementations and security strategies, and all of them impact how the zero-trust security model will be done, right? So based on their own experience in helping customers secure their organizations and implement zero trust, they have developed a maturity model to help you assess your zero-trust readiness and build a plan, right? They have multiple phases, focused on multiple areas like device security, identity. You can take a look at it, and actually, instead of just me talking about it, they have a free tool which is pretty cool. They look at identities, endpoints, apps, infrastructure, data and network. They assess maturity across all of these. So at the end of the lesson, I'm going to actually take a look and fill it out for identities and endpoints and see what sort of feedback they give. Usually it's geared more towards a Microsoft shop, but honestly, I have used this tool, and the advice that comes out of it you can pretty much use for any environment. It's very easy to do that.

And if Microsoft is not your cup of tea, you can look at other things. There is also the Cybersecurity and Infrastructure Security Agency in the US. They provide support to the federal agencies within the US government on security. And they have provided a very excellent Zero Trust maturity model. Their Zero Trust maturity model is based on identity, device, network, application and data, very similar to Microsoft's, right? But what they have also done is divided it up: they have laid out a path you can take to transition to zero trust. This is how it looks: they have traditional, advanced and optimal, and they have divided it across the board. You can take a look at that matrix. So for identity, this is what traditional would be, what advanced would be, what optimal would be; for device, this is what traditional would be, what advanced would be, and so on. Traditional would be like everything is manual; advanced would be that you have centralized visibility; optimal would be full-on optimization, right? So it's pretty cool. They acknowledge also that it takes time and investment. That's the reason they have recommended a three-stage approach, right? So in the traditional stage the zero-trust architecture is largely manual, like I said, instead of automated. The starting point, this stage, is characterized by manual procedures, nominal security policy, limited enforcement, and mostly manually implemented zero trust. In the advanced stage, you start improving on it: you put in centralized management, better policy enforcement, more dependence on automation and enhanced mitigation procedures. Then the last would be optimal. Optimal would be full automation across most elements of the security infrastructure, with better alignment and centralized threat intel. Each stage contributes to the overall progression to a strong and secure Zero Trust Architecture. They've published this, and it's a very excellent tool. I'm using it.

Apart from that, one point I didn't talk about: AI is very hot nowadays, ChatGPT and everything, new technologies and zero trust. So you have to be realistic. I mean, innovation continues to transform IT, right? You have new things come out; today it's ChatGPT, tomorrow it'll be something else, right? So you have to think about things like, I've given the example of biometrics, AI, machine learning. All of them play a key role in supporting the fundamentals of zero trust, right? Facial, fingerprint, voice recognition: you could use that for authentication. And AI could be used to automate threat detection. In the long run, companies will start implementing these tools, right? You have to try to avoid the hype around these technologies. First of all, I always recommend looking at what you have already instead of jumping on the next shiny product, right? And remember, anybody who comes to you and says that implementing this single product will give you Zero Trust, believe me, that is completely bogus. Every solution needs to work in sync with the other technologies within your environment to make sure that the full zero-trust model is there. But remember, the deployment of zero trust must keep pace with new technologies and how the technology industry is transforming, right? E.g. you could shift to cloud, and that means that companies are storing their assets and data outside of the perimeter, so it would be difficult to apply a single security posture, right? Similarly, IoT devices, if they come in, could be a challenge from the point of view of zero trust, because IoT devices are very difficult to get visibility on and everything, right? You can imagine getting an inventory of IoT devices is difficult, right? So all of these things you have to keep in mind; keep doing these assessments in sprints, and look at these various pillars within the maturity model.

So that's pretty much it, guys. This was the last lecture of this course. Remember, zero trust matures like any other technology model: you build up capabilities. Don't think you're going to be optimal on day one. But maturity models are a great way to find out: choose one, and use it consistently. Use it to find out where you are, where you're standing at the current time, and use it to gauge your progress and use that as an objective way of finding out what you're doing. So let's do a mock assessment. I'm going to use the Microsoft tool also, just to show you how it works and what some of the good things are you can get out of it, right? So let's take a look at that and I'll see you there.
Hi everyone. So like I said, I wanted to just do a quick mock assessment, just to show you how you can maybe use some free tools on the internet and get a basic assessment done. So this is basically Microsoft's. They have a very nice small quiz which they do on your zero-trust security posture, and they give you some very good findings. I don't want you to use it as a professional tool, but it is a very excellent way of finding out. They don't take any sensitive data. They don't take any PII or anything. They don't ask you to upload any documents. They just ask you some basic questions and they give you their best-practice findings, which you can use as a starting point for finding out gaps within your network. And although they focus a little bit more on being a Microsoft shop, you can take those findings and pretty much apply them anywhere. So as you can see, they have focused on identities, endpoints, applications, infrastructure, data and networks. So I just wanted to show you. Let's take a look. Let me make this smaller. Yeah. Okay.

So let's start with identities. This is the home, and you can select a category. And here we go. Let's focus on identities, like we've talked about multiple times before. You can make identity governance the focus of Zero Trust and focus your strategy there. So, how do you enable multi-factor authentication? I can say some users, maybe, because we've just started out, right? Are passwordless authentication methods enabled for your users? We can say some, because, as you can see, they focus more on that. Which of your user groups are provisioned with single sign-on? Okay, so here you can say pretty much everybody apart from maybe partners. Which of the following security policies are you using to make access decisions for enterprise resources? As you can see, they don't specifically mention policy decision points or PEPs, but yeah, that's what they're talking about. So we can say: okay, maybe the cloud access security broker, and that's it. Maybe we're not using the MDM, and so we're not using device signals. Have you disabled legacy authentication? No. Why are they asking? Because, remember, you can use that to bypass the decision-making process. Are you using real-time user risk evaluation when evaluating access? Okay, we can say yes. Which of the following technologies have you integrated with your identity and access management solution? Again, you follow why they're asking. That's the reason I like it very much: they don't make it too technical, but they are asking the questions from the perspective of the policy enforcement point and the PDP. We can say, okay, maybe the other ones we haven't. Okay. Which of the following context is used in the access policy? Remember what we talked about, right? You need to get that visibility. So right now maybe they're getting user, and we're not looking at the sign-in risk and so on. Identity secure score: this is a risk score which you get from Microsoft in Azure; it takes a look at multiple factors and everything. So I would say no, maybe we don't have the license or whatever. So what happens? As you can see, now they give you a list of prioritized findings, and they give you why: why you should enable passwordless authentication, improve your identity secure score, and so on. For the playbook, you can actually get a complete playbook from Microsoft, completely filled in. So that's the reason it's so good, right?

Let's take a look at endpoints also. Are devices registered with your identity provider? Not consistently. Let's take a look. Yeah, we can say that managed devices are required to be compliant with IT configuration policies, like Intune or something like that, right? Do you have a model for users to connect to organizational resources from unmanaged devices? We're going to do it, but not consistently; we can't control partners. Do you enforce data loss prevention policies on all managed and unmanaged devices? Probably we have managed but not unmanaged devices, so you can say not consistently. Have you implemented endpoint threat detection to enable real-time device risk evaluation? We can say maybe some devices. Again, you can see now, again, it gives you good-practice findings and it gives you what to do. Again, it's focused more on Microsoft, but you can really use this and apply it, because the questions it's asking are very straightforward and they can pretty much apply to any technology provider.

So I just wanted to show you, guys. You will find many, many similar quizzes. You can use the CISA one, and I don't know if they have a tool for that, but you'll find similar ones. I like the Microsoft one because of the way the flow happens. It doesn't overburden you, and it gives you best practices, and it points you towards resources. And even if you don't have these resources, if you're not a Microsoft shop, you can actually map them to other third-party providers or other native tooling which you can use to apply a zero-trust approach. Guys, I hope this was useful to you and I'll see you in the next lesson. Thank you.
15. Wrapping up: Okay guys, congratulations, you have finally reached the end of this course. I know it was a long journey, but I hope, I sincerely hope, that you've gotten a better understanding of Zero Trust, how to implement it, how the architecture works, and that I was successful, at least a little bit, in teaching you about zero trust if you were starting from scratch. So one thing I would like to tell you guys: Zero Trust is not going anywhere. With the rise of remote working and the threat of cyberattacks, companies are constantly searching for better security frameworks, and zero trust gives them that assurance. Gartner did recent research and said that by 2025, at least 70% of new remote access deployments will be served by a zero trust network architecture instead of VPN devices. This is going to go up, believe me, with the executive order from the US government for the federal agencies to implement it. Zero Trust is the future of cybersecurity. So it's great that you've taken the step right now by taking this course, and I hope you've gotten some good, valuable information which you're going to apply. Okay, so remember what I've told you. Zero trust is a very powerful concept, but don't fall for the hype. Don't fall for products, right? Zero trust is based on principles, and those principles you have to transform into a proper actionable plan which is based on concrete steps that you have to take, right? Remember, it's a journey. Don't think you're going to be perfect on day one. Slowly, slowly implement Zero Trust. So rather than being seen as a destination, the transition to zero trust should be seen as a journey with everybody playing a part in it, and you constantly challenging the model, looking at how you can make it more efficient. But once you do it, you will definitely not want to go back to the traditional perimeter security model, okay? Remember that. It has to be iterative, step by step. You're going to improve it. So congratulations guys, thank you very, very much for taking this course and for listening to me talk for 2 hours or something. Thank you very much for that. If you found this course useful, please do leave a review or rating; that would really help. Hopefully it will give me some feedback. You can connect with me on LinkedIn; I have a YouTube channel also, and then on Medium. That would really help. Remember the project that you have to do. Do that project and the case study, and give me some feedback. I would love to stay in touch with all of the people who take my courses, so give me some concrete feedback and let's stay in touch. Thank you very much guys, and I'll see you in the next course. Take care and good luck on your Zero Trust journey.