
Zero Trust: Beyond the Buzzword

Bill Becker
Chief Technology Officer

thalestct.com
Thales Trusted Cyber Technologies: Who We Are

Trusted, U.S. Provider of Cybersecurity Solutions Dedicated to the U.S. Federal Government

Corporate Snapshot
• Business Area of Thales Defense & Security Inc.
• President: Lloyd Mitchell
• Headquarters: Abingdon, MD
• Maintain required U.S. Federal Government approvals and certifications to develop, support and sell products to government clients
• Proxy Agreement with DCSA for Foreign Ownership, Control and Influence (FOCI)
• National Security Agreement with the Committee on Foreign Investment in the United States (CFIUS)
• Trusted U.S. Source of Supply for Key Technologies for the Federal Government
• Provide U.S. based support for all products developed and sold through Thales Trusted Cyber Technologies

2 Trusted Cyber Technologies
ZERO TRUST
What is it?

“Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.”

Source: NIST SP 800-207


Zero Trust Hits Critical Mass

Timeline:
• 7 May 2021: Hackers ransom Colonial Pipeline data; gasoline delivery to the East Coast is affected
• 12 May 2021: White House releases executive order on cybersecurity (EO 14028)
• 7 Sep 2021: OMB memo "Moving the U.S. Government Towards Zero Trust Cybersecurity Principles"; CISA Cloud Security technical reference architecture and Zero Trust maturity model
• 16 Sep 2021: Cybersecurity – CISA gets $862 million in budget
• 19 Jan 2022: National Security Memo on Improving Cybersecurity of National Security Systems
• DoD, NSA, NIST, OMB and CISA release Zero Trust guidance
Implicit Trust
The Problem with
Perimeters
Implicit Trust

▌ Perimeter defenses give authenticated users broad access to critical data
▌ Expanding services expands the perimeter of trust
▌ Remote access over VPN grants entry into trusted zone
▌ Critical data moving to the cloud creates additional challenges to maintaining perimeter integrity


“Three can keep a secret, if two of them are dead.”
– Benjamin Franklin


Implicit to Zero Trust



Principle of Zero Trust

All transactions within the enterprise are untrusted (default deny), and access/transactions are based on…

Who you are
What resource you’re accessing

…and not where you are

Never Trust – Always Verify
Foundational Pillars of Zero Trust

Identity
Device
Network / Environment
Application Workload
Data

Source: CISA Zero Trust Maturity Model
ZERO TRUST
Foundational Pillars



Identity

▌ Identities are the cornerstone of access security
Establish a single sign-on (SSO) service for agency users that can be integrated into applications and common platforms, including cloud services.
- A single, robust authentication service with phishing-proof MFA is the recommended target
Enforce MFA at the application level, using enterprise SSO wherever feasible.
Adopt secure password policies and check passwords against known breached data.

NIST Identity-Centric Zero Trust Architecture (OMB ZT Strategy Memo, NIST Special Publication 800-207)
[Diagram: Control Plane – Policy Decision Point made up of the Policy Engine and Policy Administrator, fed by Data Access Policy, CDM System, Industry Compliance, Threat Intelligence, Activity Logs, PKI, ID Management and SIEM System. Data Plane – the Subject's System passes from the untrusted side through the Policy Enforcement Point to the trusted Enterprise Resource.]
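To make the "who you are, what resource, not where you are" rule and the NIST control-plane inputs concrete, here is an added toy policy engine (example code, not from the deck, NIST or any Thales product): it defaults to deny, combines identity assurance, CDM device posture, threat intelligence and a data-access policy, and writes every decision to an activity log for the SIEM. All resource names, groups, MFA levels and rules are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Subject:
    user: str
    mfa: str             # "none", "otp" or "phishing_resistant" (e.g. FIDO2/PIV)
    groups: set = field(default_factory=set)

@dataclass
class Device:
    device_id: str
    managed: bool        # enrolled in enterprise management
    compliant: bool      # posture as reported by the CDM system

# Constructed inputs to the policy engine (all values are assumptions).
MFA_RANK = {"none": 0, "otp": 1, "phishing_resistant": 2}
DATA_ACCESS_POLICY = {   # resource -> who may reach it and with what assurance
    "hr-payroll-db": {"group": "hr", "min_mfa": "phishing_resistant", "managed_only": True},
    "wiki": {"group": "staff", "min_mfa": "otp", "managed_only": False},
}
THREAT_INTEL = {"compromised_devices": {"laptop-0042"}}
ACTIVITY_LOG = []        # records the policy administrator would forward to the SIEM

def decide(subject, device, resource, source_ip):
    """Policy engine: default deny, every failed check becomes a reason.
    The source address is logged but never consulted: location grants nothing."""
    policy = DATA_ACCESS_POLICY.get(resource)
    reasons = []
    if policy is None:
        reasons.append("unknown resource")
    else:
        if policy["group"] not in subject.groups:
            reasons.append("subject not in required group")
        if MFA_RANK[subject.mfa] < MFA_RANK[policy["min_mfa"]]:
            reasons.append("authentication assurance too low")
        if policy["managed_only"] and not device.managed:
            reasons.append("unmanaged device")
        if not device.compliant:
            reasons.append("device not compliant (CDM)")
        if device.device_id in THREAT_INTEL["compromised_devices"]:
            reasons.append("device flagged by threat intelligence")
    allowed = not reasons
    ACTIVITY_LOG.append({"user": subject.user, "device": device.device_id,
                         "resource": resource, "src_ip": source_ip,
                         "decision": "allow" if allowed else "deny",
                         "reasons": list(reasons)})
    return allowed, reasons
```

The same request from the corporate LAN and from the internet gets the same answer; only the device, identity and policy inputs change it.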
Device

Inventory
• All hardware that connects to network
• Agency-owned or BYOD

Secure
• Ensure visibility into device
• Establish security baselines
• Enforce compliance

Monitor
• Deploy monitoring tools
• Real-time risk assessments


Network / Environment

▌ Micro-Segmentation
• Align to application workflow needs
• Move applications and services closer to users and branch offices



Network / Environment

Unprecedented movement of data throughout networks: IDC predicts the data created and shared every year will reach 175 zettabytes in 2025

Tech leaders recognize importance of securing data in motion: 75% of respondents cited data-in-motion security solutions as most effective at thwarting breaches (2018 Thales Data Threat Report)

Regulations necessitate protection of data in motion: HIPAA, SOX, PCI DSS, FISMA and others include standards for how to handle data in motion

Encryption – the last line of defense – is vital for protecting data as it crosses networks

Enforce encrypted DNS and HTTPS for all traffic


Application Workload

CISA: Cloud Security Technical Reference Architecture

Develop
• Leverage micro services
• All apps are designed to be internet facing
• Secure development practices

Secure
• All apps are designed to be internet facing
• Automate code scans
• Automate remediation
• Automate Vulnerability Scans
• Publish vulnerability reports

Operate
• Enforce HTTPS
• Report back to Dev cycle
• Continuously Monitor
• Automate Operation
• Leverage SIEM tools for log aggregation and review


Data

56%: In 2022, only 56% of respondents were very confident or had complete knowledge of where their data was being stored, down from 64% in 2021

25%: Only 25% of all respondents said they could classify all their data, and 53% said they could classify at least half of their data in 2022

2022 Thales Data Threat Report
Data

59%: Encryption as top tool to secure data in the cloud

50%: >40% of sensitive data in cloud encrypted

2022 Thales Data Threat Report
Data

Awareness
• Discover and classify data
• Find structured as well as unstructured data

Alert
• Built-in templates for privacy, PCI, health, etc.
• Find and rank the data at risk with detailed reports and categorization

Action
• Automatic remediation based on data visibility, risks, and policies
• Integrated remediation for reduced risks
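As an added illustration of the Awareness / Alert / Action flow (example code, not the deck's and not any Thales product's), the block below scans constructed sample records with built-in templates (PCI card numbers validated by Luhn, US SSN-shaped identifiers, health terms), ranks each source by risk and names the remediation a policy would pick. The template names, weights, thresholds and file paths are assumptions.

```python
import re

def luhn_ok(digits):
    """Luhn checksum: keeps a 16-digit order number from counting as a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

# Built-in templates (assumed): name -> (pattern, post-check, risk weight)
TEMPLATES = {
    "pci": (re.compile(r"\b(?:\d[ -]?){15}\d\b"),
            lambda m: luhn_ok(re.sub(r"\D", "", m)), 10),
    "ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), lambda m: True, 8),
    "health": (re.compile(r"\b(?:diagnosis|prescription|ICD-10)\b", re.I),
               lambda m: True, 5),
}

def classify(text):
    """Return {template: hit_count} for one record, structured or unstructured."""
    hits = {}
    for name, (rx, check, _) in TEMPLATES.items():
        n = sum(1 for m in rx.findall(text) if check(m))
        if n:
            hits[name] = n
    return hits

def rank_sources(sources):
    """Score every source, highest risk first, with the remediation a policy would pick."""
    report = []
    for path, text in sources.items():
        hits = classify(text)
        score = sum(TEMPLATES[t][2] * n for t, n in hits.items())
        action = "encrypt+restrict" if score >= 10 else ("review" if score else "none")
        report.append({"source": path, "score": score, "hits": hits, "action": action})
    return sorted(report, key=lambda r: r["score"], reverse=True)

# Constructed sample data: a CSV export (structured) and a ticket note (unstructured).
SAMPLE = {
    "exports/orders.csv": "id,card\n1,4111 1111 1111 1111\n2,4111111111111112\n",
    "tickets/1234.txt": "Patient asked about prescription refill; SSN 123-45-6789 on file.",
    "docs/readme.txt": "Nothing sensitive here, order 1234567890123456 shipped.",
}
```

The Luhn post-check is what separates a real card number from a 16-digit order id, so the readme ranks last with no action.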


Data

Data Encryption: Enforce encryption or tokenization to protect against unauthorized access by users and processes

Access Controls: Apply granular, least-privileged user access policies that protect data from external attacks and misuse by privileged users

Security Intelligence: Identify and stop threats faster with detailed data access audit logs that satisfy compliance requirements and enable security analytics

(Structured & Unstructured Data)
Optimal Maturity Stage

Identity
• Continuous validation
• Real-time machine learning analysis

Device
• Constant device security monitor and validation
• Data access depends on real-time risk analytics

Network / Environment
• Fully distributed micro-perimeters
• Machine learning-based threat protection
• All traffic is encrypted

Application Workload
• Access is authorized continuously
• Strong integration into application workflow

Data
• Dynamic support
• All data is encrypted

Source: CISA Zero Trust Maturity Model


ZERO TRUST
Implementation



Thales TCT Solutions

Identity
• Authentication & Access Management
• Luna Credential System

Device
• Luna T-Series HSMs
• Luna Credential System

Network / Environment
• Thales High Speed Encryptors

Application Workload
• Access Management
• CipherTrust Application Data Protection

Data
• CipherTrust Data Discovery & Classification
• Data-at-Rest Encryption solutions


Steps for Zero Trust Architecture Improvements

1. Read Zero Trust Guidance
   • https://zerotrust.cyber.gov
2. Identify leadership and team for your organization
3. Prioritize critical Applications & Data
4. Develop a plan based on prioritized objectives
5. Execute and evolve
   • Achieving Zero Trust is iterative
   • It starts with Identities and ends with Data
   • Your Zero Trust posture will evolve and improve over time


Thank You!
