Zero Trust Explained | Real World Example

00:00

what is zero trust well that depends

00:03

who's asking zero trust is critical to

00:06

protect us from hackers and cyber crime

00:08

in the modern world before we talk about

00:10

what zero trust is let's start by

00:13

talking about what zero trust is not it

00:16

is not a piece of new technology it is

00:19

not a protocol it is not a product that

00:21

you go out you buy you set up and

00:24

suddenly you have zero trust now it's

00:26

better to describe zero trust as a

00:28

security concept or a framework the goal

00:32

is to trust nothing instead we must

00:35

continuously authenticate authorize and

00:38

assess every user and every device zero

00:42

trust is achieved using a mixture of

00:45

security policies and the right security

00:47

tools and speaking of tools let me say a

00:50

big thank you to our sponsor of this

00:52

video twin gate twin gate offers super

00:55

easy highly configurable remote access

00:58

to your home or business Network work

01:00

using Advanced user authentication

01:02

limiting users to just what's needed and

01:05

assessing the security Heth of your

01:07

device makes twin gate a great tool for

01:10

our zero trust Arsenal we'll talk more

01:12

about this later and I'll show you how

01:14

you can get started implementing your

01:16

own zero trust using twin gate by the

01:19

way it's not going to cost you anything

01:22

okay so to fully understand the problem

01:24

that zero trust solves we need to go

01:26

back a few years a traditional Network

01:29

looks something in like this we have our

01:32

computers our servers and our

01:34

applications sitting inside our Network

01:38

these are all protected from the outside

01:39

world by our routers and our firewalls

01:42

this is called perimeter based security

01:46

because all of these devices are owned

01:48

by the business and connected to the

01:50

same network we can control them using

01:52

things like group policy for

01:54

configuration or active directory for

01:57

authentication and our firewalls control

01:59

which traffic traffic is allowed in and

02:01

out we can even control the physical

02:04

access to the devices and the

02:06

infrastructure by controlling who has

02:08

access to the buildings or the server

02:10

rooms we use things like ID cards and

02:13

passcodes we call this The Trusted

02:15

Network because we have complete control

02:18

over these devices everything on the

02:21

outside however which we don't control

02:24

this is called the untrusted network

02:28

people often use the analogy of a

02:30

medieval castle to describe this

02:32

approach the castle protects everything

02:35

inside from the outside attackers with

02:37

high walls and Moes now this setup

02:40

worked well for a long time however the

02:44

idea of perimeter security has been

02:46

facing challenges in recent years some

02:49

of these challenges that businesses are

02:51

facing are cloud computing and web apps

02:54

now most businesses are using a

02:56

combination of web applications and

02:58

cloud computing Services these

03:01

applications and services can be

03:03

accessed from anywhere on any device

03:06

remote working users are not always in

03:09

the physical office Network sometimes

03:12

they're working from home in a coffee

03:14

shop or any other public Wi-Fi how do we

03:17

then provide access to the resources the

03:19

user needs while still ensuring they're

03:22

using a safe connection and how can we

03:24

ensure they actually are in fact who

03:27

they say they are user owned devices

03:30

users are not always using company-owned

03:33

devices users may want to use their own

03:36

phones or tablets or laptops to connect

03:38

to the corporate data and services well

03:41

then how do we ensure that these devices

03:43

are free from malware and secure enough

03:46

to access our company resource and one

03:49

of the biggest problems with

03:51

perimeter-based security is something

03:53

called lateral movement if an attacker

03:56

can find just one weakness in the

03:58

perimeter and get access access then the

04:01

explicit trust gives the attacker access

04:03

to the other resources within the

04:05

network all of these problems have

04:07

gradually been increasing in recent

04:09

years however the pandemic skyrocketed

04:13

these and it was clear that the

04:14

traditional perimeter security approach

04:16

was no longer able to protect this new

04:19

way of working so a new solution needed

04:22

to be found and this brings us to zero

04:25

trust now I've said this already but

04:27

zero trust is not a single product that

04:29

can be implemented overnight it's a

04:32

security architecture that needs to be

04:34

built over time using different

04:36

Technologies products and policies many

04:40

security vendors have their own approach

04:42

to zero trust and how it can be

04:44

implemented but I'm going to be talking

04:46

about some of the core principles that

04:48

make up zero trust and then we're going

04:50

to get handson with a real world example

04:54

at its core zero trust does exactly what

04:57

it says on the tin it removes all trust

05:00

in users devices and networks a phrase

05:04

often used to describe this is Never

05:07

Trust always verify it doesn't matter if

05:11

you're sitting in a coffee shop at home

05:13

or in the office behind company

05:15

firewalls you are treated exactly the

05:18

same you are only trusted once you can

05:21

prove otherwise now I like to call this

05:24

guilty until proven innocent now the way

05:28

to prove your innocence is to be

05:30

verified this is done based on several

05:32

factors including things like

05:34

credentials the device being used and

05:37

the location of the request for example

05:41

let's say you want to access a company

05:43

resource before your request is granted

05:46

your credentials will be checked to

05:48

ensure you are who you say you are you

05:51

may then be prompted for an MFA this is

05:54

all pretty standard stuff but then we

05:56

can go further by checking things like

05:59

the the security health of your device

06:02

this could include checking that the

06:03

operating system is up to date and that

06:06

endpoint protection is installed your

06:08

geolocation could also be looked at

06:11

maybe only requests from certain

06:13

countries will be accepted countries

06:16

where the business only operates in for

06:18

example several of these checks can be

06:20

made before you are verified the key

06:23

Point here though is even if you pass

06:26

verification once that does not

06:29

automatically mean you are trusted a key

06:33

part of zero trust is that every request

06:36

should be continuously and dynamically

06:39

verified every single time this stops

06:42

Hackers from taking advantage of things

06:44

like open sessions and trusted access

06:48

okay as the name suggested zero trust is

06:51

all about removing all trust from every

06:54

request but there is more to it than

06:56

that the next principle is that of least

07:00

privilege now least privilege means only

07:03

providing the minimum level of privilege

07:06

needed to do a task seems pretty obvious

07:10

right well this is often easier said

07:13

than done implementing this in

07:15

applications and services not designed

07:18

for zero trust can sometimes be tricky

07:21

as humans we also want to be as helpful

07:24

as possible often giving much more

07:26

access to users than needed or giving

07:29

access temporarily and never actually

07:31

removing it this is a weakness and the

07:34

attackers do take advantage of this a

07:37

common example of giving too much

07:39

privilege is when all users have local

07:42

admin rights this is great for the user

07:44

because they can install applications

07:46

run tasks that require permissions all

07:49

without interruption however this also

07:52

means that malware or hackers using this

07:54

account have much more access to the

07:57

device this is great for hackers but

07:59

it's bad news for us with the right

08:02

tools and policies in place we can

08:04

ensure that any user application or

08:07

device only has the permissions required

08:09

to do what's needed and not a single bit

08:13

more an example of this is something

08:16

called just enough access this is where

08:19

we provide only the necessary access

08:21

required for a job there's also

08:23

something called Just in Time access

08:26

this is where we can provide access to

08:28

resources such as virtual machines only

08:31

for a set amount of time once this time

08:33

is up the access is then removed the

08:36

last principle of zero trust that we

08:38

will discuss is a sum breach now this

08:41

means that we're not just trying to stop

08:43

cyber attacks but we're going to assume

08:46

that the systems will be breached at

08:48

some point if they haven't already by

08:50

taking this mindset we can start to plan

08:52

our defenses for if the worst should

08:55

happen the first thing to do is segment

08:57

our systems to reduce reduce the blast

09:00

radius what this means is we reduce the

09:03

Damage Done if an attacker is able to

09:06

get access we can reduce the area of a

09:09

network they can access by using network

09:12

segmentation and we should also use user

09:15

Bas segmentation to limit the scope of

09:17

the credentials as well as reducing the

09:20

blast radius we must Implement measures

09:22

to detect and respond to these breaches

09:26

we must ensure we have the tools to

09:28

provide visibility

09:29

and the tools and services to respond to

09:32

threats in real time okay so we now know

09:35

the theory behind zero trust and why

09:37

it's so important but how do we actually

09:40

start to implement this stuff well as

09:42

mentioned at the start of this video

09:44

complete zero trust cannot be achieved

09:47

with just a single tool or service you

09:49

need a range of tools and policies to

09:52

implement zero trust but let me give you

09:54

a real world example so you can get

09:56

Hands-On with some zero trust tools

09:59

the tool we're going to be looking at is

10:01

called twingate which provides something

10:03

called zero trust network access also

10:06

known as

10:07

ztna zero trust network access provides

10:11

everything we've already spoken about

10:13

in-depth verification and least

10:15

privileged policies for your users who

10:17

need access to the corporate resources

10:19

now don't worry because twin gate is

10:21

completely free for up to five users

10:24

which is more than enough for your home

10:26

networks and for small teams so here is

10:29

my home network in my network I have a

10:32

Nas or network attached storage this NAS

10:36

Drives hold all of my video files I want

10:39

to be able to access this Nash drive

10:41

from anywhere I could be at home in a

10:44

coffee shop or on the road I need to be

10:46

able to access my Nash Drive I also have

10:49

an editor called Peter and I may want

10:52

Peter to access my Nash drive as well

10:55

now of course I could use a simple VPN

10:57

to do this however I want to implement

10:59

the zero trust principles of

11:02

verification device compliance and least

11:04

privileged twin gate makes this super

11:07

simple to do so let's get this set up

11:10

now the first thing we need to do is go

11:12

over to tate.com and set up a free

11:16

account just go over to try twin gate

11:18

for free once we've done that and signed

11:21

in it's just a simple three-step process

11:24

we need to set up a network set up a

11:27

connector and then install the client so

11:30

first we need to set up a network we'll

11:33

hit the add remote Network button this

11:36

is the network we want remote access to

11:40

so as we can see we have options for the

11:42

three major Cloud providers AWS aure and

11:46

Google Cloud but in my case I'm going to

11:49

select on premise Because by the Nash

11:51

drives at my house so we select on

11:54

premise and then we're going to give it

11:56

a name so I'm going to go with home cuz

12:00

it's my home network then hit add remote

12:04

Network and just like that we have our

12:07

first network but it's currently empty

12:09

but don't worry we are going to fix that

12:11

and this is where we Implement our first

12:14

bit of zero trust instead of giving

12:17

access to the entire network here I'm

12:19

going to specify exactly what can be

12:22

accessed and we do that using a resource

12:25

so I'm going to click create resource

12:27

then I'll give it a name this is going

12:29

to be my Nas and then I'm going to give

12:32

it the IP address the IP address for my

12:35

NAS drive is

12:38

192.168.1 187 not only am I going to

12:41

restrict the IP address but I'm also

12:43

going to restrict the ports that can be

12:45

used to access my NAS drive so I'll do

12:48

that by clicking ports and for TCP I'm

12:52

going to allow Port 5000 which is the

12:56

port for the web admin and I'm going to

12:58

allow the port number

12:59

445 this is for SMB which will allow me

13:02

to access the files

13:04

remotely then I'll just disable UDP and

13:08

I'll disable icmp as well so here's my

13:11

IP address here are the only ports that

13:13

you can access it on and then I'll click

13:16

create

13:17

resource you're then asked to select

13:19

which users will have access by default

13:21

you have an everyone's group and it's

13:23

just me so I'll select that and hit the

13:26

add button okay so now we have our

13:28

Network and our resource defined we now

13:31

need to deploy a connector this

13:33

connector sits somewhere in the network

13:35

and is what makes the connection

13:36

possible so to deploy the connector I

13:39

just have to click on one of these

13:41

interestingly named connectors on the

13:43

left hand side so I'll go with Classy

13:45

bobcat and then we're taken to the

13:47

deployment page as we can see we have

13:50

tons of different options to deploy the

13:52

connector all are pretty straightforward

13:54

but to be honest the easiest one is

13:56

going to be Docker so that's the one

13:58

I'll select s I'll click Docker and then

14:01

all we need to do is generate some

14:02

tokens so I'll scroll down hit the

14:05

generate tokens button of course we have

14:07

to authenticate remember verify

14:11

everything so we'll relog in and once

14:14

generated the tokens will be added to

14:16

the command at the bottom now all we

14:19

need to do is run this command on some

14:21

type of machine now this could be a

14:23

computer you have lying around the house

14:25

windows or Linux it doesn't matter it

14:27

could be a raspberry Pi or it could even

14:30

be the NAS drive itself assuming it

14:32

supports Docker in my case I'm going to

14:34

use a virtual Ubuntu machine so I'll

14:38

pull up that machine

14:40

here log in and all I have to do is open

14:43

up a

14:46

terminal the first command to run is

14:48

pseudo

14:50

a update and this will go through

14:53

looking to update all of your

14:57

packages then the next next command is

15:00

pseudo

15:02

a

15:04

install docker.io

15:06

now this command will install Docker on

15:10

the virtual machine again this will only

15:12

take a minute to go

15:15

through once done we just need to take

15:18

that command from Twin gate and paste it

15:20

into here but do not forget to type

15:24

pseudo before you copy it all it will

15:27

probably fail so go back to Twin gate

15:31

click the copy command button go back to

15:33

our virtual

15:35

machine and paste that in hit the enter

15:39

button and it will start to work its way

15:43

through so now that's completed we can

15:46

go back to Twin gate and check to see if

15:48

the connector is now online so it

15:51

currently says not connected but if I

15:53

hit the refresh button with a bit of

15:55

luck as we can see the status has now

15:58

changed to Connected meaning our

16:00

connector is now live and working we do

16:03

have the option to add multiple

16:05

connectors for rgency but I'm just going

16:07

to leave it as the one for now so now we

16:10

have our resources defined our connector

16:13

deployed now the only thing left is to

16:15

download the client and test it out okay

16:18

so I have my iPad here and I'm going to

16:19

pretend that I'm on the road now it's

16:21

Ted to my mobile so it's a completely

16:24

separate Network to my local network

16:26

here to download the client we need to

16:29

go to Twin

16:30

gate.com slown and as you can see we

16:34

have a download option for pretty much

16:36

every device now of course I'm on iPad

16:38

so I'm going to choose

16:42

iOS and hit the download

16:46

button okay so I have the client but

16:49

before I connect I want to show you that

16:51

it will fail if I tried to access my NAS

16:54

drive from here so I'm going to open up

16:57

the browser going to go to a new tab and

17:00

remember that IP address that local IP

17:03

so it's HTTP colon

17:07

for1

17:11

192.168.1 187 and the port number for

17:14

the web admin page is

17:17

5,000 so I'll press the enter button and

17:20

yep as expected it looks like is going

17:22

to fail so now what I'm going to do is

17:25

connect to that

17:26

client so we will log

17:32

in and I'll will ask for a couple of

17:39

prompts and now I'm connected to the

17:42

client so with a bit of luck if I go

17:45

back to my

17:46

browser hit the refresh button I now

17:50

have access to my Nas web admin remember

17:53

I'm teed off my phone on the mobile

17:55

network which is completely separate to

17:57

my local Network here an important note

18:00

here is I'm actually using the local IP

18:03

address for my NAS drive as if I was sat

18:06

in the local network I don't need to

18:08

mess around with port forwarding or DNS

18:10

names super simple to set up so I should

18:15

even be able to create a network share

18:17

from here so if I open up the files

18:20

app press these dots at the top and

18:23

connect to server I should be able to

18:25

type in that local I

18:29

address hit the enter button use a

18:32

registered user user for my NAS drive it

18:35

requires

18:37

authentication and yes now I've

18:39

connected to the nas Drive via a shared

18:42

Drive I click onto my

18:44

videos and then go to Sur Bros videos

18:48

archives and now I have access to all of

18:50

the files I need securely from anywhere

18:53

in the world remember we're applying the

18:56

principles of zero trust so let me just

18:58

show you what happens if I try to get

19:01

access to my home router so we already

19:03

know I have access to the NAS drive but

19:07

if I were to go to my home router which

19:10

is

19:14

192.168.1.254 and press

19:17

enter again it fails because I'm only

19:20

given access to my NAS drive and those

19:23

port numbers we specified everything

19:26

else is out of bounds no access

19:30

whatsoever this is the principle of

19:32

least privilege only given enough access

19:35

to do the job now we can go even further

19:39

and to do that we need to go back over

19:40

to Twin gate we can even assess the

19:43

devices that are allowed to connect if

19:45

we go over to devices and then

19:49

security here we can set the minimum

19:52

device requirements before they're

19:54

allowed to connect things like screen

19:56

locks must be enabled and antivirus must

19:59

be installed and encryption is required

20:02

this all adds yet further verifications

20:05

to our connections meaning just because

20:07

someone has the right credentials

20:09

doesn't mean they'll be allowed to

20:11

connect so for example if I want to

20:13

allow iOS devices to connect to my NAS

20:16

drive I probably don't want devices

20:18

without a screen lock to be able to

20:19

connect because anyone could just pick

20:21

it up off the desk and then access my

20:24

files so I can come over to here click

20:27

screen lock not required and change that

20:29

to required and confirm the changes now

20:34

any iOS device that doesn't have a

20:36

screen lock will not be allowed to

20:38

connect to my NAS drive again adding

20:40

further protection to my data so if you

20:43

want to get handson with some zero trust

20:45

and secure your network connections use

20:48

the link below for your free twin gate

20:50

account okay so there we have it zero

20:53

trust is not a single tool or technology

20:56

instead it's a concept achieved by

20:58

implementing security policies and tools

21:01

that align with the core principles of

21:03

never trust always verify if you like

21:07

this video and you got some value from

21:09

it don't forget to give it a thumbs up

21:11

leave a comment and subscribe the

21:13

support from you guys really helps this

21:15

channel grow a big thank you to Twin

21:17

gate for sponsoring this video you can

21:19

find the link below and remember it's

21:21

completely free thank you for

21:27

watching

21:32

[Applause]

21:33

[Music]

21:44

he