Zero Trust Explained | Real World Example
Summary
TLDR: The video script delves into the concept of Zero Trust, emphasizing that it is not a product but a security framework whose aim is to 'never trust, always verify.' It contrasts traditional perimeter-based security with the modern challenges posed by cloud computing and user-owned devices. The script introduces Twingate as a practical tool for implementing Zero Trust Network Access (ZTNA), showing how it verifies users, enforces least privilege access, and assumes potential breaches, ultimately improving security for remote and diverse work environments.
Takeaways
- 🛡️ Zero Trust is not a single product but a security framework that involves continuous authentication, authorization, and assessment of every user and device.
- 🏰 Traditional perimeter-based security has been challenged by the rise of cloud computing, web apps, and remote working, necessitating a new approach like Zero Trust.
- 🔒 The core principle of Zero Trust is 'Never Trust, Always Verify', treating all users and devices the same regardless of their location or network.
- 📋 Implementing Zero Trust involves a variety of technologies, products, and policies that align with its principles, such as multi-factor authentication and device compliance checks.
- 👥 Zero Trust addresses issues like user-owned devices and lateral movement in networks, ensuring that even if an attacker breaches one point, they don't have access to everything.
- 🔑 Least Privilege is a key aspect of Zero Trust, ensuring users, applications, or devices have only the permissions necessary to perform their tasks.
- 🕊️ The concept of 'Assume Breach' in Zero Trust means planning defenses with the expectation that systems may be compromised, focusing on minimizing damage.
- 🧩 Network and user segmentation are part of the breach minimization strategy, reducing the impact of any potential security breach by limiting access areas.
- 📡 Twingate is highlighted as a tool that exemplifies Zero Trust Network Access (ZTNA), providing in-depth verification and least privileged policies for secure remote access.
- 🔄 Twingate's setup process demonstrates how to implement Zero Trust principles practically, including defining resources, deploying connectors, and setting client access.
- 🔒 Twingate allows for detailed device security requirements, such as mandatory screen locks and antivirus software, enhancing the verification process for connecting devices.
Q & A
What is the zero trust security concept?
-Zero trust is a security framework that operates on the principle of 'Never Trust, Always Verify'. It requires continuous authentication, authorization, and assessment of every user and device, regardless of whether they are inside or outside the network perimeter.
Why is zero trust not a single product or technology?
-Zero trust is not a single product because it is a comprehensive security architecture that needs to be built over time using various technologies, products, and policies to ensure a robust security posture.
What is the problem with traditional perimeter-based security in the context of modern challenges like cloud computing and remote working?
-Traditional perimeter-based security struggles with modern challenges because it assumes all internal network traffic is safe once past the perimeter. However, with cloud computing and remote working, access to resources can come from anywhere, and perimeter security does not effectively verify the security of the access or the identity of the user/device requesting access.
What is the concept of 'least privilege' in zero trust?
-The principle of least privilege in zero trust means providing only the minimum level of access necessary for a user or device to perform its required tasks. This minimizes the risk of unauthorized access and potential damage in case of a security breach.
How does the zero trust model address the issue of lateral movement in a network?
-Zero trust addresses lateral movement by ensuring that even if an attacker gains access to one point in the network, they do not automatically have access to other resources. Each access request is verified and authorized individually, preventing the spread of an attack.
What is the role of multi-factor authentication (MFA) in the zero trust framework?
-Multi-factor authentication (MFA) plays a crucial role in the zero trust framework by adding an additional layer of security during the verification process. It ensures that the user is who they claim to be by requiring more than one form of identification before granting access.
What is the purpose of network segmentation in the context of zero trust?
-Network segmentation in zero trust is used to divide a network into smaller sections, which helps to reduce the blast radius of a potential breach. By limiting the scope of access, the damage an attacker can cause is minimized if they manage to compromise a segment.
Can you explain the term 'Just in Time' access in zero trust?
-Just in Time (JIT) access in zero trust refers to a practice where access to resources is granted only when needed and for the shortest period necessary. Once the task is completed, the access is revoked, reducing the window of opportunity for potential attacks.
How does Twingate implement zero trust network access (ZTNA)?
-Twingate implements zero trust network access by providing in-depth verification, least privilege policies, and secure remote access to corporate resources. It allows users to access specific resources securely from anywhere, ensuring that access is tightly controlled and aligned with zero trust principles.
What is the significance of the 'assume breach' mentality in zero trust?
-The 'assume breach' mentality is a proactive approach in zero trust that acknowledges the possibility of a system being compromised. By planning for potential breaches, organizations can implement measures to detect, respond, and limit the impact of such incidents effectively.
How does Twingate ensure that only secure devices can connect to a resource?
-Twingate ensures device security by allowing administrators to set minimum device requirements, such as requiring a screen lock, antivirus software, and encryption. Devices that do not meet these criteria are not allowed to connect, adding an extra layer of security to the access control process.
Outlines
🛡️ Introduction to Zero Trust Security Concept
This paragraph introduces the concept of Zero Trust, emphasizing that it is not a single technology, product, or protocol but a security framework. The goal of Zero Trust is to continuously authenticate, authorize, and assess every user and device, rather than relying on traditional perimeter-based security. The sponsor, Twingate, is introduced as a tool that supports Zero Trust principles by offering secure remote access with advanced user authentication and minimal access rights based on the security health of the device.
🏰 Challenges to Traditional Perimeter Security
The paragraph discusses the limitations of traditional perimeter-based security, which is likened to a medieval castle. It explains how the rise of cloud computing, web applications, and remote working have challenged this model, as these new ways of working require access to resources from various locations and devices. The paragraph also highlights issues such as user-owned devices, lateral movement within networks, and the increased risks posed by the pandemic, which necessitated a shift towards a new security approach, namely Zero Trust.
🔒 Core Principles of Zero Trust Implementation
This paragraph delves into the core principles of Zero Trust, starting with the principle of 'Never Trust, always verify,' which means that continuous verification is required regardless of the user's location or the device being used. It also covers the principle of least privilege, which involves granting only the necessary access to users, applications, or devices. Additionally, the paragraph introduces the concept of assuming a breach, which involves planning defenses to limit the impact of potential security breaches, including system segmentation and real-time threat response.
🌐 Setting Up Zero Trust with Twingate ZTNA
The paragraph provides a practical guide on implementing Zero Trust using Twingate, a Zero Trust Network Access (ZTNA) solution. It outlines the process of setting up a network, creating resources with specific access controls, and deploying a connector to enable secure access. The example given involves accessing a home NAS drive remotely while applying Zero Trust principles such as verification, device compliance, and least privilege access.
🔓 Enhancing Security with Device Compliance Checks
This paragraph focuses on enhancing security by setting device compliance requirements before allowing connections. It describes how Twingate can be used to ensure that devices meet certain security criteria, such as having a screen lock, antivirus software, and encryption. The paragraph also demonstrates how to adjust settings to allow or restrict access based on these compliance checks, thereby adding an extra layer of protection to the Zero Trust implementation.
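The setup these outline items describe, a single published resource (the NAS at 192.168.1.187 reachable only on TCP 5000 and 445, with UDP and ICMP disabled), an 'everyone' group, and a screen-lock requirement for iOS devices, can be expressed as a small policy engine that re-runs every check on every request. The block below is an added example written for this page, not Twingate's code or API; the class names, the `evaluate` function and the sample requests are all constructed here to show how identity verification, device posture and a default-deny resource allowlist combine into one decision.

```python
"""Toy ZTNA policy engine (added example, not Twingate's implementation)."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional


@dataclass(frozen=True)
class Resource:
    """One published resource: a single host plus the ports that may be reached on it."""
    name: str
    address: str
    tcp_ports: frozenset = frozenset()   # empty set means no TCP access at all
    udp_ports: frozenset = frozenset()
    allow_icmp: bool = False
    groups: frozenset = frozenset()      # groups permitted to reach this resource


@dataclass(frozen=True)
class DeviceRequirements:
    """Minimum posture an OS family must present before any connection is allowed."""
    screen_lock: bool = False
    antivirus: bool = False
    disk_encrypted: bool = False


@dataclass(frozen=True)
class Device:
    os: str
    screen_lock: bool
    antivirus: bool
    disk_encrypted: bool


@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset
    mfa_verified: bool      # outcome of the MFA prompt for *this* request, never cached


@dataclass(frozen=True)
class Request:
    identity: Identity
    device: Device
    dst_ip: str
    proto: str              # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None


@dataclass
class Policy:
    resources: tuple                  # tuple of Resource
    device_requirements: dict         # os name -> DeviceRequirements


def evaluate(policy: Policy, req: Request) -> tuple[bool, str]:
    """Decide one request. Every call runs every check; nothing is trusted from earlier calls."""
    ident = req.identity
    # 1. Verify who is asking (credentials plus MFA).
    if not ident.mfa_verified:
        return False, "identity: MFA not satisfied"
    # 2. Verify the device meets the minimum posture for its OS family.
    reqs = policy.device_requirements.get(req.device.os, DeviceRequirements())
    for check in ("screen_lock", "antivirus", "disk_encrypted"):
        if getattr(reqs, check) and not getattr(req.device, check):
            return False, f"device: {check} required for {req.device.os}"
    # 3. Least privilege: only a published resource, only its published ports.
    for res in policy.resources:
        if ip_address(res.address) != ip_address(req.dst_ip):
            continue
        if not (ident.groups & res.groups):
            return False, f"{res.name}: {ident.user} is not in an allowed group"
        if req.proto == "tcp" and req.dst_port in res.tcp_ports:
            return True, f"{res.name}: tcp/{req.dst_port} allowed"
        if req.proto == "udp" and req.dst_port in res.udp_ports:
            return True, f"{res.name}: udp/{req.dst_port} allowed"
        if req.proto == "icmp" and res.allow_icmp:
            return True, f"{res.name}: icmp allowed"
        return False, f"{res.name}: {req.proto}/{req.dst_port} not published"
    return False, "no resource published for destination (default deny)"


# Constructed sample policy mirroring the video's setup (values are illustrative).
NAS = Resource(name="nas", address="192.168.1.187",
               tcp_ports=frozenset({5000, 445}), groups=frozenset({"everyone"}))
POLICY = Policy(resources=(NAS,),
                device_requirements={"ios": DeviceRequirements(screen_lock=True)})
ME = Identity(user="alice", groups=frozenset({"everyone"}), mfa_verified=True)
IPAD_LOCKED = Device(os="ios", screen_lock=True, antivirus=False, disk_encrypted=True)
IPAD_UNLOCKED = Device(os="ios", screen_lock=False, antivirus=False, disk_encrypted=True)


def sample_decisions() -> dict:
    """Evaluate a set of constructed requests and return name -> (allowed, reason)."""
    cases = {
        "nas web admin": Request(ME, IPAD_LOCKED, "192.168.1.187", "tcp", 5000),
        "nas smb": Request(ME, IPAD_LOCKED, "192.168.1.187", "tcp", 445),
        "nas ssh": Request(ME, IPAD_LOCKED, "192.168.1.187", "tcp", 22),
        "nas ping": Request(ME, IPAD_LOCKED, "192.168.1.187", "icmp"),
        "router": Request(ME, IPAD_LOCKED, "192.168.1.254", "tcp", 80),
        "no screen lock": Request(ME, IPAD_UNLOCKED, "192.168.1.187", "tcp", 5000),
        "no mfa": Request(Identity("alice", frozenset({"everyone"}), False),
                          IPAD_LOCKED, "192.168.1.187", "tcp", 5000),
    }
    return {name: evaluate(POLICY, r) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in sample_decisions().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {name:15} {why}")
```

Run it directly to print the decision for each constructed request. The point the video makes with the router test shows up in the last branch of `evaluate`: 192.168.1.254 is refused not because a rule blocks it but because no resource publishes it, so anything not explicitly granted is denied; the screen-lock case shows that valid credentials and MFA alone are not enough once device requirements are in force.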
📚 Conclusion and Call to Action on Zero Trust
The final paragraph concludes the video script by summarizing the importance of Zero Trust as a security concept that involves implementing various security policies and tools. It encourages viewers to try out Twingate for their own Zero Trust implementation and to engage with the content by liking, commenting, and subscribing. The paragraph also thanks Twingate for sponsoring the video and provides a link for viewers to start their free Twingate account.
Keywords
💡Zero Trust
💡Cyber Crime
💡Perimeter-based Security
💡Lateral Movement
💡Cloud Computing
💡Multi-Factor Authentication (MFA)
💡Least Privilege
💡Breach Assumption
💡Twingate
💡Zero Trust Network Access (ZTNA)
Highlights
Zero trust is not a new technology, protocol, or product, but a security concept or framework.
The goal of zero trust is to continuously authenticate, authorize, and assess every user and device.
Twingate is introduced as a sponsor, offering advanced user authentication for remote access.
Traditional network security, known as perimeter-based security, is facing challenges due to cloud computing and web apps.
The zero trust model removes trust in users, devices, and networks, following the principle 'Never Trust, always verify'.
Verification in zero trust includes checking credentials, device security health, and location of the request.
Zero trust requires dynamic and continuous verification for every request to prevent hackers from exploiting open sessions.
The principle of least privilege ensures that users, applications, or devices have only the permissions necessary to perform tasks.
Just enough access and Just in Time access are examples of implementing least privilege in zero trust.
A breach assumption mindset in zero trust involves planning defenses for potential system breaches.
Network and user role segmentation are strategies to reduce the impact of a potential breach.
Implementing zero trust involves a range of tools and policies, not just a single solution.
Twingate's zero trust network access (ZTNA) provides in-depth verification and least privileged policies for secure access.
Twingate is free for up to five users, suitable for home networks and small teams.
A step-by-step guide on setting up Twingate for zero trust access to a home NAS drive is provided.
Twingate allows for detailed access control, such as specifying IP addresses and ports for a resource.
The video demonstrates accessing a NAS drive remotely using Twingate while enforcing zero trust principles.
Twingate can enforce device security requirements, such as mandatory screen locks and antivirus installations.
The video concludes with an invitation to try Twingate for implementing zero trust and securing network connections.
Transcripts
What is zero trust? Well, that depends who's asking. Zero trust is critical to protect us from hackers and cyber crime in the modern world. Before we talk about what zero trust is, let's start by talking about what zero trust is not. It is not a piece of new technology, it is not a protocol, it is not a product that you go out, you buy, you set up and suddenly you have zero trust. Now it's better to describe zero trust as a security concept or a framework. The goal is to trust nothing; instead we must continuously authenticate, authorize and assess every user and every device. Zero trust is achieved using a mixture of security policies and the right security tools.
And speaking of tools, let me say a big thank you to our sponsor of this video, Twingate. Twingate offers super easy, highly configurable remote access to your home or business network. Using advanced user authentication, limiting users to just what's needed and assessing the security health of your device makes Twingate a great tool for our zero trust arsenal. We'll talk more about this later and I'll show you how you can get started implementing your own zero trust using Twingate. By the way, it's not going to cost you anything.
Okay, so to fully understand the problem that zero trust solves we need to go back a few years. A traditional network looks something like this: we have our computers, our servers and our applications sitting inside our network. These are all protected from the outside world by our routers and our firewalls. This is called perimeter-based security. Because all of these devices are owned by the business and connected to the same network, we can control them using things like Group Policy for configuration or Active Directory for authentication, and our firewalls control which traffic is allowed in and out. We can even control the physical access to the devices and the infrastructure by controlling who has access to the buildings or the server rooms; we use things like ID cards and passcodes. We call this the trusted network because we have complete control over these devices. Everything on the outside, however, which we don't control, is called the untrusted network. People often use the analogy of a medieval castle to describe this approach: the castle protects everything inside from the outside attackers with high walls and moats.
Now this setup worked well for a long time. However, the idea of perimeter security has been facing challenges in recent years. Some of these challenges that businesses are facing are: cloud computing and web apps. Now most businesses are using a combination of web applications and cloud computing services; these applications and services can be accessed from anywhere on any device. Remote working: users are not always in the physical office network, sometimes they're working from home, in a coffee shop or on any other public Wi-Fi. How do we then provide access to the resources the user needs while still ensuring they're using a safe connection, and how can we ensure they actually are in fact who they say they are? User-owned devices: users are not always using company-owned devices. Users may want to use their own phones or tablets or laptops to connect to the corporate data and services. Well then, how do we ensure that these devices are free from malware and secure enough to access our company resources? And one of the biggest problems with perimeter-based security is something called lateral movement. If an attacker can find just one weakness in the perimeter and get access, then the explicit trust gives the attacker access to the other resources within the network.
All of these problems have gradually been increasing in recent years; however, the pandemic skyrocketed these and it was clear that the traditional perimeter security approach was no longer able to protect this new way of working. So a new solution needed to be found, and this brings us to zero trust. Now I've said this already, but zero trust is not a single product that can be implemented overnight. It's a security architecture that needs to be built over time using different technologies, products and policies. Many security vendors have their own approach to zero trust and how it can be implemented, but I'm going to be talking about some of the core principles that make up zero trust and then we're going to get hands-on with a real world example.
At its core, zero trust does exactly what it says on the tin: it removes all trust in users, devices and networks. A phrase often used to describe this is 'never trust, always verify'. It doesn't matter if you're sitting in a coffee shop, at home or in the office behind company firewalls, you are treated exactly the same. You are only trusted once you can prove otherwise. Now I like to call this 'guilty until proven innocent'. Now the way to prove your innocence is to be verified. This is done based on several factors, including things like credentials, the device being used and the location of the request. For example, let's say you want to access a company resource. Before your request is granted your credentials will be checked to ensure you are who you say you are. You may then be prompted for an MFA. This is all pretty standard stuff, but then we can go further by checking things like the security health of your device. This could include checking that the operating system is up to date and that endpoint protection is installed. Your geolocation could also be looked at; maybe only requests from certain countries will be accepted, countries where the business only operates in, for example. Several of these checks can be made before you are verified. The key point here though is even if you pass verification once, that does not automatically mean you are trusted. A key part of zero trust is that every request should be continuously and dynamically verified, every single time. This stops hackers from taking advantage of things like open sessions and trusted access.
Okay, as the name suggested, zero trust is all about removing all trust from every request, but there is more to it than that. The next principle is that of least privilege. Now least privilege means only providing the minimum level of privilege needed to do a task. Seems pretty obvious, right? Well, this is often easier said than done. Implementing this in applications and services not designed for zero trust can sometimes be tricky. As humans we also want to be as helpful as possible, often giving much more access to users than needed, or giving access temporarily and never actually removing it. This is a weakness, and the attackers do take advantage of this. A common example of giving too much privilege is when all users have local admin rights. This is great for the user because they can install applications, run tasks that require permissions, all without interruption. However, this also means that malware or hackers using this account have much more access to the device. This is great for hackers but it's bad news for us. With the right tools and policies in place we can ensure that any user, application or device only has the permissions required to do what's needed and not a single bit more. An example of this is something called just enough access; this is where we provide only the necessary access required for a job. There's also something called just in time access; this is where we can provide access to resources such as virtual machines only for a set amount of time. Once this time is up, the access is then removed.
The last principle of zero trust that we will discuss is assume breach. Now this means that we're not just trying to stop cyber attacks, but we're going to assume that the systems will be breached at some point, if they haven't already. By taking this mindset we can start to plan our defenses for if the worst should happen. The first thing to do is segment our systems to reduce the blast radius. What this means is we reduce the damage done if an attacker is able to get access. We can reduce the area of a network they can access by using network segmentation, and we should also use user-based segmentation to limit the scope of the credentials. As well as reducing the blast radius, we must implement measures to detect and respond to these breaches. We must ensure we have the tools to provide visibility and the tools and services to respond to threats in real time.
Okay, so we now know the theory behind zero trust and why it's so important, but how do we actually start to implement this stuff? Well, as mentioned at the start of this video, complete zero trust cannot be achieved with just a single tool or service; you need a range of tools and policies to implement zero trust. But let me give you a real world example so you can get hands-on with some zero trust tools.
The tool we're going to be looking at is called Twingate, which provides something called zero trust network access, also known as ZTNA. Zero trust network access provides everything we've already spoken about: in-depth verification and least privileged policies for your users who need access to the corporate resources. Now don't worry, because Twingate is completely free for up to five users, which is more than enough for your home networks and for small teams. So here is my home network. In my network I have a NAS, or network attached storage. This NAS drive holds all of my video files. I want to be able to access this NAS drive from anywhere; I could be at home, in a coffee shop or on the road, I need to be able to access my NAS drive. I also have an editor called Peter, and I may want Peter to access my NAS drive as well. Now of course I could use a simple VPN to do this; however, I want to implement the zero trust principles of verification, device compliance and least privilege. Twingate makes this super simple to do, so let's get this set up.
Now the first thing we need to do is go over to twingate.com and set up a free account; just go over to 'try Twingate for free'. Once we've done that and signed in, it's just a simple three-step process: we need to set up a network, set up a connector and then install the client. So first we need to set up a network. We'll hit the 'add remote network' button. This is the network we want remote access to, so as we can see we have options for the three major cloud providers, AWS, Azure and Google Cloud, but in my case I'm going to select 'on premise' because the NAS drive is at my house. So we select on premise and then we're going to give it a name. I'm going to go with 'home' cuz it's my home network, then hit 'add remote network', and just like that we have our first network. But it's currently empty. But don't worry, we are going to fix that, and this is where we implement our first bit of zero trust. Instead of giving access to the entire network here, I'm going to specify exactly what can be accessed, and we do that using a resource. So I'm going to click 'create resource', then I'll give it a name; this is going to be 'my NAS', and then I'm going to give it the IP address. The IP address for my NAS drive is 192.168.1.187. Not only am I going to restrict the IP address, but I'm also going to restrict the ports that can be used to access my NAS drive. So I'll do that by clicking 'ports', and for TCP I'm going to allow port 5000, which is the port for the web admin, and I'm going to allow the port number 445; this is for SMB, which will allow me to access the files remotely. Then I'll just disable UDP and I'll disable ICMP as well. So here's my IP address, here are the only ports that you can access it on, and then I'll click 'create resource'. You're then asked to select which users will have access. By default you have an 'everyone' group and it's just me, so I'll select that and hit the 'add' button.
Okay, so now we have our network and our resource defined, we now need to deploy a connector. This connector sits somewhere in the network and is what makes the connection possible. So to deploy the connector I just have to click on one of these interestingly named connectors on the left hand side. So I'll go with 'classy bobcat' and then we're taken to the deployment page. As we can see we have tons of different options to deploy the connector. All are pretty straightforward, but to be honest the easiest one is going to be Docker, so that's the one I'll select. So I'll click Docker, and then all we need to do is generate some tokens. So I'll scroll down, hit the 'generate tokens' button. Of course we have to authenticate, remember, verify everything, so we'll re-log in, and once generated the tokens will be added to the command at the bottom. Now all we need to do is run this command on some type of machine. Now this could be a computer you have lying around the house, Windows or Linux, it doesn't matter; it could be a Raspberry Pi, or it could even be the NAS drive itself, assuming it supports Docker. In my case I'm going to use a virtual Ubuntu machine, so I'll pull up that machine here, log in, and all I have to do is open up a terminal. The first command to run is 'sudo apt update', and this will go through looking to update all of your packages. Then the next command is 'sudo apt install docker.io'. Now this command will install Docker on the virtual machine; again, this will only take a minute to go through. Once done, we just need to take that command from Twingate and paste it into here, but do not forget to type 'sudo' before you copy it all, or it will probably fail. So go back to Twingate, click the 'copy command' button, go back to our virtual machine and paste that in, hit the enter button and it will start to work its way through. So now that's completed, we can go back to Twingate and check to see if the connector is now online. So it currently says 'not connected', but if I hit the refresh button, with a bit of luck, as we can see the status has now changed to 'connected', meaning our connector is now live and working. We do have the option to add multiple connectors for redundancy, but I'm just going to leave it as the one for now. So now we have our resources defined, our connector deployed; now the only thing left is to download the client and test it out.
Okay, so I have my iPad here and I'm going to pretend that I'm on the road. Now it's tethered to my mobile, so it's a completely separate network to my local network here. To download the client we need to go to twingate.com/download, and as you can see we have a download option for pretty much every device. Now of course I'm on iPad, so I'm going to choose iOS and hit the download button. Okay, so I have the client, but before I connect I want to show you that it will fail if I tried to access my NAS drive from here. So I'm going to open up the browser, going to go to a new tab, and remember that IP address, that local IP; so it's http://192.168.1.187 and the port number for the web admin page is 5000. So I'll press the enter button and, yep, as expected it looks like it's going to fail. So now what I'm going to do is connect to that client. So we will log in and it will ask for a couple of prompts, and now I'm connected to the client. So with a bit of luck, if I go back to my browser, hit the refresh button, I now have access to my NAS web admin. Remember, I'm tethered off my phone on the mobile network, which is completely separate to my local network here. An important note here is I'm actually using the local IP address for my NAS drive as if I was sat in the local network; I don't need to mess around with port forwarding or DNS names. Super simple to set up. So I should even be able to create a network share from here. So if I open up the Files app, press these dots at the top and 'connect to server', I should be able to type in that local IP address, hit the enter button, use a registered user for my NAS drive (it requires authentication), and yes, now I've connected to the NAS drive via a shared drive. I click onto 'my videos' and then go to 'Sur Bros videos archives', and now I have access to all of the files I need, securely from anywhere in the world.
Remember, we're applying the principles of zero trust, so let me just show you what happens if I try to get access to my home router. So we already know I have access to the NAS drive, but if I were to go to my home router, which is 192.168.1.254, and press enter, again it fails, because I'm only given access to my NAS drive and those port numbers we specified; everything else is out of bounds, no access whatsoever. This is the principle of least privilege: only given enough access to do the job. Now we can go even further, and to do that we need to go back over to Twingate. We can even assess the devices that are allowed to connect. If we go over to 'devices' and then 'security', here we can set the minimum device requirements before they're allowed to connect, things like screen locks must be enabled and antivirus must be installed and encryption is required. This all adds yet further verifications to our connections, meaning just because someone has the right credentials doesn't mean they'll be allowed to connect. So for example, if I want to allow iOS devices to connect to my NAS drive, I probably don't want devices without a screen lock to be able to connect, because anyone could just pick it up off the desk and then access my files. So I can come over to here, click 'screen lock not required' and change that to 'required' and confirm the changes. Now any iOS device that doesn't have a screen lock will not be allowed to connect to my NAS drive, again adding further protection to my data.
So if you want to get hands-on with some zero trust and secure your network connections, use the link below for your free Twingate account. Okay, so there we have it: zero trust is not a single tool or technology; instead it's a concept achieved by implementing security policies and tools that align with the core principles of never trust, always verify. If you like this video and you got some value from it, don't forget to give it a thumbs up, leave a comment and subscribe; the support from you guys really helps this channel grow. A big thank you to Twingate for sponsoring this video; you can find the link below, and remember, it's completely free. Thank you for watching.