3.5 Trust Management Part 1 - ZN

00:01

welcome back. So we're gonna cover the learning objectives for our next section, which is placed in trust in Zero Trust.

00:08

And our first topic, of course, is going to be How do we place trust in zero trust?

00:14

Then we're gonna move on and we will take a look at what trust means in a zero trust network. Then

00:23

we must understand how we manage that trust.

00:27

And so we move on toe, have a brief discussion on public key infrastructure and the role it plays in zero trust.

00:35

Stick around more to come

00:39

place in trust and zero trust.

00:42

So we now know that the Zero Trust Network is a network that should be seen as completely untrusted.

00:49

Now, this model does not want an administrator to secure local server any differently than he or she would if that server were accessible on the Internet

01:00

and all host must be seen as Internet facing.

01:03

So hopes that are entrusted zones cannot simply provide user and host identification in the form of a user name and password.

01:12

Strong encryption is required,

01:15

but strong authentication is required as well.

01:19

In the zero trust model, there is a control plane and a date, a plane. And in between that is the components authentication and authorization.

01:29

The control plane sets the policies that dictate if the connection will be allowed or denied

01:36

the dead. A plane simply sends the request. If the right attributes are present

01:41

and the control planes policies,

01:44

they allow that action for the user. The device in the application

01:49

as an administrator or engineer, were placed in trust in the control plane and preparing a trust score

01:56

that determines entry.

01:57

So keep in mind that this isn't just occurring at the perimeter, but throughout the network and the zones that have been created.

02:13

So what is trust?

02:15

Trust in a zero trust network is strong authentication and least privilege.

02:20

You know, we talked about, Ah, the putting together of more than one attribute to authenticate our users and devices, but least privilege also helps to build trust,

02:31

you know, least privilege is the notion that a user device or application should only be allowed. The privilege is required to perform the task it was given.

02:43

Scope. Creep

02:44

is the act of given permissions that are desired, more so than required and can lead to accidental misuse

02:52

or intentional attacks by user

02:55

device or an application.

02:58

An example would be the use of an application. Instead of using our own account to run that application service,

03:06

you would want to create a service account

03:08

and on Lee provided with the required privileges and these to perform the service it was purchased for or developed for.

03:15

We could even try and take it a step further if the environment uses Microsoft's active directory system.

03:23

You know, with that system, we can specify accounts should be interactive or non interactive in terms of its logging ability.

03:31

You know what? What that means is, if you configure a service account to have non interactive log in on your domain than if that account was compromised, the attacker wouldn't have the ability to actually sign in. Tow a host when prompted at Let's say, windows log in screen.

03:47

So it's these extra vantage points you have when you use the zeros trust concept.

03:54

And when you shift to that model, there's these functions that you can use. You can pull out of your active directory systems or really any system that you're using

04:05

to ah Tau achieve zero trust throughout your network and throughout your zones.

04:14

So trust management, you know, manager and trust will come down to strong authentication.

04:18

Now, generally, an appliance, physical or virtual will review the i p address of the remote system and then simply check the password after a credential Prompt is building.

04:30

But with zero trust, things like device posture and client base certificates should be used in conjunction with the using the password.

04:39

You know, when I was thinking about authentication, something really moved in my spirit and my mind and I want to share it with you. Now Be patient with me because

04:47

I am going somewhere with this. Just listen

05:00

the

05:04

they

05:11

such a great song That brings me back to my childhood.

05:15

So does anyone know who or what group is responsible for this song?

05:19

And it's okay if you don't, because

05:23

if you get it right or wrong, I would encourage you to listen to that song

05:27

after this course on after I tell you the answer, right?

05:31

So it's the British rock group Queen,

05:34

and this song was a big part of the soundtrack toe eighties movie.

05:39

Does anyone know that movie

05:44

now? Same rules apply here right or wrong. I will encourage you to check out. It's a cult classic,

05:50

Um, when you have some free time.

05:53

So that movie is Highlander,

05:56

and the reason the song and movie come to mind

06:00

is really the tag line for the movie. There can be only one,

06:03

and that's true with authentication, right? Only one person should be able to say I am Mario Bardwell and authenticate toe a computer or application. Only one device should be able to authenticate with his own credentials, whether that be via a client base certificate

06:20

to access another device or service.

06:24

So, just like Highlanders

06:26

authenticity that we can see and hear,

06:30

he says it in his famous line. I am Duncan Macleod of the Clan Macleod.

06:35

And that's what we want for our networks, right? Never really trusted, but always verifying.

06:42

And how does Duncan Macleod of the clan Macleod verify that he is who he says he is?

06:47

We'll watch the movie and find out

06:50

now it is rated R, so it would be best not to watch it around Children.