3.6 Trust Management Part 2 - ZN

00:01

so the importance of public key infrastructure and zero trust is paramount. You know things like devices, users and applications could be or should be authenticated with certificates from a public infrastructure.

00:15

So what does public key infrastructure really mean?

00:19

What it does is securely distributes and validates Public Key's in a network that is untrusted.

00:26

It's primary goal is to verify that an otherwise unprivileged user device or application is authentic. Dudes with exist in trust with very certificate authority,

00:38

or what a lot of us would call a C A.

00:41

Now the certificate authorities signs and publishes the keys that are used for validation to user's devices and the applications.

00:49

The certificate authority uses its public key

00:52

to sign the user device or applications certificate.

00:56

The sea is trusted, and it is used for other authenticating hosts on the network to validate the signature of that certificate provided by the user device for application,

01:07

you know, on the slide, we have a breakdown of the public and private keys using certificates.

01:11

Public keys are gonna be distributed, but private keys are gonna be kept secret,

01:18

you know, public. He is used to encrypt a message that only the person that has the private key can decrypt.

01:25

Now this ensures confidentiality, meaning that on the person

01:29

that the message is meant for can read it

01:32

now. Alice used her private key to send an email. Anyone that has her public, he would be able to read the message. In this scenario, we are protected the integrity of the message and whatever is in the message. We know it came from Alice, since

01:49

she is the one with the private key.

01:53

It's this level of verification. We want the router networks, and that will reduce risk.

01:59

So a quick analogy, off certificates and public key infrastructure that I've heard before would be. It's like a license plate, right. Essential authority issues the numbers and ensures

02:12

each license plate number is matched to the right vehicle.

02:15

Both drivers and police

02:19

trust this third party to keep

02:21

the right details on file, Right?

02:24

So just a quick review off what we discussed. We went over trust management,

02:30

what is trust and how strong authentication helps with manage and trust,

02:36

and we touched briefly on public key infrastructure.

02:38

So in the next section we will talk about how to trust devices,

02:44

how to trust users how to trust applications and the traffic in the zero Trust network.

02:50

Thanks for being here. Stay tuned.

02:54

So thank you for sticking with me. We've got another pop quiz. A quick learner check for the section that we just went over.

03:02

We begin with what is the least privilege

03:07

we moved to What is scope creep and then third in public key infrastructure. Who should have the private key? All things that we touched on briefly in the last section. And now we move to those answers.

03:24

So what is least privilege

03:28

least privileges? The notion that a user device or application should only be allowed the privilege is required to perform the task I was given.

03:36

Ah, quick example would be, ah, vulnerability management account. Right? If you're someone that's used some of the products out there like Ness's HQ, Wallace

03:46

or Rapid seven open boss eyes a lot to choose from.

03:52

Some of them will say that you need a domain administrative account or a local administrator account. Right? And so you know, how do we

04:01

instead of giving it full permissions to do that, how we get close to the privileges or the rights that account needs toe probe the operating system properly to give you the best assessment about the vulnerabilities, right?

04:17

So we only want to give that service account for your vulnerability management application or software the rights that needs to perform the checks it needs to do right. So least privilege needs to be applied with all users, all devices and applications. And and that's what we really mean by that and how it plays such a

04:38

important role

04:39

and zero trust. Next we have what is scope creep? And this is the act of given permissions that are desired, more so than required and can lead to accidental misuse or intentional attacks by user device or an application. So we really have to audit, um,

04:57

our devices are users or applications and make sure that we're not giving them too much permissions. Whether it's someone gets a promotion

05:02

or we, we start to use the service account for multiple service's instead of creating a individual service count for each service or tax that we're trying to perform.

05:14

All right, so keep that in mind, and that's what zero trust is gonna allow you to do. I think about you know, how do we have the least amount of trust at least amount of privilege in our network.

05:25

Next, we've got public key infrastructure, and who should have the private key and the private key should always be in possession of the owner of the private key. Right? And you really see it in the name private. It's not something that should be publicly available, or I shouldn't be giving you my private key right? It needs to have the integrity and the

05:45

authenticity,