ZEROing Trust: Do Zero Trust Approaches Deliver Real Security?

Presented at Black Hat USA 2018, Aug. 8, 2018, 4 p.m. (50 minutes).

Over the last year, the "zero trust" network (ZTN) security architecture concept has generated interest both for its abstract security properties, and the marketing hoopla proclaiming it the "next big thing." The value proposition of "zero trust" networking is that it can more effectively prevent common security issues that lead to breaches while simultaneously enabling BYOD and removing the need for VPNs and legacy security concepts. ZTN architectures claim to enable both enhanced security and user freedom by removing implied trust from the network perimeter and replacing it measured trust at the user and device layers. This success of this scheme relies heavily on the ability to measure user and device security properties as a viable means to establish trust.

In this talk, we will analyze the "zero trust" approach in several threat scenarios to determine its true effectiveness. This will include an examination of the platform and device security properties that can be measured to establish trust across modern OSs such as Windows, Chrome OS, iOS, and Android. This will incorporate a detailed technical dive into the capabilities and limitations of device trust measurement frameworks such as Google's SafetyNet/Verified Access, Microsoft's System Guard Runtime, and common EDR/AV products. ZTN based methods for combining device and identity-based to provide access and authorization will also be examined.

Finally, public ZTN implementations will compared to a wide range of threats from common REDTEAM tradecraft all the way though hardware and firmware attacks. Attendees will walk away from the talk with a technically sound view on the potential and pitfalls of ZTN based networks, which will help to cut through the marketing hype.


Presenters:

  • David Weston - Group Manager, Microsoft
    David Weston is a group manager in the Windows team at Microsoft where he currently leads the Windows Device Security and Offensive Security Research teams. David has been at Microsoft working on penetration testing, threat intelligence, platform mitigation design, and offensive security research since Windows 7. He has previously presented at security conferences such as Black Hat, CanSecWest, and DEF CON.

Links:

Similar Presentations: