The term "zero trust" is everywhere, but it is more than just a buzzword. Sorting through the hype to know whether your cybersecurity architecture is "true" zero trust can make your head spin. Most zero trust vendors still rely on default/allow architectures, yet the definition of the zero-trust security model is not trusting anything by default, which requires a default/deny architecture.

Join cybersecurity experts Jay Sawyer, Senior Security Architect at Tempered, and Holger Schulze, Founder and CEO of Cybersecurity Insiders, for an on-demand webinar that sorts through the myths and facts behind zero trust solutions. During the webinar you will learn how knowing the difference can reduce your attack surface and risk.

They also discuss:

  • The difference between zero trust and non-zero trust solutions

  • How to easily adopt a true zero trust architecture

  • Why trust then verify (default/allow) is no longer the best option for cybersecurity

  • How to control and protect data transferred in and out of your organization

  • Ways to reduce attack surface to secure critical infrastructure and IoT deployments

Zero Trust Network Security Webinar Tempered 2020

Tempered presentations from Security Field Day 3

What is Airwall - a technical introduction and demo
How Tempered Uses HIP to Achieve Zero Trust Security
Tempered's use of Cloud, Virtualization, Containers, and APIs

Additional resources

Download Airwall whitepaper - we make networks invisible
Download 451 Research Business Impact Brief
Download Great Lakes Water Authority case study
Airwall Solution - Talk with an Expert

Transcript

Holger Schulze:

Welcome to today's Cybersecurity Insiders webinar, where we will talk about Myth versus Fact in Network Security Architectures, and how to leverage true Zero Trust. Thank you for joining us today and taking time out of your busy schedules. Today's webinar is brought to you by Tempered. And Tempered is a secure networking company that makes it easy to create and maintain hyper-secure networks across complex infrastructures. My name is Holger Schulze. I am the founder of Cybersecurity Insiders, the online community for cybersecurity professionals, and publisher of the Cybersecurity Insiders Research Reports. And I'll be your moderator today.

Holger Schulze:

Now it is my pleasure to welcome our featured presenter, Jay Sawyer. Jay is senior security architect at Tempered. Jay, thanks for presenting today.

Jay Sawyer:

Thank you.

Holger Schulze:

Times have certainly been changing for network security over the years; dissolving perimeters, cloud computing, employees working from home, especially now at scale during the COVID pandemic. Jay, can you tell us more about these changes, and what they mean, and how organizations can keep up to protect their networks?

Jay Sawyer:

Sure. Times are changing for sure. Network intrusions have spiked in recent years, resulting in millions in financial losses due to theft of intellectual property and personally identifiable information. To keep up, folks in the past and even today have been sealing off their network with security perimeters and trusting pretty much everything within these castle walls, which has proven time and time again to be flawed. The soft, chewy centers of these models can allow the bad actors to persist in your organization's systems without detection for months or even years. Going into a defense-in-depth model, increasing the perimeter layers to permit these types of attacks leaves critical gaps that allow attacks to continue and remain undetected.

Jay Sawyer:

And as you mentioned, during the COVID period of our life, in recent times the trend is users needing to work remotely, getting on untrusted public WiFi in their favorite coffee shops or even their home. The surge has turned this new year, forcing an increase in the remote employee workforce for business, and with that, cybersecurity risks and privacy risks have increased because these remote workers store their data in the cloud so that it can be accessed wherever and whenever, and require access to the corporate network for productivity simultaneously, most of the time. And then a lot of these workers want the capability to use their own computers, tablets, and mobile devices. I don't blame them. I also like to choose my own devices to be able to be productive when I work. I love my company, but sometimes they miss the mark on what they can provide me.

Jay Sawyer:

But accessing both cloud environments and corporate resources with personal devices also increases cybersecurity and privacy risk, and leads to a demand on how to overcome those. And on top of that, the remote access to readily available data for productivity leads to a demand from the workers on ping-less access so that data and resources are accessible whenever, wherever, and however they desire to access it. And then to add to the risk, we have cloud-based services where we place our data, which is outside the corporate perimeter, and we access it with devices that once ran within the relative safety of the corporate perimeter. Even prior to the remote work, we are forcing ourselves into lately workloads data. The resources have been moving away from networks that we control and trust, into the cloud to process them.

Jay Sawyer:

So whether we like it or not, the perimeter has been eroded by the business needs of today, as our business of everything is pretty much everywhere, forcing our businesses to place a scrutinizing eye on how to address the compounded cybersecurity and privacy risks, requiring something like a Zero Trust model more than ever. And what comes with a Zero Trust model is a mindset change, as well as understanding the tools and the principles that allow easy adoption of the Zero Trust model.

Jay Sawyer:

So, what I'm going to do is go over some myths and facts, to smooth out what we've heard, and sort what's true from what's actually myth, to help alleviate the nervousness about Zero Trust and help educate each other, especially when you go back to work, to educate the executive team to make sure they understand the principles of Zero Trust. Something like segmentation. I know, speaking to a lot of customers, when I mention segmentation or micro-segmentation, a lot of toes curl, mainly because what I found out is the process of deploying it really isn't understood as much as it should be. Now, I know my counterparts understand it well, but the executive team sometimes doesn't have that type of knowledge to be able to comfortably give the okay for it to move forward.

Jay Sawyer:

So, myth versus fact in network security architecture where Zero Trust is involved. Myth number one: Zero Trust architecture requires a rip and replace of the existing network. The fact is, Zero Trust architecture is meant to augment existing infrastructure with its secure micro-segmentation gateways, using granular policies based on users, applications, data, and devices. Myth number two: Zero Trust architecture is expensive, disruptive, and not scalable. The fact here is Zero Trust architecture is eminently scalable. It provides augmented solutions, but it is scalable and can be built quickly, and provides viable security solutions for organizations without the cost and disruption of a rip and replace exercise. Myth number three... Just to take a little break there.

Jay Sawyer:

These are the top myths that I've been hearing from customers and other audiences. I mean, there are more myths, but these are the top five that I'll go through with you. So myth number three: Zero Trust is limited to on-site deployment. This is true in part. So the main purpose of on-site Zero Trust is to protect the two primary attack surfaces, and those are devices and people, which in turn requires Zero Trust in the form of end-to-end security and identity wherever they may be working from, whether it's on-prem, or off-prem, or a hybrid of the two.

Jay Sawyer:

Myth number four: Zero Trust cannot be deployed in the public cloud. The fact here is, since the public cloud is a virtualized data center or a remote site, if you would, the Zero Trust approach is required for the public cloud more than ever. There are solutions available today that not only make extending your Zero Trust architecture to the cloud, or from cloud to cloud, possible, depending on which services you use if you use more than one. And the same solutions can make the process very easy and cost effective. And finally, Myth number five: Zero Trust architecture is only for large organizations. The fact is that more than 61% of all data breaches affect small organizations and small businesses, so it's imperative that Zero Trust architecture be deployed in smaller but still critical infrastructure. Again, there are solutions out there that make deploying Zero Trust and security identity solutions like MFA, multi-factor authentication, and even device cloaking, and this is invisibility to those who do not have authorization to see devices or data. So some of these offered solutions are easy on the budget and easy on administration.

Jay Sawyer:

Moving on. We're going to go over the differences between Zero Trust and non-Zero Trust environments. Zero Trust solutions protect enclaves or your infrastructure using Zero Trust principles and its tools. We'll cover some of the tools and the principles in later slides. But the non-Zero Trust solutions pretty much use a castle-and-moat approach or defense in depth, where they layer the perimeter within the environment. For Zero Trust solutions, you have multiple security perimeters within the corporate network security perimeter. And that's achieved by micro-segmentation and more of the principles and tools that Zero Trust calls for. Where non-Zero Trust solutions occur, you have large sealed-off corporate networks secured with a security perimeter, and trusting everything inside of that security perimeter. Which, in effect, is providing a trust-but-verify type of traffic acceptance, where Zero Trust solutions never trust and always verify. In fact, never-trust-always-verify is pretty much the Zero Trust mantra.

Jay Sawyer:

Zero Trust solutions again provide network segmentation not only for North-South traffic, but also East-West using secure micro-segmentation. And this can also be North-West; it also NATs, using network address translation, for devices traversing from the internal network to the internet. Some of the secure gateways that provide micro-segmentation can also NAT and do some firewalling laterally, East-West, even within the same subnet between two devices that are located in the same subnet. Network segmentation in non-Zero Trust solutions with switches and routers doesn't really equate to what Zero Trust principles are calling for. Same with the firewalls. Firewalls were usually created to negate any North-South movements, and there's hardly any lateral movement negation there. Finally, for Zero Trust solutions, oftentimes some of the principles of Zero Trust are calling for infrastructure and device cloaking for reducing attack surfaces. There are other ways, and other tools and methods, to reduce the attack surfaces. But mainly the easiest and the best and cleanest way is to provide that device cloaking between networks.

Jay Sawyer:

On the left, I'm showing a little example. Pretty high-level, a Zero Trust solution versus, on the right, your typical non-Zero Trust solution in a castle-and-moat deployment. Going back on the left, for the hyper-secure enclave that you see there, it starts with layers. Starting from the center, you've got your SCADA, and then moving out from there you have your operational technology. And then out from there IT, and then your perimeter for your network, the internet and remote sites. Now the reason why I added all those in there is to show you how micro-segmentation with Zero Trust can be implemented, whether you're in a SCADA environment, in the IT environment, in the internet, where cloud or the public cloud is concerned. And even at remote sites, remote sites that are owned by you or by a vendor that you've integrated into your network.

Jay Sawyer:

The yellow perimeter around these circles, these spheres, indicates the micro-segmentation. The shields that you see within the micro-segmented networks there are the end-to-end type of security that some products or tools that Zero Trust calls for can provide between devices, whether it's within the same subnet, or across multiple VLANs. Even across the internet. And earlier I mentioned there are products out there, security products, that will provide end-to-end security, even between clouds. A sample is AWS and Azure.

Jay Sawyer:

Taking it down to what I'm really familiar with here is network diagrams. What does a Zero Trust solution look like in a network diagram, and pretty much what does a non-Zero Trust solution look like. The diagram on the right is typical. We look at these every day, in our lives, in our work lives, maybe sometimes in our personal lives. But that's pretty much the typical configuration points that we see. You've got your main perimeter, which is the big block there. And then you've got your defense-in-depth perimeters, other security devices that get placed throughout your network. Again, this is great, but it also leaves gaps within those networks that it's protecting. Whereas on the right side, your Zero Trust solutions, these devices, protected devices or the micro-segmented devices within each manufacturing plant as well as the corporate data, each of those color codes is a policy. And anything within, say, the purple policy cannot cross-communicate with anything that's in the yellow policy.

Jay Sawyer:

That's a great example of secure micro-segmentation in data, or providing data encryption in motion, even if it's in the same subnet. Also the fact that anything in the purple policy can sit behind a secure gateway that's providing micro-segmentation, which also can provide invisibility to anything in the yellow policy. Again, invisibility might be a toe curler as well. But that invisibility only affects the unauthorized or the malicious hacker, or anybody that, again, is not authorized to see any of those devices within that micro-segmented environment.

Jay Sawyer:

In our fleet, a lot of you are familiar with what you're seeing here; this is an Nmap scan. It's been initiated. And this is typical of what a lot of recon, or a lot of hackers do for recon. This is the type of results that they're hoping for: find IP addresses. And once they find the IP addresses, they can launch other types of scans to find vulnerabilities to test on these IP addresses or the devices that belong to those IP addresses. This is your network on Zero Trust, even if we're talking about, I mean, not just castle-and-moat, but defense-in-depth with multiple layers of firewalled systems. If that firewall or gateway gets compromised, this can be the result of the reconnaissance that is done. Again, I'm going to go back to talking about the secure gateway for Zero Trust that provides cloaking, or invisibility to those that are not authorized, and this can be done within those secure layers, even within multiple micro-segmented VLANs, and even within a certain VLAN that already has been micro-segmented.

Jay Sawyer:

So this is an Nmap scan that was done in one of those micro-segmentations. A lot of the assessors... this was actually to test for one of our big electric companies or power companies in Seattle. Actually, the assessors came in and started assessing, and this is what they saw. And they actually called the folks, the power company, and said, "Hey, can you turn on your devices so we can start testing," and the manager of system integration told them they are on. So I guess we passed. But this is actually a true result of an Nmap scan that was done in between two micro-segmented sections of a subnet.

Jay Sawyer:

Adopting Zero Trust, and how it can easily be done. So the easy part is great because we can control that. We can control what we understand about myths and facts; we can control where we do our research. I went to many, many seminars where CIOs, CTOs, VPs, VPs of Information Security were on the panel talking about their deployment, what their hits and misses were. I was taking notes, and found out about more types of solutions that can be used outside of the minimal four types of tools to use for adopting Zero Trust. But there are four principles for adopting Zero Trust. And this is a minimum. There are many more, but this is the minimum, and these are the more popular ones. There's a mindset, a philosophy, that has to be understood. Zero Trust is an architecture, philosophy, and strategy. So that has to be seen. Expand your audience in your organization for this. Teach upwards. Teach your executives who may not understand the principles and even some of the tools that are suggested for adopting Zero Trust. Get security alignment and executive support within your organization.

Jay Sawyer:

Zero Trust architecture approaches require asset discovery and inventory for the development and implementation of the policies and rules that you will use during the implementation to apply to devices that will connect to the network systems. So addressing asset discovery and inventory management are core components to effectively implementing Zero Trust, and to release action, it helps us understand the importance of data classification as well. So it's known what's required to change, and what's required to protect, and at what depth of protection. Using micro-segmentation. Again, this is also key to adopting Zero Trust. Threats come from inside as well as outside. I mean, this is the biggest purpose of micro-segmentation: we have to presume that compromise may already have happened, and we need to implement something that can mitigate the risks from inside threats as well as outside. So, the Zero Trust architecture should be a combination of endpoint and network capabilities. Establish least-privilege access. Most of us have already done this, right? This is a fundamental pillar of Zero Trust, providing access to the right people or identity with the absolute minimum type of access to the data that allows them to be productive.

Jay Sawyer:

And finally, the fourth principle: knowing the tools for Zero Trust and what they provide. Some of these tools, again, we're just going to go over four of them really quick here. There are more, but there are four tools central to Zero Trust, one being single sign-on, and I'll explain this in a bit. But multi-factor authentication is another. This points to the identity of the person, and even the device. In today's environments, we not only have manned devices by people, we also have unmanned devices or the IoT, the internet of things, which are growing. Supposedly this year, the count for IoT devices on networks, not just networks but on the internet and the whole world, is going to reach 6 billion things that are connecting to networks. So multi-factor authentication, we all know it. We've used it, and it gets annoying after a while because after an hour, it keeps popping up. Might be less depending on how humorous your security admin is. But with the help of single sign-on, that multi-factor authentication can get smoothed out to where it can decrease the amount of MFA that's being requested.

Jay Sawyer:

And then the last, 2.3, or tool three, is solutions or processes that provide fast provisioning and deprovisioning systems. This is important when, say, you're providing access to a vendor. How fast can you provision that vendor, using the tools you've deployed, to securely access from the internet into your environment the devices that have been implemented by the vendors? Deprovisioning is just as important, because how are you going to deprovision it? Are you going to wait till the morning even though he's been done three hours prior? Or are you going to implement a device that can automatically detect that the vendor is complete, and cut off any further access, any further trust or authentication, as soon as he is complete, or she. Fourth tool: solutions or processes that provide device protection and privacy. Again, this can be end-device security, antivirus. Secure tunnels. They've got software-defined perimeters that are now taking over from the VPNs to allow AES 256 encrypted tunnels to communicate from device to device, whether it's a manned device or an Internet-of-Things device.

Holger Schulze:

Hey Jay, quick question. Many solutions are being labeled as Zero Trust. Is Zero Trust a product?

Jay Sawyer:

So in terms of Zero Trust as a model, it is not a product. Because Zero Trust is a philosophy, and the strategy that has to go along with that philosophy. And with that model, it's not a product. But there are solutions on the market that are categorized under the Zero Trust principles and tools that I just covered. And some solutions were created from the ground up to address Zero Trust principles and those tools, in essence firewalling East-West for lateral movement or providing invisibility to those that are unauthorized. As such, these tools or products are simply labeled as Zero Trust, which makes more marketing sense than being labeled as "designed for Zero Trust principles and tools," kind of thing. In terms of the philosophy and strategies, Zero Trust is not a product. But in terms of those tools the principles call for, I think some of the tools can be labeled as Zero Trust ready, or Zero Trust compliant. Thanks for the question. That was a good question.

Holger Schulze:

Cool. Thanks, Jay.

Jay Sawyer:

So default-allow. This was typical when I first started networking in 1987 at Boeing. I sat at my workstations, my multiple workstations, Apples and Solaris devices. And one of the humorous admins was playing a joke on me, and he was able to get into my network and do the ping of death, or something similar to that. And I was like, how is this possible? Because those devices were built with default-allow. And in the Zero Trust philosophy, default-allow security products will fail. And they have been failing for quite some time. And the philosophy also points out that in Zero Trust, compromise is inevitable. To take it down a bit, default-allow systems make it impossible to detect the infinite amount of malicious variables that exist out there. So when a system is allowed by default, the system and administrators must be able to detect the bad things that are coming through. And in the case of malware, or even a malicious actor, these bad things, in the form of traffic or a virus, are controlled by the attacker, and are infinitely variable. So if the attacker gets caught, and he gets blocked, he can easily change his IP and MAC address, or his location, and he can change the type of delivery of his attack, or that virus.

Jay Sawyer:

So it's impossible to build any system that detects all possible bad things from a set of infinite possibilities. So this is why default-allow is no longer the best option to help implement your security and privacy. So by contrast, when a system is default-deny, you must be able to detect the good things. So, not that you must, but you will detect good things, because the only thing you're allowing is the authorized traffic to those devices or to a system. So the only thing you're detecting are good things, and these good things that are supposed to come through are controlled by the system administrator and are a finite set of possibilities. And in this sense, and compared to the default-allow type of systems, for default-deny types of systems it's possible to build a system that detects the good from the infinite set of unexpected possibilities. It's because the good is an expected or finite set of expected possibilities. So, default-deny is one of the best possible protections available because of its simplicity. And that's why Zero Trust actually calls for that. It's actually one of Zero Trust's mantras. Deny-all verify, or default-deny.

Jay Sawyer:

Control and protect data that is going in and out of your organization. There are four tools, minimum, that will help control and protect data in and out of your organization. Secure remote and local access. And a lot of you have started seeing this come up, a marketing term called software-defined perimeter. This can provide protection and privacy of data that is traversing in and out of your organization. But simultaneously it can also provide that type of privacy protection between devices even within the same subnet. Fast provisioning and deprovisioning. So these tools should sound familiar. So fast provisioning and deprovisioning. This is the capability, again, to provision a device access to data on another device from your network, or to a remote device, or from remote into your organization when it's needed. Again, coupled with the capability to deprovision that same device is just as important, because you don't want three hours to go by; who knows where that vendor has been, what they've been searching for. And if that system is still up and running, we can't trust that they're following Zero Trust or any type of security posture to help secure data that is going in and out of the devices. So making sure you can deprovision quickly is very important as well, to protecting not just the data going in and out, but the devices that hold that data.

Jay Sawyer:

Device protection and privacy. This is utilizing encrypted tunnels, in the form of, again, SDP, and with the minimum encryption strength of AES 256, which is pretty much the standard out there. And then the last tool, multi-factor authentication. This uses multiple identification, or multiple identity verification, for users sending data in and out of your organization. And combined with the use of your previous tools, this can be a powerful way of protecting that data in motion, traversing through the internet to another device that's out there. You also want to make a note: data in motion is essential to protect. But data at rest is of as much importance to protect as data in transition. There are solutions that can also protect data at rest on devices, as well as solutions that provide device protection for the device that's holding that data. A good example of where to control and protect data in and out of your organization is IoT devices, not just people-driven computers, and workstations, and mobile devices, but IoT devices. And that makes IoT devices harder to provide risk mitigation for cybersecurity and privacy. Because there are hardly any controls. Some of the IoT devices are considered black boxes, and have no direct access to them at all.

Jay Sawyer:

Ways to reduce attack surface. Again, the two primary attack surfaces to consider here for Zero Trust are people and devices. Network also belongs to that category. But on devices, more and more devices are being used today. I made mention of the 6 billion types of IoT devices connecting to the network, to the world. This provides more gateways for cyber criminals to carry out cyber attacks. And then the number one security threat to devices today is the hybrid ransomware, which allows an attacker to take control of the device and simultaneously give it a virus, with the purpose of that virus spreading to other devices. For micro-segmentation, there are some best practices to follow to help reduce attack surface.

Jay Sawyer:

Micro-segmentation, and you're going to keep hearing that word if you're looking to deploy Zero Trust. But micro-segmentation, especially when it provides invisibility or cloaking of devices to the unauthorized. Think back to the Nmap scan that we did within a network that was micro-segmented with a device that provided invisibility for the critical infrastructure. If I'm a hacker, I go in and do reconnaissance and I see an empty results tab or results sheet from my Nmap or any type of network scan, I'm going to move on because if I don't have an IP address, my device is going to be able to ping or connect to anything.

Jay Sawyer:

Another: secure tunnels for data in motion. Again, going back to the previous slide. This is important to mitigate a lot of the privacy and security risks that our devices are incurring when communicating with other devices to either collect or deposit data, data that's critical for our business. Endpoint security application for malware, and the spread of malware. This doesn't stop there. It seems like we're talking about a workstation or a laptop, but it can be a mobile device. It can be an MDA that you're installing on that mobile device that actually, when malicious activity is detected, can pull all of the critical data, or access to that critical data, and the access capabilities from that mobile device.

Jay Sawyer:

Least access privilege. Again, only give access to a server or device or database with the absolute minimum privilege required to continue productivity for that user that's connected to it. Device assessment for vulnerabilities. So this should require a routine device assessment for vulnerabilities for your workstations, laptops, mobile devices, and for any vulnerabilities or compromise.

Jay Sawyer:

On people, best practices are to use password policies. People are the weakest link in any digital security chain. Human error is actually attributed to 37% of security breaches. So, I mean, it's important to initiate a lot of these best practices. And again, I'm only displaying a few; there's a lot more. I'm telling you there's a lot more that can create headaches, but these are pretty much the top best practices here. So on people, I mentioned password policies. You've got your multi-factor authentication, which I should recommend again, speaking from previous slides. And processes and policies are important. Provide security training. And then on top of that, routinely assess people's knowledge of security, and the organization's processes and policies.

Jay Sawyer:

On network. So because compromise is inevitable, the network is the first line of defense for devices located on premise, and the people accessing them within the organization's network or from outside the organization's network. I mean, you can even consider inside out as well. But for network, the best practices are micro-segmentation, there's that word again, micro-segmentation to protect against any malicious advance towards network devices. Again, first line of defense: you're protecting against any malicious data reaching those critical devices that are holding your critical data for business. And then you've got network traffic assessment, which should be routinely done, some of it on a daily basis, like intrusion detection devices, packet inspection; there are a lot of solutions out there that provide these in real time. And then routinely do third-party security assessments for your network. Assessing network or networking devices. This includes firewalls and the secure gateways responsible for the micro-segmentation I keep talking about. And last for this group, assess applications in the cloud. Let's not forget the cloud. A lot of us are moving to the cloud, whether for personal reasons or for corporate reasons. Our data is just in the cloud; it's unavoidable. And again, there are solutions out there that provide micro-segmentation or software-defined perimeter where you can go from the organization to the cloud, or even cloud to cloud, depending on how you've dispersed your critical data out in the cloud for access or backup.

Jay Sawyer:

So I'm going to summarize here. I had the chance to read the 2020 Trust Generic Report. And what I found in there was, 33%, pretty much, of those who took the survey say they are adopting Zero Trust in a timeframe that is less than nine months, where 27% have no plans. Some 89% acknowledged that users may have access privileges beyond what they require.

Jay Sawyer:

But going back to point one, where 27% have no plans, another statistic I read about was that 47% of security teams lack the confidence in their ability to provide Zero Trust, citing that their existing technology may not or will not help them embrace a Zero Trust strategy. I think, from my point of view, I've helped a lot of customers look into Zero Trust. We spent some time whiteboarding, and having conversations, and throwing a lot of strategy around. It can't be done. Whether you're a big organization, like Wynn Resorts here in Las Vegas, or if you're a smaller organization like some of the churches here in Vegas again, with some work and research, demystifying Zero Trust myths and knowing the facts and its unknowns, its principles and the tools recommended, can help you easily adopt a Zero Trust strategy. It just takes a little more sweat work, and it takes some salesman type of activity when you are attempting to push the adoption to the executives that may not know, pretty much, the principles or any of the tools, and may only know the myths that are being thrown around out there.

Jay Sawyer:

So, one of the devices I kept talking about, the micro-segmentation that provides invisibility, that's actually a product that I represent. It's called the Airwall. And that Airwall is a secure gateway that not only provides micro-segmentation but provides that invisibility to any unauthorized seers or lookers. You can use the firewall to create micro-segmentation between two devices that are in the same subnet for that lateral communication mitigation. It can also be deployed, as you remember, as this little circular enclave with the micro-segmentation, which is pretty much where we can deploy to protect any device, anything, anywhere. And on top of that, the Airwall also provides AES 256 secured tunneling between devices, whether it's within the on-prem organization network, or if it's from cloud-to-cloud environments, or from the on-premise network to remote offices. And because we're using AES 256, you can actually go from the office to Starbucks, open up your laptop and connect back to your environment while you're drinking your favorite coffee and having your favorite snacks as if you've never left the office. Coupled with multi-factor authentication, it makes for secure data access from wherever you are.

Jay Sawyer:

So Tempered, this company I'm from, if you require any more details, please go visit https://tempered.io, or tempered.io. And then for information, if you want direct contact, the email is down below, info@tempered.io. And if you do want to play with our Zero Trust solution, or Zero Trust ready solution, I should say, there is a free demo that you can log into from our tempered.io site. The URL is there. It's a simple sign up, you sign up for it. You will get an email with instructions on how to log in, how to drag and drop policies between two devices, and how to send emails to those device owners so that they can provision the clients that you're going to install to be able to create that secure remote access between devices.

Jay Sawyer:

During COVID, when it first broke out, I've known some friends, and even one of my daughters that just started working in San Francisco, they weren't allowed to go in the office. The IT guys just mailed her devices and said she had RDP access to her workstation in her office. And she knew right away. I mean, she's my daughter. So she knew right away and she goes, "How do I secure this without waiting three weeks for IT to secure it?" And so I pointed her to this site and she set it all up. At that point, she was able to do secure remote access to all her Gantt charts and whatever she needed through one of our Airwall tunnels.

Holger Schulze:

Excellent. Thanks, Jay. Let's see if we have any live audience questions coming in. The first question here. What recommendation do you have to provide enterprise application access for users?

Jay Sawyer:

Let's go back to securing those devices and data in motion. So the recommendation I would have, first, is to implement a secure or software defined perimeter, excuse me, where it offers not just your typical trust-this-IP-address-from-this-device-to-communicate-with-another-device, but you want to have a mechanism that replaces that IP address as the host identifier with something like the DNA of that device, like a cryptographic ID. And so it happens that our Airwall secure remote access provides that type of identity replacement. So there is no mistake as to who the device and the person is connecting to your device, to an enterprise application server. That's the first line of security defense and privacy defense.

Jay Sawyer:

Of course, multi-factor authentication should be used in that process as well, which the Airwall does also provide. You can use anything from Azure to Okta when accessing the tunnel to access that data in that enterprise application.

Holger Schulze:

Thank you, Jay. The next couple of questions are regarding some of your Tempered solutions that you mentioned earlier. And the first question here is, how does Tempered encrypt data in motion?

Jay Sawyer:

We encrypt it with AES 256. And that's pretty typical for data in motion, with that heavy type of encryption. But the process we build to create trust between the two communicating devices is just as important, along with what those devices or those solutions that are hosting that tunnel authenticate to. And so our solution actually uses Host Identity Protocol to replace the IP address with a cryptographic ID. And that's just the first part. In the upper layers... And that's between layer three and four. But in the upper layers from that, the system also uses a hash of bit rate or binary rate, and a context identifier of the device it's installed on. And that gets turned into what we call a host identity tag. And that tag also gets us, in a sense, passwordless trust authentication between our Airwalls before that tunnel gets built. Once everything passes, that tunnel will get built, AES 256 IPsec. And then our Airwall gateways will allow that traffic to start passing.

Holger Schulze:

Excellent. Thank you, Jay. It looks like we have time for one more question. How does Tempered micro-segmentation separate network infrastructures from each other?

Jay Sawyer:

We do support North-South, as well as East-West lateral movement. And we support certain switch type features like port isolation. Port isolation is a must for that lateral movement prevention. But what we do is, when you deploy an Airwall into your environment, we are deny by default, which means you've got to be very careful of what you connect to our devices before implementing us, because we will cut off communications to the general network. And what happens there is, once we are deployed, a policy needs to be created in order for, say, Airwall A to communicate with Airwall B. And once that policy is created and the trust is built, then a tunnel will be created between the two Airwall gateways, and anything that has policy to communicate behind each of these Airwall gateways will be allowed in that tunnel.

Jay Sawyer:

So that is pretty much how we create our micro-segmentation. We Airwall, or make invisible, or create this logical air gap around certain critical infrastructure that is in scope for our solution, not allowing anything in the rest of the network to see or communicate unless there is a policy that allows that communication.

Holger Schulze:

Excellent. Thank you, Jay. And thank you again for sharing your insights on how to leverage Zero Trust for network security. Oh, no.

Jay Sawyer:

It was my pleasure. I enjoyed it. Thank you.

Holger Schulze:

Same here. Thank you, Jay. And with that, we are at the finish line for today's session. I hope we will see all of you again at one of our future webinars. Thanks everyone. Have a great day.