ZTN and Cloud Security Overview


Zero Trust Network & Cloud Security

Hello!
Reza Khaloakbari
⬡ IP WAN Planning and Optimization Senior Specialist at MTN Irancell

My Certificates:
AWS – Advanced Networking – Specialty
Cisco – Enterprise SD-WAN Implementation
Huawei – Data Center SDN planning and design
Cisco – CCNP Routing and switching
Cisco – CCNP security

linkedin.com/in/reza-khaloakbari

The Future of Security

1 Challenges in Traditional Security Models
2 Introduction to ZTN
3 Introduction to SASE
4 Cloud Security

Threats in encrypted traffic are everywhere

⬡ 95% of all web traffic is HTTPS-encrypted, per Google Transparency Report
⬡ 85.9% of threats are delivered over encrypted channels
⬡ 24.3% growth in encrypted threats year over year

Vulnerable Centralized Points

⬡ The traditional security model is known as the "castle-and-moat" concept, which focuses on protecting the boundaries of the network.
⬡ Centralization also assumes that once inside the network, users are trustworthy and can access all resources.
⬡ This model is not suitable for networks where resources are distributed across various locations, including the cloud, or for environments with remote users.

Weak Internal Firewalls

Traditional networks are typically less equipped to detect and respond to internal threats or anomalies.
1- They find you
2- They compromise you
3- They move laterally
4- They steal your data

Ransomware attacks increased by 37% in 2023

Remote Working Challenges in SD-WAN

If a device in an SD-WAN setup lacks its own security module, all traffic would need to be routed to the Headquarters (HQ) for security checks.
In such cases, users at that branch office may experience reduced performance, as traffic cannot be directly sent to the internet or local cloud services.

Remote Working Challenges

With VPNs and firewalls, how can I ensure that my end users' performance is optimal with the hybrid workforce?
Are they being backhauled with a VPN to a data center, and is that the most efficient way?

ZTN
Zero Trust Network

What is ZTN
⬡ The Zero Trust model was first introduced by John Kindervag, a principal
analyst at Forrester Research, in 2010.
⬡ Zero Trust Network (ZTN) is a security model that operates on the principle
that no individual or device inside or outside the network should be
automatically trusted.
⬡ A zero-trust network relies less on specific hardware and more on new
approaches to security.

Zero-trust network terms
⬡ Identify assets
∙ Take an inventory of assets and make assessments about the value and vulnerability of corporate assets.

⬡ Verify devices and users
∙ Intrusions often are initiated through a device that has been spoofed. To maintain zero trust, devices and users must verify they are who they claim to be, for example through Single Sign-On (SSO), Multi-Factor Authentication (MFA), an identity provider (IdP), SAML, …

⬡ Network Segmentation
∙ Dividing the network into microsegments to control traffic flow and reduce the attack surface.

Zero-trust network terms
⬡ Least privilege access
∙ Limiting even trusted users to only the specific applications, services, and data
⬡ Test, Monitor, and Maintain
∙ A zero-trust approach—similar to threat modeling—requires testing to ensure that the impact on productivity is minimal and hypothetical security threats are neutralized.

⬡ Continuously verify trust
∙ Continuously evaluating the security posture of all devices and users
⬡ Automate policies
∙ Using automated solutions for rapid threat detection and response, and for enforcing security policies.

SASE
Secure Access Service Edge
What is SASE
⬡ The concept of SASE was articulated in a Gartner report titled "The Future of
Network Security Is in the Cloud," published in 2019.
⬡ SASE is a network security approach that offers a comprehensive networking and security solution.
⬡ SASE replaces hardware data centers with infrastructure residing in the cloud.
⬡ Zero Trust Network Access (ZTNA) is a key component of the SASE framework.

Key Components of SASE:

⬡ SD-WAN (Software-Defined Wide Area Network)
⬡ SWG (Secure Web Gateway)
⬡ FWaaS (Firewall as a Service)
⬡ ZTNA (Zero Trust Network Access)
⬡ CASB (Cloud Access Security Broker)

SASE and the Future

By 2025, 70% of organizations that implement agent-based zero trust network access (ZTNA) will choose either a secure access service edge (SASE)

Cloud Security

Cloud Security
⬡ Global Cloud Footprint
⬡ Proxy architecture vs. passthrough
⬡ Direct-to-Cloud Architecture
⬡ Zero Trust Network Access Security as a Service
⬡ Simplified Management
⬡ Multitenant architecture
⬡ Zero attack surface
⬡ Connect users to apps, not the network

Cloud Security
⬡ Global Cloud Footprint
∙ Utilizing a distributed cloud infrastructure to provide security services close to users anywhere in the world, reducing latency and improving performance.

⬡ Proxy architecture vs. passthrough
∙ Proxy architecture enables full content inspection, including SSL, with connections brokered based on identity and context.

⬡ Direct-to-Cloud Architecture
∙ Enabling users to connect directly to the cloud for all internet and web-based services, bypassing the need for traditional VPNs and appliances.

Cloud Security
⬡ Simplified Management
∙ Providing a unified platform for policy management and reporting, reducing the complexity associated with managing multiple security products.

⬡ Zero attack surface
∙ Apps aren’t exposed to the internet—what threat actors can’t see, they can’t attack.

⬡ Zero Trust Network Access
∙ Implementing a Zero Trust model that verifies every user, device, and connection before granting access to resources, regardless of their location.

⬡ Connect users to apps, not the network
∙ Direct connections between users and apps remove all risk associated with accessing your network.

Cloud Security Architecture

1 Enforce Policy
2 Control Content and Access
3 Verify Identity and Context

Verify identity and context

⬡ Who is connecting?
∙ Verifies the user, device, or workload identity through integrations with third-party identity providers.
⬡ What is the access context?
∙ Validates the context of the connection requester, looking at attributes such as role, responsibility, request time, location, and circumstances of the request.
⬡ Where is the connection going?
∙ Confirms that the owner has the rights and the destination is known, understood, and contextually categorized for access.

Control content and access

⬡ Assess risk
∙ Leverages AI to dynamically compute a risk score of the requested access based on factors such as device posture, threats, destination, behavior, and policy.
⬡ Prevent compromise
∙ Conducts inline decryption and deep inspection of inbound traffic to identify and block malicious content.
⬡ Prevent data loss
∙ Performs inline decryption and deep inspection of outbound traffic to identify sensitive data and prevent exfiltration through inline controls.

Enforce Policy
⬡ Enforce policy
∙ Determines what conditional action to take
regarding the requested connection. This
action ultimately results in conditional allow
or conditional block of the requested access.
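
Added example, not from the original slides or any vendor product: the three stages above (verify identity and context, control content and access, enforce policy) as a Python policy check. The application names, policy fields, risk weights and the `conditional-allow` verdict are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import time

# Constructed policy table; app names, fields and thresholds are illustrative assumptions.
APP_POLICY = {
    "payroll": {"roles": {"finance"}, "hours": (time(7), time(19)),
                "countries": {"DE", "NL"}, "max_risk": 30},
    "wiki": {"roles": {"finance", "engineering"}, "hours": (time(0), time(23, 59)),
             "countries": None, "max_risk": 60},
}

@dataclass
class Request:
    idp_verified: bool    # outcome of SSO/MFA at the identity provider
    role: str
    device_managed: bool  # device posture inputs
    device_patched: bool
    country: str
    at: time
    app: str

def risk_score(req: Request) -> int:
    """Fixed weights standing in for the dynamically computed risk score."""
    return (0 if req.device_managed else 40) + (0 if req.device_patched else 25)

def decide(req: Request) -> tuple[str, str]:
    # 1. Verify identity and context: who, in what context, going where.
    if not req.idp_verified:
        return "block", "identity not verified"
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return "block", "destination unknown"
    if req.role not in policy["roles"]:
        return "block", "role not entitled"  # least privilege
    start, end = policy["hours"]
    if not start <= req.at <= end:
        return "block", "outside permitted hours"
    if policy["countries"] is not None and req.country not in policy["countries"]:
        return "block", "location not permitted"
    # 2. Control content and access: score the request from device posture.
    score = risk_score(req)
    if score > policy["max_risk"]:
        return "block", f"risk {score} above {policy['max_risk']}"
    # 3. Enforce policy: full allow only at zero risk, otherwise conditional.
    if score > 0:
        return "conditional-allow", f"risk {score}: restricted session"
    return "allow", "all checks passed"
```

The same user can receive different verdicts for different applications, because each destination carries its own entitlement list and risk threshold.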

Thanks!
Any questions?
You can find me at:
linkedin.com/in/reza-khaloakbari

Khaloakbari@gmail.com

Source
www.gartner.com
www.cisco.com
zscaler ZTNA solution
https://www.zscaler.com/capabilities/zero-trust-network-access
