Transcript
This transcript was autogenerated. To make changes, submit a PR.
Hello friends and thank you for joining me today.
My name is Amod Darshane, and today I'll be discussing a topic on advanced network
security: network segmentation and zero trust architecture, and how they really
help secure IoT networks.
I have about 16 years of experience in the industry, and I was fortunate enough to
work with various customers from the pharmaceutical, banking, and financial side.
At the moment, I am working for an OEM partner, and that gives me access to the
multi-technology side of networking.
Traditionally, I was a route/switch engineer, but gradually I started working on
the security side, and SASE got my attention.
In my current role, the majority of the projects I work on are SD-WAN, SASE, and
Zero Trust Architecture.
In today's session, we'll go over some of these topics: how challenging it is to
secure IoT networks, what exactly zero trust architecture and network segmentation
are, the synergy between network segmentation and zero trust architecture, and how
it is helping to prevent some of the cyber attacks on IoT devices.
So let's begin the talk. In the next 30 minutes or so, we will cover these topics.
So what are really the challenges of network security?
With the evolving cyber threat landscape, cyber security threats are also evolving
rapidly, with attackers becoming more sophisticated and persistent.
To give you an example, AI is not only being used to become more productive in
your day-to-day activities; modern-day attackers are also getting more productive
by using AI, and your traditional security is not really enough to prevent these
attacks, right?
Especially on the IoT side, which has increased the attack surface, and these
devices have limited security built in.
Let's take some of the issues with the IoT side of network security.
IoT devices sometimes really lack robust security protocols built into them.
Their resource constraints, limited processing power and storage, really hinder
advanced security measures.
The high volume of devices is also a challenge in managing and securing millions
of devices, and that is also very complicated.
And they are very prone to malware attacks, DDoS attacks, and data breaches.
Some of the challenges are advanced persistent threats; the short form is APTs.
Now these remain undetected for a very long period of time.
It is around nine months to 12 months before the attacker actually reveals its
identity or you as an organization identify that you are under attack.
So it's a really long time.
And in between, they silently gather all the information from your database, and
they can really harm you.
Then there are insider threats.
Threats are no longer considered to come only from outside; they are also inside.
For example, employees or contractors or even third-party vendors who have
legitimate access can pose a severe threat to the organization and your network.
Another challenge is to secure your hybrid environments, meaning now you have your
footprint not only in your organization and your data centers; you also have your
applications running in the cloud.
And not only that, sometimes you have your applications running in a multi-cloud
environment.
So now you have to mitigate the risk at the data center level, at the cloud level,
and at the multi-cloud level.
So your monitoring increases.
So these are the security challenges to your network, and especially to the IoT
networks that we discussed.
Let's take a look at the other side.
So what exactly is network segmentation?
It's basically partitioning a network into smaller isolated segments, logically.
Logically means you don't really have physical devices that are separated, but
sometimes even that is also possible.
Sorry for the glitch there.
Network segmentation is basically isolating your network into smaller, manageable
parts.
The traditional network segmentation example would be VLANs, or virtual LANs,
where you segment your network based on logical broadcast domains.
Another modern-day example would be VRFs, or Virtual Router Forwarding.
Now that is very much in use to isolate your guest traffic from your corp traffic.
And you can also use it to isolate your IoT traffic from your traditional
enterprise traffic.
Now you can also have physical segmentation of your network, meaning you can have
the corp environment running on a different set of network, on a physical device,
and the IoT side of the network running in a completely air-gapped environment.
So that is also one of the segmentations.
Now, how is it beneficial? It isolates the critical assets: sensitive data, your
intellectual property, and critical infrastructure are separated into secure
zones, reducing their exposure to broader network traffic.
And it also reduces the attack surface; segmenting the network helps contain
potential threats and prevents them from spreading across the entire organization.
So if you have some applications that are exposed to the outside world, you can
also use a DMZ, wherein those applications are put behind the firewall, and then
you can only expose certain ports or certain surfaces of that application towards
the outside world.
And that is also isolated from your traditional corp network.
Now let's take a look at ZTA, zero trust architecture.
Zero trust is a security model, and it is based on the principle of never trust,
always verify.
What that means is, once you identify a corporate asset or a user or even a thing
like an IoT thing, that identity does not remain valid for a very long time.
So you always verify that the device is who that device says it is, and you
always keep authenticating that device over the period of time.
And it also combines with authorization, meaning what level of access that device
is granted.
If a user or the device is not supposed to have access to certain applications,
then those applications will not be accessible for that user or for the device.
And along with that, if users, applications, or even devices require a certain
level of access, only that access will be provided.
And that comes under least privileged access.
So they will not be getting any more access beyond what is really required for
them to function properly.
And what are the core components?
Identity and access management is the foundation of zero trust, ensuring users and
devices are verified through multi-factor authentication and strong password
policies.
Meaning, when you log into your banking account with a username and password, the
next step of authentication is going to be either an email sent to you with an OTP
pin or a message on your phone with the OTP pin.
That is another level of security called MFA, multi-factor authentication.
Even nowadays, that is also prone to certain attacks, but that's an additional
level of security that you can apply for your applications.
Micro-segmentation: applying strict access control policies at the application
level or workload level rather than the network perimeter.
And then along with these, continuous monitoring: you continue to monitor, with
real-time visibility into network activity, find out if there is any abnormal
behavior through anomaly detection, and respond to the threats accordingly.
Another example, which is not really given in the slide, is network access
control systems.
In the majority of my previous career, or previous job rather, I was working on
network access control systems, where you will be authenticated and authorized at
the network level before you can access any network.
And that gives the visibility of what connects to your wired network or your
wireless network, or even your VPN network.
A computer or a user or an IoT device needs to identify its identity, which could
be based on a username and password accompanied by a certificate installed on the
system.
And then that will be authenticated against your Enterprise Root Certificate
Authority, and proper access will be given.
That entity will be put into the respective VLAN dynamically in order to provide
the proper access.
Now, in traditional versus modern network security strategies: in traditional
network security, the focus is really on the perimeter firewalls, and then
intrusion detection systems are also installed separately, or were installed
separately, and antivirus software.
It really assumes that the threats are primarily external, which is not the case
in today's environment.
And the challenges include insufficient internal monitoring, vulnerability to
insider threats, and difficulties in scaling security for modern dynamic IT
environments.
In network segmentation, we saw that it divides networks into isolated segments
to control and monitor traffic, and hence it reduces lateral attacks.
It is effective for containing breaches, but then it requires complex management
and configuration to ensure that critical segments are properly secured.
And along with that, Zero Trust architecture is a proactive security model.
We saw the Never Trust, Always Verify way of implementing Zero Trust architecture.
It validates users and devices at every access point regardless of the location.
And because our workloads are also in cloud and multi-cloud environments, unlike
traditional models, it adapts to dynamic and distributed environments as well.
Now let's take a look at how network segmentation actually works.
We already discussed virtual LANs.
It is a logical segmentation of networks into smaller subnets to create isolated
broadcast domains, and each can have its own security policies.
For example, the guest VLAN would be completely separate from the corp VLAN, where
the access is given very differently.
Printers will be provided a different level of access than your organizational
computers.
Next-gen firewalls: for the last 10 years or so, next-gen firewalls have been
rapidly increasing their deployment in modern networks.
There is a reason why these are called next-gen firewalls.
They are not only capable of detecting and preventing attacks at the network
level, but they are now application aware.
They are not only able to put the access rules at the network layer, but they are
also capable of identifying the applications, and you can put the rules on them at
the application level.
They are also capable of doing deep packet inspection rather than just looking at
the IP header.
They're also capable of preventing intrusion using intrusion prevention systems;
you can monitor the network for malicious activity and block it by using next-gen
firewalls.
Another feature is geolocation identification.
What does that mean?
You can now restrict your applications from being accessed from certain malicious
countries and only whitelist a few countries where you expect your legitimate
traffic to come from.
Multi-tenancy: next-gen firewalls can secure multiple tenants and sub-tenants and
isolate the network traffic between them.
They are not just capable of firewall features, right?
They're also a beefy router, you would say, and they are also capable of
implementing VRF features.
They can also run SD-WAN, meaning you don't really need separate hardware to run
software-defined networking.
They are capable of programming and giving greater flexibility to control traffic
management; along with that, the security policies can also be managed and
dynamically applied to various network segments.
Software-defined networking allows you to deploy the networking devices using
just one click of a button.
They also call it ZTP, or Zero Trust Provisioning Systems, where a system gets an
IP address from a DHCP server and then calls home to get the certificates and the
configuration from the controller, and then it configures on its own using the
policies and the configuration that is there to be pulled from the controller.
Now let's take a look at some of these zero trust architecture components.
Now, how can you always verify and never trust, right, on the devices or on the
users?
So you can implement some of these features.
Multi-factor authentication ensures the users are who they say they are by
requiring multiple forms of verification.
We saw an OTP pin, or you can also use some physical devices which can verify
your fingerprints as an MFA.
So those are various options that you can implement for multi-factor
authentication.
Another is single sign-on authentication.
Now it really simplifies user access while maintaining strict security policies,
and it is integrated with enterprise systems like Active Directory.
So if you have certain applications in your organization, before users access
them you want to make sure the user is authenticated.
But the user experience is such that they don't have to log in to each and every
application every time.
So the security token is issued once they log in for the first time and perform
their MFA, and that security token is valid for a certain duration of time.
And for all that duration, all their access is valid.
So they can access multiple applications, of course based on their authorization
profile.
The next is Role-Based Access Control, or RBAC.
Now, it is really important to provide users with a certain level of access to
perform their job.
Role-based access control or attribute-based access control; those are some of
the acronyms that are used.
So organizations enforce the principle of least privilege using these components.
I previously gave an example of network access control.
So by using network access control, if a device is authenticated and authorized
for a certain level of access and, at the end of the day, its certificate expires,
that device will no longer have the full access that can be used to access several
applications of the organization; it will only be given access to mitigate that
expired certificate, and hence will be put into a restricted VLAN.
So that's the role-based application.
Micro-segmentation, basically, ensures the security policies are enforced at the
application level, and it allows granular control over traffic flows, isolating
high-risk applications from the rest of the network.
We have seen the example of a DMZ, where you put your highly exposed applications
in your DMZ and then only open certain ports or certain services for that
application to be accessed externally.
Using a next-gen firewall, you can also put some restrictions on the devices
within the same virtual LAN, or VLAN.
So those are some of the key components of Zero Trust Architecture.
Now, let's see the synergy between network segmentation and ZTA.
These terms are coming up over and over in my presentation, but those are really
important ones.
So they complement security strategies.
They help you simplify compliance with regulations like GDPR and HIPAA.
Because of their easy deployment, the security posture also increases, and the
scalability that is required for modern IoT networks and workloads is also
achievable by using ZTA and network segmentation, and of course business
continuity: it ensures uninterrupted operations even during incidents, because
you can implement these in a highly available manner.
So again, segmentation alone doesn't solve the problem of identity verification.
It requires ZTA to ensure that even in trusted network segments, users and
devices are authenticated at every stage, and authorization follows the
authentication.
And Zero Trust Architecture complements segmentation by providing dynamic and
flexible access policies.
And the key word here is dynamic, because you don't put the access policies in
place once; they always get changed based on the users' or devices' compliance.
So that is very important here.
Now, one of the benefits of network segmentation and ZTA: it offers comprehensive
security, right?
It delivers multi-layer defense.
It reduces the risk of lateral movement, meaning the attack is not only happening
northbound, but it can also be east-west communication, or internal employees can
also present that threat; any phishing email that is opened, the attack can be
unleashed on your organization.
And by implementing ZTA and network segmentation, the lateral movements can be
detected and prevented.
It also improves visibility and monitoring.
So with network segmentation, organizations can monitor traffic flow between
segments quickly and detect potential breaches.
It also observes the behavior of that user or that device.
So for example, if your printer is only supposed to talk to a print server or
some monitoring systems, and suddenly it starts talking to an external DNS server
or tries to access some malicious sites, there is a red flag right there.
And that can be easily found out by using ZTA, which ensures the behavior is
constantly analyzed for anomalies, enabling early detection of threats.
Now, where can this be implemented?
These can be implemented in smart manufacturing plants, where malware spreading
through IoT sensors can be easily identified, detected, and prevented by
segmenting IoT devices into VLANs and applying zero trust policies for access
control.
Healthcare facilities: the issue could be unauthorized access to medical IoT
devices, and the solution is going to be to use network segmentation for devices
and implement ZTA for secure authentication and authorization.
In order to implement these security components, it's very important to identify
the critical assets that you have in your organization and group them logically.
There has to be a single source of truth that can be used to verify your
inventory.
An audit needs to be taken annually, and then accordingly you can enhance your
security posture and identify the vulnerabilities among them.
Now, let's take a look at the conclusion.
So for over 30 minutes, I have been discussing ZTA and network segmentation with
you.
These tools are really powerful and complementary security strategies that
enhance protection against modern cyber threats.
By implementing network segmentation, organizations can isolate sensitive areas
while Zero Trust policies continuously verify access, ensuring a more robust
security posture.
And to get started, organizations should conduct a network assessment, apply Zero
Trust principles to critical applications, and continuously monitor and adapt
security measures using AI and behavioral analytics.
I would like to thank you for being with me and patiently listening to the talk.
And again, thank you, signing off.
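As an added example (not part of the talk), here is how the printer-segment anomaly the speaker describes could be checked in code: each VLAN carries an allow-list of peers and ports, and flows that leave that list are flagged. The segment ranges, policy entries and flow records are all constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed segment policy (hypothetical values): each segment lists the
# destination networks and ports its devices may reach.
SEGMENT_POLICY = {
    "printers": [("10.10.5.20/32", {631, 9100}),   # print server (IPP, raw)
                 ("10.10.9.0/24", {161, 514})],    # monitoring (SNMP, syslog)
    "corp":     [("10.0.0.0/8", {53, 443, 445}),   # internal DNS, HTTPS, SMB
                 ("0.0.0.0/0", {80, 443})],        # internet web
}
# Constructed mapping of VLAN address ranges to segment names.
SEGMENTS = {"printers": ip_network("10.10.30.0/24"),
            "corp": ip_network("10.20.0.0/16")}


def segment_of(src):
    """Return the segment name for a source address, or None if unknown."""
    for name, net in SEGMENTS.items():
        if ip_address(src) in net:
            return name
    return None


def allowed(segment, dst, dport):
    """True if the segment policy permits a flow to dst:dport."""
    for net, ports in SEGMENT_POLICY.get(segment, []):
        if ip_address(dst) in ip_network(net) and dport in ports:
            return True
    return False


def check_flows(flows):
    """Return (src, dst, dport, reason) for each flow outside its segment policy."""
    alerts = []
    for src, dst, dport in flows:
        seg = segment_of(src)
        if seg is None:
            alerts.append((src, dst, dport, "source not in any known segment"))
        elif not allowed(seg, dst, dport):
            reason = f"{seg} segment may not reach {dst}:{dport}"
            if dport == 53 and ip_address(dst).is_global:
                reason += " (external DNS from a device segment)"
            alerts.append((src, dst, dport, reason))
    return alerts


# Constructed sample flow records: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.10.30.15", "10.10.5.20", 631),    # printer -> print server: allowed
    ("10.10.30.15", "10.10.9.7", 161),     # printer -> monitoring: allowed
    ("10.10.30.15", "8.8.8.8", 53),        # printer -> external DNS: red flag
    ("10.10.30.15", "203.0.113.9", 443),   # printer -> outside host: red flag
    ("10.20.1.8", "203.0.113.9", 443),     # corp workstation -> web: allowed
]

if __name__ == "__main__":
    for alert in check_flows(SAMPLE_FLOWS):
        print(alert)
```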