The video on-demand of this session is available to logged in QCon attendees only. Please login to your QCon account to watch the session.

Session + Live Q&A

"Trust me, I'm an insider" - Diving into Zero Trust Security

In 2020, hackers got around by making about 4.2 Billion Dollars majorly from Phishing scams.

The current scenario of Network Security highly depends on the assumption that if a client has a set of “good” credentials, they can be trusted with access to all or at least some confidential resources of the network.

Back to reality – with an exponential data usage nowadays, there is a definite increase in the degree of data breach in an organization. So, with the conventional checks, any “authenticated” client, making a connection from “outside” or “inside” can access this data and possibly exploit it. Most of the time, unknowingly.

Having just a single security layer solution like VPNs or 1st Gen Firewalls but still relying on the good old dictionary credentials for SSH is evidently not good enough.

The Zero Trust approach involves a combination of securer authentication approaches such as MFA with profiling and posturing of the client device along with some stronger encryption checks.  

Only after complete holistic verification of the entity, “thou shall pass!”.

So how does it do a better job? How scalable is it? And why trust the “Zero Trust”?

Main Takeaways

1 Hear about zero trust, what it is, how it helps in network security.

2 Learn about building a network with zero trust, how to integrate VPN connections, how to deal with malicious traffic.

What is the work that you're doing today in your day-to-day job?

Deepank: We're working as network security engineers at Cisco. Our job roles are very related to each other. I work in AAA technology and solutions, which involves engaging with customers who are often network engineers themselves and bring very specific issues that are encountered in their live network environments. I’ve been addressing customers’ issues in various AAA verticals such as - Deployment, RADIUS/TACACS Authentication, Authorization and Accounting, Profiling, Posture, BYOD and MFA etc. Overall, it's an adventurous job. In one case, you might be solving a query and in the next one, you may be working against the clock to solve a network outage. So we get to have both ends of the spectrum.

Sindhuja: In addition to that, we work with customers with their security deployments. I specifically work with VPN, cryptography, and Public Key Exchange, so handling VPN is my core job, but I do work with firewalls and IAM servers for secure management as well. So our job role is totally the code of zero trust. We work on its principles and help customers implement zero trust values such as performing Multi-Factor Authentication, working on privilege accesses, how encryption schemes, identity and access management etc play an important role in Zero Trust and moreover, how customers can implement it.

What are your goals for this talk? What do you want the audience to walk away with from your talk?

Sindhuja: I think we just want them to be more security aware than they were before the talk, that's our primary goal. So we will be speaking on what's currently not so good about the security standards inside an organization or the software developers that work with sandboxing, access control etc. And then we begin to explain why that doesn't work, and what and how can this be better with zero trust. And they can walk away with things like what they can do to make their security infrastructure better. They can learn about what they should do at each level of organization, how they can incorporate zero trust values within their organizations and within their teams. It could be as simple as changing their passwords more frequently or as complex as redesigning their network to include security best practises, orchestration, automation, threat hunting etc so that they can eliminate any attacks that they might encounter because of their current security infrastructure.

Your talk title mentions zero trust security. Can you give us a quick overview of what zero trust means and specifically is it multifactor? Is it getting rid of VPNs?

Deepank: Zero Trust is about addressing the concerns we’ve had with the traditional style of security. Through this talk, we want to show how Zero trust security juxtaposes our seemingly outdated security practices which are still implemented to a great extent. Our traditional idea of security is that we assume a perimeter around the organization network outside of which everything is untrusted, and inside are all good devices that are automatically granted access. We assume that some request originating from within the enterprise perimeter has to belong to one of our trusted corporate devices, so they are a trusted user. Hence we give them the best possible access as we do for any internal corporate user or device. But due to a vast number of cyberattack incidents that were reported to have originated from a malicious source within the organization, Zero trust attempts to update this notion of security. It sets an even ground where everyone has the default low/zero level of access no matter where they’re coming from, and they have to prove their identity through the same amount of grilling before they can get network access. It doesn't matter where the traffic originates from - be it an inside user, outside user, VPN user, or a BYOD visiting user, they all have to go to the same set of policy sets and condition checks that are imposed by the network administrator. Only after a thorough assessment of their identity, do we allow/deny them any sort of access. That's what zero trust does, it puts us all in the same field, and every device starts from zero and gains trust as it passes the checks.

Sindhuja: To sum it up, zero trust is “never trust, always verify”. Either it's a resource like a docker application, a webpage or an endpoint, or even a user. 

Some basic values we can say about zero trust is that always verify the endpoints, grill them. If they are indeed verified, don't give them any kind of default privileges. So, rather deny access by default than allowing the endpoints any unmonitored level of access. The most important one is to monitor them throughout their connection attempts. So basically, do threat defense, see where the traffic is coming from, where is it headed? Do they have any malicious traffic that they're trying to infect the network with? If there is any malicious activity going on, detect and take action immediately instead of waiting for the endpoints to get disconnected or something worse to happen, so, do minimize lateral movement of attacks. That's what zero trust is looking for. 

And when it comes to the VPN part, I do cover that part in my talk where I say there are a couple of myths with VPN, but zero trust doesn't have any core values of encryption or ciphers or cryptography on its own. It rather depends on the services and products being used to implement encryption schemes for networks to incorporate Zero Trust. One such solution happens to be VPN. So with that, to always think that networks are always on public platforms, whether or not they actually are, that is, to think they're always vulnerable, is when you can incorporate encryption, integrity, authentication, stuff like that. And that makes them less vulnerable to attacks. We also call this something called CIA, Confidentiality, Integrity, and Availability. Because of public-key cryptography, everything comes with VPN and not intuitively with zero trust.  VPN also doesn’t talk about giving full access by default which is another misconception. So in case someone is trying to build zero trust, they don't have to eliminate VPNs. They can leverage Zero Trust and build over existing VPNs, for example, for your remote users when you're working from home, and you have important resources that you're trying to access, say, your accounts data which is highly confidential, or if you're a government organization, military organization, you don't want your resources to be public. For that, you do need a VPN to be established and VPNs don't always mean you are connecting from outside. That's another myth, what it means is two parties are talking to each other with some encryption scheme, and that's what VPN does. And it has a lot to do with services and capabilities that come with different products. So you can have a hybrid culture, you can have remote access, and you can still have zero trust values within. So, it just enhances Zero Trust.


Sindhuja Rao

Network Security Engineer @Cisco

Sindhuja Rao is a Network Security Engineer at Cisco specializing in network security solutions like VPNs, Firewalls, IAM etc. She is a Cisco Security Interstellar Pioneer. She also represents the Cisco Women in CyberSecurity India team. She has delivered Security talks on latest tech trends like...

Read more
Find Sindhuja Rao at:


Deepank Dixit

Technical Consulting Engineer @Cisco

Deepank Dixit works as Technical Consulting Engineer in Security AAA. He helps customers with issues pertaining to the deployment and management of their security IAM solutions. His day-today responsibility is identifying issues in a live network, isolating the root cause and providing...

Read more
Find Deepank Dixit at:


Tuesday Nov 2 / 02:10PM EDT (40 minutes)


Security: Establishing & Maintaining Customer Trust


SecurityApplication SecurityAuthenticationAuthorizationOAuth

Add to Calendar

Add to calendar


From the same track

Session + Live Q&A Security

Authorization at Netflix Scale

Tuesday Nov 2 / 12:10PM EDT

How do you centralize authorization in the critical path of a multi-million RPS online service?  How does centralizing authorization enable product flexibility?   How do you make such a system fault-tolerant?  We will answer these questions and more in this session. At...

Travis Nelson

Senior Software Engineer @Netflix

Session + Live Q&A Security

Building Trust & Confidence with Security Chaos Engineering

Tuesday Nov 2 / 01:10PM EDT

Complex adaptive systems are dynamic, self-evolving, non-linear, emergent, and most of all unpredictable. Delivering secure and reliable software will continue to become exponentially more difficult unless we start approaching this new problem frontier differently.    Security Chaos...

Aaron Rinehart



Perspectives on Trust in Security & Privacy

Tuesday Nov 2 / 03:10PM EDT

Continuing the track trend around trust, the security panel discusses we can balance the adjustment of our security posture and our user experience. What is the right balance between security and usability? How do we build systems that scale, that gives the right amount of security and control to...

Clint Gibler

Head of Security Research @r2cdev

Stephanie Olsen

Customer Trust, Abuse & Fraud @Netflix

Cassie Clark

Security Awareness Lead Engineer @brexHQ

Ellen Nadeau

Privacy Analysis Engineer @Cruise

View full Schedule