I traveled to Rennes to attend the European Cyber Week, the European Forum for sovereign Cyberdefence and Cybersecurity.
This forum gathers European military personnel, industries, and academics, around numerous stands, keynotes, sessions on organization and politics of cybersecurity, and two scientific conferences organized by Direction Générale de l’Armement (DGA), the scientific branch of the French Army.
The conference venue
On the paper
In the C&ESAR conference, whose topic this year was Cybersecurity of Smart Peripheral Devices, I presented my work on Federated zero trust architectures, in the context of tactical networks including IoT devices.
This work has been performed in collaboration with my directeur de thèse, Thomas Clausen, and my DGA supervisor, Laurent Cailleux.
It proposes an innovative solution for federating zero trust architectures. Zero trust is a security paradigm for securing organizations, based on the core principle “never trust, always verify”. In zero trust architectures, every access to a resource needs to be explicitly verified: the identity of the requestor, its device, the security posture of its device, and its environment must be compliant with the security policy of the architecture, this policy following least-privilege and need-to-know principles.
In the related work, access control in federations either require implicit trust in other federation domains or in a third party, or require intrusive measures which are not suited for devices with limited capabilities such as IoT devices.
The solution proposed in this paper relies on remote attestation, in order to verify the security posture of core components in federated domains, thus establishing their trustworthiness.
Moreover, a proof-of-concept implementation has been proposed, based on Software-Defined Perimeters, a zero trust architecture suitable for IoT devices and unreliable connectivity.
Illustration of the SDP-based proof-of-concept.
The paper is available here.
CTF Challenge
A Capture The Flag (CTF) challenge was also organized during the conference.
CTF challenges are gamified exercises for ethical hacking and pentesting.
I qualified the online challenge which took place some weeks before the conference, and could thus participate in the finals (in presential), as a member of a mixed team DGA/ComCyber.
Hacking competition.