Software Defined Perimeter - A New Paradigm for Securing Digital Infrastructures/ Systems


  • Software Defined Perimeter: Reducing the Attack Surface

    GTSC, August 17, 2017

    Juanita Koilpillai, Waverley Labs

  • THE STATE OF CYBER SECURITY - STATUS QUO

    Machine-to-machine connections FORCE securing machines

    Access to services allowed BEFORE authentication

    Firewalls are static: ONLY network information

    [Diagram: BUSINESS SERVICES sitting behind the IT PERIMETER]

    - Conventional wisdom is just that: conventional

    Waverley Labs

  • SMART COMPANIES ARE SAYING - CYBER SECURITY SOLUTIONS AREN'T GOOD ENOUGH!

    VPNs - don't scale, and once inside the network there is no control over what users can access without additional tools

    Authentication - multi-factor vs. multi-level is hard to implement according to the guidelines; identity management is typically not tied to access control

    Key Management - too many keys to manage effectively, i.e. user keys, device keys, encryption keys

    Firewalls - are static; the more rules that need to be added, the more maintenance they need; logs are hard to analyze in real time; onboarding applications is a long process; services are exposed to more than one user

    Vulnerability/Patch Mgmt - the number of vulnerabilities is increasing, they are hard to prioritize, and IT is held hostage by old/legacy applications that are hard to upgrade

  • THE DIGITAL THREAT LANDSCAPE

    Today, many paths exist to attack enterprises:

    Insider threats within a user group (role)

    External threats from all over the world

    Insider threats across user group boundaries

  • Hackers can't attack what they can't see

  • Insiders can't steal what they can't see

  • Enter Software Defined Perimeter (SDP) Connectivity

    Based on a need-to-know access model: device posture & identity are verified before access to application infrastructure is granted

    Application infrastructure is effectively invisible, or "black": no visible DNS information or IP addresses

    Combines security protocols previously not integrated: Single Packet Authorization (SPA), mutual Transport Layer Security (mTLS), device validation, dynamic firewalls, application binding

    Cloud Security Alliance adopted SDP for its membership; follows NIST guidelines: crypto protocols & securing apps in the cloud

  • SDP Architecture

    [Diagram: SDP Controller, SDP Client Device and Protected Hosts; the Control Plane links the client to the controller, the Data Plane links the client to the protected hosts]

    Conventional firewall: access in order to authenticate; the firewall has only network info, and it is static

    Current SDP: authentication before access; the perimeter has user context, and it is dynamic

  • SDP Integration

    [Diagram: the same SDP Controller / SDP Client Device / Protected Host layout, with Control Plane and Data Plane]

    Firewall/Gateway provides network awareness

    Application provides user awareness

    Client provides device awareness

  • SDP cryptographically signs clients into the perimeter

    1 - Net-facing servers hidden

    2 - Legit user given unique ID

    3 - Legit user sends the token

    4 - Perimeter checks the token

    5 - Valid device + user = access

    [Diagram: SDP Controller, SDP Client Device and Protected Hosts, with Control Plane and Data Plane; the controller provisions the AuthN + encryption key to the client]

  • Use Case: Anti-DDoS

    Today, packet filtering and load distribution techniques affect all good traffic

    With SDP: hosts are hidden; clients coordinate with multiple perimeters; good packets are known; upstream routers are informed about bad packets (Akamai (content distribution), Avaya (networking hardware), Verizon (network provider), etc.)

    [Diagram: SDP Client Device, Control Plane, Data Plane, AuthN + encryption key]
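    The flow on the "cryptographically signs clients into the perimeter" and "Anti-DDoS" slides above, as an added example that is not code from the presentation or from Waverley Labs: the controller onboards a user only after device posture and MFA checks and hands back a unique client ID plus an HMAC key; the client sends one SPA datagram naming the service it wants; the gateway verifies the HMAC, freshness, replay and need-to-know entitlement before emitting a short-lived nftables rule, and silently drops everything else while tallying the sources it would report upstream. The policy fields, ports, JSON packet layout, the nftables table `inet sdp` with its `authorized` set, and the sample addresses are assumptions for illustration, not the CSA SDP specification's wire format.

```python
# Added example (not the presentation's code): SPA + dynamic firewall simulation.
import hashlib
import hmac
import json
import os
import time

SPA_WINDOW_SECONDS = 30        # assumed freshness window for an SPA datagram
RULE_LIFETIME_SECONDS = 30     # assumed lifetime of a dynamic firewall rule


class Controller:
    # Control plane: posture + identity check, then unique ID, HMAC key, entitlements.
    MIN_OS_BUILD = 20170801    # constructed posture policy (YYYYMMDD build)
    ENTITLEMENTS = {"finance": [("erp.internal", 443)],
                    "engineer": [("git.internal", 22), ("ci.internal", 443)]}

    def __init__(self):
        self.sessions = {}     # client_id -> record shared with the gateways

    def onboard(self, user, role, mfa_passed, posture):
        # Device awareness (posture) and user awareness (MFA) are checked first.
        if not posture.get("disk_encrypted") or posture.get("os_build", 0) < self.MIN_OS_BUILD:
            return None
        if not mfa_passed:
            return None
        client_id = os.urandom(8).hex()      # step 2: legit user given unique ID
        key = os.urandom(32)                 # AuthN + encryption key (HMAC key here)
        self.sessions[client_id] = {"user": user, "key": key,
                                    "allowed": set(self.ENTITLEMENTS.get(role, []))}
        return client_id, key


def spa_packet(client_id, key, host, port):
    # Step 3: the client sends one datagram: ID, target, timestamp, nonce, HMAC.
    body = {"id": client_id, "host": host, "port": port,
            "ts": int(time.time()), "nonce": os.urandom(8).hex()}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"|" + tag


class Gateway:
    # Perimeter / data plane: default drop; a rule opens only for a valid SPA.
    def __init__(self, sessions):
        self.sessions = sessions   # session records published by the controller
        self.seen_nonces = set()   # replay protection
        self.rules = []            # nft commands the gateway would execute
        self.bad_sources = {}      # src_ip -> dropped-packet count

    def receive(self, src_ip, datagram):
        try:
            payload, tag = datagram.rsplit(b"|", 1)
            body = json.loads(payload)
            session = self.sessions[body["id"]]
        except (ValueError, KeyError, TypeError):
            return self._drop(src_ip, "unparseable or unknown client")
        expected = hmac.new(session["key"], payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):           # step 4: check the token
            return self._drop(src_ip, "bad hmac")
        if abs(time.time() - body["ts"]) > SPA_WINDOW_SECONDS or body["nonce"] in self.seen_nonces:
            return self._drop(src_ip, "stale or replayed")
        self.seen_nonces.add(body["nonce"])
        if (body["host"], body["port"]) not in session["allowed"]:
            return self._drop(src_ip, "not entitled")            # need-to-know
        # Step 5: valid device + user = access, as a short-lived element in an
        # nftables set keyed by (source address . service port) with a timeout.
        cmd = (f"nft add element inet sdp authorized "
               f"{{ {src_ip} . {body['port']} timeout {RULE_LIFETIME_SECONDS}s }}")
        self.rules.append(cmd)
        return "accept", cmd

    def _drop(self, src_ip, reason):
        # Nothing is sent back, so the protected host stays dark to scanners.
        self.bad_sources[src_ip] = self.bad_sources.get(src_ip, 0) + 1
        return "drop", reason

    def upstream_blocklist(self, threshold=3):
        # Sources the gateway would report to upstream routers/providers.
        return sorted(ip for ip, n in self.bad_sources.items() if n >= threshold)


def demo():
    # Runs the exchange with constructed inputs and returns the outcomes.
    ctrl, results = Controller(), {}
    gw = Gateway(ctrl.sessions)
    posture = {"disk_encrypted": True, "os_build": 20170801}   # constructed
    results["posture_rejected"] = ctrl.onboard(
        "bob", "finance", True, dict(posture, disk_encrypted=False)) is None
    cid, key = ctrl.onboard("alice", "engineer", True, posture)
    good_ip, scanner_ip = "203.0.113.7", "198.51.100.9"          # constructed
    results["entitled"], results["rule"] = gw.receive(good_ip, spa_packet(cid, key, "git.internal", 22))
    results["not_entitled"] = gw.receive(good_ip, spa_packet(cid, key, "erp.internal", 443))[0]
    pkt = spa_packet(cid, key, "ci.internal", 443)
    gw.receive(good_ip, pkt)
    results["replay"] = gw.receive(good_ip, pkt)[0]
    results["tampered"] = gw.receive(scanner_ip, pkt.replace(b'"port": 443', b'"port": 22'))[0]
    for _ in range(2):                  # a scanner probing the dark host
        gw.receive(scanner_ip, b"GET / HTTP/1.0\r\n")
    results["blocklist"] = gw.upstream_blocklist()
    return results
```

    The `nft` command the gateway emits assumes a table `inet sdp` whose input chain has `policy drop`, accepts only the SPA listener's UDP port and `ip saddr . tcp dport @authorized`, and whose `authorized` set is declared `type ipv4_addr . inet_service; flags timeout;` so each opened element expires on its own. Because the gateway never answers a bad datagram, scanners and flood sources see nothing, and the tally behind `upstream_blocklist()` is the information the slide says gets passed to upstream routers.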

  • Open Source Community

    Software Defined Perimeter

    Coca Cola: removing VPN and 2-factor AuthN has improved user experience

    Coca Cola: users' access is limited to a single connection to each authorized application, eliminating malware and information theft

    Coca Cola: removing access to business applications on the internet is reducing attacks

    Mazda: easier to isolate authorized and unauthorized users/devices

    Google: enabled BYOD and reduced the number of company laptops

  • SDP: New model with many benefits

    Wrap applications in a "black cloud" inaccessible to the bad guys

    Simplifying what has been a complex landscape: point products go to the background; clear vision of the security failure presenting the greatest risk

    Cost effective: over time, eliminate the costs of some point solutions and the headcount to manage them; less vulnerable to talent drain

    SDP is smart: lower risk, with effort equal to risk; prioritize the applications that present the greatest risk; optimized by defining failure scenarios

    Effective assurance for risk insurance

  • Continue the conversation . . .

    Juanita Koilpillai
    jkoilpillai@waverleylabs.com
    linkedin.com/in/juanita-koilpillai-5551b111

    Cybersecurity Assessments | SDP Design & Implementation | Definition of Failure Scenarios
