Software Defined Perimeter: Reducing the Attack Surface
GTSC, August 17, 2017
Juanita Koilpillai, Waverley Labs
THE STATE OF CYBER SECURITY - STATUS QUO
Machine to Machine Connections FORCE securing machines
Access to Services allowed BEFORE Authentication
Firewalls are Static ONLY network information
- Conventional wisdom is just that: conventional
SMART COMPANIES ARE SAYING - CYBER SECURITY SOLUTIONS AREN'T GOOD ENOUGH!
VPNs - don't scale, and once inside the network there is no control over what users can access without additional tools.
Authentication - multi-factor vs. multi-level is hard to implement according to the guidelines. ID management is typically not tied to access control.
Key Management - too many keys to manage effectively, i.e. user keys, device keys, encryption keys.
Firewalls - are static; the more rules that are added, the more maintenance they need; logs are hard to analyze in real time; onboarding applications is a long process; services are not just exposed to one user.
Vulnerability/Patch Mgmt - the number of vulnerabilities is increasing, they are hard to prioritize, and IT is held hostage by old/legacy applications that are hard to upgrade.
THE DIGITAL THREAT LANDSCAPE
Today, many paths exist to attack enterprises
Insider threats within a user group (role).
External threats from all over the world.
Insider threats, across user group boundaries.
Hackers can't attack what they can't see
Insiders can't steal what they can't see
Enter Software Defined Perimeters (SDP)
Connectivity
- Based on need-to-know access model
- Device posture & identity verified before access to application infrastructure is granted
Application infrastructure
- Effectively invisible or "black"
- No visible DNS information or IP addresses
Combines security protocols previously not integrated
- Single Packet Authentication
- Mutual Transport Layer Security
- Device Validation
- Dynamic Firewalls
- Application Binding
Cloud Security Alliance adopted SDP for its membership
- Follows NIST guidelines: crypto protocols & securing apps in
SDP cryptographically signs clients into the perimeter
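The authenticate-before-connect model on this slide (Single Packet Authentication feeding a dynamic firewall), sketched as an added example that is not from the original presentation or from any SDP product. The packet layout, the Gateway class and build_packet are constructed for illustration and are not the CSA SDP wire format.

```python
import hashlib
import hmac
import struct
import time

# Constructed packet layout (an assumption, not the CSA SDP wire format):
#   client_id (16 bytes) | timestamp (8) | nonce (16) | service port (2) | HMAC-SHA256 (32)
HEADER = struct.Struct("!16sQ16sH")
MAC_LEN = 32
MAX_SKEW = 30  # seconds a packet stays valid


class Gateway:
    """Default-drop gateway: no allow rule exists until a valid packet arrives."""

    def __init__(self, client_keys):
        self.client_keys = client_keys  # client_id -> per-client secret
        self.seen = set()               # (client_id, nonce) replay cache
        self.allowed = set()            # (source_ip, port) dynamic firewall rules

    def handle_packet(self, source_ip, packet, now=None):
        now = time.time() if now is None else now
        if len(packet) != HEADER.size + MAC_LEN:
            return False                # malformed: drop without any reply
        body, mac = packet[:HEADER.size], packet[HEADER.size:]
        client_id, ts, nonce, port = HEADER.unpack(body)
        key = self.client_keys.get(client_id)
        if key is None:
            return False                # unknown client: drop without any reply
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False                # signature does not verify
        if abs(now - ts) > MAX_SKEW or (client_id, nonce) in self.seen:
            return False                # stale or replayed packet
        self.seen.add((client_id, nonce))
        self.allowed.add((source_ip, port))  # one client, one service
        return True

    def may_connect(self, source_ip, port):
        # Anything without a matching dynamic rule stays dropped.
        return (source_ip, port) in self.allowed


def build_packet(client_id, key, nonce, port, now):
    """Client side: sign the request with the per-client secret."""
    body = HEADER.pack(client_id, int(now), nonce, port)
    return body + hmac.new(key, body, hashlib.sha256).digest()
```

The allow rule is scoped to one source address and one service port, which is what keeps every other service invisible to that client; a production gateway would also expire rules and replay-cache entries.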
Use Case: Anti-DDoS
- Hosts are hidden
- Clients coordinate w/ multiple perimeters
- Good packets known
- Upstream routers informed about bad packets
- Akamai (content distribution)
- Avaya (networking hardware)
- Verizon (network provider) etc.
Open Source Community
- Coca Cola: removing VPN and 2-Factor AuthN has improved user experience
- Coca Cola: Users' access limited to a single connection to each authorized application, eliminating malware and information theft
- Coca Cola: Removing access to business applications on the internet is reducing attacks
- Mazda: easier to isolate authorized and unauthorized users/devices
- Google: Enabled BYOD and reduced the number of company laptops
SDP: New model with many benefits
- Wrap applications in a black cloud inaccessible by the bad guys
Simplifying what has been a complex landscape
- Point products go to background
- Clear vision to the security failure presenting greatest risk
Cost effective
- Over time eliminate costs of some point solutions and the headcount to manage them
- Less vulnerable to talent drain
SDP is smart
- Lower risk: Effort equal to risk
- Prioritize applications that present the greatest risk
- Optimized by defining failure scenarios
- Effective assurance for risk insurance
Continue the conversation . . .