Software Defined Perimeter: Reducing the Attack Surface
GTSC August 17, 2017
Juanita Koilpillai Waverley Labs
THE STATE OF CYBER SECURITY - STATUS QUO
- Machine-to-machine connections force securing machines
- Access to services is allowed before authentication
- Firewalls are static: they see only network information
(Diagram labels: Business Services, IT Perimeter)
- Conventional wisdom is just that: conventional
SMART COMPANIES ARE SAYING - CYBER SECURITY SOLUTIONS AREN’T GOOD ENOUGH!
VPNs - don't scale, and once inside the network there is no control over what users can access without additional tools
Authentication - multi-factor vs. multi-level is hard to implement according to the guidelines; identity management is typically not tied to access control
Key Management - too many keys to manage effectively, i.e. user keys, device keys, encryption keys
Firewalls - are static; the more rules that must be added, the more maintenance they need; logs are hard to analyze in real time; onboarding applications is a long process; services are exposed to more than one user
Vulnerability/Patch Management - the number of vulnerabilities is increasing, they are hard to prioritize, and IT is held hostage by old/legacy applications that are hard to upgrade
THE DIGITAL THREAT LANDSCAPE
Today, many paths exist to attack enterprises:
- Insider threats within a user group (role)
- External threats from all over the world
- Insider threats across user group boundaries
Hackers can't attack what they can't see.
Insiders can't steal what they can't see.
Enter Software Defined Perimeters (SDP)
• Connectivity
  – Based on a need-to-know access model
  – Device posture and identity verified before access to application infrastructure is granted
• Application infrastructure
  – Effectively invisible or "black": no visible DNS information or IP addresses
• Combines security protocols previously not integrated
  – Single Packet Authentication
  – Mutual Transport Layer Security
  – Device Validation
  – Dynamic Firewalls
  – Application Binding
• Cloud Security Alliance adopted SDP for its membership
• Follows NIST guidelines: crypto protocols and securing apps in the cloud
SDP Architecture (diagram: Current SDP)
Components: SDP Controller, Protected Hosts, SDP Client Device; a Control Plane (client to controller) and a Data Plane (client to protected host).
Contrast shown in the diagram:
- Conventional firewall: access in order to authenticate; the firewall has only network info and is static
- SDP: authentication before access; the perimeter has user context and is dynamic
SDP Integration (diagram)
Components: SDP Controller, Protected Hosts, SDP Client Device, Control Plane, Data Plane.
- Firewall/Gateway provides network awareness
- Application provides user awareness
- Client provides device awareness
SDP cryptographically signs clients into the perimeter
1 - Net-facing servers hidden
2 - Legit user given a unique ID
3 - Legit user sends the token
4 - Perimeter checks the token
5 - Valid device + user = access
(Diagram: SDP Controller, Protected Hosts, SDP Client Device, Control Plane, Data Plane; label: AuthN + Encryption Key)
Use Case – Anti-DDoS
(Diagram: SDP Client Device, Control Plane, Data Plane; label: AuthN + Encryption Key)
Today, packet filtering and load distribution techniques affect all good traffic.
With SDP:
• Hosts are hidden
• Clients coordinate with multiple perimeters
• Good packets are known
• Upstream routers are informed about bad packets
• Examples of upstream parties: Akamai (content distribution), Avaya (networking hardware), Verizon (network provider), etc.
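As an added illustration, not code from the deck or from Waverley Labs, the following Python simulates the five-step flow above (hidden host, controller-issued unique ID, single-packet token, perimeter check, dynamic allow rule), the "combines protocols" list (single-packet authentication, device validation, dynamic firewall) and the anti-DDoS posture (default-drop, only known-good packets admitted, repeat offenders collected for upstream routers). The class and function names, the HMAC token format, the 30-second freshness window, the 60-second rule lifetime and the sample addresses are all my assumptions, constructed for this example.

```python
import hashlib
import hmac
import os
import time


class SdpController:
    """Control plane (hypothetical): onboards a user + device, issuing a unique
    client ID and a per-client secret the gateway uses to verify tokens."""

    def __init__(self):
        self.clients = {}  # client_id -> (device_fingerprint, secret)

    def onboard(self, user, device_fingerprint):
        client_id = user + "@" + hashlib.sha256(device_fingerprint.encode()).hexdigest()[:12]
        secret = os.urandom(32)
        self.clients[client_id] = (device_fingerprint, secret)
        return client_id, secret


def build_token(client_id, secret, device_fingerprint, ts, nonce):
    """Client side: the single packet. An HMAC over the whole body binds
    identity, device, timestamp and nonce together (assumed format)."""
    body = "|".join([client_id, device_fingerprint, str(ts), nonce.hex()]).encode()
    tag = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return body + b"|" + tag.encode()


class SdpGateway:
    """Data plane in front of the protected host. Default posture is drop:
    nothing is answered until a valid token has been seen from that source."""

    WINDOW = 30    # seconds a token stays fresh (assumed)
    RULE_TTL = 60  # seconds an opened rule lives (assumed)

    def __init__(self, controller, now=time.time):
        self.controller = controller
        self.now = now
        self.allow = {}        # (src_ip, dst_port) -> expiry time
        self.seen_nonces = set()
        self.bad_sources = {}  # src_ip -> number of rejected packets

    def _reject(self, src_ip):
        # Silent drop: the host stays dark, but the offender is recorded.
        self.bad_sources[src_ip] = self.bad_sources.get(src_ip, 0) + 1
        return False

    def handle_token(self, src_ip, dst_port, packet):
        """Step 4: check the token; step 5: open a rule only for a valid device + user."""
        parts = packet.split(b"|")
        if len(parts) != 5:
            return self._reject(src_ip)
        client_id, fp, ts, nonce_hex, tag = (p.decode(errors="replace") for p in parts)
        entry = self.controller.clients.get(client_id)
        if entry is None:
            return self._reject(src_ip)
        expected_fp, secret = entry
        expected_tag = hmac.new(secret, b"|".join(parts[:4]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_tag, tag) or fp != expected_fp:
            return self._reject(src_ip)
        try:
            age = self.now() - int(ts)
        except ValueError:
            return self._reject(src_ip)
        if abs(age) > self.WINDOW or nonce_hex in self.seen_nonces:
            return self._reject(src_ip)  # stale or replayed token
        self.seen_nonces.add(nonce_hex)
        self.allow[(src_ip, dst_port)] = self.now() + self.RULE_TTL  # dynamic firewall rule
        return True

    def admit(self, src_ip, dst_port):
        """Ordinary data packet: admitted only through a live allow rule."""
        expiry = self.allow.get((src_ip, dst_port))
        if expiry is None or expiry < self.now():
            self.allow.pop((src_ip, dst_port), None)
            return self._reject(src_ip)
        return True

    def upstream_blocklist(self, threshold=3):
        """Sources with repeated rejections, to hand to upstream routers."""
        return sorted(ip for ip, n in self.bad_sources.items() if n >= threshold)


def simulate():
    """Runs the slide's steps plus a small junk flood on constructed sample data;
    a fixed clock keeps the run deterministic."""
    clock = [1_700_000_000]
    ctrl = SdpController()
    gw = SdpGateway(ctrl, now=lambda: clock[0])
    client_id, secret = ctrl.onboard("alice", "laptop-serial-A1B2")         # step 2
    token = build_token(client_id, secret, "laptop-serial-A1B2", clock[0], os.urandom(8))  # step 3
    legit = gw.handle_token("198.51.100.7", 443, token)                    # steps 4-5
    data = gw.admit("198.51.100.7", 443)
    replay = gw.handle_token("198.51.100.7", 443, token)                   # same nonce again
    forged = gw.handle_token("203.0.113.5", 443, token.replace(b"alice", b"mallory"))
    stranger = gw.admit("203.0.113.5", 443)                                # no rule: host stays dark
    for _ in range(5):                                                     # junk flood
        gw.handle_token("192.0.2.99", 443, os.urandom(40))
    clock[0] += 61
    expired = gw.admit("198.51.100.7", 443)                                # rule lifetime passed
    return {"legit": legit, "data": data, "replay": replay, "forged": forged,
            "stranger": stranger, "expired": expired, "blocklist": gw.upstream_blocklist()}


if __name__ == "__main__":
    print(simulate())
```

The point of the simulation is the asymmetry the slides rely on: every path except a fresh, correctly signed token from a known device ends in a silent drop, so the protected host never answers unknown sources, and the gateway's rejection counts are the "bad packets" list that can be passed upstream.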
Open Source Community: Software Defined Perimeter
- Coca Cola: removing VPN and 2-factor AuthN has improved user experience
- Coca Cola: user access limited to a single connection to each authorized application, eliminating malware and information theft
- Coca Cola: removing access to business applications on the internet is reducing attacks
- Mazda: easier to isolate authorized and unauthorized users/devices
- Google: enabled BYOD and reduced the number of company laptops
SDP: New model with many benefits
• Wrap applications in a black cloud, inaccessible to the bad guys
• Simplifying what has been a complex landscape
  – Point products go to the background
• Clear vision of the security failure presenting the greatest risk
• Cost effective
  – Over time, eliminate the costs of some point solutions and the headcount to manage them
• Less vulnerable to talent drain: SDP is smart
• Lower risk: effort equal to risk
  – Prioritize applications that present the greatest risk
  – Optimized by defining failure scenarios
• Effective assurance for risk insurance
Continue the conversation . . .
Juanita Koilpillai [email protected] linkedin.com/in/juanita-koilpillai-5551b111
Cybersecurity Assessments · SDP Design & Implementation · Definition of Failure Scenarios