The Software Defined Perimeter – Creating an Invisible Infrastructure
‘Invisible Infrastructure’ and Access Management Solution for Cloud and Hybrid Environments

The era of strong perimeter defences is now PAST
• Phishing – adversaries within the perimeter
• Assets – migration to the cloud
• Storage – small, high capacity storage
• Traversal – of the boundary by devices

The change is starting now!
“Access depends solely on device and user credentials, regardless of a user’s network location—be it an enterprise location, a home network, or a hotel or coffee shop. All access to enterprise resources is fully authenticated, fully authorized, and fully encrypted based upon device state and user credentials”2 – Google
“Companies such as Coca-Cola Co. and Google Inc. are also moving away from the concept of a security perimeter”1 – Coca Cola
“The idea is to move away from a model where a data center is secured by perimeter devices such as firewalls. Instead, AT&T wants to secure individual applications or databases within the data center using security software.”1 – AT&T
1 Edward Amoroso, senior vice president and chief security officer at AT&T
2 Rory Ward, Betsy Beyer, Google “BeyondCorp” white paper, December 2014

Companies are shopping for new ideas
And there are lots in most shopping baskets:
• De-perimeterisation
• Software Defined Perimeters
• Zero Trust

Idea 1 – De-perimeterisation
The slide may be old, but the direction is still relevant today!
Jericho commandments:
• …protection should be specific and appropriate to the asset at risk.
• Security mechanisms must be pervasive, simple, scalable…
• Assume context at your peril.
But do we want to just de-perimeterise?
• Zero days aren’t going away anytime soon!
[Diagram: Re-perimeterised world … Trust domains … Internet of things … Bring your own … Fully de-perimeterised world]
• Are you compliant with data on an internet facing server?
• Do you allow security software on mission critical servers?
Idea 2 – The Software Defined Perimeter (SDP)
The SDP protocol is designed to provide on-demand, dynamically provisioned perimeter functionality where needed, in order to isolate services from unsecured networks.
SDP – A couple of steps in the right direction
• Splits out the ‘controller’.
• Makes network/servers “dark” until authorised.
• Creates dynamic perimeters around clients/apps/hosts.
SDP – But not the road to the future
• Trusted clients only.
• Mandates “Authenticate first”.
• No real-time controls.
• Vague definition of the new perimeter.
• Skates over the problem of secure connectivity.
• Gateways as an afterthought.

Idea 3 – The Zero Trust Model
Zero Trust Network Architecture Traits
“This approach allows all users to access the network, but not all users to access all data, thus enabling mobility, high availability and the use of cloud infrastructures without compromise to security,” said Kindervag.
• Easily managed and segmented for security and compliance.
• Built with multiple parallelized switching cores.
• Centrally managed from a single console.
Three key tenets of Zero Trust
• Ensure all resources are accessed securely regardless of location.
• Adopt a least privilege strategy and strictly enforce access control.
• Inspect and log all traffic.
How do you get to the nirvana of “Zero Trust”?
Problem! It’s just a model. Where do you start?
• Inside out?
• Devised more as a cure for network ills than as a solution for the cloud.
• How do you utilise the ‘inspect in real-time’ measures?

We have collected the best ideas in our shopping basket
• Least privilege strategy
• Device validation
• Securely access regardless of location
• Re-perimeterise
• Simple, scalable & pervasive security mechanisms
• Inspect/log all traffic
• Dynamic perimeters
• Dark until authorised
• Centrally managed from a single console

Start with the old perimeter
[Diagram: Cloud – Secured Email, Group File Share; Site 1 – Executive Files, Enterprise Finance; Site 2 – Oracle Sales System]
• Separate systems for onsite and cloud.
• Users transiting in/out.
• Dealing with trusted/untrusted devices.
• Multiple passwords / user complexity.
• No unified view of rights.
• No central audit.

Define the new perimeter
[Diagram: Secured Email, Group File Share, Executive Files, Enterprise Finance and Oracle Sales System, each inside its own perimeter]
• Re-perimeterise around the servers/apps/data.
• Centrally managed.
• Dark until authorised.
• Simple, scalable & pervasive security mechanisms.
• Allows systems to be accessed whatever network topology is used.

But managed in a different way
[Diagram: Secured Email, Group File Share, Executive Files, Enterprise Finance, Oracle Sales System]
Let’s just flip from managing the outside to the inside… a software perimeter around users.
• Device validation.
• Use of context.
• Least privilege strategy.
• Dynamic personalised perimeter unique to each and every user.

The single point of power
Central configuration:
• Multiple GWs.
• Multiple log servers.
• Multi-tenancy support.
• Controller is a token issuing service for clients.
• Clients can be trusted (certificate) or untrusted.
• Controller links to multiple identity providers.
• Configures Gateways and sets access entitlement.
• Instances are available as appliance or virtualised.
• Topology to suit cloud, hybrid and network.

A distributed stateless architecture
Bring Your Own Rules [BYOR] firewall!
• Gateway only needs the URL of the controller and to have its Private Key.
• Client only needs to know the URL of the controller.
• Controller: two-stage authentication.
• Session-based/one-to-one access entitlements are generated on request.
• Auto adapt to any infrastructure changes.
• Filters for Entitlements.
• Conditions for Actions (BYOR).

Real-time contextual controls
• Conditions are checked at action time.
• Conditions are re-evaluated continuously as defined in the policy.
• Access is granted dynamically based on contextual criteria – user, location, configuration…
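The controller/gateway model and the real-time contextual controls just described, as an added example that is not Cryptzone/AppGate code: the controller issues a signed, session-scoped entitlement list after two-stage authentication (user identity plus device validation); the gateway answers nothing to anyone without a valid token and re-evaluates the BYOR conditions on live context (location, device posture, alerts) at each action. All roles, resource names, conditions and the signing key are constructed placeholders.

```python
"""Toy model of the SDP controller/gateway split: the controller issues a signed,
session-scoped entitlement list after two-stage authentication (user + device); the
gateway stays dark without a valid token and re-checks BYOR conditions on live context
at every action. Constructed example, not AppGate code."""
import hashlib, hmac, json, time

SECRET = b"controller-demo-key"   # constructed; a real controller uses a managed key
# Entitlement filters: which resources a role may see at all (everything else stays dark).
ENTITLEMENTS = {"finance": ["finance.internal"],
                "exec": ["finance.internal", "exec-files"]}
# BYOR conditions: evaluated on the live context at action time, not once at login.
CONDITIONS = {
    "finance.internal": lambda c: c["device_trusted"] and c["location"] in ("office", "vpn"),
    "exec-files": lambda c: c["device_trusted"] and c["location"] == "office" and not c["alerts"],
}

def issue_token(user, role, device_trusted, ttl=300, now=None):
    """Controller: stage 1 = user identity (role from the IdP), stage 2 = device validation.
    Returns a signed entitlement token, or None so an untrusted device gets nothing."""
    if not device_trusted:
        return None
    claims = {"sub": user, "role": role, "ent": ENTITLEMENTS.get(role, []),
              "exp": (now if now is not None else time.time()) + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    return body + b"." + hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()

def gateway_decide(token, resource, ctx, now=None):
    """Gateway: verify the token, apply the entitlement filter, then re-check the condition."""
    if token is None:
        return "dark"                      # no token: the gateway does not respond at all
    body, _, sig = token.rpartition(b".")  # sig is hex, so the last '.' is the separator
    expected = hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig, expected):
        return "dark"                      # tampered or forged token: still dark
    claims = json.loads(body)
    if (now if now is not None else time.time()) > claims["exp"]:
        return "expired"
    if resource not in claims["ent"]:
        return "dark"                      # not entitled: the resource is invisible
    return "allow" if CONDITIONS[resource](ctx) else "deny"

def run_session(token, resource, ctx_stream, now=None):
    """Continuous verification: re-decide per context update; tear down at first non-allow."""
    decisions = []
    for ctx in ctx_stream:
        decisions.append(gateway_decide(token, resource, ctx, now))
        if decisions[-1] != "allow":
            break                          # remedy action: the session ends here
    return decisions
```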
Alerts set context related to the user
• Checks performed on the PC set context.
• Continuous verification.
• Remedy actions.
• Real time alerts that set context.
• Access conditions respond to what users are actually doing.

AppGate Secure Access
[Diagram: Controller with ADFS; Gateway and Virtualised Gateways on Trusted Private Networks in front of Enterprise Finance, Group File Share (\\EXEC_SERVER), Executive Files, Secured Email, SharePoint and Oracle Sales System; Office Network]
• No expensive fixed site to site connections.
• Access infrastructure deployed at the press of a button.
• No single gateway causing unnecessary bottlenecks.
• Access policies based on the user’s context.

Defending the perimeter beyond the network
• Cloud-based controller(s) that set access policy.
• Clients for all major OSs (Win, Linux and OSX).
• Virtualized appliances for IaaS environments.
• Physical appliances with purpose selection – Controller/GW/Logserver.
• Stateless model supports simple failover, upsizing and new deployments.

Flip the security paradigm on its head
• The notion of the defensible network protected by static firewall rules is outdated.
• Make your infrastructure invisible (to everything including APTs).
• Use real time dynamic access controls.
• Users and devices are the new perimeter.

The Software Defined Perimeter – Creating an Invisible Infrastructure
Jamie Bodley-Scott
[email protected]
www.cryptzone.com