Software Defined Perimeter & PrecisionAccess. Secure. Simple.

Size: px

Start display at page:

Download "Software Defined Perimeter & PrecisionAccess. Secure. Simple."

Ashley Camilla Payne
6 years ago
Views:

1 Software Defined Perimeter & PrecisionAccess Secure. Simple.

Enterprise Perimeter: Then & Now THEN: Fixed Perimeter blocked attackers NOW: Attackers are Inside the Perimeter Corporate employees Corporate employees Proxy, IPS, etc.

2 Enterprise Perimeter: Then & Now THEN: Fixed Perimeter blocked attackers NOW: Attackers are Inside the Perimeter Corporate employees Corporate employees Proxy, IPS, etc. Proxy, IPS, etc. Fixed perimeter protected traditional enterprise and kept the attackers out Sophisticated attacks, like phishing, bring the attackers inside the fixed perimeter Lesson learned: Perimeters can hide critical infrastructure 2

3 The Solution: Shrink the Perimeter ü Shrink perimeter to the server ü Attackers back on the outside Corporate employees ü Unfortunately, so are the users Proxy, IPS, etc. 4

4 Software Defined Perimeter (SDP) ü Separates control path from packet path ü Controller Authenticates & authorizes Devices & users Establishes packet paths ü Packet path provides scalability Proxy, IPS, etc. Client Controller Protected 4

5 SDP/PA: the Advanced Access Control ü Server isolation Defeats server exploitation Controller ü Transparent MFA Defeats credential theft ü End-to-end control Defeats connection hijacking ü -specific access control It s not a VPN Proxy, Proxy IPS, etc. Client Protected ü Multiple use case 4

Cloud Private 2. Internet 3. Cloud Instance Business Enablement 4. Extended Workforce 5. Critical Vendor Access 6.

6 The Multiple Use Cases of PrecisionAccess Traditional Enterprise Extended Enterprise Server Isolation 1. Internal Isolates Internal s from Unauthorized Users Protect Internet s as if they were Internal s Makes the Public Cloud Private 2. Internet 3. Cloud Instance Business Enablement 4. Extended Workforce 5. Critical Vendor Access 6. Distance Workers Unauthorized Unauthorized BYO D Internal Users Contractors, Consultants, SME s Critical Supply Chain Distance Workers 6

Vidder PrecisionAccess for External Access Control 0. One time on-boarding Client root of trust Crypto artifacts & thin client 1.

mtls Client SAML SPA Groups Crypto Auth'r & IP s FP PA Controller PA Gateways Hosting & IaaS 3.

7 Vidder PrecisionAccess for External Access Control 0. One time on-boarding Client root of trust Crypto artifacts & thin client 1. Device Authentication & Authorization SPA: anti DDoS, defeats SSL attacks mtls & fingerprint: anti credential theft Context-based device authorization 2. User Authentication & Authorization Enterprise identity: separation of trust SAML IdP integrated with LDAP groups Gateway Device LDAP mtls Client SAML SPA Groups Crypto Auth'r & IP s FP PA Controller PA Gateways Hosting & IaaS 3. Dynamically Provisioned Connections lications isolated and protected Usability: portal page of applications PA 3. Dynamic Connection 3. Dynamic Connection DMZ & Data Center Server isolations defeats server exploitation Transparent MFA defeats credential theft mtls defeats connection hijacking 7

8 Simple Click & Access for Users (Demo) Vidder 8

Defeating Attacks on the Extended Enterprise Server exploitation Miscon:igurations

Brute force Connection hijacking Man- in- the- Middle Certi:icate forgery DNS

certi:icate authority. The real- word effect of this attack is still unknown.

York Times was unavailable for two days.

9 Defeating Attacks on the Extended Enterprise Server exploitation Miscon:igurations Vulnerabilities Injections Denial of Service Credential theft Phishing Key loggers Brute force Connection hijacking Man- in- the- Middle Certi:icate forgery DNS poisoning : constant attacks 500 digital certi:icates were forged from this Dutch certi:icate authority. The real- word effect of this attack is still unknown. Injection attack on the web admin interface resulted in the public dumping of PII of 60K government workers. Turk Telekom was ordered to hijack Google s DNS servers at IP address by the Turkish government. As a result of a spear phishing attack on Melbourne IT, the website of The New York Times was unavailable for two days. SQL Injection on a public website used to gain access to the database a database of 150K customer password hashes. Heartbleed enabled attackers to VPN into CHS and steal 4.5M patient records. A Russian cyber gang acquired 4.5B stolen credentials, cracked many of the passwords, and posed them online. A phishing attack on an employee of the South Carolina Dept. of Revenue and the resultant credential theft resulted in the loss of 75GB of data. Chinese attackers performed a massive man- in- the- middle attack on U.S. ISP s stealing unknown amounts of s and passwords.

Defeating Attacks on the Extended Enterprise Server Isolation SPA, Dynamic FW

Vulnerabilities Injections Denial of Service Transparent MFA mtls, Fingerprint

Encryption, Pinned Certs, No DNS Connection hijacking: stealthiest Man- in-

10 Defeating Attacks on the Extended Enterprise Server Isolation SPA, Dynamic FW No False Positives Server exploitation: constant attacks Miscon:igurations Vulnerabilities Injections Denial of Service Transparent MFA mtls, Fingerprint Credential theft: ⅔ of Verizon DBIR Phishing Keyloggers Brute force Encryption, Pinned Certs, No DNS Connection hijacking: stealthiest Man- in- the- Middle Certi:icate forgery DNS poisoning User name Password cec9a2187c914df2b3078e320f

11 Which lications Will You Protect?

So.ware Defined Perimeter Internet- scale Security for the Internet2 Community. Junaid Islam Co- Chair SDP Workgroup Cloud Security Alliance

So.ware Defined Perimeter Internet- scale Security for the Internet2 Community Junaid Islam Co- Chair SDP Workgroup Cloud Security Alliance The challenge: How do you secure an open network? 2 Solution