www.cloudsecurityalliance.org Building Secure Global Networks in the Age of Technology Consumerization


Page 1

www.cloudsecurityalliance.org Copyright © 2014 Cloud Security Alliance

Building Secure Global Networks in the Age of Technology Consumerization

Page 2


Agenda

Alan Boehme

Chief of Enterprise Architecture for The Coca-Cola Company

Junaid Islam

CTO, Vidder

Page 3

Page 4


Once upon a time things were simple

Diagram labels: PC, Mac, Employees, Servers, VPN, Firewall, Sales Guy, Perimeter

Page 5


Mobility, clouds & outsourcing changed everything

Diagram labels: PC, Mac, Servers, Perimeter, Clouds, Mobile, Contractors, Partner, Sales Guy

Controls shown around the perimeter: Access Audit Logging, Configuration Compliance, Intrusion Detection, Network Firewall, VPN, Access Control, Intrusion Prevention, DDoS Prevention, Web Proxy Server, URL Content Monitoring, Web Access Scanning, VPN Firewall, Mobile Device Management

Page 6


SDP provides a solution for the open enterprise

Diagram labels: PC, Mac, Employees, Servers, Sales Guy, Perimeter, Mobile, Contractors, Partner, Clouds

Page 7


SDP: elastic, encrypted containers

Diagram labels: Personal Devices, App Infrastructure, Physical/Virtual Infrastructure, Internet of Things, Software Defined Perimeter

• Identity-based access
• Any device to any infrastructure
• Strong cryptographic attestation
• Complementary to SDN
• Leverages cloud strengths

Page 8


What's different?

• Standardization of the "need-to-know" access model: deployed with DoD for many years but rarely seen in the commercial world
• Integrates the latest ideas from NIST & other experts: Mutual TLS, DHE, device attestation, identity-based access
• Public domain project: integrates existing standards & best practices into an industry standard

Page 9


SDP Applications

Enterprise Application Isolation

Private Cloud and Hybrid Cloud

Software as a Service

Infrastructure as a Service

Platform as a Service

Cloud-Based VDI

Internet-of-Things

Page 10


SDP Standard Model

Diagram: Initiating Host, SDP Controller, Accepting Host, Data

Page 11


Basic Workflow

Diagram: SDP Controller and IdP/AD, with each hop carried over Mutual TLS

1. API to Request Access
2. API to Verify Identity
3. API to Provision Access

Page 12

. . . a bit more detail

Diagram labels: IdP/AD, Location Service, Fingerprint Service, PKI, Software Attestation, SDP Controller, Trusted App, Mutual TLS, access control, data

Security Controls: Single Packet Authentication, PKI / Key Verification, Dynamic Firewall, DHE Mutual TLS, Device Fingerprint, Software Verification, Geo Location, Application Whitelisting, Identity Verification, Group Policy, Whitelisted Services
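The three-step Basic Workflow (request access, verify identity, provision access) together with several of the controls listed on this slide (single packet authentication, dynamic firewall, device fingerprint, identity verification, group policy) can be modelled end to end in a few dozen lines. The Python program below is an added example written for this page; it is not code from the Cloud Security Alliance, Vidder, or any SDP specification. The SPA packet layout, the HMAC-SHA256 construction with a timestamp window and nonce set, the identity-provider table, the trusted-device registry, the group policy and the 300-second entitlement TTL are all constructed assumptions; mutual TLS is represented only by the certificate subject the controller would take from a completed handshake.

```python
# Toy model of the SDP basic workflow: request access, verify identity, provision access.
# Added example for this page; every table and the packet format below are constructed.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample data (assumptions, not taken from the slides).
TRUSTED_DEVICES = {"fp-laptop-01": "alice"}        # device fingerprint -> enrolled owner
IDP_USERS = {"alice": {"sales"}, "bob": {"eng"}}    # stands in for the IdP/AD lookup
GROUP_POLICY = {                                   # group -> entitled (host, service) pairs
    "sales": {("crm-host", "crm:443")},
    "eng": {("build-host", "ssh:22")},
}
ACCESS_TTL = 300  # seconds an entitlement stays provisioned on the accepting host
SPA_WINDOW = 30   # seconds of clock skew tolerated for a single-packet authentication packet


def spa_tag(key: bytes, body: str) -> str:
    """HMAC-SHA256 over the packet body; the shared key is provisioned out of band."""
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def build_spa_packet(key: bytes, client_id: str, service: str, now: int) -> str:
    """Client side: one authenticated packet naming who is knocking and for which service."""
    body = f"{client_id}|{service}|{now}|{secrets.token_hex(8)}"
    return f"{body}|{spa_tag(key, body)}"


@dataclass
class AcceptingHost:
    """Default-deny host: nothing is reachable until the controller provisions it."""
    name: str
    spa_key: bytes
    allowed: dict = field(default_factory=dict)    # (client_id, service) -> expiry time
    seen_nonces: set = field(default_factory=set)  # replay protection for SPA packets

    def provision(self, client_id: str, service: str, now: int) -> None:
        """Dynamic firewall rule inserted by the controller (step 3), with a TTL."""
        self.allowed[(client_id, service)] = now + ACCESS_TTL

    def check_spa(self, packet: str, now: int) -> bool:
        """Verify the HMAC first, then freshness, then that the nonce has not been seen."""
        try:
            client_id, service, ts, nonce, tag = packet.split("|")
            ts = int(ts)
        except ValueError:
            return False
        body = f"{client_id}|{service}|{ts}|{nonce}"
        if not hmac.compare_digest(tag, spa_tag(self.spa_key, body)):
            return False
        if abs(now - ts) > SPA_WINDOW or nonce in self.seen_nonces:
            return False  # stale or replayed packet
        self.seen_nonces.add(nonce)
        return True

    def accept(self, packet: str, now: int) -> bool:
        """Open the service only if the SPA packet verifies and an unexpired entitlement exists."""
        if not self.check_spa(packet, now):
            return False
        client_id, service = packet.split("|")[:2]
        expiry = self.allowed.get((client_id, service))
        return expiry is not None and now <= expiry


class SDPController:
    def __init__(self, hosts):
        self.hosts = {h.name: h for h in hosts}

    def request_access(self, cert_subject: str, device_fingerprint: str, now: int) -> list:
        """Steps 1-3 of the Basic Workflow slide; returns the provisioned (host, service) pairs."""
        # Step 1: the request arrived over mutual TLS; identity is the client certificate subject.
        user = cert_subject
        # Step 2: verify the identity with the IdP and check the device attestation.
        groups = IDP_USERS.get(user)
        if groups is None or TRUSTED_DEVICES.get(device_fingerprint) != user:
            return []
        # Step 3: provision access on every accepting host the user's groups entitle.
        granted = []
        for group in groups:
            for host_name, service in GROUP_POLICY.get(group, ()):
                self.hosts[host_name].provision(user, service, now)
                granted.append((host_name, service))
        return sorted(granted)


def run_scenario(now: int = 1_700_000_000) -> dict:
    """Walk the workflow and record what the accepting host decides at each stage."""
    key = b"constructed-shared-spa-key"
    crm, build = AcceptingHost("crm-host", key), AcceptingHost("build-host", key)
    ctl = SDPController([crm, build])
    results = {}
    # A valid knock before provisioning is still refused: default deny.
    results["before_provision"] = crm.accept(build_spa_packet(key, "alice", "crm:443", now), now)
    results["alice_grant"] = ctl.request_access("alice", "fp-laptop-01", now)
    results["bob_wrong_device"] = ctl.request_access("bob", "fp-laptop-01", now)
    packet = build_spa_packet(key, "alice", "crm:443", now)
    results["after_provision"] = crm.accept(packet, now)
    results["replay"] = crm.accept(packet, now)                              # same nonce again
    results["tampered"] = crm.accept(packet.replace("crm:443", "ssh:22"), now)  # HMAC fails
    late = now + ACCESS_TTL + 1
    results["expired"] = crm.accept(build_spa_packet(key, "alice", "crm:443", late), late)
    return results
```

Running `run_scenario()` shows the defender-side properties the slide claims: the accepting host answers nothing until the controller has verified identity and device and pushed a rule, a user on an unenrolled device gets no entitlement at all, and a correct knock is refused again once its nonce has been seen, its body altered, or its entitlement aged out.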

Page 13


What SDP Delivers . . .a lot!

APT / Malware: Scan the network, Pass-the-hash, Pass-the-ticket, Password cracking, OS & application exploits, SQLi and injection attacks, Cross Site Scripting (XSS), Directory traversal, Attack the backup servers

SQL / Server: Protocol Injection, Session Hijack, Cross Site Scripting, Object Reference, Misconfiguration, Clear Text, Function Reference, Cross Site Forgery, Component Exploits, URL Re-direction

Denial of Service: Application Exploits, Resource exhaustion, Bandwidth consumption

Man-in-the-Middle: Wi-Fi Hot Spot, Fake Site, ARP Spoofing, DHCP Starvation, MAC Table Flood, SPAN Port

Page 14


SDP Hackathon

Test of the SDP security model

"Inside attack" scenario

Open to the public: Win a trip to Def Con!

SDP Workshop following the Summit today: 2pm at Moscone West Room 2008

Page 15

Page 16


Thank you for attending! Your mission is below:

SDP Workshop 2pm TODAY at Moscone West, Room 2008

SDP Hackathon, www.HackSDP.com

Visit CSA at our booth 2433 (South Hall – where the cool kids hang out)

Next global event is SecureCloud, Amsterdam (Colorado with canals and better food), April 1-2 https://cloudsecurityalliance.org/events/securecloud2014/

CSA Congress US, Sept 19-21, San Jose, CA https://cloudsecurityalliance.org/events/csa-congress-iapp-privacy-academy-2014/

Take a selfie at an RSA party and tweet it to @cloudsa