Securing the Perimeter of One
Fernando Serto, Head of Security Technology and Strategy, APAC

Securing the Perimeter of One - Akamai...Application Security DDoS Mitigation API Management Enterprise Security Customizable, advanced app rules and API protection Managed protection


Page 1

Securing the Perimeter of One

Fernando Serto
Head of Security Technology and Strategy, APAC

Page 2

Adapting Security to Your Digital Landscape

Mobile

Cloud

Ecosystems

Page 3

Digital Transformation and Your Attack Surface

New business initiative

New business process

New attack surface

Page 4

Your Evolving Attack Surface

People & Things

Complex Infrastructure

IaaS & SaaS

Apps & APIs

Digital Ecosystems

Page 5

Diagram: two panels, each showing App #1, App #2 and App #3, captioned "There is no inside..." and "Inside = trusted"

Secure Access in a Cloud Era

Page 6

“Initial one-time block/allow security assessments for access and protection are flawed, leaving the enterprise open to zero-day and targeted attacks, credential theft, and insider threats.”

Excerpt from Gartner’s Use a CARTA Strategic Approach to Embrace Digital Business Opportunities in an Era of Advanced Threats

Page 7

Key Principles of CARTA

• The network is always assumed to be hostile.

• External and internal threats exist on the network at all times.

• Network locality is not sufficient for deciding trust in a network.

• Every device, user, and network flow is authenticated and authorized.

• Policies must be dynamic and calculated from as many sources of data as possible.

Page 8

API request constraints

Biometrics

Passive bot detection

API key

Request syntax

Reputation

Classification of content

Geo

Time of day

Authentication state

Presence/validity of client cert

Malware C&C traffic

Device posture

Unsanctioned cloud storage usage

VISIBILITY & ADAPTIVE POLICY APPLICATION

Identity

Dynamic Threats Demand Context-Aware Defense

Page 9

Source: https://community.akamai.com/community/cloud-security/blog/2018/04/19/drupalgeddon2-exploitation-overview-one-week-after-poc-code-released

6000 Akamai customer domains were probed in the first week

57% of Fortune Global 100 downloaded vulnerable versions of Struts after the CVE was announced

Apps, APIs Often Source of CVEs

Page 10

CVEs Impact Everyone, But How Quickly Can You Fix It?

Page 11

Legacy Architectures Can Increase Risk

Diagram labels: User, Client, Firewall, App 1, App 2, App 3, Application Access Control, Global LB, DDoS, FW/IPS, RAS/VPN, WAN Opt, Internal LB, MFA, DMZ

Page 12

Diagram labels: User, Client; Datacenter and AWS/Azure, each shown with Firewall, App 1, App 2, App 3, Application Access Control, Global LB, DDoS, FW/IPS, RAS/VPN, WAN Opt, Internal LB, MFA, DMZ

High Cost

Buy, Deploy, Manage

User Experience

Slow – depends on location of apps, users accessing from various locations and number of VPN gateways

Inconsistent – Different on-prem and off-net experience

Complexity

Many DMZs, Site-to-Site VPNs

Remote Access VPNs Add Complexity for Hybrid Environments

Page 13

Perimeter of one

Page 14

Laptop

Micro Perimeter

Apps

Akamai

Simplifying Application Access Through an Identity Aware Proxy

Page 15

Diagram labels: SaaS, AD/LDAP, On-prem, IaaS, TLS, mTLS, SAML, App #1, App #2, App #3

Identity & Access

SSO & MFA

App Security

App Delivery & Acceleration

Centralize security & access controls
For specific apps across I/SaaS and on-prem

Multi-factor auth for enterprise apps
Supports email, SMS, TOTP or Duo

Single sign-on for all enterprise apps
Across I/SaaS and on-prem

Keep users off the corporate network
Make your infrastructure invisible on the Internet

Shift From Network to Simple and Secure Application Access

Page 16

SIMDA Botnet
Family of backdoors capable of stealing information such as user names, passwords, and certificates. It also executes backdoor commands, compromising the security of the infected systems

Cryptojacking
High risk to system availability and potential risk to system confidentiality due to malicious cryptocurrency mining

Multinational media conglomerate with interests primarily in film and television struggles under deluge of advanced threats and associated alerts and mitigation workflows

Targeted Attacks Are Increasing and Becoming More Sophisticated

Page 17

Disrupt communications from compromised devices
Severs existing connections from infected devices to malicious actors’ command & control infrastructure

Prevent DNS-based data exfiltration
Stops malicious actors from using the DNS protocol to extract enterprise data

Diagram labels: WWW, DNS, Threats, C&C, AUP

Recursive DNS

Cloud Security Intelligence

AUP Enforcement

Zero Day Malware

Phishing

Identify and block access to malicious domains - everywhere
Refuse requests to or communication with malicious domains known to host sites used to deliver malware or for phishing

Prevent access to inappropriate content
Easily enforce an enterprise’s acceptable Internet usage policy effectively and consistently

Mitigate Targeted Attacks With Recursive DNS & Threat Intelligence

Page 18

Grow revenue opportunities with fast, personalized web experiences and manage complexity from peak demand, mobile devices and data collection.

Bottom line: security perimeters belong in the past

Page 19

Bot Management

Application Security

DDoS Mitigation

API Management

Enterprise Security

Customizable, advanced app rules and API protection

Managed protection against the largest DDoS attacks

Machine learning to mitigate credential abuse & account takeover

Manage access, authentication and rate controls for APIs

Machine learning service to adaptively manage traffic

Malware protection using recursive DNS & Cloud Security Intelligence

Simple, unified & secure enterprise application access

Scalable authoritative DNS service with DDoS protection

Automated, blanket protection for web applications

Manage automated visitor traffic to protect revenue

Adaptive Threat Protection as a Service (ATPaaS?)

Page 20

No Inside

No VPN

No Passwords

Every app seems like SaaS

Every office is a hotspot

WE DRINK OUR OWN CHAMPAGNE

Page 21

1. Conduct a Threat Check to determine exposure of devices to malware/phishing

2. Consider a Zero Trust Architecture Assessment to develop a comprehensive plan to migrate from your current architecture to your goal Zero Trust architecture
   a. Profile users and apps
   b. Develop a customized phasing plan

3. Stop accumulating technical debt by publishing new apps based on Zero Trust

4. Begin migration of your Web apps, since they are easy to move to Zero Trust

5. Once you’ve addressed low hanging fruit with new apps and web apps, work to migrate legacy apps to Zero Trust based on the Zero Trust Architecture Assessment plan you developed earlier

6. Work to decommission legacy access, including VPN and privileged corporate WiFi/Ethernet segments

Best Practices to Start Your Journey

Page 22

Exclusive Offer to Gartner Attendees

Come to our booth and sign up for a 30 day Free Trial

Page 23

@fserto

[email protected]

linkedin.com/in/fserto/

Thank You!