
Zero Trust Security in the Modern Workplace - Everything you need to know

Webinar 27th Nov 2019


Webinar Speakers

Sandip Kumar Panda, CEO, Co-founder at InstaSafe

Rasool Irfan, Trusted Cyber Security Adviser


3 key takeaways from today’s webinar

1. Gen Z and Modern Workplace

2. Zero Trust in tomorrow’s business context

3. InstaSafe Zero Trust Security Solutions


Gen Z

• Gen Z, or iGen, or Centennials, have birth years from 1996 to the present

• Gen Z are currently over 23 million in the United States. Within the next five years, they will become the fastest-growing generation in both the workplace and the marketplace

• Gen Z are highly educated, want to make a difference in the world and are more diverse than Millennials

• Gen Z are not at all concerned, or not concerned, that companies will use their personal online data in a way that could harm them

• Gen Z are mobile first, completely immersed and must be able to work anytime, anywhere, and via any device


Modern Workplace Ecosystem

Business Drivers:
• Drive Innovation
• Improve Productivity
• Improve Collaboration
• Enable flexible workforce

Technology:
• Security
• Workplace Automation
• IoT
• Mobility
• Smart Spaces
• UCC

Services:
• Account Management
• Consulting / Strategy
• Application Development
• End User Support
• Service Integrations
• Service Delivery
• Implementation
• Reporting
• Training / Awareness
• Planning / Designing


www.instasafe.com

CHALLENGES WITH TODAY’S LEGACY SOLUTIONS / REMOTE ACCESS

• Untrusted hosts are given access to the secure Intranet

• Stolen passwords used to gain full access to Intranet
  – Fixed to some extent using 2FA

• Client can become a bot in a DDoS attack

• Cannot perform granular control of access – i.e. allow access only on a "need-to-know" basis

• Need to back-haul traffic in a multi-DC or Hybrid setup (Private + Public Cloud)

• Cannot add remote users to AD Domain or push Group Policies

LEGACY SOLUTIONS


Operative definition of ‘Zero Trust Architecture’

Zero Trust Architecture provides a collection of concepts, ideas, and component relationships (architectures) designed to eliminate the uncertainty in enforcing accurate access decisions in information systems and services

[Diagram: Zero Trust Components. Labels: untrusted, trust, Resource (System, data or Application)]


Zero trust in tomorrow’s business context

[Diagram. Recoverable labels: WORKPLACES; FACTORIES; Any Place Any Time; Wired Desktops; Corporate Laptops; Minimal Purchases; PC; Tablets; MacBooks; iPads; Chromebooks; OT Systems; Plants; Manufacturing; 3rd Party owned Devices; Laptops; BYOD; Photocopier; Partner Network; Wireless Access; Critical Systems; Printers / Outsource Mgmt.; Smartphones; Access Points, Smart Systems; Extended Network; ERP, SAP, etc.; SaaS; Email, Office Apps; Storage / Backup; Back office, IAM; IaaS, PaaS; Webservers, DevOps; B2C, APIs; Cloud Services; Internet of Things; 5G; IPv6]


Zero Trust Network Guiding Principles

• Secure communication regardless of network location

• Make applications invisible to attackers

• User authentication is dynamic and strictly enforced

• Per user with per session limited to per app in a micro tunnel

• All data sources and computing services are considered resources

• Systems are maintained and monitored in a more secure state


Zero Trust Components

Control Plane:
• Policy Engine
• Policy Administrator

Data Plane:
• Policy Enforcement Point
• Resource

Other components shown:
• Continuous Diagnostics and Mitigation Systems
• Compliance Systems
• Threat Intelligence
• Certificates & Identity Management Systems
• Data Access Policies
• Security Logging, Audit & Correlation
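
A sketch of the access decision a Policy Engine makes from the inputs named on this slide (identity, device health, threat intelligence, data access policies, audit logging), with the grant scoped to one user, one session and one app. This is an added example, not InstaSafe's code; the app names, roles, re-authentication windows and field names are assumptions.

```python
from dataclasses import dataclass
import time

# Constructed sample policy data (hypothetical names, not from the slides).
DATA_ACCESS_POLICIES = {            # app -> (roles entitled, sensitivity)
    "erp-api": ({"finance"}, "high"),
    "wiki": ({"finance", "contractor", "devops"}, "low"),
}
THREAT_INTEL_BLOCKLIST = {"203.0.113.7"}               # documentation-range IP
MAX_AUTH_AGE_S = {"low": 8 * 3600, "high": 15 * 60}    # assumed re-auth windows
AUDIT_LOG = []                                         # stand-in for security logging

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    mfa_passed: bool
    auth_time: float        # epoch seconds of the last authentication
    device_managed: bool
    device_patched: bool    # result of the device health check
    source_ip: str
    app: str

def decide(req, now=None):
    """Return (allowed, reason) for ONE user, ONE session and ONE app."""
    now = time.time() if now is None else now
    policy = DATA_ACCESS_POLICIES.get(req.app)
    if policy is None:
        verdict = (False, "unknown resource")          # default deny
    else:
        roles, sensitivity = policy
        if req.source_ip in THREAT_INTEL_BLOCKLIST:
            verdict = (False, "source flagged by threat intelligence")
        elif req.role not in roles:
            verdict = (False, "role not entitled to app")
        elif not req.mfa_passed:
            verdict = (False, "MFA required")
        elif now - req.auth_time > MAX_AUTH_AGE_S[sensitivity]:
            verdict = (False, "re-authentication required")
        elif not req.device_patched:
            verdict = (False, "device health check failed")
        elif sensitivity == "high" and not req.device_managed:
            verdict = (False, "unmanaged device on high-sensitivity app")
        else:
            verdict = (True, "grant scoped to this app only")
    # Every decision, allow or deny, is recorded for audit and correlation.
    AUDIT_LOG.append((now, req.user, req.app, *verdict))
    return verdict
```

The same user on the same device can be allowed to one app and denied to another, which is the difference from a VPN login that grants the whole network.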


Framework to adopt Zero Trust in Modern Workplace

Plan

Execute

Define vision and strategy

Design Zero Trust in Modern Workplace

Security service and technology selection

Security management

Continuous improvement


Market Demand for Zero Trust Access

Market Pains:

• Traditional application access solutions (e.g. VPNs) do not meet the needs of modern enterprises:
  – Cloud applications, mobile workforce, 3rd party access

• Attackers targeting access technology vulnerabilities to enter corporate networks

Software Defined Perimeter (SDP):

• Allows secure and flexible access to cloud and on-prem applications

• Leverages the principles of Zero Trust access

• Trust is continuously verified; access is limited

By 2022, 80% of new digital business applications opened up to ecosystem partners will be accessed through zero trust network access (ZTNA).

By 2023, 60% of enterprises will phase out most of their remote access virtual private networks (VPNs) in favor of ZTNA.

By 2023, 40% of enterprises will have adopted ZTNA for other use cases described in this research


InstaSafe Zero Trust Security Solutions


Gartner – Zero Trust Network Access

Zero trust network access replaces traditional technologies, which require companies to extend excessive trust to employees and partners to connect and collaborate. Security and risk management leaders should plan pilot ZTNA projects for employee/partner-facing applications.

“… SDPs will become a mainstream approach of enterprises …”

InstaSafe named by Gartner as a Represented Vendor in Report – Market Guide for Zero Trust Network Access


INSTASAFE SECURE ACCESS

Venture backed | India & USA | 100+ customers, with global footprints | 4 times CIO Choice awardee

“Restricting users only to the resources they need to perform their job” and continuously monitoring their activities.

The True “Zero Trust” Secure Access Solution


We are Trusted by


Existing Approaches—Securing Access to the Cloud

[Diagram labels: DMZ, VPN]

Complex:
• Increased time to market
• Cumbersome and confusing user experience
• Maintain agents / appliances

Insecure:
• Lateral movement around entire network
• Increased network attack surface
• Compliance readiness failure

Expensive:
• High infrastructure and licensing costs
• Duplication required
• High operational costs

VPNs, firewalls, & DMZs—not up to the challenge


Our Approach—Securing Access to the Cloud

Zero Trust-based Secure application access

[Diagram labels: Personal Device, Customer, Partner, Contractor]


How It Works

Zero Trust-based application access

[Diagram labels:]
• ISA Controller
• Users: Employee, Affiliate, Chain Partner, Contractor, B2B Partner, B2C Customer
• Contextual Prevention
• Application Servers
• Deploy Connectors & Connect To Secure Access Cloud
• Authenticate User, Validate Device Health
• Point-to-point Access
• Application Layer
• Monitor & Log Activities

Anyone to anywhere – simple and secure app access

Deploy in Minutes


Cloud Alternative to Traditional Access Methods

[Diagram panel: Traditional DMZ—Connected via the Network. Labels: Internet, Internet/MPLS, Connectivity Direction, Corporate DMZ (Proxy, SSL VPN, Bastion, Jump Host), Applications, Services, Workloads, AWS/Azure/Google/On-Prem]

[Diagram panel: InstaSafe Secure Access—SDP-based Cloud Native Connectivity. Labels: Internet, Internet/MPLS, Connectivity Direction, ISA SDP, Applications, Services, Workloads, AWS/Azure/Google/On-Prem]


Superior Architecture Improves Security

[Diagram labels: HTTPS, HTTPS, TLS Connectivity]

• Indirect HTTPS connections established between users and applications using a reverse proxy

• Authenticated devices never gain direct access to the application server or network

• Removes direct exposure of the application server to OS or SSL/TLS vulnerabilities such as Heartbleed

• Policies can govern specific user actions and prevent data exfiltration

No direct connection to the application

Alternative Approach

• Uses a (VPN-like) endpoint client to connect users to applications through the cloud

• Authenticated users requesting access gain direct layer 4 access to the application server

• Approach exposes applications to network-based attacks, such as exploitation of OS or TLS vulnerabilities, from malicious or infected users

Direct connectivity to the application server and network


Key Enterprise Use Cases

Applying Zero Trust access to secure corporate applications

• Secure access for DevOps
  – Simple and secure access for dev environments

• Secure access to corporate apps migrating to IaaS
  – Reduces complexity while improving security

• Secure access for 3rd party users, M&A, & BYOD
  – Allows modern workforce to work from anywhere


Secure Access to applications hosted in AWS for Remote users

I need to:

• Provide a secure, simple and easy way for my users and contractors to access corporate applications distributed across AWS cloud and on-premises without switching agents.

• Provide application access for BYOD (unmanaged) devices without data leaks.

• Mitigate credential sharing and device switching between users.

• Authenticate users and user devices before they access the application.

• Integrate MFA to satisfy compliance and security needs.

• Support all user devices and operating systems.

• Provide rule- and role-based access.

• Maintain all access logs: which user accessed which application at what time.

• Eliminate complexities in managing secure access.

Provide Zero-Trust access to cloud and on-premises applications while reducing complexity

DevOps


Multi Cloud Peering

[Diagram labels: IaaS, On-Premises]

I need to:

• Provide secure and economical access for workloads distributed across AWS, Azure and GCP.

• Make my applications invisible from the Internet.

• Make these connections live quickly.

• Have proper monitoring for connections and HA in place.

• Mitigate risks of network-based attacks.

Provide Zero-Trust while reducing complexity


Site to Cloud Peering

[Diagram labels: IaaS, On-Premises]

I need to:

• Provide secure and economical access between AWS workloads and on-prem.

• Isolate my ERP (SAP, Oracle..) APIs to a private network so that they can be used only by the web application hosted in AWS.

• Be independent of ISP and public network.

Provide Zero-Trust access to cloud and on-premises


Encrypted Peering

I need to:

• Encrypt the application traffic between my two intra-zone VPCs and inter-cloud VPCs according to compliance requirements.

• Define granular policies and control over application traffic.

• Make my applications invisible from the Internet without exposing applications over a public network.

Provide encryption for compliance & risk management

DevOps


Secure Access for 3rd Parties & BYOD

I need to:

• Support the needs of the modern workforce using BYODs while working from anywhere

• Let 3rd parties access corporate applications without exposing my network

• Account for identity, device posture and sensitivity of resources when providing application access

Securely let 3rd parties (e.g. suppliers and partners) and BYOD devices access corporate applications

Contractor BYOD


Secure Access for DevOps Managing Development and Production Environments

I need to:

• Allow DevOps resources to securely access multiple cloud environments from anywhere

• Dynamically provision and deprovision access to VMs, PaaS and IaaS environments

• Full audit trail over DevOps actions in cloud environments

Give DevOps teams agile access to cloud environments without compromising security

DevOps


Solution: InstaSDP’s Simple, Elastic, Zero Trust based Software Defined Perimeter

Leading Retail conglomerate Digital Transformation Journey

What we did:
• InstaSafe Gateway
• InstaSafe Controller
• InstaSafe User Agent

Problem (each marked X on the slide):
• Complexity
• Increased Attack Surfaces
• Hardware Boxes
• Scalability
• Cost
• Maintenance

Result:
• SaaS Delivered
• Simple Dashboard
• Cost Reduced
• Easily Scalable
• Security Enhanced
• Infrastructure Blackened


InstaSafe compared to Legacy VPN

[Chart. Columns: VPN, InstaSafe SDP. Labels: Zero Day Protection, DDoS Prevention, User Experience, Security, Visibility and Control, Scalability, IT Support, Network Monitoring, Proxy Server, Firewall, Cost]

Up to 70% Cost Reduction in TCO


Experience: Zero Trust @ InstaSafe

Proof of Value Projects:

• DevOps access
  – Development environment
  – RDP or SSH access

• Corporate application access
  – Migration Projects/Apps
  – Hybrid IaaS or on-premises

• BYOD & 3rd party access
  – Select users / vendors
  – Select applications
  – Select devices

One of the top pilots enterprises should budget for in 2019

You will see:

• Simple & Flexible solution

• Ease of deployment/use; no agent required

• Zero-Trust Access to corporate applications

*Zero Trust Is an Initial Step on the Roadmap to CARTA - 12/18

Try Now

End-to-end secure path to cloud migration


Q&A


Thank You
