Software Defined Perimeter - A New Paradigm for Securing Digital Infrastructures/Systems

Page 1

Software Defined Perimeter: Reducing the Attack Surface

GTSC, August 17, 2017

Juanita Koilpillai, Waverley Labs

Page 2

THE STATE OF CYBER SECURITY - STATUS QUO

- Machine-to-machine connections FORCE securing machines
- Access to services is allowed BEFORE authentication
- Firewalls are static: they see ONLY network information

[Diagram: business services sitting behind the IT perimeter]

- Conventional wisdom is just that: conventional

Page 3

SMART COMPANIES ARE SAYING: CYBER SECURITY SOLUTIONS AREN'T GOOD ENOUGH!

- VPNs: don't scale, and once a user is inside the network there is no control over what they can access without additional tools
- Authentication: multi-factor vs. multi-level is hard to implement according to the guidelines; identity management is typically not tied to access control
- Key management: too many keys to manage effectively, i.e. user keys, device keys, encryption keys
- Firewalls: are static, and the more rules that need to be added, the more maintenance they need; logs are hard to analyze in real time; onboarding applications is a long process; services are not exposed to just one user
- Vulnerability/patch management: the number of vulnerabilities is increasing, they are hard to prioritize, and IT is held hostage by old/legacy applications that are hard to upgrade

Page 4

THE DIGITAL THREAT LANDSCAPE

Today, many paths exist to attack enterprises:

- External threats from all over the world
- Insider threats within a user group (role)
- Insider threats across user group boundaries

Page 5

Hackers can’t attack what they can’t see

Page 6

Insiders can’t steal what they can’t see

Page 7

Enter Software Defined Perimeters (SDP)

- Connectivity
  - Based on a need-to-know access model
  - Device posture and identity are verified before access to the application infrastructure is granted
- Application infrastructure
  - Effectively invisible, or "black"
  - No visible DNS information or IP addresses
- Combines security protocols previously not integrated
  - Single Packet Authorization (SPA)
  - Mutual Transport Layer Security (mTLS)
  - Device validation
  - Dynamic firewalls
  - Application binding
- The Cloud Security Alliance adopted SDP for its membership
- Follows NIST guidelines: crypto protocols and securing apps in the cloud

Page 8

SDP Architecture

[Diagram: SDP Controller, SDP Client Device and Protected Hosts, joined by a Control Plane (client to controller) and a Data Plane (client to protected host)]

Firewall perimeter: access in order to authenticate; the firewall has only network information and is static.

Current SDP: authentication before access; the perimeter has user context and is dynamic.

Page 9

SDP Integration

[Diagram: the same SDP Controller, SDP Client Device and Protected Hosts, with Control Plane and Data Plane]

- Firewall/gateway provides network awareness
- Application provides user awareness
- Client provides device awareness

Page 10

SDP cryptographically signs clients into the perimeter

1. Net-facing servers are hidden
2. A legitimate user is given a unique ID
3. The legitimate user sends the token
4. The perimeter checks the token
5. Valid device + valid user = access

[Diagram: SDP Controller, SDP Client Device and Protected Hosts; the Control Plane is labelled "AuthN + Encryption Key", the Data Plane carries the application traffic]

Page 11

Use Case – Anti-DDoS

Today, packet filtering and load distribution techniques affect all good traffic.

With SDP:

- Hosts are hidden
- Clients coordinate with multiple perimeters
- Good packets are known
- Upstream routers are informed about bad packets
- Akamai (content distribution), Avaya (networking hardware), Verizon (network provider), etc.

[Diagram: SDP Client Device, Control Plane (AuthN + Encryption Key), Data Plane]
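The three mechanisms the deck keeps returning to (the Single Packet Authorization component on page 7, the five-step "hidden host, unique ID, token sent, token checked, device + user = access" flow on page 10, and the "good packets known, bad sources reported upstream" idea on this page) can be shown end to end in a few dozen lines. The following is an added illustration written for this page; it is not Waverley Labs' code and not the Cloud Security Alliance reference implementation. Everything specific is assumed: the packet layout (length-prefixed client id, JSON body, HMAC-SHA256 tag), the 30-second packet TTL, the 60-second access window, the per-client shared key that a real SDP controller would provision after mTLS and device-posture checks, and the client, device and address names in the constructed scenario.

```python
import hashlib, hmac, json, os, struct, time

SPA_TTL = 30        # seconds an SPA packet is accepted after its timestamp (assumed)
ACCESS_WINDOW = 60  # seconds an opened (source, port) rule lives (assumed)
TAG_LEN = 32        # HMAC-SHA256 output length


def build_spa(client_id, device_id, key, service_port, now, nonce=None):
    """Client side: one authenticated UDP payload requesting `service_port`.
    Layout: 2-byte id length | client id | JSON body | HMAC-SHA256 tag over all of it."""
    nonce = nonce if nonce is not None else os.urandom(8)
    cid = client_id.encode()
    body = json.dumps({"dev": device_id, "port": service_port, "ts": now,
                       "nonce": nonce.hex()}, sort_keys=True).encode()
    msg = struct.pack("!H", len(cid)) + cid + body
    return msg + hmac.new(key, msg, hashlib.sha256).digest()


class SPAGateway:
    """Perimeter side. Default policy is DROP. A valid SPA packet opens one
    (source IP, port) rule for a short window; nothing is ever sent back."""

    def __init__(self, client_keys, enrolled_devices, now_fn=time.time):
        self.client_keys = client_keys    # client id -> shared key, issued by the controller
        self.enrolled = enrolled_devices  # client id -> set of device ids allowed for that user
        self.seen_nonces = set()          # replay cache of (client id, nonce)
        self.allow = {}                   # (src_ip, port) -> expiry time
        self.rejected = {}                # src_ip -> count of bad packets (feed for upstream)
        self.now = now_fn

    def handle_spa(self, src_ip, packet):
        """Return True only if the packet opened a rule. Failures are silent but counted."""
        if self._verify(src_ip, packet):
            return True
        self.rejected[src_ip] = self.rejected.get(src_ip, 0) + 1
        return False

    def _verify(self, src_ip, packet):
        if len(packet) < 2 + TAG_LEN:
            return False
        (cid_len,) = struct.unpack("!H", packet[:2])
        if len(packet) < 2 + cid_len + TAG_LEN:
            return False
        cid = packet[2:2 + cid_len].decode(errors="replace")
        key = self.client_keys.get(cid)
        if key is None:
            return False                  # unknown client: indistinguishable from noise
        msg, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        if not hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), tag):
            return False                  # authenticate before parsing any of the body
        try:
            body = json.loads(msg[2 + cid_len:])
            dev, port, ts = body["dev"], int(body["port"]), int(body["ts"])
            nonce = str(body["nonce"])
        except (ValueError, KeyError, TypeError):
            return False
        if abs(self.now() - ts) > SPA_TTL:
            return False                  # stale capture or bad clock
        if (cid, nonce) in self.seen_nonces:
            return False                  # replay of a captured packet
        self.seen_nonces.add((cid, nonce))
        if dev not in self.enrolled.get(cid, ()):
            return False                  # right user, unapproved device
        self.allow[(src_ip, port)] = self.now() + ACCESS_WINDOW
        return True

    def permits(self, src_ip, dst_port):
        """Data-plane check: is this (source, port) currently inside the perimeter?"""
        expiry = self.allow.get((src_ip, dst_port))
        if expiry is None:
            return False
        if self.now() > expiry:
            del self.allow[(src_ip, dst_port)]  # window closed: host goes dark again
            return False
        return True


def demo():
    """Constructed scenario (not real traffic): one enrolled user, one attacker, a fake clock."""
    clock = [1_500_000_000]

    def now():
        return clock[0]

    key = b"k" * 32                       # stands in for a controller-provisioned key
    gw = SPAGateway({"alice": key}, {"alice": {"laptop-01"}}, now_fn=now)
    good = build_spa("alice", "laptop-01", key, 443, now(), nonce=b"\x01" * 8)
    r = {"before_spa": gw.permits("10.0.0.5", 443),
         "good_spa": gw.handle_spa("10.0.0.5", good),
         "after_spa": gw.permits("10.0.0.5", 443),
         "other_port": gw.permits("10.0.0.5", 22),
         "replay": gw.handle_spa("10.0.0.9", good),
         "forged_key": gw.handle_spa("10.0.0.9", build_spa("alice", "laptop-01", b"x" * 32, 443, now())),
         "wrong_device": gw.handle_spa("10.0.0.5", build_spa("alice", "usb-stick", key, 443, now())),
         "stale": gw.handle_spa("10.0.0.5", build_spa("alice", "laptop-01", key, 443, now() - SPA_TTL - 1))}
    clock[0] += ACCESS_WINDOW + 1
    r["after_expiry"] = gw.permits("10.0.0.5", 443)
    r["bad_sources"] = sorted(gw.rejected)  # what an upstream filter would be told about
    return r


if __name__ == "__main__":
    print(demo())
```

The points worth noticing are the ones the slides assert in words: before the SPA packet the port answers nothing, a forged or replayed packet opens nothing and gets no reply (so a scanner cannot tell the host from an unused address), a valid user on an unenrolled device is still refused, the rule closes by itself, and the gateway accumulates the source addresses that failed authentication, which is the list an upstream router would be handed. In a deployment the `allow` dictionary would be an insert/delete against the host firewall, and the per-client key would be a session key delivered over the mTLS control plane rather than a constant.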

Page 12

Open Source Community: Software Defined Perimeter

- Coca Cola: removing VPN and 2-factor AuthN has improved user experience
- Coca Cola: users' access limited to a single connection to each authorized application, eliminating malware and information theft
- Coca Cola: removing access to business applications on the internet is reducing attacks
- Mazda: easier to isolate authorized and unauthorized users/devices
- Google: enabled BYOD and reduced the number of company laptops

Page 13

SDP: New model with many benefits

- Wrap applications in a black cloud, inaccessible to the bad guys
- Simplifying what has been a complex landscape
  - Point products go to the background
- Clear vision of the security failure presenting the greatest risk
- Cost effective
  - Over time, eliminate the costs of some point solutions and the headcount to manage them
- Less vulnerable to talent drain
  - SDP is smart
- Lower risk: effort equal to risk
  - Prioritize applications that present the greatest risk
  - Optimized by defining failure scenarios
- Effective assurance for risk insurance

Page 14

Continue the conversation . . .

Juanita Koilpillai
[email protected]
linkedin.com/in/juanita-koilpillai-5551b111

Cybersecurity Assessments | SDP Design & Implementation | Definition of Failure Scenarios