F5 BIG-IP Access Policy Manager (APM)
PRESENTER NAME, TITLE
DATE
| ©2020 F5
​ 2
Every organization is in the digital experience business

Customer expectations for digital experiences are high*
• 32% of all customers would stop doing business with a brand they loved after one bad experience
• 78% of consumers are demanding financial compensation, such as coupons or discounts, for poor digital experiences via applications
• 79% of consumers say that digital services or applications have introduced them to new products and services
*Source: AppDynamics – The App Attention Index - 2019

But it can be challenging to deliver on those expectations
• Inadequate visibility: 100% of organizations lack adequate visibility into their applications and app portfolio (Source: Qualitative feedback from F5’s Customer Engagement Center briefings)
• Security exposures: 300% increase in attacks on applications in the past two years (Source: F5 Labs Threat Research - 2019)
• Complex app portfolios: 76% of organizations manage a complex portfolio spanning traditional and modern apps (Source: F5 State of Application Services Report - 2020)

To overcome these challenges, F5 believes applications should be able to adapt
F5’s vision is that an application, like a living organism, will naturally adapt based on the environment, becoming an adaptive application: it grows as needed, shrinks as needed, defends itself, and heals itself.

Application data path
The application data path is the pathway through which application traffic flows to reach a user.
(Diagram: application business logic → user)

Today’s digital experiences are often stitched together from multiple application data paths spanning on-prem to edge
(Diagram: application business logic hosted in an on-premises data center, colocation, public cloud IaaS and the edge, reaching the user’s device or browser as one digital experience)

Application security and delivery technologies sit along the application data path to ensure secure and reliable access
(Diagram: application business logic → application security and application delivery services → user)

Application security and delivery technologies are the foundation for fast and secure digital customer experiences
APPLICATION SECURITY AND DELIVERY TECHNOLOGIES
Application services along the data path between the application and the end user: API gateway, web app firewall, ingress controller, app / web server, denial-of-service protection, anti-fraud & anti-bot, load balancer, secure access.
• Security services: secure app data, APIs, and traffic flows
• Delivery services: ensure app availability and responsiveness

F5’s VALUE PROPOSITION
F5 powers applications from development through their entire life cycle, so you can deliver differentiated, high-performing, and secure digital experiences.

Broadest and deepest app services portfolio
INDUSTRY-LEADING, ADVANCED SOLUTIONS
• Load balancing: local load balancing, global load balancing
• Security: web application firewall, SSL orchestration, anti-bot, L4 firewall, access management, DDoS protection

What do organizations care most about when deploying application services?
ORGANIZATIONS DEMAND SECURITY AND EASE OF USE TO ACCELERATE TIME TO VALUE
Q. When you are deploying application services, please select the primary and secondary characteristic desired of app services.
• Security: 47%
• Ease of use: 32%
• Cost: 26%
• Performance: 24%
• Ease of integration: 17%
• Automation: 21%
• Ease of CI/CD integration: 8%
Source: F5 Labs

F5 Security Portfolio
F5 DELIVERS END-TO-END SECURITY FOR ADAPTIVE APPLICATIONS
(Diagram: attackers and legitimate users reach the data center through Silverline DDoS Protection & DNS Sec, App Layer Security, SSL Orchestration with security service chains (NGFW; NGFW, DLP; NGFW, DLP, IPS), Trusted Application Access, Shape Security and F5 Cloud Services)

New approach to security – Zero Trust
ELIMINATES THE IDEA OF A TRUSTED NETWORK INSIDE A DEFINED PERIMETER
“A way to think about cyberthreats is to assume you have already been compromised; you simply don’t know it yet. Zero Trust may seem stark, but it is the proactive, architectural approach to align with mission priorities.”
KEY POINTS TO ENABLE ZERO TRUST
• Apply least privilege access and scrutinize it as much as possible
• Assume attackers are already on the network and hiding in it
• Must get more context and visibility from the control points

Zero Trust principles
“TRUST, BUT VERIFY” IS OUTDATED AND DANGEROUS
NEVER TRUST • ALWAYS VERIFY • CONTINUOUSLY MONITOR

What are the control points to secure now?
THERE ARE 4 CONTROL POINTS THAT MUST BE SECURED FOR ZERO TRUST
• Applications (cloud, on-premises, SaaS)
• Endpoints accessing apps
• The network
• Identity service

How does F5 help to secure each control point?
• App layer security: security at the app
• Trusted application access: modern authentication for all apps
• App infrastructure security: network level protection
• Partnerships with identity providers

F5 application security pillars
OUR SECURITY INVESTMENT AREAS TO HELP WITH ZERO TRUST
• App access: modern authentication for all apps
• Infrastructure: network level protection
• App layer: security at the app
• Fraud: better business outcomes

F5 application security pillars
OUR SECURITY INVESTMENT AREAS FIT YOUR DEPLOYMENT STRATEGIES
The same four pillars (app access, infrastructure, app layer, fraud) are offered self managed or fully managed as-a-service.

F5 application security pillars
App access (modern authentication for all apps) covers:
• Single Sign-On (SSO) & Multi-Factor Authentication (MFA)
• Common access policies for hybrid
• Integration with modern Identity as a Service (IDaaS)

Trusted application access
SIMPLIFIES ACCESS TO ALL APPLICATIONS
SSO and MFA support simplifies user and device access to classic and custom applications
SUPPORTS MULTI-CLOUD APP DEPLOYMENT
Application metadata streamlines user access to multi-cloud applications
DELIVERS FLEXIBLE DEPLOYMENT OPTIONS
Support multiple access use cases including SSL VPN, Per-Request App Access, and more
STREAMLINES COMPLIANCE
Gain continuous device posture assessments with enhanced visibility and troubleshooting capabilities
(Diagram: users on mobile, Mac and MS Windows reach APM over VPN or reverse proxy with continuous posture assessment; APM acts as SAML SP towards the IDaaS provider (SAML redirect) and uses Kerberos / header-based SSO and directory services for on-prem applications)

Authentication, authorization, and SSO to all apps with F5 BIG-IP Access Policy Manager (APM)
• Simplified policy management
• Access control over third-party SaaS
• Context-aware policy enforcement
• Scalability and performance

F5 BIG-IP Access Policy Manager (APM)
• The industry’s most scalable access management proxy solution
• Consolidates in a single platform:
  o Remote access
  o Identity federation
  o Identity aware proxy
  o API protection
  o Enterprise mobility management (EMM)
  o Virtual app access
• Protects against data loss, malware infection, and rogue device access
• Replaces web access proxy tiers for common applications, reducing infrastructure and management costs

F5 BIG-IP Access Policy Manager (APM)
F5’S ACCESS MANAGEMENT PROXY SOLUTION
Use cases: remote access and application access, identity federation, identity aware proxy, API protection, enterprise mobility management, virtual application access
Platforms: BIG-IP, VIPRION, Virtual Edition, Cloud

Remote Access and Application Access

Top five app services for 2020
SECURITY DOMINATES THE LIST OF TOP FIVE APP SERVICES DEPLOYED TODAY
Q. Which of the following application services does your company currently deploy in an on-premises data center/private cloud or the public cloud? Select all that apply.
(Chart: application services deployed on premises and in the public cloud – SSL VPN, common security services, general availability, WAF, DDoS protection; values as extracted: on premises 81%, 77%, 68%, 67%, 67%; public cloud 67%, 64%, 70%, 61%, 64%)
Source: F5 Labs

Remote Access and Application Access challenges
• Enabling secure remote access to corporate resources from any network, from any device
• Ensuring secure and fast application performance for remote users
• Protecting network resources, applications, and data from malware, theft or hack, and/or rogue and unauthorized access
(Diagram: users → Intelligent Services Platform → resources)

Fast, secure remote access
• Consistent, context-based, secure access to any app, anywhere, anytime
• Centralizes SSO / federation
• Leverages layer 4 / layer 7 access control lists (ACLs)
• Supports a robust ecosystem and integrations
• Seamlessly integrates with existing deployment
• Minimizes costs and simplifies user experience
(Diagram: home / remote users reach private apps (classic / custom) in the on-premises data center, with IDaaS providing identity)

Dynamic split tunneling
EDGE CLIENT ALLEVIATES BOTTLENECKS TO ENHANCE PERFORMANCE AND IMPROVE END USER EXPERIENCE
• Ensure real-time traffic won’t be slowed down: easily manage what traffic goes through the VPN
• Dynamically exclude traffic from services like Zoom, Microsoft 365, or WebEx
• Use across Apple macOS, Microsoft Windows, Linux platforms, and Chromebooks

Identity Federation

Apps reside anywhere / everywhere
AND LIKELY WILL FOR THE FORESEEABLE FUTURE
Source: McKinsey & Co. for IBM
• 80%: the simplest enterprise workloads are in process of migration to the cloud, but the remaining 80% of workloads remain on-premises
• An average of 760 cloud-based (IaaS) apps / org
• An average employee uses at least 8 SaaS apps and an average org of 1,000 employees uses 203 SaaS apps
• ~60% of IT decision makers believe apps that touch critical data and systems must remain on-premises for security reasons; 42% say they can’t migrate off legacy systems because they’re mission-critical

Simplifying application access is necessary today
Simple user access to any application is necessary today:
• A centralized trusted source of user identity
• Centralized sign-on to every application
• Federating user identity across ALL apps
(Diagram: IDaaS serving on-premises & custom apps (SAP HANA, Oracle PeopleSoft, line of business, custom apps via Kerberos-based, header-based, SAML and OAuth / OIDC) as well as SaaS apps and cloud-based apps)

Centralizing access to ALL apps
IDENTITY FEDERATION & SINGLE SIGN-ON (SSO)
(Diagram: IDaaS federates over SAML to the data center / on-premises, where classic & custom apps (SAP ERP, Oracle PeopleSoft, line of business, custom) are reached through header-based, Kerberos, reverse proxy, RADIUS, NTLM, OAuth / OIDC and other methods, and to cloud-based & SaaS apps)
• Expands coverage of single sign-on (SSO) and federation
• Modernizes on-premises application access
• Enhances security
• Reduces overhead
• Simplifies deployment

Complete, seamless application access
EXPANDS SEAMLESS USER EXPERIENCE TO ALL APPS
(Diagram: for on-prem app access the user is redirected to the SAML IdP and then reaches SAP ERP, Oracle PeopleSoft, line of business, classic or custom apps in the data center / on-premises through Kerberos, header-based, reverse proxy, RADIUS, NTLM, OAuth / OIDC or other methods backed by directory services; for SaaS app access the same SAML IdP redirect applies)
• Expands coverage of single sign-on (SSO) and federation
• Modernizes on-premises application access
• Enhances security
• Reduces overhead
• Simplifies deployment

Simplifies integration with leading MFA solutions
ENHANCE APP SECURITY WITH RISK-BASED ACCESS CONTROLS
• Seamlessly integrate with third-party MFA solutions from Duo (Cisco) and Okta:
  o API-based integration with FIDO U2F protocols supports end user registration to a new device
  o MFA integration supports the RADIUS authentication protocol
• Configure both identity and MFA app access policies via a single Okta dashboard

Identity Aware Proxy

Apps anywhere increases the attack surface
Applications that can reside nearly anywhere increase the risk of human error, credential theft and attack, and account takeover (ATO), and increase the threat surface
(Diagram: on-premises & custom apps (SAP HANA, Oracle PeopleSoft, line of business, custom apps via Kerberos-based, header-based, SAML and OAuth / OIDC), SaaS apps and cloud-based apps)

Seamless, secure application access is necessary today
IDENTITY AWARE PROXY (IAP) DELIVERS IT
• User validation
• Device inspection
• Fine-grained authorization
• Secure authentication
• Third-party authentication / authorization
• Increased app access security

Context-aware policies
A VITAL PART OF IDENTITY AWARE PROXY (IAP) AND REQUIRED FOR ZERO TRUST APP ACCESS
• Verify user identity
• Determine whether app access is time or date limited
• Check to ensure appropriate device
• Continuously check device posture
• Limit or halt access to the app from specific user locations, or insecure or inappropriate locations
• Confirm app integrity
• Increase security if the app is sensitive
• Ensure network accessing app is secure
• Validate user’s app access rights
• Other access controls and limits

F5 BIG-IP ACCESS POLICY MANAGER (APM) ENABLES IDENTITY AWARE PROXY, USING A ZERO TRUST MODEL VALIDATION FOR EVERY ACCESS REQUEST
• User identity
• Continuous device posture monitoring
• Contextual access
• Multi-factor authentication
• Step-up authentication
• IDaaS integration
• Simplifying user and admin access
• Third-party integration via APIs (HTTP Connector)
• Single sign-on to ALL apps
• Ephemeral authentication

Identity Aware Proxy enables Zero Trust App Access
1. User requests app access, proxy intercepts
2. Verify the device state
3. User is authenticated via on-prem (AAA) or IDaaS (Azure Active Directory in the diagram), then returns
4. Connects to third-party UEBA (via HTTP Connector) to gather additional context about the user, device, etc.
5. Authenticated traffic is allowed through. User identity is passed to the application.

BIG-IP APM Identity Aware Proxy architecture
A ZERO TRUST OPERATIONAL MODEL
(Diagram: users on Mac / Windows / mobile reach APM, which performs single sign-on with the IDaaS provider over SAML / OIDC, runs a posture check with continuous posture assessment and returns access approved or access denied; APM acts as reverse proxy to on-premises apps and to AWS, Azure and Google over SAML / OIDC, and consults third-party UEBA through the HTTP Connector)

Risk-based access leveraging third-party security solutions
VIA HTTP CONNECTOR
1. User requests app access, proxy intercepts
2. Verify the device state
3. User is authenticated via on-prem (AAA) or IDaaS, then returns
4. Connects to third-party security solution (via HTTP Connector) to gather additional context about the user, device, etc.
5. Authenticated traffic is allowed through. User identity is passed to the application.
• REST APIs connect APM to a variety of third-party apps, including UEBA, risk engines, etc.
• Third-party risk assessments can be used to ensure risk-based access to all networks, clouds, and apps
• Provides greater visibility and analytics for determining “deny / grant” access
• Variables such as user group, domain, and network-based triggers can be applied to access policies
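The five-step flow on this slide and on the Identity Aware Proxy slide above, modelled as an added example (not F5 code): the request is intercepted, device posture is checked, the user is authenticated, a risk score is fetched from a stand-in for the third-party engine behind the HTTP Connector, and only then is the request forwarded with the identity attached. The directory, app catalogue and risk engine are constructed assumptions so that it runs offline.

```python
"""Model of the five-step Identity Aware Proxy flow (slides 42 and 45):
1 intercept, 2 device posture, 3 authentication, 4 third-party risk context
over the HTTP Connector, 5 forward with identity attached. Every name here is
an assumption for illustration; the AAA/IDaaS directory, app catalogue and risk
engine are constructed stand-ins so the flow runs offline."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Request:
    user: str
    credential: str
    app: str
    device: Dict[str, bool]          # posture facts reported by the endpoint client
    src_country: str


@dataclass
class Decision:
    allowed: bool
    step_failed: Optional[int]       # which step rejected the request, None if allowed
    reason: str
    forwarded_headers: Dict[str, str] = field(default_factory=dict)


# Constructed sample directory (stands in for on-prem AAA or IDaaS) and app catalogue.
DIRECTORY = {"alice": {"password": "correct-horse", "groups": {"finance"}}}
APPS = {
    "ledger": {"groups": {"finance"}, "sensitive": True, "countries": {"US"}},
    "wiki": {"groups": {"finance", "eng"}, "sensitive": False, "countries": None},
}
REQUIRED_POSTURE = ("disk_encrypted", "av_running", "os_patched")


def verify_device(device: Dict[str, bool]):
    """Step 2: every required posture fact must be present and true."""
    missing = [k for k in REQUIRED_POSTURE if not device.get(k)]
    return len(missing) == 0, missing


def authenticate(user: str, credential: str):
    """Step 3: constructed password check standing in for AAA / IDaaS."""
    entry = DIRECTORY.get(user)
    if entry is None or entry["password"] != credential:
        return None
    return entry


def hypothetical_risk_engine(user: str, src_country: str) -> int:
    """Step 4 stand-in for the third-party UEBA reached over the HTTP Connector.
    Returns a 0..100 risk score; a real deployment calls the vendor's REST API."""
    return 90 if src_country not in {"US", "CA"} else 10


def evaluate(req: Request,
             risk_lookup: Callable[[str, str], int] = hypothetical_risk_engine,
             max_risk: int = 50) -> Decision:
    # Step 1: the proxy intercepts; nothing reaches the app until all checks pass.
    app = APPS.get(req.app)
    if app is None:
        return Decision(False, 1, "unknown application")
    ok, missing = verify_device(req.device)
    if not ok:
        return Decision(False, 2, "posture failed: " + ",".join(missing))
    identity = authenticate(req.user, req.credential)
    if identity is None:
        return Decision(False, 3, "authentication failed")
    risk = risk_lookup(req.user, req.src_country)
    limit = max_risk // 2 if app["sensitive"] else max_risk   # stricter cut for sensitive apps
    if risk > limit:
        return Decision(False, 4, f"risk {risk} exceeds limit {limit}")
    # Step 5: per-request authorization on group and location, then forward.
    if not (identity["groups"] & app["groups"]):
        return Decision(False, 5, "user not in an allowed group")
    if app["countries"] and req.src_country not in app["countries"]:
        return Decision(False, 5, "location not permitted for this app")
    headers = {"X-Remote-User": req.user,          # identity, never the credential
               "X-Remote-Groups": ",".join(sorted(identity["groups"]))}
    return Decision(True, None, "allowed", headers)


if __name__ == "__main__":
    good = Request("alice", "correct-horse", "ledger",
                   {"disk_encrypted": True, "av_running": True, "os_patched": True}, "US")
    print(evaluate(good))
```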

BIG-IP APM Identity Aware Proxy (IAP) benefits
• Enables Zero Trust App Access
• Enhances app access, security, and user experience
• Increases application security

API Protection

API security adoption rate
Percentage of companies using security in their API tier: Threat Protection 74%, OAuth 72%, Spike Arrest 78%
Source: apigee 2015 report

APIs in the crosshairs
(Chart: API incidents, 2018 – July 2020)
• Increased attack surfaces with large ecosystems and integrations
• Attacked just like web apps, but without the same security controls in place
• Often unknown to SecOps as different orgs publish and manage APIs on their own

APIs are diverse
F5 ADDRESSES A WIDE RANGE OF API REQUIREMENTS
• All APIs need common controls: access controls, attack and DoS defenses, management
• Use cases drive logical designs: tailored security controls, deployment patterns
• Significant variations in function, scale, and risk

Securing API access and authentication
BIG-IP APM GRANULAR API ACCESS CONTROLS AND MULTIFACTOR AUTHENTICATION (MFA) ENFORCEMENT
• Imports the latest OpenAPI 3.0 files to ensure accurate API protection policies
• Supports SAML and OAuth/OIDC across all apps
• Rate limits API requests via quotas, allow-lists, and deny-lists
• Automates API protection with efficient CI / CD deployment of policies
• Applies the same access controls used for apps across APIs via Access Guided Configuration (AGC)

F5 BIG-IP APM API access and authentication
GRANULAR API ACCESS CONTROLS AND ZERO TRUST OPERATIONAL MODEL
BIG-IP APM creates:
• Paths
• Responses
• Per Request Policy
• Authentication and authorization macro
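An added illustration of the controls the two API slides above describe: a policy derived from an OpenAPI 3.0 document (paths, methods and OAuth scopes), with quotas, an allow-list and a deny-list enforced per request. This is not BIG-IP APM code; the spec is constructed, and the "x-quota" key is an assumed vendor extension (OpenAPI permits x- prefixed keys).

```python
"""Derive a per-path / per-method API policy from an OpenAPI 3.0 document and
enforce scopes, quotas, allow-lists and deny-lists. Constructed example; the
"x-quota" extension is assumed, and quotas are counted as a running total rather
than per time window, which a real gateway would use."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed OpenAPI 3.0 document (JSON form) standing in for an imported file.
SPEC = {
    "openapi": "3.0.0",
    "paths": {
        "/accounts/{id}": {
            "get": {"security": [{"oauth": ["accounts:read"]}], "x-quota": 3},
            "delete": {"security": [{"oauth": ["accounts:admin"]}], "x-quota": 1},
        },
        "/health": {"get": {"security": [], "x-quota": 100}},
    },
}


def path_regex(template: str) -> "re.Pattern":
    """Turn an OpenAPI path template such as /accounts/{id} into an anchored regex."""
    parts = re.split(r"(\{[^/]+\})", template)
    body = "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile("^" + body + "$")


class ApiGuard:
    def __init__(self, spec: dict, allow_list: Iterable[str] = (), deny_list: Iterable[str] = ()):
        # One policy entry per documented operation: (regex, METHOD, required scopes, quota).
        self.ops: List[Tuple["re.Pattern", str, set, int]] = []
        for template, methods in spec["paths"].items():
            rx = path_regex(template)
            for method, op in methods.items():
                scopes = set()
                for requirement in op.get("security", []):
                    for scope_list in requirement.values():
                        scopes.update(scope_list)
                self.ops.append((rx, method.upper(), scopes, op.get("x-quota", 10)))
        self.allow, self.deny = set(allow_list), set(deny_list)
        self.counts: Dict[Tuple[str, str, str], int] = defaultdict(int)

    def check(self, method: str, path: str, client_ip: str,
              token_scopes: Iterable[str]) -> Tuple[int, str]:
        """Return (HTTP status, reason) for one request; 200 means forward it."""
        if client_ip in self.deny:
            return 403, "deny-listed client"
        if self.allow and client_ip not in self.allow:
            return 403, "client not on allow-list"
        for rx, m, scopes, quota in self.ops:
            if m == method.upper() and rx.match(path):
                missing = scopes - set(token_scopes)
                if missing:
                    return 403, "missing scope(s): " + ",".join(sorted(missing))
                key = (client_ip, m, rx.pattern)        # quota per client and operation
                self.counts[key] += 1
                if self.counts[key] > quota:
                    return 429, "quota exceeded"
                return 200, "allowed"
        # Anything the spec does not document is not exposed at all.
        return 404, "path/method not in OpenAPI spec"


if __name__ == "__main__":
    guard = ApiGuard(SPEC, deny_list=["203.0.113.9"])
    print(guard.check("GET", "/accounts/42", "198.51.100.5", ["accounts:read"]))
```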

Confidently set up IAP services with Access Guided Configuration (AGC)
STEP-BY-STEP GUIDANCE FOR SETTING UP AND DEPLOYING BIG-IP APM
Access Guided Configuration enables administrators to quickly set up Identity Aware Proxy services to:
• Reduce training overhead
• Ensure correct security check setup
• Speed app deployment
• Integrate with IDaaS solutions
• Easily onboard and manage integration of classic apps

Manually apply access policies with Traffic Management User Interface (TMUI)
CONFIGURE AND MANAGE POLICIES FOR UP TO 100 BIG-IP APM INSTANCES WITH BIG-IQ
• Simplify access policy distribution by importing configs from a master “source” BIG-IP APM instance
• Propagate device- or location-specific object changes throughout the entire APM deployment
• View the differences between current and proposed access configurations
• Capture access reports and logs based on devices and groups

Design and manage granular access controls with Visual Policy Editor (VPE)
SIMPLIFY CREATION OF IDENTITY- AND CONTEXT-BASED ACCESS POLICIES
• Centralize the management of contextual policies and make edits with just a few clicks
• Apply granular access control policies on an individual or group basis
• Design access policies for authentication, authorization, and endpoint security checks

F5 BIG-IP API Access and Authentication
BENEFITS
• Saves time and cost: integrating existing Swagger files saves time, resources, and cost
• Ensures accurate API protection policies are enforced
• Secures authentication and appropriate authorization: enables secure authentication for REST APIs and ensures appropriate authorization actions

BIG-IP APM & Application Traffic Insights

Malicious users try to blend in with legitimate users
(Diagram: User 1, User 2, User 3)
There needs to be a reliable way to determine if a “user” is:
● A human?
● Good or bad?
In other words, is it a legitimate user, a malicious attacker, or an automated bot?

An accurate device identifier can detect evasive behavior
BASED ON A CASE STUDY WITH A QSR OVER A 2 DAY TIME PERIOD
(Diagram: device identifiers A and B; identifier A is seen with VPN use from Porter Ranch, CA; New York, NY; Bogotá, Colombia; Washington D.C.; and Toronto, Canada, each session carrying the JS-collected signals)
VPN use combined with other factors such as hosted ASN usage, time zone of origin, and volume can help detect suspicious behavior
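The kind of correlation this case study describes, written out as an added example (not F5 or Shape code): events carrying a persistent device identifier are grouped per device over a two-day window and scored on distinct locations, VPN use, hosted-ASN origin, browser time zone versus claimed location, and login volume. The events, field layout and scoring weights are constructed assumptions; the identifier is assumed to come from the JS signal collector.

```python
"""Score per-device signals over a short window to surface one identifier that
appears from many locations over VPN, from hosting ASNs, with a browser clock
that disagrees with the claimed location, and with high login volume.
Constructed example: events, field layout and weights are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed events: (device_id, timestamp, city, vpn, hosted_asn,
#                      browser_tz_offset_hours, city_tz_offset_hours, login_attempts)
EVENTS = [
    ("A", "2020-06-01T09:00:00", "Porter Ranch, CA", True, True, -5, -7, 40),
    ("A", "2020-06-01T11:30:00", "New York, NY", True, True, -5, -4, 40),
    ("A", "2020-06-01T14:00:00", "Bogota, Colombia", True, True, -5, -5, 40),
    ("A", "2020-06-02T08:00:00", "Washington D.C.", True, True, -5, -4, 40),
    ("A", "2020-06-02T10:00:00", "Toronto, Canada", True, True, -5, -4, 40),
    ("B", "2020-06-01T09:05:00", "Seattle, WA", False, False, -7, -7, 1),
    ("B", "2020-06-02T09:10:00", "Seattle, WA", False, False, -7, -7, 1),
]


def profile_devices(events, window: timedelta = timedelta(days=2)) -> Dict[str, dict]:
    """Aggregate per-device signals over a window starting at each device's first event."""
    by_device = defaultdict(list)
    for ev in events:
        by_device[ev[0]].append(ev)
    profiles = {}
    for dev, evs in by_device.items():
        evs.sort(key=lambda e: e[1])
        start = datetime.fromisoformat(evs[0][1])
        evs = [e for e in evs if datetime.fromisoformat(e[1]) - start <= window]
        n = len(evs)
        profiles[dev] = {
            "events": n,
            "cities": len({e[2] for e in evs}),
            "vpn_ratio": sum(e[3] for e in evs) / n,
            "hosted_asn": any(e[4] for e in evs),
            "tz_mismatch_ratio": sum(e[5] != e[6] for e in evs) / n,
            "attempts": sum(e[7] for e in evs),
        }
    return profiles


def risk_score(p: dict) -> int:
    """Constructed weights: no single signal is decisive; VPN use alone is common and legitimate."""
    score = 0
    if p["cities"] >= 3:
        score += 3              # one device, many distant locations in a short window
    if p["vpn_ratio"] >= 0.8:
        score += 1
    if p["hosted_asn"]:
        score += 2              # traffic from hosting providers rather than residential ISPs
    if p["tz_mismatch_ratio"] >= 0.5:
        score += 2              # browser clock disagrees with the claimed location
    if p["attempts"] > 50:
        score += 2              # volume far beyond a human logging in
    return score


def flag_suspicious(events, threshold: int = 5) -> List[Tuple[str, int]]:
    """Return (device_id, score) for devices at or above the threshold, highest first."""
    scored = [(dev, risk_score(p)) for dev, p in profile_devices(events).items()]
    return sorted([s for s in scored if s[1] >= threshold], key=lambda s: -s[1])


if __name__ == "__main__":
    print(flag_suspicious(EVENTS))   # device A is flagged, device B is not
```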

Application Traffic Insights
● Persistent, signal based device identifier
● Continuous efficacy enhancements based on improved signals sets
● Strengthened by big data insights across F5 – Shape customer base
● Easy deployment with BIG-IP iApp and consumption models
Additional signals: plugins, fonts, screen size, emoji rendering, unique instance of Chrome (distinct among other instances of Chrome)

Application Traffic Insights is superior to existing identifiers
Application Traffic Insights:
● Extremely precise identifier based on high-efficacy signal set backed by extensive research
● Easy JS injection leveraging existing F5 or Shape infrastructure, or tag managers
● Available for free
Existing solutions:
● Identifiers change quickly over time
● Require API integrations and other efforts from customers
● Solutions from other vendors are expensive, as is developing and maintaining a home-grown solution

Application Traffic Insights can differentiate between user groups
APPROPRIATE SECURITY MEASURES CAN BE TAKEN FOR EACH GROUP
● User 1 = legitimate user
● User 2 = malicious attacker
● User 3 = malicious automation
Take appropriate security measures for each group

Application Traffic Insights improves login experiences for legitimate users
ATTEMPTED MALICIOUS ATTACKER AND AUTOMATION ACCESS MITIGATED ACCORDINGLY
User 1 (legitimate user), User 2 (malicious attacker) and User 3 (malicious automation): access can be mitigated appropriately
• Eases the login experience for the legitimate user
• A vast improvement over “Remember Me” features and captchas
• Reduces login friction via session extension

Easy integration with existing F5 infrastructure
Can use the iApp template to inject the JS and route API calls
● Minimal configuration required
● JS injection and API call will both happen as a first-party

Integrates seamlessly with BIG-IP APM policies
Feed Application Traffic Insights into APM and implement a risk-based authentication system

Empowers SecOps and NetOps to identify anomalous activities
• Mitigate login friction / credential stuffing attacks
• Session hijacking
• Unusual devices accessing user accounts
• Bad actors spoofing their environment
• Deliberate use of proxy networks
• Single device accessing unauthorized accounts

Enterprise Mobility Management (EMM)

Enterprise Mobility Gateway (EMG)
• Ensure devices connect securely and adhere to a security posture baseline, regardless of ownership
• Reduce the risk of malware infecting the corporate network from corporate or personal mobile device
(Diagram: a Finance user on a device running Windows, Chrome or Safari reaches the App Store, HR, Purchasing and Finance apps through the gateway, which asks “Managed device?” of the MDM/EMM and authenticates against an AAA server (RADIUS))

Virtual Application Access

Simplifying virtual application access
(Diagram: users reach virtual desktops (VDI on hypervisors) through APM with an AAA server, covering Horizon, Microsoft RDP, Citrix Virtual Apps and Desktops and Citrix StoreFront)

F5 BIG-IQ and BIG-IP APM

BIG-IQ: SecOps-focused functionality
BIG-IQ (source of truth, easy audit point, centralized management) provides a security services catalog, an app delivery services catalog, device management, F5-authored templates, ADC & security dashboards and automated workflows.
• Application and network performance telemetry and security telemetry flow back from on-prem and cloud (Cloud 1, Cloud 2) environments
• Consistent, API-driven deployment and configuration to app environments
• Security roles (SecOps) own security policy development and deployment:
  o Create and augment WAF policies
  o Detect and respond to threat profiles
  o Manage security holistically: bot detection, DDoS, access policies, and network firewalls

F5 BIG-IQ centralized management
HOLISTICALLY CONTROLS AND MANAGES APPLICATION ACCESS
• Simplifies BIG-IP APM management by managing and configuring large collections of application access and security policies from one portal
• Provides deep visibility into application access and usage
• Enables security administrators to centrally create, manage, and deploy access policies across BIG-IP APM deployments

Guided Configuration of Services
Customer challenges
• Administrator challenged to learn and master various control applications
• Configuration errors can impact user experience and security
F5 solution
F5 APM Guided Configuration enables administrators to confidently and quickly set up Identity Aware Proxy services
• Reduces training overhead
• Ensures correct security checks setup
• Faster deployment for applications
• Easy integration with IDaaS solutions

Summary

Summary
WHAT MAKES F5 BIG-IP ACCESS POLICY MANAGER DIFFERENT
• Best-in-class access proxy: BIG-IP APM is the industry’s most high-performance, secure access management solution
• Robust integration with ecosystem vendors: BIG-IP APM enables secure access and single sign-on (SSO) to ANY application, regardless of its location or authentication support
• Continuous, increased granular traffic control: BIG-IP APM delivers end-to-end secure access, application visibility, and application security with granular authorization based on a Zero Trust operational model
APM Overall Use Case Presentation - Final

More Related Content

PPTX
Automate and simplify multi cloud complexity with f5 and hashi corp
PDF
Application Security with NGINX
PDF
Modern App Architecture - Microservices, API Friendly
PDF
Application Security with NGINX | APAC
PPTX
F5 XC Distributed cloud Security and Application Delievery
PPTX
Leveraging Technology for Government Service Delivery
PPTX
RETOS ACTUALES E INNOVACIÓN SOBRE EL CONTROL DE ACCESOS PRIVILEGIADOS.
PDF
Enable and Secure Business Growth in the New Application Economy
Automate and simplify multi cloud complexity with f5 and hashi corp
Application Security with NGINX
Modern App Architecture - Microservices, API Friendly
Application Security with NGINX | APAC
F5 XC Distributed cloud Security and Application Delievery
Leveraging Technology for Government Service Delivery
RETOS ACTUALES E INNOVACIÓN SOBRE EL CONTROL DE ACCESOS PRIVILEGIADOS.
Enable and Secure Business Growth in the New Application Economy

Similar to APM Overall Use Case Presentation - Final (20)

PPTX
Get more versatile and scalable protection with F5 BIG-IP
PPTX
Akamai Intelligent Edge Security
PDF
Creating the Borderless Workplace
PPTX
F5 and HashiCorp Multi-Cloud
PPTX
Thousand Eyes FMD.pptx
PPTX
F5 Distributed Cloud.pptx
PDF
Samsung SDS IAM & EMM
PDF
Enterprise Mobility: winning strategies to get your organization ready for th...
PDF
Making App Security and Delivery Ridiculously Easy
PDF
Navigating Identity and Access Management in the Modern Enterprise
PPT
An Overview on IBM MobileFirst Platform v7
PPTX
CASB: Securing your cloud applications
PPTX
Webinar on Proven Strategies for Powerful B2E Mobile Apps
PDF
Digital Transformation, Cloud Adoption and the Impact on SAM and Security
PPTX
Securing Kubernetes Clusters with NGINX Plus Ingress Controller & NAP
PDF
Mobile SSO: Give App Users a Break from Typing Passwords
PPTX
Learn Why your Technology Toolkit needs a Low Code Platform Upgrade!
PPTX
FIDO Munich Seminar FIDO Automotive Apps.pptx
PDF
Surviving the Mobile Phenomenon: Securing Mobile Access with Risk-Based Authe...
PDF
Creating an Omnichannel Experience for Your Customers
Get more versatile and scalable protection with F5 BIG-IP
Akamai Intelligent Edge Security
Creating the Borderless Workplace
F5 and HashiCorp Multi-Cloud
Thousand Eyes FMD.pptx
F5 Distributed Cloud.pptx
Samsung SDS IAM & EMM
Enterprise Mobility: winning strategies to get your organization ready for th...
Making App Security and Delivery Ridiculously Easy
Navigating Identity and Access Management in the Modern Enterprise
An Overview on IBM MobileFirst Platform v7
CASB: Securing your cloud applications
Webinar on Proven Strategies for Powerful B2E Mobile Apps
Digital Transformation, Cloud Adoption and the Impact on SAM and Security
Securing Kubernetes Clusters with NGINX Plus Ingress Controller & NAP
Mobile SSO: Give App Users a Break from Typing Passwords
Learn Why your Technology Toolkit needs a Low Code Platform Upgrade!
FIDO Munich Seminar FIDO Automotive Apps.pptx
Surviving the Mobile Phenomenon: Securing Mobile Access with Risk-Based Authe...
Creating an Omnichannel Experience for Your Customers
Ad

Recently uploaded (20)

PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
PDF
Encapsulation theory and applications.pdf
PDF
Empathic Computing: Creating Shared Understanding
PDF
NewMind AI Monthly Chronicles - July 2025
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
PDF
Modernizing your data center with Dell and AMD
PDF
Encapsulation_ Review paper, used for researhc scholars
PDF
KodekX | Application Modernization Development
PDF
Electronic commerce courselecture one. Pdf
PDF
Unlocking AI with Model Context Protocol (MCP)
PDF
Approach and Philosophy of On baking technology
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
PDF
cuic standard and advanced reporting.pdf
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
PDF
Chapter 3 Spatial Domain Image Processing.pdf
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
Encapsulation theory and applications.pdf
Empathic Computing: Creating Shared Understanding
NewMind AI Monthly Chronicles - July 2025
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
Diabetes mellitus diagnosis method based random forest with bat algorithm
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
Modernizing your data center with Dell and AMD
Encapsulation_ Review paper, used for researhc scholars
KodekX | Application Modernization Development
Electronic commerce courselecture one. Pdf
Unlocking AI with Model Context Protocol (MCP)
Approach and Philosophy of On baking technology
Agricultural_Statistics_at_a_Glance_2022_0.pdf
cuic standard and advanced reporting.pdf
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
Chapter 3 Spatial Domain Image Processing.pdf
CIFDAQ's Market Insight: SEC Turns Pro Crypto
Ad

APM Overall Use Case Presentation - Final

  • 1. F5 BIG-IP Access Policy Manager (APM) PRESENTER NAME, TITLE DATE
  • 2. | ©2020 F5 Every organization is in the digital experience business
  • 3. Customer expectations for digital experiences are high*: 32% of all customers would stop doing business with a brand they loved after one bad experience; 78% of consumers are demanding financial compensation such as coupons or discounts for poor digital experiences via applications; 79% of consumers say that digital services or applications have introduced them to new products and services. *Source: AppDynamics – The App Attention Index - 2019
  • 4. But it can be challenging to deliver on those expectations: complex app portfolios, security exposures, inadequate visibility. 100% of organizations lack adequate visibility into their applications and app portfolio (Source: qualitative feedback from F5’s Customer Engagement Center briefings). 300% increase in attacks on applications in the past two years (Source: F5 Labs Threat Research - 2019). 76% of organizations manage a complex portfolio spanning traditional and modern apps (Source: F5 State of Application Services Report - 2020).
  • 5. To overcome these challenges, F5 believes applications should be able to adapt. F5’s vision is that an application, like a living organism, will naturally adapt based on the environment, becoming an adaptive application: it grows as needed, shrinks as needed, defends itself, and heals itself.
  • 6. Application data path: the application data path is the pathway through which application traffic flows from the application business logic to reach a user.
  • 7. Today’s digital experiences are often stitched together from multiple application data paths spanning on-prem to edge: application business logic in the on-premises data center, in colocation, and in public cloud IaaS, reaching the edge device or browser to form the digital experience.
  • 8. Application security and delivery technologies sit along the application data path, between the application business logic and the user, to ensure secure and reliable access.
  • 9. Application security and delivery technologies are the foundation for fast and secure digital customer experiences. Application services sit between the application business logic and the end user: application security (web app firewall, denial of service, anti-fraud & anti-bot, secure access) secures app data, APIs, and traffic flows; application delivery (API gateway, ingress controller, load balancer, app / web server) ensures app availability and responsiveness.
  • 10. F5’s value proposition: F5 powers applications from development through their entire life cycle, so you can deliver differentiated, high-performing, and secure digital experiences.
  • 11. Broadest and deepest app services portfolio, with industry-leading, advanced solutions. Load balancing: local load balancing, global load balancing. Security: web application firewall, SSL orchestration, anti-bot, L4 firewall, access management, DDoS protection.
  • 12. What do organizations care most about when deploying application services? Organizations demand security and ease of use to accelerate time to value. Q. When you are deploying application services, please select the primary and secondary characteristic desired of app services: Security 47%; Ease of use 32%; Cost 26%; Performance 24%; Ease of integration 17%; Automation 21%; Ease of CI/CD integration 8%. Source: F5 Labs
  • 13. F5 security portfolio: F5 delivers end-to-end security for adaptive applications. Silverline DDoS protection & DNS security in front of the data center; app layer security; SSL Orchestration steering decrypted traffic through security service chains (NGFW; NGFW and DLP; NGFW, DLP, and IPS) so attackers are separated from legitimate users; trusted application access; Shape Security; F5 Cloud Services.
  • 14. New approach to security – Zero Trust: eliminates the idea of a trusted network inside a defined perimeter. “A way to think about cyberthreats is to assume you have already been compromised; you simply don’t know it yet. Zero Trust may seem stark, but it is the proactive, architectural approach to align with mission priorities.” Key points to enable Zero Trust: apply least privilege access and scrutinize it as much as possible; assume attackers are already on the network and hiding in it; get more context and visibility from the control points.
  • 15. Zero Trust principles: “trust, but verify” is outdated and dangerous. Never trust. Always verify. Continuously monitor.
  • 16. What are the control points to secure now? There are four control points that must be secured for Zero Trust: applications (cloud, on-premises, SaaS); endpoints accessing apps; the network; the identity service.
  • 17. How does F5 help to secure each control point? Endpoints: trusted application access, modern authentication for all apps. Network: app infrastructure security, network-level protection. Applications: app layer security, security at the app. Identity service: partnerships with identity providers.
  • 18. F5 application security pillars, our security investment areas to help with Zero Trust: app access (modern authentication for all apps); infrastructure (network-level protection); app layer (security at the app); fraud (better business outcomes).
  • 19. F5 application security pillars: our security investment areas fit your deployment strategies. App access, infrastructure, app layer, and fraud, delivered self managed, fully managed, or as-a-service.
  • 20. F5 application security pillars, app access (modern authentication for all apps): single sign-on (SSO) & multi-factor authentication (MFA); common access policies for hybrid; integration with modern Identity as a Service (IDaaS).
  • 21. Trusted application access. Simplifies access to all applications: SSO and MFA support simplifies user and device access to classic and custom applications. Supports multi-cloud app deployment: application metadata streamlines user access to multi-cloud applications. Delivers flexible deployment options: supports multiple access use cases including SSL VPN, per-request app access, and more. Streamlines compliance: gain continuous device posture assessments with enhanced visibility and troubleshooting capabilities. (Diagram: mobile, Mac, and Windows users connect over VPN, under continuous posture assessment, to APM acting as SAML SP and reverse proxy; APM redirects to the IDaaS provider via SAML, consults on-prem directory services, and signs users on to applications using Kerberos or header-based SSO.)
  • 22. Authentication, authorization, and SSO to all apps with F5 BIG-IP Access Policy Manager (APM): simplified policy management; access control over third-party SaaS; context-aware policy enforcement; scalability and performance.
  • 23. F5 BIG-IP Access Policy Manager (APM): the industry’s most scalable access management proxy solution. Consolidates in a single platform: remote access; identity federation; identity-aware proxy; API protection; enterprise mobility management (EMM); virtual app access. Protects against data loss, malware infection, and rogue device access. Replaces web access proxy tiers for common applications, reducing infrastructure and management costs.
  • 24. F5 BIG-IP Access Policy Manager (APM), F5’s access management proxy solution: remote access and application access; identity federation; identity-aware proxy; API protection; enterprise mobility management; virtual application access. Deployable on BIG-IP hardware, VIPRION, Virtual Edition, and cloud.
  • 25. Remote Access and Application Access
  • 26. Top five app services for 2020: security dominates the list of the top five app services deployed today. Q. Which of the following application services does your company currently deploy in an on-premises data center / private cloud or the public cloud? Select all that apply. Application services deployed on premises and in the public cloud: SSL VPN, common security services, general availability, WAF, DDoS protection (chart values as extracted, on premises and public cloud: 81%, 77%, 68%, 67%, 67%, 67%, 64%, 70%, 61%, 64%). Source: F5 Labs
  • 27. Remote access and application access challenges: enabling secure remote access to corporate resources from any network, from any device; ensuring secure and fast application performance for remote users; protecting network resources, applications, and data from malware, theft or hack, and/or rogue and unauthorized access. (Diagram: users reach resources through the intelligent services platform.)
  • 28. Fast, secure remote access: consistent, context-based, secure access to any app, anywhere, anytime; centralizes SSO / federation; leverages layer 4 / layer 7 access control lists (ACLs); supports a robust ecosystem and integrations; seamlessly integrates with existing deployments; minimizes costs and simplifies user experience. (Diagram: home / remote users reach private apps (classic / custom) in the on-premises data center, with IDaaS for identity.)
  • 29. Dynamic split tunneling: the Edge Client alleviates bottlenecks to enhance performance and improve end-user experience. Ensure real-time traffic won’t be slowed down; easily manage what traffic goes through the VPN. Dynamically exclude traffic from services like Zoom, Microsoft 365, or WebEx. Use across Apple macOS, Microsoft Windows, Linux platforms, and Chromebooks. Note that excluded traffic bypasses the VPN’s ACLs and inspection, so exclusions should be limited to well-defined, trusted SaaS destinations.
  • 30. Identity Federation
  • 31. Apps reside anywhere / everywhere, and likely will for the foreseeable future. The simplest enterprise workloads are in the process of migration to the cloud, but the remaining 80% of workloads remain on-premises (Source: McKinsey & Co. for IBM). An average of 760 cloud-based (IaaS) apps per organization. An average employee uses at least 8 SaaS apps, and an average organization of 1,000 employees uses 203 SaaS apps. ~60% of IT decision makers believe apps that touch critical data and systems must remain on-premises for security reasons; 42% say they can’t migrate off legacy systems because they’re mission-critical.
  • 32. Simplifying application access is necessary today. Simple user access to any application requires: a centralized trusted source of user identity; centralized sign-on to every application; federating user identity across ALL apps. (Diagram: IDaaS; on-premises & custom apps (SAP HANA, Oracle PeopleSoft, line of business, custom apps) using Kerberos-based, header-based, SAML, or OAuth / OIDC authentication; SaaS apps; cloud-based apps.)
  • 33. Identity federation & single sign-on (SSO): centralizing access to ALL apps. Classic & custom apps in the data center / on-premises (SAP ERP, Oracle PeopleSoft, line of business, custom) reached via header-based, Kerberos, reverse proxy, RADIUS, NTLM, OAuth / OIDC, and other methods; cloud-based & SaaS apps reached via SAML with IDaaS. Expands coverage of single sign-on (SSO) and federation; modernizes on-premises application access; enhances security; reduces overhead; simplifies deployment.
  • 34. Complete, seamless application access: expands seamless user experience to all apps. (Diagram: for on-prem app access, the user is redirected to the SAML IdP, and the reverse proxy signs on to SAP ERP, Oracle PeopleSoft, line of business, classic, and custom apps in the data center using Kerberos, header-based, RADIUS, NTLM, OAuth / OIDC, or other methods backed by directory services; for SaaS app access, the user is likewise redirected to the SAML IdP.) Expands coverage of single sign-on (SSO) and federation; modernizes on-premises application access; enhances security; reduces overhead; simplifies deployment.
  • 35. Enhance app security with risk-based access controls: simplifies integration with leading MFA solutions. Seamlessly integrate with third-party MFA solutions from Duo (Cisco) and Okta: API-based integration with FIDO U2F protocol support lets end users register a new device; MFA integration supports the RADIUS authentication protocol. Configure both identity and MFA app access policies via a single Okta dashboard.
  • 36. Identity Aware Proxy
  • 37. Apps anywhere increases the attack surface: applications that can reside nearly anywhere increase the risk of human error, credential theft and attack, and account takeover (ATO), and enlarge the threat surface. (Diagram: on-premises & custom apps (SAP HANA, Oracle PeopleSoft, line of business, custom apps) using Kerberos-based, header-based, SAML, or OAuth / OIDC authentication; SaaS apps; cloud-based apps.)
  • 38. Seamless, secure application access is necessary today, and Identity Aware Proxy (IAP) delivers it: user validation; device inspection; fine-grained authorization; secure authentication; third-party authentication / authorization; increased app access security.
  • 39. Context-aware policies, a vital part of Identity Aware Proxy (IAP) and required for Zero Trust app access: verify user identity; determine whether app access is time- or date-limited; check to ensure an appropriate device; continuously check device posture; limit or halt access to the app from specific user locations, or from insecure or inappropriate locations; confirm app integrity; increase security if the app is sensitive; ensure the network accessing the app is secure; validate the user’s app access rights; other access controls and limits.
  • 40. F5 BIG-IP Access Policy Manager (APM) enables Identity Aware Proxy using a Zero Trust model. Validation for every access request: user identity; continuous device posture monitoring; contextual access; multi-factor authentication; step-up authentication; IDaaS integration. Simplifying user and admin access: third-party integration via APIs (HTTP Connector); single sign-on to ALL apps; ephemeral authentication.
  • 41. Identity Aware Proxy enables Zero Trust app access. 1. User requests app access; the proxy intercepts. 2. Verify the device state. 3. User is authenticated via on-prem (AAA) or IDaaS (Azure Active Directory in the diagram), then returns. 4. Connect to third-party UEBA (via HTTP Connector) to gather additional context about the user, device, etc. 5. Authenticated traffic is allowed through, and user identity is passed to the application.
  • 42. BIG-IP APM Identity Aware Proxy architecture: a Zero Trust operational model. (Diagram: Mac / Windows / mobile users under continuous posture assessment reach the reverse proxy; single sign-on via SAML / OIDC with the IDaaS provider; a posture check precedes each access approved or denied to applications on-premises and in AWS, Azure, and Google; third-party UEBA via HTTP Connector.)
  • 43. Risk-based access leveraging third-party security solutions via HTTP Connector. 1. User requests app access; the proxy intercepts. 2. Verify the device state. 3. User is authenticated via on-prem (AAA) or IDaaS, then returns. 4. Connect to the third-party security solution (via HTTP Connector) to gather additional context about the user, device, etc. 5. Authenticated traffic is allowed through, and user identity is passed to the application. REST APIs connect APM to a variety of third-party apps, including UEBA, risk engines, etc. Third-party risk assessments can be used to ensure risk-based access to all networks, clouds, and apps. Provides greater visibility and analytics for determining “deny / grant” access. Variables such as user group, domain, and network-based triggers can be applied to access policies.
  • 44. BIG-IP APM Identity Aware Proxy (IAP) benefits: enables Zero Trust app access; enhances app access, security, and user experience; increases application security.
  • 45. API Protection
  • 46. API security adoption rate: percentage of companies using security in their API tier, for threat protection, OAuth, and spike arrest (chart values as extracted: 74%, 72%, 78%). Source: Apigee 2015 report
  • 47. APIs in the crosshairs: API incidents, 2018 – July 2020. Increased attack surfaces with large ecosystems and integrations. Attacked just like web apps, but without the same security controls in place. Often unknown to SecOps, as different orgs publish and manage APIs on their own.
  • 48. F5 addresses a wide range of API requirements. APIs are diverse: significant variations in function, scale, and risk; use cases drive logical designs; deployment patterns; tailored security controls. All APIs need common controls: access controls; attack and DoS defenses; management.
  • 49. Securing API access and authentication: BIG-IP APM granular API access controls and multifactor authentication (MFA) enforcement. Imports the latest OpenAPI 3.0 files to ensure accurate API protection policies. Supports SAML and OAuth/OIDC across all apps. Rate limits API requests via quotas, allow-lists, and deny-lists. Automates API protection with efficient CI / CD deployment of policies. Applies the same access controls used for apps across APIs via Access Guided Configuration (AGC).
  • 50. F5 BIG-IP APM API access and authentication: granular API access controls and a Zero Trust operational model. From the imported API definition, BIG-IP APM creates: paths; responses; a per-request policy; an authentication and authorization macro.
  • 51. Confidently set up IAP services with Access Guided Configuration (AGC): step-by-step guidance for setting up and deploying BIG-IP APM. Access Guided Configuration enables administrators to quickly set up Identity Aware Proxy services to: reduce training overhead; ensure correct security check setup; speed app deployment; integrate with IDaaS solutions; easily onboard and manage integration of classic apps.
  • 52. Manually apply access policies with the Traffic Management User Interface (TMUI); configure and manage policies for up to 100 BIG-IP APM instances with BIG-IQ. Simplify access policy distribution by importing configs from a master “source” BIG-IP APM instance. Propagate device- or location-specific object changes throughout the entire APM deployment. View the differences between current and proposed access configurations. Capture access reports and logs based on devices and groups.
  • 53. Design and manage granular access controls with the Visual Policy Editor (VPE): simplify creation of identity- and context-based access policies. Centralize the management of contextual policies and make edits with just a few clicks. Apply granular access control policies on an individual or group basis. Design access policies for authentication, authorization, and endpoint security checks.
  • 54. F5 BIG-IP API access and authentication benefits. Saves time and cost: integrating existing Swagger / OpenAPI files saves time, resources, and cost, and ensures accurate API protection policies are enforced. Secures authentication and appropriate authorization: enables secure authentication for REST APIs; ensures appropriate authorization actions.
  • 55. BIG-IP APM & Application Traffic Insights
  • 56. Malicious users try to blend in with legitimate users. There needs to be a reliable way to determine if a “user” is a human, and good or bad. In other words, is it a legitimate user, a malicious attacker, or an automated bot? (Diagram: User 1, User 2, User 3.)
  • 57. An accurate device identifier can detect evasive behavior. Based on a case study with a QSR (quick-service restaurant) over a two-day period: the same device identifier (A) appears with VPN use from Porter Ranch, CA; New York, NY; Bogotá, Colombia; Washington, D.C.; and Toronto, Canada. VPN use combined with other factors such as hosted ASN usage, time zone of origin, and volume can help detect suspicious behavior.
  • 58. Application Traffic Insights: persistent, signal-based device identifier; continuous efficacy enhancements based on improved signal sets; strengthened by big data insights across the F5 – Shape customer base; easy deployment with BIG-IP iApp and consumption models. Signals such as plugins, fonts, screen size, emoji rendering, and additional signals identify a unique instance of Chrome (distinct among other instances of Chrome).
  • 59. Application Traffic Insights is superior to existing identifiers. Application Traffic Insights: extremely precise identifier based on a high-efficacy signal set backed by extensive research; easy JS injection leveraging existing F5 or Shape infrastructure, or tag managers; available for free. Existing solutions: identifiers change quickly over time; require API integrations and other efforts from customers; solutions from other vendors are expensive, as is developing and maintaining a home-grown solution.
  • 60. Application Traffic Insights can differentiate between user groups, so appropriate security measures can be taken for each group: User 1 = legitimate user; User 2 = malicious attacker; User 3 = malicious automation.
  • 61. Application Traffic Insights improves login experiences for legitimate users, while attempted malicious attacker and automation access is mitigated accordingly (User 1 = legitimate user; User 2 = malicious attacker; User 3 = malicious automation). Eases the login experience for the legitimate user. A vast improvement over “Remember Me” features and captchas. Reduces login friction via session extension.
  • 62. Easy integration with existing F5 infrastructure: the iApp template can be used to inject the JS and route API calls. Minimal configuration required. JS injection and the API call both happen as first-party.
  • 63. Integrates seamlessly with BIG-IP APM policies: feed Application Traffic Insights into APM and implement a risk-based authentication system.
  • 64. Empowers SecOps and NetOps to identify anomalous activities and mitigate login friction / credential stuffing attacks: session hijacking; unusual devices accessing user accounts; bad actors spoofing their environment; deliberate use of proxy networks; a single device accessing unauthorized accounts.
  • 65. Enterprise Mobility Management (EMM)
  • 66. Enterprise Mobility Gateway (EMG): ensure devices connect securely and adhere to a security posture baseline, regardless of ownership; reduce the risk of malware infecting the corporate network from corporate or personal mobile devices. (Diagram: a Finance user on a device running Windows, Chrome, or Safari reaches the App Store, HR, Purchasing, and Finance applications through the gateway, which asks “managed device?” of the MDM/EMM and authenticates against an AAA server (RADIUS).)
  • 67. Virtual Application Access
  • 68. Simplifying virtual application access. (Diagram: users authenticate against an AAA server and reach virtual desktops (VDI) on hypervisors through Horizon, Microsoft RDP, and Citrix Virtual Apps and Desktops / Citrix StoreFront.)
  • 69. F5 BIG-IQ and BIG-IP APM
  • 70. BIG-IQ: SecOps-focused functionality. BIG-IQ is the source of truth, an easy audit point, and centralized management for a security services catalog, an app delivery services catalog, device management, F5-authored templates, ADC & security dashboards, and automated workflows. It provides consistent, API-driven deployment and configuration to app environments (on-prem, cloud 1, cloud 2) and collects application and network performance telemetry and security telemetry. Security roles (SecOps) cover security policy development and deployment: create and augment WAF policies; detect and respond to threat profiles; manage security holistically, including bot detection, DDoS, access policies, and network firewalls.
  • 71. F5 BIG-IQ centralized management holistically controls and manages application access: simplifies BIG-IP APM management by managing and configuring large collections of application access and security policies from one portal; provides deep visibility into application access and usage; enables security administrators to centrally create, manage, and deploy access policies across BIG-IP APM deployments.
  • 72. Guided configuration of services. Customer challenges: administrators are challenged to learn and master various control applications; configuration errors can impact user experience and security. F5 solution: F5 APM Guided Configuration enables administrators to confidently and quickly set up Identity Aware Proxy services, reducing training overhead, ensuring correct security check setup, speeding application deployment, and easing integration with IDaaS solutions.
  • 73. Summary
  • 74. Summary: what makes F5 BIG-IP Access Policy Manager different. BIG-IP APM is the industry’s highest-performance, secure access management solution. BIG-IP APM enables secure access and single sign-on (SSO) to ANY application, regardless of its location or authentication support. BIG-IP APM delivers end-to-end secure access, application visibility, and application security with granular authorization based on a Zero Trust operational model. Best-in-class access proxy; robust integration with ecosystem vendors; continuous, increased granular traffic control.
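The five-step identity-aware-proxy flow on slides 41 and 43 (intercept, device posture, authentication, risk lookup via HTTP Connector, allow and pass identity to the app) modelled as an added Python example. This is not F5 code and uses no BIG-IP API; the posture baseline, blocked network, risk thresholds, header names and sample UEBA scores are all constructed for the illustration. It also adds one check a practitioner would want that the slides leave implicit: the proxy discards any identity headers the client sent, otherwise header-based SSO can be spoofed from the outside.

```python
"""Per-request identity-aware proxy decision (added illustration, not F5 code).

Models the five-step flow the deck describes: the proxy intercepts the
request, checks device posture, requires an authenticated session, asks a
risk engine for context (the HTTP Connector step), then allows the request
and passes the user identity to the application as headers.  All names,
thresholds, networks and sample scores below are constructed for the
example and are not BIG-IP configuration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Hypothetical posture baseline every request must satisfy (constructed).
POSTURE_BASELINE = {"os_patched": True, "disk_encrypted": True, "av_running": True}

# Hypothetical networks from which access is halted outright, e.g. a known
# anonymizing proxy range (constructed; RFC 5737 documentation prefix).
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Hypothetical risk bands on a 0-100 score returned by the risk engine.
STEP_UP_RISK = 40   # at or above: require MFA before allowing
DENY_RISK = 70      # at or above: deny

# Headers the proxy uses to pass identity downstream (header-based SSO).
# The client must never be allowed to supply these itself.
IDENTITY_HEADERS = ("X-Remote-User", "X-Remote-Groups")

# Constructed stand-in for the risk engine's answers, keyed by (user, device).
SAMPLE_RISK_SCORES = {
    ("alice", "dev-a1"): 5,     # usual user on her usual device
    ("bob", "dev-b7"): 55,      # unfamiliar device: step up to MFA
    ("mallory", "dev-m0"): 95,  # credential-stuffing pattern: deny
}


@dataclass
class Request:
    path: str
    client_ip: str
    device_id: str
    device_posture: Dict[str, bool]
    user: Optional[str] = None          # None until AAA / IdP has authenticated
    groups: Tuple[str, ...] = ()
    mfa_done: bool = False
    headers: Dict[str, str] = field(default_factory=dict)


def posture_ok(posture: Dict[str, bool], baseline: Dict[str, bool]) -> bool:
    """Every baseline attribute must be reported and must match."""
    return all(posture.get(key) is want for key, want in baseline.items())


def risk_lookup(user: str, device_id: str) -> int:
    """Stand-in for the REST call an HTTP Connector would make.
    Unknown user/device pairs are treated as step-up worthy, not trusted."""
    return SAMPLE_RISK_SCORES.get((user, device_id), STEP_UP_RISK)


def evaluate(req: Request) -> dict:
    """Decide one request: deny / redirect_idp / step_up_mfa / allow."""
    # Step 1: intercept.  Drop any identity headers the client sent, otherwise
    # a forged X-Remote-User would reach a header-based SSO application.
    forwarded = {k: v for k, v in req.headers.items() if k not in IDENTITY_HEADERS}

    # Step 2: device state, checked on every request rather than only at login.
    if not posture_ok(req.device_posture, POSTURE_BASELINE):
        return {"action": "deny", "reason": "device posture below baseline"}
    if any(ipaddress.ip_address(req.client_ip) in net for net in BLOCKED_NETWORKS):
        return {"action": "deny", "reason": "client network not permitted"}

    # Step 3: no authenticated session yet -> send the user to AAA / IdP.
    if req.user is None:
        return {"action": "redirect_idp", "reason": "no authenticated session"}

    # Step 4: extra context from the risk engine (the HTTP Connector call).
    score = risk_lookup(req.user, req.device_id)
    if score >= DENY_RISK:
        return {"action": "deny", "reason": f"risk score {score}"}
    if score >= STEP_UP_RISK and not req.mfa_done:
        return {"action": "step_up_mfa", "reason": f"risk score {score}"}

    # Step 5: allow, and pass identity to the application.
    forwarded["X-Remote-User"] = req.user
    forwarded["X-Remote-Groups"] = ",".join(req.groups)
    return {"action": "allow", "reason": "policy satisfied", "upstream_headers": forwarded}
```

The ordering matters: posture and network checks run before the session check so a non-compliant device is refused even when it holds a valid session, and the risk lookup runs on every request, which is what makes the access per-request rather than per-session.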

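Slides 49 and 50 describe importing an OpenAPI 3.0 file and deriving paths, a per-request policy and an authorization macro from it, with quotas, allow-lists and deny-lists applied to API requests. The following added Python example (not F5 code, and not how BIG-IP APM implements its import) shows the shape of that logic on a constructed spec: one rule per path and method, the scopes each operation declares enforced per request, and network lists and a per-client quota applied on top. The spec, token URL, networks and client names are constructed.

```python
"""Per-path API access rules from an OpenAPI 3.0 document (added illustration,
not F5 code and not how BIG-IP APM implements its import).

Shows the shape of what the deck lists: the imported spec yields one rule per
path and method, a per-request check enforces the scopes each operation
declares, and deny-lists, allow-lists and a per-client quota apply on top.
The spec, networks and clients below are constructed for the example.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

HTTP_METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"}

# Constructed OpenAPI 3.0 document in its JSON-compatible form.  Operations
# without their own `security` inherit the document default; `security: []`
# declares an operation public.
OPENAPI_DOC = {
    "openapi": "3.0.3",
    "info": {"title": "orders", "version": "1.0"},
    "components": {"securitySchemes": {"oauth": {
        "type": "oauth2",
        "flows": {"clientCredentials": {
            "tokenUrl": "https://idp.example/token",   # hypothetical
            "scopes": {"orders:read": "read orders", "orders:write": "change orders"}}}}}},
    "security": [{"oauth": ["orders:read"]}],
    "paths": {
        "/orders": {
            "get": {"summary": "list orders"},
            "post": {"summary": "create order", "security": [{"oauth": ["orders:write"]}]},
        },
        "/orders/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True}],
            "get": {"summary": "fetch order"},
            "delete": {"summary": "cancel order", "security": [{"oauth": ["orders:write"]}]},
        },
        "/health": {"get": {"summary": "liveness", "security": []}},
    },
}


def path_regex(template: str) -> re.Pattern:
    """'/orders/{id}' -> ^/orders/([^/]+)$ ; literal parts are escaped."""
    literals = re.split(r"\{[^}]+\}", template)
    return re.compile("^" + "([^/]+)".join(re.escape(p) for p in literals) + "$")


# A rule is (path regex, METHOD, alternatives); each alternative is the set of
# scopes one OpenAPI security requirement demands (OR across alternatives,
# AND within one).  An empty alternatives list means no authentication needed.
Rule = Tuple[re.Pattern, str, List[Set[str]]]


def compile_rules(doc: dict) -> List[Rule]:
    default_security = doc.get("security", [])
    rules: List[Rule] = []
    for template, item in doc["paths"].items():
        rx = path_regex(template)
        for key, op in item.items():
            if key.upper() not in HTTP_METHODS:     # skip "parameters", "summary", ...
                continue
            alternatives = [set(s for scopes in req.values() for s in scopes)
                            for req in op.get("security", default_security)]
            rules.append((rx, key.upper(), alternatives))
    return rules


class ApiGuard:
    """Per-request enforcement in the order a proxy would apply it."""

    def __init__(self, doc: dict, quota: int,
                 allow_cidrs: Iterable[str] = (), deny_cidrs: Iterable[str] = ()):
        self.rules = compile_rules(doc)
        self.quota = quota                          # requests per client (constructed scale)
        self.allow = [ipaddress.ip_network(c) for c in allow_cidrs]
        self.deny = [ipaddress.ip_network(c) for c in deny_cidrs]
        self.counts: Dict[str, int] = defaultdict(int)

    def check(self, method: str, path: str, client_ip: str,
              client_id: str, scopes: Optional[Set[str]]) -> Tuple[int, str]:
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.deny):
            return 403, "client in deny-list"
        if self.allow and not any(ip in net for net in self.allow):
            return 403, "client not in allow-list"
        # Positive model: only operations present in the spec are reachable.
        matched = [r for r in self.rules if r[0].match(path)]
        if not matched:
            return 404, "path not in OpenAPI document"
        rule = next((r for r in matched if r[1] == method.upper()), None)
        if rule is None:
            return 405, "method not in OpenAPI document"
        alternatives = rule[2]
        if alternatives:
            if scopes is None:
                return 401, "bearer token required"
            if not any(alt <= scopes for alt in alternatives):
                return 403, "insufficient scope"
        # Quota counts only requests that passed every other check.
        self.counts[client_id] += 1
        if self.counts[client_id] > self.quota:
            return 429, "quota exceeded"
        return 200, "ok"
```

Two design points carry over to any real deployment: anything not in the spec is rejected before authentication (a positive security model, which is why the imported file must be the current one), and the quota is charged only to requests that already passed the scope check, so unauthenticated probing cannot exhaust a legitimate client's allowance.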
Editor's Notes

  • #2: Today, it’s clear that every business is in the customer experience business. Organizations around the world agree that their primary objective—and the best way to grow their business—is to continuously refine how to best serve their customers and users. And more and more, those relationships start and are nurtured digitally through applications. • Utilities enabling customers to take control of their energy usage. • Online retailers offering personalized experiences based on preference and behavior. • Government agencies streamlining engagement to better serve users. • Energy companies racing toward innovation to deliver better and safer products to their customers. • Even Microsoft—with a dominant share of the productivity market—is adding new customizable capabilities like My Analytics to help users get more time back in their days. In fact, you could argue that Starbucks isn’t even fundamentally a coffee retailer; it’s a technology company that nurtures customer relationships through the experience of coffee.
  • #3: Customers and users expect a lot from the organizations they interact with. Personalized experiences. Secure transactions. Apps that are speedy, reliable, and always on. If you deliver on those promises, odds are your customers are going to be happy—and they’re going to tell their family and friends about it. 79% of consumers say that they’ve discovered new products and services online. But their expectations are high: 78% are demanding financial compensation like discounts or coupons for poor digital experiences. And 1 in 3 will leave a brand that they love because of a SINGLE bad experience.
  • #4: Everyone in your organization wants to deliver value to customers and partners. Your developers want to move fast using their cloud and pipeline tools of choice, innovate quickly, and get rapid feedback from their applications. Your infrastructure team knows that customers will not tolerate a poor experience, and that reliability, performance, and low latency are non-negotiable. And your security team must protect your company and customer assets at all costs. But what’s getting in the way of you delivering those personalized experiences is a very complex landscape of digital transformation, hyper-speed development, and ever-expanding threat surfaces. Every day it gets more and more challenging to support those critical applications that deliver a great customer experience. [Complex app portfolios] While aspiring to digitally transform, many organizations are stuck somewhere between the old world and the new world—classic monolithic and three-tier architectures alongside cloud-native architectures. We like to call this the “messy middle” and it’s the reality for most companies today. Unsurprisingly, managing this mix of old and new is a significant challenge. At their core, these struggles are the classic tales of silos leading to a lack of visibility. [Lack of visibility] One of the reasons people love the Domino’s Pizza app is the visibility it provides into your order. You can track the entire process: when they’re preparing it, when it’s in the oven, in a box, in the car. The next thing you know, a steaming hot pizza is at your front door. And yet while we can create such visibility into the pizza delivery lifecycle, companies of all shapes and sizes cannot attain the same level of transparency and visibility for their most valuable assets: their applications. [Evolving security threats] And these applications have become the focal point for cybercriminals, costing businesses more than $100 billion a year and disrupting the customer experience. The result of all these challenges is that organizations struggle to deliver, scale, and secure their applications, potentially leading to diminished business success and damaged customer relationships.
  • #5: We see a future where an application, like a living organism, will naturally adapt based on the environment. It will grow, shrink, defend, and heal itself as needed. The combination of application services, telemetry, and automation will enable it to become an adaptive application. Ultimately, adaptive applications will deliver increased revenue, reduced cost, and better protection for application owners. We have been sharing this vision with our customers over the last several quarters and the feedback has been resoundingly positive. Our vision strongly aligns with where enterprises see the greatest opportunities for their applications and their businesses. Through our organic and inorganic investments, we are well on our way to delivering this vision for customers. Here’s how we’re doing it:
  • #6: Let’s start with the concept of an application data path. An application data path is the pathway through which application traffic flows to reach an end user—from the application business logic (which could be hosted in a data center) to the end user (a person who is seeking to access the application). To illustrate this concept, pick your favorite mobile application. One of my favorites is the Starbucks app. Let's say that the application business logic is hosted somewhere near the Starbucks headquarters, just south of downtown Seattle. So that's sitting in a data center, and the end user—in this instance let’s say it’s you!—you’re walking out your front door trying to order coffee. You're on your mobile phone accessing an application which is sitting in a data center. So all the application traffic caused by your coffee order flows along this application data path.
  • #8: And application services include capabilities that span application security as well as application delivery.
  • #9: To deliver engaging user experiences, many things need to happen between the application’s business logic and the user. The application needs to scale as usage increases; it needs to be protected from attacks; and its availability must be maintained to meet end-user expectations. These are elements that are typically not in the functional requirements of the application and typically not addressed when the application was built. DevOps and site reliability engineering can help address these non-functional requirements. However, non-functional requirements are becoming more complex as the number of microservices-based applications increases. Furthermore, business applications are increasingly distributed over a multi-cloud environment. They often have multiple generations of application architecture components in them, namely 3-tier, web, mobile, microservices, and even serverless. This creates the need for application services, such as ingress controller, API gateway, load balancer, web application firewall, etc., which need to be injected in a standard way between the application business logic and the end user. Application services help applications operate securely at scale. And distributed application services enable fast and secure digital customer experiences.
  • #10: And so our customer value proposition is quite simple: F5 powers applications from development through their entire life cycle so that you can deliver differentiated, high-performing, and secure digital experiences.
  • #14: Zero Trust is not a new concept. Forrester Research began recommending the Zero Trust security model back in 2010. But it’s a concept that’s more relevant and important today than ever. Zero Trust eliminates the idea of a trusted network inside a defined perimeter. Today, you must apply least-privilege user access and scrutinize it as much as possible, assume attackers are already on the network and hiding in it, and get more context and visibility from the control points.
  • #15: To enable Zero Trust, organizations must abandon the “Trust, but Verify” approach and now adhere to these three principles: Never trust Always verify Continuously monitor --------------------------------------------- Never Trust Users even if they have been granted access through (what’s left of) perimeter security to the network, or to other apps. Always Verify Users’ identity, device, location, and other contextual parameters upon access attempts to every app. Continuously Monitor Users’ device, location, network access, and other variables at app access and throughout their app session, ensuring security.
  • #16: While no vendor can provide everything needed for Zero Trust, F5 can add value with our robust application security portfolio and secure the new control points in a Zero Trust architecture. In our view, these are the four control points that need to be secured: the endpoints that will be accessing the applications; the applications themselves (whether in the cloud, on-premises, or SaaS-based); the identity service; and the network infrastructure.
  • #17: So how does F5 help to secure each control point? For the endpoints accessing applications, our trusted app access solutions provide modern authentication for all apps. For the identity service control point, we have deep partnerships with Microsoft, Okta, and Ping. By integrating our trusted app access solutions with these Identity-as-a-Service (IDaaS) providers, we help to bridge the identity gap between cloud-based, SaaS, and mission-critical and custom applications to offer a unified, secure access experience for users. For the network infrastructure, we have application infrastructure security solutions to help protect the network. For the applications, we offer application layer security solutions that provide security at or near the application and protect the application stack (from layer 4 through 7).
  • #18: Here are the four F5 security solution areas (Trusted App Access, App Infrastructure Security, App Layer Security, Fraud) to help you deploy a Zero Trust model.
  • #20: Trusted App Access is about preventing unauthorized access to applications since they are critical to protecting your intellectual property and your data.
  • #21: Trusted application access is about tying application access to your organization's identity strategy. F5 provides simplified access to legacy applications, such as classic or custom applications that do not or cannot support modern authentication, by tying them to modern identity services that use SAML, OAuth and OIDC. This could be Microsoft Azure Active Directory, Okta, and other IDaaS services. F5 enables classic and custom applications with single sign-on and multi-factor authentication, enhancing the user experience, increasing application security, and simplifying administration. Plus, F5 delivers per-request application access, rather than the per-session access available with SSL VPNs, through an Identity Aware Proxy, leading to Zero Trust Application Access. F5 also supports multiple access use cases, including SSL VPN and IAP, as well as protecting API access. F5 simplifies user access to multi-cloud applications using application metadata. And we also provide continuous endpoint security posture assessments, and the ability to terminate a user's application access (because access is granted per request) should their endpoint fail an integrity assessment. This also helps provide enhanced visibility and troubleshooting capabilities.
  • #22: Context-aware policy enforcement: more comprehensive and granular than simply relying on user identity, group membership, endpoint conditions or geo-location. Access control over third-party SaaS: enables authenticated user access to authorized web and SaaS applications (via SAML 2.0). Brings visibility and control together. Simplified policy management: the GUI-based Visual Policy Editor (VPE) makes it easy to design and manage granular access control policies on an individual or group basis.
  • #23: Organizations struggle to manage and control employee web surfing and Internet application use: potential malware, data leakage, loss of productivity, and corporate compliance policy for acceptable Internet use. Visibility into web and network traffic is vital to mitigate leakage of sensitive or confidential corporate information, and unproductive content and Internet apps waste network bandwidth and overwhelm the network. There is a need to protect all users, from all locations, on all devices. The solution leverages APM to incorporate and apply context-aware access policies and security, with a centralized point for all access policy creation and management.
  • #24: Add-on module for the BIG-IP family (for BIG-IP platforms, e.g. 3600, 3900, 6900, 6900 FIPS, 8900, 8950 and 11050; available as an add-on module for BIG-IP LTM). Access profile for local traffic virtual servers (very simple configuration to add an access policy to an LTM virtual server: just select an access profile from the pull-down menu on the LTM virtual server configuration page. The rest of the access policy is configured under the Access Control left-hand menu, where AAA servers are configured, ACLs and ACEs are defined, and the VPE is used to create the visual policy). APM policy engine (the advanced policy engine behind the APM add-on for BIG-IP). Industry-leading Visual Policy Editor (VPE) (see screenshot; the next generation of the visual policy editor that was a big selling point for FirePass. Others, e.g. Cisco, have started trying to copy it but are years behind in this area). VPE rules (Tcl-based) for advanced policies (ability to edit the iRules-like Tcl rules behind the VPE directly, for advanced configurations, or to create all-new rules for custom deployments. Tight integration between the VPE rules and TMM iRules, e.g. the ability to drive access policies from TMM iRules, and access policies raising new iRules events). Endpoint security: more than a dozen different endpoint security checks available (a large number of agents, e.g. virtual keyboard, antivirus and firewall checks, process, file and registry checks, extended Windows info, client and machine certificates, etc.). Manage endpoints via Group Policy enforcement and Protected Workspace (endpoint remediation capabilities such as Protected Workspace and FullArmor-based AD policy enforcement, in addition to Cache Cleaner, redirects to remediation pages, and message and decision boxes).
Authentication and authorization: flexible authentication and authorization via client certificates, AD, LDAP, RADIUS and RSA SecurID agents (a broad array of authentication, authorization and accounting capabilities, including RADIUS accounting). Access control: high-performance dynamic layer 4 and layer 7 (HTTP/HTTPS) ACLs (a role/user-based access control engine built directly into TMM via HUD filters. Supports dynamic assignment and enforcement of layer 4 ACL/firewall capabilities, and now dynamic layer 7 HTTP/HTTPS URL-based access controls; high-performance because it is built directly into the data plane).
  • #27: Though it seems organizations are willing to deploy multi-cloud applications without first solving performance, they aren't willing to let it stay that way. SD-WAN and optimizations may be the response to the challenge of multi-cloud performance.
  • #28: Remote access and application access challenges: enabling secure remote access to corporate resources from any network and any device; ensuring secure and fast application performance for remote users; and protecting network resources, applications and data from malware, theft or compromise, and from rogue and unauthorized access.
  • #32: One of the reasons credential attacks are so prevalent today is that they are so successful, and one of the reasons they are so successful is that applications today reside anywhere and are accessible from everywhere. That is not going to change anytime soon, either. According to a McKinsey & Co. report and survey commissioned by IBM, with figures verified by Microsoft, 80% of enterprise workloads remain on premises today, even with the surge in migrating applications to the cloud; so, for the foreseeable future, applications and access to them are going to be complex and difficult to secure. Employing cloud, SaaS and on-premises apps presents new authentication and security challenges: multiple points and methods of user authentication; separate systems for IT / network administrators to manage access and security policies; and enforcement of secure authentication policies for mission-critical on-premises apps that may not support modern authentication methods. Many mission-critical applications live on-premises, may lack the ability to be migrated to a new or current standard or platform such as the cloud, and may not support modern authentication and authorization methods. The ubiquitous nature of apps and access to them creates an access and security nightmare for AppDev, SecOps, and security executives everywhere, in every organization. Applications that can reside nearly anywhere increase the risk of human error, credential theft and attack, and account takeover (ATO), and expand the threat landscape and the attack surface.
  • #35: F5 BIG-IP APM and Microsoft Azure Active Directory (AD) together address the authentication and security challenges presented by mission-critical, on-premises (classic), and custom applications. They centralize user authentication (SSO); provide a single, consolidated system for IT / network administrators to manage enhanced access and security policies; enforce and centralize secure, modern authentication policies for all apps, wherever they are located (cloud (IaaS), SaaS, or on-premises); and simplify management of cloud-based access to mission-critical, on-premises and custom applications.
  • #38: Employing cloud (IaaS), SaaS and on-premises apps presents new authentication and security challenges: multiple points and methods of user authentication; separate systems for IT / network administrators to manage access and security policies; enforcement of secure authentication policies for mission-critical on-premises apps that may not support modern authentication methods; and adopting cloud while still maintaining mission-critical on-premises (legacy) apps. Many mission-critical applications live on-premises, may lack the ability to be migrated to a new or current standard or platform such as the cloud, and may not support modern authentication and authorization methods.
  • #41: BIG-IP APM includes Identity Aware Proxy, which enables Zero Trust application access through its identity- and context-aware access policies, its per-request application access capabilities, and its ability to continuously monitor the contextual parameters that feed into those policies. F5 APM validates every request against user identity / operational role, device posture, multi-factor authentication, step-up authentication, and integration with IDaaS (e.g. Azure AD, Okta, Ping). Transaction logs can be found within F5 APM and/or BIG-IQ, and in third-party applications.
  • #43: Identity Aware Proxy focuses on identity and access at the application layer, rather than at the network layer. Identity and authorization are centralized and based on the principle of least-privilege access. It provides authenticated and authorized secure access to specific applications through a proxy layer. With the IAP approach, application requests may be terminated, examined or re-examined, and authorized. IAP relies on application-level access controls, not firewall rules: configured policies reflect user and application intent, not ports and IP addresses. IAP requires a trusted root of identity to authenticate (verify) users and their devices and to determine what they are authorized to access (authorization); this is identity-aware access. The identity source can be an on-premises user directory or a cloud-based Identity Provider (IdP), such as identity-as-a-service (IDaaS). It also requires context-aware access, based on an ever-increasing set of user, device, and other parameters, which can include day, time of day, user location, device authority and type, continuous device integrity checks, and more. To ensure devices meet a security baseline before users are authenticated and their app access authorized, devices are posture checked; continuous, ongoing posture checking ensures that user devices stay compliant throughout their application session. The F5 Access Guard web browser extension provides fast, continuous verification of desktops' adherence to security posture. IAP can also help organizations with cloud migration by allowing a systematic, step-by-step approach to migrating apps to the cloud, while still ensuring modern authentication methods, like SSO and MFA, even for apps that cannot be moved to the cloud and do not support modern authentication standards such as SAML. IAP, and APM, deliver a single layer of access control and security to manage.
It also provides a single control point for managing user access to apps, wherever they reside. And, finally, it delivers Zero Trust Application Access, reducing the need for cumbersome VPNs that grant broad network access for the duration of a session.
  • #48: (Source: Apigee.) Mapping API security capabilities to F5 components: built-in privacy, OAuth and authorization → APM; threat protection (OWASP Top 10) → ASM; visibility and governance (visibility into which data is accessed) → analytics; surge and spike arrest → iRules.
  • #49: APIs are definitely targets. F5 Labs is tracking API incident trends and it's getting worse. There are many reasons why this is trending the wrong way. Certainly, the mass proliferation of APIs means there are so many more targets. What is also very interesting is that APIs are often not under the purview of the security teams, meaning that exposed APIs can be completely unknown to the organization's security staff. This takes us back to the question I asked earlier: how can we help our customers better secure their APIs? The answer is that security needs to be integrated into the API lifecycle.
  • #50: OWASP Top 10 exploits (XSS, tampering, RCI, data manipulation)
  • #51: APIs are diverse, even within the same organization. They vary based on function, scale, and risk level. Some APIs handle sensitive or regulated data; some are exposed to the internet, others are internal only. There are three common controls that all APIs need: management, access control, and threat defense. However, the API use case drives the logical design for the API and also determines the security controls needed as well as the deployment patterns. F5 has published some verified designs on DevCentral that provide blueprints for a range of deployment patterns, for example a design for APIs with highly regulated data, a design for distributed architectures, and several others. Multiple use cases across many industries map to patterns that satisfy those use cases; all of these patterns may be active in the same enterprise, and the patterns share common controls: use cases → patterns → common controls (security, management, gateway). Patterns help you determine where and how these controls are deployed.
  • #58: Application Traffic Insights (formerly Device ID +)
  • #59: As I mentioned earlier, the applications behind a corporate portal and the data within an application are like cash to an attacker. The more sophisticated their methods of disguise become, the better our defenses have to be. There needs to be a reliable way to determine if a user is truly a REAL user: Is this so-called user a human? Are they good, or bad? To be even clearer – is this a legitimate user trying to get their work done? Is it an automated access attempt by a non-human entity? Or is it an attacker with malicious intent?
  • #60: An accurate device identifier helps detect the evasive movements and behaviors attackers use today. For instance, use of a VPN, when combined with factors like ASN, origin time zone, and the volume of data being transferred, can be suspicious and an indicator of malicious behavior.
  • #61: Application Traffic Insights is a JavaScript tool that can be deployed alongside existing infrastructure in an environment. It collects data from different sources (software, hardware, browser, and more) and collates the signals into a unique identifier that distinguishes new devices from devices that have visited before. It leverages signals from the leading anti-fraud, anti-bot solution, Shape Enterprise Defense. The Application Traffic Insights JavaScript is injected on every web page and app, and an API in the JavaScript calls the Application Traffic Insights service. Two identifiers are provided: a residue-based identifier, derived from residues dropped on the user's browser, and an attribute-based identifier, derived from attributes of the user's browser (plugins, screen size, etc.). The two main problems with other device identifiers are collision and division: collision is when two or more devices are assigned the same identifier; division is when one device is assigned two or more identifiers. The underlying machine learning modules in Application Traffic Insights link identifiers together for a single device, reducing both collision and division. Once the two IDs are established and sent back to a customer's origin servers, existing information on the device can be combined with what has already been gathered to determine whether an access attempt comes from an existing or a new device. Application Traffic Insights can also help uncover security issues, especially if a customer sees one account being accessed by many different devices, which can indicate a problem.
  • #62: Why is Application Traffic Insights superior to existing device identifiers? With existing identifier solutions like traditional cookies, it is extremely unlikely for more than one device to have the same cookie value, but very likely for one browser to receive more than one device identifier value (division). Traditional browser fingerprinting changes too frequently, and it is very likely for two or more browsers to get the same device identifier value (collision). Application Traffic Insights includes a high-efficacy signal set, based on intensive R&D efforts, that ensures a high-quality device identifier; provides a highly available identifier, since it is easily deployed on all flows; and is easily enabled by JavaScript injection leveraging existing F5 or Shape infrastructure.
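To make the collision and division terms in the last two notes concrete, here is an added Python example (not Shape or F5 code) that scores three identification strategies on a constructed stream of visits: a residue-only identifier, an attribute-only fingerprint, and a combined one. The linking rule in the combined strategy (re-attach a cookie-less visit to a known device only when its fingerprint maps to exactly one device and the client IP matches that device's last visit) is a hypothetical stand-in for the machine-learning linking the notes describe; the device names, attributes and IPs are all constructed.

```python
"""Collision and division for three device-identification strategies.

Added example, not F5 or Shape code. Each visit carries the residue token the
browser returns (None when storage is empty), a dict of browser attributes,
and the client IP. Ground truth (which physical device made the visit) is
used only to score the strategies afterwards.
"""
import hashlib
import itertools
from collections import defaultdict


def attribute_id(attrs):
    """Attribute-based identifier: a stable hash over sorted browser attributes."""
    canonical = "|".join(f"{k}={v}" for k, v in sorted(attrs.items()))
    return "fp-" + hashlib.sha256(canonical.encode()).hexdigest()[:12]


class Identifier:
    """Server side: assigns a device id per visit and mints residue tokens."""

    def __init__(self, strategy):
        assert strategy in ("cookie", "fingerprint", "combined")
        self.strategy = strategy
        self.by_residue = {}              # residue token -> assigned id
        self.by_attr = defaultdict(set)   # attribute id -> assigned ids seen with it
        self.last_ip = {}                 # assigned id -> client IP of its last visit
        self._ids = itertools.count(1)
        self._tokens = itertools.count(1)

    def identify(self, residue, attrs, ip):
        """Return (assigned id, residue token the browser should store)."""
        aid = attribute_id(attrs)
        if self.strategy == "fingerprint":
            assigned = aid
        else:
            assigned = self.by_residue.get(residue)
            if assigned is None and self.strategy == "combined":
                # Hypothetical linking rule standing in for the ML linker:
                # relink a cookie-less visit only when its fingerprint maps to
                # exactly one known device and the IP matches that device's
                # last visit. Ambiguous cases get a new id (a division is
                # cheaper than a collision).
                known = self.by_attr.get(aid, set())
                if len(known) == 1 and self.last_ip.get(next(iter(known))) == ip:
                    assigned = next(iter(known))
            if assigned is None:
                assigned = f"dev-{next(self._ids)}"
        token = residue if residue in self.by_residue else f"tok-{next(self._tokens)}"
        self.by_residue[token] = assigned
        self.by_attr[aid].add(assigned)
        self.last_ip[assigned] = ip
        return assigned, token


def simulate(strategy, events):
    """Replay ("visit", device, attrs, ip) / ("clear", device, None, None) events.
    Returns {true device: set of ids it was assigned}."""
    ident = Identifier(strategy)
    storage = {}                # true device -> token its browser currently holds
    seen = defaultdict(set)
    for kind, device, attrs, ip in events:
        if kind == "clear":
            storage.pop(device, None)   # user wiped cookies / local storage
            continue
        assigned, token = ident.identify(storage.get(device), attrs, ip)
        storage[device] = token
        seen[device].add(assigned)
    return dict(seen)


def score(seen):
    """(collisions, divisions): ids shared by >1 device, devices with >1 id."""
    owners = defaultdict(set)
    for device, ids in seen.items():
        for i in ids:
            owners[i].add(device)
    collisions = sum(1 for devs in owners.values() if len(devs) > 1)
    divisions = sum(1 for ids in seen.values() if len(ids) > 1)
    return collisions, divisions


# Constructed traffic: one laptop that clears cookies and then updates its
# browser, and a second laptop of the identical model and build.
LAPTOP_V100 = {"ua": "Chrome/100", "screen": "1920x1080", "plugins": "pdf", "tz": "-300"}
LAPTOP_V101 = {**LAPTOP_V100, "ua": "Chrome/101"}
EVENTS = [
    ("visit", "alice-laptop", LAPTOP_V100, "203.0.113.10"),
    ("clear", "alice-laptop", None, None),
    ("visit", "alice-laptop", LAPTOP_V100, "203.0.113.10"),
    ("visit", "alice-laptop", LAPTOP_V101, "203.0.113.10"),
    ("visit", "bob-laptop", LAPTOP_V101, "198.51.100.7"),
    ("visit", "bob-laptop", LAPTOP_V101, "198.51.100.7"),
]

if __name__ == "__main__":
    for strategy in ("cookie", "fingerprint", "combined"):
        print(f"{strategy:11} collisions, divisions = {score(simulate(strategy, EVENTS))}")
```

On this traffic the cookie-only strategy divides the first laptop into two identities after the cookie wipe, the fingerprint-only strategy both divides it after the browser update and collides it with the identical second laptop, and the combined strategy keeps one identity per device. The combined rule deliberately falls back to a new id whenever the fingerprint alone is ambiguous, which is the trade-off the real linker has to make with far richer signals.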
  • #63: Customers can feed Application Traffic Insights into their existing SIEM systems or other internal systems to identify different user groups and take appropriate security measures for each group.
  • #64: Application Traffic Insights automatically mitigates attempts by human attackers and automated attacks alike. Integrated with APM, it helps ease the login experience for all known, good users. Application Traffic Insights is superior to "Remember Me" and CAPTCHA, and it reduces login friction.
  • #65: Application Traffic Insights can be simply integrated with APM via an iApp template, which can automatically inject Application Traffic Insights’ JavaScript, and route its API calls. It requires minimal configuration.
  • #66: Application Traffic Insights also integrates simply with APM policies, enabling it to feed data into APM and implement risk-based authentication for F5 APM customers.
  • #67: Behaviors and the signals that surface them: deliberate use of proxy networks → sudden fluctuations in IPs; unusual devices accessing user accounts → sudden fluctuations in devices per user; a single device accessing unauthorized accounts → sudden fluctuations in users per device; bad actors spoofing their environment → sudden fluctuations in user agent; session hijacking → sudden fluctuations per session identifier; login friction / credential stuffing attacks → sudden fluctuations in login success rate.
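The signals in this table, run as detection logic over constructed access events in an added Python example (not F5 code). The event fields, the thresholds and the baseline window are assumptions made for the example; the point is that each behavior reduces to a count of distinct values per key (devices per user, users per device, user agents per user, devices per session) plus a success-rate comparison against the previous window.

```python
"""Fan-out and rate signals for account-takeover and credential-stuffing detection.

Added example, not F5 code. Events are constructed access records (logins and
in-session requests); session is None when no authenticated session exists.
Each signal on the slide is a count of distinct values per key or a
success-rate change against the previous window. Thresholds are assumptions.
"""
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "ts user device ip ua session ok")


def fanout(events, key, value):
    """Map each distinct `key` field value to the set of `value` field values seen with it."""
    out = defaultdict(set)
    for e in events:
        k, v = getattr(e, key), getattr(e, value)
        if k is not None and v is not None:
            out[k].add(v)
    return out


def success_rate(events):
    """Fraction of events that were successful logins (1.0 for an empty window)."""
    return sum(1 for e in events if e.ok) / len(events) if events else 1.0


def detect(window, baseline, *, max_devices_per_user=2, max_users_per_device=2,
           max_ua_per_user=2, min_attempts=10, max_rate_drop=0.25):
    """Return (signal, subject, value) alerts for the current window."""
    alerts = []
    for user, devices in fanout(window, "user", "device").items():
        if len(devices) > max_devices_per_user:        # unusual devices on one account
            alerts.append(("unusual_devices_for_account", user, len(devices)))
    for device, users in fanout(window, "device", "user").items():
        if len(users) > max_users_per_device:          # one device spraying accounts
            alerts.append(("device_spraying_accounts", device, len(users)))
    for user, agents in fanout(window, "user", "ua").items():
        if len(agents) > max_ua_per_user:              # environment spoofing
            alerts.append(("user_agent_churn", user, len(agents)))
    for session, devices in fanout(window, "session", "device").items():
        if len(devices) > 1:                           # session id reused elsewhere
            alerts.append(("session_seen_from_multiple_devices", session, len(devices)))
    rate, base = success_rate(window), success_rate(baseline)
    if len(window) >= min_attempts and base - rate >= max_rate_drop:
        alerts.append(("login_success_rate_drop", round(rate, 2), round(base, 2)))
    return alerts


# Constructed previous window: five regular users, one device each, one failed login.
_USERS = ["alice", "bob", "carol", "dave", "erin"]
BASELINE = [
    Event(100 + i, u, f"dev-{u[0].upper()}", f"203.0.113.{10 + i}", "Chrome/101", f"s-{u}-0", i != 7)
    for i, u in enumerate(_USERS * 2)
]

# Constructed current window.
CURRENT = [
    Event(1000, "alice", "dev-A", "203.0.113.10", "Chrome/101", "s-alice-1", True),
    Event(1010, "alice", "dev-A", "203.0.113.10", "Chrome/101", "s-alice-1", True),
    # one scripted client trying eight accounts, one hit: credential stuffing
    *[Event(1020 + i, f"u{i}", "dev-bot", "198.51.100.7", "curl/7.68",
            f"s-u{i}-1" if i == 7 else None, i == 7) for i in range(8)],
    # carol's session id reappears from a second device: hijack indicator
    Event(1030, "carol", "dev-C", "203.0.113.20", "Safari/15", "s-carol-7", True),
    Event(1040, "carol", "dev-Z", "192.0.2.99", "Safari/15", "s-carol-7", True),
    # dave logs in from three devices with three user agents inside one window
    Event(1050, "dave", "dev-D1", "203.0.113.30", "Chrome/101", "s-dave-1", True),
    Event(1051, "dave", "dev-D2", "203.0.113.31", "Firefox/99", "s-dave-2", True),
    Event(1052, "dave", "dev-D3", "203.0.113.32", "Edge/100", "s-dave-3", True),
]

if __name__ == "__main__":
    for alert in detect(CURRENT, BASELINE):
        print(alert)
```

Each alert names the key it fired on, so the same output can be joined back to the APM session or fed to a SIEM as in the next note; the quiet baseline window produces no alerts, which is the check to run before tuning thresholds on real traffic.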
  • #69: So let's take a closer look at the mobile device BYOD use case. In this particular use case we have a user who works for a finance corporation trying to get to the CRM and finance servers. With the F5 APM access solution we are able to define a policy such that, even though we know the user is authenticated, belongs to us, and we know their role, we don't allow someone on a personal device to access the finance server. We have a policy in place that says this user must be accessing it from a corporate-owned device. An important thing to point out here is that whether it is a corporate-owned device or a personal device, this is purely a self-help model from the endpoint perspective: the end user visits an app store to download the F5 Edge Client onto the endpoint to access the network. So in this case we have a policy set up that says: we have authenticated the user and they belong to finance; however, they are not using a corporate-managed device, so we'll let them onto the network but only give them access to the CRM server. Alternatively, when the same user downloads the F5 Edge Client app onto a smartphone, authenticates, and we know that the user is in finance and is using a corporate-managed device, they are given access to the finance server as well as the CRM server. But in either case this user is never allowed to access the human resources server. In this way we can help with the BYOD case. Again, we can also check the status of that endpoint to determine whether it has been jailbroken, in the event that it is an iPhone.
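The BYOD decision just described, together with the per-request versus per-session distinction from the Identity Aware Proxy notes (#21, #41, #43), written out as an added Python example. This is illustrative code, not F5 APM's policy engine or anything the VPE produces; the resource table, the role names, the user, and the single posture check (a jailbreak flag) are assumptions made for the example.

```python
"""Per-request access decisions for the BYOD scenario.

Added example, not F5 APM code. A policy table maps each protected resource
to the roles allowed to reach it and whether a corporate-managed device is
required; device posture (here a single jailbreak flag) is re-checked on
every request, so a device that fails posture mid-session loses access on
its next request instead of keeping what it was granted at logon.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """What the proxy knows about the caller when a request arrives."""
    user: str
    role: str
    managed_device: bool
    jailbroken: bool


# Hypothetical resource table modelled on the slide: CRM from any finance
# device, the finance server only from managed devices, HR only for HR staff.
POLICY = {
    "crm":     {"roles": {"finance"}, "managed_only": False},
    "finance": {"roles": {"finance"}, "managed_only": True},
    "hr":      {"roles": {"hr"},      "managed_only": True},
}


def decide(ctx, resource):
    """Return (verdict, reason) for a single request. Any failed check denies."""
    rule = POLICY.get(resource)
    if rule is None:
        return "deny", "unknown resource"
    if ctx.jailbroken:
        return "deny", "device failed posture check (jailbroken)"
    if ctx.role not in rule["roles"]:
        return "deny", f"role {ctx.role!r} not authorized for {resource}"
    if rule["managed_only"] and not ctx.managed_device:
        return "deny", "corporate-managed device required"
    return "allow", "ok"


def per_session(requests):
    """SSL VPN style: decide once with the context captured at logon and
    reuse that verdict for every request in the session."""
    logon_ctx = requests[0][0]
    return [decide(logon_ctx, resource)[0] for _, resource in requests]


def per_request(requests):
    """Identity Aware Proxy style: every request is judged on its own,
    current context, so a posture change takes effect immediately."""
    return [decide(ctx, resource)[0] for ctx, resource in requests]


# Constructed contexts for one finance user on different devices.
FINANCE_PERSONAL = Context("pat", "finance", managed_device=False, jailbroken=False)
FINANCE_MANAGED = Context("pat", "finance", managed_device=True, jailbroken=False)
FINANCE_MANAGED_JB = Context("pat", "finance", managed_device=True, jailbroken=True)

# Constructed session: the managed phone is jailbroken partway through.
SESSION = [
    (FINANCE_MANAGED, "finance"),
    (FINANCE_MANAGED, "crm"),
    (FINANCE_MANAGED_JB, "finance"),  # posture changed, same logon session
    (FINANCE_MANAGED_JB, "crm"),
]

if __name__ == "__main__":
    for res in ("crm", "finance", "hr"):
        print(f"personal -> {res:8}", decide(FINANCE_PERSONAL, res))
        print(f"managed  -> {res:8}", decide(FINANCE_MANAGED, res))
    print("per-session:", per_session(SESSION))
    print("per-request:", per_request(SESSION))
```

The two evaluation modes share the same policy; the only difference is which context each request is judged against. With per-session evaluation the third and fourth requests are still allowed because the verdict was fixed at logon, while per-request evaluation denies them as soon as the jailbreak is reported, which is what the notes mean by terminating access when an endpoint fails its integrity assessment.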
  • #71: VDI / RDP: customers can improve the scale and reliability of their VDI / RDP deployments while also simplifying VDI infrastructure. Users benefit from SSO, a single namespace, acceleration, and a single user portal for both VDI and all other applications. Benefits: improved scale and reduced complexity of VDI/RDP deployments; SSO, single namespace, acceleration, and a single user portal; presenting OWA and VMware View next to Citrix apps in portal mode; improved scale and reliability; better user experience plus SSO; simplified deployment; and improved quality of real-time applications.