Cryptzone: The Software-Defined Perimeter
Download as PPTX, PDF1 like446 views
A Software-Defined Perimeter (SDP) is a dynamic network security model that establishes secure, identity-centric connections between users and applications, prioritizing authentication before connection. It utilizes a controller for authentication and policy management, alongside secure gateways, ensuring that only authorized users access protected resources through mutual TLS. This framework enhances security by eliminating the need for traditional network defenses and allowing for real-time policy enforcement and integration with other IT systems.
Cryptzone: The Software-Defined Perimeter
- 1. What is a Software-Defined Perimeter?
- 2. What is a Software-Defined Perimeter (SDP)? Simple. Secure. Dynamic. A new network security model that dynamically creates 1:1 network connections between users and the data they access 2
- 3. How Does a SDP Work? Software-Defined Perimeter Traditional TCP/IP Not Identity Centric – Allows Anyone Access Identity-Centric – Only Authorized Users “Connect First, Authenticate Second” “Authenticate First, Connect Second” 3
- 4. SDP Architecture • Controller is the authentication point, containing user access policies • Clients are securely onboarded • All connections based on mutual TLS connectivity • Traffic is securely tunneled from Client through Gateway 4 Protected Applications SDP Controller SDP Gateway (Accepting Host) SDP Client (Initiating host) PKI Identity Management Policy Model
- 5. SDP in Action 5 Protected Applications AppGate Controller AppGate Gateway AppGate Client Control Channel Encrypted, Tunneled Data Channel
- 6. SDP in Action 6 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console 1 Protected Applications AppGate Controller AppGate Gateway AppGate Client Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
- 7. SDP in Action 7 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console Gateways protect cloud and network resources Application network traffic passes through Gateway 1 2 Protected Applications AppGate Controller AppGate Gateway AppGate Client 2 Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
- 8. 3 SDP in Action 8 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console Gateways protect cloud and network resources Application network traffic passes through Gateway Clients securely onboarded, authenticate to Controller, communicate with mutual TLS 1 2 3 Protected Applications AppGate Controller AppGate Gateway AppGate Client 2 Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
- 9. 4 3 SDP in Action 9 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console Gateways protect cloud and network resources Application network traffic passes through Gateway Clients securely onboarded, authenticate to Controller, communicate with mutual TLS Clients access resources via Gateway • Mutual TLS tunnels for data • Real-time policy enforcement by Gateway 1 2 3 4 Protected Applications AppGate Controller AppGate Gateway AppGate Client 2 Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
- 10. 4 3 SDP in Action 10 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console Gateways protect cloud and network resources Application network traffic passes through Gateway Clients securely onboarded, authenticate to Controller, communicate with mutual TLS Clients access resources via Gateway • Mutual TLS tunnels for data • Real-time policy enforcement by Gateway Controller can enhance SIEM and IDS with detailed user activity logs Controller can query ITSM and other systems for context and attributes to be used in Policies 1 2 3 4 5 Protected Applications AppGate Controller AppGate Gateway AppGate Client 2 Integration with other IT and Security Systems 5 SIEM IDS ITSM Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
- 11. All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller ProjectX Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions Descriptive Entitlements
- 12. All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller Identity provider Y Client will authenticate to controller • Check for an Identity claim ProjectX • Launch a script to collect AV state • Send matching entitlements to client ProjectX Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions 12 Descriptive Entitlements 1
- 13. All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller Identity provider Y Client will authenticate to controller • Check for an Identity claim ProjectX • Launch a script to collect AV state • Send matching entitlements to client Client connects to Gateway • Brings the descriptive entitlement: • SSH access to AWS://tag:SSH=*ProjectX* ProjectX Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions 13 Descriptive Entitlements 1 2
- 14. All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller Cloud API Identity provider Y Client will authenticate to controller • Check for an Identity claim ProjectX • Launch a script to collect AV state • Send matching entitlements to client Client connects to Gateway • Brings the descriptive entitlement: • SSH access to AWS://tag:SSH=*ProjectX* Gateway connects to local cloud API • What are the instances that have a tag with Key SSH and Value containing ProjectX • Translate it to IP access rules ProjectX ProjectX2 Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions 14 Descriptive Entitlements 1 2 3
- 15. All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller Cloud API Identity provider Y Client will authenticate to controller • Check for an Identity claim ProjectX • Launch a script to collect AV state • Send matching entitlements to client Client connects to Gateway • Brings the descriptive entitlement: • SSH access to AWS://tag:SSH=*ProjectX* Gateway connects to local cloud API • What are the instances that have a tag with Key SSH and Value containing ProjectX • Translate it to IP access rules Detect changes • Update IP access rules again ProjectX ProjectX2 Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions 15 Descriptive Entitlements 1 2 3 4
- 16. Summary 16 Utilizes an authenticate first approach Removes attacks including zero day, DDOS and lateral movement The Cloud Fabric can now be extended all the way to the user and device Leverages legacy applications by extending the SDP Architecture No longer need traditional network defense equipment (Firewall, VLAN, VPN, etc.) • Identity-centric security • Policies on user and cloud instances Identity-Centric Network Security
- 17. To Learn More View Why a Software-Defined Perimeter
Editor's Notes
- #4: New slides
- #5: Secure military networks Controller is the authentication point typically linked with one or more Identity providers Controller contains descriptive user access policies define access to applications Clients are securely onboarded All connections based on mutual TLS connectivity Traffic is securely tunneled from Client through Gateway to Protected Applications
- #6: Bring Controllers online Integration with Identity, Multi-Factor and PKI services Bring Gateways online Create a mutual TLS connection with Controller after SPA Do not acknowledge Communication from any other host Do not respond to any non-provisioned request Gateways are now in “stealth mode” Bringing Clients online Create mutual TLS connection to Controller after SPA Authenticate to Controller List of authorized Gateways determined for this Client Controller could contact remote services for context Controller creates a list of Gateways Translate your descriptive network entitlements into IP access rules by talking to local cloud API’s. All other apps remain invisible Upload the network entitlements to the matching sites by launching a micro private firewall instance and build an encrypted data tunnel to each one Accept communication from Client Controller instructs Gateways to accept communication from this Client Receive list of IP’s of SDP Gateways Initiating host receives a list of IP’s to connect to Set up mutual TLS Tunnels to transfer data after SPA Client can now connect to the proper applications
- #7: Bring Controllers online Integration with Identity, Multi-Factor and PKI services Bring Gateways online Create a mutual TLS connection with Controller after SPA Do not acknowledge Communication from any other host Do not respond to any non-provisioned request Gateways are now in “stealth mode” Bringing Clients online Create mutual TLS connection to Controller after SPA Authenticate to Controller List of authorized Gateways determined for this Client Controller could contact remote services for context Controller creates a list of Gateways Translate your descriptive network entitlements into IP access rules by talking to local cloud API’s. All other apps remain invisible Upload the network entitlements to the matching sites by launching a micro private firewall instance and build an encrypted data tunnel to each one Accept communication from Client Controller instructs Gateways to accept communication from this Client Receive list of IP’s of SDP Gateways Initiating host receives a list of IP’s to connect to Set up mutual TLS Tunnels to transfer data after SPA Client can now connect to the proper applications
- #8: Bring Controllers online Integration with Identity, Multi-Factor and PKI services Bring Gateways online Create a mutual TLS connection with Controller after SPA Do not acknowledge Communication from any other host Do not respond to any non-provisioned request Gateways are now in “stealth mode” Bringing Clients online Create mutual TLS connection to Controller after SPA Authenticate to Controller List of authorized Gateways determined for this Client Controller could contact remote services for context Controller creates a list of Gateways Translate your descriptive network entitlements into IP access rules by talking to local cloud API’s. All other apps remain invisible Upload the network entitlements to the matching sites by launching a micro private firewall instance and build an encrypted data tunnel to each one Accept communication from Client Controller instructs Gateways to accept communication from this Client Receive list of IP’s of SDP Gateways Initiating host receives a list of IP’s to connect to Set up mutual TLS Tunnels to transfer data after SPA Client can now connect to the proper applications
- #9: Bring Controllers online Integration with Identity, Multi-Factor and PKI services Bring Gateways online Create a mutual TLS connection with Controller after SPA Do not acknowledge Communication from any other host Do not respond to any non-provisioned request Gateways are now in “stealth mode” Bringing Clients online Create mutual TLS connection to Controller after SPA Authenticate to Controller List of authorized Gateways determined for this Client Controller could contact remote services for context Controller creates a list of Gateways Translate your descriptive network entitlements into IP access rules by talking to local cloud API’s. All other apps remain invisible Upload the network entitlements to the matching sites by launching a micro private firewall instance and build an encrypted data tunnel to each one Accept communication from Client Controller instructs Gateways to accept communication from this Client Receive list of IP’s of SDP Gateways Initiating host receives a list of IP’s to connect to Set up mutual TLS Tunnels to transfer data after SPA Client can now connect to the proper applications
- #10: Bring Controllers online Integration with Identity, Multi-Factor and PKI services Bring Gateways online Create a mutual TLS connection with Controller after SPA Do not acknowledge Communication from any other host Do not respond to any non-provisioned request Gateways are now in “stealth mode” Bringing Clients online Create mutual TLS connection to Controller after SPA Authenticate to Controller List of authorized Gateways determined for this Client Controller could contact remote services for context Controller creates a list of Gateways Translate your descriptive network entitlements into IP access rules by talking to local cloud API’s. All other apps remain invisible Upload the network entitlements to the matching sites by launching a micro private firewall instance and build an encrypted data tunnel to each one Accept communication from Client Controller instructs Gateways to accept communication from this Client Receive list of IP’s of SDP Gateways Initiating host receives a list of IP’s to connect to Set up mutual TLS Tunnels to transfer data after SPA Client can now connect to the proper applications
- #11: Bring Controllers online Integration with Identity, Multi-Factor and PKI services Bring Gateways online Create a mutual TLS connection with Controller after SPA Do not acknowledge Communication from any other host Do not respond to any non-provisioned request Gateways are now in “stealth mode” Bringing Clients online Create mutual TLS connection to Controller after SPA Authenticate to Controller List of authorized Gateways determined for this Client Controller could contact remote services for context Controller creates a list of Gateways Translate your descriptive network entitlements into IP access rules by talking to local cloud API’s. All other apps remain invisible Upload the network entitlements to the matching sites by launching a micro private firewall instance and build an encrypted data tunnel to each one Accept communication from Client Controller instructs Gateways to accept communication from this Client Receive list of IP’s of SDP Gateways Initiating host receives a list of IP’s to connect to Set up mutual TLS Tunnels to transfer data after SPA Client can now connect to the proper applications