SlideShare a Scribd company logo

Cryptzone: What is a Software-Defined Perimeter?

Download as PPTX, PDF
Cryptzone, profile picture
Cryptzone

A Software-Defined Perimeter (SDP) is a security model that creates secure 1:1 connections between users and data by authenticating users before granting access. Utilizing mutual TLS and real-time policy enforcement, SDP architecture involves controllers, gateways, and clients interacting securely, while protecting cloud and network resources. This approach enhances security by removing the need for traditional defenses and focusing on identity-centric policies.

Software
Related topics:
Network Security
1 of 17
Downloaded 100 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
What is a Software-Defined Perimeter?
What is a Software-Defined Perimeter (SDP)? Simple. Secure. Dynamic. A new network security model that dynamically creates 1:1 network connections between users and the data they access 2
How Does a SDP Work? Software-Defined Perimeter Traditional TCP/IP Not Identity Centric – Allows Anyone Access Identity-Centric – Only Authorized Users “Connect First, Authenticate Second” “Authenticate First, Connect Second” 3
SDP Architecture • Controller is the authentication point, containing user access policies • Clients are securely onboarded • All connections based on mutual TLS connectivity • Traffic is securely tunneled from Client through Gateway 4 Protected Applications SDP Controller SDP Gateway (Accepting Host) SDP Client (Initiating host) PKI Identity Management Policy Model
SDP in Action 5 Protected Applications AppGate Controller AppGate Gateway AppGate Client Control Channel Encrypted, Tunneled Data Channel
SDP in Action 6 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console 1 Protected Applications AppGate Controller AppGate Gateway AppGate Client Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
SDP in Action 7 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console Gateways protect cloud and network resources Application network traffic passes through Gateway 1 2 Protected Applications AppGate Controller AppGate Gateway AppGate Client 2 Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
3 SDP in Action 8 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console Gateways protect cloud and network resources Application network traffic passes through Gateway Clients securely onboarded, authenticate to Controller, communicate with mutual TLS 1 2 3 Protected Applications AppGate Controller AppGate Gateway AppGate Client 2 Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
4 3 SDP in Action 9 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console Gateways protect cloud and network resources Application network traffic passes through Gateway Clients securely onboarded, authenticate to Controller, communicate with mutual TLS Clients access resources via Gateway • Mutual TLS tunnels for data • Real-time policy enforcement by Gateway 1 2 3 4 Protected Applications AppGate Controller AppGate Gateway AppGate Client 2 Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
4 3 SDP in Action 10 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console Gateways protect cloud and network resources Application network traffic passes through Gateway Clients securely onboarded, authenticate to Controller, communicate with mutual TLS Clients access resources via Gateway • Mutual TLS tunnels for data • Real-time policy enforcement by Gateway Controller can enhance SIEM and IDS with detailed user activity logs Controller can query ITSM and other systems for context and attributes to be used in Policies 1 2 3 4 5 Protected Applications AppGate Controller AppGate Gateway AppGate Client 2 Integration with other IT and Security Systems 5 SIEM IDS ITSM Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller ProjectX Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions Descriptive Entitlements
All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller Identity provider Y Client will authenticate to controller • Check for an Identity claim ProjectX • Launch a script to collect AV state • Send matching entitlements to client ProjectX Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions 12 Descriptive Entitlements 1
All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller Identity provider Y Client will authenticate to controller • Check for an Identity claim ProjectX • Launch a script to collect AV state • Send matching entitlements to client Client connects to Gateway • Brings the descriptive entitlement: • SSH access to AWS://tag:SSH=*ProjectX* ProjectX Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions 13 Descriptive Entitlements 1 2
All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller Cloud API Identity provider Y Client will authenticate to controller • Check for an Identity claim ProjectX • Launch a script to collect AV state • Send matching entitlements to client Client connects to Gateway • Brings the descriptive entitlement: • SSH access to AWS://tag:SSH=*ProjectX* Gateway connects to local cloud API • What are the instances that have a tag with Key SSH and Value containing ProjectX • Translate it to IP access rules ProjectX ProjectX2 Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions 14 Descriptive Entitlements 1 2 3
All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller Cloud API Identity provider Y Client will authenticate to controller • Check for an Identity claim ProjectX • Launch a script to collect AV state • Send matching entitlements to client Client connects to Gateway • Brings the descriptive entitlement: • SSH access to AWS://tag:SSH=*ProjectX* Gateway connects to local cloud API • What are the instances that have a tag with Key SSH and Value containing ProjectX • Translate it to IP access rules Detect changes • Update IP access rules again ProjectX ProjectX2 Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions 15 Descriptive Entitlements 1 2 3 4
Summary 16 Utilizes an authenticate first approach Removes attacks including zero day, DDOS and lateral movement The Cloud Fabric can now be extended all the way to the user and device Leverages legacy applications by extending the SDP Architecture No longer need traditional network defense equipment (Firewall, VLAN, VPN, etc.) • Identity-centric security • Policies on user and cloud instances Identity-Centric Network Security
To Learn More View Why a Software-Defined Perimeter

More Related Content

PPTX
AppGate: Achieving Compliance in the Cloud
Cryptzone
 
PPTX
Cryptzone AppGate Technical Architecture
Cryptzone
 
PPTX
Cryptzone: The Software-Defined Perimeter
Cryptzone
 
PDF
SDP Glossary v2.0
Shamun Mahmud
 
PPTX
How to Overcome Network Access Control Limitations for Better Network Security
Cryptzone
 
PPTX
CSA Presentation - Software Defined Perimeter
Vishwas Manral
 
PPTX
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Cryptzone
 
PPTX
The Software-Defined Perimeter: Securing Network Access for the Modern Workforce
Perimeter 81
 
AppGate: Achieving Compliance in the Cloud
Cryptzone
 
Cryptzone AppGate Technical Architecture
Cryptzone
 
Cryptzone: The Software-Defined Perimeter
Cryptzone
 
SDP Glossary v2.0
Shamun Mahmud
 
How to Overcome Network Access Control Limitations for Better Network Security
Cryptzone
 
CSA Presentation - Software Defined Perimeter
Vishwas Manral
 
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Cryptzone
 
The Software-Defined Perimeter: Securing Network Access for the Modern Workforce
Perimeter 81
 

What's hot (20)

PPTX
Zero trust Architecture
AddWeb Solution Pvt. Ltd.
 
PDF
Software Defined Perimeter - A New Paradigm for Securing Digital Infrastructu...
Government Technology & Services Coalition
 
PPTX
How sdp delivers_zero_trust
Zscaler
 
PDF
How Google Protects Its Corporate Security Perimeter without Firewalls
Priyanka Aash
 
PDF
How VPNs and Firewalls Put Your Organization at Risk
Cyxtera Technologies
 
PPT
From The Hidden Internet: Lesson From 12 Months Of Monitoring
Priyanka Aash
 
PDF
Microservices Security: dos and don'ts
Minded Security
 
PDF
User expert forum user-id
Alberto Rivai
 
PPTX
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
Robb Boyd
 
PDF
Security OF The Cloud
Mark Nunnikhoven
 
PDF
Cloud Access Security Brokers
Abhishek Tripathi
 
PPTX
cloud security ppt
Devyani Vaidya
 
PPTX
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
DATA SECURITY SOLUTIONS
 
PPTX
Security in microservices architectures
inovia
 
PPTX
Cisco Network Insider: Three Ways to Secure your Network
Robb Boyd
 
PDF
TechWiseTV Workshop: Cisco Stealthwatch and ISE
Robb Boyd
 
PDF
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
Priyanka Aash
 
PDF
Palo Alto Networks CASB
Alberto Rivai
 
PDF
Designing Virtual Network Security Architectures
Priyanka Aash
 
PDF
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Priyanka Aash
 
Zero trust Architecture
AddWeb Solution Pvt. Ltd.
 
Software Defined Perimeter - A New Paradigm for Securing Digital Infrastructu...
Government Technology & Services Coalition
 
How sdp delivers_zero_trust
Zscaler
 
How Google Protects Its Corporate Security Perimeter without Firewalls
Priyanka Aash
 
How VPNs and Firewalls Put Your Organization at Risk
Cyxtera Technologies
 
From The Hidden Internet: Lesson From 12 Months Of Monitoring
Priyanka Aash
 
Microservices Security: dos and don'ts
Minded Security
 
User expert forum user-id
Alberto Rivai
 
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
Robb Boyd
 
Security OF The Cloud
Mark Nunnikhoven
 
Cloud Access Security Brokers
Abhishek Tripathi
 
cloud security ppt
Devyani Vaidya
 
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
DATA SECURITY SOLUTIONS
 
Security in microservices architectures
inovia
 
Cisco Network Insider: Three Ways to Secure your Network
Robb Boyd
 
TechWiseTV Workshop: Cisco Stealthwatch and ISE
Robb Boyd
 
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
Priyanka Aash
 
Palo Alto Networks CASB
Alberto Rivai
 
Designing Virtual Network Security Architectures
Priyanka Aash
 
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Priyanka Aash
 
Ad

Similar to Cryptzone: What is a Software-Defined Perimeter? (20)

PPTX
DEVNET-1124 Cisco pxGrid: A New Architecture for Security Platform Integration
Cisco DevNet
 
PDF
Hyperledger Fabric update Meetup 20181101
Arnaud Le Hors
 
PPTX
API Security in a Microservice Architecture
Matt McLarty
 
PDF
Nicolas destor pres_f5agility2018
Nicolas Destor
 
PDF
APIConnect Security Best Practice
Shiu-Fun Poon
 
PPTX
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Hitachi, Ltd. OSS Solution Center.
 
PDF
Shifting security left simplifying security for k8s open shift environments
LibbySchulze
 
PPTX
Hybrid - Seguridad en Contenedores v3.pptx
HansFarroCastillo1
 
PPT
e-Xpert Gate / Reverse Proxy - WAF 1ere génération
Sylvain Maret
 
PPT
Novell® iChain® 2.3
webhostingguy
 
PPT
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
Information Security Awareness Group
 
PDF
Deploying Next Generation Firewalling with ASA - CX
Cisco Canada
 
PDF
VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged ...
VMworld
 
PDF
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...
DevOps.com
 
PPT
Implementing Public-Key-Infrastructures
Oliver Pfaff
 
PDF
Workshop AWS IoT @ IoT World Paris
Julien SIMON
 
PPTX
Hyperleger Composer Architecure Deep Dive
Dan Selman
 
PPTX
High-Trust Add-Ins SharePoint for On-Premises Development
Edin Kapic
 
PPSX
authentication and access control(http://4knet.ir)
Azad Kaki
 
PDF
AWS NYC Meetup - May 2017 - "AWS IoT and Greengrass"
Chris Munns
 
DEVNET-1124 Cisco pxGrid: A New Architecture for Security Platform Integration
Cisco DevNet
 
Hyperledger Fabric update Meetup 20181101
Arnaud Le Hors
 
API Security in a Microservice Architecture
Matt McLarty
 
Nicolas destor pres_f5agility2018
Nicolas Destor
 
APIConnect Security Best Practice
Shiu-Fun Poon
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Hitachi, Ltd. OSS Solution Center.
 
Shifting security left simplifying security for k8s open shift environments
LibbySchulze
 
Hybrid - Seguridad en Contenedores v3.pptx
HansFarroCastillo1
 
e-Xpert Gate / Reverse Proxy - WAF 1ere génération
Sylvain Maret
 
Novell® iChain® 2.3
webhostingguy
 
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
Information Security Awareness Group
 
Deploying Next Generation Firewalling with ASA - CX
Cisco Canada
 
VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged ...
VMworld
 
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...
DevOps.com
 
Implementing Public-Key-Infrastructures
Oliver Pfaff
 
Workshop AWS IoT @ IoT World Paris
Julien SIMON
 
Hyperleger Composer Architecure Deep Dive
Dan Selman
 
High-Trust Add-Ins SharePoint for On-Premises Development
Edin Kapic
 
authentication and access control(http://4knet.ir)
Azad Kaki
 
AWS NYC Meetup - May 2017 - "AWS IoT and Greengrass"
Chris Munns
 
Ad

Recently uploaded (20)

PDF
How Creative Agencies Leverage Project Management Software.pdf
Orangescrum
 
PDF
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
PDF
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
PDF
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
PDF
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
PDF
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
PPTX
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
PPTX
history of c programming in notes for students .pptx
Vijayakumari829030
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
PPTX
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
PDF
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
PDF
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
PPTX
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
PDF
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 
PPTX
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PPTX
Introduction to Artificial Intelligence
lohedi9363
 
PDF
medical staffing services at VALiNTRY
Tiyan Grayson
 
How Creative Agencies Leverage Project Management Software.pdf
Orangescrum
 
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
history of c programming in notes for students .pptx
Vijayakumari829030
 
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
Introduction to Artificial Intelligence
lohedi9363
 
medical staffing services at VALiNTRY
Tiyan Grayson
 

Cryptzone: What is a Software-Defined Perimeter?

  • 2. What is a Software-Defined Perimeter (SDP)? Simple. Secure. Dynamic. A new network security model that dynamically creates 1:1 network connections between users and the data they access 2
  • 3. How Does a SDP Work? Software-Defined Perimeter Traditional TCP/IP Not Identity Centric – Allows Anyone Access Identity-Centric – Only Authorized Users “Connect First, Authenticate Second” “Authenticate First, Connect Second” 3
  • 4. SDP Architecture • Controller is the authentication point, containing user access policies • Clients are securely onboarded • All connections based on mutual TLS connectivity • Traffic is securely tunneled from Client through Gateway 4 Protected Applications SDP Controller SDP Gateway (Accepting Host) SDP Client (Initiating host) PKI Identity Management Policy Model
  • 6. SDP in Action 6 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console 1 Protected Applications AppGate Controller AppGate Gateway AppGate Client Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
  • 7. SDP in Action 7 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console Gateways protect cloud and network resources Application network traffic passes through Gateway 1 2 Protected Applications AppGate Controller AppGate Gateway AppGate Client 2 Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
  • 8. 3 SDP in Action 8 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console Gateways protect cloud and network resources Application network traffic passes through Gateway Clients securely onboarded, authenticate to Controller, communicate with mutual TLS 1 2 3 Protected Applications AppGate Controller AppGate Gateway AppGate Client 2 Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
  • 9. 4 3 SDP in Action 9 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console Gateways protect cloud and network resources Application network traffic passes through Gateway Clients securely onboarded, authenticate to Controller, communicate with mutual TLS Clients access resources via Gateway • Mutual TLS tunnels for data • Real-time policy enforcement by Gateway 1 2 3 4 Protected Applications AppGate Controller AppGate Gateway AppGate Client 2 Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
  • 10. 4 3 SDP in Action 10 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console Gateways protect cloud and network resources Application network traffic passes through Gateway Clients securely onboarded, authenticate to Controller, communicate with mutual TLS Clients access resources via Gateway • Mutual TLS tunnels for data • Real-time policy enforcement by Gateway Controller can enhance SIEM and IDS with detailed user activity logs Controller can query ITSM and other systems for context and attributes to be used in Policies 1 2 3 4 5 Protected Applications AppGate Controller AppGate Gateway AppGate Client 2 Integration with other IT and Security Systems 5 SIEM IDS ITSM Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
  • 11. All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller ProjectX Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions Descriptive Entitlements
  • 12. All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller Identity provider Y Client will authenticate to controller • Check for an Identity claim ProjectX • Launch a script to collect AV state • Send matching entitlements to client ProjectX Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions 12 Descriptive Entitlements 1
  • 13. All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller Identity provider Y Client will authenticate to controller • Check for an Identity claim ProjectX • Launch a script to collect AV state • Send matching entitlements to client Client connects to Gateway • Brings the descriptive entitlement: • SSH access to AWS://tag:SSH=*ProjectX* ProjectX Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions 13 Descriptive Entitlements 1 2
  • 14. All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller Cloud API Identity provider Y Client will authenticate to controller • Check for an Identity claim ProjectX • Launch a script to collect AV state • Send matching entitlements to client Client connects to Gateway • Brings the descriptive entitlement: • SSH access to AWS://tag:SSH=*ProjectX* Gateway connects to local cloud API • What are the instances that have a tag with Key SSH and Value containing ProjectX • Translate it to IP access rules ProjectX ProjectX2 Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions 14 Descriptive Entitlements 1 2 3
  • 15. All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller Cloud API Identity provider Y Client will authenticate to controller • Check for an Identity claim ProjectX • Launch a script to collect AV state • Send matching entitlements to client Client connects to Gateway • Brings the descriptive entitlement: • SSH access to AWS://tag:SSH=*ProjectX* Gateway connects to local cloud API • What are the instances that have a tag with Key SSH and Value containing ProjectX • Translate it to IP access rules Detect changes • Update IP access rules again ProjectX ProjectX2 Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions 15 Descriptive Entitlements 1 2 3 4
  • 16. Summary 16 Utilizes an authenticate first approach Removes attacks including zero day, DDOS and lateral movement The Cloud Fabric can now be extended all the way to the user and device Leverages legacy applications by extending the SDP Architecture No longer need traditional network defense equipment (Firewall, VLAN, VPN, etc.) • Identity-centric security • Policies on user and cloud instances Identity-Centric Network Security
  • 17. To Learn More View Why a Software-Defined Perimeter

Editor's Notes

  • #4: New slides
  • #5: Secure military networks Controller is the authentication point typically linked with one or more Identity providers Controller contains descriptive user access policies define access to applications Clients are securely onboarded All connections based on mutual TLS connectivity Traffic is securely tunneled from Client through Gateway to Protected Applications
  • #6: Bring Controllers online Integration with Identity, Multi-Factor and PKI services Bring Gateways online Create a mutual TLS connection with Controller after SPA Do not acknowledge Communication from any other host Do not respond to any non-provisioned request Gateways are now in “stealth mode” Bringing Clients online Create mutual TLS connection to Controller after SPA Authenticate to Controller List of authorized Gateways determined for this Client Controller could contact remote services for context Controller creates a list of Gateways Translate your descriptive network entitlements into IP access rules by talking to local cloud API’s. All other apps remain invisible Upload the network entitlements to the matching sites by launching a micro private firewall instance and build an encrypted data tunnel to each one Accept communication from Client Controller instructs Gateways to accept communication from this Client Receive list of IP’s of SDP Gateways Initiating host receives a list of IP’s to connect to Set up mutual TLS Tunnels to transfer data after SPA Client can now connect to the proper applications
  • #7: Bring Controllers online Integration with Identity, Multi-Factor and PKI services Bring Gateways online Create a mutual TLS connection with Controller after SPA Do not acknowledge Communication from any other host Do not respond to any non-provisioned request Gateways are now in “stealth mode” Bringing Clients online Create mutual TLS connection to Controller after SPA Authenticate to Controller List of authorized Gateways determined for this Client Controller could contact remote services for context Controller creates a list of Gateways Translate your descriptive network entitlements into IP access rules by talking to local cloud API’s. All other apps remain invisible Upload the network entitlements to the matching sites by launching a micro private firewall instance and build an encrypted data tunnel to each one Accept communication from Client Controller instructs Gateways to accept communication from this Client Receive list of IP’s of SDP Gateways Initiating host receives a list of IP’s to connect to Set up mutual TLS Tunnels to transfer data after SPA Client can now connect to the proper applications
  • #8: Bring Controllers online Integration with Identity, Multi-Factor and PKI services Bring Gateways online Create a mutual TLS connection with Controller after SPA Do not acknowledge Communication from any other host Do not respond to any non-provisioned request Gateways are now in “stealth mode” Bringing Clients online Create mutual TLS connection to Controller after SPA Authenticate to Controller List of authorized Gateways determined for this Client Controller could contact remote services for context Controller creates a list of Gateways Translate your descriptive network entitlements into IP access rules by talking to local cloud API’s. All other apps remain invisible Upload the network entitlements to the matching sites by launching a micro private firewall instance and build an encrypted data tunnel to each one Accept communication from Client Controller instructs Gateways to accept communication from this Client Receive list of IP’s of SDP Gateways Initiating host receives a list of IP’s to connect to Set up mutual TLS Tunnels to transfer data after SPA Client can now connect to the proper applications
  • #9: Bring Controllers online Integration with Identity, Multi-Factor and PKI services Bring Gateways online Create a mutual TLS connection with Controller after SPA Do not acknowledge Communication from any other host Do not respond to any non-provisioned request Gateways are now in “stealth mode” Bringing Clients online Create mutual TLS connection to Controller after SPA Authenticate to Controller List of authorized Gateways determined for this Client Controller could contact remote services for context Controller creates a list of Gateways Translate your descriptive network entitlements into IP access rules by talking to local cloud API’s. All other apps remain invisible Upload the network entitlements to the matching sites by launching a micro private firewall instance and build an encrypted data tunnel to each one Accept communication from Client Controller instructs Gateways to accept communication from this Client Receive list of IP’s of SDP Gateways Initiating host receives a list of IP’s to connect to Set up mutual TLS Tunnels to transfer data after SPA Client can now connect to the proper applications
  • #10: Bring Controllers online Integration with Identity, Multi-Factor and PKI services Bring Gateways online Create a mutual TLS connection with Controller after SPA Do not acknowledge Communication from any other host Do not respond to any non-provisioned request Gateways are now in “stealth mode” Bringing Clients online Create mutual TLS connection to Controller after SPA Authenticate to Controller List of authorized Gateways determined for this Client Controller could contact remote services for context Controller creates a list of Gateways Translate your descriptive network entitlements into IP access rules by talking to local cloud API’s. All other apps remain invisible Upload the network entitlements to the matching sites by launching a micro private firewall instance and build an encrypted data tunnel to each one Accept communication from Client Controller instructs Gateways to accept communication from this Client Receive list of IP’s of SDP Gateways Initiating host receives a list of IP’s to connect to Set up mutual TLS Tunnels to transfer data after SPA Client can now connect to the proper applications
  • #11: Bring Controllers online Integration with Identity, Multi-Factor and PKI services Bring Gateways online Create a mutual TLS connection with Controller after SPA Do not acknowledge Communication from any other host Do not respond to any non-provisioned request Gateways are now in “stealth mode” Bringing Clients online Create mutual TLS connection to Controller after SPA Authenticate to Controller List of authorized Gateways determined for this Client Controller could contact remote services for context Controller creates a list of Gateways Translate your descriptive network entitlements into IP access rules by talking to local cloud API’s. All other apps remain invisible Upload the network entitlements to the matching sites by launching a micro private firewall instance and build an encrypted data tunnel to each one Accept communication from Client Controller instructs Gateways to accept communication from this Client Receive list of IP’s of SDP Gateways Initiating host receives a list of IP’s to connect to Set up mutual TLS Tunnels to transfer data after SPA Client can now connect to the proper applications