
Cryptzone: What is a Software-Defined Perimeter?


Cryptzone explains a Software-Defined Perimeter, a new network security model that dynamically creates 1:1 network connections between users and the data they access.

Published in: Software

  1. What is a Software-Defined Perimeter?
  2. What is a Software-Defined Perimeter (SDP)? Simple. Secure. Dynamic. A new network security model that dynamically creates 1:1 network connections between users and the data they access.
  3. How Does an SDP Work? Traditional TCP/IP: not identity-centric, allows anyone access, "connect first, authenticate second". Software-Defined Perimeter: identity-centric, only authorized users, "authenticate first, connect second".
  4. SDP Architecture
     • Controller is the authentication point, containing user access policies
     • Clients are securely onboarded
     • All connections based on mutual TLS connectivity
     • Traffic is securely tunneled from Client through Gateway
     Diagram components: Protected Applications, SDP Controller, SDP Gateway (Accepting Host), SDP Client (Initiating Host), PKI, Identity Management, Policy Model.
  5-10. SDP in Action (one diagram built up across slides 5 to 10). Diagram components: Protected Applications, AppGate Controller, AppGate Gateway, AppGate Client, PKI, Identity Management, Policy Model, Graphical Admin Console, SIEM, IDS, ITSM; a Control Channel between Client and Controller and an Encrypted, Tunneled Data Channel between Client and Gateway.
     1. Controller uses PKI and IAM to establish trust. Controller is an authentication point and policy store. System is administered via graphical admin console.
     2. Gateways protect cloud and network resources. Application network traffic passes through Gateway.
     3. Clients securely onboarded, authenticate to Controller, communicate with mutual TLS.
     4. Clients access resources via Gateway
        • Mutual TLS tunnels for data
        • Real-time policy enforcement by Gateway
     5. Integration with other IT and Security Systems: Controller can enhance SIEM and IDS with detailed user activity logs. Controller can query ITSM and other systems for context and attributes to be used in Policies.
  11-15. Descriptive Entitlements (one diagram built up across slides 11 to 15). Example policy: "All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates." Contextual attributes shown: Device Posture, Multifactor Authentication, Network Location, Enterprise Identity, Auto-detect Cloud Changes, Custom Attributes, Time, Endpoint Agents, Application Permissions. Diagram components: Controller, Identity Provider Y, Cloud API, instances tagged ProjectX and ProjectX2.
     1. Client will authenticate to Controller
        • Check for an Identity claim ProjectX
        • Launch a script to collect AV state
        • Send matching entitlements to client
     2. Client connects to Gateway
        • Brings the descriptive entitlement: SSH access to AWS://tag:SSH=*ProjectX*
     3. Gateway connects to local cloud API
        • What are the instances that have a tag with Key SSH and Value containing ProjectX
        • Translate it to IP access rules
     4. Detect changes
        • Update IP access rules again
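The four steps above can be worked through in code. The following is an added example written for this page, not Cryptzone or AppGate code: it models the Controller's decision (identity claim plus AV posture) and the Gateway's translation of the descriptive entitlement into IP access rules, then re-resolves after a cloud change. The policy dict layout, the entitlement string grammar parsed with a glob pattern, the service-to-port map and the instance inventory are all assumptions constructed for the example.

```python
import fnmatch
import re
from dataclasses import dataclass

# Policy stated on the slides. The dict layout, the claim and posture keys
# and the entitlement string format are assumptions made for this example.
POLICY = {
    "required_claim": "ProjectX",
    "required_posture": {"av_up_to_date": True},
    "entitlement": "SSH access to AWS://tag:SSH=*ProjectX*",
}

# Assumed grammar for a descriptive entitlement:
# "<SERVICE> access to AWS://tag:<KEY>=<GLOB>"
ENTITLEMENT_RE = re.compile(
    r"^(?P<service>[A-Za-z]+) access to AWS://tag:(?P<key>[^=]+)=(?P<pattern>.+)$"
)
SERVICE_PORTS = {"SSH": ("tcp", 22)}  # assumed service-to-port map


@dataclass
class Instance:
    """A cloud instance as the gateway would see it from the cloud API."""
    instance_id: str
    private_ip: str
    tags: dict


# Constructed sample inventory (not real infrastructure).
INVENTORY = [
    Instance("i-0001", "10.0.1.10", {"SSH": "ProjectX"}),
    Instance("i-0002", "10.0.1.11", {"SSH": "ProjectX2"}),    # "contains ProjectX" matches
    Instance("i-0003", "10.0.2.5", {"SSH": "ProjectY"}),      # different project, no access
    Instance("i-0004", "10.0.2.6", {"Name": "ProjectX-db"}),  # no SSH tag, no access
]


def controller_evaluate(claims, posture, policy=POLICY):
    """Step 1: the Controller checks the identity claim and the AV posture
    reported by the client script; any failed check yields no entitlement."""
    if policy["required_claim"] not in claims:
        return []
    for attribute, required in policy["required_posture"].items():
        if posture.get(attribute) != required:
            return []
    return [policy["entitlement"]]


def parse_entitlement(text):
    """Split a descriptive entitlement into (service, tag key, glob pattern)."""
    match = ENTITLEMENT_RE.match(text)
    if match is None:
        raise ValueError(f"unrecognised entitlement: {text!r}")
    return match.group("service"), match.group("key"), match.group("pattern")


def gateway_resolve(entitlement, inventory):
    """Step 3: translate the entitlement into concrete IP access rules
    (ip, protocol, port) by matching instance tags from the cloud API."""
    service, key, pattern = parse_entitlement(entitlement)
    protocol, port = SERVICE_PORTS[service]
    rules = set()
    for instance in inventory:
        value = instance.tags.get(key)
        # fnmatchcase gives case-sensitive glob matching regardless of OS
        if value is not None and fnmatch.fnmatchcase(value, pattern):
            rules.add((instance.private_ip, protocol, port))
    return rules


def gateway_refresh(entitlement, current_rules, inventory):
    """Step 4: re-resolve after a cloud change; returns (rules, added, removed)
    so the gateway applies only the delta and drops access to gone instances."""
    new_rules = gateway_resolve(entitlement, inventory)
    return new_rules, new_rules - current_rules, current_rules - new_rules


if __name__ == "__main__":
    granted = controller_evaluate({"ProjectX"}, {"av_up_to_date": True})
    rules = gateway_resolve(granted[0], INVENTORY)
    print("initial rules:", sorted(rules))
    # Simulated cloud change: one ProjectX instance is terminated, a new one appears.
    changed = [i for i in INVENTORY if i.instance_id != "i-0001"] + [
        Instance("i-0005", "10.0.3.7", {"SSH": "ProjectX-web"})
    ]
    rules, added, removed = gateway_refresh(granted[0], rules, changed)
    print("added:", sorted(added), "removed:", sorted(removed))
```

The split between `controller_evaluate` and `gateway_resolve` mirrors the deck: the Controller never sees IP addresses, and the Gateway never sees identity or posture, only the entitlement it was handed. The `removed` set from `gateway_refresh` is the part practitioners most often forget: a rule for a terminated instance must be withdrawn, or a reused IP inherits access it was never granted.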
  16. Summary: Identity-Centric Network Security
     • Utilizes an authenticate-first approach
     • Removes attacks including zero day, DDoS and lateral movement
     • The Cloud Fabric can now be extended all the way to the user and device
     • Leverages legacy applications by extending the SDP Architecture
     • No longer need traditional network defense equipment (Firewall, VLAN, VPN, etc.)
     • Identity-centric security
     • Policies on user and cloud instances
  17. To Learn More: view "Why a Software-Defined Perimeter"
