5. People are more connected and more dispersed today than ever before.
THE WORLD IS CONNECTED
CONNECTING TO YOUR NETWORK WHEREVER IT MAY BE…
ON-PREMISES PUBLIC CLOUD PRIVATE CLOUD HYBRID CLOUD
6. The network perimeter as we know it has disappeared.
People are connecting to your network in new ways. Your job is to secure these network connections. And if you don’t, you face some big security problems.
7. Security becomes hard to manage across hybrid environments.
There are separate ways people are managing policies and permissions for cloud vs. on-premises workloads. It’s complicated, difficult, expensive and dangerous.
ON-PREMISES MANAGEMENT
CLOUD MANAGEMENT
8. If hackers get in, they’ve hit the lottery. They can bounce from place to place, file server to database. It’s difficult for security professionals to detect, so hackers can wait and make a move at the right time.
Lateral movement across the network becomes a huge security risk.
Many organizations have a flat architecture – once you’re inside the network, you can see or access anything.
9. Securing networks against cyberwarfare is impossible.
Well-funded organizations and nation-states with sophisticated skills are attacking corporate IT systems. They’re testing your defenses. They want your stuff. To sell. To ransom. To embarrass your organization.
WANNACRY MALWARE
An estimated 416,000 systems were infected by WannaCry malware worldwide.
- MalwareTech, May 16, 2017
HBO HACKERS LEAK TOP EXECUTIVE EMAILS
Hackers delivered a video letter to HBO CEO Richard Plepler that says, “We successfully breached into your huge network. …HBO was one of our difficult targets to deal with but we succeeded (it took about 6 months).”
- August 2017
YOU ARE PARTICIPATING IN CYBER WAR WHETHER YOU LIKE IT OR NOT
10. Securing the network from employees – often a weak security link – is hard.
THEY’RE IN YOUR COMPANY RIGHT NOW – DO YOU RECOGNIZE THEM?
THE MALICIOUS INSIDER
THE COMPROMISED THIRD PARTY USER
THE NEGLIGENT INSIDER
THE OVER-PRIVILEGED/SUPER-PRIVILEGED
THE COMPROMISED INSIDER
12. Firewalls are configured and forgotten.
Once set up, you really don’t want to change the firewall because it’s usually a significant change ticket.
13. Firewalls look at ports and addresses, not users.
They’re not designed to address specific users, which is why admins are always adding exceptions and HOLES for access.
PORT 80 OR 443
LogMeIn and TeamViewer use these ports to bypass your firewalls, giving access to your network unless you protect against traffic on them.
PORT 3389
Remote Desktop Protocol (RDP) gives users a jump box or bastion host, and is exposed to the public. Why? Because an IT person is working from home, so it’s easier to RDP directly to a particular box to get work done.
Port holes are common because we are trying to secure our environments and still make them usable.
192.153.1.2:80
15. VPNs do NOT equal secure.
They were never designed to be a security solution.
VPNS AUTHENTICATE TO EVERYTHING
Once authorized, users have complete access to the authenticated network.
VPNS ARE SIMPLE PERIMETER-BASED SECURITY
In a world where the physical perimeter is no longer relevant.
VPNS ARE STATIC AND UNINTELLIGENT
While user context and security threats are ever-changing.
VPNS PROVIDE OVER-ENTITLED ACCESS
Maximizing your lateral attack surface and vulnerability.
VPN SERVER
16. Firewalls and VPNs were designed for an era when we trusted each other… a lot.
BUT TODAY, WE CAN’T TRUST EVERYBODY.
17. We need a new approach to network security that is simple enough that a child would understand the concept.
CONSIDER THIS SCENARIO
If someone knocks on the door to your house, a 2nd grader would know to ask: “who are you?” and “what do you want?” If the two questions are answered appropriately, only then would the door be opened to a trusted person.
THAT’S HOW A SOFTWARE DEFINED PERIMETER WORKS. LET’S TAKE A LOOK...
18. A Software-Defined Perimeter is a network security model that dynamically creates 1:1 network connections between users and the data they access.
SDP reduces the attack surface in real-time by creating a discrete, encrypted network segment of one, making everything else invisible and inaccessible.
A network segment of one is network micro-segmentation down to individual users and for each user session!! Now that’s secure!
20. AppGate SDP is user-centric.
It provides identity-based access control, creating an individualized perimeter based on each user and their context.
Device
OS Version
Endpoint Agents
App Permissions
Directory Attributes
Multi-factor Authentication
USER
21. AppGate SDP is dynamic and adaptive.
It adapts to changes in user context, device and security conditions, and it integrates with your operational systems.
Device
OS Version
Endpoint Agents
App Permissions
Directory Attributes
Multi-factor authentication
Location
Network
Time
Threat Posture
USER
ENVIRONMENT
22. AppGate SDP is programmable and extensible.
It integrates with your business and operational systems.
Device
OS Version
Endpoint Agents
App Permissions
Directory Attributes
Multi-factor authentication
Location
Network
Time
Threat Posture
Business Systems
Operational Systems
Network Analytics
Cloud Security Groups & Tags
API-driven Entitlements
USER
ENVIRONMENT
ENTERPRISE
23. AppGate SDP Creates a Segment of One.
It gives you fine-grained controls to reduce the available network attack surface.
Encrypted 1:1 connection
PROTECTED ASSETS
Cloud, Hybrid or On-Premises
ENCRYPTED
24. AppGate SDP Creates a Segment of One.
It gives you fine-grained controls to reduce the available network attack surface.
The user only sees what they are authorized to access.
Access is adjusted in real time as events and conditions warrant.
ENCRYPTED
25–28. How AppGate SDP works:
CONTROL CHANNEL
DATA CHANNEL
PROTECTIVE SERVER
PROTECTIVE SERVER
DATA CHANNEL
CONTROLLER
1. Using Single-Packet Authorization, client makes access request to controller
2. Controller checks context, passes entitlements to client
3. Gateway creates “Segment of One” access rule
4. Controller continuously monitors for context changes, adapts entitlements accordingly
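The four steps above, modelled as a small Python script. This is an added illustration, not AppGate’s code or wire protocol: the packet layout, the HMAC-based single-packet check with a replay window, the policy fields, the resource names and the demo key are all assumptions made for the example.

```python
"""Toy model of the four-step SDP flow on the slides above. Added illustration
only; packet layout, policy fields and the constructed key are assumptions."""
import hashlib
import hmac
import json

SPA_KEY = b"constructed-demo-key"  # constructed shared secret (assumption)

def build_spa_packet(user, device, ts, key=SPA_KEY):
    """Step 1: client sends one signed packet. The controller stays silent
    unless the MAC verifies, so unauthenticated probes see a dark port."""
    body = json.dumps({"user": user, "device": device, "ts": ts}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body, tag

def verify_spa(body, tag, now, key=SPA_KEY, window=30):
    """Controller side of step 1: constant-time MAC check plus a replay window
    (seconds) so a captured packet cannot simply be resent later."""
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    req = json.loads(body)
    return req if abs(now - req["ts"]) <= window else None

# Constructed entitlement policy: each protected resource lists the user and
# device context it requires (role, MFA, minimum OS version).
POLICY = {
    "db-prod:5432": {"role": "dba", "mfa": True, "os_min": 12},
    "git.internal:443": {"role": "developer", "mfa": False, "os_min": 10},
}

def evaluate_entitlements(context):
    """Step 2: controller checks context against policy and returns only the
    resources this user may reach; everything else is never disclosed."""
    return sorted(res for res, need in POLICY.items()
                  if context["role"] == need["role"]
                  and context["mfa"] >= need["mfa"]
                  and context["os_version"] >= need["os_min"])

def segment_of_one(client_ip, entitlements):
    """Step 3: gateway turns entitlements into per-client allow rules; the
    absence of a rule is the default deny that keeps other hosts dark."""
    return [(client_ip, res) for res in entitlements]

def reevaluate(context, client_ip, change):
    """Step 4: a context change (MFA lapsed, new location, old OS) triggers a
    fresh evaluation, and the gateway's rule set shrinks or grows with it."""
    updated = {**context, **change}
    return segment_of_one(client_ip, evaluate_entitlements(updated))
```

Running the steps in order for a DBA whose MFA later lapses shows the per-user rule appear and then disappear, which is the “adapts entitlements” behaviour of step 4.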
29. AppGate SDP provides secure, adaptive network access.
Encrypted connection between user and approved resources creates custom per-user network.
Unauthorized resources are completely dark – impossible to detect.
Eliminates lateral movement on internal networks.
Policy adapts dynamically to changes in context.
Provides unified access control across hybrid environments.
Sally, Developer, Project X
Charlie, DB Admin
Joe, System Analyst, Project Hawk
30. Learn more about AppGate SDP
DATASHEET
VIDEO
AppGate SDP for AWS
WHITEPAPER
Forrester Report: No More Chewy Centers: The Zero Trust Model of Information Security
AppGate SDP
31. Want to know more?
AWS FREE TRIAL
AZURE FREE ACCOUNT
GET IN TOUCH
Click here to get access to a 15-day free trial of AppGate SDP on AWS marketplace.
Click here to create and view the benefits of a Microsoft Azure account, including a $200 credit towards Azure products.
Email: sales@cyxtera.com Twitter: @Cyxtera LinkedIn: linkedin.com/company/cyxtera