AWS 가 제공하는 제로 트러스트 서비스, Cisco와 함께하면 보다 더 안전한 애플리케이션 접속 환경을 구현할 수 있습니다. Cisco Duo 와의 연동을 통해 보다 안전한 AWS VPC 애플리케이션 접속 방안을 소개합니다.

1. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S E O U L | M A Y 4 , 2 0 2 3

2. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Cisco !!
Jinhyun Lee ( )
Technical Solutions Architect – Security
Cisco Systems

3. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Zero Trust Network Access on AWS
Cisco Duo
Demo
Summary
Agenda

4. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Zero Trust Network Access on AWS

5. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Why Zero Trust?
MFA , ,
Attacks bypassing
security are on the
rise
Attack surface is
growing with cloud
migration
,
Stolen credentials
account for >80%
of web app attacks
, ,
Source: 2022 Verizon DBIR
https://www.verizon.com/business/resources/reports/2
022/dbir/2022-dbir-data-breach-investigations-
report.pdf
– “Zero Trust” –

6. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
As of Today- Remote Access to Application on AWS
Remote
User and Device App
App
App
User Verification
RA VPN
or
S2S VPN
Attacker,
Unauthorized
Direct Access
Stolen Credential Data Breach
Decentralized Policy Lack of Visibility
Permit SG
x.x.x.x 443

7. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Zero Trust Network Access
NIST: 800-207 Zero Trust Architecture Gartner : Market Guide for Zero Trust Network Access
Never Trust Authentication & Authorization Per-session base grant Continuous verification
Identify & Context VPN-Less
Policy & Visibility Software Defined Perimeter

8. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Now, AWS Zero Trust Network Access
Remote
User and Device
VPN-Less
Software Defined Perimeter
(SDP)
App
App
App
Continous
Assesement
Every Access
User/Group
& Device
Access Verification
Centralized
Policy
& Visibility

9. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Zero Trust Network Access /w Cisco Duo
AWS Verified
Access
VPN-less access to
corporate applications
Continuous
Policy
Assessment
User/Group
Device
Verification

10. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Zero Trust Network Access Traffic Flow
VPC
Corporate Engineering
Application
AWS Verified Access
ec2-engineering.edge-
ava.amazonaws.com
ava-web.gssokor.com
ava-web.gssokor.com
CNAME
ec2-engineering.edge-
ava.amazonaws.com
Route53
Trust Provider
1
2
3
5
MFA/SSO
& Continuous Verification
✓ User/ID, MFA
✓ OS, Browser
✓ Device Health
✓ BOYD
✓ Application AuthZ
VPC
Application
4

11. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cisco Duo

12. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cisco Duo for Zero Trust
User
&
Device
On-Prem
&
Cloud
2 Factor Authentication
Password-less
Self-Enrollment
2FA Device Control
Device Local Log On RDP/VDI
VPN, Wire/Wireless MFA Linux/Unix Shell
Single Sign-On (SAML, OIDC)
Trust Endpoint
User/Group
Policy
Device Health IP/Geo Location
BYOD Control
VPN-less
Software Define
Perimeter (SDP)
OS/Browser
Version
Checking AV/EDR
Zero Trust Workforce
Risk-Based
Authentication
Secure Access by Duo
MFA

13. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Duo Device Health & Trust Endpoint
• Corp managed asset status
• Biometrics (Touch/Face) status
• Screen lock status
• OS condition (tampered) status
• Encryption status
• Platform type
• Device OS type
• Device OS version
• Device owner
• Duo Mobile version
• Corp managed asset status
• Disk encryption
• Firewall enabled
• Device password
• OS patch level (Win 10)
• Third party agents
• OS type & versions
• Browser type & versions
• Flash & Java plugins versions
• OS, browser and plugins status
Mobile Devices Laptops / Desktops

14. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Duo Adaptive policy
•
•
• (Geolocation)
• IP Network Address / Range
• /Tor
•
/BYOD (Trusted endpoint)
• OS, browsers, Flash/Java
• Software
• Out of Date / Up to Date
• Mobile security status
• , , ,
/

15. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Duo Risk Based Authentication
UEBA (User & Entity Behavior Analytics)
ACCESS PATTERN
AUTH PATTERN
RISK SIGNAL ANLYSIS
DEVICE TRUST
LOCATION
WI-FI FINGERPRINT
KNOWN ATTACK PATTERN

16. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Duo Passwordless
Unlocks
Two Factor
Something You Are
-> ,
Password
Something You Have
-> , , Key
User ID Grant!

17. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Duo Continuous Risk Detection

18. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Verified Access Configuration /w Duo
AWS Verified Access
Verified Access
Instance
Trust Provider
Access Group
VPC
Corporate Engineering
Application
OIDC Federation

19. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Summary

20. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cisco Duo on AWS
MFA, Zero Trust for App, Single-Sign On, AWS CLI/Console, AWS Workspace etc..

21. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
ASSESS CONNECT SECURE OBSERVE & OPERATE
IWO
Cloud Planning
App Discovery & APM
AppDynamic
s
Multi-Cloud Connectivity Hybrid Cloud SDN
WAN Insights
Secure Connect (SASE)
Viptella SD-
WAN
Cloud Network
Controller, Nexus DB
Meraki SD-
WAN ThousandEyes
Infrastructure Protection
Secure Firewall
Duo
Zero Trust Access
(ZTA)
Umbrella
Secure Services
Edge (SSE)
Secure Workload, AppD Secure,
Panoptica
Application Security
Secure X, Cloud
Analytics & Insights
Thread Detection &
Response (XDR)
Full Stack
Observability
AppD, IWO,
ThousandEyes
Cloud Optimization
IWO
Calisti

22. © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Thank you!
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Jinhyun Lee ( )
jinhlee@cisco.com