SlideShare a Scribd company logo

Cryptzone: What is a Software-Defined Perimeter?

Download as PPTX, PDF
Cryptzone
Cryptzone

Cryptzone explains a Software-Defined Perimeter, a new network security model that dynamically creates 1:1 network connections between users and the data they access.

Software
1 of 17
What is a Software-Defined Perimeter?
What is a Software-Defined Perimeter (SDP)? Simple. Secure. Dynamic. A new network security model that dynamically creates 1:1 network connections between users and the data they access 2
How Does a SDP Work? Software-Defined Perimeter Traditional TCP/IP Not Identity Centric – Allows Anyone Access Identity-Centric – Only Authorized Users “Connect First, Authenticate Second” “Authenticate First, Connect Second” 3
SDP Architecture • Controller is the authentication point, containing user access policies • Clients are securely onboarded • All connections based on mutual TLS connectivity • Traffic is securely tunneled from Client through Gateway 4 Protected Applications SDP Controller SDP Gateway (Accepting Host) SDP Client (Initiating host) PKI Identity Management Policy Model
SDP in Action 5 Protected Applications AppGate Controller AppGate Gateway AppGate Client Control Channel Encrypted, Tunneled Data Channel
SDP in Action 6 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console 1 Protected Applications AppGate Controller AppGate Gateway AppGate Client Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
SDP in Action 7 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console Gateways protect cloud and network resources Application network traffic passes through Gateway 1 2 Protected Applications AppGate Controller AppGate Gateway AppGate Client 2 Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
3 SDP in Action 8 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console Gateways protect cloud and network resources Application network traffic passes through Gateway Clients securely onboarded, authenticate to Controller, communicate with mutual TLS 1 2 3 Protected Applications AppGate Controller AppGate Gateway AppGate Client 2 Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
4 3 SDP in Action 9 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console Gateways protect cloud and network resources Application network traffic passes through Gateway Clients securely onboarded, authenticate to Controller, communicate with mutual TLS Clients access resources via Gateway • Mutual TLS tunnels for data • Real-time policy enforcement by Gateway 1 2 3 4 Protected Applications AppGate Controller AppGate Gateway AppGate Client 2 Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
4 3 SDP in Action 10 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console Gateways protect cloud and network resources Application network traffic passes through Gateway Clients securely onboarded, authenticate to Controller, communicate with mutual TLS Clients access resources via Gateway • Mutual TLS tunnels for data • Real-time policy enforcement by Gateway Controller can enhance SIEM and IDS with detailed user activity logs Controller can query ITSM and other systems for context and attributes to be used in Policies 1 2 3 4 5 Protected Applications AppGate Controller AppGate Gateway AppGate Client 2 Integration with other IT and Security Systems 5 SIEM IDS ITSM Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller ProjectX Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions Descriptive Entitlements
All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller Identity provider Y Client will authenticate to controller • Check for an Identity claim ProjectX • Launch a script to collect AV state • Send matching entitlements to client ProjectX Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions 12 Descriptive Entitlements 1
All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller Identity provider Y Client will authenticate to controller • Check for an Identity claim ProjectX • Launch a script to collect AV state • Send matching entitlements to client Client connects to Gateway • Brings the descriptive entitlement: • SSH access to AWS://tag:SSH=*ProjectX* ProjectX Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions 13 Descriptive Entitlements 1 2
All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller Cloud API Identity provider Y Client will authenticate to controller • Check for an Identity claim ProjectX • Launch a script to collect AV state • Send matching entitlements to client Client connects to Gateway • Brings the descriptive entitlement: • SSH access to AWS://tag:SSH=*ProjectX* Gateway connects to local cloud API • What are the instances that have a tag with Key SSH and Value containing ProjectX • Translate it to IP access rules ProjectX ProjectX2 Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions 14 Descriptive Entitlements 1 2 3
All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller Cloud API Identity provider Y Client will authenticate to controller • Check for an Identity claim ProjectX • Launch a script to collect AV state • Send matching entitlements to client Client connects to Gateway • Brings the descriptive entitlement: • SSH access to AWS://tag:SSH=*ProjectX* Gateway connects to local cloud API • What are the instances that have a tag with Key SSH and Value containing ProjectX • Translate it to IP access rules Detect changes • Update IP access rules again ProjectX ProjectX2 Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions 15 Descriptive Entitlements 1 2 3 4
Summary 16 Utilizes an authenticate first approach Removes attacks including zero day, DDOS and lateral movement The Cloud Fabric can now be extended all the way to the user and device Leverages legacy applications by extending the SDP Architecture No longer need traditional network defense equipment (Firewall, VLAN, VPN, etc.) • Identity-centric security • Policies on user and cloud instances Identity-Centric Network Security
To Learn More View Why a Software-Defined Perimeter

Recommended

AppGate: Achieving Compliance in the Cloud
AppGate: Achieving Compliance in the CloudAppGate: Achieving Compliance in the Cloud
AppGate: Achieving Compliance in the Cloud
Cryptzone
 
Cryptzone AppGate Technical Architecture
Cryptzone AppGate Technical ArchitectureCryptzone AppGate Technical Architecture
Cryptzone AppGate Technical Architecture
Cryptzone
 
Cryptzone: The Software-Defined Perimeter
Cryptzone: The Software-Defined PerimeterCryptzone: The Software-Defined Perimeter
Cryptzone: The Software-Defined Perimeter
Cryptzone
 
SDP Glossary v2.0
SDP Glossary v2.0 SDP Glossary v2.0
SDP Glossary v2.0
Shamun Mahmud
 
How to Overcome Network Access Control Limitations for Better Network Security
How to Overcome Network Access Control Limitations for Better Network SecurityHow to Overcome Network Access Control Limitations for Better Network Security
How to Overcome Network Access Control Limitations for Better Network Security
Cryptzone
 
CSA Presentation - Software Defined Perimeter
CSA Presentation - Software Defined PerimeterCSA Presentation - Software Defined Perimeter
CSA Presentation - Software Defined Perimeter
Vishwas Manral
 
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS EnvironmentOperational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Cryptzone
 
The Software-Defined Perimeter: Securing Network Access for the Modern Workforce
The Software-Defined Perimeter: Securing Network Access for the Modern WorkforceThe Software-Defined Perimeter: Securing Network Access for the Modern Workforce
The Software-Defined Perimeter: Securing Network Access for the Modern Workforce
Perimeter 81
 

Recommended

AppGate: Achieving Compliance in the Cloud
AppGate: Achieving Compliance in the CloudAppGate: Achieving Compliance in the Cloud
AppGate: Achieving Compliance in the Cloud
Cryptzone
 
Cryptzone AppGate Technical Architecture
Cryptzone AppGate Technical ArchitectureCryptzone AppGate Technical Architecture
Cryptzone AppGate Technical Architecture
Cryptzone
 
Cryptzone: The Software-Defined Perimeter
Cryptzone: The Software-Defined PerimeterCryptzone: The Software-Defined Perimeter
Cryptzone: The Software-Defined Perimeter
Cryptzone
 
SDP Glossary v2.0
SDP Glossary v2.0 SDP Glossary v2.0
SDP Glossary v2.0
Shamun Mahmud
 
How to Overcome Network Access Control Limitations for Better Network Security
How to Overcome Network Access Control Limitations for Better Network SecurityHow to Overcome Network Access Control Limitations for Better Network Security
How to Overcome Network Access Control Limitations for Better Network Security
Cryptzone
 
CSA Presentation - Software Defined Perimeter
CSA Presentation - Software Defined PerimeterCSA Presentation - Software Defined Perimeter
CSA Presentation - Software Defined Perimeter
Vishwas Manral
 
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS EnvironmentOperational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Cryptzone
 
The Software-Defined Perimeter: Securing Network Access for the Modern Workforce
The Software-Defined Perimeter: Securing Network Access for the Modern WorkforceThe Software-Defined Perimeter: Securing Network Access for the Modern Workforce
The Software-Defined Perimeter: Securing Network Access for the Modern Workforce
Perimeter 81
 
Zero trust Architecture
Zero trust Architecture Zero trust Architecture
Zero trust Architecture
AddWeb Solution Pvt. Ltd.
 
Software Defined Perimeter - A New Paradigm for Securing Digital Infrastructu...
Software Defined Perimeter - A New Paradigm for Securing Digital Infrastructu...Software Defined Perimeter - A New Paradigm for Securing Digital Infrastructu...
Software Defined Perimeter - A New Paradigm for Securing Digital Infrastructu...
Government Technology & Services Coalition
 
How sdp delivers_zero_trust
How sdp delivers_zero_trustHow sdp delivers_zero_trust
How sdp delivers_zero_trust
Zscaler
 
How Google Protects Its Corporate Security Perimeter without Firewalls
How Google Protects Its Corporate Security Perimeter without FirewallsHow Google Protects Its Corporate Security Perimeter without Firewalls
How Google Protects Its Corporate Security Perimeter without Firewalls
Priyanka Aash
 
How VPNs and Firewalls Put Your Organization at Risk
How VPNs and Firewalls Put Your Organization at RiskHow VPNs and Firewalls Put Your Organization at Risk
How VPNs and Firewalls Put Your Organization at Risk
Cyxtera Technologies
 
From The Hidden Internet: Lesson From 12 Months Of Monitoring
From The Hidden Internet: Lesson From 12 Months Of MonitoringFrom The Hidden Internet: Lesson From 12 Months Of Monitoring
From The Hidden Internet: Lesson From 12 Months Of Monitoring
Priyanka Aash
 
Microservices Security: dos and don'ts
Microservices Security: dos and don'tsMicroservices Security: dos and don'ts
Microservices Security: dos and don'ts
Minded Security
 
User expert forum user-id
User expert forum user-idUser expert forum user-id
User expert forum user-id
Alberto Rivai
 
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
Robb Boyd
 
Security OF The Cloud
Security OF The CloudSecurity OF The Cloud
Security OF The Cloud
Mark Nunnikhoven
 
Cloud Access Security Brokers
Cloud Access Security BrokersCloud Access Security Brokers
Cloud Access Security Brokers
Abhishek Tripathi
 
cloud security ppt
cloud security ppt cloud security ppt
cloud security ppt
Devyani Vaidya
 
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
DATA SECURITY SOLUTIONS
 
Security in microservices architectures
Security in microservices architecturesSecurity in microservices architectures
Security in microservices architectures
inovia
 
Palo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & CompliancePalo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & Compliance
Amazon Web Services
 
Cisco Network Insider: Three Ways to Secure your Network
Cisco Network Insider: Three Ways to Secure your NetworkCisco Network Insider: Three Ways to Secure your Network
Cisco Network Insider: Three Ways to Secure your Network
Robb Boyd
 
TechWiseTV Workshop: Cisco Stealthwatch and ISE
TechWiseTV Workshop: Cisco Stealthwatch and ISETechWiseTV Workshop: Cisco Stealthwatch and ISE
TechWiseTV Workshop: Cisco Stealthwatch and ISE
Robb Boyd
 
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
Priyanka Aash
 
Palo Alto Networks CASB
Palo Alto Networks CASBPalo Alto Networks CASB
Palo Alto Networks CASB
Alberto Rivai
 
Designing Virtual Network Security Architectures
Designing Virtual Network Security ArchitecturesDesigning Virtual Network Security Architectures
Designing Virtual Network Security Architectures
Priyanka Aash
 
DEVNET-1124 Cisco pxGrid: A New Architecture for Security Platform Integration
DEVNET-1124 Cisco pxGrid: A New Architecture for Security Platform IntegrationDEVNET-1124 Cisco pxGrid: A New Architecture for Security Platform Integration
DEVNET-1124 Cisco pxGrid: A New Architecture for Security Platform Integration
Cisco DevNet
 
Hyperledger Fabric update Meetup 20181101
Hyperledger Fabric update Meetup 20181101Hyperledger Fabric update Meetup 20181101
Hyperledger Fabric update Meetup 20181101
Arnaud Le Hors
 

More Related Content

What's hot

Zero trust Architecture
Zero trust Architecture Zero trust Architecture
Zero trust Architecture
AddWeb Solution Pvt. Ltd.
 
Software Defined Perimeter - A New Paradigm for Securing Digital Infrastructu...
Software Defined Perimeter - A New Paradigm for Securing Digital Infrastructu...Software Defined Perimeter - A New Paradigm for Securing Digital Infrastructu...
Software Defined Perimeter - A New Paradigm for Securing Digital Infrastructu...
Government Technology & Services Coalition
 
How sdp delivers_zero_trust
How sdp delivers_zero_trustHow sdp delivers_zero_trust
How sdp delivers_zero_trust
Zscaler
 
How Google Protects Its Corporate Security Perimeter without Firewalls
How Google Protects Its Corporate Security Perimeter without FirewallsHow Google Protects Its Corporate Security Perimeter without Firewalls
How Google Protects Its Corporate Security Perimeter without Firewalls
Priyanka Aash
 
How VPNs and Firewalls Put Your Organization at Risk
How VPNs and Firewalls Put Your Organization at RiskHow VPNs and Firewalls Put Your Organization at Risk
How VPNs and Firewalls Put Your Organization at Risk
Cyxtera Technologies
 
From The Hidden Internet: Lesson From 12 Months Of Monitoring
From The Hidden Internet: Lesson From 12 Months Of MonitoringFrom The Hidden Internet: Lesson From 12 Months Of Monitoring
From The Hidden Internet: Lesson From 12 Months Of Monitoring
Priyanka Aash
 
Microservices Security: dos and don'ts
Microservices Security: dos and don'tsMicroservices Security: dos and don'ts
Microservices Security: dos and don'ts
Minded Security
 
User expert forum user-id
User expert forum user-idUser expert forum user-id
User expert forum user-id
Alberto Rivai
 
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
Robb Boyd
 
Security OF The Cloud
Security OF The CloudSecurity OF The Cloud
Security OF The Cloud
Mark Nunnikhoven
 
Cloud Access Security Brokers
Cloud Access Security BrokersCloud Access Security Brokers
Cloud Access Security Brokers
Abhishek Tripathi
 
cloud security ppt
cloud security ppt cloud security ppt
cloud security ppt
Devyani Vaidya
 
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
DATA SECURITY SOLUTIONS
 
Security in microservices architectures
Security in microservices architecturesSecurity in microservices architectures
Security in microservices architectures
inovia
 
Palo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & CompliancePalo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & Compliance
Amazon Web Services
 
Cisco Network Insider: Three Ways to Secure your Network
Cisco Network Insider: Three Ways to Secure your NetworkCisco Network Insider: Three Ways to Secure your Network
Cisco Network Insider: Three Ways to Secure your Network
Robb Boyd
 
TechWiseTV Workshop: Cisco Stealthwatch and ISE
TechWiseTV Workshop: Cisco Stealthwatch and ISETechWiseTV Workshop: Cisco Stealthwatch and ISE
TechWiseTV Workshop: Cisco Stealthwatch and ISE
Robb Boyd
 
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
Priyanka Aash
 
Palo Alto Networks CASB
Palo Alto Networks CASBPalo Alto Networks CASB
Palo Alto Networks CASB
Alberto Rivai
 
Designing Virtual Network Security Architectures
Designing Virtual Network Security ArchitecturesDesigning Virtual Network Security Architectures
Designing Virtual Network Security Architectures
Priyanka Aash
 

What's hot (20)

Zero trust Architecture
Zero trust Architecture Zero trust Architecture
Zero trust Architecture
 
Software Defined Perimeter - A New Paradigm for Securing Digital Infrastructu...
Software Defined Perimeter - A New Paradigm for Securing Digital Infrastructu...Software Defined Perimeter - A New Paradigm for Securing Digital Infrastructu...
Software Defined Perimeter - A New Paradigm for Securing Digital Infrastructu...
 
How sdp delivers_zero_trust
How sdp delivers_zero_trustHow sdp delivers_zero_trust
How sdp delivers_zero_trust
 
How Google Protects Its Corporate Security Perimeter without Firewalls
How Google Protects Its Corporate Security Perimeter without FirewallsHow Google Protects Its Corporate Security Perimeter without Firewalls
How Google Protects Its Corporate Security Perimeter without Firewalls
 
How VPNs and Firewalls Put Your Organization at Risk
How VPNs and Firewalls Put Your Organization at RiskHow VPNs and Firewalls Put Your Organization at Risk
How VPNs and Firewalls Put Your Organization at Risk
 
From The Hidden Internet: Lesson From 12 Months Of Monitoring
From The Hidden Internet: Lesson From 12 Months Of MonitoringFrom The Hidden Internet: Lesson From 12 Months Of Monitoring
From The Hidden Internet: Lesson From 12 Months Of Monitoring
 
Microservices Security: dos and don'ts
Microservices Security: dos and don'tsMicroservices Security: dos and don'ts
Microservices Security: dos and don'ts
 
User expert forum user-id
User expert forum user-idUser expert forum user-id
User expert forum user-id
 
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
 
Security OF The Cloud
Security OF The CloudSecurity OF The Cloud
Security OF The Cloud
 
Cloud Access Security Brokers
Cloud Access Security BrokersCloud Access Security Brokers
Cloud Access Security Brokers
 
cloud security ppt
cloud security ppt cloud security ppt
cloud security ppt
 
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
 
Security in microservices architectures
Security in microservices architecturesSecurity in microservices architectures
Security in microservices architectures
 
Palo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & CompliancePalo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & Compliance
 
Cisco Network Insider: Three Ways to Secure your Network
Cisco Network Insider: Three Ways to Secure your NetworkCisco Network Insider: Three Ways to Secure your Network
Cisco Network Insider: Three Ways to Secure your Network
 
TechWiseTV Workshop: Cisco Stealthwatch and ISE
TechWiseTV Workshop: Cisco Stealthwatch and ISETechWiseTV Workshop: Cisco Stealthwatch and ISE
TechWiseTV Workshop: Cisco Stealthwatch and ISE
 
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
 
Palo Alto Networks CASB
Palo Alto Networks CASBPalo Alto Networks CASB
Palo Alto Networks CASB
 
Designing Virtual Network Security Architectures
Designing Virtual Network Security ArchitecturesDesigning Virtual Network Security Architectures
Designing Virtual Network Security Architectures
 

Similar to Cryptzone: What is a Software-Defined Perimeter?

DEVNET-1124 Cisco pxGrid: A New Architecture for Security Platform Integration
DEVNET-1124 Cisco pxGrid: A New Architecture for Security Platform IntegrationDEVNET-1124 Cisco pxGrid: A New Architecture for Security Platform Integration
DEVNET-1124 Cisco pxGrid: A New Architecture for Security Platform Integration
Cisco DevNet
 
Hyperledger Fabric update Meetup 20181101
Hyperledger Fabric update Meetup 20181101Hyperledger Fabric update Meetup 20181101
Hyperledger Fabric update Meetup 20181101
Arnaud Le Hors
 
API Security in a Microservice Architecture
API Security in a Microservice ArchitectureAPI Security in a Microservice Architecture
API Security in a Microservice Architecture
Matt McLarty
 
Deep Dive on AWS IoT Core
Deep Dive on AWS IoT CoreDeep Dive on AWS IoT Core
Deep Dive on AWS IoT Core
Amazon Web Services
 
Nicolas destor pres_f5agility2018
Nicolas destor pres_f5agility2018Nicolas destor pres_f5agility2018
Nicolas destor pres_f5agility2018
Nicolas Destor
 
APIConnect Security Best Practice
APIConnect Security Best PracticeAPIConnect Security Best Practice
APIConnect Security Best Practice
Shiu-Fun Poon
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Hitachi, Ltd. OSS Solution Center.
 
Shifting security left simplifying security for k8s open shift environments
Shifting security left simplifying security for k8s open shift environmentsShifting security left simplifying security for k8s open shift environments
Shifting security left simplifying security for k8s open shift environments
LibbySchulze
 
Hybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptxHybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptx
HansFarroCastillo1
 
e-Xpert Gate / Reverse Proxy - WAF 1ere génération
e-Xpert Gate / Reverse Proxy - WAF 1ere génératione-Xpert Gate / Reverse Proxy - WAF 1ere génération
e-Xpert Gate / Reverse Proxy - WAF 1ere génération
Sylvain Maret
 
Novell® iChain® 2.3
Novell® iChain® 2.3Novell® iChain® 2.3
Novell® iChain® 2.3webhostingguy
 
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A... Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
Information Security Awareness Group
 
Deploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CXDeploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CX
Cisco Canada
 
VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged ...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged ...VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged ...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged ...
VMworld
 
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...
DevOps.com
 
Implementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresImplementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresOliver Pfaff
 
Workshop AWS IoT @ IoT World Paris
Workshop AWS IoT @ IoT World ParisWorkshop AWS IoT @ IoT World Paris
Workshop AWS IoT @ IoT World Paris
Julien SIMON
 
Hyperleger Composer Architecure Deep Dive
Hyperleger Composer Architecure Deep DiveHyperleger Composer Architecure Deep Dive
Hyperleger Composer Architecure Deep Dive
Dan Selman
 
High-Trust Add-Ins SharePoint for On-Premises Development
High-Trust Add-Ins SharePoint for On-Premises DevelopmentHigh-Trust Add-Ins SharePoint for On-Premises Development
High-Trust Add-Ins SharePoint for On-Premises Development
Edin Kapic
 
authentication and access control(http://4knet.ir)
authentication and access control(http://4knet.ir)authentication and access control(http://4knet.ir)
authentication and access control(http://4knet.ir)
Azad Kaki
 

Similar to Cryptzone: What is a Software-Defined Perimeter? (20)

DEVNET-1124 Cisco pxGrid: A New Architecture for Security Platform Integration
DEVNET-1124 Cisco pxGrid: A New Architecture for Security Platform IntegrationDEVNET-1124 Cisco pxGrid: A New Architecture for Security Platform Integration
DEVNET-1124 Cisco pxGrid: A New Architecture for Security Platform Integration
 
Hyperledger Fabric update Meetup 20181101
Hyperledger Fabric update Meetup 20181101Hyperledger Fabric update Meetup 20181101
Hyperledger Fabric update Meetup 20181101
 
API Security in a Microservice Architecture
API Security in a Microservice ArchitectureAPI Security in a Microservice Architecture
API Security in a Microservice Architecture
 
Deep Dive on AWS IoT Core
Deep Dive on AWS IoT CoreDeep Dive on AWS IoT Core
Deep Dive on AWS IoT Core
 
Nicolas destor pres_f5agility2018
Nicolas destor pres_f5agility2018Nicolas destor pres_f5agility2018
Nicolas destor pres_f5agility2018
 
APIConnect Security Best Practice
APIConnect Security Best PracticeAPIConnect Security Best Practice
APIConnect Security Best Practice
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
 
Shifting security left simplifying security for k8s open shift environments
Shifting security left simplifying security for k8s open shift environmentsShifting security left simplifying security for k8s open shift environments
Shifting security left simplifying security for k8s open shift environments
 
Hybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptxHybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptx
 
e-Xpert Gate / Reverse Proxy - WAF 1ere génération
e-Xpert Gate / Reverse Proxy - WAF 1ere génératione-Xpert Gate / Reverse Proxy - WAF 1ere génération
e-Xpert Gate / Reverse Proxy - WAF 1ere génération
 
Novell® iChain® 2.3
Novell® iChain® 2.3Novell® iChain® 2.3
Novell® iChain® 2.3
 
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A... Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
 
Deploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CXDeploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CX
 
VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged ...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged ...VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged ...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged ...
 
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...
 
Implementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresImplementing Public-Key-Infrastructures
Implementing Public-Key-Infrastructures
 
Workshop AWS IoT @ IoT World Paris
Workshop AWS IoT @ IoT World ParisWorkshop AWS IoT @ IoT World Paris
Workshop AWS IoT @ IoT World Paris
 
Hyperleger Composer Architecure Deep Dive
Hyperleger Composer Architecure Deep DiveHyperleger Composer Architecure Deep Dive
Hyperleger Composer Architecure Deep Dive
 
High-Trust Add-Ins SharePoint for On-Premises Development
High-Trust Add-Ins SharePoint for On-Premises DevelopmentHigh-Trust Add-Ins SharePoint for On-Premises Development
High-Trust Add-Ins SharePoint for On-Premises Development
 
authentication and access control(http://4knet.ir)
authentication and access control(http://4knet.ir)authentication and access control(http://4knet.ir)
authentication and access control(http://4knet.ir)
 

Recently uploaded

Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
wottaspaceseo
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
vrstrong314
 
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Globus
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
Matt Welsh
 
Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
Max Andersen
 
Lecture 1 Introduction to games development
Lecture 1 Introduction to games developmentLecture 1 Introduction to games development
Lecture 1 Introduction to games development
abdulrafaychaudhry
 
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Shahin Sheidaei
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
Globus
 
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
AMB-Review
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
takuyayamamoto1800
 
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke
 
Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with Platformless
WSO2
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
Cyanic lab
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Natan Silnitsky
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
Donna Lenk
 
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdfEnhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Jay Das
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
Philip Schwarz
 

Recently uploaded (20)

Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology Solutions
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
 
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
 
Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
 
Lecture 1 Introduction to games development
Lecture 1 Introduction to games developmentLecture 1 Introduction to games development
Lecture 1 Introduction to games development
 
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
 
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
 
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
 
Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with Platformless
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
 
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdfEnhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
 

Cryptzone: What is a Software-Defined Perimeter?

  • 2. What is a Software-Defined Perimeter (SDP)? Simple. Secure. Dynamic. A new network security model that dynamically creates 1:1 network connections between users and the data they access 2
  • 3. How Does a SDP Work? Software-Defined Perimeter Traditional TCP/IP Not Identity Centric – Allows Anyone Access Identity-Centric – Only Authorized Users “Connect First, Authenticate Second” “Authenticate First, Connect Second” 3
  • 4. SDP Architecture • Controller is the authentication point, containing user access policies • Clients are securely onboarded • All connections based on mutual TLS connectivity • Traffic is securely tunneled from Client through Gateway 4 Protected Applications SDP Controller SDP Gateway (Accepting Host) SDP Client (Initiating host) PKI Identity Management Policy Model
  • 6. SDP in Action 6 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console 1 Protected Applications AppGate Controller AppGate Gateway AppGate Client Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
  • 7. SDP in Action 7 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console Gateways protect cloud and network resources Application network traffic passes through Gateway 1 2 Protected Applications AppGate Controller AppGate Gateway AppGate Client 2 Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
  • 8. 3 SDP in Action 8 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console Gateways protect cloud and network resources Application network traffic passes through Gateway Clients securely onboarded, authenticate to Controller, communicate with mutual TLS 1 2 3 Protected Applications AppGate Controller AppGate Gateway AppGate Client 2 Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
  • 9. 4 3 SDP in Action 9 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console Gateways protect cloud and network resources Application network traffic passes through Gateway Clients securely onboarded, authenticate to Controller, communicate with mutual TLS Clients access resources via Gateway • Mutual TLS tunnels for data • Real-time policy enforcement by Gateway 1 2 3 4 Protected Applications AppGate Controller AppGate Gateway AppGate Client 2 Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
  • 10. 4 3 SDP in Action 10 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console Gateways protect cloud and network resources Application network traffic passes through Gateway Clients securely onboarded, authenticate to Controller, communicate with mutual TLS Clients access resources via Gateway • Mutual TLS tunnels for data • Real-time policy enforcement by Gateway Controller can enhance SIEM and IDS with detailed user activity logs Controller can query ITSM and other systems for context and attributes to be used in Policies 1 2 3 4 5 Protected Applications AppGate Controller AppGate Gateway AppGate Client 2 Integration with other IT and Security Systems 5 SIEM IDS ITSM Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
  • 11. All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller ProjectX Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions Descriptive Entitlements
  • 12. All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller Identity provider Y Client will authenticate to controller • Check for an Identity claim ProjectX • Launch a script to collect AV state • Send matching entitlements to client ProjectX Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions 12 Descriptive Entitlements 1
  • 13. All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller Identity provider Y Client will authenticate to controller • Check for an Identity claim ProjectX • Launch a script to collect AV state • Send matching entitlements to client Client connects to Gateway • Brings the descriptive entitlement: • SSH access to AWS://tag:SSH=*ProjectX* ProjectX Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions 13 Descriptive Entitlements 1 2
  • 14. All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller Cloud API Identity provider Y Client will authenticate to controller • Check for an Identity claim ProjectX • Launch a script to collect AV state • Send matching entitlements to client Client connects to Gateway • Brings the descriptive entitlement: • SSH access to AWS://tag:SSH=*ProjectX* Gateway connects to local cloud API • What are the instances that have a tag with Key SSH and Value containing ProjectX • Translate it to IP access rules ProjectX ProjectX2 Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions 14 Descriptive Entitlements 1 2 3
  • 15. All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller Cloud API Identity provider Y Client will authenticate to controller • Check for an Identity claim ProjectX • Launch a script to collect AV state • Send matching entitlements to client Client connects to Gateway • Brings the descriptive entitlement: • SSH access to AWS://tag:SSH=*ProjectX* Gateway connects to local cloud API • What are the instances that have a tag with Key SSH and Value containing ProjectX • Translate it to IP access rules Detect changes • Update IP access rules again ProjectX ProjectX2 Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions 15 Descriptive Entitlements 1 2 3 4
  • 16. Summary 16 Utilizes an authenticate first approach Removes attacks including zero day, DDOS and lateral movement The Cloud Fabric can now be extended all the way to the user and device Leverages legacy applications by extending the SDP Architecture No longer need traditional network defense equipment (Firewall, VLAN, VPN, etc.) • Identity-centric security • Policies on user and cloud instances Identity-Centric Network Security
  • 17. To Learn More View Why a Software-Defined Perimeter

Editor's Notes

  1. New slides
  2. Secure military networks Controller is the authentication point typically linked with one or more Identity providers Controller contains descriptive user access policies define access to applications Clients are securely onboarded All connections based on mutual TLS connectivity Traffic is securely tunneled from Client through Gateway to Protected Applications
  3. Bring Controllers online Integration with Identity, Multi-Factor and PKI services Bring Gateways online Create a mutual TLS connection with Controller after SPA Do not acknowledge Communication from any other host Do not respond to any non-provisioned request Gateways are now in “stealth mode” Bringing Clients online Create mutual TLS connection to Controller after SPA Authenticate to Controller List of authorized Gateways determined for this Client Controller could contact remote services for context Controller creates a list of Gateways Translate your descriptive network entitlements into IP access rules by talking to local cloud API’s. All other apps remain invisible Upload the network entitlements to the matching sites by launching a micro private firewall instance and build an encrypted data tunnel to each one Accept communication from Client Controller instructs Gateways to accept communication from this Client Receive list of IP’s of SDP Gateways Initiating host receives a list of IP’s to connect to Set up mutual TLS Tunnels to transfer data after SPA Client can now connect to the proper applications
  4. Bring Controllers online Integration with Identity, Multi-Factor and PKI services Bring Gateways online Create a mutual TLS connection with Controller after SPA Do not acknowledge Communication from any other host Do not respond to any non-provisioned request Gateways are now in “stealth mode” Bringing Clients online Create mutual TLS connection to Controller after SPA Authenticate to Controller List of authorized Gateways determined for this Client Controller could contact remote services for context Controller creates a list of Gateways Translate your descriptive network entitlements into IP access rules by talking to local cloud API’s. All other apps remain invisible Upload the network entitlements to the matching sites by launching a micro private firewall instance and build an encrypted data tunnel to each one Accept communication from Client Controller instructs Gateways to accept communication from this Client Receive list of IP’s of SDP Gateways Initiating host receives a list of IP’s to connect to Set up mutual TLS Tunnels to transfer data after SPA Client can now connect to the proper applications
  5. Bring Controllers online Integration with Identity, Multi-Factor and PKI services Bring Gateways online Create a mutual TLS connection with Controller after SPA Do not acknowledge Communication from any other host Do not respond to any non-provisioned request Gateways are now in “stealth mode” Bringing Clients online Create mutual TLS connection to Controller after SPA Authenticate to Controller List of authorized Gateways determined for this Client Controller could contact remote services for context Controller creates a list of Gateways Translate your descriptive network entitlements into IP access rules by talking to local cloud API’s. All other apps remain invisible Upload the network entitlements to the matching sites by launching a micro private firewall instance and build an encrypted data tunnel to each one Accept communication from Client Controller instructs Gateways to accept communication from this Client Receive list of IP’s of SDP Gateways Initiating host receives a list of IP’s to connect to Set up mutual TLS Tunnels to transfer data after SPA Client can now connect to the proper applications
  6. Bring Controllers online Integration with Identity, Multi-Factor and PKI services Bring Gateways online Create a mutual TLS connection with Controller after SPA Do not acknowledge Communication from any other host Do not respond to any non-provisioned request Gateways are now in “stealth mode” Bringing Clients online Create mutual TLS connection to Controller after SPA Authenticate to Controller List of authorized Gateways determined for this Client Controller could contact remote services for context Controller creates a list of Gateways Translate your descriptive network entitlements into IP access rules by talking to local cloud API’s. All other apps remain invisible Upload the network entitlements to the matching sites by launching a micro private firewall instance and build an encrypted data tunnel to each one Accept communication from Client Controller instructs Gateways to accept communication from this Client Receive list of IP’s of SDP Gateways Initiating host receives a list of IP’s to connect to Set up mutual TLS Tunnels to transfer data after SPA Client can now connect to the proper applications
  7. Bring Controllers online Integration with Identity, Multi-Factor and PKI services Bring Gateways online Create a mutual TLS connection with Controller after SPA Do not acknowledge Communication from any other host Do not respond to any non-provisioned request Gateways are now in “stealth mode” Bringing Clients online Create mutual TLS connection to Controller after SPA Authenticate to Controller List of authorized Gateways determined for this Client Controller could contact remote services for context Controller creates a list of Gateways Translate your descriptive network entitlements into IP access rules by talking to local cloud API’s. All other apps remain invisible Upload the network entitlements to the matching sites by launching a micro private firewall instance and build an encrypted data tunnel to each one Accept communication from Client Controller instructs Gateways to accept communication from this Client Receive list of IP’s of SDP Gateways Initiating host receives a list of IP’s to connect to Set up mutual TLS Tunnels to transfer data after SPA Client can now connect to the proper applications
  8. Bring Controllers online Integration with Identity, Multi-Factor and PKI services Bring Gateways online Create a mutual TLS connection with Controller after SPA Do not acknowledge Communication from any other host Do not respond to any non-provisioned request Gateways are now in “stealth mode” Bringing Clients online Create mutual TLS connection to Controller after SPA Authenticate to Controller List of authorized Gateways determined for this Client Controller could contact remote services for context Controller creates a list of Gateways Translate your descriptive network entitlements into IP access rules by talking to local cloud API’s. All other apps remain invisible Upload the network entitlements to the matching sites by launching a micro private firewall instance and build an encrypted data tunnel to each one Accept communication from Client Controller instructs Gateways to accept communication from this Client Receive list of IP’s of SDP Gateways Initiating host receives a list of IP’s to connect to Set up mutual TLS Tunnels to transfer data after SPA Client can now connect to the proper applications