Do you want to ensure that users accessing your data are secure no matter where they are coming from or going to? Secure access is the next evolution of network-based access control, harnessing new endpoint technologies to secure corporate-owned and BYOD devices.
Understand how to apply contextual access policy, enforce endpoint compliance before granting access, gain visibility into who is accessing what, and give a mobile workforce a simplified user experience from on-boarding to off-boarding.
Solving Access for Hybrid IT, Axians (introducing Pulse Secure) - Networkshop44
1. Solving access for Hybrid IT
Jeff Green, SVP Products
Solving Access for Hybrid IT
2. Securing access is a challenge
[Slide chart; figures as shown on the slide]
• 97% of enterprises suffered a breach; 134 days before breaches were discovered (Gigamon 2015)
• How we are connecting, PC vs Mobile, 2011 vs 2015: 1% and 55%
• Primary sources of breaches: Hacking 38% (up 8%), Employee negligence 15% (doubled), Insider theft 10%, Physical theft 10%, Subcontractors 9%, Accidental exposure 13%, Data on the move 7%
3. How we connect is more complex
Old NAC: PC and Datacenter. Network access for PCs in the datacenter and on campus.
VS
New Access: Hybrid IT. Secure access (visibility, compliance, authentication, access control) across datacenter, cloud, SaaS and campus, including BYOD.
4. The new reality and challenges of Hybrid IT
[Diagram labels in slide order: All major OSs; on-the-go; home network; untrusted LAN; guest Wi-Fi; corporate network; enterprise applications; VDI, terminal services; datacenter; cloud SaaS (apps); cloud IaaS (AWS, Azure); mobile apps; mobility, Hybrid IT, cloudification; VDI; datacenter consolidation]
[Slide listing the current access and endpoint technologies: MAM/MDM, VPN, Mobile GW, Web GW, Cloud Security GW, NAC]
6. Secure Access Architecture
[Architecture diagram: remote and mobile users, employees and guests reach protected resources in the campus, SaaS/cloud and data center through firewall, switch and wireless LAN; remote access, cloud access, network access and datacenter access are governed from a single management console]
7. Secure the Endpoint
[Same architecture diagram as slide 6, with MDM added]
Securing the endpoint
• Native app single sign-on
• Transparent strong authentication
• Device compliance check
• Conditional access policies
• Improved user experience
• Integration with mobility management
8. Secure Mobile and Cloud
[Same architecture diagram as slide 6]
Mobile and Cloud access
• Easy BYOD on/off-boarding for laptops, smartphones and tablets
• Contextual access control
• Compliance policy for access
• Identity tied back to the enterprise
• Device and identity tie
9. Secure Access Architecture
[Same architecture diagram as slide 6]
Network and Datacenter access
• Device compliance check
• Conditional access policies
• Enforcement points throughout the network
• Guest user access
10. Visibility
[Same architecture diagram as slide 6]
Visibility into the network
• Understand compliance
• Understand the what, who, when, how
• Understand contractors and third-party access
• Understand devices hitting the network and the risk they may cause
11. Summary
Access is evolving
• Hybrid IT: has changed the way we secure data. Hybridity is important.
• Endpoint: becomes important in solving the access problems introduced with Hybrid IT.
• Identity and Device: whilst strong identity and auth is important, tying in the device and its compliance is now key.
• Visibility: understanding what is going on in your network (including cloud) is vital.
Gigamon survey
97% of enterprises breached, total cost around 2B; the average enterprise breach costs $2-3M.
These breaches go undetected for 134 days.
The survey suggests that deploying NAC reduces the breach cost by 20%.
eMarketer
Use of mobile phones has grown from an average of 40 minutes to 3 hours.
Use of laptops has stayed flat in the same period.
ITRC - US
Businesses: 71 breaches, 40% of breaches publicly reported, and some 5M records.
Educational: 58 breaches, 700K records, 7.4% of overall breaches, e.g. Boston Uni.
Emails sent to wrong recipients, websites hacked, FTP sites publicly exposed, laptops with data stolen.
Access, whether on the network or remote, has changed over the years; we only used to worry about controlling access.
Authorization was really about the user and a password (maybe 2FA).
Today we want to understand the device, the user and the compliance level of the device.
All of this becomes part of the authorization decision.
In Hybrid IT, visibility into users, devices and applications becomes more important in policy than resources, ports and IPs.
How we are connecting has changed: no longer just a corporate port.
The devices we use have changed from one laptop to multiple devices.
From one heterogeneous OS to many, from proprietary to closed/open source.
The different types of networks we connect to bring different types of risk.
The types of devices have different risk profiles.
Mobilizing access and applications is demanding.
We have a number of access gateways for cloud security (CASB) and for the data center (VPN/firewall/NAC).
We have created a number of management technologies for the endpoint: MDM, SMS, Tivoli.
We have tried to mobilize PC applications and infrastructure with VDI, which does not work well on tablets and phones.
On the hosting front we are moving applications from the data center to the cloud without a solid plan for security.
We are deploying SaaS-based services for ease and cost, driven more by the business side than by IT.
Creating consistent access policy across many of these environments becomes challenging.
Multiple consoles and multiple policies are hard to rationalize.
Security posture becomes impossible to assess, let alone attest.
Securing access to applications, data and services is infinitely more challenging than the old world of DC only.
Finding one vendor that ticks all the boxes to provide security across this hybrid environment is hard. We are often left stitching disparate solutions together, sometimes ones that were not necessarily designed to work together.
It is important to find a vendor, or series of vendors, that are open and can create the glue in the solution.
Securing data in motion is almost pointless when the data rests unencrypted on a device.
Authenticating a user without checking the posture of the device could mean that malware steals the information/IP.
Accessing information without adequate authentication and identity capability means anyone with a lost device could access IP.
Allowing employees to access information without device compliance could mean an APT or malware is stealing data. According to Impima, 35% of data loss is due to malware and 72% of those that suffer major losses shut down within 24 months.
Having visibility into what is happening in the environment, from the data centers and cloud apps being used to the devices and users connecting to them, is essential. Getting this visibility is hard, and managing multiple solutions is tough. Finding the glue will help lessen the complexity of reporting and configuration.
A secure access architecture includes dealing with cloud, DC and campus.
It includes dealing with mobile, laptop and desktop.
It needs to enable access, not restrict it.
Hybrid IT includes cloud, DC and campus:
• You need a VPN to allow remote access to the DC.
• You need a cloud GW to manage access to cloud or SaaS-based services.
• You need a network access control service to manage access to the DC and campus for employees in the office.
• Above all of this, an identity management system such as Active Directory with 2FA/MFA.
• Ideally one management console to manage all of this. Policies should be centred around users, not resources.
• A vendor who is independent and can work well within an ecosystem of products, so that you can protect your existing investments and adapt to new demands.
Securing the endpoint becomes very important.
Outside to outside the organization.
Single sign-on on the endpoint becomes important for native and HTML apps.
Create consistent password and user management policies across the hybrid environment.
Authentication is important, and many companies are delivering MFA. Authentication becomes about the data, not the access. Give example.
Understanding the compliance of the device becomes important to protecting your data. Is it encrypted, protected or vulnerable?
Conditional access is all about making decisions and conditioning access based on the user, auth level and device compliance/trust.
User experience is also key for user adoption, to prevent users working around the system and its controls. Today access can be clumsy and cumbersome for the end user.
If you need to create security on the endpoint, this can be achieved by using an MDM or MAM solution for mobile users. This should then be integrated into your access policy. You can make conditional access policy through integrations with MDM solutions to determine compliance with policies or to assign access roles. Give examples.
Enabling mobile access to resources within the DC and the cloud requires you to think about new ways to manage the device lifecycle for managed and unmanaged devices, and to simplify access to the network. Onboarding a device should be simple: it should provision access to the VPN and Wi-Fi networks, install all appropriate software and provision certificates for stronger identity and authentication.
Contextual access control can be extended to cloud services, allowing you to control access to a service based on a device's compliance or authentication level.
The identity can be tied back to the enterprise by using a cloud/mobile GW as an identity provider using SAML. This works for native and HTML-based apps. SAML assertions can thus be based on the user authenticated against the AD or LDAP server using 2FA/MFA.
You can also tie the identity to the device using auth chaining with the device certificate and the user credentials.
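Taken together, the conditional-access rules in the notes above (user, auth level, device compliance, roles assigned from MDM state, cloud services gated on device compliance, and identity chained to a device certificate) can be expressed as one policy function. The following is an added illustration, not code from the presentation or from Pulse Secure; the resource catalogue, the numeric auth-level encoding and the MDM attributes are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed, hypothetical policy model: not Pulse Secure's or any vendor's API.
@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool                # enrolled in the MDM
    encrypted: bool              # storage encryption reported by the MDM
    compliant: bool              # MDM compliance verdict
    cert_subject: Optional[str]  # subject of the device certificate, if one was presented

@dataclass(frozen=True)
class Session:
    user: str
    auth_level: int              # 1 = password only, 2 = password plus second factor
    device: Device
    location: str                # "campus" or "remote"

# Hypothetical resource catalogue; sensitivity decides which controls are required.
RESOURCES = {
    "intranet-wiki": "low",
    "crm-saas": "medium",
    "finance-db": "high",
}

def device_bound_to_user(s: Session) -> bool:
    """Auth chaining: the device certificate must name the authenticated user."""
    return s.device.cert_subject == f"CN={s.user}"

def evaluate(s: Session, resource: str) -> Tuple[str, str]:
    """Return (decision, role-or-reason) for a user/device context and a resource."""
    sensitivity = RESOURCES[resource]
    d = s.device
    role = "employee" if d.managed else "byod-limited"   # role assigned from MDM state
    # Device posture gates everything, regardless of who the user is.
    if not (d.compliant and d.encrypted):
        return "deny", "device not compliant or not encrypted"
    if sensitivity == "high":
        # Only a managed device whose certificate is bound to this user may reach high-sensitivity data.
        if not (d.managed and device_bound_to_user(s)):
            return "deny", "high sensitivity requires a managed, user-bound device"
        if s.auth_level < 2:
            return "step-up", "MFA required"
        return "allow", role
    # Medium: a password is acceptable on campus from a managed device; otherwise require MFA.
    if sensitivity == "medium" and s.auth_level < 2 and not (s.location == "campus" and d.managed):
        return "step-up", "MFA required off campus or on an unmanaged device"
    return "allow", role
```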
Conditional access that lets you roam from outside the network to inside without re-authentication.
Enforcement points throughout the network that allow you to provide consistent user policy across access gateways, Wi-Fi APs, VPNs or firewalls. This gives you the ability to enforce access through multiple entry/access points.
Create a secured access environment for visitors and guests that allows self-service and easy provisioning of users, creating a segmented environment for them to safely access the internet without a burden being placed on the IT team.
Visibility becomes key to securing access. You have the challenges of dealing with managed and unmanaged devices (BYOD) and of understanding what is hitting your network and accessing resources, when often many resources are protected with only basic authentication.
Integration with management platforms such as MDM and inventory management systems shows the corporate or organizational devices that are under management. But there are many devices that may not be under management, such as printers and IP phones. These unmanaged devices are usually discovered using profiler technologies. However, the endpoint is important in providing total visibility when cloud-based services and mobility come into play. Once mobile devices are outside the corporate network accessing cloud services, all visibility is lost unless you force their traffic through the infrastructure, which often places unnecessary load on gateway boxes. The endpoint can provide vital information on application use and the risk the device might pose, such as unpatched vulnerabilities.
Understanding the 5Ws of visibility
Who – the user that is authenticating
Which – the device they are using
What – what application and data are they accessing
When – the time at which they access and patterns of behavior
Where – what location are they accessing things from
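As an added illustration (not from the presentation or any product), the following maps constructed gateway log lines onto the five Ws above and asks the visibility questions the notes raise: unmanaged devices reaching sensitive apps, contractor accounts, and off-hours patterns of behaviour. The log format, the `ext-` naming convention for third-party accounts, the sensitive-app list and the business-hours window are all assumptions.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample access-gateway records (not a real product's log format).
LOG_LINES = [
    "2016-03-22T09:05:11Z user=alice dev=lap-01 managed=yes app=crm-saas src=campus",
    "2016-03-22T09:07:40Z user=bob dev=phone-07 managed=no app=intranet-wiki src=guest-wifi",
    "2016-03-22T02:14:03Z user=ext-carol dev=unknown-4f managed=no app=finance-db src=remote",
    "2016-03-22T13:30:00Z user=alice dev=lap-01 managed=yes app=finance-db src=remote",
    "garbage line that should be skipped",
]

LINE_RE = re.compile(
    r"(?P<when>\S+) user=(?P<who>\S+) dev=(?P<which>\S+) managed=(?P<managed>yes|no) "
    r"app=(?P<what>\S+) src=(?P<where>\S+)$"
)
SENSITIVE_APPS = {"finance-db"}     # assumed classification
THIRD_PARTY_PREFIX = "ext-"         # assumed naming convention for contractor accounts
BUSINESS_HOURS = range(7, 20)       # 07:00-19:59 UTC, assumed

def parse(line: str) -> Optional[dict]:
    """Map one log line onto who/which/what/when/where; None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["when"], "%Y-%m-%dT%H:%M:%SZ")
    rec["managed"] = rec["managed"] == "yes"
    return rec

def findings(rec: dict) -> List[str]:
    """The visibility questions a reviewer would ask of each record."""
    out = []
    if rec["what"] in SENSITIVE_APPS and not rec["managed"]:
        out.append("sensitive app reached from an unmanaged device")
    if rec["who"].startswith(THIRD_PARTY_PREFIX) and rec["what"] in SENSITIVE_APPS:
        out.append("third-party account reached a sensitive app")
    if rec["when"].hour not in BUSINESS_HOURS:
        out.append("access outside business hours")
    return out

def review(lines: List[str]) -> Dict[Tuple[str, str, str], List[str]]:
    """Return {(who, which, what): findings} for every record that raised at least one."""
    report = {}
    for line in lines:
        rec = parse(line)
        if rec is not None and (f := findings(rec)):
            report[(rec["who"], rec["which"], rec["what"])] = f
    return report
```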
Hybrid IT is changing the way we fundamentally think about security. The perimeter and the data we protect are no longer inside our four walls. The advent of mobility has changed the way in which we access data and when we access it.
The endpoint becomes important in solving access to cloud technologies. This includes providing single sign-on and password policy across multiple apps in the datacenter and/or cloud. It also provides visibility into cloud apps being used outside of the organization's four walls.
Identity of the user, and tying the device to that identity, become important: it makes it harder for a hacked device or hacked user to be exploited. Your bank does this when you log in on a new machine.
Visibility of what is going on in your network is key and allows you to react and adjust controls appropriately.