2. THE STATE OF CYBER SECURITY - STATUS QUO
• Machine-to-machine connections FORCE securing machines
• Access to services allowed BEFORE authentication
• Firewalls are static – ONLY network information
[Diagram: layered view labelled BUSINESS, SERVICES, IT, PERIMETER]
- Conventional wisdom is just that – conventional
Waverley Labs
3. SMART COMPANIES ARE SAYING - CYBER SECURITY SOLUTIONS AREN’T GOOD ENOUGH!
• VPNs - don’t scale, and once inside the network there is no control over what users can access without additional tools
• Authentication - multi-factor vs. multi-level is hard to implement according to the guidelines. ID mgmt typically not tied to access control
• Key Management - too many to effectively manage, i.e. user keys, device keys, encryption keys
• Firewalls - are static, and the more rules that need to be added, the more maintenance they need; logs are hard to analyze in real-time, onboarding applications is a long process, services are not just exposed to one user.
• Vulnerability/Patch Mgmt - number of vulnerabilities is increasing, hard to prioritize, and IT held hostage by old/legacy applications that are hard to upgrade
4. THE DIGITAL THREAT LANDSCAPE
Today, many paths exist to attack enterprises:
• Insider threats within a user group (role)
• External threats from all over the world
• Insider threats across user group boundaries
7. Enter Software Defined Perimeters (SDP)
• Connectivity
– Based on need-to-know access model
– Device posture & identity verified before access to application infrastructure is granted
• Application infrastructure
– Effectively invisible or black
– No visible DNS information or IP addresses
• Combines security protocols previously not integrated
– Single Packet Authentication
– Mutual Transport Layer Security
– Device Validation
– Dynamic Firewalls
– Application Binding
• Cloud Security Alliance adopted SDP for its membership
• Follows NIST guidelines: crypto protocols & securing apps in cloud
10. SDP cryptographically signs clients into the perimeter
1 - Net-facing servers hidden
2 - Legit user given unique ID
3 - Legit user sends the token
4 - Perimeter checks the token
5 - Valid device + user = access
[Diagram: SDP Client Device → SDP Controller over the Control Plane (AuthN + Encryption Key) → Protected Hosts over the Data Plane]
11. Use Case – Anti-DDoS
[Diagram: SDP Client Device, Control Plane, Data Plane, AuthN + Encryption Key]
Today, packet filtering and load distribution techniques affect all good traffic.
With SDP:
• Hosts are hidden
• Clients coordinate w/ multiple perimeters
• Good packets known
• Upstream routers informed about bad packets
• Akamai (content distribution)
• Avaya (networking hardware)
• Verizon (network provider) etc.
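The five-step flow on slide 10 (hidden hosts, unique client ID, token sent, token checked, valid device + user = access) and the slide 11 idea that only "known good" packets reach a host while everything else is recorded for upstream blocking, worked through as an added Python example. This is illustrative code written for this page; it is not Waverley Labs' software nor the Cloud Security Alliance's SDP reference implementation. It assumes a per-device HMAC key handed out at onboarding (a stand-in for the mTLS client certificate SDP actually uses), a constructed user-to-device binding table, and a "dynamic firewall" modelled as an in-memory allow set; the device ids, user names, keys and addresses are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed demo data (not from the deck): a per-device key the SDP
# controller issued at onboarding, and the user->device bindings it holds.
# A real SDP carries device identity in an mTLS certificate; the HMAC key
# stands in for it so the example runs offline.
DEVICE_KEYS = {
    "dev-001": bytes.fromhex("a3" * 32),
    "dev-002": bytes.fromhex("b4" * 32),
}
USER_DEVICES = {
    "alice": {"dev-001"},
    "bob": {"dev-002"},
}


def make_spa_token(user_id, device_id, key, now=None, nonce=None):
    """Client side (step 3): sign user, device, timestamp and nonce with the
    device key. The token names no protected host, so it leaks nothing
    about what sits behind the perimeter."""
    now = int(time.time()) if now is None else now
    nonce = os.urandom(8).hex() if nonce is None else nonce
    body = json.dumps(
        {"user": user_id, "device": device_id, "ts": now, "nonce": nonce},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(body + b"." + mac).decode()


class Perimeter:
    """Controller/gateway side (steps 1, 4, 5): hosts behind it answer
    nothing until a valid token has opened an allow entry."""

    def __init__(self, device_keys, user_devices, max_skew=30):
        self.device_keys = device_keys
        self.user_devices = user_devices
        self.max_skew = max_skew      # seconds of clock drift tolerated
        self.seen_nonces = set()      # replay cache (needs expiry in production)
        self.allowed = set()          # dynamic firewall: admitted (user, device)
        self.bad_sources = []         # what would be reported to upstream routers

    def check_token(self, token, now=None):
        """Step 4. Returns (ok, reason). Every failure is a silent drop from
        the client's point of view; the reason is for the perimeter's log."""
        now = int(time.time()) if now is None else now
        try:
            raw = base64.urlsafe_b64decode(token.encode())
            body, _, mac = raw.rpartition(b".")
            claims = json.loads(body)
        except (ValueError, TypeError):
            return False, "malformed"
        if not isinstance(claims, dict) or not {"user", "device", "ts", "nonce"} <= claims.keys():
            return False, "malformed"
        if not isinstance(claims["ts"], int):
            return False, "malformed"
        key = self.device_keys.get(claims["device"])
        if key is None:
            return False, "unknown device"
        expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, mac):   # constant-time compare
            return False, "bad signature"
        if abs(now - claims["ts"]) > self.max_skew:
            return False, "stale"
        if claims["nonce"] in self.seen_nonces:
            return False, "replay"
        if claims["device"] not in self.user_devices.get(claims["user"], set()):
            return False, "device not bound to user"
        # Step 5: valid device + user = access.
        self.seen_nonces.add(claims["nonce"])
        self.allowed.add((claims["user"], claims["device"]))
        return True, "ok"

    def admit(self, packet):
        """Data plane: only packets from a (user, device) pair that passed the
        token check are 'good packets'. Anything else is dropped and its
        source recorded so it can be pushed upstream rather than absorbed."""
        if (packet.get("user"), packet.get("device")) in self.allowed:
            return True
        self.bad_sources.append(packet.get("src"))
        return False


if __name__ == "__main__":
    p = Perimeter(DEVICE_KEYS, USER_DEVICES)
    t = make_spa_token("alice", "dev-001", DEVICE_KEYS["dev-001"])
    print(p.check_token(t))   # first use succeeds
    print(p.check_token(t))   # same token again is a replay
    print(p.admit({"src": "203.0.113.9", "user": "alice", "device": "dev-001"}))
    print(p.admit({"src": "198.51.100.7"}))   # unknown source, recorded for upstream
```

The order of checks matters: the signature is verified before the timestamp or nonce is trusted, so a forged packet cannot pollute the replay cache, and every failure path returns without answering the client, which is the "black" property the deck describes. The nonce set grows without bound here; a deployment would bound it by the skew window.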
12. Open Source Community
Software Defined Perimeter
• Coca Cola: removing VPN and 2-Factor AuthN has improved user experience
• Coca Cola: User access limited to a single connection to each authorized application – eliminating malware and information theft
• Coca Cola: Removing access to business applications on the internet is reducing attacks
• Mazda: easier to isolate authorized and unauthorized users/devices
• Google: Enabled BYOD and reduced the number of company laptops
13. SDP: New model with many benefits
• Wrap applications in a black cloud – inaccessible by the bad guys
• Simplifying what has been a complex landscape
– Point products go to background
• Clear vision to the security failure presenting greatest risk
• Cost effective
– Over time eliminate costs of some point solutions and the headcount to manage them
• Less vulnerable to talent drain
– SDP is smart
• Lower risk: Effort equal to risk
– Prioritize applications that present the greatest risk
– Optimized by defining failure scenarios
• Effective assurance for risk insurance