Software Defined Perimeter: Reducing the Attack Surface
GTSC, August 17, 2017
Juanita Koilpillai, Waverley Labs
THE STATE OF CYBER SECURITY - STATUS QUO
•  Machine-to-machine connections FORCE securing machines
•  Access to services is allowed BEFORE authentication
•  Firewalls are static – ONLY network information
(Diagram: business services inside the IT perimeter)
•  Conventional wisdom is just that – conventional
SMART COMPANIES ARE SAYING - CYBER SECURITY SOLUTIONS AREN’T GOOD ENOUGH!
•  VPNs - don’t scale, and once inside the network there is no control over what users can access without additional tools
•  Authentication - multi-factor vs. multi-level is hard to implement according to the guidelines; ID management is typically not tied to access control
•  Key management - too many keys to manage effectively, i.e. user keys, device keys, encryption keys
•  Firewalls - are static, and the more rules that need to be added, the more maintenance they need; logs are hard to analyze in real time; onboarding applications is a long process; services are not exposed to just one user
•  Vulnerability/patch management - the number of vulnerabilities is increasing and hard to prioritize, and IT is held hostage by old/legacy applications that are hard to upgrade
THE DIGITAL THREAT LANDSCAPE
Today, many paths exist to attack enterprises:
•  Insider threats within a user group (role)
•  External threats from all over the world
•  Insider threats across user group boundaries
Hackers can’t attack what they can’t see.
Insiders can’t steal what they can’t see.
Enter Software Defined Perimeters (SDP)
•  Connectivity
–  Based on need-to-know access model
–  Device posture & identity verified before access to application infrastructure is granted
•  Application infrastructure
–  Effectively invisible or black
–  No visible DNS information or IP addresses
•  Combines security protocols previously not integrated
–  Single Packet Authentication
–  Mutual Transport Layer Security
–  Device Validation
–  Dynamic Firewalls
–  Application Binding
•  Cloud Security Alliance adopted SDP for its membership
•  Follows NIST guidelines: crypto protocols & securing apps in cloud
SDP Architecture
(Diagram: SDP Controller, SDP Client Device and Protected Host, connected by a Control Plane and a Data Plane)
•  Current: firewall has only network info + static rules; access is granted in order to authenticate
•  SDP: perimeter has user context + dynamic rules; authentication before access
SDP Integration
(Diagram: SDP Controller, SDP Client Device and Protected Host, connected by a Control Plane and a Data Plane)
•  Firewall/gateway provides network awareness
•  Application provides user awareness
•  Client provides device awareness
SDP cryptographically signs clients into the perimeter
1.  Net-facing servers hidden
2.  Legitimate user given unique ID
3.  Legitimate user sends the token
4.  Perimeter checks the token
5.  Valid device + user = access
(Diagram: SDP Controller, SDP Client Device and Protected Host; Control Plane and Data Plane; AuthN + Encryption Key between client and protected host)
Use Case – Anti-DDoS
Today, packet filtering and load distribution techniques affect all good traffic.
With SDP:
•  Hosts are hidden
•  Clients coordinate with multiple perimeters
•  Good packets known
•  Upstream routers informed about bad packets
•  Akamai (content distribution)
•  Avaya (networking hardware)
•  Verizon (network provider) etc.
(Diagram: SDP Client Device, Control Plane and Data Plane, AuthN + Encryption Key)
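As an added illustration, not code from the deck, Waverley Labs or the Cloud Security Alliance, the following Python models the sign-in flow of the "cryptographically signs clients into the perimeter" slide together with the default-drop behaviour behind the "hosts are hidden / good packets known" points of the anti-DDoS slide. The Controller, Perimeter and token format are assumptions made for the demo: the controller issues an HMAC-signed, single-use, short-lived token bound to a user, a device fingerprint and one protected host; the perimeter silently drops every packet that is not a valid authorization packet, records why it dropped it (the information that could be passed to upstream filters), and opens its dynamic allow list only for the verified user/device pair.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional, Set, Tuple


def device_fingerprint(serial: str) -> str:
    """Stand-in for device validation: a stable hash of a device attribute (demo only)."""
    return hashlib.sha256(serial.encode()).hexdigest()[:16]


class Controller:
    """Control plane (step 2): knows every enrolled user/device pair and the host
    each may reach; hands out one-time, short-lived tokens. Hypothetical class."""

    def __init__(self) -> None:
        # Symmetric key shared with each perimeter out of band (constructed for the demo).
        self.key = secrets.token_bytes(32)
        self.grants: Dict[str, Set[Tuple[str, str]]] = {}

    def enroll(self, user: str, device_fp: str, host: str) -> None:
        self.grants.setdefault(user, set()).add((device_fp, host))

    def issue_token(self, user: str, device_fp: str, host: str, ttl: int = 30) -> str:
        if (device_fp, host) not in self.grants.get(user, set()):
            raise PermissionError("user/device/host combination not enrolled")
        nonce = secrets.token_hex(8)                 # makes the token single-use
        expires = int(time.time()) + ttl             # makes it short-lived
        body = f"{user}|{device_fp}|{host}|{nonce}|{expires}"
        tag = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}|{tag}"


class Perimeter:
    """Data-plane gateway in front of one protected host (steps 1, 4 and 5).
    Everything is dropped without a reply until a valid authorization packet arrives."""

    def __init__(self, key: bytes, host: str) -> None:
        self.key = key
        self.host = host
        self.allowed: Dict[Tuple[str, str], int] = {}   # dynamic firewall: pair -> expiry
        self.seen_nonces: Set[str] = set()              # replay protection
        self.dropped: List[str] = []                    # reasons; what upstream could be told

    def handle_packet(self, payload: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if not payload.startswith("SPA "):              # scans, probes, stray traffic
            self.dropped.append("not an authorization packet")
            return "DROP"
        parts = payload[4:].split("|")
        if len(parts) != 6:
            self.dropped.append("malformed authorization packet")
            return "DROP"
        user, device_fp, host, nonce, expires, tag = parts
        expected = hmac.new(self.key, "|".join(parts[:5]).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):      # constant-time check (step 4)
            self.dropped.append("bad signature")
            return "DROP"
        if host != self.host:                           # token bound to a different host
            self.dropped.append("token bound to another host")
            return "DROP"
        if int(expires) < now:
            self.dropped.append("expired token")
            return "DROP"
        if nonce in self.seen_nonces:
            self.dropped.append("replayed token")
            return "DROP"
        self.seen_nonces.add(nonce)
        self.allowed[(user, device_fp)] = int(expires)  # step 5: valid device + user = access
        return "OPEN"

    def is_open(self, user: str, device_fp: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return self.allowed.get((user, device_fp), 0) >= now


def run_demo() -> Dict[str, object]:
    """Walks one legitimate sign-in and several rejected packets; all values constructed."""
    ctrl = Controller()
    gw = Perimeter(ctrl.key, "app.internal")              # step 1: host is hidden behind gw
    alice_dev = device_fingerprint("LAPTOP-SN-0001")      # constructed device serial
    ctrl.enroll("alice", alice_dev, "app.internal")
    token = ctrl.issue_token("alice", alice_dev, "app.internal")   # step 2
    results: Dict[str, object] = {
        "scan": gw.handle_packet("SYN to port 443"),                  # unauthenticated probe
        "first": gw.handle_packet("SPA " + token),                    # step 3 -> 4 -> 5
        "open": gw.is_open("alice", alice_dev),
        "replay": gw.handle_packet("SPA " + token),                   # same token again
        "tampered": gw.handle_packet("SPA " + token.replace("alice", "mallory", 1)),
        "expired": gw.handle_packet("SPA " + ctrl.issue_token("alice", alice_dev, "app.internal"),
                                    now=time.time() + 3600),
    }
    try:  # an unenrolled device never gets a token in the first place
        ctrl.issue_token("alice", device_fingerprint("OTHER-DEVICE"), "app.internal")
        results["unknown_device"] = "TOKEN ISSUED"
    except PermissionError:
        results["unknown_device"] = "REFUSED"
    results["drop_reasons"] = gw.dropped
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point the demo makes about the anti-DDoS slide is that the perimeter never has to classify good traffic by inspection: a packet is either a verifiable authorization packet from an enrolled user and device, or it is dropped, and the drop reasons are exactly the signal that could be handed to upstream filtering.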
Open Source Community: Software Defined Perimeter
•  Coca Cola: removing VPN and 2-factor AuthN has improved user experience
•  Coca Cola: user access limited to a single connection to each authorized application – eliminating malware and information theft
•  Coca Cola: removing access to business applications on the internet is reducing attacks
•  Mazda: easier to isolate authorized and unauthorized users/devices
•  Google: enabled BYOD and reduced the number of company laptops
SDP: New model with many benefits
•  Wrap applications in a black cloud – inaccessible by the bad guys
•  Simplifying what has been a complex landscape
–  Point products go to background
•  Clear vision to the security failure presenting greatest risk
•  Cost effective
–  Over time eliminate costs of some point solutions and the headcount to manage them
•  Less vulnerable to talent drain
–  SDP is smart
•  Lower risk: effort equal to risk
–  Prioritize applications that present the greatest risk
–  Optimized by defining failure scenarios
•  Effective assurance for risk insurance
Continue the conversation . . .
Juanita Koilpillai
jkoilpillai@waverleylabs.com
linkedin.com/in/juanita-koilpillai-5551b111
Cybersecurity Assessments
SDP Design & Implementation
Definition of Failure Scenarios
