© 2017 Unisys Corporation. All rights reserved. 1


Afterwork event BERN 4 May 2017

Enabling Trust, Security, and Resiliency through Micro-Segmentation

Arnoud Hablous & Fraser Ross


Security is in our DNA – Securing your tomorrow

Why We Need to Change Security

• Tighter regulations
• Zero Trust or Earned Trust model
• Changed IT model – the old security model is dead
• Everything is connected
• Escalating threats – must think trust vs. defense and trusted zones vs. security zones

Our Environment…in 2017

• Global: organized crime, gangs, thieves
• Terrorists
• Non-state activists
• Foreign intelligence services
• Rogue intelligence employees
• Insiders – malicious & unwitting
• Business competitors
• Transients

We Must… Change Our Security Approach

What is Micro-segmentation?

Micro-segmentation limits access to devices or services, to a restricted group or groups, at the level of granularity required by the organisation.

Micro-segmentation uses credentials to determine what you can access, and IP protocol controls to enforce the micro-segmentation policy.

What is Micro-segmentation?

Segmentation is not new:

• Door keys – controlled access to a restricted group (those with keys)
• Passwords – compromised credentials affect one account, not all accounts
• Controlled spaces – barriers and passes limit access
• Network equipment – switches, VLANs, firewalls provide IP protocol controls


Why?

SECURITY


Why?

If you find yourself alone, riding in the green fields with the sun on your face, do not be troubled. For you are in Elysium, and you’re already dead!

Blue Skies


Why?

Outlook is Cloudy


Strong Perimeter – Trusted Core

Security built on “Keeping Everything Out”

Walls, Watch, Wait – sufficient in the “Digital Castle” era?

• Click – targeted phishing attacks
• Forget – patching / legacy
• Misconfigure – firewalls, VLANs, IPS

Business Flexibility – trust inside the network, accessibility

Cost (vs. Risk) – 80% spend on perimeter vs. attackers require 1 success

Digital Castle – Digital City: how big is your perimeter – multi site, multi cloud


Micro-segmentation – Strengthen the Core

Virtually every company today uses firewalls to enforce perimeter security. However, this security model is problematic because, when that perimeter is breached, an attacker has relatively easy access to a company’s privileged intranet. As companies adopt mobile and cloud technologies, the perimeter is becoming increasingly difficult to enforce. -- Google Inc

Micro-Segmentation – already in use in the physical world

[Image: Hatton Garden Safe Deposit Company]

Micro-segmentation – in the digital world:

Protect
• High value assets
• Restrict damage to individual micro-segments
• Prevent network enumeration

Segment
• Restrict East <-> West traffic
• Control North <-> South traffic

Isolate
• Key data & resources

Business Flexibility
• Trust limited to individual segments

Secure your Digital City
• On site, between sites
• In cloud, between clouds

Stealth Timeline

[Timeline figure, 2005–2015: evaluations, certifications and awards for Stealth (“Encrypted Network Security”). Milestones recoverable from the figure:]

• CWID 05 – USAF; CWID 05 – AF Comm Agency
• JFCOM JIL Testbed IO Range; DIACAP MAC-1 Certification – JFCOM
• Combined Endeavour – EUCOM
• CWID 08 – DISA; CWID 09 – DISA; JUICE 09 – CECOM
• CWID 10 – SOCOM, Network Risk Assessment; DIACAP MAC-1 Certification
• GTRI DJC2 PMO
• SPAWAR Private Lab SSVT Validation: failed to compromise
• “Large Integrator” tests and fails to break Stealth
• IV&V – National Center for Counter-terrorism and Cybercrime
• SOCOM Export License – Dept of Commerce
• FIPS 140-2 Certification – NIST
• EAL4+ Certification – NIAP
• SOCOM R&D Prototype
• Emerald Warrior ‘12 – SIPRNet IATT
• Independent test, client-hired 3rd party: failed to compromise; and again, different client, different tester: failed to compromise; and again…
• Commercial & Public Sector
• InterOp 2012 “Hot New Product” – award winning
• 2015 – 3rd party QSA and pen testing – PCI Compliance
• Frost & Sullivan 2015 New Product Innovation Award

Glossary: DIACAP – DoD Information Assurance Certification and Accreditation Process; MAC – Mission Assurance Category (Level 1 is highest); DISA – Defense Systems Information Agency; EUCOM – European Command; SOCOM – Special Operations Command; JFCOM – Joint Forces Command; JIL – Joint Intelligence Laboratory; CWID – Coalition Warrior Interoperability Demonstration; JUICE – Joint User Interoperability Communications Exercise; CECOM – Communications Electronics Command (US Army); GTRI – Georgia Tech Research Institute; DJC2 – Deployable Joint Command and Control; NIST – National Institute of Standards and Technology; NIAP – National Information Assurance Partnership

Stealth - Layered Security

Layered Approach
• Stealth is used as part of a security strategy to harden the centre
• Works with the existing tactical security solutions
• Can be focused or as far reaching as the organisation’s strategy requires

How Stealth Works

Stealth’s Patented Technology Has 4 Key Elements

• Encrypt – cryptographic protocols
• Secure – transparent to applications; cloaked endpoints
• Segment – virtual Communities of Interest
• Least Privilege – integration with identity management systems

[Diagram: OSI stack – 7. Application, 6. Presentation, 5. Session, 4. Transport, 3. Network, 2. Data Link, 1. Physical – with the NIC and “Stealth Intercept” shown at the bottom of the stack]

Physical

• Segregation now a function of logical Stealth COIs
• Traffic secured between physical devices no longer reliant on network topology
• Server – Server
• Workstation – Server
• Workstation – Workstation

Virtual Environment

• Stealth communication between VMs and other physical or virtual systems on the network
• Segregated from Host OS traffic – Data in Motion is encrypted
• Mix of Stealth’d and non-Stealth’d on the same infrastructure

Cloud

• Extended support for Azure and AWS
• Extend datacentre whilst maintaining North-South control
• East-West control in physical, virtual and cloud deployments

Access

• Stealth Remote Access (SRA)
• Cisco ASA 55xx – required
• Checks credentials (RADIUS)
• Stealth’d end points connect across network infrastructure

Asset Protection

• Stealth Virtual Gateway (SVG)
• Stealth’d from SVG inwards
• Physical or VLAN segregation outwards from SVG
• Hide & control access to legacy OS
• Hide & control access to IP devices which cannot host Stealth agents

Controlled Interaction

[Diagram: Dev, Internal Users and External Users reaching a Stealth-protected service]

• Stage 1 – Dev Ops ONLY
• Stage 2 – Internal Test Users
• Stage 3 – External Users
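As an added illustration (not Unisys Stealth code, and not from this deck), the Python below models the identity-driven Community of Interest policy that the “What is Micro-segmentation?” and “How Stealth Works” slides describe, together with the staged rollout above: endpoints inherit COIs from their identity groups, traffic passes only between COI members, non-member traffic is dropped without a reply so the endpoint stays cloaked to enumeration, and the policy admits one audience per stage. All endpoint names, groups and addresses are constructed.

```python
from dataclasses import dataclass

# Simplified model of identity-driven micro-segmentation (added illustration,
# not Unisys Stealth code). Endpoints inherit communities of interest (COIs)
# from identity groups; traffic passes only between COI members, and anything
# else is dropped with no reply, so non-members cannot even enumerate the host.

@dataclass(frozen=True)
class Endpoint:
    name: str
    ip: str
    groups: frozenset  # identity groups, as an IdM integration would supply

def policy_for_stage(stage):
    """Controlled interaction: admit one audience per stage to the 'app' COI.
    Stage 1 = dev ops only, 2 = + internal test users, 3 = + external users."""
    audiences = ["devops", "internal-testers", "external-users"][:stage]
    policy = {group: {"app"} for group in audiences}
    policy["app-servers"] = {"app"}
    policy["finance"] = {"finance"}  # unrelated segment, isolated throughout
    return policy

def cois(endpoint, policy):
    """COIs an endpoint belongs to under the given group-to-COI policy."""
    return set().union(*(policy.get(g, set()) for g in endpoint.groups))

def decide(src, dst, policy):
    """ALLOW if src and dst share a COI, else DROP (silent: no RST, no ICMP)."""
    return "ALLOW" if cois(src, policy) & cois(dst, policy) else "DROP"

def visible_from(scanner, hosts, policy):
    """What a scan from `scanner` can enumerate: only fellow COI members answer."""
    return sorted(h.name for h in hosts
                  if h is not scanner and decide(scanner, h, policy) == "ALLOW")

# Constructed sample estate (hypothetical names, documentation addresses).
DEV = Endpoint("dev-ws", "10.0.1.10", frozenset({"devops"}))
TESTER = Endpoint("test-ws", "10.0.1.20", frozenset({"internal-testers"}))
EXTERNAL = Endpoint("ext-ws", "203.0.113.5", frozenset({"external-users"}))
APP = Endpoint("app-srv", "10.0.2.10", frozenset({"app-servers"}))
FIN = Endpoint("fin-srv", "10.0.3.10", frozenset({"finance"}))
ESTATE = [DEV, TESTER, EXTERNAL, APP, FIN]

if __name__ == "__main__":
    for stage in (1, 2, 3):
        p = policy_for_stage(stage)
        print(f"stage {stage}:", {e.name: decide(e, APP, p) for e in (DEV, TESTER, EXTERNAL)})
    # Even a compromised app server sees nothing outside its own COI.
    print("visible from app-srv:", visible_from(APP, ESTATE, policy_for_stage(3)))
    print("visible from fin-srv:", visible_from(FIN, ESTATE, policy_for_stage(3)))
```

The point to check in a real deployment is the last two lines: a host that is not a member of a COI should get no answer at all from its members, not a rejection, since a rejection still confirms the endpoint exists.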


Data Lake – Unstructured Data

[Diagram: a Data Lake of unstructured data made up of Data Puddles served by Processing Clusters, protected by Stealth]

• Data Puddles – storage of unstructured data still needs to meet regulatory requirements
• Access to individual Data Puddles is restricted by Stealth COI
• Data Lake can span across on-premise and cloud infrastructure – COI data is encrypted in motion
• Maintain segregation while using the same virtual infrastructure

Assured Protection in the Cloud

Stealth
• Who else is sharing the cloud?
• Cryptographically defines boundaries
• Reduce scope for audit and compliance
• Can be an extension of your on-premise Stealth or completely standalone
• Your private cloud – in a public space

Extend into the Cloud on your Terms

Stealth
• Control which users and services can access the cloud
• Reduce scope for audit and compliance
• Key material and Stealth Agents unique to your organisation
• Restrict “Backwash”

Secure Your Valuables

What’s Important to YOU
• Identify critical data resources – restrict who can see them
• Identify critical processing nodes – restrict who can access them

Personnel? Operations? Financial?

Buffer Third Party Cloud Services

Firewalls & VLANs
• Low granularity of control & flexibility

Stealth
• Highly flexible – moves with the user
• Granularity controlled from configuration server
• Reduced hardware
• Secure data path
• Restrict ingress back into estate

[Diagram: Gateway Servers and Workstations]

Summary

• Unisys Stealth can be deployed across the board or flexibly for the dedicated protection of critical infrastructures.

• Deploying Stealth requires no changes whatsoever to your IT infrastructure.

• Because it is purely software-based, micro-segmentation of your network costs a fraction of conventional solutions, and all end points become invisible.

• Other encryption solutions for data in motion become obsolete.

• Deploying Stealth raises your security posture many times over.

Unisys Managed Security Services – Next Step

Schedule a workshop and 3 month POC

Show the value in your environment!!

Some requirements for Stealth:
• 3 x servers (Enterprise Manager & 2 x Authorisation Servers)
• Test Client (for Stealth installation validation)
• Test Server (for Stealth installation validation)
• Certificate for code signing
• Access to the certificate validation server (e.g. OCSP, CRL repository)
• All servers and clients domain joined

Cost: CHF 20’000.-

“Almost” at the end…

Contact and further information

Further information on Stealth and Unisys Security in general is available at: https://unisyssecurity.com/

Contact on this topic: talk to your Unisys account manager about it, or simply contact:

Martin [email protected] +41 79 240 81 03