Software Defined Perimeter - CLOUDSEC

Software Defined Perimeter: Building Secure Global Networks in an Age of Technology Consumerisation. Freddy Tan, MSc, CISSP, SMSCS, APAC Strategy Advisor, Cloud Security Alliance. #CLOUDSEC

34 pages. Uploaded by phamhuong, posted 16-Jun-2018.

TRANSCRIPT

Page 1: Software Defined Perimeter - CLOUDSEC

Software Defined Perimeter: Building Secure Global Networks in an Age of Technology Consumerisation

FREDDY TAN, MSc, CISSP, SMSCS APAC STRATEGY ADVISOR CLOUD SECURITY ALLIANCE

#CLOUDSEC

Page 2:

About the Cloud Security Alliance
• Global, not-for-profit organisation
• Member-driven organization of 300 members, with over 58,000 individual members in 65 chapters worldwide
• Building best practices and a trusted cloud ecosystem
• Agile philosophy, rapid development of applied research
  – GRC: balance compliance with risk management
  – Reference models: build using existing standards
  – Identity: a key foundation of a functioning cloud economy
  – Champion interoperability
  – Enable innovation
  – Advocacy of prudent public policy

“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

Page 3:

CSA APAC in a nutshell

Official chapters:
• Japan
• Korea
• Greater China Regional Coordinating Body: Beijing, Shanghai, Hong Kong & Macau, Taiwan
• Thailand
• Singapore
• India Regional Coordinating Body: Mumbai, Bangalore
• Australia
• New Zealand

In development:
• Malaysia
• Indonesia
• Pakistan
• India: NCR, New Delhi, Chennai, Pune

Page 4:

TECH CONSUMERIZATION: It’s all interconnected

www.cloudsec.com | #CLOUDSEC

Page 5:

Internet Trends

• IPv4 uses 32-bit (four-byte) addresses, which limits the address space to 4,294,967,296 (2^32) addresses

Page 6:

Internet Trends

• IPv6 uses a 128-bit address, allowing 2^128, or approximately 3.4×10^38 (340 trillion trillion trillion) addresses, i.e. 51,557,934,381,960,373,252,026,455,671 addresses per person
• IPv6 creates new opportunities for businesses, but also for online hackers and criminals

Page 7:

New  Digital  Landscape  

• Internet of Things (IoT)
  – By the year 2015, more than 6 billion devices and systems will be connected to each other and exchanging data via the internet
  – Ericsson has a vision of 50 billion connected devices by 2020

Page 8:

Tech consumerization: It’s all interconnected

• Cloud
• Smart Mobile
• Big Data
• Social
• Internet of Things
• Digital Natives

Page 9:

Corporate IT Trends
• Consumerization of IT
• BYOD
• Mobile everything
• Number of devices per person
• BU-initiated SaaS
• Federation of IT BUs
• Globalization

Page 10:

Key trust issues in cloud

• Transparency & visibility from providers
• Compatible laws across jurisdictions
• Data sovereignty
• Incomplete standards
• Lack of true multi-tenant technologies & architecture
• Incomplete Identity Management implementations
• Risk concentration

Page 11:

Cyber attacks are everywhere

* Inside a Hacker’s Playbook - Trustwave

Page 12:

Page 13:

Once upon a time, things were simple

[Diagram: Employees on PCs and Macs and the Servers sit inside a single Perimeter behind a VPN Firewall; the remote Sales Guy comes in through the VPN]

Page 14:

Mobility, clouds & outsourcing changed everything

[Diagram: the same PC, Mac and Server estate inside the Perimeter, now ringed by point controls (Access Audit Logging, Configuration Compliance, Intrusion Detection, Network Firewall, VPN, Access Control, Intrusion Prevention, DDoS Prevention, Web Proxy Server, URL Content Monitoring, Web Access Scanning, Mobile Device Management) while Clouds, Mobile users, Contractors, Partners and the Sales Guy all connect from outside through the VPN Firewall]

Page 15:

The concept of trust has changed

• No device, no person can be “Trusted”
• But legacy vendors / system integrators
  – Have not changed
  – Recommend 20-year-old tools
• We need a new paradigm

Page 16:

SOFTWARE DEFINED PERIMETER (SDP): CSA’s Software Defined Perimeter (SDP) research project

Page 17:

SDP provides a solution for the open enterprise

[Diagram: Employees (PC, Mac), Servers, the Sales Guy, Mobile users, Contractors, Partners and Clouds, each wrapped in its own Perimeter]

The CSA’s Software Defined Perimeter (SDP) research project represents a breakthrough approach to security, and is a collaboration among more than 100 companies and U.S. government organizations. Companies such as Coca-Cola, Verizon Communications Inc., Mazda Motor Corp. and other members of the CSA are contributing to a new standard for perimeter security.

Page 18:

What’s different?

• Also called a “Black Cloud”
  – Application infrastructure is effectively “black”, with no visible DNS information or IP addresses
• Standardization of the “need-to-know” access model
  – Connectivity based on a need-to-know model
  – Deployed with the DoD for many years but rarely seen in the commercial world
• Integrates the latest ideas from NIST & other experts
  – Mutual TLS with DHE, device attestation, identity-based access
• Public domain project
  – Integrates existing standards & best practices into an industry standard

Page 19:

SDP: elastic, encrypted containers

Software Defined Perimeter
• Identity-based access
• Any device to any infrastructure
• Strong cryptographic attestation
• Complementary to SDN
• Leverages cloud strengths

[Diagram: Personal Devices, App Infrastructure, Physical/Virtual Infrastructure and Internet of Things, each reached through the SDP]

Page 20:

SDP applications

• Enterprise Application Isolation
• Private Cloud and Hybrid Cloud
• Software as a Service
• Infrastructure as a Service
• Platform as a Service
• Cloud-Based VDI
• Internet of Things

Page 21:

SDP standard model

[Diagram: Initiating Host, SDP Controller and Accepting Host; the Data path runs between Initiating Host and Accepting Host once access has been granted]

Page 22:

Basic workflow

[Diagram: SDP Controller backed by IdP / AD; all calls over Mutual TLS; (1) API to Request Access, (2) API to Verify Identity, (3) API to Provision Access]

Page 23:

. . . a bit more detail

[Diagram: the SDP Controller consults IdP / AD, a Location Service, a Fingerprint Service, PKI and Software Attestation; the Trusted App reaches the protected data over Mutual TLS, subject to access control]

Security Controls:
• Single Packet Authentication
• PKI / Key Verification
• Dynamic Firewall
• DHE Mutual TLS
• Device Fingerprint
• Software Verification
• Geo Location
• Application Whitelisting
• Identity Verification
• Group Policy
• Whitelisted Services
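The workflow on pages 22 and 23, and the single packet authorization layer that the hackathon on page 25 refers to, condensed into an added Python example (this is not code from the slides or from the CSA SDP project). The accepting host silently drops every packet that is not a fresh, authenticated SPA knock, so it stays "black" to scanners; the controller then looks the identity up in a need-to-know policy and pushes a per-client rule to the accepting host, which is the "dynamic firewall" control. The SPA wire layout, the HMAC-SHA256 construction, the 30-second freshness window, the device key and the policy table are all assumptions made for this example; mutual TLS, device fingerprinting and geolocation are not modelled.

```python
"""Toy Software Defined Perimeter (SDP) flow: single packet authorization (SPA)
at the accepting host, identity/policy check at the controller, and a per-client
"dynamic firewall" rule. Added example; wire format, field names and the policy
table are assumptions for illustration, not the CSA SDP specification."""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Set, Tuple

SPA_WINDOW_SECONDS = 30  # SPA packets older than this are treated as replays

# Constructed sample data: one enrolled device with a pre-shared SPA key
# (in a real deployment the key is provisioned during device onboarding).
DEVICE_KEYS = {"laptop-1234": bytes.fromhex("0f" * 32)}

# Constructed need-to-know policy: (user, device) -> services the client may reach.
POLICY = {("alice", "laptop-1234"): {("10.0.0.5", 443), ("10.0.0.6", 22)}}

# Assumed SPA layout: 2-byte id length | id | 8-byte timestamp | 16-byte nonce | 32-byte HMAC
TS_LEN, NONCE_LEN, TAG_LEN = 8, 16, 32


def build_spa_packet(device_id: str, key: bytes, now: Optional[float] = None) -> bytes:
    """Initiating host side: build an HMAC-SHA256 authenticated SPA packet."""
    ts = int(time.time() if now is None else now)
    ident = device_id.encode()
    body = struct.pack("!H", len(ident)) + ident + struct.pack("!Q", ts) + os.urandom(NONCE_LEN)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class AcceptingHost:
    """Default-drop front end: answers nobody until a valid SPA packet has been seen."""

    def __init__(self) -> None:
        self.seen_nonces: Set[bytes] = set()                # replay protection
        self.allowed: Set[Tuple[str, str, int]] = set()     # dynamic firewall rules

    def verify_spa(self, packet: bytes, now: Optional[float] = None) -> Optional[str]:
        """Return the device id if the packet is authentic, fresh and unseen; otherwise None
        (the caller drops the packet without replying, so the service stays "black")."""
        now = time.time() if now is None else now
        if len(packet) < 2:
            return None
        (id_len,) = struct.unpack("!H", packet[:2])
        end_id = 2 + id_len
        if len(packet) != end_id + TS_LEN + NONCE_LEN + TAG_LEN:
            return None                                     # malformed: drop
        device_id = packet[2:end_id].decode(errors="replace")
        (ts,) = struct.unpack("!Q", packet[end_id:end_id + TS_LEN])
        nonce = packet[end_id + TS_LEN:end_id + TS_LEN + NONCE_LEN]
        tag = packet[-TAG_LEN:]
        key = DEVICE_KEYS.get(device_id)
        if key is None:
            return None                                     # unknown device
        expected = hmac.new(key, packet[:-TAG_LEN], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                                     # forged or corrupted
        if abs(now - ts) > SPA_WINDOW_SECONDS:
            return None                                     # stale capture replayed later
        if nonce in self.seen_nonces:
            return None                                     # replay inside the window
        self.seen_nonces.add(nonce)
        return device_id

    def provision(self, client_id: str, dst_ip: str, dst_port: int) -> None:
        """Open a rule for exactly this client and this service (what the controller pushes)."""
        self.allowed.add((client_id, dst_ip, dst_port))

    def is_allowed(self, client_id: str, dst_ip: str, dst_port: int) -> bool:
        return (client_id, dst_ip, dst_port) in self.allowed


class Controller:
    """Stands in for the IdP/AD lookup and the 'provision access' API call to the AH."""

    def request_access(self, user: str, device_id: str, ah: AcceptingHost) -> Set[Tuple[str, int]]:
        services = POLICY.get((user, device_id), set())
        for ip, port in services:
            ah.provision(device_id, ip, port)
        return services


def demo_flow(user: str, device_id: str, key: bytes, now: float) -> Set[Tuple[str, int]]:
    """Run the three-step workflow and return the services the client can now reach."""
    ah = AcceptingHost()
    # 1. IH knocks with an SPA packet; anything invalid is dropped without a reply.
    if ah.verify_spa(build_spa_packet(device_id, key, now), now) is None:
        return set()
    # 2./3. Controller verifies identity against policy and provisions access on the AH.
    Controller().request_access(user, device_id, ah)
    return {(ip, port) for (_, ip, port) in ah.allowed}


if __name__ == "__main__":
    t = time.time()
    print(demo_flow("alice", "laptop-1234", DEVICE_KEYS["laptop-1234"], t))  # alice's two services
    print(demo_flow("mallory", "laptop-1234", b"\x00" * 32, t))             # set(): wrong key
```

The three failure paths worth noticing are the ones the slide's "5 billion packets" figure hints at: a packet with a bad HMAC, an old capture replayed outside the window, and a fresh capture replayed inside the window all return None with no response on the wire, so an attacker scanning the accepting host learns nothing about whether a service exists. A valid knock from an enrolled device still yields no access unless the controller's policy grants that identity a service.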

Page 24:

What SDP delivers . . . a lot!

Attack classes the SDP model is designed to mitigate:

APT / Malware: scan the network, pass-the-hash, pass-the-ticket, password cracking, OS & application exploits, SQLi and injection attacks, Cross Site Scripting (XSS), directory traversal, attack the backup servers

Application layer: SQL / server protocol injection, session hijack, Cross Site Scripting, object reference, misconfiguration, clear text, function reference, Cross Site Request Forgery, component exploits, URL redirection

Denial of Service: application exploits, resource exhaustion, bandwidth consumption

Man-in-the-Middle: Wi-Fi hot spot, fake site, ARP spoofing, DHCP starvation, MAC table flood, SPAN port

Page 25:

SDP Hackathon during RSA Conference, Apr 2015

• Test of the SDP security model
• “Inside attack” scenario
• Open to the public: top prize of USD 10,000!
• NOTHING HAPPENED?!
• No one was able to circumvent even the first of the five SDP security control layers (the single packet authorization protocol), despite more than 5 billion packets being fired at the SDP.

Page 26:

Follow-ups

Page 27:

Contacts

www.cloudsecurityalliance.org
Copyright © 2014 Cloud Security Alliance

Help Us Secure Cloud Computing

• www.cloudsecurityalliance.org
• [email protected]
• www.isc2.org/ccsp/default.aspx
• LinkedIn: www.linkedin.com/groups?gid=1864210
• Twitter: @cloudsa
• My contact details: [email protected]
