cryptzone: the software-defined perimeter
TRANSCRIPT
What is a Software-Defined Perimeter (SDP)?
Simple. Secure. Dynamic.
A new network security model that dynamically creates 1:1 network connections between users and the data they access.
How Does an SDP Work?
Traditional TCP/IP: not identity-centric, allows anyone access. “Connect First, Authenticate Second”
Software-Defined Perimeter: identity-centric, only authorized users. “Authenticate First, Connect Second”
SDP Architecture
• Controller is the authentication point, containing user access policies
• Clients are securely onboarded
• All connections are based on mutual TLS connectivity
• Traffic is securely tunneled from Client through Gateway
[Diagram: Protected Applications; SDP Controller; SDP Gateway (Accepting Host); SDP Client (Initiating Host); Controller backed by PKI, Identity Management and Policy Model]
SDP in Action
1. Controller uses PKI and IAM to establish trust. Controller is an authentication point and policy store. System is administered via a graphical admin console.
2. Gateways protect cloud and network resources. Application network traffic passes through the Gateway.
3. Clients are securely onboarded, authenticate to the Controller, and communicate with mutual TLS.
4. Clients access resources via the Gateway:
• Mutual TLS tunnels for data
• Real-time policy enforcement by the Gateway
5. Controller can enhance SIEM and IDS with detailed user activity logs. Controller can query ITSM and other systems for context and attributes to be used in policies.
[Diagram: Protected Applications; AppGate Controller; AppGate Gateway; AppGate Client; Control Channel; Encrypted, Tunneled Data Channel; Controller backed by PKI, Identity Management, Policy Model and Graphical Admin Console; integration with other IT and security systems (SIEM, IDS, ITSM)]
Descriptive Entitlements
Policy: All users in ProjectX are allowed SSH access to all virtual instances where the tag key equals SSH and the value contains ProjectX, if the client anti-virus has the latest updates.
1. Client authenticates to the Controller (backed by Identity provider Y):
• Check for an identity claim ProjectX
• Launch a script to collect AV state
• Send matching entitlements to the client
2. Client connects to the Gateway, bringing the descriptive entitlement: SSH access to AWS://tag:SSH=*ProjectX*
3. Gateway connects to the local cloud API:
• Which instances have a tag with key SSH and a value containing ProjectX?
• Translate it to IP access rules
4. Detect changes; update the IP access rules again.
[Diagram: Controller, Cloud API, Identity provider Y; instances ProjectX and ProjectX2; policy inputs: Device Posture, Multifactor Authentication, Network Location, Contextual Attributes, Enterprise Identity, Auto-detect Cloud Changes, Custom Attributes, Time, Endpoint Agents, Application Permissions]
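The four-step entitlement flow above, as an added Python example that is not Cryptzone/AppGate code: a Controller-side check that issues the entitlement only when the ProjectX identity claim and anti-virus posture conditions hold, and a Gateway-side resolver that turns the AWS://tag:SSH=*ProjectX* selector into IP access rules against a constructed cloud inventory and recomputes them when that inventory changes. The policy and inventory representations, the SELECTOR_RE pattern and all instance data are assumptions constructed for the example.

```python
import fnmatch
import re

# Entitlement selector in the slides' own form, e.g. "AWS://tag:SSH=*ProjectX*"
SELECTOR_RE = re.compile(r"^AWS://tag:(?P<key>[^=]+)=(?P<pattern>.+)$")

# Constructed policy (assumed representation): the slide's rule for ProjectX.
POLICIES = [{"claim": "ProjectX", "require_av_updated": True,
             "entitlement": {"resource": "AWS://tag:SSH=*ProjectX*", "port": 22}}]

def controller_issue_entitlements(session, policies=POLICIES):
    """Controller: authenticate-first step. Only entitlements whose identity claim
    and device-posture conditions the session satisfies are sent to the client."""
    granted = []
    for p in policies:
        if p["claim"] not in session["claims"]:
            continue                      # no ProjectX identity claim
        if p["require_av_updated"] and not session["av_up_to_date"]:
            continue                      # AV posture check failed
        granted.append(p["entitlement"])
    return granted

def gateway_resolve(entitlement, inventory):
    """Gateway: translate a descriptive entitlement into concrete IP access rules
    by matching the selector's tag key/pattern against the cloud inventory."""
    m = SELECTOR_RE.match(entitlement["resource"])
    if m is None:
        raise ValueError("unsupported selector: %r" % entitlement["resource"])
    key, pattern = m.group("key"), m.group("pattern")
    rules = set()
    for inst in inventory:
        value = inst["tags"].get(key)
        if value is not None and fnmatch.fnmatchcase(value, pattern):
            rules.add(("allow", "tcp", inst["ip"], entitlement["port"]))
    return rules

def gateway_refresh(entitlement, old_inventory, new_inventory):
    """Auto-detect cloud changes: return (rules to add, rules to revoke)."""
    before = gateway_resolve(entitlement, old_inventory)
    after = gateway_resolve(entitlement, new_inventory)
    return after - before, before - after

# Constructed sample inventory: two instances tagged for the project, one not.
INVENTORY = [
    {"id": "i-01", "ip": "10.0.1.10", "tags": {"SSH": "ProjectX"}},
    {"id": "i-02", "ip": "10.0.1.11", "tags": {"SSH": "ProjectX2"}},
    {"id": "i-03", "ip": "10.0.2.20", "tags": {"Name": "db"}},
]
```

Note that ProjectX2 is granted as well, because the selector matches values that contain ProjectX, exactly as the slide's policy states.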
Summary
• Utilizes an authenticate-first approach
• Removes attacks including zero day, DDoS and lateral movement
• The Cloud Fabric can now be extended all the way to the user and device
• Leverages legacy applications by extending the SDP architecture
• No longer need traditional network defense equipment (Firewall, VLAN, VPN, etc.)
• Identity-centric security
• Policies on user and cloud instances
Identity-Centric Network Security
To learn more, view “Why a Software-Defined Perimeter”.