Crypto-Segmentation: Protecting Networked Applications When Firewalls Fail

Transcription

1 SESSION ID: SPO-R02 Crypto-Segmentation: Protecting Networked Applications When Firewalls Fail Satyam Tyagi Chief Technology Officer Certes Networks Adam Boone Chief Marketing Officer Certes Networks

2 They are already inside we just have not found them 2

3 Security Crisis: Outdated Architecture Borderless Enterprises Apps digitized, extended outside firewall, rise of Shadow IT Firewalls Fail Access for working = access for hacking Segmentation Chaos SSL, TLS, IPsec, VPN, DMZs, VLANs, ACLs Performance hits Gaps & trade-offs SSL#3 IPsec SSL#2 SSL#1 VLAN#1 Trusted Network No encryption ACL#1 Access Attacks HTTPS No encryption SSL#4 3

4 Impact: Data Breach Crisis In 60% of cases, attacker compromise organization in minutes 75% of attacks spread from Victim 0 to Victim 1 within one day (24 hours) Breach discovery is days or weeks 4

5 The Post-Trust World No internal network can be fully trusted No user can be fully trusted Assume the breach has already happened Architecture based solely on perimeter security (firewalls, IDS/IPS) to keep the bad guys out is obsolete Common strategy is to use network segmentation 5

6 The Dirty Secret of Network Segmentation December 2014 global IT manager survey (Spiceworks) No LAN Crypto- Segmentation Problem: Segmentation of traffic is tied to network infrastructure; disconnected from business rules 66

7 Segmentation Chaos: Fragmentation Attempting to isolate traffic hop by hop, app by app Consumer grade encryption, out of your control VLANs, ACLs, VPNs, IPsec, SSL, TLS, DMZs 77

8 Segmentation Chaos: Too Many Tools Where are VLANs defined and enforced? Are they encrypted? How are WAN links encrypted? Who controls keys? How are they managed? SSL SSL SSL SSL Patient Record App Sensitive Record App Other Network App SSL HQ Data Center VLAN 2 VLAN 1 LAN How many of the apps have their own embedded encryption? Who controls it? What s in it? Do they contain Heartbleed? DR Backup VLAN 1 MPLS Label1 VLAN 2 LAN WAN Internet Siloed Fragmented Gaps HTTPS MPLS Label2 VPN Physician s smartphone Hospital Doctor s office SSL How are apps encrypted to mobile devices? Is it enterprise grade encryption? Who controls keys and algorithms? 88

9 Epic Segmentation Fail Attack Steps VPN: Protection Failed 1 Phishing Steals Password Weak password security PoS System 3. PoS Malware Billing System Other Systems 4. Exf Malware IDS Monitoring 2 VPN established across Internet Anywhere across Internet 3 Malware Installed on PoS No segregation of PoS and Billing 4 Malware Installed No segregation PoS 3. PoS Malware 5. Dump CC 6. Exfiltrate CC 5 Dump CC data No segregation 9 6 CC Exfiltrated VPN: no restriction on outbound connectivity Contractor Retailer Network Internet VPN Access Contractor Network 3. PoS Malware FW/VPN PoS Steal Password PoS 3. PoS Malware 9 Exfiltration Server Attacker

10 Back to the Drawing Board 10

11 What is Security? (Orange Book) Policy: Rules of Security Accountability: Identity and Authorization Assurance: Cannot be bypassed Objective: Move IT security away from the infrastructure and closer to the business rules 11

12 A New Blueprint 12

13 What Is Crypto-Segmentation? Role-based access to cryptographically isolated networked applications Crypto-segments defined per application based on business rules User roles and business policy determine access rights based on verified identity Maintain complete control of keys and key lifecycle Centralizes audit logging for all access Compromise of network, application, user does not compromise crypto-segments: no lateral movement 13

14 Crypto-Segmentation Architecture Sales Enterprise Directory Admin App Crypto-Segments Policy Orchestrator Users and Roles CRM App Billing App Policies & Keys Policy Enforcer VPN Policy Enforcer Policy Enforcer Sales VPN Admin 14

15 Security Evolved Cryptographically assured segmentation Compromises in one segment can not propagate to another segment Strong user identity and role enforcement End-to-end security with no network dependency Security team in control Keys, policies, auditing: orchestrated across all apps, users, networks 15

16 Crypto-Segmentation in Action PoS 3. PoS Malware 3. PoS Malware Enc 3. Stop PoS System 3. PoS Malware Enc 5. Stop Billing System 5. Dump CC Enc Retailer Network 4. Stop 4. Exf Other Malware Systems Enc 6. Exfiltrate CC 6. Stop IDS Monitoring Internet Crypto-Segmentation Per-app flow Per-user multi-factor access control Contractor Network Enc Contractor PoS Steal Password 3. PoS Malware 2. Stop 1. Stop PoS Exfiltration Server Attacker 16

17 Summary: Question the status quo What are your business-driven security requirements? What happens when they change? Does your current network security architecture help or hinder? How does it hold in the new realities of BYOD, mobile, public cloud, SaaS? What happens when a breach takes place? 17

18 Apply Crypto-Segmentation Make a list of your current applications Prioritize most sensitive Which user roles need access when and where? Crypto-segment along these dimensions Make Business needs drive security, not security risk drive business practices I cannot secure this, it will not be on your mobile 18

19 Thank you Satyam Tyagi, CTO, Adam Boone, CMO, CertesNetworks.com 19