Software Defined Perimeter: Securing the Cloud to the Internet of Things

Similar documents
Software Defined Perimeter Working Group. SDP Hackathon Whitepaper

Public Key Infrastructure (PKI)

Security Considerations for DirectAccess Deployments. Whitepaper

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Vidder PrecisionAccess

A Survey on Cloud Security Issues and Techniques

CSA SDP Working Group

Sync Security and Privacy Brief

Deploy Remote Desktop Gateway on the AWS Cloud

Centrify Cloud Connector Deployment Guide

The basic groups of components are described below. Fig X- 1 shows the relationship between components on a network.

Implementing and Administering Security in a Microsoft Windows Server 2003 Network

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

App Orchestration 2.0

ISM/ISC Middleware Module

Snow Agent System Pilot Deployment version

Cornerstones of Security

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

SDP Hackathon #4 Analysis & Report

The Convergence of IT Security and Physical Access Control

PULSE SECURE FOR GOOGLE ANDROID

Simone Brunozzi, AWS Technology Evangelist, APAC. Fortress in the Cloud

Security Solution Architecture for VDI

OCTOBER 2015 TAULIA SUPPLIER ARCHITECTURE OVERVIEW TAULIA 201 MISSION STREET SAN FRANCISCO CA 94105

AWS Security. Security is Job Zero! CJ Moses Deputy Chief Information Security Officer. AWS Gov Cloud Summit II

Cisco Which VPN Solution is Right for You?

Strong Authentication: Enabling Efficiency and Maximizing Security in Your Microsoft Environment

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

Connectivity to Polycom RealPresence Platform Source Data

Lecture 02b Cloud Computing II

Workflow Guide. Establish Site-to-Site VPN Connection using RSA Keys. For Customers with Sophos Firewall Document Date: November 2015

Our Key Security Features Are:

White Paper. Protecting Mobile Apps with Citrix XenMobile and MDX. citrix.com

Securing Internet Facing. Applications. Technical White Paper. configuration drift, in which IT members open up ports or make small, supposedly

The Convergence of IT Security and Physical Access Control

IINS Implementing Cisco Network Security 3.0 (IINS)

FileCloud Security FAQ

Basics of SSL Certification

A Survey on Security Threats and Security Technology Analysis for Secured Cloud Services

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

Public Key Applications & Usage A Brief Insight

PRIVACY, SECURITY AND THE VOLLY SERVICE

CS5008: Internet Computing

Zendesk SSO with Cloud Secure using MobileIron MDM Server and Okta

Chapter 10. Cloud Security Mechanisms

The New Key Management:

Configuration Guide for RFMS 3.0 Initial Configuration. WiNG 5 How-To Guide. Digital Certificates. July 2011 Revision 1.0

Blue Jeans Network Security Features

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

Technical White Paper

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Cisco Intercloud Fabric Security Features: Technical Overview

ADDING STRONGER AUTHENTICATION for VPN Access Control

With a little bit of IPv6 magic: Windows 7 DirectAccess

Introduction to SAML

PowerChute TM Network Shutdown Security Features & Deployment

Presentation_ID. 2001, Cisco Systems, Inc. All rights reserved.

VMware vcloud Networking and Security Overview

CTS2134 Introduction to Networking. Module Network Security

Lightweight Security using Identity-Based Encryption Guido Appenzeller

Using Entrust certificates with VPN

Host Access Management and Security Server

Implementing Cisco IOS Network Security

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

EXAM Recertification for MCSE: Server Infrastructure. Buy Full Product.

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

WHITEPAPER. SECUREAUTH 2-FACTOR AS A SERVICE 2FaaS

Introduction to Mobile Access Gateway Installation

How To Protect Your Cloud From Attack

Keywords Cloud Storage, Error Identification, Partitioning, Cloud Storage Integrity Checking, Digital Signature Extraction, Encryption, Decryption

Secure Web Access Solution

The increasing popularity of mobile devices is rapidly changing how and where we

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

vcloud Director User's Guide

THE BLUENOSE SECURITY FRAMEWORK

Microsoft OCS with IPC-R: SIP (M)TLS Trunking. directpacket Product Supplement

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements:

ViSolve Open Source Solutions

Achieving PCI Compliance Using F5 Products

Data Protection: From PKI to Virtualization & Cloud

Choosing an MDM Platform

NEFSIS DEDICATED SERVER

Implementing Cisco IOS Network Security v2.0 (IINS)

STRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview

Enterprise Mobility Management Migration Migrating from Legacy EMM to an epo Managed EMM Environment. Paul Luetje Enterprise Solutions Architect

The English translation Of MBA Standard 0301

Introduction to the Mobile Access Gateway

IIS 6.0SSL Certificate Deployment Guide

Information Security Basic Concepts

Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W

End-to-end Secure Cloud Services a Pertino whitepaper

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Transcription:

Software Defined Perimeter: Securing the Cloud to the Internet of Things SESSION ID: CDS-T08 Jim Reavis Chief Executive Officer Cloud Security Alliance @cloudsa

About Cloud Security Alliance Global, not-for-profit organization Building security best practices for next generation IT Research and Educational Programs Cloud Provider Certification CSA STAR User Certification - CCSK The globally authoritative source for Trust in the Cloud To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing. 2

Cloud Security Alliance Fast Facts Founded in 2009 Membership stats as of July 2014 57,000 individual members, 75 chapters globally 250 corporate members Offices in Seattle USA, Singapore, Greece, Beijing (2014) Over 30 research projects in 25 working groups Strategic partnerships with governments, research institutions, professional associations and industry www.cloudsecurityalliance.org 3

Software Defined Perimeter Architecture for creating highly secure and trusted end-to-end networks BYOD and Internet of Things Secure virtual private clouds Make network dark until entity is authenticated Create dynamic perimeters around clients, applications and hosts Complementary to Software Defined Networks (SDN)

What's different? Standardization of "Need-to-know" access model Deployed with Classified, Top Secret networks for many years but rarely seen in the commercial world Substantial portions of Internet must be made Dark Integrates latest ideas from NIST & other experts Mutual TLS DHE, Device attestation, identity-based access Public domain project Integrates existing standards & best practices into an industry standard

What s different? We have separated Control communications from Data communications Servers do not accept inbound connections by default effectively making them invisible Controller maintains authorized clients Initiating SDP Controller Data Accepting Initiating Data/Control Internet of Today Accepting 6

SDP Applications Enterprise Application Isolation Infrastructure as a Service (Virtual Private Cloud) Software as a Service Platform as a Service SDP Controller Cloud-based VDI BYOD, Mobile Internet-of-Things Initiating Data Accepting 7

Five Layers of Security Controls Single Packet Authorization (SPA) Mutual Transport Layer Security (mtls) Device Validation Dynamic Firewalls Application Binding SDP Controller Initiating Data Accepting 8

Single Packet Authorization (SPA) Single Packet Authorization One-Time Password Makes server invisible Mitigates DoS attacks, simplifies attack detection Based on RFC 4226 (HMAC-Based One-Time Password Algorithm) Seed: secret 32 bit signed integer for communication pairs Counter: 64 bit unsigned integer for synchronizing communications between pairs Password: generated by the RFC 4226 algorithm After receiving the packet, the server must enable the client to connect via mutual TLS on port 443 9

Mutual Transport Layer Security (mtls) TLS typically only authenticates servers, not clients Mutual TLS is bi-directional authenticates clients Validates both entities as part of the SDP Root certificate must be known valid root Avoid Root CA explosion in common browsers How root certificate is installed outside of SDP specification Cloud orchestration tools may be used 10

Device Validation Validates that the proper device holds the private key Proves that the key is not stolen Not included in version 1.0 specification Common endpoints have many of elements of uniqueness Many methods of device validation in the market 11

Dynamic Firewalls / SDP Gateways SDP Gateway: special version of Accepting that protects servers One initial rule: Deny All Dynamically adds a Permit rule for Initiating to Protected Server as instructed by SDP Controller Initiating SDP Controller Accepting / SDP Gateway 12

Application Binding After authenticating and authorizing both the device and the user, the software defined perimeter creates encrypted TLS tunnels to the protected applications Application binding constrains authorized applications so they can only communicate through those encrypted tunnels SDP simultaneously blocks all other applications from using those tunnels Malware resident on device cannot access encrypted tunnel 13

Basic Workflow PKI Fingerprint Service Software Attestation Location Service IdP AD 14

SDP Virtual Private Cloud Use Case One or more Accepting (s) acting as SDP Gateway Locked Down Virtual Machine template Dynamic expansion via common cloud orchestration tools Dark cloud inside of a public cloud Initiating SDP Controller Accepting / SDP Gateway 15

SDP Internet of Things Use Case Smart Power Meter with SDP client acts as an Initiating Initiating : Meter w/ SDP Client SW SDP Controller Metering S/W bound to Dynamic VPN according to SDP Controller policy SDP client can be quite small - 50k or less SDP Controller provides authorized Power Meter list to Power Company s Servers or Cloud VMs Can use multiple of the Authentication sources, including geolocation Power Meter sends data only to intended destination Accepting / Power Company Cloud/Server 16

SDP Activities SDP Hackathon @ RSA Conference 2014 Whitepaper Conducted in popular public IaaS 10 billion packets no one got past SPA SDP Specification 1.0 Complete protocol specification Foundation for cloud-based applications Download both at https://cloudsecurityalliance.org/research/sdp/#_downloads Pilots/prototypes at large enterprises Next hacking contest & workshop at CSA Congress US Sept 17-19, San Jose, https://cloudsecurityalliance.org/events/

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information