SDP - CSA Japan

SDP
Software Defined Perimeter
Verizon Japan G.K.
Technical Solutions Division, Enterprise Architect
工藤 清仁
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.
Enterprise Needs are Changing
(Slide graphic: a word cloud of changing enterprise needs, including latency, topology, connectivity, users, data center location, requirements, end points, cost, risks, resources, customer tolerance, fixed strategy, QoS, balance, mobile, suppliers, performance, devices, CPE and applications.)
Software Defined Perimeter
Temporal Networks as an Open Standard
What Is A Software Defined Perimeter?
• A Security Framework that Protects Application Infrastructure from Network-Based Attacks
• Need-to-Know Connectivity Model With Dynamic Network Assembly
• No visible DNS or IP Addressing
• Cloud-based SDPs Create Secure Containers That Hide Workloads and Applications Inside
SDP is an open standard created by the Cloud Security Alliance (CSA). Verizon is a member of the CSA and a contributor to the SDP standard. In reality, SDP is more of a workflow of existing protocols than a new protocol: it is based on a whole set of existing standards.
Opportunity
• Presently shaping the primary emerging standard for Secure Cloud Connectivity
• We will provide the only automated delivery framework for SDP-based solutions
• Position Verizon as the primary ‘trust broker’ and dynamic network creation ‘Orchestrator’ for all secure cloud-connected devices within the Internet of Things (IoT)
Software Defined Perimeter (SDP)
Why Do We Need SDP?
Traditional Enterprise Perimeters are Broken
– Phishing, BYOD, SaaS, IaaS
– SDP recreates the perimeter anywhere
Traditional fixed perimeters are broken
Traditional Enterprise Network
– Visibility & connectivity to everything
– Security tools to prevent access
(Diagram: "Outside the Perimeter" versus "Inside"; SaaS, employees, servers, partners, sales persons, telecommuters, contractors and BYOD devices all connect across the perimeter.)
SDP Approach
– No visibility or connectivity to anyone
– Authenticate, then dynamically build networks
– Mitigates network-based attacks
– Unifying architecture:
• Internet/intranet, PC/mobile, Managed/BYOD
SDP is an Open Standard
Cloud Security Alliance (CSA)
Workflow based on proven standards
• SPA, TLS, SAML, PKI, DHE, RSA, AES, SHA, etc.
SDP Enables Your Enterprise to Maintain Strict Access Control
Secure Non-Discoverable Network
News
"We believe SDP can be a game changer" – Bob Flores, former CTO of the CIA
The Software Defined Perimeter (SDP)
What Is It? Defining a New Approach.
• SDP is Based on an Open Standard
– Formed Under the Cloud Security Alliance (CSA)
– Workflows Developed on Proven Standards
• SPA, TLS, SAML, PKI, DHE, RSA, AES, SHA, etc.
• Dynamically Provisioned, Real-Time Networks
– Based on Verizon’s Global Network, Secure Cloud Interconnect and Other Technologies – But These are Only the Foundation.
– Built Anywhere in the World
– In the Cloud, On the DMZ, In the Data Center, Across the Enterprise
– Or across all these places at the same time
• Our Approach Bridges Public and Private IP
– Public Internet
– Satellite, Wireless, Private IP, CDN
You Can’t Attack What You Can’t See!
Software Defined Perimeter
Establishing Secure Connections in a Loosely Coupled Network Environment
Secure Resource Container
(Workflow diagram:)
1. Select the Verizon SDP app
2. Validate the user/device and the location
3. Establish the path and enable access
4. Secure the tunnel and connect to the resource
Achieving Non-Discoverable Network Access
Five Deployment Methods
• Dynamically Configured Browser-Based
• Desktop Application(s)
• Mobile Device Client Application(s)
• Server Client (Protected Server)
• Embedded Devices (sensors etc.)
Software Defined Perimeter
Components
Creating the Secure Cloud On-Ramp
1. Device Attestation
2. Identity & Role Verification
3. Application Access Policy
4. Real-Time Network Provisioning
5. Dynamic Tunnel Creation
Five Ways to Connect
A. Dynamically Configured Browser-Based
B. Desktop Application(s)
C. Mobile Device Client Application(s)
D. Server Client (Protected Server)
E. Embedded Devices (sensors etc.)
SDP Architecture
How It Works – Workflow (Animation)
(Workflow diagram: Client, SDP Controller and SDP Gateways. Controller-side inputs: PKI fingerprint service, software attestation, location and time of day, SAML IdP assertion, AD groups. Client-side steps: SPA, device/geo/user checks, mutual fingerprint attestation, get location, identity page; then SPA and TLS from the browser and application software to the gateways, which receive client-specific crypto artifacts and IPs from the controller.)
Key: Single Packet Authorization; mTLS Control Channel; mTLS Data Channel
Device Authentication & Validation
– Single Packet Authorization
– Client-specific pinhole in firewall
– Mutual TLS
– Device Fingerprint
– Software attestation
– Geo Location, Time of Day
User Authentication & Authorization
– Secure Browser
– SAML to IdP
– Member of Groups
Dynamic Provisioning
– Client-specific crypto artifacts
– Gateway Addresses
– Single Packet Authorization
– Mutual TLS
– Application binding
– Transparent SAML
SDP Enables Your Enterprise to Maintain Strict Access Control
How it Works
Secure Non-Discoverable Network, Software Defined Perimeter
Five Layers of Security Controls
Dynamic Firewalls: SDP dynamically binds users to devices, and then dynamically enables those users to access protected resources by dynamically creating and removing firewall rules in the SDP gateways.
Device Validation (DV): Device validation proves that the key is held by the proper device. In addition, device validation attests to the fact that the device is running trusted software and is being used by the appropriate user.
Mutual Transport Layer Security (mTLS): TLS is typically only used to authenticate servers to clients, not clients to servers. SDP uses the full TLS standard to provide mutual, two-way cryptographic authentication.
Single Packet Authorization (SPA): SPA enables SDP to reject all traffic to it from unauthorized devices. It requires that the first packet to the controller cryptographically verifies that it is an authorized device before being considered for access to the protected service.
Application Binding (AppB): After authenticating and authorizing both the device and the user, SDP creates encrypted TLS tunnels to the protected applications. Application binding constrains authorized applications so they can only communicate through those encrypted tunnels, and, simultaneously, blocks all other applications from using those tunnels.
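As an added illustration of the SPA layer (constructed for this page, not Verizon's or the CSA's reference code), the following Python sketch shows the controller side of a simplified, HMAC-based single-packet check: the listener never replies, and a first packet is accepted only if its MAC verifies under the device's key, its timestamp is fresh, and its nonce has not been seen before, which is what turns a replayed capture of a valid packet into a silent drop. The packet layout, the per-device key table and the 30-second window are assumptions.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed packet layout (an assumption, not the SDP spec's wire format):
#   client_id (16 B) | timestamp (8 B, big-endian unix seconds) | nonce (16 B) | HMAC-SHA256 (32 B)
PACKET_LEN = 16 + 8 + 16 + 32


def build_spa(client_id, key, clock=time.time):
    """Client side: the single packet sent before anything else, MACed under the per-device key."""
    body = client_id + struct.pack(">Q", int(clock())) + os.urandom(16)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class SpaVerifier:
    """Controller side: every packet is dropped unless it proves possession of a provisioned key."""

    def __init__(self, keys, window=30, clock=time.time):
        self.keys = keys        # client_id -> per-device HMAC key (assumed to be provisioned out of band)
        self.window = window    # tolerated clock skew in seconds
        self.clock = clock
        self.seen = set()       # (client_id, nonce) pairs already accepted inside the window

    def verify(self, packet):
        """Return the client id for an authorized SPA packet, else None (silent drop, no reply sent)."""
        if len(packet) != PACKET_LEN:
            return None
        body, mac = packet[:40], packet[40:]
        cid, ts_raw, nonce = body[:16], body[16:24], body[24:40]
        key = self.keys.get(cid)
        if key is None:
            return None                                   # unknown device: no key, no pinhole
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return None                                   # forged or tampered packet
        (ts,) = struct.unpack(">Q", ts_raw)
        if abs(self.clock() - ts) > self.window:
            return None                                   # stale: a captured packet replayed later
        if (cid, nonce) in self.seen:
            return None                                   # exact replay inside the window
        self.seen.add((cid, nonce))
        return cid
```

A production listener would also evict entries from `seen` once they are older than the window, and would open the client-specific firewall pinhole only after `verify` returns an id.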
RSA, CSA Conference - 2014
SDP Activities… ‘Mother of All Hackathons’
The 1st Time One Cloud has Protected all Others
(Diagram: one Verizon SDP orchestrator protecting resources across the Internet, MPLS, Azure, IPsec and AWS.)
At the RSA Conference held in the US in February, we presented these mechanisms and ran a trial, and they were not breached from any country. We also tested these mechanisms at the CSA conference held in the US in September.
• 3 Clouds
• 104 Countries
• 30 Days
• 100,000 Highly Sophisticated Attacks
• 11,000,000 Advanced Method Attacks
• 15 Billion Attacks in all
• Zero Compromises!
With one SDP Orchestrator and Multiple SDP Gateways in the Cloud, SDP can Protect ALL Resources in Multiple Clouds
RSA Conference - 2015
SDP Activities…
All attacks have failed:
• Random commands hitting the SDP gateway (this is caused by attackers running automated scripts)
• Server exploit attempts on the SDP gateway (this is caused by attackers focusing on a specific vector)
• Failed SPA attempts (attackers are trying to replay the PCAP)
1157 unique IP addresses from the following countries:
Source Countries:
Japan
Albania, Argentina, Australia, Austria
Belarus, Belgium, Bosnia and Herzegovina, Brazil, Bulgaria
Canada, Chile, China, Colombia, Costa Rica, Croatia, Cyprus, Czech Republic
Denmark, Ecuador, France, Germany, Greece, Hong Kong, Hungary
Iceland, India, Indonesia, Iran, Iraq, Ireland, Israel, Italy
Kazakhstan, Kenya, Korea, Latvia, Lithuania, Luxembourg
Macao, Malaysia, Mexico, Moldova, Morocco, Nepal, Netherlands
Peru, Philippines, Poland, Portugal, Puerto Rico, Romania, Russian Federation
Saudi Arabia, Seychelles, Singapore, Slovakia, Somalia, South Africa, Spain, Sweden, Switzerland
Taiwan, Thailand, Turkey, Ukraine, United Kingdom, United States, Uruguay
Venezuela, Viet Nam, Yemen
With one SDP Orchestrator and Multiple SDP Gateways in the Cloud, SDP can Protect ALL Resources in Multiple Clouds
SDP and Compliance
Reducing Security Control Complexity
SDP Integrates 14 of the SANS 20 Critical Security Controls
SDP Provides a Cost Effective Compliance Solution
Multiple Use Cases
– One Architecture –
• SDP Case Studies… How Is It Being Used Today?
• SDP in Review… How Can It Be Used?
Internet
• Business & partner portals
– Issue: Poor passwords & app vulnerabilities
– SDP: Private Internet portal
• Cross-entity collaboration
– Issue: DoS, SQL injection, man-in-the-middle
– SDP: Invisible to the Internet
• Cloud migration
– Issue: IaaS develop & deploy, SaaS use & service
– SDP: Private cloud service
Internal
• Outsider access
– Issue: Network and VPN connectivity
– SDP: Precision pinhole access
• BYOD access
– Issue: Malware on uncontrolled devices
– SDP: App access without network access
• Internal isolation
– Issue: Protecting 100% of clients vs. 5% critical access
– SDP: Reduced attack surface, reduced cost, improved usability
SDP is the Solution to Invitation-Only App Access
Case1
Coca-Cola: “Network 2020”
Objective:
• Re-Define the Connected Consumer Experience
• Protect the Brand and Corporate IP
• Provide Unprecedented Business Agility
• Virtualize Everything – Outsource the Burdens
• Produce Trusted, Real-Time Actionable Knowledge
What Verizon Delivers
• Managed VPN Service
• PKI Infrastructure
• SCI Based Access to Data Centers
• Any Device to Any Infrastructure
(Diagram: SDP over 4G LTE and WiFi, with Verizon as Trust Broker, serving the consumer experience and business operations.)
Benefits
• 100% Secure Interactions
• Real-Time Network Creation
• Dynamic Hybrid Cloud Ready
• Fast & Easy to Implement
• Verizon Trust Orchestration
Case2
Key Drivers
• Industrial Espionage & Corporate Surveillance >$100B Impact
• Sensitive Communications Capability Required Regardless of Location or Device
• Current Solutions: One-off, High Cost, Inflexible
What Verizon Delivers
• Secure UCC for Anyone on Any Network
• Any Device – Mobile to PC
• Simple Access – 1 Button Click to Join
Benefits
• Single Click Ease of Use
• Existing Technology – No Learning Curve
• Hides in Open View
• Pure Software – No Special CPE
• Instantly Provisioned ‘Black Comms’ Containers
Government & Corporations Need a New Kind of ‘Private’ Communications Assurance
Case3
Key Drivers
• Industrial Espionage & Corporate Surveillance >$100B Impact
• Massive Volumes of Consumer Data - Need to Protect Big Data and Related Information Stores
• “Insider Threat” Counter-Measures being sought in Government and Commercial Enterprises
What Verizon Delivers
• Insider Attack Shield
• Hidden Assets within Hidden Networks
• Secure Big Data Apps in Public Cloud
(Diagram: hidden data input and hidden analysis input.)
Benefits
• Invisible Network Access
• Invisible Servers Within SDP
• Data Temp Decrypted in RAM Space Only
• Reduces Brand Damage Risk Potential
Government & Corporations Need a New Kind of ‘Private’ Communications Assurance
Case4
Key Drivers
• Industrial Espionage & Corporate Surveillance <$100B Impact
• Sensitive Communications Capability Required Regardless of Location or Device
• Current Solutions are Purpose Built, High Cost and Inflexible
‘Hidden’ Benefits
• Single Click Ease of Use
• Existing Technology – No Learning Curve
• Hides in Open View
• Pure Software – No Special CPE
• Instantly Provisioned ‘Black Comms’ Containers
Government & Corporations Need a New Kind of ‘Private’ Communications Assurance