SlideShare a Scribd company logo

Cryptzone: What is a Software-Defined Perimeter?

Download as pptx, pdf
Cryptzone
Cryptzone

Cryptzone explains a Software-Defined Perimeter, a new network security model that dynamically creates 1:1 network connections between users and the data they access.

1 of 17
Downloaded 100 times
What is a Software-Defined Perimeter?
What is a Software-Defined Perimeter (SDP)? Simple. Secure. Dynamic. A new network security model that dynamically creates 1:1 network connections between users and the data they access 2
How Does a SDP Work? Software-Defined Perimeter Traditional TCP/IP Not Identity Centric – Allows Anyone Access Identity-Centric – Only Authorized Users “Connect First, Authenticate Second” “Authenticate First, Connect Second” 3
SDP Architecture • Controller is the authentication point, containing user access policies • Clients are securely onboarded • All connections based on mutual TLS connectivity • Traffic is securely tunneled from Client through Gateway 4 Protected Applications SDP Controller SDP Gateway (Accepting Host) SDP Client (Initiating host) PKI Identity Management Policy Model
SDP in Action 5 Protected Applications AppGate Controller AppGate Gateway AppGate Client Control Channel Encrypted, Tunneled Data Channel
SDP in Action 6 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console 1 Protected Applications AppGate Controller AppGate Gateway AppGate Client Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
SDP in Action 7 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console Gateways protect cloud and network resources Application network traffic passes through Gateway 1 2 Protected Applications AppGate Controller AppGate Gateway AppGate Client 2 Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
3 SDP in Action 8 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console Gateways protect cloud and network resources Application network traffic passes through Gateway Clients securely onboarded, authenticate to Controller, communicate with mutual TLS 1 2 3 Protected Applications AppGate Controller AppGate Gateway AppGate Client 2 Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
4 3 SDP in Action 9 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console Gateways protect cloud and network resources Application network traffic passes through Gateway Clients securely onboarded, authenticate to Controller, communicate with mutual TLS Clients access resources via Gateway • Mutual TLS tunnels for data • Real-time policy enforcement by Gateway 1 2 3 4 Protected Applications AppGate Controller AppGate Gateway AppGate Client 2 Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
4 3 SDP in Action 10 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console Gateways protect cloud and network resources Application network traffic passes through Gateway Clients securely onboarded, authenticate to Controller, communicate with mutual TLS Clients access resources via Gateway • Mutual TLS tunnels for data • Real-time policy enforcement by Gateway Controller can enhance SIEM and IDS with detailed user activity logs Controller can query ITSM and other systems for context and attributes to be used in Policies 1 2 3 4 5 Protected Applications AppGate Controller AppGate Gateway AppGate Client 2 Integration with other IT and Security Systems 5 SIEM IDS ITSM Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller ProjectX Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions Descriptive Entitlements
All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller Identity provider Y Client will authenticate to controller • Check for an Identity claim ProjectX • Launch a script to collect AV state • Send matching entitlements to client ProjectX Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions 12 Descriptive Entitlements 1
All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller Identity provider Y Client will authenticate to controller • Check for an Identity claim ProjectX • Launch a script to collect AV state • Send matching entitlements to client Client connects to Gateway • Brings the descriptive entitlement: • SSH access to AWS://tag:SSH=*ProjectX* ProjectX Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions 13 Descriptive Entitlements 1 2
All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller Cloud API Identity provider Y Client will authenticate to controller • Check for an Identity claim ProjectX • Launch a script to collect AV state • Send matching entitlements to client Client connects to Gateway • Brings the descriptive entitlement: • SSH access to AWS://tag:SSH=*ProjectX* Gateway connects to local cloud API • What are the instances that have a tag with Key SSH and Value containing ProjectX • Translate it to IP access rules ProjectX ProjectX2 Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions 14 Descriptive Entitlements 1 2 3
All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller Cloud API Identity provider Y Client will authenticate to controller • Check for an Identity claim ProjectX • Launch a script to collect AV state • Send matching entitlements to client Client connects to Gateway • Brings the descriptive entitlement: • SSH access to AWS://tag:SSH=*ProjectX* Gateway connects to local cloud API • What are the instances that have a tag with Key SSH and Value containing ProjectX • Translate it to IP access rules Detect changes • Update IP access rules again ProjectX ProjectX2 Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions 15 Descriptive Entitlements 1 2 3 4
Summary 16 Utilizes an authenticate first approach Removes attacks including zero day, DDOS and lateral movement The Cloud Fabric can now be extended all the way to the user and device Leverages legacy applications by extending the SDP Architecture No longer need traditional network defense equipment (Firewall, VLAN, VPN, etc.) • Identity-centric security • Policies on user and cloud instances Identity-Centric Network Security
To Learn More View Why a Software-Defined Perimeter
Ad

Recommended

AppGate: Achieving Compliance in the Cloud
AppGate: Achieving Compliance in the CloudAppGate: Achieving Compliance in the Cloud
AppGate: Achieving Compliance in the Cloud
Cryptzone
 
Cryptzone AppGate Technical Architecture
Cryptzone AppGate Technical ArchitectureCryptzone AppGate Technical Architecture
Cryptzone AppGate Technical Architecture
Cryptzone
 
Cryptzone: The Software-Defined Perimeter
Cryptzone: The Software-Defined PerimeterCryptzone: The Software-Defined Perimeter
Cryptzone: The Software-Defined Perimeter
Cryptzone
 
SDP Glossary v2.0
SDP Glossary v2.0 SDP Glossary v2.0
SDP Glossary v2.0
Shamun Mahmud
 
How to Overcome Network Access Control Limitations for Better Network Security
How to Overcome Network Access Control Limitations for Better Network SecurityHow to Overcome Network Access Control Limitations for Better Network Security
How to Overcome Network Access Control Limitations for Better Network Security
Cryptzone
 
CSA Presentation - Software Defined Perimeter
CSA Presentation - Software Defined PerimeterCSA Presentation - Software Defined Perimeter
CSA Presentation - Software Defined Perimeter
Vishwas Manral
 
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS EnvironmentOperational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Cryptzone
 
The Software-Defined Perimeter: Securing Network Access for the Modern Workforce
The Software-Defined Perimeter: Securing Network Access for the Modern WorkforceThe Software-Defined Perimeter: Securing Network Access for the Modern Workforce
The Software-Defined Perimeter: Securing Network Access for the Modern Workforce
Perimeter 81
 
Zero trust Architecture
Zero trust Architecture Zero trust Architecture
Zero trust Architecture
AddWeb Solution Pvt. Ltd.
 
Software Defined Perimeter - A New Paradigm for Securing Digital Infrastructu...
Software Defined Perimeter - A New Paradigm for Securing Digital Infrastructu...Software Defined Perimeter - A New Paradigm for Securing Digital Infrastructu...
Software Defined Perimeter - A New Paradigm for Securing Digital Infrastructu...
Government Technology & Services Coalition
 
How sdp delivers_zero_trust
How sdp delivers_zero_trustHow sdp delivers_zero_trust
How sdp delivers_zero_trust
Zscaler
 
How Google Protects Its Corporate Security Perimeter without Firewalls
How Google Protects Its Corporate Security Perimeter without FirewallsHow Google Protects Its Corporate Security Perimeter without Firewalls
How Google Protects Its Corporate Security Perimeter without Firewalls
Priyanka Aash
 
How VPNs and Firewalls Put Your Organization at Risk
How VPNs and Firewalls Put Your Organization at RiskHow VPNs and Firewalls Put Your Organization at Risk
How VPNs and Firewalls Put Your Organization at Risk
Cyxtera Technologies
 
From The Hidden Internet: Lesson From 12 Months Of Monitoring
From The Hidden Internet: Lesson From 12 Months Of MonitoringFrom The Hidden Internet: Lesson From 12 Months Of Monitoring
From The Hidden Internet: Lesson From 12 Months Of Monitoring
Priyanka Aash
 
Microservices Security: dos and don'ts
Microservices Security: dos and don'tsMicroservices Security: dos and don'ts
Microservices Security: dos and don'ts
Minded Security
 
User expert forum user-id
User expert forum user-idUser expert forum user-id
User expert forum user-id
Alberto Rivai
 
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
Robb Boyd
 
Security OF The Cloud
Security OF The CloudSecurity OF The Cloud
Security OF The Cloud
Mark Nunnikhoven
 
Cloud Access Security Brokers
Cloud Access Security BrokersCloud Access Security Brokers
Cloud Access Security Brokers
Abhishek Tripathi
 
cloud security ppt
cloud security ppt cloud security ppt
cloud security ppt
Devyani Vaidya
 
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
DATA SECURITY SOLUTIONS
 
Security in microservices architectures
Security in microservices architecturesSecurity in microservices architectures
Security in microservices architectures
inovia
 
Cisco Network Insider: Three Ways to Secure your Network
Cisco Network Insider: Three Ways to Secure your NetworkCisco Network Insider: Three Ways to Secure your Network
Cisco Network Insider: Three Ways to Secure your Network
Robb Boyd
 
TechWiseTV Workshop: Cisco Stealthwatch and ISE
TechWiseTV Workshop: Cisco Stealthwatch and ISETechWiseTV Workshop: Cisco Stealthwatch and ISE
TechWiseTV Workshop: Cisco Stealthwatch and ISE
Robb Boyd
 
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
Priyanka Aash
 
Palo Alto Networks CASB
Palo Alto Networks CASBPalo Alto Networks CASB
Palo Alto Networks CASB
Alberto Rivai
 
Designing Virtual Network Security Architectures
Designing Virtual Network Security ArchitecturesDesigning Virtual Network Security Architectures
Designing Virtual Network Security Architectures
Priyanka Aash
 
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Priyanka Aash
 
DEVNET-1124 Cisco pxGrid: A New Architecture for Security Platform Integration
DEVNET-1124 Cisco pxGrid: A New Architecture for Security Platform IntegrationDEVNET-1124 Cisco pxGrid: A New Architecture for Security Platform Integration
DEVNET-1124 Cisco pxGrid: A New Architecture for Security Platform Integration
Cisco DevNet
 
Hyperledger Fabric update Meetup 20181101
Hyperledger Fabric update Meetup 20181101Hyperledger Fabric update Meetup 20181101
Hyperledger Fabric update Meetup 20181101
Arnaud Le Hors
 
Ad

More Related Content

What's hot (20)

Zero trust Architecture
Zero trust Architecture Zero trust Architecture
Zero trust Architecture
AddWeb Solution Pvt. Ltd.
 
Software Defined Perimeter - A New Paradigm for Securing Digital Infrastructu...
Software Defined Perimeter - A New Paradigm for Securing Digital Infrastructu...Software Defined Perimeter - A New Paradigm for Securing Digital Infrastructu...
Software Defined Perimeter - A New Paradigm for Securing Digital Infrastructu...
Government Technology & Services Coalition
 
How sdp delivers_zero_trust
How sdp delivers_zero_trustHow sdp delivers_zero_trust
How sdp delivers_zero_trust
Zscaler
 
How Google Protects Its Corporate Security Perimeter without Firewalls
How Google Protects Its Corporate Security Perimeter without FirewallsHow Google Protects Its Corporate Security Perimeter without Firewalls
How Google Protects Its Corporate Security Perimeter without Firewalls
Priyanka Aash
 
How VPNs and Firewalls Put Your Organization at Risk
How VPNs and Firewalls Put Your Organization at RiskHow VPNs and Firewalls Put Your Organization at Risk
How VPNs and Firewalls Put Your Organization at Risk
Cyxtera Technologies
 
From The Hidden Internet: Lesson From 12 Months Of Monitoring
From The Hidden Internet: Lesson From 12 Months Of MonitoringFrom The Hidden Internet: Lesson From 12 Months Of Monitoring
From The Hidden Internet: Lesson From 12 Months Of Monitoring
Priyanka Aash
 
Microservices Security: dos and don'ts
Microservices Security: dos and don'tsMicroservices Security: dos and don'ts
Microservices Security: dos and don'ts
Minded Security
 
User expert forum user-id
User expert forum user-idUser expert forum user-id
User expert forum user-id
Alberto Rivai
 
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
Robb Boyd
 
Security OF The Cloud
Security OF The CloudSecurity OF The Cloud
Security OF The Cloud
Mark Nunnikhoven
 
Cloud Access Security Brokers
Cloud Access Security BrokersCloud Access Security Brokers
Cloud Access Security Brokers
Abhishek Tripathi
 
cloud security ppt
cloud security ppt cloud security ppt
cloud security ppt
Devyani Vaidya
 
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
DATA SECURITY SOLUTIONS
 
Security in microservices architectures
Security in microservices architecturesSecurity in microservices architectures
Security in microservices architectures
inovia
 
Cisco Network Insider: Three Ways to Secure your Network
Cisco Network Insider: Three Ways to Secure your NetworkCisco Network Insider: Three Ways to Secure your Network
Cisco Network Insider: Three Ways to Secure your Network
Robb Boyd
 
TechWiseTV Workshop: Cisco Stealthwatch and ISE
TechWiseTV Workshop: Cisco Stealthwatch and ISETechWiseTV Workshop: Cisco Stealthwatch and ISE
TechWiseTV Workshop: Cisco Stealthwatch and ISE
Robb Boyd
 
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
Priyanka Aash
 
Palo Alto Networks CASB
Palo Alto Networks CASBPalo Alto Networks CASB
Palo Alto Networks CASB
Alberto Rivai
 
Designing Virtual Network Security Architectures
Designing Virtual Network Security ArchitecturesDesigning Virtual Network Security Architectures
Designing Virtual Network Security Architectures
Priyanka Aash
 
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Priyanka Aash
 
Zero trust Architecture
Zero trust Architecture Zero trust Architecture
Zero trust Architecture
AddWeb Solution Pvt. Ltd.
 
Software Defined Perimeter - A New Paradigm for Securing Digital Infrastructu...
Software Defined Perimeter - A New Paradigm for Securing Digital Infrastructu...Software Defined Perimeter - A New Paradigm for Securing Digital Infrastructu...
Software Defined Perimeter - A New Paradigm for Securing Digital Infrastructu...
Government Technology & Services Coalition
 
How sdp delivers_zero_trust
How sdp delivers_zero_trustHow sdp delivers_zero_trust
How sdp delivers_zero_trust
Zscaler
 
How Google Protects Its Corporate Security Perimeter without Firewalls
How Google Protects Its Corporate Security Perimeter without FirewallsHow Google Protects Its Corporate Security Perimeter without Firewalls
How Google Protects Its Corporate Security Perimeter without Firewalls
Priyanka Aash
 
How VPNs and Firewalls Put Your Organization at Risk
How VPNs and Firewalls Put Your Organization at RiskHow VPNs and Firewalls Put Your Organization at Risk
How VPNs and Firewalls Put Your Organization at Risk
Cyxtera Technologies
 
From The Hidden Internet: Lesson From 12 Months Of Monitoring
From The Hidden Internet: Lesson From 12 Months Of MonitoringFrom The Hidden Internet: Lesson From 12 Months Of Monitoring
From The Hidden Internet: Lesson From 12 Months Of Monitoring
Priyanka Aash
 
Microservices Security: dos and don'ts
Microservices Security: dos and don'tsMicroservices Security: dos and don'ts
Microservices Security: dos and don'ts
Minded Security
 
User expert forum user-id
User expert forum user-idUser expert forum user-id
User expert forum user-id
Alberto Rivai
 
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
Robb Boyd
 
Security OF The Cloud
Security OF The CloudSecurity OF The Cloud
Security OF The Cloud
Mark Nunnikhoven
 
Cloud Access Security Brokers
Cloud Access Security BrokersCloud Access Security Brokers
Cloud Access Security Brokers
Abhishek Tripathi
 
cloud security ppt
cloud security ppt cloud security ppt
cloud security ppt
Devyani Vaidya
 
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
DATA SECURITY SOLUTIONS
 
Security in microservices architectures
Security in microservices architecturesSecurity in microservices architectures
Security in microservices architectures
inovia
 
Cisco Network Insider: Three Ways to Secure your Network
Cisco Network Insider: Three Ways to Secure your NetworkCisco Network Insider: Three Ways to Secure your Network
Cisco Network Insider: Three Ways to Secure your Network
Robb Boyd
 
TechWiseTV Workshop: Cisco Stealthwatch and ISE
TechWiseTV Workshop: Cisco Stealthwatch and ISETechWiseTV Workshop: Cisco Stealthwatch and ISE
TechWiseTV Workshop: Cisco Stealthwatch and ISE
Robb Boyd
 
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
Priyanka Aash
 
Palo Alto Networks CASB
Palo Alto Networks CASBPalo Alto Networks CASB
Palo Alto Networks CASB
Alberto Rivai
 
Designing Virtual Network Security Architectures
Designing Virtual Network Security ArchitecturesDesigning Virtual Network Security Architectures
Designing Virtual Network Security Architectures
Priyanka Aash
 
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Priyanka Aash
 

Similar to Cryptzone: What is a Software-Defined Perimeter? (20)

DEVNET-1124 Cisco pxGrid: A New Architecture for Security Platform Integration
DEVNET-1124 Cisco pxGrid: A New Architecture for Security Platform IntegrationDEVNET-1124 Cisco pxGrid: A New Architecture for Security Platform Integration
DEVNET-1124 Cisco pxGrid: A New Architecture for Security Platform Integration
Cisco DevNet
 
Hyperledger Fabric update Meetup 20181101
Hyperledger Fabric update Meetup 20181101Hyperledger Fabric update Meetup 20181101
Hyperledger Fabric update Meetup 20181101
Arnaud Le Hors
 
API Security in a Microservice Architecture
API Security in a Microservice ArchitectureAPI Security in a Microservice Architecture
API Security in a Microservice Architecture
Matt McLarty
 
Nicolas destor pres_f5agility2018
Nicolas destor pres_f5agility2018Nicolas destor pres_f5agility2018
Nicolas destor pres_f5agility2018
Nicolas Destor
 
APIConnect Security Best Practice
APIConnect Security Best PracticeAPIConnect Security Best Practice
APIConnect Security Best Practice
Shiu-Fun Poon
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Hitachi, Ltd. OSS Solution Center.
 
Shifting security left simplifying security for k8s open shift environments
Shifting security left simplifying security for k8s open shift environmentsShifting security left simplifying security for k8s open shift environments
Shifting security left simplifying security for k8s open shift environments
LibbySchulze
 
Hybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptxHybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptx
HansFarroCastillo1
 
e-Xpert Gate / Reverse Proxy - WAF 1ere génération
e-Xpert Gate / Reverse Proxy - WAF 1ere génératione-Xpert Gate / Reverse Proxy - WAF 1ere génération
e-Xpert Gate / Reverse Proxy - WAF 1ere génération
Sylvain Maret
 
Novell® iChain® 2.3
Novell® iChain® 2.3Novell® iChain® 2.3
Novell® iChain® 2.3
webhostingguy
 
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A... Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
Information Security Awareness Group
 
Deploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CXDeploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CX
Cisco Canada
 
VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged ...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged ...VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged ...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged ...
VMworld
 
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...
DevOps.com
 
Implementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresImplementing Public-Key-Infrastructures
Implementing Public-Key-Infrastructures
Oliver Pfaff
 
Workshop AWS IoT @ IoT World Paris
Workshop AWS IoT @ IoT World ParisWorkshop AWS IoT @ IoT World Paris
Workshop AWS IoT @ IoT World Paris
Julien SIMON
 
Hyperleger Composer Architecure Deep Dive
Hyperleger Composer Architecure Deep DiveHyperleger Composer Architecure Deep Dive
Hyperleger Composer Architecure Deep Dive
Dan Selman
 
High-Trust Add-Ins SharePoint for On-Premises Development
High-Trust Add-Ins SharePoint for On-Premises DevelopmentHigh-Trust Add-Ins SharePoint for On-Premises Development
High-Trust Add-Ins SharePoint for On-Premises Development
Edin Kapic
 
authentication and access control(http://4knet.ir)
authentication and access control(http://4knet.ir)authentication and access control(http://4knet.ir)
authentication and access control(http://4knet.ir)
Azad Kaki
 
AWS NYC Meetup - May 2017 - "AWS IoT and Greengrass"
AWS NYC Meetup - May 2017 - "AWS IoT and Greengrass"AWS NYC Meetup - May 2017 - "AWS IoT and Greengrass"
AWS NYC Meetup - May 2017 - "AWS IoT and Greengrass"
Chris Munns
 
DEVNET-1124 Cisco pxGrid: A New Architecture for Security Platform Integration
DEVNET-1124 Cisco pxGrid: A New Architecture for Security Platform IntegrationDEVNET-1124 Cisco pxGrid: A New Architecture for Security Platform Integration
DEVNET-1124 Cisco pxGrid: A New Architecture for Security Platform Integration
Cisco DevNet
 
Hyperledger Fabric update Meetup 20181101
Hyperledger Fabric update Meetup 20181101Hyperledger Fabric update Meetup 20181101
Hyperledger Fabric update Meetup 20181101
Arnaud Le Hors
 
API Security in a Microservice Architecture
API Security in a Microservice ArchitectureAPI Security in a Microservice Architecture
API Security in a Microservice Architecture
Matt McLarty
 
Nicolas destor pres_f5agility2018
Nicolas destor pres_f5agility2018Nicolas destor pres_f5agility2018
Nicolas destor pres_f5agility2018
Nicolas Destor
 
APIConnect Security Best Practice
APIConnect Security Best PracticeAPIConnect Security Best Practice
APIConnect Security Best Practice
Shiu-Fun Poon
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Hitachi, Ltd. OSS Solution Center.
 
Shifting security left simplifying security for k8s open shift environments
Shifting security left simplifying security for k8s open shift environmentsShifting security left simplifying security for k8s open shift environments
Shifting security left simplifying security for k8s open shift environments
LibbySchulze
 
Hybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptxHybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptx
HansFarroCastillo1
 
e-Xpert Gate / Reverse Proxy - WAF 1ere génération
e-Xpert Gate / Reverse Proxy - WAF 1ere génératione-Xpert Gate / Reverse Proxy - WAF 1ere génération
e-Xpert Gate / Reverse Proxy - WAF 1ere génération
Sylvain Maret
 
Novell® iChain® 2.3
Novell® iChain® 2.3Novell® iChain® 2.3
Novell® iChain® 2.3
webhostingguy
 
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A... Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
Information Security Awareness Group
 
Deploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CXDeploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CX
Cisco Canada
 
VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged ...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged ...VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged ...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged ...
VMworld
 
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...
DevOps.com
 
Implementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresImplementing Public-Key-Infrastructures
Implementing Public-Key-Infrastructures
Oliver Pfaff
 
Workshop AWS IoT @ IoT World Paris
Workshop AWS IoT @ IoT World ParisWorkshop AWS IoT @ IoT World Paris
Workshop AWS IoT @ IoT World Paris
Julien SIMON
 
Hyperleger Composer Architecure Deep Dive
Hyperleger Composer Architecure Deep DiveHyperleger Composer Architecure Deep Dive
Hyperleger Composer Architecure Deep Dive
Dan Selman
 
High-Trust Add-Ins SharePoint for On-Premises Development
High-Trust Add-Ins SharePoint for On-Premises DevelopmentHigh-Trust Add-Ins SharePoint for On-Premises Development
High-Trust Add-Ins SharePoint for On-Premises Development
Edin Kapic
 
authentication and access control(http://4knet.ir)
authentication and access control(http://4knet.ir)authentication and access control(http://4knet.ir)
authentication and access control(http://4knet.ir)
Azad Kaki
 
AWS NYC Meetup - May 2017 - "AWS IoT and Greengrass"
AWS NYC Meetup - May 2017 - "AWS IoT and Greengrass"AWS NYC Meetup - May 2017 - "AWS IoT and Greengrass"
AWS NYC Meetup - May 2017 - "AWS IoT and Greengrass"
Chris Munns
 
Ad

Recently uploaded (20)

Artificial hand using embedded system.pptx
Artificial hand using embedded system.pptxArtificial hand using embedded system.pptx
Artificial hand using embedded system.pptx
bhoomigowda12345
 
Troubleshooting JVM Outages – 3 Fortune 500 case studies
Troubleshooting JVM Outages – 3 Fortune 500 case studiesTroubleshooting JVM Outages – 3 Fortune 500 case studies
Troubleshooting JVM Outages – 3 Fortune 500 case studies
Tier1 app
 
Do not let staffing shortages and limited fiscal view hamper your cause
Do not let staffing shortages and limited fiscal view hamper your causeDo not let staffing shortages and limited fiscal view hamper your cause
Do not let staffing shortages and limited fiscal view hamper your cause
Fexle Services Pvt. Ltd.
 
Adobe Audition Crack FRESH Version 2025 FREE
Adobe Audition Crack FRESH Version 2025 FREEAdobe Audition Crack FRESH Version 2025 FREE
Adobe Audition Crack FRESH Version 2025 FREE
zafranwaqar90
 
!%& IDM Crack with Internet Download Manager 6.42 Build 32 >
!%& IDM Crack with Internet Download Manager 6.42 Build 32 >!%& IDM Crack with Internet Download Manager 6.42 Build 32 >
!%& IDM Crack with Internet Download Manager 6.42 Build 32 >
Ranking Google
 
Digital Twins Software Service in Belfast
Digital Twins Software Service in BelfastDigital Twins Software Service in Belfast
Digital Twins Software Service in Belfast
julia smits
 
wAIred_LearnWithOutAI_JCON_14052025.pptx
wAIred_LearnWithOutAI_JCON_14052025.pptxwAIred_LearnWithOutAI_JCON_14052025.pptx
wAIred_LearnWithOutAI_JCON_14052025.pptx
SimonedeGijt
 
How to Troubleshoot 9 Types of OutOfMemoryError
How to Troubleshoot 9 Types of OutOfMemoryErrorHow to Troubleshoot 9 Types of OutOfMemoryError
How to Troubleshoot 9 Types of OutOfMemoryError
Tier1 app
 
What Do Candidates Really Think About AI-Powered Recruitment Tools?
What Do Candidates Really Think About AI-Powered Recruitment Tools?What Do Candidates Really Think About AI-Powered Recruitment Tools?
What Do Candidates Really Think About AI-Powered Recruitment Tools?
HireME
 
Mastering Selenium WebDriver: A Comprehensive Tutorial with Real-World Examples
Mastering Selenium WebDriver: A Comprehensive Tutorial with Real-World ExamplesMastering Selenium WebDriver: A Comprehensive Tutorial with Real-World Examples
Mastering Selenium WebDriver: A Comprehensive Tutorial with Real-World Examples
jamescantor38
 
Wilcom Embroidery Studio Crack Free Latest 2025
Wilcom Embroidery Studio Crack Free Latest 2025Wilcom Embroidery Studio Crack Free Latest 2025
Wilcom Embroidery Studio Crack Free Latest 2025
Web Designer
 
Surviving a Downturn Making Smarter Portfolio Decisions with OnePlan - Webina...
Surviving a Downturn Making Smarter Portfolio Decisions with OnePlan - Webina...Surviving a Downturn Making Smarter Portfolio Decisions with OnePlan - Webina...
Surviving a Downturn Making Smarter Portfolio Decisions with OnePlan - Webina...
OnePlan Solutions
 
Top 12 Most Useful AngularJS Development Tools to Use in 2025
Top 12 Most Useful AngularJS Development Tools to Use in 2025Top 12 Most Useful AngularJS Development Tools to Use in 2025
Top 12 Most Useful AngularJS Development Tools to Use in 2025
GrapesTech Solutions
 
Download MathType Crack Version 2025???
Download MathType Crack Version 2025???Download MathType Crack Version 2025???
Download MathType Crack Version 2025???
Google
 
[gbgcpp] Let's get comfortable with concepts
[gbgcpp] Let's get comfortable with concepts[gbgcpp] Let's get comfortable with concepts
[gbgcpp] Let's get comfortable with concepts
Dimitrios Platis
 
Adobe InDesign Crack FREE Download 2025 link
Adobe InDesign Crack FREE Download 2025 linkAdobe InDesign Crack FREE Download 2025 link
Adobe InDesign Crack FREE Download 2025 link
mahmadzubair09
 
Adobe Media Encoder Crack FREE Download 2025
Adobe Media Encoder Crack FREE Download 2025Adobe Media Encoder Crack FREE Download 2025
Adobe Media Encoder Crack FREE Download 2025
zafranwaqar90
 
Robotic Process Automation (RPA) Software Development Services.pptx
Robotic Process Automation (RPA) Software Development Services.pptxRobotic Process Automation (RPA) Software Development Services.pptx
Robotic Process Automation (RPA) Software Development Services.pptx
julia smits
 
Beyond the code. Complexity - 2025.05 - SwiftCraft
Beyond the code. Complexity - 2025.05 - SwiftCraftBeyond the code. Complexity - 2025.05 - SwiftCraft
Beyond the code. Complexity - 2025.05 - SwiftCraft
Dmitrii Ivanov
 
Unit Two - Java Architecture and OOPS
Unit Two - Java Architecture and OOPSUnit Two - Java Architecture and OOPS
Unit Two - Java Architecture and OOPS
Nabin Dhakal
 
Artificial hand using embedded system.pptx
Artificial hand using embedded system.pptxArtificial hand using embedded system.pptx
Artificial hand using embedded system.pptx
bhoomigowda12345
 
Troubleshooting JVM Outages – 3 Fortune 500 case studies
Troubleshooting JVM Outages – 3 Fortune 500 case studiesTroubleshooting JVM Outages – 3 Fortune 500 case studies
Troubleshooting JVM Outages – 3 Fortune 500 case studies
Tier1 app
 
Do not let staffing shortages and limited fiscal view hamper your cause
Do not let staffing shortages and limited fiscal view hamper your causeDo not let staffing shortages and limited fiscal view hamper your cause
Do not let staffing shortages and limited fiscal view hamper your cause
Fexle Services Pvt. Ltd.
 
Adobe Audition Crack FRESH Version 2025 FREE
Adobe Audition Crack FRESH Version 2025 FREEAdobe Audition Crack FRESH Version 2025 FREE
Adobe Audition Crack FRESH Version 2025 FREE
zafranwaqar90
 
!%& IDM Crack with Internet Download Manager 6.42 Build 32 >
!%& IDM Crack with Internet Download Manager 6.42 Build 32 >!%& IDM Crack with Internet Download Manager 6.42 Build 32 >
!%& IDM Crack with Internet Download Manager 6.42 Build 32 >
Ranking Google
 
Digital Twins Software Service in Belfast
Digital Twins Software Service in BelfastDigital Twins Software Service in Belfast
Digital Twins Software Service in Belfast
julia smits
 
wAIred_LearnWithOutAI_JCON_14052025.pptx
wAIred_LearnWithOutAI_JCON_14052025.pptxwAIred_LearnWithOutAI_JCON_14052025.pptx
wAIred_LearnWithOutAI_JCON_14052025.pptx
SimonedeGijt
 
How to Troubleshoot 9 Types of OutOfMemoryError
How to Troubleshoot 9 Types of OutOfMemoryErrorHow to Troubleshoot 9 Types of OutOfMemoryError
How to Troubleshoot 9 Types of OutOfMemoryError
Tier1 app
 
What Do Candidates Really Think About AI-Powered Recruitment Tools?
What Do Candidates Really Think About AI-Powered Recruitment Tools?What Do Candidates Really Think About AI-Powered Recruitment Tools?
What Do Candidates Really Think About AI-Powered Recruitment Tools?
HireME
 
Mastering Selenium WebDriver: A Comprehensive Tutorial with Real-World Examples
Mastering Selenium WebDriver: A Comprehensive Tutorial with Real-World ExamplesMastering Selenium WebDriver: A Comprehensive Tutorial with Real-World Examples
Mastering Selenium WebDriver: A Comprehensive Tutorial with Real-World Examples
jamescantor38
 
Wilcom Embroidery Studio Crack Free Latest 2025
Wilcom Embroidery Studio Crack Free Latest 2025Wilcom Embroidery Studio Crack Free Latest 2025
Wilcom Embroidery Studio Crack Free Latest 2025
Web Designer
 
Surviving a Downturn Making Smarter Portfolio Decisions with OnePlan - Webina...
Surviving a Downturn Making Smarter Portfolio Decisions with OnePlan - Webina...Surviving a Downturn Making Smarter Portfolio Decisions with OnePlan - Webina...
Surviving a Downturn Making Smarter Portfolio Decisions with OnePlan - Webina...
OnePlan Solutions
 
Top 12 Most Useful AngularJS Development Tools to Use in 2025
Top 12 Most Useful AngularJS Development Tools to Use in 2025Top 12 Most Useful AngularJS Development Tools to Use in 2025
Top 12 Most Useful AngularJS Development Tools to Use in 2025
GrapesTech Solutions
 
Download MathType Crack Version 2025???
Download MathType Crack Version 2025???Download MathType Crack Version 2025???
Download MathType Crack Version 2025???
Google
 
[gbgcpp] Let's get comfortable with concepts
[gbgcpp] Let's get comfortable with concepts[gbgcpp] Let's get comfortable with concepts
[gbgcpp] Let's get comfortable with concepts
Dimitrios Platis
 
Adobe InDesign Crack FREE Download 2025 link
Adobe InDesign Crack FREE Download 2025 linkAdobe InDesign Crack FREE Download 2025 link
Adobe InDesign Crack FREE Download 2025 link
mahmadzubair09
 
Adobe Media Encoder Crack FREE Download 2025
Adobe Media Encoder Crack FREE Download 2025Adobe Media Encoder Crack FREE Download 2025
Adobe Media Encoder Crack FREE Download 2025
zafranwaqar90
 
Robotic Process Automation (RPA) Software Development Services.pptx
Robotic Process Automation (RPA) Software Development Services.pptxRobotic Process Automation (RPA) Software Development Services.pptx
Robotic Process Automation (RPA) Software Development Services.pptx
julia smits
 
Beyond the code. Complexity - 2025.05 - SwiftCraft
Beyond the code. Complexity - 2025.05 - SwiftCraftBeyond the code. Complexity - 2025.05 - SwiftCraft
Beyond the code. Complexity - 2025.05 - SwiftCraft
Dmitrii Ivanov
 
Unit Two - Java Architecture and OOPS
Unit Two - Java Architecture and OOPSUnit Two - Java Architecture and OOPS
Unit Two - Java Architecture and OOPS
Nabin Dhakal
 
Ad

Cryptzone: What is a Software-Defined Perimeter?

  • 2. What is a Software-Defined Perimeter (SDP)? Simple. Secure. Dynamic. A new network security model that dynamically creates 1:1 network connections between users and the data they access 2
  • 3. How Does a SDP Work? Software-Defined Perimeter Traditional TCP/IP Not Identity Centric – Allows Anyone Access Identity-Centric – Only Authorized Users “Connect First, Authenticate Second” “Authenticate First, Connect Second” 3
  • 4. SDP Architecture • Controller is the authentication point, containing user access policies • Clients are securely onboarded • All connections based on mutual TLS connectivity • Traffic is securely tunneled from Client through Gateway 4 Protected Applications SDP Controller SDP Gateway (Accepting Host) SDP Client (Initiating host) PKI Identity Management Policy Model
  • 6. SDP in Action 6 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console 1 Protected Applications AppGate Controller AppGate Gateway AppGate Client Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
  • 7. SDP in Action 7 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console Gateways protect cloud and network resources Application network traffic passes through Gateway 1 2 Protected Applications AppGate Controller AppGate Gateway AppGate Client 2 Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
  • 8. 3 SDP in Action 8 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console Gateways protect cloud and network resources Application network traffic passes through Gateway Clients securely onboarded, authenticate to Controller, communicate with mutual TLS 1 2 3 Protected Applications AppGate Controller AppGate Gateway AppGate Client 2 Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
  • 9. 4 3 SDP in Action 9 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console Gateways protect cloud and network resources Application network traffic passes through Gateway Clients securely onboarded, authenticate to Controller, communicate with mutual TLS Clients access resources via Gateway • Mutual TLS tunnels for data • Real-time policy enforcement by Gateway 1 2 3 4 Protected Applications AppGate Controller AppGate Gateway AppGate Client 2 Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
  • 10. 4 3 SDP in Action 10 Controller uses PKI and IAM to establish trust Controller is an authentication point and policy store System is administered via graphical admin console Gateways protect cloud and network resources Application network traffic passes through Gateway Clients securely onboarded, authenticate to Controller, communicate with mutual TLS Clients access resources via Gateway • Mutual TLS tunnels for data • Real-time policy enforcement by Gateway Controller can enhance SIEM and IDS with detailed user activity logs Controller can query ITSM and other systems for context and attributes to be used in Policies 1 2 3 4 5 Protected Applications AppGate Controller AppGate Gateway AppGate Client 2 Integration with other IT and Security Systems 5 SIEM IDS ITSM Control Channel Encrypted, Tunneled Data Channel PKI Identity Management Policy Model Graphical Admin Console 1
  • 11. All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller ProjectX Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions Descriptive Entitlements
  • 12. All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller Identity provider Y Client will authenticate to controller • Check for an Identity claim ProjectX • Launch a script to collect AV state • Send matching entitlements to client ProjectX Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions 12 Descriptive Entitlements 1
  • 13. All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller Identity provider Y Client will authenticate to controller • Check for an Identity claim ProjectX • Launch a script to collect AV state • Send matching entitlements to client Client connects to Gateway • Brings the descriptive entitlement: • SSH access to AWS://tag:SSH=*ProjectX* ProjectX Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions 13 Descriptive Entitlements 1 2
  • 14. All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller Cloud API Identity provider Y Client will authenticate to controller • Check for an Identity claim ProjectX • Launch a script to collect AV state • Send matching entitlements to client Client connects to Gateway • Brings the descriptive entitlement: • SSH access to AWS://tag:SSH=*ProjectX* Gateway connects to local cloud API • What are the instances that have a tag with Key SSH and Value containing ProjectX • Translate it to IP access rules ProjectX ProjectX2 Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions 14 Descriptive Entitlements 1 2 3
  • 15. All users in ProjectX allowed SSH access to all virtual instances where Tag key equals SSH and value contains ProjectX, if client Anti-Virus has latest updates Controller Cloud API Identity provider Y Client will authenticate to controller • Check for an Identity claim ProjectX • Launch a script to collect AV state • Send matching entitlements to client Client connects to Gateway • Brings the descriptive entitlement: • SSH access to AWS://tag:SSH=*ProjectX* Gateway connects to local cloud API • What are the instances that have a tag with Key SSH and Value containing ProjectX • Translate it to IP access rules Detect changes • Update IP access rules again ProjectX ProjectX2 Device Posture Multifactor Authentication Network Location Contextual Attributes Enterprise Identity Auto-detect Cloud Changes Custom Attributes Time Endpoint Agents Application Permissions 15 Descriptive Entitlements 1 2 3 4
  • 16. Summary 16 Utilizes an authenticate first approach Removes attacks including zero day, DDOS and lateral movement The Cloud Fabric can now be extended all the way to the user and device Leverages legacy applications by extending the SDP Architecture No longer need traditional network defense equipment (Firewall, VLAN, VPN, etc.) • Identity-centric security • Policies on user and cloud instances Identity-Centric Network Security
  • 17. To Learn More View Why a Software-Defined Perimeter

Editor's Notes

  • #4: New slides
  • #5: Secure military networks Controller is the authentication point typically linked with one or more Identity providers Controller contains descriptive user access policies define access to applications Clients are securely onboarded All connections based on mutual TLS connectivity Traffic is securely tunneled from Client through Gateway to Protected Applications
  • #6: Bring Controllers online Integration with Identity, Multi-Factor and PKI services Bring Gateways online Create a mutual TLS connection with Controller after SPA Do not acknowledge Communication from any other host Do not respond to any non-provisioned request Gateways are now in “stealth mode” Bringing Clients online Create mutual TLS connection to Controller after SPA Authenticate to Controller List of authorized Gateways determined for this Client Controller could contact remote services for context Controller creates a list of Gateways Translate your descriptive network entitlements into IP access rules by talking to local cloud API’s. All other apps remain invisible Upload the network entitlements to the matching sites by launching a micro private firewall instance and build an encrypted data tunnel to each one Accept communication from Client Controller instructs Gateways to accept communication from this Client Receive list of IP’s of SDP Gateways Initiating host receives a list of IP’s to connect to Set up mutual TLS Tunnels to transfer data after SPA Client can now connect to the proper applications
  • #7: Bring Controllers online Integration with Identity, Multi-Factor and PKI services Bring Gateways online Create a mutual TLS connection with Controller after SPA Do not acknowledge Communication from any other host Do not respond to any non-provisioned request Gateways are now in “stealth mode” Bringing Clients online Create mutual TLS connection to Controller after SPA Authenticate to Controller List of authorized Gateways determined for this Client Controller could contact remote services for context Controller creates a list of Gateways Translate your descriptive network entitlements into IP access rules by talking to local cloud API’s. All other apps remain invisible Upload the network entitlements to the matching sites by launching a micro private firewall instance and build an encrypted data tunnel to each one Accept communication from Client Controller instructs Gateways to accept communication from this Client Receive list of IP’s of SDP Gateways Initiating host receives a list of IP’s to connect to Set up mutual TLS Tunnels to transfer data after SPA Client can now connect to the proper applications
  • #8: Bring Controllers online Integration with Identity, Multi-Factor and PKI services Bring Gateways online Create a mutual TLS connection with Controller after SPA Do not acknowledge Communication from any other host Do not respond to any non-provisioned request Gateways are now in “stealth mode” Bringing Clients online Create mutual TLS connection to Controller after SPA Authenticate to Controller List of authorized Gateways determined for this Client Controller could contact remote services for context Controller creates a list of Gateways Translate your descriptive network entitlements into IP access rules by talking to local cloud API’s. All other apps remain invisible Upload the network entitlements to the matching sites by launching a micro private firewall instance and build an encrypted data tunnel to each one Accept communication from Client Controller instructs Gateways to accept communication from this Client Receive list of IP’s of SDP Gateways Initiating host receives a list of IP’s to connect to Set up mutual TLS Tunnels to transfer data after SPA Client can now connect to the proper applications
  • #9: Bring Controllers online Integration with Identity, Multi-Factor and PKI services Bring Gateways online Create a mutual TLS connection with Controller after SPA Do not acknowledge Communication from any other host Do not respond to any non-provisioned request Gateways are now in “stealth mode” Bringing Clients online Create mutual TLS connection to Controller after SPA Authenticate to Controller List of authorized Gateways determined for this Client Controller could contact remote services for context Controller creates a list of Gateways Translate your descriptive network entitlements into IP access rules by talking to local cloud API’s. All other apps remain invisible Upload the network entitlements to the matching sites by launching a micro private firewall instance and build an encrypted data tunnel to each one Accept communication from Client Controller instructs Gateways to accept communication from this Client Receive list of IP’s of SDP Gateways Initiating host receives a list of IP’s to connect to Set up mutual TLS Tunnels to transfer data after SPA Client can now connect to the proper applications
  • #10: Bring Controllers online Integration with Identity, Multi-Factor and PKI services Bring Gateways online Create a mutual TLS connection with Controller after SPA Do not acknowledge Communication from any other host Do not respond to any non-provisioned request Gateways are now in “stealth mode” Bringing Clients online Create mutual TLS connection to Controller after SPA Authenticate to Controller List of authorized Gateways determined for this Client Controller could contact remote services for context Controller creates a list of Gateways Translate your descriptive network entitlements into IP access rules by talking to local cloud API’s. All other apps remain invisible Upload the network entitlements to the matching sites by launching a micro private firewall instance and build an encrypted data tunnel to each one Accept communication from Client Controller instructs Gateways to accept communication from this Client Receive list of IP’s of SDP Gateways Initiating host receives a list of IP’s to connect to Set up mutual TLS Tunnels to transfer data after SPA Client can now connect to the proper applications
  • #11: Bring Controllers online Integration with Identity, Multi-Factor and PKI services Bring Gateways online Create a mutual TLS connection with Controller after SPA Do not acknowledge Communication from any other host Do not respond to any non-provisioned request Gateways are now in “stealth mode” Bringing Clients online Create mutual TLS connection to Controller after SPA Authenticate to Controller List of authorized Gateways determined for this Client Controller could contact remote services for context Controller creates a list of Gateways Translate your descriptive network entitlements into IP access rules by talking to local cloud API’s. All other apps remain invisible Upload the network entitlements to the matching sites by launching a micro private firewall instance and build an encrypted data tunnel to each one Accept communication from Client Controller instructs Gateways to accept communication from this Client Receive list of IP’s of SDP Gateways Initiating host receives a list of IP’s to connect to Set up mutual TLS Tunnels to transfer data after SPA Client can now connect to the proper applications
  翻译: