CSA Presentation - Software Defined Perimeter

Post on 18-Feb-2017

© Cloud Security Alliance, 2016

Software Defined Perimeter

Junaid Islam, Co Chair

Agenda

• Architecture

• Achievements

• Action Plan

© Cloud Security Alliance, 2014.

Security Challenge

Connect to Application

Denial of Service

Provide Credentials

Credential Theft

Server Exploitation

Multifactor Token

Connection Hijacking

APT/Lateral Movement

Security Challenge

Connect to Application

Provide Credentials

Multifactor Token

SDP Security Model

Connect to Application

Provide Credentials

Multifactor Token

SDP Security Architecture

[Diagram: SDP Client, SDP Controller, SDP Gateways, SAML IdP, Issuing CA, Hosting & IaaS, DMZ & Data Center. Flows: 1. Device Auth, 2. User Auth, 3. Dynamic Connection. Labels: Client Crypto, Gateway IP’s]

0. One time on-boarding

• Client root of trust

• Digital artifacts & thin client

1. Device Authentication & Authorization

• SPA: anti DDoS, defeats SSL attacks

• mTLS & fingerprint: anti credential theft

2. User Authentication & Authorization

• Enterprise identity: separation of trust

• SAML IdP integrated with LDAP groups

3. Dynamically Provisioned Connections

• Applications isolated and protected

• Usability: portal page of applications

Achievements (last 2 years)

• Version 1 specification

• 3 SDP Hackathons (4th in progress)

• Gartner endorsement as “next big thing”

• 4 Workgroups

  • Enterprise

  • FISMA Moderate

  • Auto/IoT

  • DDoS

Action Plan

• 2 new workgroups

  • IaaS

  • IoT

• Version 2 specification

• Content challenge

• Increased outreach

• The future looks good!
