This document summarizes two innovative approaches to enterprise security architecture: Google's BeyondCorp architecture and the Cloud Security Alliance's Software Defined Perimeters (SDP). BeyondCorp aims to remove network-based attacks by implementing zero-trust network access based on continuous device/user authentication and authorization. SDP uses cryptographic protocols and dynamic firewalls to create on-demand, air-gapped networks between initiating and accepting hosts. The document then discusses how organizations can implement these approaches using existing security tools and outlines steps to develop an enterprise security architecture.
2. 2 . 1
ABSTRACT
What is a practical enterprise security architecture? We look at two
innovations in this area; 1) Google's BeyondCorp architecture, and, 2) Cloud
Security Alliance's Software De ned Perimeters (SDP). We look at how these
approaches may lead to better defenses against network-based attacks, and
what can we do practically within traditional organizations?
3. 3 . 1
FIRST, THANKS AND GRATITUDE
Burgess Cooper, Partner at Ernst & Young for this speaking opportunity
Bikash Barai, for discussing material and sneaking me into already busy
schedule.
Rushit Choksey, Vijay Kumar and Tanoy Bose, partners-in-crime at Ernst &
Young since 2015-
Mr. K. K. Mookhey, Principle Consultant at Network Intelligence, for
opportunity to work with them on infosec from 2011-2015.
Most of all, Devendra Parulekar, Ex-Partner at Ernst & Young for a second
opportunity to work with Ernst & Young's talented infosec team since
2015-.
4. 4 . 1
$WHOAMI
Senior Manager at Ernst & Young, Mumbai, 2015-.
Started in Information Security as a Penetration Tester with Ernst & Young
in 2000-2001.
Escaped to complete a Ph.D. in Astronomy (2007), worked as a post-doc…
:)
Long-time Linux and open-source enthusiast, pythonista
Wanna-be start-up founder…
So this ts, right…; sounds shy, anyway lets begin…
5. 5 . 1
OBLIGATORY MEME AND RULE 1 IN SECURITY
ARCHITECTURES
There are levels of survival we are prepared to accept.
6. 6 . 1
WHAT IS ENTERPRISE SECURITY ARCHITECTURE?
Enterprise
a project or undertaking, especially a bold or complex one; a business or
company; entrepreneurial economic activity.
Security
a state of being free from danger or threat; a thing pledged as a
guarantee of an undertaking to be forefeited in case of default.
Architecture
the complex or carefully designed structure; the art or practice of
designing and constructing; the conceptual structure and logical
organization of a computer or computer-based system.
ESA
A carefully designed structure to mitigate danger or threat to a business and
facilitate economic activity.
7. 6 . 2
Enterprise architectures are business focused
Aligned with business objectives
Aligned with technology objectives of the business
Advise and guidance for strategic leaders
Standardization and process models for operational leaders
Did I mention Business Attributes? Oh Boy!
Enterprise architects explain business risk to technology leaders.
Enterprise architects explain technology risk to business leaders.
Enterprise security architect makes sure security is not an after thought.
8. 6 . 3
The determined hacker cares about understanding your networks and how
to nd suitable entry and exit points.
This makes network security an inherent part of ESA designs.
9. 7 . 1
COMPONENTS OF A PRACTICAL ESA
Vision, where do we want to be?
Strategy and Planning
Business Drivers
De ne direction and action plan with budgets
Framework, a cohesive collection of do's and don't.
Security Requirements and Design Principles
Policies, procedures, standards, and guidelines
Risk Management and Assessment Methods
Taxonomy and Catalogs
Vulnerabilities, Threats and Actors
Risks and Controls
Security Domains to group Risks and Controls
Architecture Layers to group Security Domains
Process De nitions and Flowcharts
Data Classi cation, and Risk Model
10. 8 . 1
A PRACTICALESA BLUEPRINT
Figure 2: Source: Arctech Security Architecture Blueprint, Gunnar Peterson
11. 9 . 1
KEY PRINCIPLES
The risk management approach allows the security team to be agile in
responding to business threats.
The security architecture must de ne reusable security services so that
developers can leverage common design patterns that improve security
for all applications.
13. 11 . 1
GOOGLE'S BEYONDCORP APPROACH
Today's organization do not have a perimeter.
Software as a Service (SaaS) model is winning from consumer perspective.
HTTPS is like a micro-service to IPSEC VPN
VDI is like a micro-service to Remote Desktop/ VNC
BYOD: Work and play from anywhere, from any network
Large organizations want to publish internal applications directly on the
Internet
Data sync to more than one device: laptop, tablets, smart phones
How to ensure data protection? end-point remediation? and automation of
security processes? without compromising on data security?
14. 12 . 1
BEYONDCORP INFRASTRUCTURE COMPONENTS
Figure 4: BeyondCorp Infrastructure Components; Image Source:
BeyondCorp, Design to Deployment at Google, Osborn et.al., Spring 2016,
;login:, Vol 40, No. 1
15. 13 . 1
KEY IDEAS
Resources are an enumeration of all applications, services, databases,
networks that are subject to access control.
Trust tiers and tiered access segregate network and applications into layers
of increasing sensitivity.
Each resource is associated with a minimum trust tier required for access.
Traditional network segmentation is implemented through VLAN and
Firewall ACLs
16. 13 . 2
Application URLs published only through reverse proxy CNAME
redirection.
Fine-grained access policy mapped to trust tier and user identity
Access proxy makes policy decision based on trust tier assigned to a device.
If the device state degrades, it loses access to high-sensitivity applications
and is assigned to a remediation VLAN.
17. 14 . 1
KEY IMPLEMENTATION COMPONENTS
Certi cate Authority to issue identities to devices and users
Device management agent software for device pro ling
Access Control Engine, a policy enforcement service referenced by
"Gateways".
Device Inventory Service, a service that continuously collects and
normalizes and publishes changes about state of devices.
Gateways are SSH servers, Web proxies or 802.1x-enabled networks
18. 14 . 2
Requirements for BeyondCorp to function
802.1x enabled networks
Access Policy, a programmatic representation of authorization policy
consisting of remote resources, user identity decision and assign trust
tier.
Applications with support for evaluation of the Access Policy as well as
real-time credentials and multi-factor authentication.
A common method to publish applications via the access proxy.
19. 15 . 1
DEVICE INVENTORY SERVICE
Figure 5: BeyondCorp Device Inventory Service, Image Source: BeyondCorp,
Design to Deployment at Google, Osborn et.al., Spring 2016, ;login:, Vol 40,
No. 1
20. 15 . 2
Observed Data vs. Prescribed Data
Continuous ingest, process, normalize cycle
Trust evaluation and tier assignment through Trust Inferer
Communicate access policy data structure to access policy engine
21. 16 . 1
BEYONDCORP ACCESS FLOW
Figure 6: BeyondCorp Components and Access Flow, Image Source:
BeyondCorp, A New Approach to Enterprise Security, Ward & Beyer, Dec
2014, ;login:, Vol 39, No. 6
22. A Walk-through Example
Engineers access either public Wi-Fi or corporate network using his/her
managed device. If on corporate LAN, device presents its certi cate to
RADIUS server, which assigns the device to appropriate unprivileged
internal VLAN if authenticated, else to a remediation VLAN.
The engineer accesses an application with his/her web browser. The
request is directed to the access proxy. The laptop provides its device
certi cate.
The access proxy does not recognize the user and redirects to the SSO
system.
23. 16 . 2
16 . 3
The engineer provides his or her primary and second-factor authentication
credentials, is authenticated by the SSO system, is issued a token, and is
redirected back to the access proxy.
The access proxy now has the device certi cate, which identi es the
device, and the SSO token, which identi es the user.
24. 16 . 4
The Access Control Engine performs the speci c authorization check
con gured for app.corp.google.com.
Following set of authorization checks is made on every request.
The user is con rmed to be in the engineering group.
The user is con rmed to possess a suf cient trust level.
The device is con rmed to be a managed device in good standing.
The device is con rmed to possess a suf cient trust level.
If all these checks pass, the request is passed to an appropriate back-end
to be serviced.
If any of the above checks fails, the request is denied.
25. 17 . 1
CAN MERE MORTALS IMPLEMENT THIS?
Mostly Yes, the key technologies are already part of the standard
enterprise stack
802.1x certi cate based authentication
Certi cate roll-out for devices and users
SSO/Federation (SAML) enabled applications
Publish applications with DNS/CNAME through high-availability
reverse proxy
Application authentication with user certi cates and fall-back to real-
time domain credentials and two-factor tokens.
Network segmentation with VLANs and rewalled data-center access
Segmentation between corporate wireless and guest wireless networks
Net ow monitoring to track network anomaly and usage
End-point pro ling through agent data on end-point health
26. 17 . 2
What is missing? or What you must design?
Format for access policy data structure
Trust Tier classi cation based on user roles and device mapping
Device Inventory Service
Access Policy Engine (a web service queried by network access
gateways and application reverse proxies to permit access dynamically)
So, basically unless you are a software house, no…
One can always out-source this part…
27. 18 . 1
SOFTWARE DEFINED PERIMETERS
Adopted by Cloud Security Alliance (CSA).
A version 1.0 speci cation has been published in April 2014.
On-demand, dynamically provisioned, air-gapped (sic) networks.
Based on work ows invented by the Department of Defense (DoD) and
used by three-letter US Federal Agencies.
CSA has followed NIST guidelines on cryptographic protocols for its
speci cation.
So called "Black Cloud"
28. SDP ARCHITECTURE
Figure 7: SDP Architecture, Source: Software De ned Perimeters
Speci cation Version 1.0, CSA, April 2014
29. 19 . 120 . 1
SDP ARCHITECTURE CONTROLS
Figure 8: SDP Architecture with Controls, Source: Software De ned
Perimeter - Hackathon Paper, CSA, April 2014
30. 21 . 1
FIVE LAYERS OF SECURITY CONTROLS
Single Packet Authorization (SPA)
Mutual TLS (mTLS/transparent MFA)
Device Validation (DV)
Dynamic Firewalls
Application Binding
32. 23 . 1
SDP PROTOCOL WORKFLOW
Figure 9: SDP Protocol Work ow, Source: Software De ned Perimeters
Speci cation Version 1.0, CSA, April 2014
The protocol also supports sessions and dynamic tunneling of
communication between IH and AH.
33. 24 . 1
SDP SINGLE PACKET AUTHORIZATION / RFC 4226
HMAC-OTP based
Anyone remember port-knocking?, kinda similar except cloud-scale
Apparently survived sustained 10 billion packet attack in April 2014
Hackathon organized by CSA.
Vidder, a US-based security startup is implementing and offering this
architecture as a SaaS service.
34. 25 . 1
SDP USE CASES
Enterprise Application Isolation
Protection for Cloud Service Models
SaaS
Private Cloud
Hybrid Cloud Integration
Internet-of-Things
DDoS Prevention
35. 26 . 1
OBLIGATORY MEME 2
Figure 10: Wait did you just say DDoS?, I can stop bullets?!
36. 27 . 1
FIN
We have started with the architect and ended with a
hacker! Thank you for your time! Questions?
37. 28 . 1
HOW TO BUILD YOUR OWN ARCHITECTURE?
Bring/Build Your Own Architecture (BYOA)
But, read Zachman, TOGAF and SABSA to understand what they are
trying to solve.
NIST 800-53, NIST Cybersecurity Architecture, ISF Standard of Good
Practice, ISO27001:2013, ENISA guidelines all offer good starting
points.
Adopt a catalog set/ taxonomy and iterate to improve it.
38. 28 . 2
De ne information classi cation schema.
Create inventory of applications prioritized by information classi cation.
Perform risk assessment for these applications.
39. 28 . 3
Implement DR setup for mission-critical applications
Implement network isolation for mission-critical applications
Implement network zones of differing trust levels
40. 28 . 4
Implement network access based on device identity and health
Implement centralized and unique user identity and behavior
ngerprinting
Implement transparent multi-factor authentication
41. 28 . 5
Implement secure DNS services and publish application URLs
Implement single-sign-on with federation services
Implement mutual TLS authentication via Enterprise CA certi cates
Implement enterprise certi cate pinning
43. 28 . 7
Implement privileged identity and access management.
Maintain audit records of administrative activity via AAA logs and
operating system audit and logging functions (e.g. Linux's auditd).
44. 28 . 8
Implement a vulnerability management program
De ne strong baseline hardening criteria for operating systems and web
applications.
Continuously execute application and infrastructure penetration tests to
nd and remediate weaknesses
45. 28 . 9
Implement system development life cycle program and processes
On-boarding and secure device initialization
Secure deployment and integrity validation for OS and applications
Secure operations and patching processes
Secure decommissioning and media disposal
Implement a software security and threat-modeling program to manage
application development risks.
46. 28 . 10
Implement a security maturity program
Apply capability maturity model to all information security programs and
measure year-on-year improvements and changes.
Measure Security Metrics
Aggregate up the management / process pyramid
Provide drill-down the management / process pyramid
47. 29 . 1
MODERN SYSTEM ARCHITECTURES
Windows 10 and ahead…
Virtualization Based Security (VBS)
Hyper-Visor Code Integrity (HVCI)
Credential Guard - Local Security Authority Protection, no more
PTH!
Device Guard with UEFI/SecureBoot Integrity
Hardware binding for core cryptography operations as in mobile
devices
Measured Boot - Measuring Device Integrity through TPM chips
Remote Device Health Attestation through Measured Boot data
48. 29 . 2
Linux is evolving too…
UEFI/SecureBoot Support on Enterprise Linux
KVM/Xen hypervisors to support VBS
Containers with Solaris Zones and ZFS
Application Containers - Docker, LXC etc.
Modern Sysvinits supporting veri ed boot - Systemd, Upstart, SMF
SELinux for RBAC
GrSecurity for exploit mitigation