PRACTICAL ENTERPRISE SECURITY ARCHITECTURE
DR. RAJESH P. DEO
JULY 2016

ABSTRACT
What is a practical enterprise security architecture? We look at two innovations in this area: 1) Google's BeyondCorp architecture, and 2) Cloud Security Alliance's Software Defined Perimeters (SDP). We look at how these approaches may lead to better defenses against network-based attacks, and what we can do practically within traditional organizations.

FIRST, THANKS AND GRATITUDE
Burgess Cooper, Partner at Ernst & Young, for this speaking opportunity.
Bikash Barai, for discussing material and sneaking me into an already busy schedule.
Rushit Choksey, Vijay Kumar and Tanoy Bose, partners-in-crime at Ernst & Young since 2015-.
Mr. K. K. Mookhey, Principal Consultant at Network Intelligence, for the opportunity to work with them on infosec from 2011-2015.
Most of all, Devendra Parulekar, Ex-Partner at Ernst & Young, for a second opportunity to work with Ernst & Young's talented infosec team since 2015-.
$WHOAMI
Senior Manager at Ernst & Young, Mumbai, 2015-.
Started in Information Security as a Penetration Tester with Ernst & Young in 2000-2001.
Escaped to complete a Ph.D. in Astronomy (2007), worked as a post-doc… :)
Long-time Linux and open-source enthusiast, pythonista.
Wanna-be start-up founder…
So this fits, right…; sounds shy, anyway let's begin…
OBLIGATORY MEME AND RULE 1 IN SECURITY ARCHITECTURES
There are levels of survival we are prepared to accept.
WHAT IS ENTERPRISE SECURITY ARCHITECTURE?
Enterprise
a project or undertaking, especially a bold or complex one; a business or company; entrepreneurial economic activity.
Security
a state of being free from danger or threat; a thing pledged as a guarantee of an undertaking, to be forfeited in case of default.
Architecture
the complex or carefully designed structure; the art or practice of designing and constructing; the conceptual structure and logical organization of a computer or computer-based system.
ESA
A carefully designed structure to mitigate danger or threat to a business and facilitate economic activity.
Enterprise architectures are business focused:
Aligned with business objectives
Aligned with the technology objectives of the business
Advice and guidance for strategic leaders
Standardization and process models for operational leaders
Did I mention Business Attributes? Oh boy!
Enterprise architects explain business risk to technology leaders.
Enterprise architects explain technology risk to business leaders.
The enterprise security architect makes sure security is not an afterthought.
The determined hacker cares about understanding your networks and how to find suitable entry and exit points.
This makes network security an inherent part of ESA designs.
COMPONENTS OF A PRACTICAL ESA
Vision: where do we want to be?
Strategy and Planning
Business Drivers
Define direction and action plan with budgets
Framework: a cohesive collection of do's and don'ts
Security Requirements and Design Principles
Policies, procedures, standards, and guidelines
Risk Management and Assessment Methods
Taxonomy and Catalogs
Vulnerabilities, Threats and Actors
Risks and Controls
Security Domains to group Risks and Controls
Architecture Layers to group Security Domains
Process Definitions and Flowcharts
Data Classification and Risk Model
A PRACTICAL ESA BLUEPRINT
Figure 2: Source: Arctech Security Architecture Blueprint, Gunnar Peterson
KEY PRINCIPLES
The risk management approach allows the security team to be agile in responding to business threats.
The security architecture must define reusable security services so that developers can leverage common design patterns that improve security for all applications.
ARCHITECTURE LIFECYCLE
Figure 3: Image Source: Arctech Security Architecture Blueprint, Gunnar Peterson
GOOGLE'S BEYONDCORP APPROACH
Today's organizations do not have a perimeter.
The Software as a Service (SaaS) model is winning from the consumer perspective.
HTTPS is like a micro-service compared to an IPsec VPN.
VDI is like a micro-service compared to Remote Desktop/VNC.
BYOD: work and play from anywhere, from any network.
Large organizations want to publish internal applications directly on the Internet.
Data syncs to more than one device: laptops, tablets, smart phones.
How do we ensure data protection, end-point remediation and automation of security processes without compromising on data security?
BEYONDCORP INFRASTRUCTURE COMPONENTS
Figure 4: BeyondCorp Infrastructure Components; Image Source: BeyondCorp, Design to Deployment at Google, Osborn et al., Spring 2016, ;login:, Vol 40, No. 1
KEY IDEAS
Resources are an enumeration of all applications, services, databases and networks that are subject to access control.
Trust tiers and tiered access segregate networks and applications into layers of increasing sensitivity.
Each resource is associated with a minimum trust tier required for access.
Traditional network segmentation is implemented through VLANs and firewall ACLs.
Application URLs are published only through reverse-proxy CNAME redirection.
Fine-grained access policy is mapped to trust tier and user identity.
The access proxy makes its policy decision based on the trust tier assigned to a device.
If the device state degrades, it loses access to high-sensitivity applications and is assigned to a remediation VLAN.
KEY IMPLEMENTATION COMPONENTS
Certificate Authority to issue identities to devices and users
Device management agent software for device profiling
Access Control Engine, a policy enforcement service referenced by "Gateways"
Device Inventory Service, a service that continuously collects, normalizes and publishes changes about the state of devices
Gateways are SSH servers, web proxies or 802.1x-enabled networks
Requirements for BeyondCorp to function:
802.1x-enabled networks
Access Policy, a programmatic representation of the authorization policy consisting of remote resources, the user identity decision and the assigned trust tier
Applications with support for evaluation of the Access Policy as well as real-time credentials and multi-factor authentication
A common method to publish applications via the access proxy
DEVICE INVENTORY SERVICE
Figure 5: BeyondCorp Device Inventory Service, Image Source: BeyondCorp, Design to Deployment at Google, Osborn et al., Spring 2016, ;login:, Vol 40, No. 1
Observed data vs. prescribed data
Continuous ingest, process, normalize cycle
Trust evaluation and tier assignment through the Trust Inferer
Communicate the access policy data structure to the access policy engine
BEYONDCORP ACCESS FLOW
Figure 6: BeyondCorp Components and Access Flow, Image Source: BeyondCorp, A New Approach to Enterprise Security, Ward & Beyer, Dec 2014, ;login:, Vol 39, No. 6
A Walk-through Example
An engineer connects to either public Wi-Fi or the corporate network using his/her managed device. If on the corporate LAN, the device presents its certificate to the RADIUS server, which assigns the device to the appropriate unprivileged internal VLAN if authenticated, else to a remediation VLAN.
The engineer accesses an application with his/her web browser. The request is directed to the access proxy. The laptop provides its device certificate.
The access proxy does not recognize the user and redirects to the SSO system.
The engineer provides his or her primary and second-factor authentication credentials, is authenticated by the SSO system, is issued a token, and is redirected back to the access proxy.
The access proxy now has the device certificate, which identifies the device, and the SSO token, which identifies the user.
The Access Control Engine performs the specific authorization check configured for app.corp.google.com.
The following set of authorization checks is made on every request:
The user is confirmed to be in the engineering group.
The user is confirmed to possess a sufficient trust level.
The device is confirmed to be a managed device in good standing.
The device is confirmed to possess a sufficient trust level.
If all these checks pass, the request is passed to an appropriate back-end to be serviced.
If any of the above checks fails, the request is denied.
CAN MERE MORTALS IMPLEMENT THIS?
Mostly yes; the key technologies are already part of the standard enterprise stack:
802.1x certificate-based authentication
Certificate roll-out for devices and users
SSO/Federation (SAML) enabled applications
Publish applications with DNS/CNAME through a high-availability reverse proxy
Application authentication with user certificates and fall-back to real-time domain credentials and two-factor tokens
Network segmentation with VLANs and firewalled data-center access
Segmentation between corporate wireless and guest wireless networks
Netflow monitoring to track network anomalies and usage
End-point profiling through agent data on end-point health
What is missing? Or, what must you design?
Format for the access policy data structure
Trust tier classification based on user roles and device mapping
Device Inventory Service
Access Policy Engine (a web service queried by network access gateways and application reverse proxies to permit access dynamically)
So, basically, unless you are a software house, no…
One can always out-source this part…
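The pieces the slides say you must design yourself (an access policy data structure, a trust-tier classification and the engine that evaluates them) and the four per-request checks from the walk-through fit in a few dozen lines. The following is an added example, not Google's code or anything from the BeyondCorp papers: the tier names, the policy layout, the Trust Inferer rules and all users, devices and resources are constructed for illustration.

```python
"""Added example (not Google's code): a toy BeyondCorp-style Trust Inferer
and Access Control Engine. Tier names, the policy format and all sample
users/devices/resources are constructed for illustration."""
from dataclasses import dataclass

# Ordered trust tiers, least to most trusted (illustrative names).
TIERS = ["untrusted", "basic", "privileged", "high"]


@dataclass
class Device:
    device_id: str            # subject of the device certificate
    managed: bool             # enrolled with the device management agent?
    os_patched: bool          # observed data reported by the agent
    disk_encrypted: bool
    heartbeat_ok: bool        # has the agent reported recently?


@dataclass
class User:
    username: str
    groups: frozenset
    sso_token_valid: bool     # token issued by the SSO system


@dataclass
class Resource:
    name: str                 # e.g. the CNAME published via the access proxy
    min_tier: str             # minimum device trust tier for access
    allowed_groups: frozenset


def infer_trust_tier(dev: Device) -> str:
    """Trust Inferer: observed device state -> trust tier (illustrative rules).
    A device whose state degrades drops a tier and so loses access to
    resources that require the higher tier."""
    if not dev.managed or not dev.heartbeat_ok:
        return "untrusted"
    if dev.os_patched and dev.disk_encrypted:
        return "high"
    if dev.disk_encrypted:
        return "privileged"
    return "basic"


def tier_at_least(have: str, need: str) -> bool:
    return TIERS.index(have) >= TIERS.index(need)


def authorize(user: User, dev: Device, res: Resource):
    """Access Control Engine: the four checks from the walk-through, run on
    every request. Returns (allowed, reasons); any failing check denies."""
    reasons = []
    if not user.sso_token_valid:
        reasons.append("user identity not established (no valid SSO token)")
    if not (user.groups & res.allowed_groups):
        reasons.append(f"user {user.username} not in an allowed group for {res.name}")
    if not dev.managed or not dev.heartbeat_ok:
        reasons.append(f"device {dev.device_id} is not a managed device in good standing")
    tier = infer_trust_tier(dev)
    if not tier_at_least(tier, res.min_tier):
        reasons.append(f"device tier '{tier}' below required '{res.min_tier}'")
    return (not reasons, reasons)


# Constructed sample data (hypothetical hostnames, devices and users).
CODE_REVIEW = Resource("review.corp.example.com", "high", frozenset({"eng"}))
WIKI = Resource("wiki.corp.example.com", "basic", frozenset({"eng", "sales"}))
HEALTHY_LAPTOP = Device("lt-1001", True, True, True, True)
DEGRADED_LAPTOP = Device("lt-1002", True, False, True, True)   # missed patches
UNMANAGED_PC = Device("unknown", False, False, False, False)
ALICE = User("alice", frozenset({"eng"}), True)
BOB = User("bob", frozenset({"sales"}), True)

if __name__ == "__main__":
    for u, d, r in [(ALICE, HEALTHY_LAPTOP, CODE_REVIEW),
                    (ALICE, DEGRADED_LAPTOP, CODE_REVIEW),
                    (ALICE, DEGRADED_LAPTOP, WIKI),
                    (BOB, HEALTHY_LAPTOP, CODE_REVIEW),
                    (BOB, UNMANAGED_PC, WIKI)]:
        ok, why = authorize(u, d, r)
        verdict = "ALLOW" if ok else "DENY: " + "; ".join(why)
        print(f"{u.username}@{d.device_id} -> {r.name}: {verdict}")
```

The design point the slides make is visible in the output: the same engineer on the same account is allowed into the wiki but denied the code-review tool once the laptop misses patches, because the decision keys on the device's current tier rather than on which network the request came from. In a real deployment the engine is a web service called by the access proxy and the 802.1x gateways, and the device facts come from the Device Inventory Service rather than being hard-coded.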
SOFTWARE DEFINED PERIMETERS
Adopted by Cloud Security Alliance (CSA).
A version 1.0 specification was published in April 2014.
On-demand, dynamically provisioned, air-gapped (sic) networks.
Based on workflows invented by the Department of Defense (DoD) and used by three-letter US Federal Agencies.
CSA has followed NIST guidelines on cryptographic protocols for its specification.
So called "Black Cloud".
SDP ARCHITECTURE
Figure 7: SDP Architecture, Source: Software Defined Perimeters Specification Version 1.0, CSA, April 2014
SDP ARCHITECTURE CONTROLS
Figure 8: SDP Architecture with Controls, Source: Software Defined Perimeter - Hackathon Paper, CSA, April 2014
FIVE LAYERS OF SECURITY CONTROLS
Single Packet Authorization (SPA)
Mutual TLS (mTLS/transparent MFA)
Device Validation (DV)
Dynamic Firewalls
Application Binding
SDP ARCHITECTURE COMPONENTS
Initiating Hosts
Accepting Hosts
SDP Controller
Dynamic Gateways/Firewalls
Federated Identity Service
SDP PROTOCOL WORKFLOW
Figure 9: SDP Protocol Workflow, Source: Software Defined Perimeters Specification Version 1.0, CSA, April 2014
The protocol also supports sessions and dynamic tunneling of communication between the Initiating Host (IH) and the Accepting Host (AH).
SDP SINGLE PACKET AUTHORIZATION / RFC 4226
HMAC-OTP based.
Anyone remember port-knocking? Kinda similar, except cloud-scale.
Apparently survived a sustained 10 billion packet attack in the April 2014 Hackathon organized by CSA.
Vidder, a US-based security startup, is implementing and offering this architecture as a SaaS service.
SDP USE CASES
Enterprise Application Isolation
Protection for Cloud Service Models
SaaS
Private Cloud
Hybrid Cloud Integration
Internet-of-Things
DDoS Prevention
OBLIGATORY MEME 2
Figure 10: Wait, did you just say DDoS? I can stop bullets?!
FIN
We have started with the architect and ended with a hacker! Thank you for your time! Questions?
HOW TO BUILD YOUR OWN ARCHITECTURE?
Bring/Build Your Own Architecture (BYOA)
But read Zachman, TOGAF and SABSA to understand what they are trying to solve.
NIST 800-53, the NIST Cybersecurity Framework, the ISF Standard of Good Practice, ISO 27001:2013 and ENISA guidelines all offer good starting points.
Adopt a catalog set/taxonomy and iterate to improve it.
Define an information classification schema.
Create an inventory of applications prioritized by information classification.
Perform risk assessment for these applications.
Implement DR setup for mission-critical applications
Implement network isolation for mission-critical applications
Implement network zones of differing trust levels
Implement network access based on device identity and health
Implement centralized and unique user identity and behavior fingerprinting
Implement transparent multi-factor authentication
Implement secure DNS services and publish application URLs
Implement single sign-on with federation services
Implement mutual TLS authentication via Enterprise CA certificates
Implement enterprise certificate pinning
Implement end-user device hardening
Implement continuous device health monitoring
Implement pervasive detection capabilities
Implement a focused security monitoring process
Implement privileged identity and access management.
Maintain audit records of administrative activity via AAA logs and operating system audit and logging functions (e.g. Linux's auditd).
Implement a vulnerability management program
Define strong baseline hardening criteria for operating systems and web applications.
Continuously execute application and infrastructure penetration tests to find and remediate weaknesses
Implement a system development life cycle program and processes
On-boarding and secure device initialization
Secure deployment and integrity validation for OS and applications
Secure operations and patching processes
Secure decommissioning and media disposal
Implement a software security and threat-modeling program to manage application development risks.
Implement a security maturity program
Apply a capability maturity model to all information security programs and measure year-on-year improvements and changes.
Measure security metrics
Aggregate up the management/process pyramid
Provide drill-down through the management/process pyramid
MODERN SYSTEM ARCHITECTURES
Windows 10 and ahead…
Virtualization Based Security (VBS)
Hypervisor Code Integrity (HVCI)
Credential Guard - Local Security Authority protection, no more PTH!
Device Guard with UEFI/SecureBoot integrity
Hardware binding for core cryptography operations, as in mobile devices
Measured Boot - measuring device integrity through TPM chips
Remote Device Health Attestation through Measured Boot data
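The last two bullets are the mechanism that lets a BeyondCorp-style Device Inventory Service trust what an end-point reports about itself. As an added example (not Microsoft's code, nor a TPM vendor's), the block below simulates a SHA-256 PCR being extended by each boot stage and the two checks an attestation service performs on the quoted PCR plus event log: the log must replay to the quoted value, and every measured component must match an allow-listed golden digest. The component images and golden digests are constructed; the signature on a real TPM quote (made with the attestation key) is assumed to have been verified already.

```python
"""Added example (not Microsoft's or a TPM vendor's code): simulates measured
boot into a SHA-256 PCR and the verifier side of remote health attestation.
Boot-chain images and golden digests are constructed for illustration."""
import hashlib

PCR_INITIAL = bytes(32)   # PCRs start at all-zero on reset


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: PCR' = H(PCR || digest). One-way and order-dependent,
    so a component cannot be removed, swapped or reordered without changing
    the final value."""
    return hashlib.sha256(pcr + digest).digest()


def measure(component: bytes) -> bytes:
    return hashlib.sha256(component).digest()


def boot_and_measure(chain):
    """Firmware/bootloader side: measure each next-stage image into the PCR
    before handing control to it; the event log records what was measured."""
    pcr, log = PCR_INITIAL, []
    for name, image in chain:
        d = measure(image)
        log.append((name, d))
        pcr = extend(pcr, d)
    return pcr, log


def replay_log(log):
    """Recompute the PCR value implied by an event log."""
    pcr = PCR_INITIAL
    for _, d in log:
        pcr = extend(pcr, d)
    return pcr


def attest(quoted_pcr, log, golden):
    """Health attestation service: (1) the log must replay to the quoted PCR,
    otherwise the log is not the one the TPM recorded; (2) each measured
    component must match its golden digest, otherwise the boot chain changed.
    Returns (healthy, problems) for the Device Inventory Service to consume."""
    problems = []
    if replay_log(log) != quoted_pcr:
        problems.append("event log does not replay to quoted PCR")
    for name, d in log:
        if golden.get(name) != d:
            problems.append(f"unexpected measurement for {name}")
    return (not problems, problems)


# Constructed sample boot chains (hypothetical image contents).
GOOD_CHAIN = [("firmware", b"fw-v1"), ("bootloader", b"bootmgr-v1"),
              ("kernel", b"ntoskrnl-v1")]
MODIFIED_CHAIN = [("firmware", b"fw-v1"), ("bootloader", b"bootmgr-v1"),
                  ("kernel", b"ntoskrnl-modified")]
GOLDEN = {name: measure(img) for name, img in GOOD_CHAIN}

if __name__ == "__main__":
    pcr, log = boot_and_measure(GOOD_CHAIN)
    print("healthy device:", attest(pcr, log, GOLDEN))
    pcr, log = boot_and_measure(MODIFIED_CHAIN)
    print("modified device:", attest(pcr, log, GOLDEN))
```

The point for the architecture is that the verdict comes from the TPM's PCR, not from the operating system's own say-so: a compromised OS can present a clean-looking event log, but the log will not replay to the PCR the TPM quotes, so the device lands in the remediation tier rather than the trusted one.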
Linux is evolving too…
UEFI/SecureBoot support on Enterprise Linux
KVM/Xen hypervisors to support VBS
Containers with Solaris Zones and ZFS
Application containers - Docker, LXC etc.
Modern init systems supporting verified boot - systemd, Upstart, SMF
SELinux for RBAC
grsecurity for exploit mitigation

 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 

Practical Enterprise Security Architecture

  • 7. 6 . 2 Enterprise architectures are business focused
    Aligned with business objectives
    Aligned with the technology objectives of the business
    Advice and guidance for strategic leaders
    Standardization and process models for operational leaders
    Did I mention Business Attributes? Oh boy!
    Enterprise architects explain business risk to technology leaders.
    Enterprise architects explain technology risk to business leaders.
    The enterprise security architect makes sure security is not an afterthought.
  • 8. 6 . 3 The determined hacker cares about understanding your networks and how to find suitable entry and exit points. This makes network security an inherent part of ESA designs.
  • 9. 7 . 1 COMPONENTS OF A PRACTICAL ESA
    Vision: where do we want to be?
      Strategy and planning
      Business drivers
      Define direction and an action plan with budgets
    Framework: a cohesive collection of do's and don'ts
      Security requirements and design principles
      Policies, procedures, standards, and guidelines
      Risk management and assessment methods
    Taxonomy and catalogs
      Vulnerabilities, threats and actors
      Risks and controls
      Security domains to group risks and controls
      Architecture layers to group security domains
      Process definitions and flowcharts
      Data classification and risk model
  • 10. 8 . 1 A PRACTICAL ESA BLUEPRINT
    Figure 2: Source: Arctech Security Architecture Blueprint, Gunnar Peterson
  • 11. 9 . 1 KEY PRINCIPLES
    The risk management approach allows the security team to be agile in responding to business threats.
    The security architecture must define reusable security services so that developers can leverage common design patterns that improve security for all applications.
  • 12. 10 . 1 ARCHITECTURE LIFECYCLE
    Figure 3: Image Source: Arctech Security Architecture Blueprint, Gunnar Peterson
  • 13. 11 . 1 GOOGLE'S BEYONDCORP APPROACH
    Today's organizations do not have a perimeter.
    The Software as a Service (SaaS) model is winning from the consumer perspective.
    HTTPS is like a micro-service to IPsec VPN
    VDI is like a micro-service to Remote Desktop/VNC
    BYOD: work and play from anywhere, from any network
    Large organizations want to publish internal applications directly on the Internet
    Data sync to more than one device: laptop, tablets, smart phones
    How to ensure data protection, end-point remediation and automation of security processes, without compromising on data security?
  • 14. 12 . 1 BEYONDCORP INFRASTRUCTURE COMPONENTS
    Figure 4: BeyondCorp Infrastructure Components; Image Source: BeyondCorp, Design to Deployment at Google, Osborn et al., Spring 2016, ;login:, Vol 40, No. 1
  • 15. 13 . 1 KEY IDEAS
    Resources are an enumeration of all applications, services, databases and networks that are subject to access control.
    Trust tiers and tiered access segregate networks and applications into layers of increasing sensitivity.
    Each resource is associated with a minimum trust tier required for access.
    Traditional network segmentation is implemented through VLANs and firewall ACLs.
  • 16. 13 . 2
    Application URLs are published only through reverse proxy CNAME redirection.
    Fine-grained access policy is mapped to trust tier and user identity.
    The access proxy makes the policy decision based on the trust tier assigned to a device.
    If the device state degrades, it loses access to high-sensitivity applications and is assigned to a remediation VLAN.
  • 17. 14 . 1 KEY IMPLEMENTATION COMPONENTS
    Certificate Authority to issue identities to devices and users
    Device management agent software for device profiling
    Access Control Engine, a policy enforcement service referenced by "Gateways"
    Device Inventory Service, a service that continuously collects, normalizes and publishes changes about the state of devices
    Gateways are SSH servers, web proxies or 802.1X-enabled networks
  • 18. 14 . 2 Requirements for BeyondCorp to function
    802.1X-enabled networks
    Access Policy, a programmatic representation of the authorization policy, consisting of remote resources and user identity, used to decide and assign a trust tier.
    Applications with support for evaluation of the Access Policy as well as real-time credentials and multi-factor authentication.
    A common method to publish applications via the access proxy.
  • 19. 15 . 1 DEVICE INVENTORY SERVICE
    Figure 5: BeyondCorp Device Inventory Service, Image Source: BeyondCorp, Design to Deployment at Google, Osborn et al., Spring 2016, ;login:, Vol 40, No. 1
  • 20. 15 . 2
    Observed data vs. prescribed data
    Continuous ingest, process, normalize cycle
    Trust evaluation and tier assignment through the Trust Inferer
    Communicate the access policy data structure to the access policy engine
  • 21. 16 . 1 BEYONDCORP ACCESS FLOW
    Figure 6: BeyondCorp Components and Access Flow, Image Source: BeyondCorp, A New Approach to Enterprise Security, Ward & Beyer, Dec 2014, ;login:, Vol 39, No. 6
  • 22. 16 . 2 A Walk-through Example
    An engineer connects to either public Wi-Fi or the corporate network using his/her managed device.
    If on the corporate LAN, the device presents its certificate to the RADIUS server, which assigns the device to the appropriate unprivileged internal VLAN if authenticated, else to a remediation VLAN.
    The engineer accesses an application with his/her web browser. The request is directed to the access proxy.
    The laptop provides its device certificate.
    The access proxy does not recognize the user and redirects to the SSO system.
  • 23. 16 . 3
    The engineer provides his or her primary and second-factor authentication credentials, is authenticated by the SSO system, is issued a token, and is redirected back to the access proxy.
    The access proxy now has the device certificate, which identifies the device, and the SSO token, which identifies the user.
  • 24. 16 . 4
    The Access Control Engine performs the specific authorization check configured for app.corp.google.com. The following set of authorization checks is made on every request:
    The user is confirmed to be in the engineering group.
    The user is confirmed to possess a sufficient trust level.
    The device is confirmed to be a managed device in good standing.
    The device is confirmed to possess a sufficient trust level.
    If all these checks pass, the request is passed to an appropriate back-end to be serviced. If any of the above checks fails, the request is denied.
  • 25. 17 . 1 CAN MERE MORTALS IMPLEMENT THIS?
    Mostly yes; the key technologies are already part of the standard enterprise stack:
    802.1X certificate-based authentication
    Certificate roll-out for devices and users
    SSO/Federation (SAML) enabled applications
    Publish applications with DNS/CNAME through a high-availability reverse proxy
    Application authentication with user certificates and fall-back to real-time domain credentials and two-factor tokens
    Network segmentation with VLANs and firewalled data-center access
    Segmentation between corporate wireless and guest wireless networks
    NetFlow monitoring to track network anomalies and usage
    End-point profiling through agent data on end-point health
  • 26. 17 . 2 What is missing? Or, what must you design?
    Format for the access policy data structure
    Trust tier classification based on user roles and device mapping
    Device Inventory Service
    Access Policy Engine (a web service queried by network access gateways and application reverse proxies to permit access dynamically)
    So, basically, unless you are a software house, no…
    One can always out-source this part…
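The pieces slide 26 says you must design yourself (an access policy data structure, trust tier assignment from inventory data, and the per-request checks of slide 24) as one added example; this is illustrative code written for this page, not Google's BeyondCorp implementation. The tier names, the rules that map device state to a tier, and all sample data are assumptions.

```python
from dataclasses import dataclass

# Trust tiers from least to most sensitive; the tier names are assumed.
TIERS = {"untrusted": 0, "basic": 1, "privileged": 2, "high": 3}

@dataclass
class Device:
    """Observed state as the Device Inventory Service would publish it."""
    device_id: str
    managed: bool            # enrolled and issued a device certificate
    agent_reporting: bool    # management agent still checking in
    disk_encrypted: bool
    patch_age_days: int

@dataclass
class User:
    username: str
    groups: frozenset
    mfa_passed: bool         # SSO issued the token after a second factor

@dataclass
class Resource:
    # One entry of the resource enumeration: minimum tier plus group.
    url: str
    min_tier: str
    required_group: str

def infer_device_tier(dev: Device) -> str:
    """Trust Inferer: map observed device state to a tier (assumed rules).
    A degraded device drops a tier and so loses high-sensitivity apps."""
    if not dev.managed or not dev.agent_reporting:
        return "untrusted"
    if not dev.disk_encrypted or dev.patch_age_days > 30:
        return "basic"
    if dev.patch_age_days > 7:
        return "privileged"
    return "high"

def infer_user_tier(user: User) -> str:
    """User trust follows the credentials presented to the SSO system."""
    return "high" if user.mfa_passed else "basic"

def authorize(user: User, dev: Device, res: Resource) -> tuple:
    """The four checks from the walk-through, run on every request.
    Returns (allowed, reason); any single failing check denies."""
    need = TIERS[res.min_tier]
    if res.required_group not in user.groups:
        return False, "user not in required group"
    if TIERS[infer_user_tier(user)] < need:
        return False, "user trust tier too low"
    if not (dev.managed and dev.agent_reporting):
        return False, "device not a managed device in good standing"
    if TIERS[infer_device_tier(dev)] < need:
        return False, "device trust tier too low"
    return True, "allowed"
```

A real engine would read the same policy entries from a store and be queried by the access proxy and the 802.1X gateway; the point is that the policy is data, evaluated afresh on every request.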
  • 27. 18 . 1 SOFTWARE DEFINED PERIMETERS
    Adopted by the Cloud Security Alliance (CSA). A version 1.0 specification was published in April 2014.
    On-demand, dynamically provisioned, air-gapped (sic) networks.
    Based on workflows invented by the Department of Defense (DoD) and used by three-letter US Federal agencies.
    CSA has followed NIST guidelines on cryptographic protocols for its specification.
    So-called "Black Cloud"
  • 28. 19 . 1 SDP ARCHITECTURE
    Figure 7: SDP Architecture, Source: Software Defined Perimeters Specification Version 1.0, CSA, April 2014
  • 29. 20 . 1 SDP ARCHITECTURE CONTROLS
    Figure 8: SDP Architecture with Controls, Source: Software Defined Perimeter - Hackathon Paper, CSA, April 2014
  • 30. 21 . 1 FIVE LAYERS OF SECURITY CONTROLS
    Single Packet Authorization (SPA)
    Mutual TLS (mTLS/transparent MFA)
    Device Validation (DV)
    Dynamic Firewalls
    Application Binding
  • 31. 22 . 1 SDP ARCHITECTURE COMPONENTS
    Initiating Hosts
    Accepting Hosts
    SDP Controller
    Dynamic Gateways/Firewalls
    Federated Identity Service
  • 32. 23 . 1 SDP PROTOCOL WORKFLOW
    Figure 9: SDP Protocol Workflow, Source: Software Defined Perimeters Specification Version 1.0, CSA, April 2014
    The protocol also supports sessions and dynamic tunneling of communication between IH and AH.
  • 33. 24 . 1 SDP SINGLE PACKET AUTHORIZATION
    RFC 4226 HMAC-OTP based
    Anyone remember port-knocking? Kinda similar, except cloud-scale
    Apparently survived a sustained 10 billion packet attack in the April 2014 Hackathon organized by CSA.
    Vidder, a US-based security startup, is implementing and offering this architecture as a SaaS service.
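The SPA check of slide 33 as an added example, not CSA's or Vidder's code: an accepting host that keeps every port closed, never replies, and only opens a rule for the source of a single datagram carrying a valid RFC 4226 HOTP, with a moving counter window for replay protection. The 16-byte packet layout, the agent ids, keys and window size are assumptions, not the SDP specification's wire format.

```python
import hashlib
import hmac
import struct

def hotp(key: bytes, counter: int) -> int:
    """RFC 4226 HOTP: 31-bit dynamic truncation of HMAC-SHA1(key, counter)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    return struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF

# Assumed datagram layout: agent_id (4 bytes), counter (8), HOTP value (4).
PACKET = struct.Struct(">IQI")

def build_spa(agent_id: int, key: bytes, counter: int) -> bytes:
    """Initiating host: the one datagram sent before any TCP connection."""
    return PACKET.pack(agent_id, counter, hotp(key, counter))

class AcceptingHost:
    """Default-drop gateway: silent on failure, a valid SPA opens a rule."""
    LOOKAHEAD = 5   # tolerate a few lost datagrams (assumed window size)

    def __init__(self, agents: dict):
        # agent_id -> [shared key, last accepted counter]
        self.agents = {aid: [key, 0] for aid, key in agents.items()}
        self.open_rules = set()   # (agent_id, src_ip) now allowed through

    def receive(self, datagram: bytes, src_ip: str) -> bool:
        if len(datagram) != PACKET.size:
            return False                          # malformed: drop silently
        agent_id, counter, code = PACKET.unpack(datagram)
        entry = self.agents.get(agent_id)
        if entry is None:
            return False                          # unknown agent: drop
        key, last = entry
        # Replay protection: counter must advance, but only within the window.
        if not (last < counter <= last + self.LOOKAHEAD):
            return False
        expected = struct.pack(">I", hotp(key, counter))
        if not hmac.compare_digest(expected, struct.pack(">I", code)):
            return False                          # bad OTP: drop, no state change
        entry[1] = counter                        # commit counter only on success
        self.open_rules.add((agent_id, src_ip))
        return True
```

In a deployment the `open_rules` entry would become a dynamic firewall rule with a lifetime, and the mTLS handshake that follows is what actually authenticates the initiating host; the SPA only earns the right to attempt it.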
  • 34. 25 . 1 SDP USE CASES
    Enterprise application isolation
    Protection for cloud service models: SaaS, private cloud, hybrid cloud integration
    Internet-of-Things
    DDoS prevention
  • 35. 26 . 1 OBLIGATORY MEME 2
    Figure 10: Wait, did you just say DDoS? I can stop bullets?!
  • 36. 27 . 1 FIN
    We have started with the architect and ended with a hacker!
    Thank you for your time! Questions?
  • 37. 28 . 1 HOW TO BUILD YOUR OWN ARCHITECTURE?
    Bring/Build Your Own Architecture (BYOA)
    But read Zachman, TOGAF and SABSA to understand what they are trying to solve.
    NIST 800-53, the NIST Cybersecurity Framework, ISF Standard of Good Practice, ISO 27001:2013 and ENISA guidelines all offer good starting points.
    Adopt a catalog set/taxonomy and iterate to improve it.
  • 38. 28 . 2
    Define an information classification schema.
    Create an inventory of applications prioritized by information classification.
    Perform risk assessment for these applications.
  • 39. 28 . 3
    Implement DR setup for mission-critical applications
    Implement network isolation for mission-critical applications
    Implement network zones of differing trust levels
  • 40. 28 . 4
    Implement network access based on device identity and health
    Implement centralized and unique user identity and behavior fingerprinting
    Implement transparent multi-factor authentication
  • 41. 28 . 5
    Implement secure DNS services and publish application URLs
    Implement single sign-on with federation services
    Implement mutual TLS authentication via Enterprise CA certificates
    Implement enterprise certificate pinning
  • 42. 28 . 6
    Implement end-user device hardening
    Implement continuous device health monitoring
    Implement pervasive detection capabilities
    Implement a focused security monitoring process
  • 43. 28 . 7
    Implement privileged identity and access management.
    Maintain audit records of administrative activity via AAA logs and operating system audit and logging functions (e.g. Linux's auditd).
  • 44. 28 . 8
    Implement a vulnerability management program
    Define strong baseline hardening criteria for operating systems and web applications.
    Continuously execute application and infrastructure penetration tests to find and remediate weaknesses
  • 45. 28 . 9
    Implement a system development life cycle program and processes:
      On-boarding and secure device initialization
      Secure deployment and integrity validation for OS and applications
      Secure operations and patching processes
      Secure decommissioning and media disposal
    Implement a software security and threat-modeling program to manage application development risks.
  • 46. 28 . 10
    Implement a security maturity program
    Apply a capability maturity model to all information security programs and measure year-on-year improvements and changes.
    Measure security metrics:
      Aggregate up the management/process pyramid
      Provide drill-down down the management/process pyramid
  • 47. 29 . 1 MODERN SYSTEM ARCHITECTURES
    Windows 10 and ahead…
    Virtualization Based Security (VBS)
    Hypervisor Code Integrity (HVCI)
    Credential Guard - Local Security Authority protection, no more PtH (pass-the-hash)!
    Device Guard with UEFI/Secure Boot integrity
    Hardware binding for core cryptography operations, as in mobile devices
    Measured Boot - measuring device integrity through TPM chips
    Remote device health attestation through Measured Boot data
  • 48. 29 . 2 Linux is evolving too…
    UEFI/Secure Boot support on Enterprise Linux
    KVM/Xen hypervisors to support VBS
    Containers with Solaris Zones and ZFS
    Application containers - Docker, LXC etc.
    Modern init systems supporting verified boot - systemd, Upstart, SMF
    SELinux for RBAC
    grsecurity for exploit mitigation