TRANSCRIPT
Afterwork event BERN 4 May 2017
Enabling Trust, Security, and Resiliency through Micro-Segmentation
Arnoud Hablous & Fraser Ross
© 2017 Unisys Corporation. All rights reserved. 4
Why We Need to Change Security
• Tighter Regulations
• Zero Trust or Earned Trust Model
• Changed IT Model
• Old security model is dead
• Everything is Connected
• Escalating Threats
• Must think trust vs. defense and trusted zones vs. security zones
Our Environment… in 2017
• Organized Crime
• Gangs
• Thieves
• Global Terrorists
• Non-State Activists
• Foreign Intelligence Services
• Rogue Intelligence Employees
• Insiders (Malicious & Unwitting)
• Business Competitors
• Transients
What is Micro-segmentation?
Micro-segmentation limits access to devices or services, to a restricted group or groups, at the level of granularity required by the organisation.
Micro-segmentation uses credentials to determine what you can access, and IP protocol controls to enforce the micro-segmentation policy.
What is Micro-segmentation?
Segmentation is not new:
• Door Keys – Controlled access to a restricted group (those with keys)
• Passwords – Compromised credentials affect one account, not all accounts
• Controlled spaces – Barriers and Passes limit access
• Network Equipment – Switches, VLANs, Firewalls provide IP protocol controls
Why?
If you find yourself alone, riding in the green fields with the sun on your face, do not be troubled. For you are in Elysium, and you’re already dead!
Blue Skies
Security built on “Keeping Everything Out”
Walls, Watch, Wait – sufficient in the “Digital Castle” era?
• Click – Targeted Phishing Attacks
• Forget – Patching / Legacy
• Misconfigure – Firewalls, VLANs, IPS
Business Flexibility
• Trust Inside network, accessibility
Cost (vs. Risk)
• 80% spend on perimeter vs. attackers require 1 success
Digital Castle – Digital City
• How big is your perimeter – Multi Site, Multi Cloud
• Strong Perimeter – Trusted Core
Micro-segmentation – Strengthen the Core
“Virtually every company today uses firewalls to enforce perimeter security. However, this security model is problematic because, when that perimeter is breached, an attacker has relatively easy access to a company’s privileged intranet. As companies adopt mobile and cloud technologies, the perimeter is becoming increasingly difficult to enforce.” -- Google Inc
Micro-segmentation – Strengthen the Core
Micro-segmentation – already in use in the physical world (slide image: Hatton Garden Safe Deposit Company)
Micro-segmentation – in the digital world:
Protect
• High value assets
• Restrict damage to individual micro-segments
• Prevent Network Enumeration
Segment
• Restrict East <-> West traffic
• Control North <-> South traffic
Isolate
• Key Data & resources
Business Flexibility
• Trust limited to individual segments
Secure your Digital City
• On Site, Between Site
• In Cloud, Between Cloud
Stealth Timeline
[Timeline figure, 2005 to 2015, of Stealth validations, certifications and awards. The year axis did not survive extraction, so the milestone labels are reproduced here in slide order without their positions on the axis:]
• JFCOM JIL Testbed IO Range
• CWID 05 – USAF
• CWID 05 – AF Comm Agency
• CWID 08 – DISA
• CWID 09 – DISA
• JUICE 09 – CECOM
• Combined Endeavour – EUCOM
• CWID 10 – SOCOM
• GTRI – DJC2 PMO
• SPAWAR Private Lab – SSVT Validation: Failed to compromise
• “Large Integrator” tests and fails to break Stealth
• IV&V – National Center for Counter-terrorism and Cybercrime
• SOCOM – Export License – Dept of Commerce
• FIPS 140-2 Certification – NIST
• EAL4+ Certification – NIAP
• DIACAP MAC-1 Certification
• CWID 10 – Network Risk Assessment
• DIACAP MAC-1 Certification – JFCOM
• SOCOM – R&D Prototype
• Emerald Warrior ’12 – SIPRNet IATT
• Independent Test – client-hired 3rd party: Failed to compromise
• And again… different client, different tester: Failed to compromise. And again…
• Commercial & Pub Sector
• InterOp 2012 “Hot New Product” – Award Winning
• 2015 – 3rd party QSA and pen testing – PCI Compliance
• Frost & Sullivan 2015 New Product Innovation Award
• Encrypted Network Security
Glossary: DIACAP – DoD Information Assurance Certification and Accreditation Process; MAC – Mission Assurance Category (Level 1 is Highest); DISA – Defense Systems Information Agency; EUCOM – European Command; SOCOM – Special Operations Command; JFCOM – Joint Forces Command; JIL – Joint Intelligence Laboratory; CWID – Coalition Warrior Interoperability Demonstration; JUICE – Joint User Interoperability Communications Exercise; CECOM – Communications Electronics Command (US Army); GTRI – Georgia Tech Research Institute; DJC2 – Deployable Joint Command and Control; NIST – National Institute of Standards and Technology; NIAP – National Information Assurance Partnership
Stealth – Layered Security
Layered Approach
• Stealth is used as part of Security Strategy to harden the centre
• Works with the existing tactical security solutions
• Can be focused or as far reaching as the organisation’s strategy requires
How Stealth Works
Stealth’s Patented Technology Has 4 Key Elements
• Encrypt – Cryptographic Protocols
• Secure – Transparent to Applications; Cloaked Endpoints
• Segment – Virtual Communities of Interest
• Least Privilege – Integration with Identity Management Systems
[Diagram: OSI stack (7. Application, 6. Presentation, 5. Session, 4. Transport, 3. Network, 2. Data Link, 1. Physical, NIC) with “Stealth Intercept” shown below the Network layer]
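As an added illustration (not Unisys code, and not how Stealth’s protocol is implemented), the Python model below ties together the definition slide earlier (credentials decide what you can access, protocol controls enforce it) and the four elements on this slide: a user’s credentials map to Communities of Interest, traffic between members is authenticated under a per-COI key, and a receiver silently drops anything it cannot authenticate, so an endpoint outside the COI is cloaked and cannot be enumerated. The HMAC tag stands in for the real cryptographic protocol; the users, COIs, keys and endpoint names are constructed for the example.

```python
"""Toy model of identity-driven micro-segmentation with cloaked endpoints (constructed
example, not Unisys code): credentials map users to Communities of Interest (COIs),
each COI has a shared key, and a receiver answers only traffic it can authenticate."""
import hashlib
import hmac
import secrets

USER_COIS = {"alice": {"finance"}, "bob": {"finance", "devops"}, "mallory": set()}  # constructed
COI_KEYS = {coi: secrets.token_bytes(32) for coi in ("finance", "devops")}          # constructed


def _tag(coi, src, dst, payload):
    """HMAC over COI key, addressing and payload (stand-in for the real protocol)."""
    return hmac.new(COI_KEYS[coi], f"{src}>{dst}|{coi}|".encode() + payload, hashlib.sha256).digest()


class Endpoint:
    def __init__(self, name, user):
        self.name = name
        self.cois = set(USER_COIS.get(user, ()))  # the identity system decides COI membership

    def send(self, dst, coi, payload):
        if coi not in self.cois:  # no membership means no key: nothing leaves the host
            return None
        return dst.receive(self.name, coi, payload, _tag(coi, self.name, dst.name, payload))

    def receive(self, src, coi, payload, tag):
        if coi not in self.cois:  # cloaked: silent drop, no reset, no ICMP, no banner
            return None
        if not hmac.compare_digest(_tag(coi, src, self.name, payload), tag):
            return None  # forged or tampered tag: silent drop as well
        return b"ACK:" + payload


def visible_to(scanner, endpoints):
    """Enumeration check: which endpoints answer a probe in any COI the scanner holds."""
    return [ep.name for ep in endpoints if ep is not scanner
            and any(scanner.send(ep, c, b"probe") for c in scanner.cois)]


def scenario():
    """Constructed scenario: finance server, dev box in two COIs, scanner in none."""
    fin, dev, scan = Endpoint("fin-srv", "alice"), Endpoint("dev-box", "bob"), Endpoint("scanner", "mallory")
    return {
        "dev_to_fin": dev.send(fin, "finance", b"hello"),      # b"ACK:hello"
        "wrong_coi": dev.send(fin, "devops", b"hello"),        # None: fin-srv is not in devops
        "scanner_probe": scan.send(fin, "finance", b"probe"),  # None: no key, nothing is sent
        "forged_tag": fin.receive("scanner", "finance", b"probe", b"\x00" * 32),  # None
        "scanner_sees": visible_to(scan, [fin, dev]),          # []
        "dev_sees": visible_to(dev, [fin, scan]),              # ["fin-srv"]
    }
```

The point to take from the scenario is that a host with no COI membership gets no answer of any kind, which is what makes the endpoint invisible to network enumeration rather than merely filtered.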
Physical
• Segregation now a function of logical Stealth COIs
• Traffic secured between physical devices no longer reliant on network topology
• Server – Server
• Workstation – Server
• Workstation – Workstation
Virtual Environment
• Stealth communication between VMs and other physical or virtual systems on the network
• Segregated from Host OS traffic – Data in Motion is encrypted
• Mix of Stealth’d and non-Stealth’d on the same infrastructure
Cloud
• Extended support for Azure and AWS
• Extend datacentre whilst maintaining North-South control
• East-West Control in physical, virtual and cloud deployments
Access
• Stealth Remote Access (SRA)
• Cisco ASA 55xx – Required
• Checks credentials (Radius)
• Stealth’d end points connect across network infrastructure
Asset Protection
• Stealth Virtual Gateway (SVG)
• Stealth’d from SVG inwards
• Physical or VLAN segregation outwards from SVG
• Hide & Control access to legacy OS
• Hide & Control access to IP devices which cannot host Stealth agents
Controlled Interaction
[Diagram: Internal Users, Dev and External Users, with their interaction controlled by Stealth]
• Stage 1 – Dev Ops ONLY
• Stage 2 – Internal Test Users
• Stage 3 – External Users
Data Lake – Unstructured Data
[Diagram: a Data Lake of Unstructured Data made up of several Data Puddles, each served by a Processing Cluster, protected by Stealth]
• Data Puddles – Storage of Unstructured data still needs to meet regulatory requirements
• Access to individual Data Puddles is restricted by Stealth COI
• Data Lake can span across on premise and cloud infrastructure – COI Data is Encrypted in Motion
• Maintain Segregation while using the same virtual infrastructure
Assured Protection in the Cloud
Stealth
• Who else is sharing the cloud?
• Cryptographically Defines Boundaries
• Reduce Scope for Audit and Compliance
• Can be an Extension of your On Premise Stealth or Completely standalone
• Your Private Cloud – in a Public Space
Extend into the Cloud on your Terms
Stealth
• Control which users and services can access the cloud
• Reduce Scope for Audit and Compliance
• Key material, Stealth Agents unique to your organisation
• Restrict “Backwash”
Secure Your Valuables
What’s Important to YOU
• Identify Critical data resources – Restrict who can see them
• Identify Critical processing nodes – Restrict who can access them
[Diagram: Personnel, Operations, Financial?]
Buffer Third Party Cloud Services
Firewalls & VLANs
• Low granularity of control & flexibility
Stealth
• Highly flexible – Moves with User
• Granularity controlled from configuration server
• Reduced Hardware
• Secure data path
• Restrict ingress back into estate
[Diagram: Gateway Servers, Workstations]
Summary
• Unisys Stealth can be deployed across the whole estate or flexibly for the dedicated protection of critical infrastructures.
• Deploying Stealth requires no changes whatsoever to your IT infrastructure.
• Micro-segmentation of your network, being purely software-based, comes at a fraction of the cost of conventional solutions, and all end points become invisible.
• Other encryption solutions for data in motion become obsolete.
• By deploying Stealth you strengthen your security posture by factors.
Unisys Managed Security Services – Next Step
Schedule a workshop and 3 month POC
Show the value in your environment!!
Some requirements for Stealth:
• 3 x servers (Enterprise Manager & 2 x Authorisation Servers)
• Test Client (for Stealth installation validation)
• Test Server (for Stealth installation validation)
• Certificate for Code signing
• Access to the certificate validation server (e.g. OCSP, CRL repository)
• All servers and clients Domain Joined
Cost: CHF 20’000.-
Contact and further information
Further information on Stealth and Unisys Security in general can be found at: https://unisyssecurity.com/
Contact on this topic: Talk to your Unisys account manager about this topic, or simply contact:
Martin [email protected] +41 79 240 81 03