practical enterprise security architecture
TRANSCRIPT

PRACTICAL ENTERPRISE SECURITY ARCHITECTURE
DR. RAJESH P. DEO
JULY 2016

ABSTRACT
What is a practical enterprise security architecture? We look at two innovations in this area: 1) Google's BeyondCorp architecture, and 2) the Cloud Security Alliance's Software Defined Perimeter (SDP). We look at how these approaches may lead to better defenses against network-based attacks, and what we can do practically within traditional organizations.

FIRST, THANKS AND GRATITUDE
- Burgess Cooper, Partner at Ernst & Young, for this speaking opportunity.
- Bikash Barai, for discussing material and sneaking me into an already busy schedule.
- Rushit Choksey, Vijay Kumar and Tanoy Bose, partners-in-crime at Ernst & Young since 2015.
- Mr. K. K. Mookhey, Principal Consultant at Network Intelligence, for the opportunity to work with them on infosec from 2011-2015.
- Most of all, Devendra Parulekar, Ex-Partner at Ernst & Young, for a second opportunity to work with Ernst & Young's talented infosec team since 2015.

$ WHOAMI
- Senior Manager at Ernst & Young, Mumbai, since 2015.
- Started in Information Security as a Penetration Tester with Ernst & Young in 2000-2001.
- Escaped to complete a Ph.D. in Astronomy (2007), worked as a post-doc… :)
- Long-time Linux and open-source enthusiast, pythonista.
- Wanna-be start-up founder…
- So this fits, right…; sounds fishy, anyway let's begin…

OBLIGATORY MEME AND RULE 1 IN SECURITY ARCHITECTURES
There are levels of survival we are prepared to accept.

WHAT IS ENTERPRISE SECURITY ARCHITECTURE?
Enterprise: a project or undertaking, especially a bold or complex one; a business or company; entrepreneurial economic activity.
Security: a state of being free from danger or threat; a thing pledged as a guarantee of an undertaking, to be forfeited in case of default.
Architecture: the complex or carefully designed structure; the art or practice of designing and constructing; the conceptual structure and logical organization of a computer or computer-based system.
ESA: a carefully designed structure to mitigate danger or threat to a business and facilitate economic activity.

Enterprise architectures are business focused:
- Aligned with business objectives
- Aligned with technology objectives of the business
- Advice and guidance for strategic leaders
- Standardization and process models for operational leaders
- Did I mention Business Attributes? Oh boy!

Enterprise architects explain business risk to technology leaders.
Enterprise architects explain technology risk to business leaders.
The enterprise security architect makes sure security is not an afterthought.

The determined hacker cares about understanding your networks and how to find suitable entry and exit points. This makes network security an inherent part of ESA designs.

COMPONENTS OF A PRACTICAL ESA
- Vision: where do we want to be?
- Strategy and Planning
  - Business Drivers
  - Define direction and action plan with budgets
- Framework: a cohesive collection of do's and don'ts
  - Security Requirements and Design Principles
  - Policies, procedures, standards, and guidelines
  - Risk Management and Assessment Methods
- Taxonomy and Catalogs
  - Vulnerabilities, Threats and Actors
  - Risks and Controls
  - Security Domains to group Risks and Controls
  - Architecture Layers to group Security Domains
  - Process Definitions and Flowcharts
  - Data Classification, and Risk Model

A PRACTICAL ESA BLUEPRINT
Figure 2: Source: Arctech Security Architecture Blueprint, Gunnar Peterson

KEY PRINCIPLES
- The risk management approach allows the security team to be agile in responding to business threats.
- The security architecture must define reusable security services so that developers can leverage common design patterns that improve security for all applications.

ARCHITECTURE LIFECYCLE
Figure 3: Image Source: Arctech Security Architecture Blueprint, Gunnar Peterson

GOOGLE'S BEYONDCORP APPROACH
- Today's organizations do not have a perimeter.
- The Software as a Service (SaaS) model is winning from the consumer's perspective.
- HTTPS is like a micro-service to IPsec VPN.
- VDI is like a micro-service to Remote Desktop/VNC.
- BYOD: work and play from anywhere, from any network.
- Large organizations want to publish internal applications directly on the Internet.
- Data syncs to more than one device: laptops, tablets, smart phones.
- How to ensure data protection, end-point remediation and automation of security processes without compromising on data security?

BEYONDCORP INFRASTRUCTURE COMPONENTS
Figure 4: BeyondCorp Infrastructure Components; Image Source: BeyondCorp, Design to Deployment at Google, Osborn et al., Spring 2016, ;login:, Vol 40, No. 1

KEY IDEAS
- Resources are an enumeration of all applications, services, databases and networks that are subject to access control.
- Trust tiers and tiered access segregate networks and applications into layers of increasing sensitivity.
- Each resource is associated with a minimum trust tier required for access.
- Traditional network segmentation is implemented through VLANs and firewall ACLs.
- Application URLs are published only through reverse proxy CNAME redirection.
- Fine-grained access policy is mapped to trust tier and user identity.
- The access proxy makes the policy decision based on the trust tier assigned to a device.
- If the device state degrades, it loses access to high-sensitivity applications and is assigned to a remediation VLAN.

KEY IMPLEMENTATION COMPONENTS
- Certificate Authority to issue identities to devices and users
- Device management agent software for device profiling
- Access Control Engine, a policy enforcement service referenced by "Gateways"
- Device Inventory Service, a service that continuously collects, normalizes and publishes changes about the state of devices
- Gateways are SSH servers, web proxies or 802.1x-enabled networks

Requirements for BeyondCorp to function:
- 802.1x-enabled networks
- Access Policy, a programmatic representation of the authorization policy consisting of remote resources, user identity decisions and trust tier assignment
- Applications with support for evaluation of the Access Policy as well as real-time credentials and multi-factor authentication
- A common method to publish applications via the access proxy

DEVICE INVENTORY SERVICE
Figure 5: BeyondCorp Device Inventory Service, Image Source: BeyondCorp, Design to Deployment at Google, Osborn et al., Spring 2016, ;login:, Vol 40, No. 1

- Observed Data vs. Prescribed Data
- Continuous ingest, process, normalize cycle
- Trust evaluation and tier assignment through the Trust Inferer
- Communicate the access policy data structure to the access policy engine

BEYONDCORP ACCESS FLOW
Figure 6: BeyondCorp Components and Access Flow, Image Source: BeyondCorp, A New Approach to Enterprise Security, Ward & Beyer, Dec 2014, ;login:, Vol 39, No. 6

A Walk-through Example

An engineer accesses either public Wi-Fi or the corporate network using his/her managed device. If on the corporate LAN, the device presents its certificate to the RADIUS server, which assigns the device to the appropriate unprivileged internal VLAN if authenticated, else to a remediation VLAN.

The engineer accesses an application with his/her web browser. The request is directed to the access proxy. The laptop provides its device certificate.

The access proxy does not recognize the user and redirects to the SSO system.

The engineer provides his or her primary and second-factor authentication credentials, is authenticated by the SSO system, is issued a token, and is redirected back to the access proxy.

The access proxy now has the device certificate, which identifies the device, and the SSO token, which identifies the user.

The Access Control Engine performs the specific authorization check configured for app.corp.google.com. The following set of authorization checks is made on every request:
- The user is confirmed to be in the engineering group.
- The user is confirmed to possess a sufficient trust level.
- The device is confirmed to be a managed device in good standing.
- The device is confirmed to possess a sufficient trust level.

If all these checks pass, the request is passed to an appropriate back-end to be serviced. If any of the above checks fails, the request is denied.
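As an added illustration (not Google's code and not taken from the BeyondCorp papers), a toy Access Control Engine in Python that evaluates the four checks above, fed by a Trust Inferer that derives a device tier from Device Inventory data. The tier names, device attributes and the 24-hour staleness rule are assumptions made for the example.

```python
from dataclasses import dataclass
TIERS = {"untrusted": 0, "basic": 1, "privileged": 2, "high": 3}  # assumed tier names, by sensitivity

@dataclass
class Device:
    managed: bool
    disk_encrypted: bool
    os_patched: bool
    inventory_age_hours: int  # staleness of Device Inventory Service data

@dataclass
class User:
    groups: frozenset
    trust_tier: str
    sso_token_valid: bool

@dataclass
class Resource:
    required_group: str
    min_tier: str

def infer_device_tier(d: Device) -> str:
    """Trust Inferer: derive a tier from observed (not prescribed) inventory data."""
    if not d.managed:
        return "untrusted"
    if d.inventory_age_hours > 24:  # stale observations degrade trust (assumed rule)
        return "basic"
    if d.disk_encrypted and d.os_patched:
        return "high"
    return "privileged" if d.disk_encrypted else "basic"

def authorize(user: User, device: Device, res: Resource) -> tuple:
    """Access Control Engine: every check must pass; the first failure denies."""
    if not user.sso_token_valid:
        return False, "no valid SSO token: redirect to SSO"
    if res.required_group not in user.groups:
        return False, f"user not in group {res.required_group}"
    if TIERS[user.trust_tier] < TIERS[res.min_tier]:
        return False, "user trust tier below resource minimum"
    if not device.managed:
        return False, "device is not a managed device in good standing"
    dev_tier = infer_device_tier(device)
    if TIERS[dev_tier] < TIERS[res.min_tier]:
        return False, f"device tier {dev_tier} below {res.min_tier}: remediation VLAN"
    return True, "forward request to back-end"

# Constructed sample: an engineer on a healthy managed laptop reaching a high-tier app.
ENGINEER = User(frozenset({"engineering"}), "high", True)
LAPTOP = Device(True, True, True, 2)
APP = Resource("engineering", "high")
```

Note that a device whose inventory data has gone stale is demoted rather than trusted on its last known state, which is what moves it to the remediation VLAN in the walk-through.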

CAN MERE MORTALS IMPLEMENT THIS?
Mostly yes, the key technologies are already part of the standard enterprise stack:
- 802.1x certificate-based authentication
- Certificate roll-out for devices and users
- SSO/Federation (SAML) enabled applications
- Publish applications with DNS/CNAME through a high-availability reverse proxy
- Application authentication with user certificates and fall-back to real-time domain credentials and two-factor tokens
- Network segmentation with VLANs and firewalled data-center access
- Segmentation between corporate wireless and guest wireless networks
- NetFlow monitoring to track network anomalies and usage
- End-point profiling through agent data on end-point health

What is missing? Or, what you must design:
- Format for the access policy data structure
- Trust Tier classification based on user roles and device mapping
- Device Inventory Service
- Access Policy Engine (a web service queried by network access gateways and application reverse proxies to permit access dynamically)

So, basically, unless you are a software house, no… One can always out-source this part…

SOFTWARE DEFINED PERIMETERS
- Adopted by the Cloud Security Alliance (CSA).
- A version 1.0 specification was published in April 2014.
- On-demand, dynamically provisioned, air-gapped (sic) networks.
- Based on workflows invented by the Department of Defense (DoD) and used by three-letter US Federal Agencies.
- CSA has followed NIST guidelines on cryptographic protocols for its specification.
- So called "Black Cloud".

SDP ARCHITECTURE
Figure 7: SDP Architecture, Source: Software Defined Perimeters Specification Version 1.0, CSA, April 2014

SDP ARCHITECTURE CONTROLS
Figure 8: SDP Architecture with Controls, Source: Software Defined Perimeter - Hackathon Paper, CSA, April 2014

FIVE LAYERS OF SECURITY CONTROLS
- Single Packet Authorization (SPA)
- Mutual TLS (mTLS/transparent MFA)
- Device Validation (DV)
- Dynamic Firewalls
- Application Binding

SDP ARCHITECTURE COMPONENTS
- Initiating Hosts
- Accepting Hosts
- SDP Controller
- Dynamic Gateways/Firewalls
- Federated Identity Service

SDP PROTOCOL WORKFLOW
Figure 9: SDP Protocol Workflow, Source: Software Defined Perimeters Specification Version 1.0, CSA, April 2014
The protocol also supports sessions and dynamic tunneling of communication between the IH (Initiating Host) and the AH (Accepting Host).

SDP SINGLE PACKET AUTHORIZATION / RFC 4226
- Based on HMAC-OTP (HOTP, RFC 4226).
- Anyone remember port-knocking? Kinda similar, except cloud-scale.
- Apparently survived a sustained 10 billion packet attack in the April 2014 Hackathon organized by CSA.
- Vidder, a US-based security startup, is implementing and offering this architecture as a SaaS service.
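As an added example that is not part of the original talk and not the CSA specification's wire format: an RFC 4226 HOTP computation and a toy Accepting Host gateway that verifies one authorization packet, with replay protection, before opening the firewall. The packet layout, host identifiers and counter window are assumptions; the shared secret is the RFC 4226 test-vector key.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def build_spa_packet(host_id: str, secret: bytes, counter: int) -> bytes:
    """Initiating Host side. Assumed layout (not the CSA wire format): 'host:counter:otp'."""
    return f"{host_id}:{counter}:{hotp(secret, counter)}".encode()


class SpaGateway:
    """Accepting Host side: the firewall stays default-drop; only a valid packet opens a port."""

    def __init__(self, hosts: dict, window: int = 5):
        self.hosts = hosts                          # host_id -> shared secret
        self.last_counter = {h: -1 for h in hosts}  # replay guard per host
        self.window = window                        # tolerated counter drift (assumed)

    def verify(self, packet: bytes) -> tuple:
        try:
            host_id, counter_s, otp = packet.decode().split(":")
            counter = int(counter_s)
        except (UnicodeDecodeError, ValueError):
            return False, "malformed packet dropped"
        secret = self.hosts.get(host_id)
        if secret is None:
            return False, "unknown host dropped"
        last = self.last_counter[host_id]
        if not last < counter <= last + self.window:
            return False, "counter replayed or outside window"
        if not hmac.compare_digest(hotp(secret, counter), otp):
            return False, "bad OTP dropped"
        self.last_counter[host_id] = counter  # advance so the same packet cannot be replayed
        return True, f"open firewall for {host_id}"


# Constructed sample: the RFC 4226 test-vector key shared with one Initiating Host.
SECRET = b"12345678901234567890"
GATEWAY = SpaGateway({"ih-1": SECRET})
```

Every rejection path returns silently from the gateway's point of view, which is the port-knocking property the slide alludes to: an unauthenticated sender learns nothing about whether a service exists behind the firewall.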

SDP USE CASES
- Enterprise Application Isolation
- Protection for Cloud Service Models
  - SaaS
  - Private Cloud
  - Hybrid Cloud Integration
  - Internet-of-Things
- DDoS Prevention

OBLIGATORY MEME 2
Figure 10: Wait, did you just say DDoS? I can stop bullets?!

FIN
We have started with the architect and ended with a hacker! Thank you for your time! Questions?

HOW TO BUILD YOUR OWN ARCHITECTURE?
Bring/Build Your Own Architecture (BYOA)
- But, read Zachman, TOGAF and SABSA to understand what they are trying to solve.
- NIST 800-53, NIST Cybersecurity Architecture, the ISF Standard of Good Practice, ISO 27001:2013 and the ENISA guidelines all offer good starting points.
- Adopt a catalog set/taxonomy and iterate to improve it.

- Define an information classification schema.
- Create an inventory of applications prioritized by information classification.
- Perform risk assessment for these applications.

- Implement DR setup for mission-critical applications.
- Implement network isolation for mission-critical applications.
- Implement network zones of differing trust levels.

- Implement network access based on device identity and health.
- Implement centralized and unique user identity and behavior fingerprinting.
- Implement transparent multi-factor authentication.

- Implement secure DNS services and publish application URLs.
- Implement single sign-on with federation services.
- Implement mutual TLS authentication via Enterprise CA certificates.
- Implement enterprise certificate pinning.

- Implement end-user device hardening.
- Implement continuous device health monitoring.
- Implement pervasive detection capabilities.
- Implement a focused security monitoring process.

- Implement privileged identity and access management.
- Maintain audit records of administrative activity via AAA logs and operating system audit and logging functions (e.g. Linux's auditd).

- Implement a vulnerability management program.
- Define strong baseline hardening criteria for operating systems and web applications.
- Continuously execute application and infrastructure penetration tests to find and remediate weaknesses.

- Implement a system development life cycle program and processes:
  - On-boarding and secure device initialization
  - Secure deployment and integrity validation for OS and applications
  - Secure operations and patching processes
  - Secure decommissioning and media disposal
- Implement a software security and threat-modeling program to manage application development risks.

- Implement a security maturity program:
  - Apply a capability maturity model to all information security programs and measure year-on-year improvements and changes.
  - Measure security metrics: aggregate up the management/process pyramid, and provide drill-down the management/process pyramid.

MODERN SYSTEM ARCHITECTURES
Windows 10 and ahead…
- Virtualization Based Security (VBS)
- Hypervisor Code Integrity (HVCI)
- Credential Guard - Local Security Authority protection, no more PTH!
- Device Guard with UEFI/SecureBoot integrity
- Hardware binding for core cryptography operations, as in mobile devices
- Measured Boot - measuring device integrity through TPM chips
- Remote Device Health Attestation through Measured Boot data

Linux is evolving too…
- UEFI/SecureBoot support on Enterprise Linux
- KVM/Xen hypervisors to support VBS
- Containers with Solaris Zones and ZFS
- Application containers - Docker, LXC etc.
- Modern SysV init replacements supporting verified boot - systemd, Upstart, SMF
- SELinux for RBAC
- grsecurity for exploit mitigation