Confidential │ ©2019 VMware, Inc.

How to Design a Zero-Trust Architecture Using Workspace ONE

Arthur Tan, Sales Engineer, End-User Computing, Southeast Asia & Korea, VMware

Disclaimer

This presentation may contain product features or functionality that are currently under development.

This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

Technical feasibility and market demand will affect final delivery.

Pricing and packaging for any new features/functionality/technology discussed or presented, have not been determined.

This information is confidential.

The information in this presentation is for informational purposes only and may not be incorporated into any contract. There is no commitment or obligation to deliver any items presented herein.

Agenda

Overview of Zero Trust and BeyondCorp

My and VMware’s take on it

What’s coming next

Adobe - a real life example

Why Is This Important

Companies are struggling with employee expectations, ease of access and flexible workstyles.

Existing security architectures cannot cope with the wider adoption of SaaS.

We need to modernize our application/data access and security to cope with these shifts.

VMware Identity Manager is no more

Long live Workspace ONE Access

Same functionality, just a new name

Overview of Zero Trust and BeyondCorp

The why, what and howish

It used to be us vs. them…

Why Do We Need a New Approach?

…but the boundaries are getting blurred

Why Do We Need a New Approach?

Let’s treat all as external

When We Cannot Put Our Trust in the Perimeter

No network can be trusted

Externally routable DNS names (FQDN)

No VPN is to be used

Access to applications requires corporate owned devices and a valid authentication method to identify the user

All traffic flows through a Secure Application Proxy

Hybrid mode, some network trust

Network/Micro Segmentation

VPN can be used

“Never-Trust, Always-Verify”

Zero Trust BeyondCorp

Zero Trust vs. BeyondCorp

My viewpoint

…well, I must trust something.

Never Trust, Always Verify...

Device Trust

• Ownership

• Managed

• Compliant

User Trust

• Method of AuthN

• Behavior

• Geographically makes sense?

Application Trust

• Secured in code

• Data classification

• Role based access

• Federation

• TTL Access Tokens

Transport Trust

• Communication method

• Encryption

Problem is diversity in application types

Why Not Change Security Over Night?

…And Devices

My and VMware’s take on Zero Trust/BeyondCorp

My opinion and VMware’s stand on it

Solution Mappings

VMware Horizon

Workspace ONE Access

Users need one place to access it all

We Need a Hub!

VMware Horizon

Different products/features that can aid in the transition

VMware Workspace ONE Capabilities

• Device Management and Compliance

• Per App-VPN

• Certificate Management

• Kerberos AuthN (iOS)

• Mobilization of content/data

Workspace ONE Access

• Conditional Access

• Single Sign-On

• Application Catalog

Horizon 7, Horizon Cloud, Horizon 7 on AWS

• Instantaneous mobilization of legacy applications

• Cloud delivery of legacy apps

• Simplify management and security of existing apps

• Allows for SSO into Active Directory

Unified Access Gateway

• Supports Workspace ONE UEM

• Secured Application Proxy

• Identity Bridging for SSO support of legacy apps

• Device AuthN

Network Virtualization

• Micro Segmentation

• Distributed Firewalls

• VPN

Workspace ONE Intelligence

• User & Device risk score

• Device status/remediation

• Guide/Nudge users into correct behavior

Absolutely free of charge

My Checklist to Implement Zero Trust/BeyondCorp

Define long term goal

Block any new investments not supporting long term goal

Adopt SaaS-based applications where possible

Implement stepping stone technology to ease management of and access to legacy applications

Application portfolio rationalization

Invest in re-coding of applications not supporting new architecture

Identify low-hanging fruit and move it to the new security architecture

Get rid of Active Directory dependency

Only using released VMware Products

Identify and close gaps

Wanted to support all applications

One of many, many ways to modernize your security

My take on it…and somewhat VMware’s

Building Zero Trust/BeyondCorp

User AuthN Layer

Device AuthN Layer

Entry point Layer

Any Network

Untrusted Devices Trusted Devices

Device AuthN Bypass Layer

Application Back-End Layer

Access Termination Layer

User AuthN Bypass Layer

Users

Today’s static/Boolean approach

How Do You Validate Trust of End User’s Devices?

Contextualized Risk Analytics Approach

How Do You Validate Trust of End User’s Devices?

Workspace ONE adds unique capabilities to partners

VMware’s Partnerships

To transform experience and security

It Takes a Village

RUGGEDOS

OS Platform Providers Trust Network Mobile Flows and Experiences

Workspace ONE Intelligence

MAR APR MAY JUN AUG OCT NOV DEC

Workspace ONE Trust Network

Acquisition

Integration

Workspace ONE Send for Microsoft

Integration GA

Horizon Cloud on Azure Government

Partnership

Workspace ONE Privacy Module

SIIA CODiE Award

MDM Channel Security Enhancements

9.5

Cisco Security Connector Integration

4 New Trust Network Partners

Broad Security & Mgmt Enhancements

SSL Certificate Rotation for Tunnel

9.6

Gartner Critical Capabilities for High Security Mobility Mgmt Report

SafetyNet Attestation API for Android

Tunnel for Android Enterprise and Legacy

1810

Token revocation on Enterprise Wipe

Trusted Software Authority

RBAC and TLS for AirLift 1.1

1811

Horizon Cloud on Azure & NSX Cloud

Support

Security Innovations We’ve Delivered 2018

JAN FEB MAR APR MAY JUN JUL AUG

Security Innovations We’ve Delivered 2019

Zero Trust whitepaper

First UEM to integrate natively with BeyondCorp

Common Criteria Certification EAL2+

Workspace ONE Boxer NIAP

(world’s first)

3 Trust Network Partners are GA

Secure SDK Launch

PIV D Android Enterprise Support

2019 SC Award Winner (Best Mobile security)

Intelligence User and Device Risk Analytics GA

Mapping SID value certificate requests for ADCS certificates

1902

1908

9.7

Mutual authentication between WS1 connector and Adaptiva Server

Acquisition

What’s Coming Next

VMware Mobile Flows allows interaction with only a subset of an application’s data, without the need to launch the application

Unprecedented user experience

Interact with only a data record or field

Data Access Without Application Access

Custom Connectors

Out-of-the-Box Connectors

Zero-Trust: Why Do We Need It?

Leverages Existing Investments In…

Demo – compliant device

Demo – non-compliant device

Key Takeaways

To sum it up

No vendor has a 100% complete solution that will solve it all

• Make sure there is a broad partner network

Standards, standards, and standards

• Though there are differences in implementation of standards you will not get locked in

This is a journey

• It will take dedication and motivation to reach your long term goal…

• …and without a well defined long term goal it is impossible to reach it

Keep it simple

• Complexity is a threat to good security

Plan how to get away from on-premises Active Directory dependencies

Adobe did it…So can you!

Unleash Your IT Superpowers

Go from zero to hero with the latest technical resources on the VMware Digital Workspace Tech Zone

TECHZONE.VMWARE.COM

Thank You!
