Protect Your Organization Inside Out using Identity | Akamai (slide transcript)
How to Protect Your Organization Inside Out using Identity
Nick Hawkins, Senior Director, Product Management, Enterprise, Akamai
Users & Applications Are Moving Outside
Users
• Mobile
• Digital ecosystem
• Global distribution
• Remote workers
Applications
• IaaS & SaaS
• Hybrid
• Inconsistent visibility, security & control
• Confusing end-user experience
Threats Are Moving Inside
• Security architecture vulnerabilities leveraged in complex attacks
• Malware, phishing & data exfiltration
• Credential theft
• Single factor authentication
• Lateral network movement
There is no INSIDE
Zero Trust Approach Is Gaining Traction
Perimeter model:
• Users & apps inside a perimeter
• Trust, but verify
• Full network access
Zero Trust model:
• Users & apps anywhere
• Verify & never trust
• Access only to authorized apps
What is Zero Trust? Key principles:
● The network is always assumed to be hostile.
● External and internal threats exist on the network at all times.
● Network locality is not sufficient for deciding trust in a network.
● Every device, user, and network flow is authenticated and authorized.
● Policies must be dynamic and calculated from as many sources of data as possible.
Different Approaches To Implement Zero Trust
Option #1: Network Segmentation
Option #2: Software Defined Perimeters
Option #3: Identity Aware Proxies
What is Network Micro-segmentation?
8 | Presentation title here | © 2018 Akamai | Confidential
• Divide the network into small logical segments
• Only authorized end-points can access
• Smaller segments present a reduced attack surface
• Typically uses firewalls to connect network segments into security zones
• Zones secured with their own access rules
• Uses ever smaller micro-perimeters to keep workflows secure
Network Segmentation
Advantages
● Great for protection from East-West lateral movement
Drawbacks
● Fragile
● Operational nightmare to maintain
● Expensive
● Shared resources used by entire Enterprise
● Even more complex to implement in hybrid IaaS/on-prem
● Often implemented within Corp WAN
Things Get Complicated VERY FAST
• Shared infrastructure
• Multitude of touch points
• Apps in the cloud
• Mobile workforce
• High maintenance
What about a Software Defined Perimeter (SDP)?
• Three main components: Client, Controller, Gateway
• Identity & authorization occur centrally at the Controller, based on least access principles
• Opens up on-demand tunnels to applications after auth-n & auth-z
• Clients at user devices, SDP Gateways in DMZ
Software Defined Perimeter (Tunnel)
Advantages
● Familiar: most similar to legacy remote access VPN
● Relatively fast to eliminate VPN
Drawbacks
● Limited architecture: a tunnel is just a tunnel
● Service insertion not possible due to tunnel architecture
● Pushes complexity with legacy auth down to each application
Identity Aware Proxy (IAP)
• Cloud-based proxy architecture
• Identity verification and authorization occur in the cloud based on least access principles
• Unlike SDP, which uses tunnels, IAP provides access to applications, whitelisted for authenticated and authorized users, at the application layer (Layer 7) using standard HTTPS or WebSockets over TLS
• Trusted identity store to verify users and devices before allowing them access to applications
• Cloaks the applications and assets in the cloud or behind the firewall
• Clientless for web apps
Benefits
[Diagram: third parties, remote workers and remote sites reach App #1, #2 and #3 through the proxy, which enforces controls on both the auth and data path]
• No network connectivity - least privilege per app
• No company-owned devices to third parties
• No security appliance stack in cloud infrastructure
Benefits
• Identity & access occur in the cloud
  • Easy to scale, and users can be anywhere there is Internet access
  • Reduces corporate networks to guest Wi-Fi!
• Strong authentication and authorization
  • The proxy must know who you are, your machine posture, and where you are going before you can reach any application
• Application access vs. network access
  • Users are granted access to apps through the proxy, not through the network!
Identity Aware Proxy
Advantages
• Long-term flexibility with proxy architecture
• Service insertion for features like WAF, CDN, etc.
• Auth bridging
• Unify multiple islands of identity
• Future capabilities likely to include password vaulting and shared accounts
Drawbacks
• More of a departure for helpdesk support compared to network-centric solutions
• Can be more work to get started
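The IAP decision described above (who you are, your machine posture and where you are going are all checked in the proxy; per-app least privilege; cloaked apps; auth bridging), as an added example that is not Akamai's or EAA's code: the app names, group names, posture fields and X-Auth-* header names are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """What the proxy has established about a request before any app is reached."""
    user: str                # identity verified against the trusted identity store
    groups: frozenset        # group memberships from that store (AD groups, for instance)
    mfa_passed: bool
    device_managed: bool     # posture reported by a client agent; False for clientless browser access
    os_patched: bool
    app: str                 # the application the user is trying to reach

# Per-app policy (constructed for this example): least privilege means each app
# names exactly which groups may reach it and what device posture it demands.
APP_POLICIES = {
    "payroll.internal": {"groups": {"finance"}, "mfa": True, "managed_device": True},
    "wiki.internal": {"groups": {"employees", "contractors"}, "mfa": False, "managed_device": False},
}


def decide(ctx):
    """Return (verdict, reason). Identity, posture and destination are all checked before forwarding."""
    policy = APP_POLICIES.get(ctx.app)
    if policy is None:
        return "deny", "unknown app"  # cloaked: an unlisted app looks the same as a denied one
    if not (ctx.groups & policy["groups"]):
        return "deny", "user not entitled to app"
    if policy["mfa"] and not ctx.mfa_passed:
        return "deny", "mfa required"
    if policy["managed_device"] and not (ctx.device_managed and ctx.os_patched):
        return "deny", "device posture insufficient"
    return "allow", "policy satisfied"


def bridge_headers(ctx, client_headers):
    """Auth bridging: on allow, the proxy asserts the verified identity to the app in headers
    and drops any identity headers the client sent, so the app only ever trusts the proxy."""
    verdict, _ = decide(ctx)
    if verdict != "allow":
        return None  # nothing is forwarded: the app never sees the request
    forwarded = {k: v for k, v in client_headers.items() if not k.lower().startswith("x-auth-")}
    forwarded["X-Auth-User"] = ctx.user
    forwarded["X-Auth-Groups"] = ",".join(sorted(ctx.groups & APP_POLICIES[ctx.app]["groups"]))
    return forwarded
```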
Identity Aware Proxy (IAP) Architecture
● Auth-N,Z before connect
● Secured data path
● Integrated HA, load balancing
● Multiple IDP support
● SSO and auth bridging
● Managed & unmanaged devices
[Diagram: users reach apps in SaaS, IaaS and the data center through the EAA PoP on the Internet, clientless from a browser over TLS or via the EAA Client for desktop apps; EAA Connectors sit beside the apps (VPC, data center) next to AD; the EAA SAML IDP carries the auth path only, while the PoP carries the auth & data path]
● No limit on number of connectors
● Simplify micro-segmentation
  ○ Network level for coarse segmentation
  ○ EAA for fine-grained per-app segmentation
IAP Complements Network Segmentation
[Diagram: the data center is divided into Segments 1-4, one per app (App 1 to App 4); users reach each app through the EAA PoP on the Internet, clientless from a browser over TLS or via the EAA Client for desktop apps, with AD providing identity]
Are you ready to start your Zero Trust journey?
8 Steps To Zero Trust
1. App Precheck
2. Access Proxy Prep
3. Test Lab Enrollment
4. Security Upgrade
5. Performance Upgrade
6. External User Enrollment
7. Internal User Enrollment
8. VLAN Migration
• 8 Steps To Zero Trust: a comprehensive guide & roadmap to Zero Trust by Akamai CTO Charlie Gero
• Zero Trust Ref. Architecture: simple visual guide on how to apply Zero Trust across common environments
• Moving Beyond Perimeter Security: a comprehensive & achievable roadmap to less risk
akamai.com/zerotrust
Credential stuffing threats
Aseem Ahmed, Senior Product Manager, Cloud Security, Akamai
©2018 AKAMAI | FASTER FORWARDTM
Understanding credential stuffing
Bot kill chain: Reconnaissance, Weaponization, Delivery, Exploitation, Action
• Identify target website with high account value
• Purchase list of stolen credentials on dark web
• Build or rent a botnet to automate validation
• Build or buy software tools to evade detection
• Purchase compromised account for target site
• Use purchased account credentials to login
• Perform fraudulent transactions using compromised account
Objectives:
• Validate list of stolen credentials against login page of target website
• Resell validated account credentials on dark web
Evolving bot sophistication, from simple to sophisticated:
• Single IP
• Multiple IPs, low request rate
• Randomized user agent
• Browser impersonation
• Session replay
• Full cookie support
• JavaScript support
• Browser fingerprint spoofing
• Recorded human behavior
Credential Stuffing
Anatomy of an attack tool
[Screenshot: Sentry MBA alongside a target site's sign-in page]
1. Data breach results in lists of user credentials for sale on dark web marketplace
2. Website login workflow defined as a Sentry MBA config for sale on dark web marketplace
3. BYO, hire to build, or utilize a ready-made botnet for rent on dark web marketplace
Avoid data theft and downtime by extending the security perimeter outside the data center, and protect against the increasing frequency, scale and sophistication of web attacks.
What is your attack surface?
Attack campaign analysis: average campaign size (by number of accounts)
• Standard web: 1,000,000
• APIs: 4,000,000
Attackers attempt 4x more stolen accounts through API logins!
Case study - Login abuse: Fortune 500 FSI
High cost of credential stuffing attacks - APAC
• Data breaches are on the rise, fueling credential stuffing
• Difficult to differentiate between users, employees and attackers
• Business impact is a function of money lost, cost of prevention, remediation costs and the value of lost customers
What can you do?
• Secure your web APIs and login endpoints, not just your websites
• Enforce strong credential management & policies
• Multifactor authentication can help if costs are not prohibitive
• Use defense in depth, such as a bot management strategy
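The bot sophistication spectrum and the API-login finding above translate into two login-log signals a defender can compute, shown here as an added example that is not Akamai's code: a single IP spraying many usernames (the simple end), and a distributed campaign where many IPs each make one failing attempt at a low rate (the sophisticated end), evaluated per endpoint so API logins are watched as closely as the web form. The log format and all addresses and usernames are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample login log (not real traffic): time, endpoint, source IP, username, result.
# 203.0.113.5 sprays four usernames from one address; 198.51.100.8-10 each make one low-rate
# failing attempt against the API login; 192.0.2.44 is a real user retyping a password.
LOG = """\
12:00:01 POST /login 203.0.113.5 alice FAIL
12:00:02 POST /login 203.0.113.5 bob FAIL
12:00:03 POST /api/v1/login 203.0.113.5 carol FAIL
12:00:04 POST /api/v1/login 203.0.113.5 dave OK
12:00:05 POST /login 198.51.100.7 erin FAIL
12:00:30 POST /api/v1/login 198.51.100.8 frank FAIL
12:01:00 POST /api/v1/login 198.51.100.9 grace FAIL
12:01:30 POST /api/v1/login 198.51.100.10 heidi FAIL
12:02:00 POST /login 192.0.2.44 ivan FAIL
12:02:10 POST /login 192.0.2.44 ivan FAIL
12:02:20 POST /login 192.0.2.44 ivan OK
"""
LINE = re.compile(r"^(\S+) POST (\S+) (\S+) (\S+) (OK|FAIL)$")

def parse(log):
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            _, path, ip, user, result = m.groups()
            events.append({"path": path, "ip": ip, "user": user, "ok": result == "OK"})
    return events
def flag_single_ip(events, min_users=3, min_fail_ratio=0.6):
    """Simple end of the spectrum: one source spraying many distinct usernames, mostly failing."""
    users, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for e in events:
        users[e["ip"]].add(e["user"])
        total[e["ip"]] += 1
        fails[e["ip"]] += 0 if e["ok"] else 1
    return sorted(ip for ip in total
                  if len(users[ip]) >= min_users and fails[ip] / total[ip] >= min_fail_ratio)
def flag_distributed(events, min_sources=3):
    """Sophisticated end: per endpoint, many IPs that each try one username once and fail;
    a real user retrying from one address makes several attempts and is not counted."""
    by_path = defaultdict(lambda: defaultdict(list))
    for e in events:
        by_path[e["path"]][e["ip"]].append(e)
    flagged = {}
    for path, by_ip in by_path.items():
        one_shot = {ip for ip, es in by_ip.items() if len(es) == 1 and not es[0]["ok"]}
        if len(one_shot) >= min_sources:
            flagged[path] = one_shot
    return flagged
```

On the sample log only the API endpoint trips the distributed signal, which is the point of counting per endpoint rather than for the site as a whole.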
Thank you [email protected]
https://www.linkedin.com/in/aseem-ahmed-4256941b/