Transcript of Protect Your Organization Inside Out using Identity | Akamai
Slide 1
How to Protect Your Organization Inside Out using Identity
Nick Hawkins, Senior Director, Product Management, Enterprise, Akamai
Slide 2
Users & Applications Are Moving Outside
Users
• Mobile
• Digital ecosystem
• Global distribution
• Remote workers
Applications
• IaaS & SaaS
• Hybrid
• Inconsistent visibility, security & control
• Confusing end-user experience
(Diagram labels: App #1, App #2, App #3)
Slide 3
Threats Are Moving Inside
• Security architecture vulnerabilities leveraged in complex attacks
• Malware, phishing & data exfiltration
• Credential theft
• Single factor authentication
• Lateral network movement
(Diagram labels: App #1, App #2, App #3)
Slide 4
There is no INSIDE
Slide 5
Zero Trust Approach Is Gaining Traction
Traditional approach:
• Users & apps inside a perimeter
• Trust, but verify
• Full network access
Zero Trust approach:
• Users & apps anywhere
• Verify & never trust
• Access only to authorized apps
Slide 6
What is Zero Trust? Key principles:
● The network is always assumed to be hostile.
● External and internal threats exist on the network at all times.
● Network locality is not sufficient for deciding trust in a network.
● Every device, user, and network flow is authenticated and authorized.
● Policies must be dynamic and calculated from as many sources of data as possible.
Slide 7
Different Approaches To Implement Zero Trust
Option #1: Network Segmentation
Option #2: Software Defined Perimeters
Option #3: Identity Aware Proxies
Slide 8
What is Network Micro-segmentation?
8 | Presentation title here | © 2018 Akamai | Confidential
• Divide the network into small logical segments
• Only authorized end-points can access
• Smaller segments present a reduced attack surface
• Typically uses firewalls to connect network segments into security zones
• Zones secured with their own access rules
• Uses ever smaller micro-perimeters to keep workflows secure
Slide 9
Network Segmentation
Advantages
● Great for protection from East-West lateral movement
Drawbacks
● Fragile
● Operational nightmare to maintain
● Expensive
● Shared resources used by entire Enterprise
● Even more complex to implement in hybrid IaaS/On-prem
● Often implemented within Corp WAN
Slide 10
Things Get Complicated VERY FAST
• Shared Infrastructure
• Multitude of Touch Points
• Apps in the Cloud
• Mobile Workforce
• High Maintenance
Slide 11
What about A Software Defined Perimeter (SDP)?
• Three main components: Client, Controller, Gateway
• Identity & authorization occur centrally at the Controller, based on least access principles
• Open up on-demand tunnels to applications after auth-n & auth-z
• Clients at user devices, SDP Gateways in DMZ
Slide 12
Software Defined Perimeter (Tunnel)
Advantages
● Familiar: most similar to legacy Remote Access VPN
● Relatively fast to eliminate VPN
Drawbacks
● Limited architecture: a tunnel is just a tunnel
● Service insertion not possible due to tunnel architecture
● Pushes complexity with legacy auth down to each application
Slide 13
Identity Aware Proxy (IAP)
• Cloud-based proxy architecture
• Identity verification and authorization occur in the cloud based on least access principles
• Unlike SDP, which uses tunnels, IAP provides access to applications, whitelisted for authenticated and authorized users, at the application layer (Layer 7) using standard HTTPS or WebSockets over TLS
• Trusted identity store to verify users and devices before allowing them access to applications
• Cloaks the applications and assets in the cloud or behind the firewall
• Clientless for web apps
Slide 14
Benefits
(Diagram labels: Third Parties, Remote Workers, Remote sites; Auth + Data Path Controls; App #1, App #2, App #3)
• No network connectivity - least privilege per app
• No company owned devices to third parties
• No security appliance stack in cloud infrastructure
Slide 15
Benefits
• Identity & Access Occur in the Cloud
  • Easy to scale, and users can be anywhere Internet access is.
  • Reduces corporate networks to guest Wifi!
• Strong Authentication and Authorization
  • The proxy must know who you are, your machine posture, and where you are going before you can reach any application.
• Application Access vs. Network Access
  • Users are granted access to apps through the proxy, not through the network!
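The three questions on this slide (who you are, what your machine posture is, where you are going) can be read as a per-request policy check that the proxy runs before forwarding anything. The Python below is an added example, not Akamai's or EAA's code; the policy schema, the application hostnames, the group names and the function names are assumptions made for illustration. It shows what "application access, not network access" means in practice: every decision is keyed on the requested application, an application with no policy is denied exactly like one that does not exist (the cloaking on the previous slide), and being allowed into one application says nothing about any other.

```python
"""Per-request policy check for an identity-aware proxy.

Added example, not Akamai or EAA code. The policy schema, application
hostnames, group names and function names are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class DevicePosture:
    managed: bool         # enrolled in the organization's device management
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class Request:
    user: Optional[str]   # None: the proxy has not authenticated anyone yet
    groups: FrozenSet[str]
    mfa: bool             # whether the current session completed MFA
    device: DevicePosture
    app: str              # application hostname the user is asking for


@dataclass(frozen=True)
class Policy:
    app: str
    allowed_groups: FrozenSet[str]
    require_mfa: bool = False
    require_managed_device: bool = False


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def authorize(req: Request, policies: Dict[str, Policy]) -> Decision:
    """Decide one request. Anything not explicitly allowed is denied."""
    # Who are you? Nothing is forwarded before authentication.
    if req.user is None:
        return Decision(False, "not authenticated")
    # Where are you going? An app with no policy stays cloaked: the answer
    # is the same as for an app that does not exist.
    policy = policies.get(req.app)
    if policy is None:
        return Decision(False, "unknown application")
    # Is this identity entitled to this particular app?
    if not (req.groups & policy.allowed_groups):
        return Decision(False, "user not in an allowed group")
    if policy.require_mfa and not req.mfa:
        return Decision(False, "MFA required")
    # What is the machine posture?
    if policy.require_managed_device and not req.device.managed:
        return Decision(False, "managed device required")
    if not (req.device.disk_encrypted and req.device.os_patched):
        return Decision(False, "device posture insufficient")
    return Decision(True, "allowed")


# Constructed sample policies: a wiki open to staff and contractors from any
# healthy device, and an HR app that demands the hr group, MFA and a managed device.
POLICIES = {
    "wiki.internal.example": Policy("wiki.internal.example",
                                    frozenset({"staff", "contractors"})),
    "hr.internal.example": Policy("hr.internal.example", frozenset({"hr"}),
                                  require_mfa=True, require_managed_device=True),
}

MANAGED = DevicePosture(managed=True, disk_encrypted=True, os_patched=True)
BYOD = DevicePosture(managed=False, disk_encrypted=True, os_patched=True)


def demo():
    """Run a few constructed requests and return (user, app, decision) rows."""
    requests = [
        Request("carol", frozenset({"contractors"}), False, BYOD, "wiki.internal.example"),
        Request("carol", frozenset({"contractors"}), False, BYOD, "hr.internal.example"),
        Request("dave", frozenset({"staff", "hr"}), False, MANAGED, "hr.internal.example"),
        Request("dave", frozenset({"staff", "hr"}), True, MANAGED, "hr.internal.example"),
        Request("dave", frozenset({"staff", "hr"}), True, MANAGED, "db.internal.example"),
        Request(None, frozenset(), False, MANAGED, "wiki.internal.example"),
    ]
    return [(r.user, r.app, authorize(r, POLICIES)) for r in requests]


if __name__ == "__main__":
    for user, app, d in demo():
        print(f"{str(user):6} -> {app:22} {'ALLOW' if d.allow else 'DENY ':5} ({d.reason})")
```

The order of the checks is deliberate: authentication comes before the policy lookup so an unauthenticated caller learns nothing about which hostnames have policies, and the lookup comes before group checks so an entitled user and an unentitled one get the same answer for an app that is not published at all. A real proxy would also bind the decision to the session (re-evaluating when posture changes), which this toy omits.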
Slide 16
Identity Aware Proxy
Advantages
• Long-term flexibility with proxy architecture
• Service insertion for features like WAF, CDN, etc.
• Auth bridging
• Unify multiple islands of identity
• Future capabilities likely to include password vaulting and shared accounts
Drawbacks
• More of a departure for helpdesk support compared to network-centric solutions
• Can be more work to get started
Slide 17
Identity Aware Proxy (IAP) Architecture
● Auth-N, Auth-Z before connect
● Secured data path
● Integrated HA, load balancing
● Multiple IDP support
● SSO and auth bridging
● Managed & unmanaged devices
(Diagram labels: User > Browser (Clientless) and User > Desktop Apps > EAA Client (With Client); TLS; Internet; EAA DPoP (Auth & Data Path); EAA SAML IDP (Auth Path Only); EAA Connector; AD; Apps in Data Center, IaaS (VPC) and SaaS)
Slide 18
IAP Complements Network Segmentation
● No limit on number of connectors
● Simplify micro-segmentation
  ○ Network level for coarse segmentation
  ○ EAA for fine-grained per-app segmentation
(Diagram labels: User > Browser (Clientless) and User > Desktop Apps > EAA Client (With Client); TLS; Internet; EAA DPoP; AD; Data Center with App 1 in Segment 1, App 2 in Segment 2, App 3 in Segment 3, App 4 in Segment 4)
Slide 19
Are you ready to start your Zero Trust Journey?
Slide 20
8 Steps To Zero Trust
1. App Precheck
2. Access Proxy Prep
3. Test Lab Enrollment
4. Security Upgrade
5. Performance Upgrade
6. External User Enrollment
7. Internal User Enrollment
8. VLAN Migration
Resources (akamai.com/zerotrust):
• 8 Steps To Zero Trust: a comprehensive guide & roadmap to Zero Trust by Akamai CTO Charlie Gero
• Zero Trust Ref. Architecture: simple visual guide on how to apply Zero Trust across common environments
• Moving Beyond Perimeter Security: a comprehensive & achievable roadmap to less risk
Slide 22
Credential stuffing threats
Aseem Ahmed, Senior Product Manager, Cloud Security, Akamai
Slide 23
Understanding credential stuffing
©2018 AKAMAI | FASTER FORWARDTM
BOT KILL CHAIN: Reconnaissance, Weaponization, Delivery, Exploitation, Action
Objectives:
• Identify target website with high account value
• Purchase list of stolen credentials on dark web
• Build or rent a botnet to automate validation
• Build or buy software tools to evade detection
• Purchase compromised account for target site
• Use purchased account credentials to login
• Perform fraudulent transactions using compromised account
• Validate list of stolen credentials against login page of target website
• Resell validated account credentials on dark web
Slide 24
Evolving bot sophistication: Credential Stuffing
(Diagram: a spectrum from Simple to Sophisticated; labels: Single IP, Multiple IPs, Low request rate, Randomized user agent, Browser impersonation, Session replay, Full cookie support, JavaScript support, Browser fingerprint spoofing, Recorded human behavior)
Slide 25
Anatomy of an attack tool
(Diagram: Sentry MBA beside a mock sign-in page with SIGN IN, BAG, LOGIN and CREATE ACCOUNT)
1. Data breach results in lists of user credentials for sale on dark web marketplace
2. Website login workflow defined as a Sentry MBA config for sale on dark web marketplace
3. BYO, hire to build, or utilize a ready-made botnet for rent on dark web marketplace
Slide 27
What is your attack surface?
Avoid data theft and downtime by extending the security perimeter outside the data center and protecting against the increasing frequency, scale and sophistication of web attacks.
Slide 28
ATTACK CAMPAIGN ANALYSIS
Average Campaign Size (By Number of Accounts)
• Standard Web: 1,000,000
• APIs: 4,000,000
ATTACKERS ATTEMPT x4 MORE STOLEN ACCOUNTS THROUGH API LOGINS!
Slide 29
Case study - Login Abuse: Fortune 500 FSI
Slide 31
High cost of credential stuffing attacks - APAC
Slide 33
• Data breaches are on the rise, fueling credential stuffing
• Difficult to differentiate between users, employees and attackers
• Business impact is a factor of money lost, costs of prevention, remediation costs and value of lost customers
Slide 35
What can you do?
• Along with websites, secure your web APIs and login pages
• Enforce strong credential management & policies
• Multifactor authentication can help if costs are not prohibitive
• Use defense in depth, such as a bot management strategy
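The sophistication spectrum on Slide 24 (a single IP spraying accounts with a randomized user agent at one end, many IPs each making a low-rate attempt at the other) and the "bot management" bullet above both come down to the same defender question: which signals in the login log separate credential stuffing from ordinary users who mistype a password? The Python below is an added example, not Akamai code. The log format (`<ISO-8601 time> <src_ip> <username> <success|fail> "<user agent>"`), the thresholds and the function names are assumptions, and the log lines are constructed inline so the script runs offline. It checks three of the slide's signals over a time window: one source failing against many accounts, that source rotating user agents, and many accounts each failing once from a different low-rate source.

```python
"""Credential-stuffing signals over a login log.

Added example, not Akamai code. Log format, thresholds and names are
assumptions for illustration:
    <ISO-8601 time> <src_ip> <username> <success|fail> "<user agent>"
The sample lines are constructed here so the script runs offline.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (success|fail) "([^"]*)"$')


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    when, ip, user, result, ua = m.groups()
    return {"time": datetime.fromisoformat(when), "ip": ip, "user": user,
            "result": result, "ua": ua}


def analyze(lines, window=600, ip_user_threshold=5, ua_threshold=2,
            distributed_threshold=20):
    """Return (signal, subject, count) findings, evaluated per time window."""
    events = [e for e in map(parse_line, lines) if e]
    buckets = defaultdict(list)
    for e in events:
        buckets[int(e["time"].timestamp() // window)].append(e)
    findings = []
    for _, evs in sorted(buckets.items()):
        # A failure followed by a success from the same (ip, user) is a typo,
        # not stuffing: drop those pairs before counting.
        recovered = {(e["ip"], e["user"]) for e in evs if e["result"] == "success"}
        ip_failed_users = defaultdict(set)   # src ip -> accounts it failed on
        ip_uas = defaultdict(set)            # src ip -> user agents it presented
        user_fail_ips = defaultdict(set)     # account -> src ips that failed on it
        for e in evs:
            ip_uas[e["ip"]].add(e["ua"])
            if e["result"] == "fail" and (e["ip"], e["user"]) not in recovered:
                ip_failed_users[e["ip"]].add(e["user"])
                user_fail_ips[e["user"]].add(e["ip"])
        # Signals 1 and 2: one source spraying many accounts, and whether it
        # rotates user agents while doing so.
        for ip, users in ip_failed_users.items():
            if len(users) >= ip_user_threshold:
                findings.append(("single_ip_many_accounts", ip, len(users)))
                if len(ip_uas[ip]) >= ua_threshold:
                    findings.append(("rotating_user_agent", ip, len(ip_uas[ip])))
        # Signal 3: many accounts each failing from sources that individually
        # stay under the per-IP threshold (the low-and-slow, multi-IP case).
        low_rate_ips = {ip for ip, users in ip_failed_users.items()
                        if len(users) < ip_user_threshold}
        spread_users = {u for u, ips in user_fail_ips.items() if ips <= low_rate_ips}
        spread_ips = set().union(*(user_fail_ips[u] for u in spread_users)) if spread_users else set()
        if len(spread_users) >= distributed_threshold and len(spread_ips) >= distributed_threshold:
            findings.append(("distributed_low_rate", f"{len(spread_ips)} source ips",
                             len(spread_users)))
    return findings


def build_sample_log():
    """Constructed log: two real users, one spraying bot, one distributed botnet."""
    base = datetime(2018, 6, 1, 12, 0, tzinfo=timezone.utc)

    def ts(seconds):
        return (base + timedelta(seconds=seconds)).isoformat()

    lines = [
        f'{ts(0)} 203.0.113.10 alice success "Mozilla/5.0 (Windows NT 10.0) Firefox/60.0"',
        f'{ts(5)} 203.0.113.11 bob fail "Mozilla/5.0 (Macintosh) Safari/605.1"',
        f'{ts(20)} 203.0.113.11 bob success "Mozilla/5.0 (Macintosh) Safari/605.1"',
    ]
    uas = ["Mozilla/5.0 (Windows NT 6.1) Chrome/64.0", "curl/7.58.0", "python-requests/2.18"]
    for i in range(8):   # simple bot: one IP, many accounts, randomized user agent
        lines.append(f'{ts(30 + i)} 198.51.100.7 user{i:03d} fail "{uas[i % 3]}"')
    for i in range(25):  # sophisticated bot: 25 IPs, one account each, low request rate
        lines.append(f'{ts(60 + 15 * i)} 192.0.2.{i + 1} victim{i:03d} fail '
                     f'"Mozilla/5.0 (X11; Linux) Chrome/66.0"')
    return lines


if __name__ == "__main__":
    for signal, subject, count in analyze(build_sample_log()):
        print(f"{signal:26} {subject:18} {count}")
```

The third signal is the one worth dwelling on: none of the 25 botnet sources would trip a per-IP rate limit, so the only way to see the campaign is to aggregate failures by account across sources, which is why the slide's recommendation is a bot management layer rather than a firewall rule. The thresholds here are constructed; in production they would be set from a baseline of normal failure rates for the site.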