Protect Your Organization Inside Out using Identity | Akamai


Page 1:

How to Protect Your Organization Inside Out using Identity

Nick Hawkins, Senior Director, Product Management, Enterprise, Akamai

Page 2:

Users & Applications Are Moving Outside

Users:

• Mobile
• Digital ecosystem
• Global distribution
• Remote workers

Applications:

• IaaS & SaaS
• Hybrid
• Inconsistent visibility, security & control
• Confusing end-user experience


Page 3:

Threats Are Moving Inside

• Security architecture vulnerabilities leveraged in complex attacks
• Malware, phishing & data exfiltration
• Credential theft
• Single factor authentication
• Lateral network movement


Page 4:

There is no INSIDE

Page 5:

Zero Trust Approach Is Gaining Traction

Perimeter approach:

• Users & Apps inside a perimeter
• Trust, but verify
• Full network access

Zero Trust approach:

• Users & apps anywhere
• Verify & never trust
• Access only to authorized apps

Page 6:

What is Zero Trust? Key principles:

● The network is always assumed to be hostile.

● External and internal threats exist on the network at all times.

● Network locality is not sufficient for deciding trust in a network.

● Every device, user, and network flow is authenticated and authorized.

● Policies must be dynamic and calculated from as many sources of data as possible.

Page 7:

Different Approaches To Implement Zero Trust

Option #1: Network Segmentation

Option #2: Software Defined Perimeters

Option #3: Identity Aware Proxies

Page 8:

What is Network Micro-segmentation?

8 | Presentation title here | © 2018 Akamai | Confidential

• Divide the network into small logical segments
• Only authorized end-points can access
• Smaller segments present a reduced attack surface
• Typically uses firewalls to connect network segments into security zones
• Zones secured with their own access rules
• Uses ever smaller micro-perimeters to keep workflows secure

Page 9:

Network Segmentation

Advantages

● Great for protection from East-West lateral movement

Drawbacks

● Fragile
● Operational nightmare to maintain
● Expensive
● Shared resources used by entire Enterprise
● Even more complex to implement in hybrid IaaS/On-prem
● Often implemented within Corp WAN

Page 10:

Things Get Complicated VERY FAST

• Shared Infrastructure
• Multitude of Touch Points
• Apps in the Cloud
• Mobile Workforce
• High Maintenance

Page 11:

What about A Software Defined Perimeter (SDP)?

• Three main components: Client, Controller, Gateway
• Identity & authorization occur centrally at the Controller, based on least access principles
• Open up on-demand tunnels to applications after auth-n & auth-z
• Clients at user devices, SDP Gateways in DMZ

Page 12:

Software Defined Perimeter (Tunnel)

Advantages

● Familiar: Most Similar to legacy Remote Access VPN
● Relatively Fast to Eliminate VPN

Drawbacks

● Limited Architecture: A tunnel is just a tunnel
● Service Insertion not possible due to tunnel architecture
● Push Complexity with Legacy Auth down to Each Application

Page 13:

Identity Aware Proxy (IAP)

• Cloud-based Proxy architecture
• Identity verification and authorization occur in the cloud based on least access principles
• Unlike SDP, which uses tunnels, IAP provides access to applications, whitelisted for authenticated and authorized users, at the application layer (Layer 7) using standard HTTPS or WebSockets over TLS
• Trusted Identity Store to verify users and devices before allowing them access to applications
• Cloak the applications and assets in the cloud or behind the firewall
• Clientless for Web apps

Page 14:

Benefits

(Diagram: Auth + Data Path Controls in front of App #1, App #2 and App #3, reached by Third Parties, Remote Workers and Remote sites)

• No network connectivity - Least privilege per app
• No company owned devices to third parties
• No security appliance stack in cloud infrastructure

Page 15:

Benefits

• Identity & Access Occur in the Cloud
  • Easy to scale and users can be anywhere Internet access is.
  • Reduces Corporate Networks to Guest Wifi!
• Strong Authentication and Authorization
  • The proxy must know who you are, your machine posture, and where you are going before you can reach any application.
• Application Access vs. Network Access
  • Users are granted access to apps through the proxy, not through the network!

Page 16:

Identity Aware Proxy

Advantages

• Long Term Flexibility with Proxy Architecture
• Service Insertion for features like WAF, CDN, etc.
• Auth Bridging
• Unify multiple Islands of Identity
• Future Capabilities likely to include Password Vaulting and Shared Accounts

Drawbacks

• More of a departure for Helpdesk support compared to network centric solutions
• Can be more work to get started

Page 17:

Identity Aware Proxy (IAP) Architecture

● Auth-N,Z before connect
● Secured data path
● Integrated HA, Load balancing
● Multiple IDP support
● SSO and auth bridging
● Managed & Unmanaged devices

(Architecture diagram: users reach Apps either Clientless (User > Browser, TLS) or With Client (User > Desktop Apps > EAA Client); EAA DPoP on the Internet carries the Auth & Data Path; EAA Connectors sit in front of Apps in the Data Center, IaaS VPC and SaaS, with AD behind an EAA Connector; EAA SAML IDP (Auth Path Only))

Page 18:

IAP Complements Network Segmentation

● No limit on number of connectors
● Simplify Micro segmentation
  ○ Network level for coarse segmentation
  ○ EAA for fine grained per app segmentation

(Diagram: the same Clientless (User > Browser, TLS) and With Client (User > Desktop Apps > EAA Client) paths through EAA DPoP on the Internet into a Data Center where App 1, App 2, App 3 and App 4 each sit in their own Segment 1 to Segment 4; AD)

Page 19:

Are you ready to start your Zero Trust Journey?

Page 20:

8 Steps To Zero Trust

1. App Precheck
2. Access Proxy Prep
3. Test Lab Enrollment
4. Security Upgrade
5. Performance Upgrade
6. External User Enrollment
7. Internal User Enrollment
8. VLAN Migration

8 Steps To Zero Trust: A comprehensive guide & roadmap to Zero Trust by Akamai CTO Charlie Gero

Zero Trust Ref. Architecture: Simple visual guide on how to apply Zero Trust across common environments

Moving Beyond Perimeter Security: A comprehensive & achievable roadmap to less risk

akamai.com/zerotrust

Page 21:

Thank you [email protected]

https://www.linkedin.com/in/nickhawk

@SingaporeNick

Page 22:

Credential stuffing threats

Aseem Ahmed, Senior Product Manager, Cloud Security, Akamai

Page 23:

Understanding credential stuffing

BOT KILL CHAIN: Reconnaissance → Weaponization → Delivery → Exploitation → Action

• Identify target website with high account value
• Purchase list of stolen credentials on dark web
• Build or rent a botnet to automate validation
• Build or buy software tools to evade detection
• Purchase compromised account for target site
• Use purchased account credentials to login
• Perform fraudulent transactions using compromised account

OBJECTIVES

• Validate list of stolen credentials against login page of target website
• Resell validated account credentials on dark web

©2018 AKAMAI | FASTER FORWARDTM

Page 24:

Evolving bot sophistication: Credential Stuffing

(Chart: techniques arranged from Simple to Sophisticated)

• Single IP
• Multiple IPs
• Low request rate
• Randomized user agent
• Browser impersonation
• Session replay
• Full cookie support
• JavaScript support
• Browser fingerprint spoofing
• Recorded human behavior

Page 25:

Anatomy of an attack tool

(Screenshot: Sentry MBA configured against a site's sign-in page)

1. Data breach results in lists of user credentials for sale on dark web marketplace
2. Website login workflow defined as a Sentry MBA config for sale on dark web marketplace
3. BYO, hire to build, or utilize a ready-made botnet for rent on dark web marketplace


Page 27:

Avoid data theft and downtime by extending the security perimeter outside the data center and protect against the increasing frequency, scale and sophistication of web attacks.

What is your attack surface?

Page 28:

ATTACK CAMPAIGN ANALYSIS

(Chart: Average Campaign Size (By Number of Accounts): Standard Web 1,000,000 vs. APIs 4,000,000)

ATTACKERS ATTEMPT x4 MORE STOLEN ACCOUNTS THROUGH API LOGINS!

Page 29:

Case study - Login Abuse: Fortune 500 FSI

Page 30:

Page 31:

High cost of credential stuffing attacks - APAC

Page 32:

Page 33:

• Data breaches are on the rise fueling credential stuffing

• Difficult to differentiate between users, employees and attackers

• Business impact is a function of money lost, cost of prevention, remediation costs and the value of lost customers
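The bot sophistication ladder on Page 24 (single IP, multiple IPs, low request rate) and the point above that attackers are hard to tell apart from users, as an added Python example that is not part of the deck: a detector that aggregates one window of login attempts and separates a single-IP tool from a distributed, low-rate botnet by the failure ratio and the username spread rather than by per-IP rate, which a botnet keeps low. The log format and the IP and username values are constructed.

```python
import re
from collections import Counter

# Constructed sample log (timestamp ip username path status); the format is an
# assumption, not Akamai's schema. 203.0.113.x models a botnet: one user per IP.
SAMPLE_LOG = """\
2018-06-01T10:00:01Z 198.51.100.10 alice /login 200
2018-06-01T10:00:03Z 203.0.113.11 u1001 /api/v1/login 401
2018-06-01T10:00:05Z 203.0.113.12 u1002 /api/v1/login 401
2018-06-01T10:00:07Z 203.0.113.13 u1003 /api/v1/login 401
2018-06-01T10:00:11Z 198.51.100.20 bob /login 401
2018-06-01T10:00:12Z 198.51.100.20 bob /login 200
2018-06-01T10:00:13Z 203.0.113.14 u1004 /api/v1/login 401
2018-06-01T10:00:15Z 203.0.113.15 u1005 /api/v1/login 200
2018-06-01T10:00:17Z 203.0.113.16 u1006 /api/v1/login 401
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, path, status = m.groups()
            events.append({"ts": ts, "ip": ip, "user": user, "path": path, "status": int(status)})
    return events


def window_stats(events, path_prefix):
    """Aggregate one time window of attempts against the endpoints under path_prefix."""
    hits = [e for e in events if e["path"].startswith(path_prefix)]
    n = len(hits)
    ips = Counter(e["ip"] for e in hits)
    return {
        "attempts": n,
        "failures": sum(1 for e in hits if e["status"] == 401),
        "distinct_users": len({e["user"] for e in hits}),
        "distinct_ips": len(ips),
        "top_ip_share": ips.most_common(1)[0][1] / n if n else 0.0,
    }


def classify(stats, min_attempts=5, fail_ratio=0.6, user_spread=0.8):
    """None for normal traffic. Many failures where nearly every attempt names a
    different user is the stuffing signature (real users retry the same name);
    the IP spread then tells a single-IP tool from a low-rate botnet."""
    n = stats["attempts"]
    if (n < min_attempts or stats["failures"] / n < fail_ratio
            or stats["distinct_users"] / n < user_spread):
        return None
    return "single-ip" if stats["top_ip_share"] > 0.5 else "distributed-low-rate"
```

Per-IP rate limiting alone would miss the API window here, since no source exceeds one attempt; the window-level ratios are what expose it.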

Page 34:

Page 35:


What can you do?

• Along with websites, secure your web APIs and login
• Enforce strong credential management & policies
• Multifactor Authentication can help if costs are not prohibitive
• Use defense in depth such as a bot management strategy

Page 36:

Thank you [email protected]

https://www.linkedin.com/in/aseem-ahmed-4256941b/