Solving access for hybrid it Axians (introducing pulse secure) - Networkshop44

Editor's Notes

• #3: Gigamon survey 97% of enterprises breached, total cost around 2B – average enterprise breach costs $2-3M These breaches go undetected for 134 days. The survey suggests that deploying NAC reduces the breach cost by 20% eMarketer Use of mobile phones has grown from an average of 40 minutes to 3 hours Use of laptops has stayed flat in the same period ITRC - US Businesses – 71 breaches - 40% of breaches publically reported and some 5m records Educational – 58 breaches – 700k records 7.4% of overall breaches e.g. Boston Uni Emails sent to wrong recipients, websites hacked, ftp sites publically expose, laptops with data stolen
• #4: Access whether on the network or remote has changed over the years we only used to worry about controlling access. Authorization was really about the user and a password (maybe 2FA) Today we want to understand the device, the user and the compliance level of the device. All of this becomes part of the authorization decision Visibility into users, device and applications becomes more important in policy than resources, ports and IPs in Hybrid IT
• #5: How we are connecting has changed – no longer just a corporate port The devices we use has changed from 1 laptop to multiple devices From one heterogeneous OS to many proprietary to closed/opensource The different types of networks we connect to bring different types of risk The types of devices have different risk profiles Mobilizing Access and Applications is demanding We have a number of access gateways for cloud security (CASB), Data-center (VPN/Firewall/NAC) We have created a number of management technologies for the endpoint MDM, SMS, Tivoli We have tried to mobilize PC applications and infrastructure with VDI which doesn’t work on tablets and phones well On the hosting front we are moving applications to the data center to cloud without a solid plan for security We are deploying SaaS based services for ease and cost being driven out of the business side more than IT Creating consistent access policy across many of these environments becomes challenging Multiple consoles, Multiple policies hard to rationalize Security posture becomes impossible to assess yet attest
• #6: Securing access to application, data and services is infinitely more challenging than the old world of DC only. Finding one vendor that ticks all the boxes to provide security across this hybrid environment is hard. We are often left stitching disparate solutions together. Sometimes ones that were not necessarily designed to work together It is important to find a vendor or series of vendors that are open and can create the glue in the solution Securing data in motion is almost pointless when the data rests unencrypted on a device. Authenticating a user without checking the posture of the device could mean that malware steels the information/IP Accessing info without adequate authentication and identity capability means anyone with a lost device could access IP Allowing employees to access information without device compliance could mean an apt or malware could be stealing data. According to Impima 35% of data loss is due to malware and 72% that suffer major losses shutdown in 24 months. Having visibility into what is happening in the environment from the data centers and cloud apps being used to the devices and users connecting to them. Getting this visibility is hard and being able to manage multiple solutions is tough. Finding the glue will help lessen complexity of reporting and configuration
• #7: A secure access architecture include dealing with Cloud, DC and Campus It includes dealing with Mobile, Laptop and desktop Needs to enable access not restrict it Hybrid IT includes cloud, DC and campus Need a VPN to allow remote access to the DC Need Cloud GW manage access to the cloud or SaaS based services Need a network access control service to manage access to the DC and campus for employees in the office Above all of this an identity management system such Active Directory with 2/MFA Ideally one management console to manage this. Policies should be central around users and not resources Vendor who has independence and can work well within an eco-system of products such that you can protect your existing investments and adapt to new demands
• #8: Securing the endpoint becomes very important Outside to outside the organization Single sign on on the endpoint become important for native and html apps Create consistent password and user management policies across the hybrid environment Authentication is important an many companies delivering MFA. Authentication becomes around data not access. Give example Understanding the compliance of device becomes important to protecting your data. Is it encrypted, protected or vulnerable Conditional access is all about making decisions and conditioning access based on the user, auth level and device compliance/trust User experience is also key for user adoption to prevent users working around the system and controls. Today access can be clumsy and cumbersome for the end user If you need to create security on the endpoint this can be achieved by using a MDM or MAM solution for mobile users. This should them be integrated into your access policy. You can make conditional access policy through integrations with MDM solutions to determine compliance with policies or to assign access roles. Give examples
• #9: Enabling mobile access to resources within the DC and the cloud requires you to think about new ways to manage device lifecycle for managed and unmanaged devices. Simplifying access to the network. An onboarding of a device should be simple and provision access to the VPN, Wi-Fi networks install all appropriate software and provision certificates for stronger identity and authentication. Contextual access control can be extended to cloud services allowing you to control access to a service based on a devices compliance or authentication level The identity can be tied back to the enterprise by use a cloud / mobile GW as an identity provider using SAML. This can work for native and HTML based apps. Thus SAML based assertions can be based on the authenticated user back to the AD or LDAP server using 2/MFA You can also tie the identity to the device using auth chaining with device cert and the user credentials
• #10: Conditional access that lets you roam from outside the network to inside without re-authentication Enforcement point throughout the network that allow you to provide consistent user policy across access gateways, Wi-Fi Aps, VPN or Firewalls. This gives you the ability to enforce access through multiple entry/access points Create a secured access environment for visitors and guests that allows self service and easy provisioning of users. Creating a segmented environment for users to safely access the internet without a burden being placed on an IT team
• #11: Visibility become key to securing access. You have challenges of dealing with managed and unmanaged devices (BYOD) understanding what is hitting your network and accessing resources when often many resources are protected with a basic authentication. Integration with management platforms such as MDM and inventory management systems show your corporate or organizational devices that are under management. But there are many devices that may not be under management such as printers and IP phones. These unmanaged devices are usually discovered using profiler technologies. However the endpoint is important in providing total visibility when Cloud based services and mobility come into play. Once mobile devices are outside the corporate network access cloud services all visibility is lost unless you force it through the infrastructure which often places unnecessary load on gateway boxes. The endpoint can provide vital information on applications use, and the risk the device might pose such as unpatched vulnerabilities. Understanding the 5W’s of visibility Who – the user that is authenticating Which – the device they are using What – what application and data are they accessing When – the time at which they access and patterns of behavior Where – what location are they accessing things from
• #13: Hybrid IT is changing the way we fundamentally think about security. The perimeter and protecting data is not longer inside our four walls. The advent of mobility has changes the way in which we access data and when we access it. Endpoint becomes important around solving access to cloud technologies. This includes providing single sign on and password policy across multiple app in the datacenter and/or cloud. It also provides visibility into cloud apps being used outside of the organizations four walls. Identity of the user and tying the device to that identity become important it makes it harder for a hacked device or hacked user to be exploited. Your banks does this when you log in on a new machine Visibility of what is going on in your network is key and allows you to react and adjust controls appropriately