Secure Access: The world of
Bram De Blander | SE North Region | Pulse Secure
Old World: PC and Datacenter vs. New World: Hybrid IT
Remote Access has evolved into Secure Access: from “off-premise” access to access from “anywhere”.
Dialing Up IT Transformation
• BYOD is here for 85%
• Cloud is an option for 55%
• IoT is coming for 40%
Sources: IDG Research Services; Gartner
The need for Secure Access
[Slide diagram: corporate data is reached by customers, partners, Internet café users, tablets and smart phones, remote users, WiFi users, office users, conference rooms and visitors, on both managed and unmanaged devices. Resources sit on-premise and off-premise and now include IoT (climate control, connected trucks) and SaaS. The old assumption, “inside the network = trusted, outside the network = untrusted”, is marked with question marks: in Hybrid IT, trust can no longer be inferred from network location.]
Hybrid IT: Challenges Our Customers See
Visibility
• Can’t verify what’s on the corporate network
• Endpoint compliance gaps raise malware, IoT and breach risks
Compliance
• BYOD smartphones cause data leakage
• Can’t consistently apply access protection by role, device, app
User Experience
• Multiple security clients frustrate users (and IT)
• Multiple logins & access points slow down user productivity
Scalability & Reliability
• Load balancing complexity hinders scale
• Unable to dynamically shift access to IT services in emergency
Four directions of access between users/devices/things and resources:
• Outside-In = Remote Access (external user to internal resource)
• Inside-In = Network Security (internal user to internal resource)
• Inside-Out = Firewall? (internal user to external resource)
• Outside-Out = Cloud Security? (external user to external resource, e.g. SaaS)
Secure Access Reality in customer networks
Visibility, enforcement, unified policies and the ecosystem (Fortinet, Palo Alto Networks, Check Point, Juniper) are handled by separate products, so customers end up with silos, a poor user experience, and no consistent notion of trust.
Each silo re-implements the same three elements: A: Authentication, C: Compliance, R: Role-Based Access.
Zero Trust Protection Mechanisms
• User verification
– MFA; single sign-on via SAML; TOTP (Google Authenticator)
– Streamlined logins and user experience (e.g. Office 365)
• Endpoint assessment (before and during the connection)
– Prevent rooted or jailbroken devices from connecting
– Quarantine, grant or deny access via device policy
• Access control and data protection
– Always-on or on-demand secure connection
– Policy-based split tunneling for corporate data
– Provision, configure and wipe mobile devices
Policy → Enforcement
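The three mechanism groups above (user verification, endpoint assessment, role-based access control) are what a “comply to connect” policy engine chains together. The following is an added example, not Pulse Secure code: it verifies a TOTP code exactly as RFC 6238 specifies (the scheme Google Authenticator implements), grades a device posture report into compliant / quarantine / deny, and then applies a role-to-resource table. The policy table, role names, device-report field names and the 30-day patch threshold are assumptions made for illustration; the only real data is the RFC 6238 reference secret, so the TOTP output can be checked against the published vectors.

```python
"""Added example (not Pulse Secure code): a minimal "comply to connect" decision
that strings together the three mechanism groups listed on the slide:
  1. user verification with TOTP (RFC 6238, the scheme Google Authenticator uses),
  2. endpoint assessment (rooted/jailbroken, patch age, AV running),
  3. role-based access to a named resource, with a quarantine outcome for
     fixable posture failures and deny for the rest.
The policy table, role names, device-report fields and thresholds are all
assumptions made for illustration, not Pulse Secure's policy model."""
import base64
import hashlib
import hmac
import struct

# --- 1. user verification: TOTP ---------------------------------------------

def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: HOTP of the 30-second time counter."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // step)          # 8-byte big-endian counter
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def verify_totp(secret_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to absorb clock drift;
    compare in constant time so a partially right code does not leak timing."""
    return any(
        hmac.compare_digest(totp(secret_b32, unix_time + d * 30), code)
        for d in range(-window, window + 1)
    )

# --- 2. endpoint assessment -------------------------------------------------

MAX_PATCH_AGE_DAYS = 30                # assumed threshold
QUARANTINE_NET = "remediation-vlan"    # assumed name of the remediation network

def assess_device(report: dict) -> str:
    """Map a posture report (constructed field names) to compliant/quarantine/deny."""
    if report.get("rooted") or report.get("jailbroken"):
        return "deny"         # compromised platform: never admit, not even to remediation
    if not report.get("av_running", False):
        return "quarantine"   # fixable: send to the remediation network
    if report.get("os_patch_age_days", 10 ** 6) > MAX_PATCH_AGE_DAYS:
        return "quarantine"
    return "compliant"

# --- 3. role-based access ---------------------------------------------------

ROLE_ACCESS = {            # assumed role -> permitted resources table
    "employee":   {"intranet", "crm", "hr-portal"},
    "contractor": {"crm"},
}

def access_decision(user: dict, device: dict, resource: str, unix_time: int) -> dict:
    """Identity first, then device, then role: each stage can only narrow
    what the previous one allowed, and a failure short-circuits the rest."""
    if not verify_totp(user["totp_secret"], user["otp"], unix_time):
        return {"decision": "deny", "reason": "mfa_failed"}
    posture = assess_device(device)
    if posture == "deny":
        return {"decision": "deny", "reason": "device_compromised"}
    if posture == "quarantine":
        return {"decision": "quarantine", "network": QUARANTINE_NET}
    if resource not in ROLE_ACCESS.get(user["role"], set()):
        return {"decision": "deny", "reason": "role_not_permitted"}
    return {"decision": "grant", "resource": resource}

# Constructed sample data. DEMO_SECRET is the RFC 4226/6238 reference secret, so
# totp() can be checked against the published vectors (T=59 -> "287082").
DEMO_SECRET = base64.b32encode(b"12345678901234567890").decode()
T = 59

if __name__ == "__main__":
    alice = {"role": "employee", "totp_secret": DEMO_SECRET, "otp": totp(DEMO_SECRET, T)}
    good = {"rooted": False, "av_running": True, "os_patch_age_days": 3}
    stale = {"rooted": False, "av_running": True, "os_patch_age_days": 90}
    rooted = {"rooted": True, "av_running": True, "os_patch_age_days": 3}
    print(access_decision(alice, good, "intranet", T))                       # grant
    print(access_decision(alice, stale, "intranet", T))                      # quarantine
    print(access_decision(alice, rooted, "intranet", T))                     # deny
    print(access_decision({**alice, "role": "contractor"}, good, "intranet", T))  # deny
```

The ordering matters in practice: checking MFA before posture means an attacker with a stolen device but no second factor learns nothing about the posture policy, and a quarantine result still requires a valid identity, so the remediation network is not an anonymous landing zone.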
Zero Trust Use Cases
• Avoid unmanaged, insecure endpoints introducing malware and data leakage
• Identify and segregate IoT devices on the commercial network and the factory floor
• Extend data center policies and extend SSO with Cloud Secure
• Isolate compliance-related infrastructure, e.g. PCI DSS, HIPAA
• Enforce NAC-based micro-segmentation
• Use SaaS for basic IT services with SSO and a uniform access policy
• Provide visibility and control with network profiler, RADIUS and network access control
• Switch VPN access and policies from the data center to cloud-hosted appliances
• Move application development and analytics to private and public cloud
• Mitigate endpoint exposures and ransomware risks with “comply to connect” and always-on VPN
Secure Access Architecture
[Slide diagram: off-premise employees, contractors and partners reach protected resources through Pulse Connect Secure (PSA); on-premise employees and guests, together with unmanaged endpoints such as phones and printers, are admitted through Pulse Policy Secure (PSA) via switches and WLAN, with an optional L4-L7 firewall in front of the resources. Pulse One and Pulse Workspace provide management, Pulse Traffic Manager handles application delivery, and federation services plus the Pulse Secure ecosystem (MDM, SIEM, IPS, etc.) integrate with the platform.]
• Unified Client: one client for VPN and NAC; unified policy and enforcement; endpoint compliance
• BYOD Ready: onboarding; guest management; on-premise and off-premise
• Turnkey: Profiler; firewall integration; MDM/IAM integration; Cloud Secure
Secure Access Portfolio
• Pulse Connect Secure: VPN, endpoint compliance
• Pulse One: centralized management
• Pulse Policy Secure: visibility, NAC
• Pulse Workspace: mobile device access and compliance
• Pulse vADC: application delivery control
[Slide diagram: the four access directions again (Outside-Out, Inside-In, Inside-Out, Outside-In) between users/devices/things and resources, now each covered by a portfolio component.]
• Evolution, not revolution!
• The Pulse Secure solution offers a smooth migration path.
• Existing services can be migrated over time, at the pace that suits each customer.
Secure Access: When ‘Inside’ becomes ‘Outside’
Zero Trust Model
• Authenticate everything before access
• No “inside” or “outside” distinction
• Trust established closest to the resource
• Policy-based access (identity and device configuration)
SDP Architecture - Benefits
1. Simplified user experience
2. Centralized orchestration
3. Dark/black network
SDP Architecture
Software Defined Perimeter (SDP), also called a "Black Cloud", is an approach to computer security which evolved from the work done at the Defense Information Systems Agency (DISA) under the Global Information Grid (GIG) Black Core Network initiative around 2007.
Connectivity in a Software Defined Perimeter is based on a need-to-know model, in which device posture and identity are verified before access to application infrastructure is granted.
Application infrastructure is effectively “black” (a DoD term meaning the infrastructure cannot be detected), without visible DNS information or IP addresses.
How SDP Augments Zero Trust
• Rapid deployment, easy to use
• Significantly reduced threat surface
– Many APTs, malware and DDoS attacks mitigated or eliminated
• Applications and resources rendered “dark”
– Can’t attack what you can’t see
– Reduced malware spread if an attacker gets inside
• Centralized policy deployment
• Scale secure access on demand across apps and resources, regardless of location
Comparing Zero Trust & SDP
Zero Trust Model:
• No “inside” or “outside” distinction
• Authenticate everything before access
• Trust established closest to the resource
• Policy-based access
– Identity and device configuration
– Other attributes
SDP Architecture:
• Centralized authentication
– User, device, apps
• Centralized policy enforcement
– “Control” plane vs “data” plane
• Granular segmentation
– Per-application, per-user, per-device connectivity
• Significantly reduced threat surface
– APTs, malware, DDoS
– Resources “dark”
Pulse Secure Zero Trust
[Slide diagram: employees, guests and IoT devices on the wired and wireless internal network, and remote users entering through the DMZ, reach protected resources, public/private cloud apps and resources, and SaaS. Components shown: Pulse One Manager (policy, assets, states), Pulse Policy Secure with Authentication & PKI on the internal network, the Universal Pulse Client on endpoints, and several Pulse Connect Secure instances in the DMZ.]
Pulse Secure SDP Evolution
[Slide diagram: the same network as the Zero Trust slide (wired and wireless internal network, DMZ, protected resources, public/private cloud apps and resources, SaaS; employees, guests, IoT; Pulse One Manager with policy, assets and states; Pulse Policy Secure; Authentication & PKI; Universal Pulse Client), with SDP roles overlaid: an SDP Controller, an SDP Proxy Gateway, an SDP Client on the endpoint, and an SDP Gateway at each Pulse Connect Secure instance.]
How Pulse Secure’s SDP Helps
• SDP requires authenticate first, connect second
– Establishes trust before the connection is made
– Central authority (“Controller”)
• Bakes access policy into the connection
– Granular access levels (“micro-segmentation”)
– Applies device compliance checks at the same time
• Offers per-application connectivity options
– By user, device, reputation, privileged access, …
Pulse Secure SDP Evolution
[Slide diagram mapping SDP roles onto Pulse Secure products. Control plane: SDP Client (Universal Pulse Client) and SDP Controller (Pulse One). Data plane: SDP Proxy Gateway (Pulse Policy Secure) for the local/branch network; SDP Gateway (Pulse Connect Secure with Pulse vADC) for public cloud and SaaS; SDP Gateway (Pulse Connect Secure) for the private cloud/data center.]
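The SDP description above (need-to-know, identity and posture verified before access, infrastructure “dark”) and the “authenticate first, connect second” points under How Pulse Secure’s SDP Helps describe one protocol shape: a controller on the control plane decides, gateways on the data plane enforce, and nothing reaches a gateway without a controller-issued credential. The following is an added example, not Pulse Secure’s implementation: a Controller that only issues a short-lived, HMAC-signed ticket after identity, posture and per-application policy all pass, and a per-application Gateway that rejects any request lacking a valid ticket bound to that application, user, device and expiry. The controller/gateway shared key, the ticket format, the policy table and all names are assumptions made for illustration.

```python
"""Added example (not Pulse Secure's implementation): the SDP control plane /
data plane split in miniature.  The Controller authenticates the client and
checks posture first; only then does it issue a short-lived HMAC-signed ticket
naming exactly one application (policy baked into the connection).  Each
Gateway is "dark": it answers nothing that is not accompanied by a valid ticket
for its own application, bound to the client's identity and device and to an
expiry.  Key sharing, the ticket format and the policy table are assumptions."""
import base64
import hashlib
import hmac
import json

SHARED_KEY = b"controller-gateway-key-provisioned-out-of-band"   # assumed
TICKET_TTL = 60                                                  # seconds; assumed

# Assumed policy: (user, device) -> applications. One entry per app is the
# "micro-segmentation": a ticket for crm says nothing about intranet.
POLICY = {
    ("alice", "laptop-01"): {"crm", "intranet"},
    ("bob", "phone-07"): {"crm"},
}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class Controller:
    """Control plane: authenticate first, connect second."""
    def __init__(self, key: bytes):
        self.key = key

    def authorize(self, user, device, posture_ok, app, now):
        """Return a signed ticket for `app`, or None.  Without a ticket the client
        gets nothing back, so it never learns whether `app` or its gateway exists."""
        if not posture_ok:
            return None
        if app not in POLICY.get((user, device), set()):
            return None
        claims = {"user": user, "device": device, "app": app, "exp": now + TICKET_TTL}
        body = json.dumps(claims, sort_keys=True).encode()
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return _b64(body) + "." + _b64(tag)

class Gateway:
    """Data plane: one gateway per application; drops anything without a ticket."""
    def __init__(self, key: bytes, app: str):
        self.key, self.app = key, app

    def accept(self, ticket, user, device, now) -> bool:
        if not ticket or "." not in ticket:
            return False                      # unauthenticated probe: silent drop
        body_b64, tag_b64 = ticket.split(".", 1)
        try:
            body, tag = _unb64(body_b64), _unb64(tag_b64)
        except ValueError:
            return False
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False                      # forged or tampered ticket
        claims = json.loads(body)
        return (claims["app"] == self.app     # a ticket for another app is useless here
                and claims["user"] == user
                and claims["device"] == device
                and now < claims["exp"])

def demo(now: int = 1_000_000) -> dict:
    """Constructed scenario; returns the named outcomes instead of printing."""
    ctl = Controller(SHARED_KEY)
    crm_gw = Gateway(SHARED_KEY, "crm")
    intranet_gw = Gateway(SHARED_KEY, "intranet")
    ticket = ctl.authorize("bob", "phone-07", True, "crm", now)
    tampered = ticket.rsplit(".", 1)[0] + "." + _b64(b"\x00" * 32)
    return {
        "probe_without_ticket":    crm_gw.accept(None, "bob", "phone-07", now),
        "crm_with_ticket":         crm_gw.accept(ticket, "bob", "phone-07", now),
        "crm_ticket_at_intranet":  intranet_gw.accept(ticket, "bob", "phone-07", now),
        "ticket_on_other_device":  crm_gw.accept(ticket, "bob", "phone-99", now),
        "expired_ticket":          crm_gw.accept(ticket, "bob", "phone-07", now + TICKET_TTL),
        "tampered_ticket":         crm_gw.accept(tampered, "bob", "phone-07", now),
        "bob_denied_intranet":     ctl.authorize("bob", "phone-07", True, "intranet", now) is None,
        "failed_posture_denied":   ctl.authorize("alice", "laptop-01", False, "crm", now) is None,
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28s} {outcome}")
```

In a deployed SDP the gateway would not even send a rejection for the first six cases; it would drop the packet, which is what makes the gateway “dark” to a scanner. `False` stands in for that drop here. Everything the Gateway needs to decide is inside the ticket, so gateways hold no policy of their own and adding or revoking an application is a controller-side change.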
Pulse Suites: Essentials Edition
• User → App via Pulse Connect Secure
• Access types: Remote Access
Pulse Suites: Advanced Edition
• User → App via Pulse Workspace and Pulse Connect Secure
• Access types: Remote Access, Cloud Access, Mobile Access
Pulse Suites: Enterprise Edition
• User → App via Pulse Workspace, Pulse Connect Secure and Pulse Policy Secure
• Access types: Remote Access, Cloud Access, Network Access, Mobile Access
Pulse Suites: Secure Access Platform
• Users and consumers → App via Pulse Workspace, Pulse vADC, Pulse Connect Secure and Pulse Policy Secure
• Access types: Mobile Access, App Access, Remote Access, Cloud Access, Network Access
• SDP Client on the endpoint and an SDP Gateway in front of each access path
3/22/19
Why Pulse Secure?
• Best of both worlds
– Offers comprehensive Zero Trust today
– SDP when you’re ready
• Leading Secure Access vendor
– Unified client for secure, streamlined access
– Extensive authentication and device compliance
– Centralized, unified policy enforcement and management
• Built for Hybrid IT: mobile, data center, cloud