Secure Access: The world of - HOME | BKM...•BYOD smartphones cause data leakage •Can’t...

Secure Access: The world of Bram De Blander | SE North Region | Pulse Secure


Page 1

Secure Access: The world of

Bram De Blander | SE North Region | Pulse Secure

Page 2

Old World: PC and Datacenter

New World: Hybrid IT

VS

Secure Access

“Off-premise” “Anywhere”

Remote Access

Evolved…

Page 3

• BYOD is here for 85%
• Cloud is an option for 55%
• IoT is coming for 40%

Dialing Up IT Transformation

Sources: IDG Research Services, Gartner, Gartner

Page 4

Customers

Partners

Internet Café

Tablets & Smart Phones

Remote Users

WiFi Users

Office Users

Conference Rooms

Visitors

Unmanaged Devices

Managed Devices

Corporate Data

The need for Secure Access

Off-premise

On-premise

Climate Control (IoT)

Connected Trucks (IoT)

SaaS

Corporate Data

Page 5

INSIDE THE NETWORK: Trusted

OUTSIDE THE NETWORK: Untrusted

Trust

Page 6

Hybrid IT: Challenges Our Customers See

Visibility

• Can’t verify what’s on the corporate network

• Endpoint compliance gaps enable malware, IoT, breach risks

Compliance

• BYOD smartphones cause data leakage

• Can’t consistently apply access protection by role, device, app

User Experience

• Multiple security clients frustrate users (and IT)

• Multiple logins & access points slow down user productivity

Scalability & Reliability

• Load balancing complexity hinders scale

• Unable to dynamically shift access to IT services in emergency

Page 7

Inside

Outside

“Outside-Out”

User/Devices/Things

“Inside-In”

Resources

“Inside-Out”

Resources

User/Devices/Things

“Outside-In”

• Outside-In = Remote Access
• Inside-In = Network Security
• Inside-Out = Firewall?
• Outside-Out = Cloud Security?

Visibility

Enforcement

Unified Policies

Ecosystem

- Fortinet
- Palo Alto Networks
- Check Point
- Juniper

Silos! User Experience! Trust

Secure Access Reality in customer networks

• A: Authentication
• C: Compliancy
• R: Role Based Access

Page 8

Zero Trust Protection Mechanisms

• User Verification
– MFA, Single sign-on via SAML, TOTP (Google Auth)
– Streamline logins & user experience (Office 365)
• Endpoint Assessments (before & during connection)
– Prevent rooted, jailbroken devices connecting
– Quarantine, grant, deny access via device policy
• Access Control & Data protection
– Always-on, on-demand secure connection
– Policy-based split tunneling for corp data
– Provision, configure, wipe mobile devices

Policy Enforcement

Page 9

Avoid unmanaged, insecure endpoints introducing malware and data leakage

Identify and segregate IoT devices on commercial network and factory floor

Extend data center policies and extend SSO with Cloud Secure

Isolate compliance-related infrastructure, e.g., PCI DSS, HIPAA

Enforce NAC-based micro-segmentation

Use SaaS for basic IT services with SSO and uniform access policy

Provide visibility and control with network profiler, RADIUS and network access control

Switch VPN access and policies from data center with cloud-hosted appliances

Move application development and analytics to private and public cloud

Mitigate endpoint exposures, ransomware risks with “comply to connect” and always-on VPN

Zero Trust Use Cases

Page 10

Off premise: Employees, Contractors, and Partners

User Endpoints

Pulse Connect Secure

PSA

Unified Client

• Unified client for VPN and NAC
• Unified policy and enforcement
• Endpoint compliance

BYOD Ready

• Onboarding
• Guest Management
• On-premise & Off-premise

Turnkey

• Profiler
• Firewall Integration
• MDM/IAM Integration
• Cloud Secure

Pulse Secure Ecosystem (MDM, SIEM, IPS, etc.)

User Endpoints

Unmanaged Endpoints (Phones, Printers, etc.)

Pulse Policy Secure

On premise: Employees and Guests

PSA

Switches and WLAN

Firewall (optional L4-L7)

Protected Resources

Federation Services

Pulse One and Pulse Workspace

Pulse Traffic Manager

Secure Access Architecture

Page 11

Secure Access Portfolio

Pulse Connect Secure

VPN, Endpoint Compliance

Pulse One

Centralized Management

Pulse Policy Secure

Visibility, NAC

Pulse Workspace

Mobile Device Access & Compliance

Pulse vADC

Application Delivery Control

Page 12

User/Devices/Things Resources

User/Devices/Things

“Outside-Out”

“Inside-In”

“Inside-Out”

“Outside-In”

• Evolution – Not Revolution!

• Pulse Secure Solution offers a smooth migration path.

• Existing services can be migrated over time at the pace that suits customers.

Secure Access When ‘Inside’ becomes ‘outside’

Page 13

Authenticate everything before access

Zero Trust Model

No “inside” or “outside” distinction

Trust established closest to resource

Policy based access (identity & device configuration)

SDP Architecture - Benefits

Simplified User Experience

Centralized Orchestration

Dark/Black Network


Page 14

SDP Architecture

Software Defined Perimeter (SDP), also called a "Black Cloud", is an approach to computer security which evolved from the work done at the Defense Information Systems Agency (DISA) under the Global Information Grid (GIG) Black Core Network initiative around 2007.

Connectivity in a Software Defined Perimeter is based on a need-to-know model, in which device posture and identity are verified before access to application infrastructure is granted.

Application infrastructure is effectively “black” (a DoD term meaning the infrastructure cannot be detected), without visible DNS information or IP addresses.

Page 15

How SDP Augments Zero Trust

• Rapid deployment, easy to use
• Significantly reduced threat surface
– Many APTs, malware, DDoS attacks mitigated or eliminated
• Applications & resources rendered “dark”
– Can’t attack what you can’t see
– Reduced malware spread if it gets inside
• Centralized policy deployment
• Scale secure access on-demand across apps & resources
– Regardless of location

Page 16

Comparing Zero Trust & SDP

Zero Trust Model

• No “inside” or “outside” distinction
• Authenticate everything before access
• Trust established closest to resource
• Policy-based access
– Identity & device configuration
– Other attributes

SDP Architecture

• Centralized authentication
– User, device, apps
• Centralized policy enforcement
– “Control” vs “data” plane
• Granular segmentation
– Per-application, per-user, per-device connectivity
• Significantly reduced threat surface
– APTs, Malware, DDoS
– Resources “dark”

Page 17

Pulse Secure Zero Trust

Wireless Network

SaaS

Wired Network

Protected Resources

DMZ

Pulse One Manager

Pulse Connect Secure

Pulse Policy Secure

Universal Pulse Client

Guests

Authentication & PKI

Public / Private Cloud Apps and Resources

Employees

IoT

Policy

Assets, States

Internal Network

Pulse Connect Secure

Pulse Connect Secure

Page 18

Pulse Secure SDP Evolution

Wireless Network

SaaS

Wired Network

Protected Resources

DMZ

Pulse One Manager

SDP Controller

Pulse Policy Secure

SDP Proxy Gateway

Universal Pulse Client

SDP Client

Guests

Authentication & PKI

Public / Private Cloud Apps and Resources

Employees

IoT

Policy

Assets, States

Internal Network

Pulse Connect Secure

SDP Gateway

Pulse Connect Secure

SDP Gateway

Pulse Connect Secure

SDP Gateway

Page 19

How Pulse Secure’s SDP Helps

• SDP requires authenticate first, connect second
– Establishes trust before the connection is made
– Central authority (“Controller”)
• Bakes access policy into connection
– Granular access levels (“micro-segmentation”)
– Applies device compliance checks same time
• Offers per-application connectivity options
– By user, device, reputation, privileged access…
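
The “authenticate first, connect second” flow above, as an added sketch that is not Pulse Secure's implementation or code from the deck: a controller verifies the user and the device posture, then issues a short-lived grant bound to one user, device and application, and the gateway drops anything that arrives without a valid grant. The HMAC grant format, the shared key, the policy table and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import time

# Constructed demo values: a real deployment would provision a per-gateway key.
GATEWAY_KEY = b"demo-key-shared-by-controller-and-gateway"
# Hypothetical policy table: which role may reach which application.
POLICY = {"finance": {"erp"}, "engineering": {"git", "wiki"}}
GRANT_TTL = 300  # seconds a grant stays valid


def _sign(payload: bytes) -> str:
    return hmac.new(GATEWAY_KEY, payload, hashlib.sha256).hexdigest()


def controller_issue_grant(user, role, mfa_ok, device, app, now=None):
    """Control plane: verify user and device posture, then authorize one app."""
    now = time.time() if now is None else now
    if not mfa_ok:
        return None  # user verification failed
    if device["rooted"] or not device["compliant"]:
        return None  # endpoint assessment failed
    if app not in POLICY.get(role, set()):
        return None  # role has no need to know this application
    claims = {"user": user, "device": device["id"], "app": app,
              "exp": now + GRANT_TTL}
    payload = json.dumps(claims, sort_keys=True).encode()
    return {"payload": payload, "sig": _sign(payload)}


def gateway_admit(grant, device_id, app, now=None):
    """Data plane: default-drop; admit only a valid, unexpired, matching grant."""
    now = time.time() if now is None else now
    if not grant or not hmac.compare_digest(_sign(grant["payload"]), grant["sig"]):
        return False  # no grant or forged/tampered grant: stay dark
    claims = json.loads(grant["payload"])
    return (claims["exp"] > now and claims["device"] == device_id
            and claims["app"] == app)
```

Because the grant names a single application and device, a client admitted for one resource gets no answer from the gateway for any other, which is the per-application segmentation the slide describes.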

Page 20

SDP Client

Universal Pulse Client

SDP Controller

Pulse One

Control Plane

Data Plane

SDP Proxy Gateway

Pulse Policy Secure

Local / Branch Network

Public Cloud & SaaS

SDP Gateway

Pulse Connect Secure

Pulse vADC

Private Cloud/Data Center

SDP Gateway

Pulse Connect Secure

Pulse Secure SDP Evolution

Page 21

Pulse Suites: Essentials Edition

User

App

Pulse Connect Secure

REMOTE ACCESS

Page 22

Pulse Suites: Advanced Edition

User

Pulse Workspace

App

Pulse Connect Secure

REMOTE ACCESS

CLOUD ACCESS

MOBILE ACCESS

Page 23

Pulse Suites: Enterprise Edition

User

Pulse Workspace

App

Pulse Connect Secure

REMOTE ACCESS

CLOUD ACCESS

Pulse Policy Secure

NETWORK ACCESS

MOBILE ACCESS

Page 24

User

Consumer

App

Pulse Suites: Secure Access Platform

MOBILE ACCESS

APP ACCESS

REMOTE ACCESS

CLOUD ACCESS

NETWORK ACCESS

Pulse Workspace

Pulse vADC

Pulse Connect Secure

Pulse Policy Secure

SDP Gateway

SDP Gateway

SDP Gateway

SDP Gateway

SDP Client

Page 25

3/22/19

Why Pulse Secure?

• Best of both worlds
– Offer comprehensive Zero Trust today
– SDP when you’re ready
• Leading Secure Access vendor
– Unified client for secure, streamlined access
– Extensive authentication and device compliance
– Centralized, unified policy enforcement & management
• Built for Hybrid IT: mobile, data center, cloud
