Zero Trust Security in the Modern Workplace - Everything you need to know
Webinar, 27 Nov 2019
Webinar Speakers
Sandip Kumar Panda, CEO, Co-founder at InstaSafe
Rasool Irfan, Trusted Cyber Security Adviser
3 key takeaways from today’s webinar
1. Gen Z and the Modern Workplace
2. Zero Trust in tomorrow’s business context
3. InstaSafe Zero Trust Security Solutions
Gen Z
• Gen Z (also called iGen or Centennials) were born from 1996 onward
• Gen Z are currently over 23 million in the United States. Within the next five years, they will become the fastest-growing generation in both the workplace and the marketplace
• Gen Z are highly educated, want to make a difference in the world, and are more diverse than Millennials
• Gen Z are not concerned that companies will use their personal online data in a way that could harm them
• Gen Z are mobile first, completely immersed, and must be able to work anytime, anywhere, and via any device
Modern Workplace Ecosystem
[Diagram: Business Drivers, Technology, Services]
• Business drivers: drive innovation, improve productivity, improve collaboration, enable a flexible workforce
• Technology: security, workplace automation, IoT, mobility, smart spaces, UCC (unified communications and collaboration)
• Services: account management, consulting / strategy, application development, end user support, service integrations, service delivery, implementation, reporting, training / awareness, planning / designing
www.instasafe.com
CHALLENGES WITH TODAY’S LEGACY SOLUTIONS / REMOTE ACCESS
• Untrusted hosts are given access to the secure Intranet
• Stolen passwords are used to gain full access to the Intranet (fixed to some extent by 2FA)
• A compromised client can become a bot in a DDoS attack
• Cannot perform granular control of access, i.e. allow access only on a "need-to-know" basis
• Need to back-haul traffic in a multi-DC or hybrid setup (private + public cloud)
• Cannot add remote users to the AD domain or push Group Policies
Operative definition of ‘Zero Trust Architecture’
Zero Trust Architecture provides a collection of concepts, ideas, and component relationships (architectures) designed to eliminate the uncertainty in enforcing accurate access decisions in information systems and services. (This is the wording of the NIST SP 800-207 draft, Zero Trust Architecture.)
Zero Trust Components
[Diagram: core access model. A request from the untrusted side reaches the Resource (system, data or application) on the trusted side only after an access decision]
Zero trust in tomorrow’s business context
[Diagram: the assets Zero Trust has to cover, any place, any time]
• Workplaces: wired desktops, corporate laptops, PCs, tablets, MacBooks, iPads, Chromebooks, smartphones, BYOD, printers / photocopiers, outsourced management, minimal purchases
• Factories: OT systems, plants, manufacturing, critical systems
• Extended network: 3rd-party-owned devices and laptops, partner network, wireless access, access points, smart systems
• Cloud services: SaaS (email, office apps, storage / backup, back office, IAM), IaaS / PaaS (webservers, DevOps, B2C, APIs), ERP, SAP, etc.
• Internet of Things, 5G, IPv6
Zero Trust Network Guiding Principles
• Secure communication regardless of network location
• Make applications invisible to attackers
• User authentication is dynamic and strictly enforced
• Access is granted per user and per session, limited to a single application over a micro-tunnel
• All data sources and computing services are considered resources
• Systems are kept in the most secure state possible and continuously monitored
Zero Trust Components
[Diagram: control plane and data plane]
• Control plane: Policy Engine, Policy Administrator
• Data plane: Policy Enforcement Point, Resource
• Inputs to the policy decision: Continuous Diagnostics and Mitigation systems, compliance systems, threat intelligence, certificates & identity management systems, data access policies, security logging, audit & correlation
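The decision logic of the Policy Engine above, as an added example (not InstaSafe's code or anything from the webinar): every request is judged per user, per device, per session and per application with a default of deny, and an issued session is re-checked on each use so it is revoked when device posture degrades, when it is presented for another application or from another device, or when it expires. The users, devices, applications, posture rules and the SESSION_TTL value are all constructed for the example.

```python
"""Added example (not InstaSafe's code): a minimal Zero Trust Policy Engine.
Identities, devices, APP_POLICY and SESSION_TTL are constructed here."""
from dataclasses import dataclass

SESSION_TTL = 600  # seconds; assumed value, not taken from the page


@dataclass
class Identity:
    user: str
    roles: frozenset
    mfa_verified: bool


@dataclass
class Device:
    device_id: str
    os_patched: bool
    disk_encrypted: bool
    edr_running: bool

    def healthy(self):
        """Device posture, as a CDM/compliance system would report it."""
        return self.os_patched and self.disk_encrypted and self.edr_running


@dataclass
class Decision:
    allow: bool
    reason: str
    session_id: str = ""  # set only when allow is True


# Data access policy (constructed): roles allowed per application and whether
# the application demands an MFA-verified identity.
APP_POLICY = {
    "erp": {"roles": {"finance"}, "require_mfa": True},
    "git": {"roles": {"developer", "devops"}, "require_mfa": True},
    "wiki": {"roles": {"developer", "finance", "contractor"}, "require_mfa": False},
}


class PolicyEngine:
    def __init__(self):
        self.sessions = {}   # session_id -> (user, device_id, app, issued_at)
        self.audit_log = []  # every decision: (time, user, device_id, app, allow, reason)

    def _record(self, now, user, device_id, app, decision):
        self.audit_log.append((now, user, device_id, app, decision.allow, decision.reason))
        return decision

    def evaluate(self, identity, device, app, now):
        """Initial access decision; anything not explicitly allowed is denied."""
        policy = APP_POLICY.get(app)
        if policy is None:
            d = Decision(False, "unknown application")
        elif not device.healthy():
            d = Decision(False, "device posture failed")
        elif policy["require_mfa"] and not identity.mfa_verified:
            d = Decision(False, "MFA required")
        elif not (identity.roles & policy["roles"]):
            d = Decision(False, "role not permitted for application")
        else:
            sid = f"{identity.user}:{device.device_id}:{app}:{int(now)}"
            self.sessions[sid] = (identity.user, device.device_id, app, now)
            d = Decision(True, "allowed", sid)
        return self._record(now, identity.user, device.device_id, app, d)

    def check_session(self, session_id, device, app, now):
        """Continuous verification of an issued session on every use."""
        entry = self.sessions.get(session_id)
        if entry is None:
            return self._record(now, "?", device.device_id, app, Decision(False, "no such session"))
        user, device_id, sess_app, issued = entry
        if app != sess_app:
            d = Decision(False, "session is scoped to another application")
        elif device.device_id != device_id:
            self.sessions.pop(session_id)
            d = Decision(False, "session bound to a different device")
        elif now - issued > SESSION_TTL:
            self.sessions.pop(session_id)
            d = Decision(False, "session expired")
        elif not device.healthy():
            self.sessions.pop(session_id)
            d = Decision(False, "device posture failed; session revoked")
        else:
            d = Decision(True, "session valid", session_id)
        return self._record(now, user, device.device_id, app, d)


def run_scenario():
    """Drive a constructed set of requests through the engine; returns the decisions."""
    pe = PolicyEngine()
    t0 = 1_700_000_000.0
    alice = Identity("alice", frozenset({"developer"}), mfa_verified=True)
    laptop = Device("lap-01", os_patched=True, disk_encrypted=True, edr_running=True)
    bob = Identity("bob", frozenset({"contractor"}), mfa_verified=False)
    phone = Device("byod-07", os_patched=True, disk_encrypted=True, edr_running=True)
    r = {}
    r["alice_git"] = pe.evaluate(alice, laptop, "git", t0)
    # Same session presented for a different app: denied (per-app scope).
    r["reuse_for_erp"] = pe.check_session(r["alice_git"].session_id, laptop, "erp", t0 + 5)
    # EDR stops mid-session: the next check revokes the session.
    laptop.edr_running = False
    r["after_posture_drop"] = pe.check_session(r["alice_git"].session_id, laptop, "git", t0 + 10)
    # Contractor without MFA on a healthy BYOD device: wiki allowed, git denied.
    r["bob_wiki"] = pe.evaluate(bob, phone, "wiki", t0)
    r["bob_git"] = pe.evaluate(bob, phone, "git", t0)
    # A valid session still expires after SESSION_TTL.
    r["expired"] = pe.check_session(r["bob_wiki"].session_id, phone, "wiki", t0 + SESSION_TTL + 1)
    r["audit_entries"] = len(pe.audit_log)
    return r
```

In a real deployment the Policy Enforcement Point would call `check_session` on every forwarded request and the Policy Administrator would tear down the micro-tunnel as soon as a deny comes back; the audit log is what the "security logging, audit & correlation" input consumes.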
Framework to adopt Zero Trust in Modern Workplace
Plan / Execute:
1. Define vision and strategy
2. Design Zero Trust in the Modern Workplace
3. Security service and technology selection
4. Security management
5. Continuous improvement
Market Demand for Zero Trust Access
Market Pains:
• Traditional application access solutions (e.g. VPNs) do not meet the needs of modern enterprises: cloud applications, mobile workforce, 3rd party access
• Attackers target vulnerabilities in the access technology itself to enter corporate networks
Software Defined Perimeter (SDP):
• Allows secure and flexible access to cloud and on-prem applications
• Leverages the principles of Zero Trust access
• Trust is continuously verified; access is limited
Gartner predictions:
• By 2022, 80% of new digital business applications opened up to ecosystem partners will be accessed through zero trust network access (ZTNA).
• By 2023, 60% of enterprises will phase out most of their remote access virtual private networks (VPNs) in favor of ZTNA.
• By 2023, 40% of enterprises will have adopted ZTNA for other use cases described in this research (Gartner, Market Guide for Zero Trust Network Access).
InstaSafe Zero Trust Security Solutions
Gartner – Zero Trust Network Access
Zero trust network access replaces traditional technologies, which require companies to extend excessive trust to employees and partners to connect and collaborate. Security and risk management leaders should plan pilot ZTNA projects for employee/partner-facing applications.
“… SDPs will become a mainstream approach of enterprises …….”
InstaSafe named by Gartner as a Representative Vendor in the report Market Guide for Zero Trust Network Access
INSTASAFE SECURE ACCESS
Venture backed | India & USA | 100+ customers with global footprints | 4-time CIO Choice awardee
“Restricting users only to the resources they need to perform their job” and continuously monitoring their activities.
The True “Zero Trust” Secure Access Solution
Existing Approaches—Securing Access to the Cloud
[Diagram: DMZ and VPN]
Complex
• Increased time to market
• Cumbersome and confusing user experience
• Maintain agents / appliances
Insecure
• Lateral movement around the entire network
• Increased network attack surface
• Compliance readiness failure
Expensive
• High infrastructure and licensing costs
• Duplication required
• High operational costs
VPNs, firewalls, & DMZs—not up to the challenge
Our Approach—Securing Access to the Cloud
Zero Trust-based secure application access
[Diagram: employees on personal devices, customers, partners and contractors reach applications through the Zero Trust access layer]
How It Works
Zero Trust-based application access
[Diagram: users (employee, affiliate, chain partner, contractor, B2B partner, B2C customer) reach application servers through the ISA Controller, with contextual prevention in the path]
• Deploy connectors and connect them to the Secure Access Cloud
• Authenticate the user and validate device health
• Point-to-point access at the application layer
• Monitor and log activities
Anyone to anywhere – simple and secure app access
Deploy in Minutes
Cloud Alternative to Traditional Access Methods
[Diagram: connectivity direction, traditional DMZ compared with ISA SDP]
• Traditional DMZ—Connected via the Network: users arrive over Internet/MPLS and pass through a proxy, SSL VPN, bastion or jump host in the corporate DMZ before reaching applications, services and workloads in AWS/Azure/Google/On-Prem
• InstaSafe Secure Access—SDP-based Cloud Native Connectivity: users on the Internet and the applications, services and workloads in AWS/Azure/Google/On-Prem each connect to the ISA SDP, which brokers the session between them
Superior Architecture Improves Security
[Diagram: HTTPS from the user to a reverse proxy, HTTPS from the reverse proxy to the application; TLS connectivity on both legs]
• Indirect HTTPS connections are established between users and applications using a reverse proxy
• Authenticated devices never gain direct access to the application server or network
• Application servers are not directly exposed to OS or SSL/TLS vulnerabilities such as Heartbleed, because client connections terminate at the proxy rather than at the application
• Policies can govern specific user actions and prevent data exfiltration
No direct connection to the application
Alternative Approach
• Uses a (VPN-like) endpoint client to connect users to applications through the cloud
• Authenticated users requesting access gain direct layer 4 access to the application server
• This approach exposes applications to network-based attacks, such as exploitation of OS or TLS vulnerabilities, from malicious or infected users
Direct connectivity to the application server and network
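The reverse-proxy design above, as an added example (not InstaSafe's code): a proxy acts as the Policy Enforcement Point, checks the session token and fetches the page from the application on the client's behalf, so an unauthenticated or forged request never touches the backend and the backend only ever sees requests from the proxy. Plain HTTP on 127.0.0.1 stands in for the two HTTPS legs of the diagram; the session store, the backend content and the `/payroll` path are constructed for the example.

```python
"""Added example (not InstaSafe's code): a reverse-proxy Policy Enforcement
Point in front of an application server. The session store and backend
content are constructed; plain HTTP on loopback replaces the two HTTPS legs."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed session store: bearer token -> authenticated user.
VALID_SESSIONS = {"tok-alice-lap01": "alice"}


class QuietHandler(BaseHTTPRequestHandler):
    def _reply(self, status, body=b""):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


class AppHandler(QuietHandler):
    """Protected application. Records every request that actually reaches it."""
    hits = []

    def do_GET(self):
        AppHandler.hits.append((self.headers.get("X-Authenticated-User"), self.path))
        self._reply(200, b"payroll data")


def make_proxy_handler(backend_port):
    class ProxyHandler(QuietHandler):
        """The PEP: authenticate first, then fetch upstream on the user's behalf."""

        def do_GET(self):
            auth = self.headers.get("Authorization", "")
            user = VALID_SESSIONS.get(auth[7:]) if auth.startswith("Bearer ") else None
            if user is None:
                self._reply(401)  # rejected here; the backend never sees it
                return
            # A fresh upstream request: the client's own headers (including its
            # token) are not forwarded, only the identity the proxy vouches for.
            upstream = urllib.request.Request(
                f"http://127.0.0.1:{backend_port}{self.path}",
                headers={"X-Authenticated-User": user})
            with urllib.request.urlopen(upstream, timeout=5) as resp:
                status, body = resp.status, resp.read()
            self._reply(status, body)
    return ProxyHandler


def _serve(handler):
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)  # ephemeral port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(port, path, token=None):
    """Client side: GET through the proxy, returning (status, body)."""
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    req = urllib.request.Request(f"http://127.0.0.1:{port}{path}", headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b""


def run_demo():
    """Start backend and proxy, send three requests, report what the backend saw."""
    AppHandler.hits.clear()
    backend = _serve(AppHandler)
    proxy = _serve(make_proxy_handler(backend.server_address[1]))
    port = proxy.server_address[1]
    try:
        return {
            "no_token": fetch(port, "/payroll"),
            "forged_token": fetch(port, "/payroll", "tok-forged"),
            "valid_token": fetch(port, "/payroll", "tok-alice-lap01"),
            "backend_hits": list(AppHandler.hits),
        }
    finally:
        for server in (proxy, backend):
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

Of the three requests only the one with a valid session reaches the application, and it arrives carrying the identity the proxy asserted rather than the client's token. In production the backend would accept connections only from the proxy's address (or over mutual TLS), which is what makes "no direct connection to the application" hold against a client that tries to bypass the proxy.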
Key Enterprise Use Cases
Applying Zero Trust access to secure corporate applications
• Secure access for DevOps: simple and secure access for dev environments
• Secure access to corporate apps migrating to IaaS: reduces complexity while improving security
• Secure access for 3rd party users, M&A, & BYOD: allows the modern workforce to work from anywhere
Secure Access to applications hosted in AWS for Remote users
I need to:
• Provide a secure, simple and easy way for my users and contractors to access corporate applications distributed across the AWS cloud and on-premises without switching agents
• Provide application access for BYOD (unmanaged) devices without data leaks
• Mitigate credential sharing and device switching between users
• Authenticate the user and the user's device before granting access to the application
• Integrate MFA to satisfy compliance and security needs
• Support all user devices and operating systems
• Provide rule- and role-based access
• Maintain all access logs: which user accessed which application, and at what time
• Eliminate complexities in managing secure access
Provide Zero-Trust access to cloud and on-premises applications while reducing complexity
Multi Cloud Peering
[Diagram: DevOps, IaaS, on-premises]
I need to:
• Provide secure and economical access for workloads distributed across AWS, Azure and GCP
• Make my applications invisible from the Internet
• Bring these connections live quickly
• Have proper monitoring for the connections, and HA, in place
• Mitigate the risk of network-based attacks
Provide Zero-Trust while reducing complexity
Site to Cloud Peering
[Diagram: IaaS, on-premises]
I need to:
• Provide secure and economical access between AWS workloads and on-prem
• Isolate my ERP (SAP, Oracle, ...) APIs on a private network so that they can be used only by the web application hosted in AWS
• Be independent of the ISP and the public network
Provide Zero-Trust access to cloud and on-premises
Encrypted Peering
I need to:
• Encrypt the application traffic between my two intra-zone VPCs and between inter-cloud VPCs, as compliance requires
• Define granular policies and control over application traffic
• Make my applications invisible from the Internet, without exposing applications over the public network
Provide encryption for compliance & risk management
[Diagram: DevOps]
Secure Access for 3rd Parties & BYOD
I need to:
• Support the needs of the modern workforce using BYOD devices while working from anywhere
• Let 3rd parties access corporate applications without exposing my network
• Account for identity, device posture and sensitivity of resources when providing application access
Securely let 3rd parties (e.g. suppliers and partners) and BYOD devices access corporate applications
[Diagram: contractor, BYOD]
Secure Access for DevOps Managing Development and Production Environments
I need to:
• Allow DevOps staff to securely access multiple cloud environments from anywhere
• Dynamically provision and deprovision access to VMs, PaaS and IaaS environments
• Keep a full audit trail of DevOps actions in cloud environments
Give DevOps teams agile access to cloud environments without compromising security
[Diagram: DevOps]
Solution: InstaSDP’s simple, elastic, Zero Trust-based Software Defined Perimeter
Leading Retail conglomerate Digital Transformation Journey
What we did: deployed InstaSafe Gateway, InstaSafe Controller and InstaSafe User Agent
Problem: complexity, increased attack surfaces, hardware boxes, scalability, cost, maintenance
Result: SaaS delivered, simple dashboard, cost reduced, easily scalable, security enhanced, infrastructure blackened (not discoverable from the Internet)
VPN vs InstaSafe SDP
[Table: legacy VPN compared with InstaSafe SDP on the following criteria]
• Zero Day Protection
• DDoS Prevention
• User Experience
• Security
• Visibility and Control
• Scalability
• IT Support
• Network Monitoring
• Proxy Server
• Firewall
• Cost
Up to 70% reduction in TCO, InstaSafe compared to legacy VPN
Experience: Zero Trust @ InstaSafe
Proof of Value Projects:
• DevOps access: development environment; RDP or SSH access
• Corporate application access: migration projects / apps; hybrid IaaS or on-premises
• BYOD & 3rd party access: select users / vendors; select applications; select devices
One of the top pilots enterprises should budget for in 2019*
You will see:
• Simple & flexible solution
• Ease of deployment / use; no agent required
• Zero-Trust access to corporate applications
*Zero Trust Is an Initial Step on the Roadmap to CARTA - 12/18
Try Now
End-to-end secure path to cloud migration
Q&A
Thank You