Protecting High-Value Applications:
A New Approach
John Westerman
MISSION
WE SECURE THE 80% OF THE DATA CENTER AND CLOUD THE PERIMETER MISSES
PRODUCTS & CUSTOMERS
• Pushed 14 versions in 22 months while in stealth (January 2013–October 2014)
• Stealth-mode engagement with 100 global enterprises
• Launch customers:
FUNDING
$142.5M from Andreessen Horowitz, General Catalyst (Steve Herrod, former CTO of VMware), Formation 8, BlackRock, Accel Partners, DCVC, John Thompson, Marc Benioff, Jerry Yang, and others
TEAM
Leadership team from: VMware, Cisco, Nicira, McAfee, Juniper, Riverbed, and Ruckus
November 2014: John Thompson (Chairman of MSFT) joins Illumio Board
Distributed & Dynamic
Today’s Security Challenges
Traditional Data Center
Firewall
Strictly Confidential
Problem #1: Anywhere on Anything
Problem #2: Speed, Agility & DevOps
Problem #3: Surface Area of Attack
Moving Toward Infinite Attack Surface
MAIN FRAME: 1M Users
PC: 1B+ Users
MOBILE / CLOUD: 200B+ Users
INTERNET OF THINGS: ?
Billions have been spent on cyber security over the last 10 years and yet…
[Figure labels: Retail, Financial, Healthcare, Technology, Government; Organized Crime, Nation States; 2005, 2009, 2013]
…today’s leading security technologies are failing.
The Reality
86% of CIOs and execs don’t believe they can keep pace with attackers over the next five years. (Source: Wall Street Journal)
Safeguard high-value applications
Meet compliance requirements
Secure big data apps
Security Today
Computing is beyond a human’s ability to manage
Illumination
“Insanity: doing the same thing over and over again and expecting different results.” —Albert Einstein
Are we doing this with our cyber security?
Enter Adaptive Security
For security to be adaptive…
1. Granular Discovery & Visualization
2. Multi-Dimensional Policy Model
3. Continuous Policy Computation & Enforcement
4. API Driven
5. Infrastructure Aware
6. Operationally Sound
Illumio Adaptive Security Platform (ASP)™
Security Delivered in Any Environment
Virtual Enforcement Node (VEN)
• Antenna installed or “baked in” to image
• Linux & Windows
Policy Compute Engine (PCE)
• “Central Brain”
• Consumed via cloud or on premises
[Diagram labels: Workloads, Data Center, Context & Telemetry, Security Policy]
Today’s Policy = Networks & IPs
(Static Policy Driven by Manual Change)
• Segmentation
• Enforcement
• Security Policy
• Access Controls
[Diagram labels: Dev, Test, Prod; Web Tier, App Tier, Database Tier; Firewalls; Subnet / VLAN Zone #1, Zone #2, Zone #3]
Step 1: R-A-E-L Labels
• R = Role
• A = Application
• E = Environment
• L = Location / Geo
Role: 3 Roles (Web Tier, App Tier, Database Tier)
Application: ERP
Environment: ERP / Prod
Location: ERP / Prod / US
Step 2: Relationships = Policy
(Only Two Policy Statements)
ERP / Prod / US
• Web → App
• App → DB
• Whitelist Model
[Diagram labels: Web Tier, App Tier, Database Tier]
Policy for Every Workload
ERP / Prod / US
[Diagram labels: Workloads, Data Center, Computing, Security Policy; Web Tier, App Tier, Database Tier]
Step 3: First Provision
ERP / Prod / US
Security Policy Provisioned to Every Workload
[Diagram labels: Workloads, Data Center; Web Tier, App Tier, Database Tier]
Step 4: Adapts to Change
(Automatic)
ERP / Prod / US
[Diagram labels: Workloads, Data Center; Web Tier, App Tier, Database Tier]
Abstracting Policy
• Decouple network dependencies
• Write policy in natural language
• Apply policy with a single click
[Diagram labels: Web, Application, Database]
Illumio ASP: Services
Enforcement
• Enforce policy anywhere: data center, private & public cloud
• Adapt to changes through continuous policy computation
• Write policies in natural language; labels & relationships
SecureConnect
• Encrypt data-in-motion between any workloads or entire applications
• Enable policy-driven encryption anywhere
• Create on-demand IPsec connections
Illumination
• Understand & visualize applications & workload relationships
• Model & test security policies
• Identify & alert on threats behind the firewall
Enforcement, Encryption, and Full Visibility
RINGFENCING HIGH-VALUE
APPLICATIONS
Ringfencing High-Value Applications (HVAs)
• Mitigating Risk for HVAs
• Meeting Compliance Requirements
• Securing Big Data Applications
Common Challenges of Ringfencing High-Value Applications:
• Re-segmenting or changing the network (e.g., VLANs, zones) is difficult and takes time
• Cost of ringfencing with firewalls and network is exorbitant
• Cannot segment applications in the cloud; no control over the network
Illumio Adaptive Security Platform
MITIGATING RISK FOR HVAS
Step 1: Install VEN on Workloads
• Illumio ASP VEN learns all processes, services and flows and gives information to the PCE
• Illumio ASP PCE takes all VEN information from all workloads and automatically “visualizes” workload interactions
• Illumio ASP draws a network map in real time.
Step 2: Label Application and Workloads
• Label the application and the individual workloads
• Traffic lines turn red to show that flows are not currently governed by policies
[Diagram label: Production]
Step 3: Write Natural-Language Rules
Asset Management Production Policy
Scope
  Application:  Asset Management
  Environment:  Production
  Location:     EU
Rules
  Providing Entities | Service      | Consuming Entities
  Web                | All Services | Any
  All Workloads      | All Services | All Workloads
The Application is now “Ringfenced”
Thank You
www.illumio.com