A Better Approach to Network Security


You Need Adaptive, Identity-Based Network Security

Traditional network security was not designed for today's IT: the enterprise perimeter no longer exists

The network perimeter has dissolved. IT has become hybrid and diversified. Traditional network security solutions – firewalls, VPNs, VLANs, Network Access Controls (NAC) – are not equipped to support today’s IT reality. 



Why we need a new approach to network access and security


20 years ago, applications sat on servers in one room. Access control was a perimeter enforced by a simple firewall sitting between the outside world and those servers, filtering on IP addresses. Effective, as long as everything stayed in one place.

As cloud computing, mobile and unmanaged endpoints become the norm, information security technical controls must become virtual, that is, software-based. The days of physical perimeters and hardwired network architectures are rapidly disappearing.

Today, applications reside in globally distributed public clouds, on third-party managed hosting platforms, in corporate data centres and in colocated data centres. Users are mobile and distributed.

The perimeter has dissolved. We need to re-establish the security perimeter back where it belongs, with the user.


Common network attacks

Server exploitation (under constant attack):
  • Misconfigurations
  • Vulnerabilities
  • Injections
  • Denial of Service

Credential theft (¾ per the Verizon DBIR):
  • Phishing
  • Keyloggers
  • Brute force

Connection hijacking (the stealthiest):
  • Man-in-the-Middle
  • Certificate forgery
  • DNS poisoning

 

The SDP gateway approach mitigates the threats above and makes organisations more secure without losing the agility that cloud and mobility offer. SDP is inspired by the military's classified, "need to know" network access model.




Solutions & Benefits

  • Provide the business with assurance that security requirements are met before a connection is made.
  • Address network / application access challenges for on-premise and hybrid environments.
  • Protect high-risk data.
  • Reduce your attack surface by 98%.
    • Prevent malware like WannaCry from spreading to other devices / systems.
  • Traditional firewalls and VPNs are no longer suitable for today's business and IT practices.
    • Firewall rule sets are maxing out and are cumbersome to maintain and keep up to date, leaving too much room for human error.
  • Reduce firewall rule management sets by 90%.
  • Restrict visibility of sensitive infrastructure at the network level, e.g. PCI and R&D zones.
  • Reduce port scan results from penetration tests.
  • Simplify audits and compliance.
  • Single solution for managing user access across on-premise, cloud and hybrid environments.
  • Dynamic / intelligent / adaptive / granular access control.
  • Live scanning / real-time risk-based authentication that takes into account the context and posture of the user (role, time, location, device state) prior to network access.
  • Protect your data in the cloud, where the service provider is not trusted.
  • Reduce operational and network complexity and improve business process management when providing access to resources.
  • Handle security in virtual server environments / cloud services: prevent lateral movement (addresses PCI DSS compliance).
  • Add value to existing technology / security investment (bolster current capabilities).
  • Reduce costs by consolidating multiple point solutions and enhance value from existing technologies.
  • Protect reputation.

Enable Business Agility





New Approach to Network Security: Software-Defined Perimeter

The Software-Defined Perimeter is a security architecture developed by members of the Cloud Security Alliance. By starting from zero trust, it achieves application segmentation, eliminates a wide variety of intermediate attack vectors and delivers greater overall security.

  • Secure your network
  • Built-in authentication
  • Least privilege access granted only
  • Hide network resources from unauthorised or unauthenticated users
  • All access is encrypted; end-to-end between user, networks, apps, files, data
  • Dynamically creates one-to-one network connections between users and the resources they access.
  • Addresses the perimeter-less enterprise.
  • Everything else is invisible including the system itself.
  • Every access attempt is tracked, logged for audit reporting and suspicious behaviour alerting.
The SDP solution ensures that all endpoint devices attempting to access a given infrastructure (office network, datacentre, cloud-based...) are authenticated and authorised prior to being able to access any resources on the network. All unauthorised network resources are made inaccessible. This not only applies the principle of least privilege to the network, it also reduces the attack surface area by hiding network resources from unauthorised or unauthenticated users.

SDP overcomes the constraints of traditional tools by creating an individualised perimeter for each user: a protected, tunnelled connection from the user to their allowed resources, with no visibility of anything else and no ability to reach or infect anyone else. Access in and out is based on the user's identity, device profile, location and authentication method.

In summary, users obtain the access needed to be productive, controlled by a simple set of policies, thereby reducing the workload on security and network teams.


As shown in the diagram above, the SDP dynamically creates individualised network segments for each user, based on attributes such as their identity, device profile, location, and authentication method. Users obtain all the access they need to be productive, while access is automatically controlled by a simple set of policies, reducing the workload on security and network teams.




Designed around the user.

Authorisation based on identity.



Built like cloud, for cloud.

Distributed, scalable and resilient



Zero trust model

Authentication before connection




Authentication is key

Anyone attempting to access a resource must authenticate first. All unauthorised resources are invisible. This applies the principle of least privilege to the network, which is the basis of the zero trust model, and it shrinks the attack surface to the resources each user is entitled to.

 





Access is identity and context sensitive

Secure, encrypted connection between user and resource

Unauthorised resources are completely invisible

Eliminates lateral movement on the network

Built like the cloud - massively scalable, distributed & resilient

Fine-grained access control



How it works


The Software-Defined Perimeter (SDP) architecture is made up of three main components:
1. A Client – runs on each user's device.

2. A Controller – where users authenticate, policy is applied and users are evaluated. The controller issues tokens granting each user their individualised network entitlements.

3. A set of Gateways – brokers that handle access to protected resources.

Users and their devices are validated with multi-factor authentication. User and device context are included in the controller’s evaluation. Once a user obtains their entitlements from a controller, network traffic to the protected resources is encrypted and tunneled between the device and the corresponding SDP Gateway. 


Access to protected resources remains transparent to the user; however, every access is logged for compliance and auditing purposes. Access policies determine which users can access which services on which servers.
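The exchange between the three components, as an added example that is not part of the original page or any vendor's product code: a Python model in which the controller checks two factors and issues an HMAC-signed entitlement token bound to the authenticating device, and the gateway admits only connections that present a valid token for an entitled resource, silently dropping everything else so the resource stays invisible to an unauthenticated probe. The shared key, the user directory and the static group-to-resource policy are constructed assumptions.

```python
"""Minimal model of the three SDP components: Client (the caller), Controller
(authenticates, evaluates policy, issues tokens) and Gateway (brokers access).
Constructed illustration; not a real SDP product's code."""
import base64
import hashlib
import hmac
import json
import time

# Assumption: controller and gateways share this key, distributed out of band.
CONTROLLER_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed directory: password hash, a second factor, group membership.
USERS = {
    "alice": {"pw_hash": hashlib.sha256(b"correct horse").hexdigest(),
              "mfa_code": "123456", "groups": ["finance"]},
}

# Constructed policy: group -> resources (host:port) that group may reach.
POLICY = {
    "finance": ["erp.internal:443", "fileshare.internal:445"],
    "eng": ["git.internal:22"],
}

AUDIT_LOG = []  # every gateway decision is recorded here


def _sign(payload: bytes) -> str:
    return hmac.new(CONTROLLER_KEY, payload, hashlib.sha256).hexdigest()


def controller_issue_token(user, password, mfa_code, device_id, ttl=300):
    """Authenticate with two factors, evaluate policy and return a signed
    token, or None. The token is bound to the device that authenticated."""
    rec = USERS.get(user)
    if rec is None:
        return None
    pw_ok = hmac.compare_digest(rec["pw_hash"],
                                hashlib.sha256(password.encode()).hexdigest())
    mfa_ok = hmac.compare_digest(rec["mfa_code"], mfa_code)
    if not (pw_ok and mfa_ok):
        return None
    entitlements = sorted({r for g in rec["groups"] for r in POLICY.get(g, [])})
    claims = {"sub": user, "dev": device_id, "ent": entitlements,
              "exp": int(time.time()) + ttl}
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    return body + "." + _sign(body.encode())


def gateway_verify(token, device_id, now=None):
    """Return the claims if the token is authentic, unexpired and presented
    by the device it was issued to; otherwise None."""
    try:
        body, sig = token.split(".")
    except (ValueError, AttributeError):
        return None
    if not hmac.compare_digest(_sign(body.encode()), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    if claims["exp"] < now or claims["dev"] != device_id:
        return None
    return claims


def gateway_connect(token, device_id, resource, now=None):
    """Broker one connection: 'connected', 'denied' or 'dropped'. A probe
    without a valid token is dropped without reply, so the resource stays
    invisible to port scans; an entitled user reaching outside their
    entitlements is 'denied', which is the event worth alerting on."""
    claims = gateway_verify(token, device_id, now)
    if claims is None:
        AUDIT_LOG.append({"dev": device_id, "res": resource, "result": "dropped"})
        return "dropped"
    result = "connected" if resource in claims["ent"] else "denied"
    AUDIT_LOG.append({"sub": claims["sub"], "dev": device_id,
                      "res": resource, "result": result})
    return result


if __name__ == "__main__":
    tok = controller_issue_token("alice", "correct horse", "123456", "laptop-1")
    print(gateway_connect(tok, "laptop-1", "erp.internal:443"))   # connected
    print(gateway_connect(tok, "laptop-1", "git.internal:22"))    # denied
    print(gateway_connect(tok, "laptop-2", "erp.internal:443"))   # dropped
```

A deployed SDP would use an asymmetric signature or a short-lived client certificate so that gateways verify without holding an issuance secret; the HMAC keeps the verification step visible. Note the three distinct outcomes: an authenticated user asking for something outside their entitlements is a logged "denied" event, while an unauthenticated, expired or device-mismatched request gets no response at all.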


Adaptive, Context-Aware Policy-Based Access

Grant access only based on identity. Dynamically manages access by considering the person, the environment and the infrastructure.




Authenticates based on the individual:
  • User device
  • Anti-virus
  • Department
  • Group membership
  • App permissions
  • Custom attributes

Dynamically manages access based on individual user and environmental factors:
  • Location
  • Time
  • Security posture
  • Custom attributes

Also considers infrastructure or organisational changes:
  • Network analytics
  • Security groups
  • Tags
  • Hostnames
  • Custom attributes
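As an added example (not the page's or any vendor's policy engine), the following Python shows how the three attribute groups above combine into one dynamic decision: rules grant access to infrastructure tags rather than hostnames, so newly tagged hosts are covered without rule changes; every condition on department, group, device posture, location and working hours must hold; and re-evaluating the same user under a different context yields different entitlements. The inventory, the rule format and the sample users are constructed.

```python
"""Context-aware entitlement evaluation over identity, environment and
infrastructure attributes. Constructed illustration, not a product's policy
language."""
from datetime import datetime

# Constructed inventory: hosts carry tags / security groups, so a rule can
# name a tag and automatically follow hosts that are added or re-tagged.
INVENTORY = {
    "erp.internal": {"tags": {"finance", "pci"}},
    "cardvault.internal": {"tags": {"pci"}},
    "wiki.internal": {"tags": {"general"}},
    "remediate.internal": {"tags": {"remediation"}},
}

# Constructed rules: every 'require' condition must hold for the grant to
# apply, so entitlements change as posture, location or time change.
RULES = [
    {"grant": "general", "require": {"av_running": True}},
    {"grant": "finance", "require": {"av_running": True, "department": "finance"}},
    {"grant": "pci", "require": {"av_running": True, "department": "finance",
                                 "group": "pci-admins", "office_hours": True,
                                 "location": "office"}},
    # A device failing posture is steered to a remediation host only.
    {"grant": "remediation", "require": {"av_running": False}},
]


def derive_context(user, device, env):
    """Flatten identity, device posture and environment into the attribute
    set the rules test. 'office_hours' is derived from the request time."""
    t = datetime.fromisoformat(env["time"])
    return {
        "department": user["department"],
        "groups": set(user["groups"]),
        "av_running": device["av_running"],
        "location": env["location"],
        "office_hours": t.weekday() < 5 and 8 <= t.hour < 18,
    }


def rule_matches(rule, ctx):
    """True when every required attribute holds ('group' tests membership)."""
    for key, want in rule["require"].items():
        if key == "group":
            if want not in ctx["groups"]:
                return False
        elif ctx.get(key) != want:
            return False
    return True


def evaluate(user, device, env):
    """Return the sorted hostnames this user may reach in this context;
    hosts with no matching tag are simply absent, i.e. invisible."""
    ctx = derive_context(user, device, env)
    granted = {r["grant"] for r in RULES if rule_matches(r, ctx)}
    return sorted(h for h, meta in INVENTORY.items() if meta["tags"] & granted)


if __name__ == "__main__":
    alice = {"department": "finance", "groups": ["pci-admins"]}
    laptop = {"av_running": True}
    print(evaluate(alice, laptop, {"location": "office", "time": "2024-03-05T10:00:00"}))
    print(evaluate(alice, laptop, {"location": "home", "time": "2024-03-05T10:00:00"}))
    print(evaluate(alice, {"av_running": False},
                   {"location": "office", "time": "2024-03-05T10:00:00"}))
```

The controller would run this evaluation at every connection request and again whenever an attribute changes (anti-virus stops, the user moves off-site, a host is re-tagged), and the resulting host list is what the gateway enforces; tagging PCI hosts rather than listing them is what keeps the rule set small as the estate grows.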



Zero Trust Network Security

Treats network access on a zero trust or “need-to-know” basis. It makes the application / server infrastructure effectively “invisible.”


Eliminate Threats by Reducing the Attack Surface


Reduce the attack surface by hiding network resources from unauthorised users.


Contact SecureNet Consulting today for solutions advice, engineering, support, professional services and proof of concept resources for adaptive, identity-based network security solutions.




+44(0)7714 209927


info@securenetconsulting.co.uk

http://eepurl.com/GKx25
https://www.linkedin.com/in/paul-rummery-0b89535
https://plus.google.com/116898209106255177774
https://www.facebook.com/pages/SecureNet-Consulting/188102854572105