Zero Trust At The Edge
김현철, Akamai Korea
www.cloudsec.com
Cloud Migration: the process of moving the IT assets that the business depends on (applications, data, infrastructure, etc.) into a cloud environment.
Drivers: implementing hybrid cloud; implementing multi-cloud security; supporting peak-traffic scaling; global expansion of enterprise applications.
Traditional security model (corporate network diagram)
The traditional trust model: the perimeter network is Not Trusted, the internal network is Trusted.
Diagram labels: Internet; external users; external firewall; external DMZ with HWLB and web servers (domain-bound servers, ports 53 and 443); firewall; internal DMZ with Front End and Index, Query, Application and Central Administration servers; Active Directory; SQL server; Intranet; internal users.
Changing environment
Same diagram as the traditional trust model (perimeter Not Trusted, internal Trusted), but SaaS and IaaS have been added outside the perimeter, and both internal users and external users now appear on both sides of the firewall.
Changing environment
Cloud adoption keeps expanding: the data center is joined by several IaaS and SaaS environments (#1 to #5 in the diagram), and a consistent security policy has to be applied across all of them.
Moving to Edge Cloud security: traditional security versus Edge Cloud security.
Moving to a Zero Trust model
In the zero trust model both the perimeter network and the internal network are Not Trusted (same diagram as before: Internet, SaaS, IaaS, external and internal users on both sides, external firewall, DMZs, HWLB, web servers on ports 53 and 443, Front End, Index/Query/Application/Central Administration servers, Active Directory, SQL server, Intranet).
Zero Trust is the new approach. Key principles:
- The network is always assumed to be hostile.
- External and internal threats exist on the network at all times.
- Network locality is not sufficient for deciding trust in a network.
- Every device, user, and network flow is authenticated and authorized.
- Policies must be dynamic and calculated from as many sources of data as possible.
Zero Trust starting point
Users and applications are mixed across several networks: internal user groups, outsourced users, partner users and customers (users 1 to 3, applications 1 to 6 in the diagram). Trust nothing by default; always authenticate before an application connection is allowed; access is granted per application.
Zero Trust model case study: https://www.usenix.org/conference/enigma2018/presentation/hildebrandt
Zero Trust model implementation options:
Option #1 Network Segmentation
Option #2 Software Defined Perimeters
Option #3 Edge-based Identity Aware Proxies
Akamai Zero Trust Offering: the Akamai Intelligent Platform to secure all enterprise apps & users.
- User verification and application access control (AuthN/AuthZ)
- Single Sign On with multi-factor (MFA) authentication
- Improved application performance and security
- Proactive response to malware and data exfiltration (threats, C&C, AUP)
- SIEM integration
- DDoS protection for applications
Akamai Enterprise Application Access (EAA): a next-generation remote access solution
Diagram: employees inside the company, remote users who have moved to working from home, and external parties (suppliers, partners) all connect through the Akamai Intelligent Platform (EAA Edge) to SaaS (SFDC, Office 365, etc.), IaaS (AWS, Azure, etc.) and the data center, where an EAA Connector fronts internal web applications (SharePoint, etc.) and Windows/Linux servers (RDP/SSH).
EAA features: only the people who need an application are allowed to reach it; the zero-trust boundary moves into the cloud; SSO, multi-factor authentication and integrated identity.
1. Browser-based application access over HTML5 with no client software (compatible with HTTP/S, RDP, SSH, VNC).
2. No inbound access from outside the firewall into the internal network is required.
3. Integration with the corporate directory service (Active Directory / LDAP).
User login screen: multi-factor authentication, integrated identity.
Akamai & EAA: 300+ applications, 6500+ users
Threats that still exist
- In 2018 ransomware attacks decreased but sophisticated attacks increased (source: Trend Micro 2018 Midyear Security Roundup).
- 51% of data breaches involved malware (source: Verizon 2017 Data Breach Investigation Report).
- The average loss from a data breach is 4 billion (source: Ponemon Institute, 2016 Cost of Cybercrime).
- 68% of companies have not considered the financial impact of a cyber attack (source: MMC 2016 Cyber Handbook).
- 18 million new malware samples were detected in Q3 2016 alone (source: Pandasecurity 2017 cyber security statistics).
- 390,000 new malware samples are detected every day (source: AV-TEST malware statistics).
Malware also uses DNS to talk to its C&C servers, and some malware exfiltrates data over DNS. Most enterprises concentrate their security and monitoring on inbound attack traffic from outside rather than on outbound traffic leaving the internal network.
Signature-based defense
Malicious code, malware and malicious behaviour are blocked by fixed, signature-based methods (diagram: AV devices, SWG, IPS/IDS between the Internet, threats and C&C). Limitations:
- cannot detect or block new malware
- cannot detect file-based malware
- cannot block malware arriving over allowed IP addresses, protocols and applications
- cannot block malware arriving through allowed sites
User connection timeline for malware.com: DNS lookup 70 ms, initial connection 60 ms, time to first byte 60 ms, content download 140 ms. DNS resolution is the first step of every connection, and 91.3% of known bad malware uses DNS.
Domain access steps (diagram)
1. A device (mobile apps, WWW, HD video, cloud/SaaS apps) asks the corporate DNS for www.akamai.com.
2. The corporate DNS resolves the name via Root DNS.
3. The device connects out to the Internet, where Command & Control infrastructure, advanced threats and unacceptable content sit alongside legitimate sites.
Blocking through the Edge Cloud (diagram)
1. The device queries the corporate DNS.
2. The corporate DNS forwards the query to Akamai ETP in the Edge Cloud, which checks it first against security intelligence ("check first!!").
3. Only then is the name resolved via Root DNS.
4. The connection to www.akamai.com proceeds, while queries for Command & Control infrastructure, advanced threats and unacceptable content are blocked before any connection is made.
Deployment in practice
Step 1: change the DNS settings.
Step 2: configure the policy.
Step 3: start monitoring.
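The DNS-layer check the last three slides describe (policy consulted before a name is resolved, then a monitoring record), as an added example that is not Akamai ETP's code. The threat list, categories, policy actions and query names are constructed for illustration.

```python
"""Toy DNS-layer policy check: classify a query name against a threat list,
apply a category policy, and emit a monitoring line. Constructed example."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed intelligence feed: listed domain -> category.
THREAT_INTEL = {
    "malware.com": "malware",
    "c2-beacon.example": "command-and-control",
    "anonymizer.example": "acceptable-use-policy",
}
# Constructed policy (step 2, "configure the policy"): category -> action.
POLICY = {
    "malware": "block",
    "command-and-control": "block",
    "acceptable-use-policy": "block",
}

@dataclass
class Verdict:
    qname: str
    action: str                  # "resolve" or "block"
    category: Optional[str]
    matched: Optional[str]       # the listed domain that matched, if any

def lookup_category(qname: str) -> Tuple[Optional[str], Optional[str]]:
    """Walk from the full name toward the apex so that a subdomain such as
    cdn.malware.com is caught by the malware.com entry; the bare TLD is skipped."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in THREAT_INTEL:
            return THREAT_INTEL[candidate], candidate
    return None, None

def check_query(qname: str) -> Verdict:
    """Decide before resolution: unknown names resolve, listed names follow POLICY."""
    category, matched = lookup_category(qname)
    action = POLICY.get(category, "resolve") if category else "resolve"
    return Verdict(qname, action, category, matched)

def monitor_line(v: Verdict) -> str:
    """Step 3, monitoring: one log line per decision for the console or SIEM."""
    return (f"qname={v.qname} action={v.action} "
            f"category={v.category or '-'} matched={v.matched or '-'}")

if __name__ == "__main__":
    for name in ("www.akamai.com", "cdn.malware.com.", "C2-BEACON.EXAMPLE"):
        print(monitor_line(check_query(name)))
```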
Real-time monitoring (console screenshot)
Multi-layer defense: expected benefits
Threats covered. Inbound defense: targeted email, watering hole attacks. Outbound defense: C&C communication (HTTP/HTTPS), C&C communication (other than HTTP/HTTPS), ransomware, file sharing / chat (CASB: detected through domain-level query analysis).
Controls and what each contributes:
- FW: blocking by communication port.
- IPS: signature-based blocking of vulnerability exploitation.
- URL filter / anti-spyware: block communication to malicious sites; block known IPs.
- Email security: block fraudulent mail; block attachments.
- APT solution: block attachments; block unknown malware; block communication to malware-delivering sites.
- Akamai ETP (DNS security): block malware delivery through file payload inspection at the ETP Proxy (targeted email, watering hole); block known malicious domains (C&C over HTTP/HTTPS and over other protocols); block communication to the encryption infrastructure (ransomware).
- Anti-virus: block known malware.
- EDR: detect malicious activity after a malware infection.
ETP case study: deployed to every school in New Zealand
- Provides protection to all staff and students
- Protects against malware, phishing & CnC traffic
- Enforces Acceptable Use Policy (AUP)
- Blocks anonymisers
- Enforces SafeSearch
https://www.n4l.co.nz/how-does-n4l-help-protect-schools-against-ransomware/
Akamai Edge Cloud Platform: changes in the IT operating environment
A GLOBAL Cloud PLATFORM: 240,000 servers, 1,700 networks, 3,900 locations, 137 countries
ACCELERATING DAILY TRAFFIC OF: 40 million hits per second, 2+ trillion deliveries per day, 50+ terabits per second
TRUSTED BY THE WORLD'S LEADING BRANDS: handles 25-40% of the world's Internet traffic; 4 of the top 5 most valuable companies in Asia; 7 of the top 10 Asian airlines; 9 of the top 10 global auto manufacturers; 9 of the top 10 global computer hardware manufacturers; all top 50 global carriers; over 400 banks worldwide
About Akamai
Zero Trust At Akamai - WHY?
- We believe a network-centric approach to security and segregation is no longer sufficient to protect our company's assets
  o Firewalls and VPNs are great if you don't have any users
- We don't trust what we don't know
- We require more fine-grained access control
  o NAC was great on paper, but was too difficult and expensive to implement
- We want to give our employees the same seamless and secure experience across any device from any location
The Internet As The Corporate Network: Akamai has always believed that the Internet is THE network. NO VPN.
Akamai's Path to Zero Trust (timeline)
2000s: Network and Application Controls; Client Certificates for all; Network dot1x; 2FA; Federated Auth (SAML); No internal wireless; Bastion mgmt hosts; Default no outbound internet
2011: Akamai on Akamai launches; applications made externally available via the Akamai on Akamai (AoA) internal IT hack (inbound proxy); Global Traffic Mgmt; Site Shield
2016: No Passwords; 2FA moves to cert+push MFA; passwords are largely eliminated from the environment; 3rd party access (Soha)
2017: Akamai Enterprise Security Products; Enterprise Application Access (EAA) replaces the AoA IT hack; Enterprise Threat Protector (DNS based threat intel)
2018+: Akamai's 100 in 100 Challenge; Zero Trust; EAA (zero trust) client deployed successfully to hundreds of internal users; Kona Site Defender (WAF); Bot Manager
What is this? Answers: A. Apple Watch  B. Expensive!  C. My Password  D. All of the above
Akamai Workflow: user experience (screenshot of https://oracle-ebs.akamai.com/oa_html/oa.jsp?oafunc=oahomepage#)
Akamai Workflow: data exchange (example app: https://oracle-ebs.akamai.com/oa_html/oa.jsp?oafunc=oahomepage#)
1. The request is referred to SSO login: EAA challenges the client for a client certificate.
2. The user's identity is confirmed from the certificate, and the user is checked for authorization to access the app.
3. EAA checks for a valid EAA IDP cookie.
4. If no cookie is present, the user is challenged for MFA to confirm the access request; if the IDP cookie is already present and valid, no MFA challenge is needed.
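The four-step decision above as an added example of an identity-aware proxy policy; this is not Akamai's or EAA's code. The HMAC-signed cookie format, the parsed-certificate dictionary, the app/user authorization table and the sample values are all constructed assumptions.

```python
"""Toy identity-aware proxy decision: client certificate -> identity and
authorization -> IdP cookie check -> MFA only when no valid cookie. Constructed."""
import hashlib
import hmac
import time

IDP_SECRET = b"constructed-demo-signing-key"      # stands in for the IdP's key
ACCESS_POLICY = {"oracle-ebs": {"alice", "bob"}}  # app -> users allowed to reach it

def identity_from_cert(cert):
    """cert is a dict standing in for a parsed, chain-validated client certificate."""
    if not cert or not cert.get("valid"):
        return None                      # no usable certificate: step 1 challenge
    return cert.get("subject")

def issue_idp_cookie(user, ttl_seconds, now):
    """Issued after a successful MFA step: user|expiry|HMAC-SHA256."""
    exp = int(now + ttl_seconds)
    payload = f"{user}|{exp}"
    sig = hmac.new(IDP_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"

def cookie_is_valid(cookie, user, now):
    """Valid only if untampered, bound to this user, and not expired."""
    if not cookie:
        return False
    try:
        c_user, exp, sig = cookie.rsplit("|", 2)
        expiry = int(exp)
    except ValueError:
        return False
    expected = hmac.new(IDP_SECRET, f"{c_user}|{exp}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected) and c_user == user and now < expiry

def access_decision(app, cert, cookie, now=None):
    """Returns the next action the proxy takes for this request."""
    now = time.time() if now is None else now
    user = identity_from_cert(cert)
    if user is None:
        return "challenge_client_certificate"        # step 1
    if user not in ACCESS_POLICY.get(app, set()):
        return "deny_not_authorized"                 # step 2
    if cookie_is_valid(cookie, user, now):
        return "allow"                               # step 3/4: cookie present and valid
    return "challenge_mfa"                           # step 4: no valid cookie

if __name__ == "__main__":
    now = time.time()
    cert = {"valid": True, "subject": "alice"}
    print(access_decision("oracle-ebs", None, None, now))   # challenge_client_certificate
    print(access_decision("oracle-ebs", cert, None, now))   # challenge_mfa
    cookie = issue_idp_cookie("alice", 3600, now)           # set after MFA succeeds
    print(access_decision("oracle-ebs", cert, cookie, now)) # allow
```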
Akamai & EAA: 300+ applications, 6500+ users
Our Vision: one edge platform to secure all enterprise apps & users
- Threat Protection: malware, phishing & DNS-based data exfiltration protection with inline payload analysis
- Application Access: identity, single sign-on & multi-factor authentication; inline app access, app performance & app security
Diagram: users in the office and in a cafe reach apps #1, #2, #3 ... #n hosted in the DC, IaaS, SaaS and the Web through the edge platform.
Zero Trust Is A Journey Are you ready to start?
THANK YOU
김현철, Akamai Korea
www.cloudsec.com