Collaborative Security in an Encrypted Internet

Nancy Cam-WingetAugust 2020

The Visibility Tensor

Time

Firewalls

80% TCPInternet boundtraffic

Network SecurityControls

FirewallsWeb Proxies

90% HTTP“HTTP the new TCP”

???

90% HTTPs95% (TLS) EncryptedQUIC becomes the new TCP

General Use cases• Security and crypto compliance• Acceptable Use policies• Controls based on Application type• Regulatory Compliance• Intrusion Detection/Prevention• Malware Detection• Granular Application Controls• File inspection

When and How is Visibility required?

Metadata Inspection

Metadata Inspection,DPI,Stateful DPI

Improve Controls thru Collaboration

App

On-Prem & Private DC

Workloads

Public Clouds

Workloads

InternetSaaS

Guidance can be provided by: Asset Manufacturer Asset Manager End User Network/Cloud Security Admin

• Guidance set on configuration• Guidance conveyed in a secure

“TLS Authorization” token• IT configured how to use the

token contents• IT manages keys to secure token

Security Controls Configuration

End User

IT

Security Controls Configuration

Security Controls. +Policy Configuration

Use Mutual Trust to Guide Security controls:

Future Controls thru Collaborative Security

App

App Services (server)

Network Security Services (on-prem/cloud)

System Mgr

Security Controls

Attestation Services

1. Is Device + App Trusted?

2. Provision AuthZ keyingmaterial + Config

3. Use TLS AuthZ token

4. Data Packets control guided by AuthZ

Enables Trusted Parties to Collaborate:• Enterprise to signal Application of desired controls• Application to influence Security Control Outcomes• Security Controls can avoid further inspection

as guided by the Enterprise and Application

Comments?