collaborative security in an encrypted internet
TRANSCRIPT
Collaborative Security in an Encrypted Internet
Nancy Cam-WingetAugust 2020
The Visibility Tensor
Time
Firewalls
80% TCPInternet boundtraffic
Network SecurityControls
FirewallsWeb Proxies
90% HTTP“HTTP the new TCP”
???
90% HTTPs95% (TLS) EncryptedQUIC becomes the new TCP
General Use cases• Security and crypto compliance• Acceptable Use policies• Controls based on Application type• Regulatory Compliance• Intrusion Detection/Prevention• Malware Detection• Granular Application Controls• File inspection
When and How is Visibility required?
Metadata Inspection
Metadata Inspection,DPI,Stateful DPI
Improve Controls thru Collaboration
App
On-Prem & Private DC
Workloads
Public Clouds
Workloads
InternetSaaS
Guidance can be provided by: Asset Manufacturer Asset Manager End User Network/Cloud Security Admin
• Guidance set on configuration• Guidance conveyed in a secure
“TLS Authorization” token• IT configured how to use the
token contents• IT manages keys to secure token
Security Controls Configuration
End User
IT
Security Controls Configuration
Security Controls. +Policy Configuration
Use Mutual Trust to Guide Security controls:
Future Controls thru Collaborative Security
App
App Services (server)
Network Security Services (on-prem/cloud)
System Mgr
Security Controls
Attestation Services
1. Is Device + App Trusted?
2. Provision AuthZ keyingmaterial + Config
3. Use TLS AuthZ token
4. Data Packets control guided by AuthZ
Enables Trusted Parties to Collaborate:• Enterprise to signal Application of desired controls• Application to influence Security Control Outcomes• Security Controls can avoid further inspection
as guided by the Enterprise and Application
Comments?