FAQ

 

 1) What are some of the good use cases to try Resiliant (based on experience
so far with other agencies)?

This is a list of SDP use cases that we have cataloged based upon our conversations
with DHS, DoS, NIST, and the GSA FedRAMP office.

a. Security for High High-Value Asset Applications and ATO compliance – SDP
provides an efficient solution to achieve Zero Trust for HVAs and also supports compliance (or
ATO in the government).

SDP helps achieve at least 60% of the FISMA/FedRAMP controls
compliance requirements (results from an SAIC study)

b. Secure Application-level Tunnels – VPNs are typically used for internal
segmentation. This approach to segmentation along with whitelist, blacklist, network sensors, system sensors, etc. overloads client machines. SDP can help to reduce the management of VPNs for applications and the load it places on client machines and thus improve user
experience.

c. Security with NSX – For VMware implementations that use NSX to set up and
manage the VMware infrastructure, using SDP to allow external users to access these VMs will
provide a security solution for VMs.

d. Secure Admin Access to Laptops – In large organizations where multiple
applications and locations have dedicated admin workstations for system admins who use several tools that are centrally managed, SDP can help to secure admin access from these laptops to systems for which they provide administration.

e. Security with Service Mesh – Service Mesh such as Istio are is designed for a very
large scale of users (in Billion) and as such very heavy to implement selective controls using
proxies.

There are cases when one would like to pin users to devices and then Istio gets
unwieldy. If Service Mesh (like Istio, Edgewise, Kong) has already been implemented, then SDP
provides a way to manage the firewalls and darken the services the mesh provides access to.

f. Security with SDNs – SDP provides an overlay to ensure connections are secured
over the IP routing infrastructure that SDNs provide. SDP Controller and SDN Controllers
reside side-by- side with no change to the SDN infrastructure.

g. Security with NFVs – SDP provides a security framework to provide logical
perimeters around services, restricting network access and connections to the SDP-enabled
Virtual

Network Functions (VNFs) to trusted clients only. SDP can integrate with
Kubernetes, OpenShift, and the like.

h. Secure segmentation of region-specific apps – (e.g. WhatsApp in Asia) In a global
corporate network, region region-specific apps can be enabled using the SDP to deliver
specific capabilities to overseas employees.

i. Device Consolidation – Organizations that manage multiple sites (such as 250
sites globally), segmenting networks to ensure defense in depth is complicated. SDP will provide a way to Resiliant | www.resiliant.com

4 consolidate and manage devices globally while providing the an added level of
security and compliance.

j. Security for Edge Computing or Fog Computing – SDP is a security framework for
protecting the cloud from the edge by only authorizing authenticated users at the edge to
access services in the cloud.

k. Security for IoT devices – SDP is a light-weight option to ensure that a level of
encryption and authentication is provided for IoT devices that don’t have that option built-in
today.

2) Firewalls currently provide all the visibility. What is the added value of Resiliant?

Once an authorized user signs onto their machines using PIV cards, then firewalls in
front of services can provide visibility into which users, on which devices access which
services. Once these connections are made, it is not easy to drop them individually with
today’s firewall set up.

Resiliant SDP provides an “on-demand” firewall to accept policy changes by trusted
agents.

SDP can also “expire” Firewall accept policy rules.
SDP provides the same level of visibility
for third-party users who don’t have PIV- cards to log into CONFIDENTIAL CLIENT
machines and/or happen to use their own devices.

3) Where is Resiliant implemented-specifically the gateway?

In CONFIDENTIAL
CLIENT controlled infrastructure or in a public Cloud ?
The SDP Gateways can be installed on CONFIDENTIAL CLIENT CONFIDENTIAL
CLIENT-controlled infrastructure or in the CONFIDENTIAL CLIENT CONFIDENTIAL
CLIENT-
controlled cloud. For managed service offerings, Resiliant will provide FedRAMP for
Gateway as a PaaS offering and Controller as a SaaS offering.

4) How to transition from traditional authentication to mTLS (for Resiliant)?

As such no transition is necessary. SDP sets up an mTLS tunnel between the user
machine (end-point) and the SDP Gateway. The native client traffic to the SDP-protected
service is routed through this protected tunnel. Today’s traditional authentication allows
users to log into their machines on the CONFIDENTIAL CLIENT network. But those keys are then
perhaps not used to set up the TLS connection to the applications they access from their machine. If we have not interpreted your question correctly, we would like to discuss and clarify.

5) How does Agile ATO extend to security monitoring?

For NIST and GSA FedRAMP, we set up a pilot Agile ATO pilot to demonstrate the
use of Zero Trust architecture with open Software Software-Defined Perimeter (SDP) for
securing a DevSecOps environment Resiliant | www.resiliant.com

4 )

• We employed E3 Lab (an IaaS)
• We leveraged NIST SP 800-207: Zero Trust Architecture
• We implemented and deployed Waverley/Resiliant OpenSDP solution (for identity
management and access control enforcement)

• We configured a DevSecOps environment for developing and operating a sample
application (F-Force App)
The architecture for the a pilot is shown below.
Waverley Labs
F-Force App [System Owner]
ResiliantSDP PaaS [CSP]

2 Twelve E3 Lab IaaS [CSP]
F-Force App Consumer
SSP Responsibility Stack
Resiliant
SDP
Controller
(IDaaS)
High Level Architecture
In this pilot project, fine fine-grained policies are set up for users of the various
components

– IaaS, PaaS, SaaS, Network Admins, Applications users, Application Admins, etc.
The Red box indicates the Zero Trust environment specifically set up for the F-Force
App so
that it is hidden even while residing in an IaaS environment.

Security monitoring is greatly simplified by sending all the dropped packets – that
signal unauthorized access – to a SIEM or SOAR solution. In addition, the who, when, from
what device to what service connectivity information can also be sent to the SIEM as
previously this data is very hard to compile from multiple sources of data.

6) What would Resiliant solve in Zero Trust?

NIST SP-800-207 defines Zero trust as follows:

a. Resiliant provides this environment for services by creating the trusted zone
(completely hidden) as an overlay with very little network configuration. Resiliant
simplifies the implementation of an access control policy definition point (PDP, SDP
Controller) that is fine-grained and a policy enforcement point (PEP, SDP Gateway).
Enforcing policies at the time of connectivity requires the separation of the control
plane from the data plane.

b. Resiliant helps to gradually add scope because you can start by protecting some
services and not others and then increase the scope.

c. The underlying infrastructure can be simplified over time.
In other words, Resiliant provides dynamic access control ONLY to trusted users on
validated devices with access to ‘blackened’ service/application/network.