Remote access to applications

Use Case: Secure Business User Access to Internal Corporate Application Services

Business users need secure access to enterprise applications running in an IaaS environment. These business users require access to a wide range of applications such as HRMS, Financials, Procurement, Expenses, Supply Chain, etc. These applications could be packaged applications from vendors, or they could be home-grown applications developed by internal IT developers.


In these cases, Business Users typically do not require low-level access to the network or machines (e.g. SSH or RDP). The applications may be in either Production or Test/QA.

Access Without a Software-Defined Perimeter

There are three common ways of providing secure remote access to applications for Business Users: 1) Direct, 2) VPN, and 3) VDI.

Direct: In the case of Direct access, the application is typically a Web Application that is published to the public Internet without any access restrictions. The application is then exposed to the elements and is prone to all sorts of attack vectors, including brute force, DDoS, XSS, and any TLS vulnerabilities such as Heartbleed or POODLE.


Cloud Security/Migration/Setting changes

 

Use Case: Updating User Access When New Server Instances Are Created

Cloud environments are by their very nature dynamic, and it's fair to say that most organizations leverage this aspect of IaaS to increase their development velocity and agility.

In particular, in IaaS environments it's quick and simple to create and destroy server instances, so organizations do this on a frequent (if not continual) basis.

Access Without a Software-Defined Perimeter

As depicted in the diagram below, a person using the IaaS admin console (or a system making an API call) creates a new server instance.

The required network changes depend on the users' location, cloud connection type, and needs, and are discussed in the tables on the following pages.

Access with a Software-Defined Perimeter

Cloud servers are all protected by the SDP system, with a Gateway acting as the sole network entry point into the Private Cloud Network.


Development in the Cloud

 

Developers need administrative access to IaaS resources for development, testing, and deployment. These users require access to a wide range of ports and protocols, and access to a constantly changing set of IaaS resources.

Developers may be working with sensitive data, and in DevOps environments will be working with production systems. As a result, organizations have security and compliance needs that require visibility and control of access to these systems.

Access Without a Software-Defined Perimeter

Access with a Software-Defined Perimeter

The SDP is deployed as follows. A Controller (depicted in the diagram on the following page) runs in a location where it is accessible to all users (connections not shown in the diagram for clarity). This may be a publicly accessible location at the edge of the Cloud, as shown, or perhaps a DMZ at corporate HQ.

Access to the Controller is protected by Single-Packet Authorization (SPA), so exposing it to the Internet does not materially increase risk: the Controller does not respond to anything that is not a valid SPA packet, so to an unauthenticated scanner it looks like a closed port. After users are properly authenticated by the Controller, they access resources on the Private Cloud Network through the Gateways.

The Gateway is also protected by SPA, and all user traffic is transmitted through an encrypted tunnel across the Internet.

The Gateway enforces access policies on a per-user basis, achieving the principle of least privilege. The Gateways are situated at the entry point of each Private Cloud Network and control all inbound traffic.
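The following Python sketch is an added example (it is not code from this page, from the CSA SDP specification, or from any SDP product) that puts the two Gateway behaviours described above into working form: a default-drop Gateway that answers nothing unless it receives a valid SPA packet (an HMAC-SHA256 over a device ID, timestamp and nonce, with a time window and a replay cache), and which then expands a per-user policy into concrete allow rules for that source. The policy is keyed by instance tag rather than by IP address, so the earlier use case (a new server instance created through the IaaS console or API) is handled by registering the instance's tag with the Gateway, not by editing firewall or VPN rules. The packet layout, the device keys, the user names, the addresses and the policy schema are all assumptions constructed for illustration.

```python
"""Added example: a minimal SDP Gateway combining Single-Packet Authorization
(SPA) with a per-user, tag-based access policy.

Assumptions (not from the page or the CSA specification): the SPA packet
layout, the HMAC-SHA256 construction, and every key, name, address and policy
entry below are constructed for illustration."""
import hashlib
import hmac
import os
import struct
import time
from typing import List, Optional, Tuple

SPA_WINDOW_SECONDS = 30   # tolerated clock skew; also bounds the replay window
NONCE_LEN = 16
MAC_LEN = 32              # HMAC-SHA256 digest length

# Per-device SPA secrets and device ownership, normally issued by the
# Controller at enrolment (constructed values).
DEVICE_KEYS = {
    b"alice-laptop": bytes.fromhex("11" * 32),
    b"bob-workstation": bytes.fromhex("22" * 32),
}
DEVICE_OWNER = {b"alice-laptop": "alice", b"bob-workstation": "bob"}

# Least-privilege policy: user -> {(instance tag, port)}.  Keying on tags
# instead of IPs is what lets a newly created instance become reachable
# without an ACL change: the Gateway expands the tag at authorization time.
USER_POLICY = {
    "alice": {("app=financials", 443)},
    "bob": {("app=financials", 443), ("app=procurement", 443)},
}
# Inventory of Private Cloud Network servers by tag (constructed).
INSTANCES = {"app=financials": {"10.0.1.10"}}

Rule = Tuple[str, str, int]   # (source IP, destination IP, destination port)


def register_instance(tag: str, ip: str) -> None:
    """Hook for the instance-creation event (IaaS console or API call).
    Only the inventory changes; no user-facing firewall or VPN edit is needed."""
    INSTANCES.setdefault(tag, set()).add(ip)


def build_spa_packet(device_id: bytes, key: bytes, now: Optional[float] = None) -> bytes:
    """Client side: one authenticated UDP datagram sent before anything else.
    Layout: id_len(1) | device_id | unix_time(8) | nonce(16) | HMAC-SHA256(32)."""
    ts = int(time.time() if now is None else now)
    body = struct.pack("!B", len(device_id)) + device_id
    body += struct.pack("!Q", ts) + os.urandom(NONCE_LEN)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class SpaGateway:
    """Default-drop Gateway: every failure path returns None and sends nothing,
    so an unauthenticated scanner sees a closed port."""

    def __init__(self) -> None:
        self.seen_nonces = set()   # replay cache; in practice expired after the window

    def authorize(self, packet: bytes, src_ip: str,
                  now: Optional[float] = None) -> Optional[List[Rule]]:
        now = time.time() if now is None else now
        if len(packet) < 1 + 8 + NONCE_LEN + MAC_LEN:
            return None                                   # too short to be SPA
        id_len = packet[0]
        body, mac = packet[:-MAC_LEN], packet[-MAC_LEN:]
        if len(body) != 1 + id_len + 8 + NONCE_LEN:
            return None                                   # malformed
        device_id = body[1:1 + id_len]
        key = DEVICE_KEYS.get(device_id)
        if key is None:
            return None                                   # unknown device
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):        # constant-time compare
            return None                                   # forged or tampered
        (ts,) = struct.unpack("!Q", body[1 + id_len:1 + id_len + 8])
        nonce = body[1 + id_len + 8:]
        if abs(now - ts) > SPA_WINDOW_SECONDS:
            return None                                   # stale packet
        if nonce in self.seen_nonces:
            return None                                   # replay within the window
        self.seen_nonces.add(nonce)
        user = DEVICE_OWNER[device_id]
        # Expand the user's tag policy into concrete allow rules for this source.
        return sorted(
            (src_ip, ip, port)
            for tag, port in USER_POLICY.get(user, set())
            for ip in INSTANCES.get(tag, set())
        )


if __name__ == "__main__":
    gw = SpaGateway()
    pkt = build_spa_packet(b"alice-laptop", DEVICE_KEYS[b"alice-laptop"])
    print("first SPA:", gw.authorize(pkt, "203.0.113.5"))   # one allow rule
    print("replayed: ", gw.authorize(pkt, "203.0.113.5"))   # None: dropped
    register_instance("app=financials", "10.0.1.11")
    pkt = build_spa_packet(b"alice-laptop", DEVICE_KEYS[b"alice-laptop"])
    print("after new instance:", gw.authorize(pkt, "203.0.113.5"))
```

The rules the Gateway returns are what a real implementation would push into its host firewall for a short time, after which the encrypted tunnel is established; the point to notice is that the Gateway never replies to a packet it rejects, and that adding a second financials instance changes the rule set for alice without anyone touching her access.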

 

IoT

 

SDP IoT front-end server: avoids the complexity of installing SDP client software on each IoT device

SDP Controller: authentication and access rights

SDP Gateway: enforces the rules and establishes access

RansomWare

 

Ransomware is on the rise

Ransomware demands soared by 518% in 2021

From $450,000 to $1.2 million, with a record demand of $40M

Prevention: you can't attack what you can't see

Recovery:

Once the ransom is paid with the insurance company

Consider implementing a resilient solution


Access to (critical) applications via VPN / VDI

 

VPN: With VPN, the private network and all of its resources are extended to the Business User's device.

VDI: With VDI, a virtual computer (usually running a Windows OS) is made available to the Business Users, which may in turn be used as a launch pad to the enterprise applications. The business applications are typically client/server applications that require a thick Windows client.