The Software Defined Perimeter: How to secure remote devices and employees with Meta Networks | Truth in IT


Who is Meta Networks & what is the software defined perimeter?

- Hi, I'm Mike Matchett with Small World Big Data, and today's topic is software-defined perimeters. What does that mean? We're talking about what happens to security. How do you enforce security? How do you ensure security when you're no longer just inside your data center? When you've got people using apps on the Internet, you've got people using SaaS services and apps inside there, but even more so, when they're coming in from mobile devices. Devices you both manage, and devices you don't manage. It's becoming really hard to draw a hard line around a definitive perimeter, so we need some new solutions. Well, today I'm gonna introduce Meta Networks, and they've got a new way to provide security through kind of an overlay across the whole world wide Internet, that will ensure that your folks are only accessing the apps and data that they are whitelisted for. With that, let me introduce Meta Networks. Welcome, I've got the CTO here, can you introduce yourself?

- Hi Mike, nice to be here. I'm Shmulik Ladkani, CTO and co-founder of Meta Networks.

- Okay, how long has Meta Networks been around?

- So, we've been around for like one and a half years, something like that. By the end of 2016, we founded the company. The founder is Etay Bogner, the CEO. He is a four-time entrepreneur, and he's been in various network and security companies in his past. And this recent venture is focused around software-defined perimeter, and providing a secure network for remote access.

- Remote access. So tell me what a software-defined perimeter looks like when I'm a company. It's not a firewall, it's not another VPN. It's not exactly micro-segmentation like a VMware cluster. What is an overlay in a software-defined perimeter, the way you guys deliver it?

- So the idea behind software-defined perimeter is establishing a Zero-Trust model and having the perimeter defined according to identities and policies which correlate with these specific identities. So, basically all the traditional security solutions were based on locations or IP addresses. And as we very well know, today we have a lot of mobile users who work from untrusted locations and untrusted networks. And of course, the corporate itself has many applications which are deployed worldwide in various locations in a lot of cloud VPCs and data centers, and SaaS, and so forth and so on. So, it doesn't really make any sense to define the perimeter according to the location. Not by the location of the asset being accessed, and not by the location of the person trying to access it. So, software-defined perimeter is basically saying, "Okay, I've got this user, it has a well-defined identity. The user is authenticated, I know that this is, for example, Shmulik's device, and the corporate administrator can define specific whitelisted access rights to which applications or resources or assets that specific identity can access."

- All right, so, from one perspective, it's no longer, just get on the network through VPN, you have access to everything, it's, we're gonna lock it down in a conceptual way that every person only gets access to the application they want. But how do you do that on a worldwide basis? I mean, do you go in and lock down the device? Do you do some neural-network programming on the person so they only know one thing? What do you do, it's not biometrics, what do you do to keep that person only accessing the one application that they're supposed to have access to?

The Two Components of the Software Defined Perimeter

- So it's basically comprised of two different steps. The first step is that the device of the user has been onboarded and it has some kind of authentication mechanism which is provided when he attempts to connect to the network. So basically, it is like a certificate and some form of multi-factor authentication. And the second part is the overlay network that we've developed in Meta Networks. Basically, we've deployed a large-scale, globally available, secure overlay network, which is basically located everywhere; we have numerous points of presence around the globe and these actually build our secure network. And both the user devices and the corporate assets, resources, cloud deployments, both of them connect to the network after authentication. And then, everything is basically isolated and each device or asset has its own policy which is defined by the administrator of the organization. So, basically, instead of blacklisting stuff, the administrator can go and define in the management portal which assets are accessible by which users, or group of users or group of devices. So that's the idea of a software-defined perimeter. The network is no longer location- or IP-based, but it is identity-based. And once you know the identity of the traffic that goes into the system, you can deploy whitelisting access rules which specify which apps or assets are accessible by which users.

Security Based on the Personalized Virtual Network

- So, you know, we use these terms a lot in different ways, we say network virtualization and virtualized networks and things, but you've really provided, if I'm sitting at a user space, I log into your, or authenticate to your system, through my device. Once I'm authenticated, I kinda get my own virtual network with access to just the things that I want, I think you called this a personalized virtual network, personalized private network, we can come up with a whole bunch of different terms. But essentially, by going into your network first and authenticating there, then I'm given a virtualized network experience to the things that I'm authenticated and approved for, and nothing else. And the same for everyone else that's coming in. So we each have our own kind of network view of the world right?

- Yeah, that's entirely true, but basically everything from service discovery and the DNS names, and whatever network assets, everything is personalized and each device gets its own view of the network, okay, according to these policies. So yes Mike, you can think of it as a personal virtual network which is a logical set of all of the applications, assets, resources or cloud networks that you are allowed to access. So each user in their organization has such a personalized logical network.

- I think you can do some really great things with that; it sort of makes the whole security paradigm much simpler to think about and get your hands around. Now on the back-end, flip to the other side, we were talking a little bit about the back-end of this. Obviously by running this network, you're collecting a lot of data, you see a lot of things, you've got all the audit logs, you've got all the traces, you've got all the network traffic, that's in your control. And tell me what you can do with that, because it's a very powerful perspective of everything that's there.

- Absolutely, so since the network is identity-based, everything that goes into the system, all traffic that traverses the network, has, you can say, the identity embedded and attached to it. So it doesn't really matter where you're located. Whether you are connected to the network from your home location or you are traveling to a different country, and connected to the network from that specific location. We know that the traffic belongs to Mike's device, and then everything gets aggregated, and you can see whatever attempts your device has made to access the corporate network, according to your specific identity. So it could be like DNS queries, or successful sessions attempted to applications, or unsuccessful sessions attempted, and it is all reachable and accessible using a single management portal, since our model is based on Network-as-a-Service, so, as with any other SaaS, we have our own REST APIs and UIs, a single management place where the administrator can log in and look at the traffic logs collected from the entire system in one place.

- And I think that's just great, because what you're really saying is, from my personal private network view, you can track all the traffic that I, or anything I'm running, or any virus I happen to have picked up, is doing on my own personal network, and then assign that and attribute it back to me, and get back to me very quickly if you're a security problem. Or I suppose this also has some value as performance and some other business value in terms of who's doing what, where they are, and so on down the road.

- Exactly, and also all of this data can be fed to whatever other tools and vendors that provide whatever analytics and you can detect whatever strange behaviors or other anomalies in your network by feeding that data to any kind of behavior analytic tool.

- Yeah, I can actually forecast a little bit, saying there's gonna be a new kind of compliance requirement five years from now based on this technology that says, "Now you can't let people from different places access the data that's in other places, and it's not just where the data is, but who has access to it regionally, 'cause you can control that." Great, where can someone now find more information about this Meta Network-as-a-Service? Where can we find more stuff about it?

- So you can go to our website, metanetworks.com, and from there you can read the blogs and follow us and see the exact details of our offering.

- All right, well thank you for being here today.

- Thank you for having me, Mike.

- And thank you guys, I'm sure we'll be back with some more coverage of Meta Networks and this evolving software-defined perimeter security idea. Thanks for coming, take care.

- Thanks.

View the full video here: Software Defined Perimeter With Meta Networks