Extending the Zero Trust Security Model for Containerized Applications to Public Clouds
- Slides: 20
Extending the Zero Trust Security Model for Containerized Applications to Public Clouds

Jason Sones, VNO North America, Nuage Networks from Nokia
Sherif Awad, SDN Solution Architect Lead, Nuage Networks from Nokia
April 30th, 2019

© 2019 NOKIA. ALL RIGHTS RESERVED. NUAGE NETWORKS IS A NOKIA VENTURE.
Agenda

Extending the Zero Trust Security Model for Containerized Applications to Public Clouds, or "Blah!" (the title is too long!)

- Overview
- The Journey
- The Dream
- Challenges
- The Solution
- Demo
- Questions
Overview: What is this presentation about?
Overview: What is the Zero Trust Security Model?

- Never implicitly trust any public infrastructure.
- Start with the assumption that every potentially shared resource can be compromised.
- Implement policies that enable services with the minimum required access privileges.
- Always use micro-segmentation, authentication, authorization and encryption between application and/or user endpoints.
- Constantly monitor access requests (analytics) and intrusion attempts, and adjust policy to maintain the zero trust model (ZTM).
- Prevent, detect and respond. Automate this if you can!
Overview: The move towards unified networking and IT

- Unifying islands of connectivity through central policy and control.
- Impact of the move to public cloud:
  - The emergence of hosting sensitive enterprise IT applications as container workloads in public clouds.
  - The challenge is applying enterprise-grade security policy to public cloud applications.
- Simplifying service provisioning and management across branch, private and public clouds.
- How to ease end-user provisioning, consumption and management of these new unified services.
The Journey: How did we get to this point?
The journey: Data Center (Private Cloud) connecting and serving disparate locations (SD-WAN)

[Diagram: (1) Kubernetes and VMs in the data center; (2) VPN connectivity to Site A, Site B and Site C over public transport. Legend: trusted infrastructure = VXLAN only; public transport = VXLAN over IPsec.]
The journey (continued)

[Diagram: SDN Policy Engine above a WAN SDN Controller and a DC SDN Controller; Kubernetes and App 1 in the data center over any DC underlay; Branch 1, Branch 3 and Branch 4 reached via MPLS (MPLS PE) and the Internet; VNF (2) and SDN GW (3) at the data center edge; an end-to-end service overlay spanning WAN and data center. Legend: trusted infrastructure = VXLAN only; public transport = VXLAN over IPsec.]
The Unified Secure Multi-Cloud
The Dream: Why Orchestration
Why Orchestration?

[Diagram: the combinatorial space an orchestrator has to cover: m branch SDN / Nuage types (LAN, Nuage VCS, Thick CPE, Slim CPE, Thin CPE, Firewall, SD-WAN overlay, NSG-BR); underlays (Internet, IP/MPLS, legacy IP/MPLS VPN); VNF types (access control, mail scanner, WAN optimization, NAT, GRE, anti-DDoS, load balancing, other VAS); Nuage VNS and SR/vSR; n enterprises; versions and configurations; datacenter environments (telco cloud, local cloud, 3rd-party cloud); VPC stacks (OpenStack, NSP, AWS, Azure, GCP).]
Why Orchestration? Single-click deployment, service updates, a maintainable service.

[Diagram: the same service deployed across two hypervisors and a public cloud.]
Challenges: Identifying the obstacles that are standing in our way.
Challenges: What is missing to be able to realize the dream...

- How to ensure only authorized hosts can run container workloads?
- How to secure traffic between containers on different hosts?
- How to provide end-to-end service provisioning, security, monitoring and visibility from branch to private DC to public cloud?
- Can I rely on public cloud for data that I am responsible for keeping secure?
The Solution: Putting it all together
The Solution

[Diagram: Orchestration on top of the SDN Policy Engine, which drives a WAN SDN Controller and a DC SDN Controller; a Bootstrap Proxy; Kubernetes and App 1 in the data center; Branch 1, Branch 3 and Branch 4 over MPLS (MPLS PE) and the Internet; a Public Cloud GW fronting the Public Cloud Network that hosts App-22; an end-to-end service overlay across the WAN. Legend: ZTM = VXLAN over IPsec.]
Demo: We actually got it to work!!! Mostly...
Branch User Lab Topology

[Diagram: a branch user; DNS/NTP; MGMT network; an OpenShift cluster of Kubernetes Master, Node 01 and Node 02; VNO and VSD in the Nuage SDN cluster; WAN; Cloud SSL Proxy; DATA/CP network.]
Demo: And so it begins
Questions: Don't be shy!

Contact info: sherif.awad@nokia.com, jason.sones@nokia.com