At a time when applications are moving to the cloud and workers are increasingly mobile, organisations are finding that their traditional perimeter defence techniques like VPNs and firewalls simply don’t give them the security they need. If finding a new approach to network security is on your IT agenda, then you’ve probably heard ‘Software Defined Perimeter (SDP)’ being thrown around a fair bit. If you are wondering what is SDP and what all the fuss is about, then please read on.
What is SDP?
Identified by Gartner as a top technology for security in 2017, Software Defined Perimeter (SDP) is an architecture and protocol guide, the original 1.0 specification was released in 2014 and its goal was to highlight the benefits of an ‘authenticate first’ and ‘connect later’ approach to connecting users to their data. Originally developed for IT infrastructure in the defence sector it was developed on the premise that connections are restricted on a need to know basis, it wasn’t just out of bounds to people without permission, it wasn’t visible to them, this is where the term ‘Black Cloud’ came in. It is now spreading wider into enterprise use where it promises to help mitigate a broad set of security vulnerabilities that affect IT infrastructure protected by more conventional perimeter security.
Currently the accepted method to connect to environments is with TCP/IP via Virtual Private Networks (VPN) or Network Access Controls (NAC), the issue here essentially being that these rely on a connect and authenticate method. A malicious data packet getting as far as authentication is already at your gates and from here may be able to innumerate your assets, if someone were to get within your walls with malicious intent they may be able to move laterally around your system and uncover all manner of goodies that you thought were off limits.
SDP works on a zero-trust model, which means that before someone can even approach the data layer they have to go through the Gateway, this will assess who you are via a Single Packet Authorisation (SPA) and will also go through a number of other parameters such as the device being used, location, time of day and number of other checks. It will then look at the policy laid out by your organisation and define the perimeter of what you have access to. Once in, you are strictly restricted to the perimeter your policy has set you, no ifs, no buts, no peeking over the wall, that is all you can see. As a default SDP trusts no-one and admits users on a case by case basis.
Why do I need it?
In short, IT has moved on and is continuing to move at quite a pace. Twenty years ago, apps sat on servers in one room and access control was set by a simple firewall existing between IP addresses and servers and now we are in the age of cloud computing and virtualisation
If you’re reading this, then it probably has not escaped your notice that malware attacks and data leaks are on the news frequently and this could be attributed to the fact that organisations aren’t keeping their infrastructure security up to date with their infrastructure or their working model. More people are working from home, on flexible hours, on varying devices from all over the world and this creates a plethora of problems.
The rise of cloud has also created a problem for the world of security, your information is now distributed in a variety of places, apps are located in globally distributed public clouds, hosted on 3rd party platforms, as well as on corporate and co-located datacentres. It’s no longer nestled in the warm cosy safety of your building. Users are also now no longer based at a single premise and are mobile and distributed. Here lies the problem, people coming in from everywhere trying to get to information hosted all over the place, it’s hard to build a wall around everything (and we know, Trump’s tried). Effectively the traditional perimeter has blurred – SDP re-establishes the perimeter and puts it back with the user. It overcomes the constraints of traditional tools by creating an individual perimeter for each user.
Traditional perimeter-based approach to network security has failed to adequately protect organisations and a new approach is needed. SDP is user centric and based around a set of policies laid out by the owner, implemented and looked after by the IT team. No more adjusting firewall permissions because Ben from accounting is on location and working from home more often, the gateway sees where he’s coming from and adjusts the perimeter accordingly, no more access to the competitor account data while he’s sat in Evil Corps headquarters.
OK, so it’s safer?
So, that’s the measure of it – SDP redefines the perimeter and associates it back with the user to create a zero-trust security model, but it can also allow you to manage resources more effectively. Due to its policy-based approach the requirement to adjust firewalls and user permissions is reduced so saving time now and is scalable for future savings. With everything going through the single point of access, you can change everything at once at the network layer and make policies a lot more granular to cover a vast array of scenarios.
Because SDP is about creating dynamic and secure network segments between a source and destination systems, it provides a better security solution for how today’s IT works. The source can be any type of device in any location and the destination can be any type of application or service in any location accommodation for mobility, BYOD and cloud computing.
Most impressively, because all traffic is encrypted, and all the policies are applied top to bottom, you can easily transition to an IaaS cloud environment and keep the same level of security on and off premises. All of this and it offers you reporting to save your IT team even more time.
Where did it come from and what’s next?
Let’s not beat around the bush, this is not new. Google have had an internal means of having employees connect securely from untrusted networks without the use of a VPN for years, called BeyondCorp it has essentially achieved many of the goals set out by the CSA’s SDP specification. Before them a collective called the Jericho Forum out lined the problem of de-perimeterisation in 2003 and set the goals to; define the problem, define the solution, work on fully utilising the cloud via collaborative methods securely and write the Identity, Entitlement and Access Management Commandments. They also debated ‘smart data’ before the forum was declared a success and disbanded in 2013, so Software Defined Perimeter already had a solid base to stand on and has been proven in both a defence and corporate environment courtesy of Google.
The future then is looking good for SDP, as the method is adopted more widely, and more companies are creating SDP solutions the offering can only get stronger. These zero trust network concepts are adopted by many security or network gear vendors such as VMware NSX, Cisco ACI and Cyxteras AppGate to name but a few. There are also several opensource SDP products out there such as SDP Waverly Labs, so it’s very much out there for you to get your hands on.
The advantages to a company with workloads on-premises and in the cloud seem endless, for ease of the user, ease of the IT admin and deterring Cyber Criminals. If security is a major part of your IT plans in the coming years, then an SDP solution could well be the answer.
If IT security is on your organisation’s agenda, then we can help. We help businesses transition from the world of securing devices and zones to protecting entire agile cloud infrastructures and ecosystems, tackling breaches before they occur, and providing practical steps for safeguarding your people and organisation from cybercrime. If you want to find out more, visit networking and security or click here to contact us.