Software Defined Perimeter (SDP)

by Paul J. Morse
December 2013

Security practitioners have been experiencing increasingly sophisticated and devastating attacks, plus a growing ecosystem of cybercrime tools that are readily available to even an interested layperson. The monetary damage due to a wide variety of breach types is well documented and the amount per breach is escalating. Further, corporate brand damage is so obvious and predictable from security breaches that some insurance companies offer insurance policies specifically to cover monetary loss from the brand damage a security breach and the resultant publicity may cause. The escalating game of “cat and mouse” between security enforcers and bad actors shows no signs of abating and is sure to continue unless new methods for protecting corporate assets are developed and implemented.

The Cloud Security Alliance recently announced a new approach to protecting corporate assets. It is named the “Software Defined Perimeter” or SDP. SDP is a security framework that can be deployed to protect application infrastructure from network-based attacks. The SDP incorporates security standards from a variety of organizations, such as the National Institute of Standards and Technology (NIST) and the U.S. Department of Defense (DoD), into an integrated network security framework.

The security approach of traditional enterprise network security architecture is to create an internal network separated from the outside world by a fixed perimeter. External users attempt to access exposed network ports and are either allowed in or blocked from access by a wide range of defense technologies deployed at the perimeter. The theory is that traditional fixed perimeters allow internal services to remain secure from external threats by blocking visibility and accessibility from outside the perimeter. However, the traditional fixed perimeter model is being challenged by cloud architectures, new types of client devices and increasingly sophisticated attack vectors, to the point that it is quickly becoming obsolete.

According to CSA, “Software defined perimeters address these issues by giving application owners the ability to deploy perimeters that retain the traditional model’s value of invisibility and inaccessibility to “outsiders,” but can be deployed anywhere – on the internet, in the cloud, at a hosting center, on the private corporate network, or across some or all of these locations.”

The basic mechanism of the SDP concept is to provide access to networks and applications only to authenticated users. This is fundamentally different from the current model of “connect, then authenticate”: the user first connects to an authenticating system (the SDP Controller), and only then connects to the application environment as an already authenticated entity. The corporate network is “hidden” from bad actors on the external network and is available only to SDP-authenticated, trusted entities. No DNS information or IP addresses can be seen unless the SDP system specifically provides them to an authenticated entity. The SDP architecture can be deployed on a small scale for individual applications or on a global scale for entire corporate environments. SDP is also designed to use existing security tools, including PKI, TLS, IPsec, SAML and others, so there is no need to implement new and esoteric security mechanisms to gain the advantages of SDP.
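The “authenticate, then connect” ordering is easiest to see in a small model. The following Python is an added example written for this page; it is not CSA's reference implementation, and the class and function names (Controller, Gateway, client_login, demo), the constructed credential store and the sample IP addresses are all illustrative. The controller verifies a user against a shared secret and then tells the gateway which source address may connect, for a limited time and with a one-time token; the gateway answers nothing at all to any other source, which is what keeps the service “dark”.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential store: user -> shared secret held by the controller.
USER_SECRETS = {"alice": b"alice-enrollment-secret"}


def _mac(secret, user, src_ip, nonce):
    """HMAC over the login fields, so a credential is never sent in the clear."""
    return hmac.new(secret, f"{user}|{src_ip}|{nonce}".encode(), hashlib.sha256).hexdigest()


class Gateway:
    """Accepting host in front of the application. Default deny: any source the
    controller has not authorized gets no reply at all, so the service stays 'dark'."""

    def __init__(self, clock):
        self._clock = clock      # injectable clock so expiry can be tested deterministically
        self._allow = {}         # src_ip -> (user, token, expires_at)
        self.log = []            # audit trail of ACCEPT/DROP decisions

    def authorize(self, src_ip, user, token, ttl):
        # Only the controller calls this; it binds the token to one source address.
        self._allow[src_ip] = (user, token, self._clock() + ttl)

    def connect(self, src_ip, token):
        entry = self._allow.get(src_ip)
        if (entry is None
                or not hmac.compare_digest(entry[1], token)
                or self._clock() > entry[2]):
            # Unknown source, wrong token or expired window: drop silently, no error reply.
            self.log.append(("DROP", src_ip))
            return None
        user = entry[0]
        self.log.append(("ACCEPT", src_ip, user))
        return f"app-session:{user}"


class Controller:
    """Authenticating system the client must reach before any application port opens."""

    def __init__(self, user_secrets, gateway):
        self._user_secrets = user_secrets
        self._gateway = gateway

    def authenticate(self, user, src_ip, nonce, mac):
        secret = self._user_secrets.get(user)
        if secret is None:
            return None
        if not hmac.compare_digest(_mac(secret, user, src_ip, nonce), mac):
            return None
        # Credential verified: issue a short-lived token and open the gateway for this source only.
        token = secrets.token_hex(16)
        self._gateway.authorize(src_ip, user, token, ttl=60)
        return token


def client_login(controller, user, secret, src_ip):
    """Client side of the first step: prove possession of the secret to the controller."""
    nonce = secrets.token_hex(8)
    return controller.authenticate(user, src_ip, nonce, _mac(secret, user, src_ip, nonce))


def demo():
    """Walk through probe, failed login, successful login, token misuse and expiry."""
    now = [1000.0]
    gw = Gateway(clock=lambda: now[0])
    ctl = Controller(USER_SECRETS, gw)
    out = {}
    out["scan_before_auth"] = gw.connect("203.0.113.9", "")          # unauthenticated probe: dropped
    out["wrong_secret_token"] = client_login(ctl, "alice", b"guess", "198.51.100.7")  # None
    tok = client_login(ctl, "alice", USER_SECRETS["alice"], "198.51.100.7")
    out["legit_session"] = gw.connect("198.51.100.7", tok)           # 'app-session:alice'
    out["token_from_other_ip"] = gw.connect("203.0.113.9", tok)      # token bound to source: dropped
    now[0] += 61
    out["after_expiry"] = gw.connect("198.51.100.7", tok)            # authorization expired: dropped
    out["log"] = list(gw.log)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

Two design points carry over to a real deployment: the gateway never distinguishes “no such service” from “not authorized” (both are silence), and the authorization is scoped to one source, one token and one time window rather than to a network. A production controller would also track nonces to reject replays and would front this exchange with the mutual TLS, PKI or SAML mechanisms the article lists, rather than a bare shared-secret HMAC.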

There is certainly precedent for this type of security architecture because similar systems are already in use in the defense industry and some corporations. The need for new network security mechanisms and architectures is very clear. The Cloud Security Alliance is, once again, taking a leadership position relative to Cloud and general computing security by bringing the concept of the SDP to the computing public. SDP has significant promise and the potential to become a widely adopted standard for helping organizations further secure their valuable assets in an era of rapidly changing computing models and increased security threats.

Documentation on the Cloud Security Alliance Software Defined Perimeter can be found at http://www.cloudsecurityalliance.org.

About the Author:
Paul Morse is an independent writer, trainer and consultant across a wide range of technologies and business-value areas. His current focus is on the intersection of Cloud Computing, Big Data and Infrastructure Security. More information about Paul Morse can be found on LinkedIn.
