As we head into RSA next month, chances are high that software defined perimeter (SDP) will jockey for position there in the infosec alphabet-soup lexicon. A new piece out this week in the Wall Street Journal shows that a lot of very large enterprises have high hopes for this NIST-backed protocol as security teams struggle in the cloud era to balance management of risk with maintenance of their relevance to the business.
These early experimenters believe SDP can help solve one of the toughest unanswered questions lingering around cloud and virtualization today. Namely, how to establish network airgaps even when enterprises are blending on-premises infrastructure with public cloud infrastructure and services.
As the WSJ explained, through the Cloud Security Alliance, SDP has some heavy-hitters backing it in the enterprise, including Coca-Cola, Verizon Communications and Mazda Motor Corp. Per the WSJ, Coke's chief enterprise architect, Alan Boehme said the company has been looking for years for a way to "change the game" in security to better account for the business-driven movement to the cloud and the resultant death of the traditional corporate perimeter.
“If you look at what the challenges are in corporations today; it’s agility, speed to market. We’re moving more and more things into the cloud, every corporation is.”
Alan Boehme | Coca-Cola
As the CSA explains it, SDP is meant to simplify the confusion of layered policies and tangle of architectures from legacy network perimeter defense infrastructure like firewalls and IDS/IPS by establishing 'need-to-know' connectivity to Internet-accessible applications until devices and users are authenticated and authorized. It essentially creates "dynamically provisioned perimeters anywhere in the world—including in a cloud, on the DMZ and in the data center."
As Ed Moyle, director of emerging business and technology for ISACA, explained in a recent piece:
"Much like a traditional perimeter, access to and information about the network resources is provided only to those requesters that are trusted. However, unlike a traditional perimeter where the distinction of trusted or untrusted is made on the basis of location on the network, the distinction is instead enforced via the protocol itself. This in turn means that devices can be 'inside' the perimeter from anywhere, including on a mobile phone over a cellular network, on an internal network, at an IaaS provider or at a business partner's facility."
The goal is make it easier to defend applications, whether they're business portals, collaboration tools, IaaS or SaaS services, from sophisticated attacks and DDoS barrages. And in the process, the authentication and authorization components also make it easier to offer fine-grained control over who accesses critical business applications and on what device.
As the WSJ detailed a few day ago:
The new scheme first authenticates an employee’s device and then confirms his or her identity. After determining which corporate software or cloud services that employee has permission to access, the system sets up a one-time use virtual private network for those specific apps or cloud services. This structure prevents the theft of passwords and tokens, and helps protect against distributed denial of service attacks or complex hacks in which cybercriminals move laterally through corporate networks to breach systems that harbor intellectual property or credit card numbers, project participants say.
Most importantly, the SDP protocol has been developed as an open standard that is meant to work with legacy identity management and public key infrastructure, along with open standards like SAML and the HMAC-based One-Time Password (OTP). EMA's David Monahan explains that the strength of SDP is in the layering of these pieces.
"Yes, a key can be extracted from a certificate, and yes, some OTPs can be guessed, but the odds on being able to do both to render a guess of a 64-bit OTP and work out the certificate issues and falsify the SAML assertion are just too great a combination on a per-attack basis," he wrote.
CSA has already facilitated SDP being put through its paces through numerous hackathons, including one that barraged SDP with billions of packets to no avail last fall. It's standing up the technology again at RSA, where it will host another hackathon where it will invite participants to hack a protected file server, the WSJ reported. The event will likely generate more buzz as RSA attendees feel out SDP for its viability.