Software-Defined Perimeter enables application-specific access control

Back in the early 1990s enterprises migrated away from proprietary protocols such as DECnet, SNA, and Novell IPX to common standards such as IP. The motivation was the open nature of IP and access to all of the investment and innovation in and around IP. But, enterprises still wanted complete control over their network. To achieve that, the concept of IP Firewalls was introduced so that enterprises could create a unique IP network—such as internal addressing, internal routing, and internal DNS—connected to the Internet only via a firewall under their control. For the past 25 years, the term “behind the firewall” has been used as synonym for enterprise network or Intranet.

In those days, almost all of the enterprise’s applications were run internally and almost all users were employees operating off of PCs under tight control of corporate IT. While there were all kinds of attackers and malware running on the Internet, they were operating outside of the firewall perimeter, which hid the internal applications and servers from such “bad actors.” Selected “good guys” operating outside of the perimeter were provided secure access back inside the perimeter via VPN technology, which gave them the same experience and access as if they were connected on the corporate LAN.

Over the years, this pristine approach to network security became more complicated and slowly less effective. The biggest issue was how to allow internal users’ connectivity to the Internet, as interacting with Internet sites became more critical to worker efficiency. Controls such as forward proxies, URL filters, intrusion prevention, e-mail security and anti-spam, network-based anti-virus, and application white-listing were created and enhanced to attempt to address this more complicated model of internal network and user interaction with Internet resources. As you might expect, security started to erode due to the complexity and broadening of the range of attack surfaces and vectors. This erosion is sometimes referred to as the perimeter becoming “porous.”

But about four or five years ago, patient, clever, well financed attackers began to launch successful attacks that became more impactful to enterprises. Using spear-phishing and other social engineering techniques, remote attackers have increasingly been able to find weak spots in enterprise networks onto which they can inject malicious code, and then from that advantaged position search for and launch attacks on more critical internal systems. The traditional perimeter has gone from “porous” to becoming a “sieve.”

What can be done about this? There is something to be learned from the fixed enterprise-wide perimeters of the early 1990s. They might not meet the needs of today and beyond, but in their day they were very effective at protecting their resources. The perimeter concepts of hiding critical infrastructure and providing users secure access to that infrastructure aren’t flawed. But they need to be re-architected in a manner consistent with the needs of the next 20 years. The Software Defined Perimeter (SDP) concept is an approach that does just that.

SDP shrinks the perimeter down to the servers that deliver critical applications to end users. By doing that, as shown in the diagram to the left, the “bad actors” are again on the outside of the perimeter and the servers are hidden to them. This creates a very strong security model.

However, by shrinking the perimeter, the “good guys” are now outside the perimeter as well! To complete the solution, a process is needed for identifying the “good guys” and providing them secure access to their authorized applications. To achieve that, Software Defined Perimeter separates the control channel from the packet path. The control path is used to assess user trust, authenticity, and authorization; only then is packet path connectivity established, and only for the users or systems that were deemed trustworthy.

SDP can be viewed as an Access Control system that has many beneficial characteristics:

Trust-before-connect: pre-authentication eliminates visibility and access to protected servers from all other users, devices, and systems other than those trusted and authorized. This greatly reduces the attack surface related to exploiting application, operating system, or server vulnerabilities.

Ubiquitous multi-factor authentication: SDP software executes multi-factor authentication for every user, every connection, all the time. There are no exceptions. The software does it and users don’t need to do a thing. Because a stolen password alone is no longer enough to reach a protected server, this greatly reduces the value of credential theft as an attack vector.

Granular, application-specific access control: authorized users are allowed access to only the specific, authorized application services on the servers, and no more (unlike a network-based VPN which provides access to the entire resources of a LAN).

Secure connectivity made simple: SDP adds a layer of defense-in-depth on top of existing infrastructure and controls rather than requiring them to be changed or replaced.
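To make the control-path/packet-path split and the three access-control properties above concrete, here is a toy model added to this page. It is not code from the original article and it is not the SDP wire protocol; the user directory, policy table, keys and nonce are constructed for the demo. A controller on the control path checks two factors (a password, and possession of a device-bound key proven over a controller-issued nonce) and, on success, issues short-lived grants that each name exactly one application service. A gateway in front of the protected server enforces default deny on the packet path: anything without a valid, unexpired grant for the exact service it targets is silently dropped, so an unauthenticated scanner learns nothing.

```python
import hashlib
import hmac
import json
import time

# Constructed demo secrets. In a real deployment each device holds its own
# provisioned key and the controller/gateway key is distributed out of band.
GATEWAY_KEY = b"constructed-controller-gateway-key"
TAG_LEN = 32  # SHA-256 HMAC tag appended to every grant

# Hypothetical user directory: password hash plus a device-bound key (second factor).
USERS = {
    "alice": {"pw_hash": hashlib.sha256(b"correct horse").hexdigest(),
              "device_key": b"alice-laptop-key"},
}
# Hypothetical authorization policy: the application services each user may reach.
POLICY = {"alice": {("crm.internal", 443)}}


def device_sign(device_key, nonce):
    """Possession proof computed on the user's device over the controller's nonce."""
    return hmac.new(device_key, nonce, hashlib.sha256).digest()


def issue_grant(user, host, port, ttl=300, now=None):
    """A grant names exactly one (host, port) service and carries an expiry.
    The gateway verifies its MAC locally, without a round trip to the controller."""
    now = int(time.time()) if now is None else now
    body = json.dumps({"u": user, "h": host, "p": port, "exp": now + ttl},
                      sort_keys=True).encode()
    return body + hmac.new(GATEWAY_KEY, body, hashlib.sha256).digest()


def controller_login(user, password, nonce, device_sig):
    """Control path: both factors must verify before any grant is issued."""
    rec = USERS.get(user)
    if rec is None:
        return []
    pw_ok = hmac.compare_digest(hashlib.sha256(password.encode()).hexdigest(),
                                rec["pw_hash"])
    dev_ok = hmac.compare_digest(device_sign(rec["device_key"], nonce), device_sig)
    if not (pw_ok and dev_ok):
        return []  # no partial trust: one missing factor means no visibility at all
    return [issue_grant(user, h, p) for h, p in sorted(POLICY.get(user, ()))]


def gateway_filter(packet, now=None):
    """Packet path in front of the protected server. Default deny; returns
    'forward' only for a valid, unexpired grant matching the targeted service."""
    now = int(time.time()) if now is None else now
    grant = packet.get("grant")
    if not grant or len(grant) <= TAG_LEN:
        return "drop"
    body, tag = grant[:-TAG_LEN], grant[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(GATEWAY_KEY, body, hashlib.sha256).digest(), tag):
        return "drop"
    claims = json.loads(body)
    if claims["exp"] < now:
        return "drop"
    if (claims["h"], claims["p"]) != (packet["dst_host"], packet["dst_port"]):
        return "drop"  # a grant is application-specific, not a network-wide pass
    return "forward"


def run_demo():
    """Exercise the model with constructed packets and return the outcomes."""
    nonce = b"constructed-controller-nonce"
    good_sig = device_sign(b"alice-laptop-key", nonce)
    crm = {"dst_host": "crm.internal", "dst_port": 443}
    r = {}
    r["unauthenticated_probe"] = gateway_filter(dict(crm))
    r["wrong_password"] = len(controller_login("alice", "guess", nonce, good_sig))
    r["missing_second_factor"] = len(controller_login("alice", "correct horse", nonce, b"\x00" * 32))
    grants = controller_login("alice", "correct horse", nonce, good_sig)
    r["grants_issued"] = len(grants)
    r["authorized_app"] = gateway_filter(dict(crm, grant=grants[0]))
    r["other_server_same_grant"] = gateway_filter({"dst_host": "hr.internal", "dst_port": 443, "grant": grants[0]})
    tampered = grants[0][:-1] + bytes([grants[0][-1] ^ 1])
    r["tampered_grant"] = gateway_filter(dict(crm, grant=tampered))
    stale = issue_grant("alice", "crm.internal", 443, ttl=300, now=1000)
    r["expired_grant"] = gateway_filter(dict(crm, grant=stale), now=2000)
    return r


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:26} -> {outcome}")
```

The model keeps only the policy logic. A real deployment also has to carry the grant on the wire (the CSA specification uses a single-packet authorization message before any TCP handshake), bind it to the client's source address and a mutually authenticated TLS session, and re-check device posture when the grant is renewed; without those bindings a captured grant would be replayable from another host until it expires.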

Perhaps the greatest attribute of SDP, however, is future proofing.

SDP provides a server perimeter that can be deployed anywhere there is a server. SDP represents a common access control model that an enterprise can use to control access to any of their applications, independent of location—internal data center, internet data center, cloud service provider, hybrids, and so on.

SDP places all legitimate users of applications outside the shrunken perimeter, while providing a robust method for identifying trusted, authorized users and granting them very granular access to just the application servers they need. Because connectivity is restricted to specific services, the same model can be applied, with even tighter restrictions, to less trusted users (e.g., contractors, external subject matter experts, business partners) and less trusted devices (e.g., employee mobile devices, non-managed laptops). Connectivity is productivity, so anything that promotes it without sacrificing security is of huge value.

SDP represents a unified solution not only for restoring security to the traditional enterprise architecture, but also for providing an ideal solution for all the new IT trends of BYOD, cloud migration, and complex business ecosystems.
