David Linthicum is an internationally recognized authority on cloud complexity and security. He regularly and accurately reports on trends and challenges faced by the enterprise as it attempts to tap into the economic and performance benefits of moving workloads to the cloud.
Recently he wrote in InfoWorld about how the rapid emergence of the remote workforce is fueling cloud adoption, and how that adoption is being challenged by two cloud architectural problems that remain unresolved: edge devices and multicloud security.
Earlier in the year he wrote in Forbes about complexity and related security challenges reducing the expected returns on the cloud computing investments that many organizations have projected.
Cloud security challenges are being driven by numerous factors but, according to Linthicum, complexity is at the core. According to Linthicum and Deloitte research, as the number of systems in the cloud rises, complexity grows at about 1.75 times the rate of growth in systems, both on-premises and in the cloud. Eventually, the enterprise may reach a point where the cost of managing the cloud and its associated risks outweighs its potential benefits.
Recently, the industry has been zeroing in on Zero Trust as a new paradigm and strategy for securing critical applications and data particularly those in the cloud.
The value proposition of Zero Trust is based on a simple premise – trust no one – deny all access until you have authenticated the identity of the user and the device. Security architects believe that a Zero Trust model should include separation of the control plane from the data plane. The control plane is where the validation of users and devices occurs – where the controls are verified. The data plane is the part of the network where the data transfer occurs – the obvious enforcement point. This is echoed in NIST documentation (NIST SP 800-207, Zero Trust Architecture), which separates the policy decision point from the policy enforcement point. Do we think that an effective Software Defined Perimeter (SDP) is essential to Zero Trust, and should we expect the SDP to, in essence, split its functions between the control plane and the data plane? There are many products out there labeled as SDP. How will you know whether one of them will effectively enable your Zero Trust model?
The RESILIANT SDP features automated, dynamic enforcement and adheres to the construct that the data plane is separate from the control plane. In this model the credentials required to authenticate the identity of a user and validate their device(s) decide which services they are authorized to access.
The SDP Client generates the Single Packet Authorization (SPA) packet carrying the user's credentials, as prescribed by the policy defined when the service or application was onboarded. The SDP delivers a basic tenet of Zero Trust – authenticate the user and their device before granting access – and goes one step further.
The RESILIANT Gateway is designed to enforce the policies. The RESILIANT Controller informs the Gateway, which is unique to each service, about which users are authorized to gain access through the Gateway. The Gateway inspects the SPA packet and opens automatically only when valid credentials are presented. In this way, the RESILIANT SDP dynamically enforces the policies that define which users are authorized to access which services from which devices. The Gateway creates a trust zone for each service/application and opens for a user whose SPA packet carries the proper credentials to enter that trust zone. The service remains invisible to the Internet because the Gateway, an Internet-grade, dynamic deny-all packet filter, stays closed until a user with the right credentials requests access; packets that fail validation are simply dropped, so an unauthorized sender receives no response at all.
In this way the RESILIANT SDP is the ultimate enforcer – designed to separate the control plane from the data plane, ensuring the target application/service is invisible to would-be attackers and unauthorized users.
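To make the control-plane/data-plane split concrete, here is an added illustrative example. It is not RESILIANT's code and does not follow the CSA SDP specification's wire format; the names Controller, Gateway, build_spa, the 32-byte per-client seed, the JSON packet body and the 30-second freshness window are all assumptions made for the example. A controller enrols users and devices and provisions each per-service gateway with only the entries for its own service; the client builds an SPA packet carrying its identity, device, target service, timestamp and nonce under an HMAC-SHA256 tag; the gateway stays default-deny and returns a firewall rule only when the tag, authorization, freshness and replay checks all pass, and otherwise drops the packet silently so the service stays invisible.

```python
"""Illustrative SPA-style SDP exchange (assumed design, not RESILIANT's or the CSA spec's)."""
import base64
import hashlib
import hmac
import json
import os
import time

TAG_LEN = 32  # bytes of HMAC-SHA256 appended to the packet body


class Controller:
    """Control plane: holds per-client seeds and the policy of who may reach what from which device."""

    def __init__(self):
        self.seeds = {}   # client_id -> HMAC seed (assumed to be shared out of band at enrolment)
        self.policy = {}  # client_id -> {service: {device_id, ...}}

    def enrol(self, client_id, device_id, services):
        seed = self.seeds.setdefault(client_id, os.urandom(32))
        for svc in services:
            self.policy.setdefault(client_id, {}).setdefault(svc, set()).add(device_id)
        return seed

    def provision(self, gateway):
        """Push to a gateway only the authorizations for the one service it protects."""
        for cid, svcs in self.policy.items():
            if gateway.service in svcs:
                gateway.authorized[cid] = set(svcs[gateway.service])
                gateway.seeds[cid] = self.seeds[cid]


def build_spa(seed, client_id, device_id, service, now=None):
    """Client side: canonical JSON body plus HMAC tag, base64 for transport."""
    body = {
        "client_id": client_id,
        "device_id": device_id,
        "service": service,
        "ts": int(now if now is not None else time.time()),
        "nonce": base64.b64encode(os.urandom(16)).decode(),  # fresh per packet, defeats replay
    }
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(seed, raw, hashlib.sha256).digest()
    return base64.b64encode(raw + tag).decode()


class Gateway:
    """Data plane: a deny-all filter in front of one service that opens per valid SPA packet."""

    WINDOW = 30  # seconds of clock skew tolerated (assumed value)

    def __init__(self, service, port):
        self.service = service
        self.port = port
        self.seeds = {}       # provisioned by the Controller
        self.authorized = {}  # client_id -> set of device_ids allowed for this service
        self.seen = set()     # replay cache of (client_id, nonce)
        self.open_rules = []  # rules handed to the packet filter

    def handle(self, packet, src_ip, now=None):
        """Return a firewall rule on success; return None (silent drop) on any failure."""
        now = now if now is not None else time.time()
        try:
            blob = base64.b64decode(packet)
            raw, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
            body = json.loads(raw)
            cid = body["client_id"]
        except (ValueError, KeyError, TypeError):
            return None
        seed = self.seeds.get(cid)
        if seed is None:  # unknown client: nothing to verify against, drop
            return None
        if not hmac.compare_digest(hmac.new(seed, raw, hashlib.sha256).digest(), tag):
            return None  # tag mismatch: forged or corrupted
        if body.get("service") != self.service:
            return None  # packet aimed at a different gateway
        ts = body.get("ts")
        if not isinstance(ts, int) or abs(now - ts) > self.WINDOW:
            return None  # stale or future-dated
        key = (cid, body.get("nonce"))
        if key in self.seen:
            return None  # replayed packet
        if body.get("device_id") not in self.authorized.get(cid, ()):
            return None  # user known, but not from this device for this service
        self.seen.add(key)
        rule = {"src": src_ip, "dport": self.port, "expires": now + 60}
        self.open_rules.append(rule)
        return rule


def demo(now=1000):
    """End-to-end run: enrol, provision, knock, and a replay of the same knock."""
    ctrl = Controller()
    gw = Gateway("payroll", 8443)
    seed = ctrl.enrol("alice", "laptop-1", ["payroll"])
    ctrl.provision(gw)
    pkt = build_spa(seed, "alice", "laptop-1", "payroll", now=now)
    first = gw.handle(pkt, "203.0.113.5", now=now)
    replay = gw.handle(pkt, "203.0.113.5", now=now)
    return seed, gw, first, replay


if __name__ == "__main__":
    _, _, first, replay = demo()
    print("first knock:", first)
    print("replayed knock:", replay)
```

Note that every failure path returns None without distinguishing why; a real gateway would log the reason on the control plane but still send nothing back on the data plane, which is what keeps the service dark to a scanner.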
Isn’t this the promise of a Zero Trust model?
To learn more about RESILIANT and SDP as a pillar of your Zero Trust model, see the RESILIANT whitepapers.
To download the specifications for the Cloud Security Alliance Open-Source SDP visit www.waverleylabs.com.