At the risk of stating the obvious, the FireEye/SolarWinds compromise exemplifies the growing vulnerability and risk created by our continued reliance on aging, perimeter-centric network infrastructure. A trojanized update to SolarWinds' Orion network-management software gave the attackers a foothold that the surrounding networks trusted by default, enabling access to, and data exfiltration from, deep inside sensitive government systems. The attack is considered extremely serious, but it is just one of many high-profile breaches that exploit network-centric security architecture, and such breaches are increasing in frequency, scale and impact.
This has to change, and Zero Trust represents the beginning of that change.
To achieve Zero Trust, or “never trust, always verify,” organizations must adopt processes and technology that move their “trust but verify” network security architectures toward verifying every request and make them more resilient. In practice this calls for a software-defined perimeter (SDP) overlaid on the network security architecture already in place. In essence, a true Zero Trust model, powered by the right SDP, creates a “trust zone” in which services are protected from attack.
I refer to the “right” SDP because there are different approaches to SDP architecture, which creates confusion about how an SDP works and the role it plays in a Zero Trust model.
Since 2015, we have been leading the effort to reimagine the network perimeter as the primary defensive posture for securing the enterprise. Network perimeters are oblivious to applications and services: they grant network access without authorizing access to any specific application or service. NIST, in SP 800-207 (Zero Trust Architecture), advocates the Zero Trust model as a more effective and efficient security strategy.
Following NIST’s guidance, we began developing and contributing to the open-source Software Defined Perimeter (SDP) project initiated by the Cloud Security Alliance.
Building on that work, we have developed RESILIANT, an SDP built around a deny-all gateway: an internet-scale, deny-all packet filter that dynamically enforces policies controlling which authenticated users, on validated devices, located anywhere, may access a service. The RESILIANT SDP controller informs the gateway of policy decisions that determine which users on which devices are authenticated, validated and authorized to access each service. The RESILIANT Gateway enforces those decisions and admits only credentialed users into the trust zone.
Unlike other solutions, the RESILIANT architecture separates the control plane from the data plane, that is, policy decision (the controller) from policy enforcement (the gateway). Policies that cannot be enforced cannot protect services. Services protected inside RESILIANT SDP trust zones are effectively hidden from the internet: a deny-all filter does not respond to traffic that carries no valid authorization (the CSA SDP specification achieves this with single packet authorization), leaving attackers and unauthorized users stranded outside the Gateway.
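To make the control-plane/data-plane split concrete, the following is an added example written for this article; it is a toy model, not RESILIANT's code and not the CSA project's code. The controller authenticates the user, checks device posture against a constructed registry, evaluates a policy table and pushes an HMAC-signed, short-lived grant to the gateway; the gateway is a deny-all filter that holds only pushed rules and never consults the controller per packet. The user, device, posture attributes, service names and the `Packet` fields the tunnel is assumed to carry are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass

DROP, ALLOW = "DROP", "ALLOW"


@dataclass(frozen=True)
class Packet:
    src_device: str  # identity fields the overlay tunnel is assumed to carry (constructed)
    user: str
    service: str
    token: str


def sign(key: bytes, grant: dict) -> str:
    """Rule authenticity between controller and gateway: HMAC over the canonical grant."""
    return hmac.new(key, json.dumps(grant, sort_keys=True).encode(), hashlib.sha256).hexdigest()


class Gateway:
    """Data plane: deny-all filter holding only the rules the controller pushed."""
    def __init__(self, control_key: bytes):
        self._key = control_key
        self._grants = {}  # token -> grant dict

    def install_grant(self, grant: dict, signature: str) -> bool:
        if not hmac.compare_digest(sign(self._key, grant), signature):
            return False  # only the controller (holder of control_key) may add rules
        self._grants[grant["token"]] = grant
        return True

    def filter(self, pkt: Packet, now=None) -> str:
        """Per-packet decision: no controller round trip, no reply to strangers."""
        now = time.time() if now is None else now
        grant = self._grants.get(pkt.token)
        if grant is None:
            return DROP  # no rule means no response; the service stays invisible
        if grant["expiry"] <= now:
            del self._grants[pkt.token]
            return DROP  # an expired grant is discarded, not honoured
        if (grant["user"], grant["device"], grant["service"]) != (pkt.user, pkt.src_device, pkt.service):
            return DROP  # the grant is bound to one user, one device, one service
        return ALLOW


class Controller:
    """Control plane: authenticate user, validate device, evaluate policy, push grant."""
    def __init__(self, control_key, users, devices, policy, gateway, ttl=300):
        self._key, self._gateway, self._ttl = control_key, gateway, ttl
        self._users = users      # user -> (salt, pbkdf2 digest)
        self._devices = devices  # device id -> required posture attributes (constructed)
        self._policy = policy    # user -> set of services the user may reach

    def _authenticate(self, user, password):
        if user not in self._users:
            return False
        salt, digest = self._users[user]
        return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000), digest)

    def _validate_device(self, device, posture):
        required = self._devices.get(device)
        return required is not None and all(posture.get(k) == v for k, v in required.items())

    def request_access(self, user, password, device, posture, service, now=None):
        """Returns the token the client will present in the tunnel, or None on any failure."""
        now = time.time() if now is None else now
        if not (self._authenticate(user, password) and self._validate_device(device, posture)):
            return None
        if service not in self._policy.get(user, set()):
            return None
        grant = {"token": secrets.token_hex(16), "user": user, "device": device,
                 "service": service, "expiry": now + self._ttl}
        # The decision is made here but protects nothing until the gateway holds the rule.
        return grant["token"] if self._gateway.install_grant(grant, sign(self._key, grant)) else None


def make_user(password: str):
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def demo():
    """One authorized session and several refused ones; returns the decisions taken."""
    key = secrets.token_bytes(32)
    gw = Gateway(key)
    ctl = Controller(key, users={"alice": make_user("correct horse")},
                     devices={"laptop-7": {"disk_encrypted": True, "edr_running": True}},
                     policy={"alice": {"hr-app:443"}}, gateway=gw)
    t0 = 1_000_000.0  # fixed clock so the expiry case is deterministic
    healthy = {"disk_encrypted": True, "edr_running": True}
    tok = ctl.request_access("alice", "correct horse", "laptop-7", healthy, "hr-app:443", now=t0)
    return {
        "unauthenticated_probe": gw.filter(Packet("attacker-box", "alice", "hr-app:443", "guess"), t0),
        "authorized": gw.filter(Packet("laptop-7", "alice", "hr-app:443", tok), t0),
        "token_replayed_elsewhere": gw.filter(Packet("attacker-box", "alice", "hr-app:443", tok), t0),
        "service_not_in_policy": gw.filter(Packet("laptop-7", "alice", "finance-db:5432", tok), t0),
        "noncompliant_device": ctl.request_access("alice", "correct horse", "laptop-7",
                                                  {"disk_encrypted": False}, "hr-app:443", now=t0),
        "after_expiry": gw.filter(Packet("laptop-7", "alice", "hr-app:443", tok), t0 + 301),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:>26}: {decision}")
```

Two properties of the split are visible here. The gateway's default is `DROP`, so a probe with no grant and a grant stolen from another device are indistinguishable to an outsider: neither gets a reply. And because every rule the gateway holds came signed from the controller and carries an expiry, the data plane keeps enforcing, and stops enforcing on time, even if the controller is unreachable when a packet arrives.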
Leveraging this model, IT security can pivot away from VPNs and aging network-centric infrastructure to an API-based architecture implemented at the application layer. Government organizations using the RESILIANT SDP have reduced the number of successful attacks and trust the Gateway to admit only credentialed users on validated devices into the trust zone, even while attacks are ongoing.
RESILIANT has proven effective in several implementations with high-profile federal agencies and commercial SaaS and service providers, and we are preparing to launch it commercially as the preferred method of securing applications and services in a perimeter-less environment.
To learn more about RESILIANT and SDP as a pillar of your Zero Trust model, see the whitepapers here.
To download the specification for the Cloud Security Alliance open-source SDP, visit www.waverleylabs.com.