Zero Trust has entered the marketing lexicon. Companies are adding “zero trust” to their library of SEO terms, giving you the sense that “everybody has one” – whatever that “one” might be. No one disputes the potential benefits of the zero trust message: deny all, authenticate first. But getting from intent to the implementation of a strategy that changes the network, security and application infrastructure requires planning, process and product. Zero Trust is enabled by a small set of critical components, and a software-defined perimeter (SDP) is fundamental to achieving a Zero Trust model.
There is an old writing metaphor that says “tell the reader how the sausage tastes but don’t tell them how it’s made.” I usually agree but in the case of the SDP, I am compelled to help readers cut through the confusion to better understand “how it is made.”
In my last blog, I talked about how Zero Trust adoption will continue to lag until “dynamic enforcement” is better understood. Nearly all enterprises rely on IAM and network-level controls such as VPNs and firewalls to govern network access. Enterprise directories, the system of record for user identities and device IDs that the rest of the security stack treats as the universal credential, are increasingly difficult to maintain and manage, and they are a static resource. These pillars have served us well, but many would reflect that they are rigid in an increasingly agile world. They are limiting when we consider the access requirements of increasingly remote populations of employees, partners and customers.
In fact, many self-proclaimed zero trust vendors are introducing new controls, but little attention is paid to enforcement. Enforcing least privilege, a basic expectation of Zero Trust, is challenging to provide when more and more applications sit on multiple clouds outside the traditional barriers of the enterprise perimeter. How does SDP serve enterprises adopting a zero trust strategy?
RESILIANT is an SDP featuring automated, dynamic enforcement that is based on the separation of the control plane from the data plane. By this I mean separating the decisions made about the requesting host (i.e. users and their devices) from the enforcement of those decisions in front of the accepting host (i.e. the application or service).
The control plane is very important – it is where enforcement begins. The control plane serves the needs of the “requesting host”, the user seeking access to an application or service. Authenticating a user and their device prior to access is a basic tenet of zero trust. Providing the requesting host with the credentials it needs to reach an application or service is accomplished at the control plane.
The data plane, the policy enforcement point (PEP) in the terms of NIST SP 800-207, is often ignored by solutions making claims about zero trust. Today the accepting host, the application or service itself, is typically reachable by every external attacker, and by unauthorized users, before any authentication has taken place.
The design of the SDP is critical to achieving a Zero Trust model. The RESILIANT SDP features a Controller with API-based capabilities. First, the Client dynamically creates a unique SPA (single packet authorization) packet using the user and device identity held in the enterprise systems of record. Second, and unique to RESILIANT, the Controller dynamically provisions the SDP Gateway, which is integrated into the accepting application or service at run time. With the RESILIANT SDP in place, applications and services are invisible to would-be attackers and unauthorized users: the Gateway answers nothing until it has received and validated a SPA packet, so there is no listening service to discover or probe.
In this way, SDP is the enforcer. The RESILIANT SDP separates policy decision from policy enforcement, that is, the control plane from the data plane, so that the software-defined perimeter does what it must: keep the application invisible to the internet and to would-be attackers, and accessible only to authorized clients.
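The controller/gateway split and the SPA handshake described above, as an added worked example. This is illustrative code written for this page, not RESILIANT's product or the CSA reference implementation: the packet layout, the key derivation, the directory contents and the 30-second skew window are all assumptions chosen to show the deny-all, authenticate-first flow. The Controller (control plane) derives a per-user-and-device key and provisions the Gateway only with the keys of clients authorized for its service; the Gateway (data plane) drops everything until a fresh, correctly authenticated SPA packet arrives, and rejects tampered, stale and replayed packets.

```python
"""Deny-all, authenticate-first access with a Controller/Gateway split and
single packet authorization (SPA). Added illustration, not RESILIANT code:
the packet layout, key derivation, directory and skew window are assumptions."""
import hashlib
import hmac
import os
import struct
import time

# Assumed SPA layout (not the CSA wire format):
#   client_id (32 bytes) | timestamp (uint64 BE) | nonce (16 bytes) |
#   service (32 bytes) | HMAC-SHA256 over the preceding fields (32 bytes)
_FMT = ">32sQ16s32s"
_BODY_LEN = struct.calcsize(_FMT)
MAC_LEN = 32
SKEW = 30  # seconds of clock skew the gateway tolerates (assumed)


class Controller:
    """Control plane: owns the systems of record and derives per-client keys.
    Authenticating the user/device (MFA, directory lookup) is assumed to
    have happened before issue_key() is called."""

    def __init__(self, directory, master_secret):
        self.directory = directory      # (user, device) -> set of allowed services
        self._master = master_secret

    def issue_key(self, user_id, device_id):
        """Derive the SPA key for one user+device (hypothetical derivation)."""
        if (user_id, device_id) not in self.directory:
            return None
        label = f"{user_id}|{device_id}".encode()
        return hmac.new(self._master, label, hashlib.sha256).digest()

    def provision_gateway(self, service):
        """Push only the keys of clients authorized for `service`; the gateway
        never sees the master secret or the directory."""
        keys = {f"{u}|{d}": self.issue_key(u, d)
                for (u, d), allowed in self.directory.items() if service in allowed}
        return Gateway(service, keys)


def build_spa(user_id, device_id, service, key, now=None):
    """Client side: one authenticated packet sent before any other traffic."""
    now = int(time.time()) if now is None else now
    body = struct.pack(_FMT, f"{user_id}|{device_id}".encode(), now,
                       os.urandom(16), service.encode())
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Gateway:
    """Data plane / policy enforcement point. Default posture is deny-all:
    no flow exists until a valid SPA packet for this client and service."""

    def __init__(self, service, keys):
        self.service = service
        self._keys = keys           # client_id -> key, provisioned by Controller
        self._seen = {}             # nonce -> timestamp, replay cache
        self.open_flows = set()

    def admit(self, pkt, now=None):
        """Validate a SPA packet; returns (allowed, reason)."""
        now = int(time.time()) if now is None else now
        if len(pkt) != _BODY_LEN + MAC_LEN:
            return False, "malformed"
        body, tag = pkt[:_BODY_LEN], pkt[_BODY_LEN:]
        cid, ts, nonce, svc = struct.unpack(_FMT, body)
        cid = cid.rstrip(b"\0").decode(errors="replace")
        key = self._keys.get(cid)
        if key is None:
            # An unknown client and a client authorized elsewhere look identical.
            return False, "denied"
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad mac"
        if abs(now - ts) > SKEW:
            return False, "stale"
        # Forget nonces that are now outside the acceptance window.
        self._seen = {n: t for n, t in self._seen.items() if now - t <= SKEW}
        if nonce in self._seen:
            return False, "replay"
        self._seen[nonce] = ts
        if svc.rstrip(b"\0").decode(errors="replace") != self.service:
            return False, "wrong service"
        self.open_flows.add(cid)
        return True, "ok"

    def allow(self, client_id):
        """Data-plane check applied to every packet after the SPA."""
        return client_id in self.open_flows


if __name__ == "__main__":
    # Constructed directory: who exists and what each user+device may reach.
    directory = {("alice", "laptop-001"): {"payroll"}, ("bob", "phone-042"): {"wiki"}}
    ctrl = Controller(directory, b"constructed-master-secret-for-demo-only")
    gw = ctrl.provision_gateway("payroll")
    key = ctrl.issue_key("alice", "laptop-001")
    pkt = build_spa("alice", "laptop-001", "payroll", key)
    print("before SPA:", gw.allow("alice|laptop-001"))   # False
    print("admit:", gw.admit(pkt))                         # (True, 'ok')
    print("replay:", gw.admit(pkt))                        # (False, 'replay')
```

Two design points worth noting. The Gateway is provisioned with nothing but the keys of clients entitled to its one service, so an unauthenticated probe, a tampered packet and a packet from a legitimate user who is not authorized for this service all fall through the same silent deny path; the service is just as dark to all three. The replay cache is bounded by the same window used for the freshness check, so it cannot grow without limit, and the HMAC is compared with `hmac.compare_digest` to avoid a timing side channel on the tag.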
RESILIANT is the industry’s first SDP to enable dynamic enforcement of true deny-all, authenticate-and-authorize-first access to critical applications and infrastructure. It leverages a proprietary SDP Controller resulting from years of collaboration with organizations such as the DoD, NIST and the Cloud Security Alliance (CSA).
What also needs to be understood is that SDP is not intended to replace IAM or VPNs. Rather, SDP can be an overlay to legacy controls in most cases, but it is essential for protecting critical applications and infrastructure in an exceedingly cloud-based world.
The SPA Packet Holds the Keys
In the last blog, I used an analogy to describe the SPA packet being like an international “passport.”
When you travel internationally, security is dictated by the same “deny all, authenticate first” concept. Every traveler arriving in another country is denied entry unless they present a passport that authenticates them and establishes their identity. Your passport also lets you do other important things: travel on to further countries, vote, pick up certified mail and so on. It definitively authenticates you and your identity anywhere in the world. Think of a traveler going from the US to Germany: customs is the counterpart of the RESILIANT Gateway, granting entry based on the passport (the SPA packet) and on the country’s policy about whether your visit is authorized for work, education or short-term leisure travel.
It is widely acknowledged that the Zero Trust model requires the adoption of a deny-all, authenticate-and-authorize-first strategy. Without SDP, successful implementation of a Zero Trust solution is difficult, if not impossible.
Our clients see other benefits of SDP including a reduction in resources needed for incident response, policy enforcement that reduces risk and improved compliance audits.
SDP is a proven, game-changing approach. Early adopters of the open source specification, such as Coca-Cola, Mazda and Google, are reporting positive results. It is proven effective and continues to be tested in organized industry hackathons (such as those held at RSA), with an estimated 10 billion+ attempts to date, all unsuccessful. With the advancements RESILIANT has introduced to the SDP Controller and Gateway, organizations like DHS will hit their Zero Trust milestones.
To learn more about RESILIANT and SDP as a pillar of your Zero Trust model check out the whitepaper HERE.
To download the specifications for the Cloud Security Alliance Open-Source SDP visit www.waverleylabs.com.