It makes more sense when you understand the role of “Dynamic Enforcement”

Last week I came across another article educating readers on the advent of Zero Trust architecture (ZTA) and how it represents a new paradigm for securing critical applications and data – particularly those in the cloud.

Titled Zero Trust Cybersecurity: ‘Never Trust, Always Verify’, the article provides a historical backdrop including how the National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) released the general guidance document NIST SP 800-207, Zero Trust Architecture, for adoption of ZTAs in the federal government. This document provides conceptual-level insight for zero trust and zero trust architectures, including deployment models, use case scenarios and discovered gaps in technologies. And it recognizes the role of the Software-Defined Perimeter (SDP) as a fundamental requirement for achieving true zero trust solutions.

But…like virtually every article that attempts to describe and differentiate Zero Trust from conventional network security architecture, it neglects to mention a key point. The secret sauce of ZTA lies in the SDP and, if properly designed, its ability to separate the control plane from the data plane, providing “dynamic policy-based enforcement”. Dynamic policy enforcement is fundamental to an effective ZTA.

RESILIANT is an SDP featuring a new enforcement paradigm, associating client/device identity-based access with application/service authorization. Only the RESILIANT SDP offers a Gateway, a dynamic Internet-scale packet filter with a deny-all rule set. This effectively hides critical applications and services from attackers and unauthorized users. The RESILIANT SDP separates the control plane, the policy decision point, from the data plane, where policies are enforced. This separation is key to enforcing policies and controlling connections in a highly adaptive environment with multiple services residing on multiple clouds.


The RESILIANT SDP features new API-based capabilities for the RESILIANT Controller. By leveraging information in the enterprise systems of record for users, devices and services, the Controller dynamically informs the RESILIANT SDP Gateway of all authorizations. The Gateway, residing near each application/service, dynamically verifies the SPA (single packet authorization) packet generated by the Client for each user. By separating policy decisions from policy enforcement, organizations significantly limit unauthorized access.

The RESILIANT SDP is a dynamically instantiated service mesh/enclave enabling access and authorization policies to be built into the application or service at run time. RESILIANT provides a single control/decision point. This also enables the SDP to scale dynamically. The Gateway, informed by the SDP Controller, automatically opens only when the proper credentials (the SPA packet) are presented. In this way, the RESILIANT SDP dynamically enforces the policies that decide which users are authorized to access which services from a validated device. The service remains invisible to the Internet because the Gateway, an Internet-grade, dynamic deny-all packet filter, remains closed until a user with the right credentials requests access.
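The control-plane/data-plane split described in the two paragraphs above, reduced to a runnable sketch: a Controller that is the single decision point and pushes authorizations to Gateways, and a Gateway that is deny-all by default and opens a short-lived per-client pinhole only after a valid SPA packet from a client the Controller has authorized for that service. This is an added example, not RESILIANT's, Waverley Labs' or the Cloud Security Alliance's code. The packet layout (JSON payload followed by an HMAC-SHA256 tag), the per-client shared key, the 30-second timestamp window, the pinhole TTL and all names are assumptions made for the illustration, not the SDP specification's wire format.

```python
from __future__ import annotations
import hashlib
import hmac
import json
import secrets
import time

# Constructed illustration; assumed SPA layout (not the CSA/RESILIANT format):
# JSON payload || 32-byte HMAC-SHA256 tag under a per-client key provisioned out of band.
TAG_LEN = 32
SPA_WINDOW_SECONDS = 30     # how long a packet timestamp stays acceptable (assumed)
PINHOLE_TTL_SECONDS = 60    # how long an opened pinhole stays open (assumed)


def make_spa(client_id: str, key: bytes, service: str, now: float | None = None) -> bytes:
    """Client side: build one SPA packet for one service (hypothetical format)."""
    payload = json.dumps({
        "client_id": client_id,
        "service": service,
        "nonce": secrets.token_hex(8),
        "ts": int(now if now is not None else time.time()),
    }, sort_keys=True).encode()
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


class Gateway:
    """Data plane / policy enforcement point. Deny-all by default; it never
    decides policy itself, it only enforces what the Controller pushed."""

    def __init__(self, service: str):
        self.service = service
        self.client_keys: dict[str, bytes] = {}
        self.authorized: set[str] = set()        # client_ids allowed to reach self.service
        self.seen_nonces: set[str] = set()       # real code prunes these after the window
        self.pinholes: dict[str, float] = {}     # client_id -> expiry time

    def update_policy(self, client_keys: dict[str, bytes], authorizations: dict[str, set[str]]) -> None:
        self.client_keys = dict(client_keys)
        self.authorized = {c for c, svcs in authorizations.items() if self.service in svcs}
        # Revocation takes effect immediately: close pinholes of anyone no longer authorized.
        for client_id in list(self.pinholes):
            if client_id not in self.authorized:
                del self.pinholes[client_id]

    def handle_spa(self, packet: bytes, now: float | None = None) -> tuple[bool, str]:
        """Validate one SPA packet; on success open a pinhole for that client."""
        now = now if now is not None else time.time()
        if len(packet) <= TAG_LEN:
            return False, "malformed"
        payload, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        try:
            fields = json.loads(payload)
            client_id, nonce, ts = fields["client_id"], fields["nonce"], int(fields["ts"])
        except (ValueError, KeyError, TypeError):
            return False, "malformed"
        key = self.client_keys.get(client_id)
        if key is None:
            return False, "unknown client"         # default deny: nothing is answered
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return False, "bad tag"
        if abs(now - ts) > SPA_WINDOW_SECONDS:
            return False, "stale"
        if nonce in self.seen_nonces:
            return False, "replay"
        self.seen_nonces.add(nonce)
        if fields.get("service") != self.service or client_id not in self.authorized:
            return False, "not authorized"
        self.pinholes[client_id] = now + PINHOLE_TTL_SECONDS
        return True, "opened"

    def allows(self, client_id: str, now: float | None = None) -> bool:
        """Would a data-plane packet from this client be forwarded right now?"""
        now = now if now is not None else time.time()
        return self.pinholes.get(client_id, 0.0) > now


class Controller:
    """Control plane / policy decision point: the one place that decides who may
    reach what (fed from the systems of record) and pushes the result to gateways."""

    def __init__(self):
        self.client_keys: dict[str, bytes] = {}
        self.authorizations: dict[str, set[str]] = {}
        self.gateways: list[Gateway] = []

    def register_client(self, client_id: str, key: bytes, services: set[str]) -> None:
        self.client_keys[client_id] = key
        self.authorizations[client_id] = set(services)
        self._push()

    def revoke_client(self, client_id: str) -> None:
        self.client_keys.pop(client_id, None)
        self.authorizations.pop(client_id, None)
        self._push()

    def attach_gateway(self, gw: Gateway) -> None:
        self.gateways.append(gw)
        self._push()

    def _push(self) -> None:
        for gw in self.gateways:
            gw.update_policy(self.client_keys, self.authorizations)
```

The point to notice is where the decisions live: the Gateway holds no policy of its own beyond "deny", and a revocation at the Controller closes an already-open pinhole on the next push, which is what makes the enforcement dynamic rather than a static firewall rule.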

The RESILIANT SDP is the ultimate enforcer – designed to separate the control plane from the data plane, ensuring the target application/service is invisible to would-be attackers and unauthorized users.

Let me know what you think. Leave me a comment or reach out to me via LinkedIn to connect and have a discussion.

To learn more about RESILIANT and SDP as a pillar of your Zero Trust model, check out the whitepapers HERE.

To download the specifications for the Cloud Security Alliance Open-Source SDP visit www.waverleylabs.com.
