“Software-Defined Perimeter (SDP) ensures trusted device access to hybrid networks.”
A company salesman connecting remotely to cloud and headquarters resources to pull the latest price list for his product and generate a quote for a customer; support workers in the field, searching the company knowledge base for a solution to a tricky technical issue; or an employee filing travel expenses from a hotel room.
These are just a few of the many situations in which employees on the move want to reach their private cloud networks to look up information or complete a transaction, and each such connection can turn into a major security risk if it is not handled carefully.
Mobile users challenge traditional security paradigms:
“Organizations need to be able to give their employees access on the fly to data they need, regardless of whether they are accessing from a smartphone, tablet or laptop, and from a variety of remote locations, including public hotspots.”
For a time, virtual private networks (VPNs) were thought to provide the secure connectivity required between many people and devices over public networks such as the internet. But these encrypted tunnels have a number of limitations, including, on some VPN deployments, weak or outdated encryption.
VPNs also grant all-or-nothing access to the network: once a device is on the corporate network, it can move laterally to other parts of that network, potentially causing damage along the way. VPN access can also suffer high latency and consume bandwidth, because all traffic must be backhauled into and out of the corporate network.
VPNs did a fine job of giving remote users network access as if they were still on the corporate network, and together with multi-factor authentication this worked well as long as the network perimeter was well defined and users and server resources were static, according to the Cloud Security Alliance (CSA), a key backer of an alternative technology called the Software-Defined Perimeter.
Software-Defined Perimeter (SDP) addresses VPN limitations:
Key to SDP is that it adds a layer of pre-authentication and pre-authorization for devices before they can send a single packet to a protected server. Client software running on user devices, called initiating hosts, authenticates to a controller, a piece of software distinct from the gateways that front the resources, which can be quickly deployed and configured in the cloud; the controller then grants the user the appropriate network access based on set policies.
“Organizations need to make sure that the access is confined to that set of applications or part of applications that employees really need to access, and both the user and the device need to be first authenticated.”
Such an approach keeps cloud resources dark to unauthorized users, which considerably reduces the attack surface available to an attacker, including for distributed denial-of-service attacks, because a service that does not answer unauthenticated senders cannot be discovered by scanning. Authentication and authorization are based not on IP addresses but on validation of the user and the device, so workers connecting from previously unknown IP addresses, such as public hotspots, can still be admitted.
Once authenticated, access requests are sent through encrypted tunnels to distributed Gateways, each of which protects a set of application or system resources, according to the CSA.
InstaSafe has found that its customers consider these features of its SDP-compliant product critical as they cope with an avalanche of mobile workers trying to access their networks, an opportunity to improve productivity that also brings abundant security risks.
Unlike VPNs, SDP does not grant broad network access; it gives the user access only to the specific parts of the network tied to their business function or role. This limits what a malicious insider can do with that access, since other parts of the network remain hidden from them.
The SDP approach also avoids the need to backhaul traffic into and out of the corporate network, as a VPN does. With a VPN, the user first connects to the corporate network and then reaches the cloud as if on the corporate local area network. In the SDP model, once authenticated by the controller, the user connects to the Gateway protecting the resource, whether that resource sits on the corporate network or in the cloud.
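To make the control flow above concrete, here is an added example that simulates it in Python. It is not InstaSafe's, the CSA's, or any real SDP product's code; the class names, the policy table, the sample user and device, and the use of an HMAC-signed token shared between controller and gateway are all assumptions made for illustration (a real deployment would use mutual TLS, single-packet authorization and per-gateway keys). It shows a controller that checks both user and device before issuing a token naming only the services the user's role may reach, and a default-deny gateway that silently drops anything not carrying a valid, device-bound token, so unauthorized senders, scanners and users of a stolen token get no reply and the protected services stay dark. The source IP address plays no part in the decision.

```python
"""Added example: a minimal simulation of the SDP controller / gateway flow.
Not code from InstaSafe or the CSA; names and data are constructed."""
import hashlib
import hmac
import json
import secrets
import time

# Assumption: controller and gateways share one key so a gateway can verify a
# token locally.  Generated fresh each run; a real deployment would not do this.
SHARED_KEY = secrets.token_bytes(32)

# Constructed sample data: one user, one enrolled device, two protected services.
USERS = {"salesman": hashlib.sha256(b"correct horse").hexdigest()}
ENROLLED_DEVICES = {"salesman": {"laptop-7f3a"}}   # device fingerprints per user
ROLE_OF = {"salesman": "sales"}
POLICY = {"sales": {"pricing-api"}}                 # role -> services it may reach


class Controller:
    """Authenticates the user AND the device, then mints a short-lived token
    that names only the services the user's role is allowed to reach."""

    def authorize(self, user, password, device, ttl=300):
        pw_ok = hmac.compare_digest(
            USERS.get(user, ""), hashlib.sha256(password.encode()).hexdigest())
        if not pw_ok or device not in ENROLLED_DEVICES.get(user, set()):
            return None          # unknown user, wrong password or unenrolled device
        claims = {"sub": user, "dev": device, "exp": time.time() + ttl,
                  "svc": sorted(POLICY[ROLE_OF[user]])}
        body = json.dumps(claims, sort_keys=True).encode()
        tag = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
        return body.decode() + "." + tag


class Gateway:
    """Default-deny front door for a set of services.  Anything that is not an
    authorized request is dropped without a reply, so the services stay dark."""

    def __init__(self, services):
        self.services = services
        self.dropped = 0

    def _verify(self, token, device):
        body, _, tag = token.rpartition(".")          # tag is hex, so the last '.' is the separator
        expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None
        claims = json.loads(body)
        if claims["exp"] < time.time() or claims["dev"] != device:
            return None          # expired, or token presented from a device it was not issued to
        return claims

    def handle(self, packet):
        """packet: dict with src_ip, device, service and optionally token.
        Returns a response string for an authorized request, else None (dropped)."""
        token = packet.get("token")
        claims = self._verify(token, packet["device"]) if token else None
        service = packet["service"]
        if claims is None or service not in claims["svc"] or service not in self.services:
            self.dropped += 1
            return None          # no SYN-ACK, no error message: the sender learns nothing
        return f"{service}: hello {claims['sub']} from {packet['src_ip']}"


def demo():
    ctrl = Controller()
    gw = Gateway({"pricing-api", "hr-payroll"})
    tok = ctrl.authorize("salesman", "correct horse", "laptop-7f3a")
    # Source IP is irrelevant: a public-hotspot address is admitted on the token alone.
    ok = gw.handle({"src_ip": "203.0.113.9", "device": "laptop-7f3a",
                    "service": "pricing-api", "token": tok})
    # Same valid user, but a service outside the sales role: dropped, stays hidden.
    lateral = gw.handle({"src_ip": "203.0.113.9", "device": "laptop-7f3a",
                         "service": "hr-payroll", "token": tok})
    # Stolen token replayed from an unenrolled device: dropped.
    stolen = gw.handle({"src_ip": "198.51.100.4", "device": "kiosk-0001",
                        "service": "pricing-api", "token": tok})
    # Blind probe with no token at all (the scanner / DDoS case): dropped.
    probe = gw.handle({"src_ip": "198.51.100.4", "device": "kiosk-0001",
                       "service": "pricing-api"})
    return ok, lateral, stolen, probe, gw.dropped


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields one served request and three silent drops. The point to notice is that all three rejected packets get the same non-answer: the gateway does not distinguish "wrong service" from "no token", so a probing attacker cannot enumerate what sits behind it.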
SDP crystal gazing
The future for SDP looks promising. Identifying SDP as one of the top security technologies for 2017, research firm Gartner forecast that through the end of 2017 at least 10 percent of enterprise organizations would use the technology to isolate sensitive environments.
SDP also has the backing of a number of government organizations and private companies. The U.S. National Institute of Standards and Technology (NIST) said in a note in August last year that the U.S. Department of Homeland Security is funding the development of an open-source version of SDP for both public and private organizations to protect themselves from distributed denial-of-service attacks.
By: Sandip Kumar Panda, Founder and CEO, InstaSafe