The bring-your-own device (BYOD) phenomenon and the rise of software-as-a-service has led to an anywhere, anytime workplace in which traditional network demarcations have become irrelevant. Gone are the days when employees came to a physical location and worked at only one wireless workstation, leaving the job inside those four walls at the end of the day. The SDP Initiative is a new CSA project aimed at developing an architecture for securing the new reality of a mobile, virtualized workforce.
“The premise of the traditional enterprise network architecture is to create an internal network separated from the outside world by a fixed perimeter that consists of a series of firewall functions that block external users from coming in, but allow internal users to get out,” explained CSA, in the whitepaper. “Traditional fixed perimeters allowed internal services to remain secure from external threats for a number of years due to the powerful but simple characteristics of blocking visibility and accessibility from outside the perimeter to internal applications and infrastructure. But the traditional fixed perimeter model is rapidly becoming obsolete.”
The newly proposed SDP framework is “pretty disruptive in its approach", said Jim Reavis, executive director of the CSA, when speaking to the audience at last week's CSA Congress in Orlando.
By incorporating security standards from organizations such as NIST as well as security concepts from organizations such as the US Department of Defense, the group is working to mitigate network-based attacks on Internet-accessible applications by eliminating connectivity to them until devices and users are authenticated and authorized.
“Software defined perimeters address these issues by giving application owners the ability to deploy perimeters that retain the traditional model’s value of invisibility and inaccessibility to ‘outsiders,’ but can be deployed anywhere – on the internet, in the cloud, at a hosting center, on the private corporate network, or across some or all of these locations,” CSA added.
“This paper is the first step in providing enterprises with a high-level approach to understanding how to best protect their application infrastructure from network-based attacks,” said Junaid Islam, founder and CTO of Vidder Technology, in a statement. He is one of the SDP Initiative’s leaders, along with Bob Flores, former CTO of the CIA and President & CEO at Applicology “The growth of devices moving inside the perimeter along with the migration of application resources to outside the perimeter has stretched the traditional security model. A new approach is needed that enables application owners to protect infrastructure wherever it may be.”
“This is the first time a need-to-know security framework has been published", Islam told Infosecurity during the event. "In the past is has been part of proprietary systems from the government and the military. Now we are taking these concepts public.”
Islam, a former DoD network architect said that “secure networks are actually pretty simple”. He explained that what sets apart the SDP model is that, in the defense world, you must prove who you are before a connection is established – “first authenticate, then access”. He continued, “now, on the internet, you connect first, then in a corporate environment you are allowed access based on your role”. What the SDP framework proposes is a “shift that dramatically changes the attack surface", and, as Islam concluded, a "solution that mitigates a whole slew of internet-based attacks."
The white paper includes details on the SDP architecture, its implementation and applications, and its relationship to certain industry standards and protocols. The report also addresses the working group’s scope, purpose and deliverables. Deliverables will be governed by CSA’s intellectual property rights policy and were defined at last week's CSA Congress. As Flores told Infosecurity, the SDP initiative is a "work in progress" awaiting wider input. He said more annoucements on the groups work will be released during the February 2014 RSA Conference in San Francisco.
“It is the intention of the Software Defined Perimeter Working Group to: build upon existing standards, research and other related work; be inclusive by seeking input and communicating effectively with all stakeholders; and provide robust guidance by utilizing sound scientific research,” the group noted in the paper. “We believe in one of the founding beliefs of the internet as embodied in an early quote from David Clark: ‘We reject kings, presidents and voting. We believe in rough consensus and running code'."