With the adoption of cloud services, employee mobility and increased inter-organization collaboration, the threat surface for network attacks against application infrastructure increases. In parallel, traditional perimeter defense techniques founded on a basis of trust are unable to cope with the security demands of the new disparate enterprise. This combination leaves the infrastructure unacceptably vulnerable.
A new network security model is needed that eliminates the idea of a trusted network inside, or outside, the corporate perimeter.
The Changing Perimeter
Historically, enterprises employed perimeter security solutions to protect themselves from external threats to their application infrastructure platforms. However, as enterprises have become more dynamic traditional perimeter tools – such as firewalls, VPNs and NACs, have struggled to manage and secure these hybrid environments.
Indeed, the growth of the number of devices moving both inside and outside the perimeter has stretched the traditional security model used by enterprises beyond recognition.
For example, data stored in physical servers has been replaced by virtual ones, housed in centers owned and controlled by third parties. The desktop PC still exists, yet it’s surrounded by tiny mobile devices capable of carrying terabytes of data. Teams in multiple time zones can collaborate as if sitting mere inches away from one another. Even the workforce is no longer confined to a desk within an office. Employees are free to connect from anywhere – home, coffee shops, or airport lounges.
Malicious individuals have discovered that, when pushing hard enough on virtual doors, many will yield leaving them free to ‘wander’ the network unchecked. Depending on their drivers, they’re free to steal data that can be monetized, tamper with systems or even move across to connected third party networks for further compromise as was the case with Target.
Organizations need to implement a new model that creates one to one network connections between users and the data they access.
Introducing the Software Defined Perimeter
The Software-Defined Perimeter (SDP) is a security architecture designed to provide on-demand, dynamically provisioned secure network segmentation for user access. This approach ensures all endpoints attempting to access a given infrastructure are authenticated and authorized prior to being able to access any resources on the network. SDP takes an ‘authenticate first, connect second’ stance that ensures only authorized users can connect to network resources. All unauthorized network resources are made invisible and therefore inaccessible. Thus, the attack surface area is reduced by hiding network resources from unauthorized or unauthenticated users.
These session-based connections are both temporary and dynamic—they are provisioned when needed, and then torn down to prevent later abuse. To ensure the security of those connections, SDP employs strong encryption inclusive of robust key management capabilities.
If an authorized connected device should become infected, and a threat moves laterally to a server which the user is authorized to access, it will not be able to continue discovering additional workloads to infect as other resources (including ports and protocols) are invisible. This restriction to a single segment of connectivity prevents the ability of such threats to communicate with a remote command and control (C&C) server – locking them down and keeping the hackers out.
SDP enables organizations to provide feasible and fast access to networked systems, services and applications while effectively reducing the attack surface by making servers invisible to bad actors. Indeed, one of the biggest advantages of Software-Defined Perimeter is that it overcomes the constraints of traditional tools and effectively creates a dynamic, individualized perimeter for each user.
Trust is an old-fashioned model and has no place in today’s modern enterprise. Instead, validation that questions everything is what’s needed to ringfence the disparate infrastructure and shield vulnerable assets.