The dynamic nature of today’s IT Operations has eroded the network perimeter in ways we have all been watching and even cheering on! This is a new world of mobility, cloud computing and rapid partnering for success.
But the erosion of the network perimeter is making traditional security a roadblock to efficiency. No one wants to allow holes to be poked in the security system but no one wants to shut down connectivity to partners either.
The Software Defined Perimeter uses software techniques to render the internal environment invisible to all outsiders, unless trust is granted. Secure connectivity is provided only to trusted users and devices. The SDP approach was pioneered by proven enterprise IT, cloud computing and security experts working collaboratively together under the Cloud Security Alliance (CSA).
SDP Combines:
- On-device authentication
- Identity-based access
- Dynamically provisioned connectivity
Key benefits of this approach include the following unique security properties:
1) Information Hiding
No DNS information or visible ports of protected application infrastructure. SDP protected assets are considered “dark” as it is impossible to port scan for their presence.
2) Pre-authentication
Device identity (of the requesting host) is verified before connectivity is granted. Device identity is determined via a MFA token that is embedded in the TCP or TLS set up.
3) Pre-authorization
Users are provisioned access only to application servers that are appropriate for their role. The identity system utilizes a SAML assertion to inform the SDP Controller of the hosts’ privileges.
4) Application Layer Access
Users are only granted access at an application layer (not network). Additionally SDP typically whitelists the applications on the user’s device – thus provisioned connections are app-to-app.
5) Extensibility
SDP is built on proven, standards-based components such as mutual TLS, SAML and X.509 Certificates. Standards based technology ensures that SDP can be integrated with other security systems such as data encryption or remote attestation systems.
For more information on this approach contact us
