By Brian Robinson
May 20, 2015
The Internet has a fundamental problem with security that’s a part of its very DNA. And if things stay as they are, that problem — and Internet security — can only get worse. The Cloud Security Alliance (CSA) and its industry partners intend to change that.
If things go as planned, within two years the partners will produce the first “Black Cloud” — an open source, software-defined perimeter (SDP) solution that will stop distributed denial of service attacks dead in their tracks and enable highly secure cloud-based applications.
“We think this is a pretty big idea,” said Jim Reavis, the CSA’s co-founder and CEO. “We’ve already defined a very specific framework for how you could implement this so that organizations can build the software themselves, and several government agencies are now doing that.”
The current project, which the CSA is developing with Waverley Labs, will develop open source code for one specific use case to start. The intent is to create standards, Reavis said, and to start seeding the market with open source software that will then be embedded in the solutions provided by information security and network providers.
“We’ve been working for a while with the [CSA] SDP working group, and have already had several proprietary versions that have gone into different security control layers,” said Juanita Koilpillai, the CEO of Waverley Labs. “So we thought, why not make this an open source project, for which we’ll develop versions for multiple layers over time, the first being single-packet authentication that will allow [network] devices to deny all connections from anything other than the application they want to talk to.”
Similarly, for applications, the goal is to deny all connections except those from the device that has been authorized to talk with them, which makes it possible to hide applications from all eyes except those with a specific right to see them.
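The single-packet authentication idea behind this default-deny model, shown as an added example rather than code from the CSA or Waverley Labs project: a client sends one HMAC-authenticated "knock" and the gateway, which otherwise answers nothing, opens only the requested service for that client. The client id, shared key and port policy are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
import time

TAG_LEN = 32   # bytes in an HMAC-SHA256 tag
WINDOW = 30    # seconds of clock skew tolerated on the timestamp

# Constructed demo policy (assumption, not from the project):
# client id -> (shared key, set of ports that client may request).
POLICY = {"sensor-17": (b"demo-key-sensor-17", {443})}

def build_spa(client_id, key, port, ts=None, nonce=None):
    """Client side: a single authenticated UDP payload asking to reach `port`."""
    cid = client_id.encode()
    ts = int(time.time()) if ts is None else ts
    nonce = os.urandom(8) if nonce is None else nonce
    body = bytes([len(cid)]) + cid + struct.pack("!QH", ts, port) + nonce
    return body + hmac.new(key, body, hashlib.sha256).digest()

class SpaGate:
    """Gateway side: deny everything; return (client_id, port) only for a valid knock."""
    def __init__(self, policy):
        self.policy = policy
        self.seen = {}  # nonce -> timestamp, so a captured knock cannot be replayed

    def verify(self, packet, now=None):
        now = int(time.time()) if now is None else now
        if not packet or len(packet) != 1 + packet[0] + 18 + TAG_LEN:
            return None  # malformed: drop silently, never reply
        n = packet[0]
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        cid = packet[1:1 + n].decode("utf-8", "replace")
        ts, port = struct.unpack("!QH", packet[1 + n:1 + n + 10])
        nonce = packet[1 + n + 10:1 + n + 18]
        entry = self.policy.get(cid)
        if entry is None:
            return None  # unknown client: the gateway stays dark
        key, allowed_ports = entry
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None  # bad MAC: constant-time compare, nothing leaked
        if abs(now - ts) > WINDOW or nonce in self.seen:
            return None  # stale or replayed knock
        if port not in allowed_ports:
            return None  # authenticated, but not authorized for that service
        self.seen[nonce] = ts
        return cid, port
```

In a real deployment the returned (client, port) pair would drive a firewall rule that opens the service only to that source for a short time; everything else remains closed.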
This essentially turns the original concept of the Internet, as an open communications medium, on its head. The fabric of the Internet is now like Swiss cheese, with so many holes that it’s all but impossible to completely defend against modern threats such as man-in-the-middle or SQL injection attacks. If you use the Internet, you are vulnerable.
The CSA’s SDP approach instead makes total security the starting point for the Internet and allows only those connections it can authenticate. It can’t be done for the whole of the Internet all at once, but with the Internet of Things looming, where millions of embedded computers and sensors are connected over the Internet, “fundamentally we are now at the point where we are going to have to shift from this default open approach to layer on default closed, to darken parts of the Internet,” Reavis said.
One place where this could be immediately useful is in spurring the move of organizations to the cloud. Despite various mandates and directives, this has been a slow process for government because of security concerns, which has prompted the rise of the hybrid cloud model, where some applications and services reside in the public cloud while more sensitive information is kept behind the agency firewall in private clouds. That solution can still be costly for agencies, however, because the cost savings associated with the public cloud are blunted by having to maintain on-premises, private cloud infrastructure.
In the CSA model, however, everything could be moved to the public cloud because SDP allows the creation of dark clouds inside the public cloud infrastructure. Those dark clouds would be owned by the government agency and would be invisible to everyone except for those designated and authenticated. There’d be no possibility for anyone else in the public cloud to share the organization’s data or be able to get a look at it, the main fear of agencies in moving sensitive applications and their data to the public cloud.
“Virtual private cloud is going to be such a commonplace term once this gets implemented, and that’s going to be the default way that people operate,” Reavis said. “It’s going to be a big shift for IT and will deliver big cost savings to agencies over time.”
None of the technology the CSA and its partners are using for the project is new. It’s based on protocols developed by the Defense Department and National Security Agency, and it uses standard security tools such as public key infrastructure, layered security, IPsec and Security Assertion Markup Language (SAML), along with well-understood concepts such as geolocation and federation to enable connections.
Up to now, however, most SDP implementations have been highly customized solutions, available only to the organizations (like Coca-Cola) that developed them. The goal of the CSA project is to move the SDP model to a more general audience. The open source version now being developed by Waverley Labs is aimed at bringing people together to talk about how to implement SDP generally, what standard protocols could be used, what sequence of events needs to be followed, how to write JSON files to allow interaction with applications and so on.
“Our goal is to create a community that is really struggling to protect their applications and help them either hide them or move them to the cloud,” Koilpillai said. “None of the problems we are trying to tackle with this are simple; otherwise, they would have been solved by now.”
Waverley will do a phased release of the SDP for different security layers over the next 18 to 24 months. The open source project will help federal agencies see how an actual implementation works, she said, which is vital for this kind of thing because “you actually have to take that and prove it, otherwise people won’t believe you.”
Brian Robinson is a freelance technology writer for GCN.