I read with interest a recent blog (reprinted with permission below) from Junaid Islam, President and CTO of Vidder. The blog titled, “Would an SDP have stopped the OPM breach? Absolutely!” is an interesting look at the emergence of software defined perimeters (SDPs) or so called Black Clouds, that are attracting interest for their ability to defend and protect against the type of high profile attacks that are on the rise.
Mr. Islam makes several key points in his article — the most important one being “Isolating servers and then using MFA based (Multi-Factor Authentication) access is the only solution to protecting large organizations against credential theft – which is what SDP does.” It essentially ‘blackens’ servers whether they are in the cloud or on premise. Using public infrastructure to create your own private enclave for your applications is a solution afforded to government agencies by using SDP.
The credentials that were stolen not only contained information about the individual that submitted the security clearance data, but also data about their families, references, and associates that could potentially be used against all of those people. Therefore, this data that was stolen or breached is of utmost value and should have been treated accordingly. Had OPM understood the magnitude of digital risks to the data it was entrusted, OPM might have taken an entirely different set of controls to prevent such a massive and damaging breach. Completely isolating its servers from public access only after an authentication process that is then used in all further communications and data access would have been one such control.
Furthermore, once the hackers gained the unauthorized access, they were able to move laterally within OPM’s systems as referenced in Mr. Islam’s comment “while SDP does limit lateral movement” because other security controls such as Application Binding prevention that is provided by the Software Defined Perimeter (SDP) were not in place by OPM and would have been another control.
Mr. Islam goes on to make excellent recommendations regarding how an SDP could be employed along with other controls to prevent the reconfiguration of supporting servers and the exfiltration of data. This is a “comprehensive” approach and one that protects the type of data that was stolen from the OPM servers in a manner according to its value. These security controls and provisions need to be required for any data repository or application providing access to critical, confidential, and proprietary data.
We’d love to hear your thoughts on this and if you are considering software defined perimeters to protect some, or all, of your IT environment. Waverley Labs works closely with the Cloud Security Alliance (CSA) to develop SDPs including the industry’s first open source SDP for distributed denial of service attacks supported by DHS.
