Software-Defined Perimeter provides integrated security controls for ATO


As cloud computing, mobile devices and the Internet of Things continue to dissolve traditional network boundaries, the conventional network perimeter is no longer an effective basis for enterprise security against increasingly sophisticated threats.

These challenges are compounded by the dynamic nature of today's applications, software-defined networking and the real-time cadence of DevSecOps.

For the Federal Government this poses a major challenge to established practices such as Authorizations to Operate (ATOs), which now need to be completed far faster to keep pace with the adoption of on-demand cloud-native services.

Most software systems that run in a government IT environment require an ATO, an arduous process that can stall the deployment of even small-scale systems.

To address this, two years ago the developers at 18F, an internal digital advisory group within the General Services Administration, took the challenge head-on, developing an agile ATO process for agencies that puts the security work up front rather than at the tail end of a project. The goal was to follow Zero Trust principles, a newer strategy for architecting an information technology environment that reduces an organization's risk exposure in a perimeter-less world.

While the intentions were good, agencies found out the hard way that for the new Agile ATO process to meet build and ship timelines, it meant integrating additional security controls that went far beyond the conventional vulnerability scanning and configuration management requirements they were accustomed to.

They learned that achieving a true Zero Trust solution requires integrating a complex layer of additional security controls encompassing:

  • User authentication
  • Device validation
  • Firewall setup
  • Authorization of user devices to access services and apps
  • Dynamic authorization and verification of users in real time
  • The ability to vet users and devices on the fly so that every connection is secured during operations

Fast forward two years and Agile ATO is in the news again. NIST recognized that all of those key controls are inherent to, and delivered holistically by, the deny-all, authenticate-first Software Defined Perimeter (SDP) architected by the Cloud Security Alliance. In fact, NIST is currently preparing to demonstrate how SDP can be integrated to support a truly Agile ATO process. NIST goes one step further by working with the ATARC cloud working group and using OSCAL (NIST's Open Security Controls Assessment Language) to generate the system security plans that Agile ATO depends on.

So while the original Agile ATO showed promise, agencies should know that the opportunity now exists to integrate the key controls holistically, which not only speeds up the Agile ATO process but also secures new and legacy systems during operations.

The industry is starting to recognize and embrace SDP technologies that address every layer of the network stack. Waverley Labs' API-based approach, which modularizes its SDP offering so that all of the SDP deployment models can be implemented in the enterprise, is the first of its kind. What separates Waverley's approach from existing SDP and zero-trust implementations is the combination of single packet authorization (SPA) with a deny-all gateway that hides the infrastructure behind the perimeter, separate control and data channels that secure connections end to end, and an internet-scale packet filter that drops every unauthorized connection.
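To make the deny-all, authenticate-first flow concrete, here is an added Python sketch of the SPA exchange in front of a gateway, covering the device validation and per-connection authorization from the controls list above. It is illustrative code written for this page, not Waverley Labs' or the CSA's implementation. The 72-byte packet layout, the 30-second acceptance window, the enrolled-device table, the device identifiers and the secrets are all assumptions made for the example.

```python
"""Toy single packet authorization (SPA) check in front of a deny-all gateway.

Added illustration only: this is not Waverley Labs' or the CSA's code. The wire
format, time window, device table and identifiers below are assumptions.
"""
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional, Set, Tuple

# Assumed 72-byte SPA datagram: 16-byte client id, 8-byte unix time,
# 16-byte random nonce, then HMAC-SHA256 over those 40 bytes.
HEADER = struct.Struct("!16sQ16s")
TAG_LEN = hashlib.sha256().digest_size
WINDOW_SECONDS = 30  # assumed tolerance for clock skew and packet delay

# Constructed enrollment table (device id -> shared secret). A real gateway
# would bind these to device certificates or an identity provider.
ENROLLED: Dict[bytes, bytes] = {
    b"laptop-0001": hashlib.sha256(b"demo-secret-laptop-0001").digest(),
    b"phone-0002": hashlib.sha256(b"demo-secret-phone-0002").digest(),
}
# Used when the client id is unknown so the MAC check costs the same time
# either way; the packet is dropped regardless.
_DUMMY_KEY = hashlib.sha256(b"not-a-real-device").digest()


def build_spa_packet(client_id: bytes, key: bytes,
                     now: Optional[int] = None,
                     nonce: Optional[bytes] = None) -> bytes:
    """Client side: the single datagram sent before any TCP connection."""
    now = int(time.time()) if now is None else now
    nonce = os.urandom(16) if nonce is None else nonce
    body = HEADER.pack(client_id.ljust(16, b"\0"), now, nonce)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class SpaGateway:
    """Gateway side: default deny; only a valid SPA packet opens a session."""

    def __init__(self, enrolled: Dict[bytes, bytes],
                 window: int = WINDOW_SECONDS) -> None:
        self.enrolled = enrolled
        self.window = window
        self.seen_nonces: Set[bytes] = set()  # replay cache; bounded in practice

    def check(self, packet: bytes, now: Optional[int] = None) -> Tuple[str, str]:
        """Return ("ALLOW", client id) or ("DROP", reason).

        On DROP nothing is sent back: to an unauthenticated sender the
        service must look like a closed port, which is the point of SPA.
        """
        now = int(time.time()) if now is None else now
        if len(packet) != HEADER.size + TAG_LEN:
            return ("DROP", "malformed")
        body, tag = packet[:HEADER.size], packet[HEADER.size:]
        raw_id, ts, nonce = HEADER.unpack(body)
        client_id = raw_id.rstrip(b"\0")
        key = self.enrolled.get(client_id)
        # Authenticate before trusting any other field; constant-time compare.
        expected = hmac.new(key or _DUMMY_KEY, body, hashlib.sha256).digest()
        if key is None or not hmac.compare_digest(tag, expected):
            return ("DROP", "unauthenticated")
        if abs(now - ts) > self.window:
            return ("DROP", "stale")
        if nonce in self.seen_nonces:
            return ("DROP", "replay")
        self.seen_nonces.add(nonce)
        # Here the gateway would insert a short-lived packet-filter rule for
        # this client and hand off to the control channel for mTLS setup.
        return ("ALLOW", client_id.decode())


if __name__ == "__main__":
    gw = SpaGateway(ENROLLED)
    good = build_spa_packet(b"laptop-0001", ENROLLED[b"laptop-0001"])
    print("valid packet:   ", gw.check(good))
    print("replayed packet:", gw.check(good))
    print("tampered packet:", gw.check(good[:24] + os.urandom(16) + good[40:]))
    print("unknown device: ", gw.check(build_spa_packet(b"rogue", b"x" * 32)))
    print("random noise:   ", gw.check(os.urandom(72)))
```

The ALLOW result is what would drive the packet filter: the gateway inserts a short-lived rule admitting that client's source address to the protected service, and the separate control channel then negotiates the authenticated data connection. Every other packet, including replays, stale packets and probes from unenrolled devices, is silently discarded, so a scanner sees no open ports.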

Waverley Labs worked closely with the Cloud Security Alliance (CSA) to develop the first commercial SDP specification and recently co-authored the CSA’s new white paper – Software Defined Perimeter and Zero Trust.