Behold … the Trust Zone!


Zero Trust is the new buzzword – but is every Zero Trust strategy supported by an effective and efficient model to deliver on the promise? There are many factors to consider and one is the role of a software-defined perimeter (SDP). If your strategy is rooted in network-centric thinking, you might miss the value SDP brings to businesses and agencies adopting Zero Trust.

A recent article in TechTarget, Weighing the future of firewalls in a zero-trust world, examined the future of firewalls. Organizations are asking: “Are firewalls and zero trust mutually exclusive?” The article is based on an interview with John Burke, an analyst who leads research on the hybrid cloud, the modern software-defined WAN, automation, and DevOps at Nemertes Research.

Burke describes how firewalls can still be used in a tiered approach to the network within a Zero Trust network access (ZTNA) model. At the same time he cautions against putting too much emphasis on firewalls. Why? Because if the goal is to secure access to applications and services in the cloud, a network-centric firewall approach on its own will not get you there.

These are the three inherent limitations of firewalls in a Zero Trust model:

  • Firewalls have no knowledge of the applications and services they are protecting; they see addresses, ports and protocols, not services or users.
  • Firewalls cannot make an access decision that combines device authentication AND a user's authorization for a specific application or service.
  • Firewalls may control which network segment can reach the cloud, but once traffic is inside the cloud the CSP is not protecting your applications and data; that responsibility stays with you.

As the company that pioneered the first open source software-defined perimeter for the Cloud Security Alliance, we believe the true value of the SDP in a Zero Trust model is, first, its ability to make applications and services invisible to the Internet and, second, its ability to deny all access to users without credentials: a cyber passport of sorts to applications and services in the cloud. Many vendors are emerging to ride the Zero Trust wave, and not all SDPs are the same, so enterprises evaluating SDP vendors should consider two key capabilities:

  1.  Most SDP solutions based on the Cloud Security Alliance open source specification include a gateway, but not all gateways provide automated enforcement of policy decisions. The Waverley Labs SDP separates the control plane from the data plane. By this we mean separating the controls applied to the requesting host (i.e. users and their devices) from the requirements of the accepting host (i.e. the application or service). Does the SDP perform granular inspection of credentials to enforce policy and deny unauthorized users and/or unauthenticated devices?
  2.  Is the SDP service specific, and can it perform at Internet scale?

The Waverley Labs SDP features a service-specific gateway, an Internet-scale, deny-all packet filter, which dynamically enforces policies controlling which users on authenticated devices are authorized to access a specific service, wherever that service is located. The Waverley Labs SDP includes a Controller, the policy decision point, to authenticate and authorize users and their devices. The Waverley Gateway dynamically enforces the policy and admits only credentialed users.

The Gateway casts a Trust Zone around the services it protects, making them invisible to the Internet: attackers and unauthorized users are left outside the Gateway with nothing to connect to. The Waverley Trust Zone is unique.

As a result:

  • If someone is using a device authenticated by the controller, but they are not an approved user of that service, they will be denied access.
  • If someone is an authorized user, but on a device not authenticated by the controller, they will be denied access.

What does this mean? During a hypothetical DDoS attack, the Waverley Labs Gateway admits credentialed users through to the application and drops all other traffic at the packet level, so the flood never reaches the service. The Gateway and the links in front of it still have to absorb the volume of dropped packets, which is why the packet filter must operate at Internet scale.
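To make the division of labor concrete, here is an added illustration of the controller/gateway split described above. It is constructed for this article and is not Waverley Labs code: the Controller is the policy decision point (device authentication, then user authorization for one specific service), and the Gateway is a deny-all packet filter that knows nothing about users or services, only the narrow (source, port) entries the Controller installs. The device keys, users, policy, addresses, ports and the flood traffic are all made up for the demo, and the HMAC device proof stands in for whatever real device authentication a deployment uses.

```python
"""Added illustration (not Waverley Labs code): SDP control plane / data plane split.

Controller = policy decision point: admit only when the device proves it is
enrolled AND the user is authorized for that specific service, then install a
narrow, time-limited allow entry on the gateway.
Gateway = deny-all packet filter: forwards only what the controller installed.
All keys, users, policies, addresses and ports below are constructed for the demo.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass, field

# Constructed enrollment data: device id -> per-device secret (control plane only).
DEVICE_KEYS = {"laptop-7": b"device-secret-7", "phone-3": b"device-secret-3"}

# Constructed service-specific authorization policy: service -> users allowed.
SERVICE_POLICY = {"payroll": {"alice"}, "wiki": {"alice", "bob"}}

# Constructed mapping from service name to the port the gateway fronts.
SERVICE_PORTS = {"payroll": 8443, "wiki": 443}


def device_proof(device_id: str, nonce: bytes) -> str:
    """What an enrolled device sends: an HMAC over the controller's nonce."""
    return hmac.new(DEVICE_KEYS[device_id], nonce, hashlib.sha256).hexdigest()


@dataclass
class Gateway:
    """Deny-all packet filter (data plane). Forwards only controller-installed entries."""
    allow_table: dict = field(default_factory=dict)  # (src_ip, dst_port) -> expiry
    forwarded: int = 0
    dropped: int = 0

    def allow(self, src_ip: str, service: str, ttl: float = 300.0) -> None:
        """Install a narrow entry: this source, this service's port, for ttl seconds."""
        self.allow_table[(src_ip, SERVICE_PORTS[service])] = time.time() + ttl

    def handle_packet(self, src_ip: str, dst_port: int) -> str:
        """Default deny: anything without a live allow entry is dropped unanswered."""
        expiry = self.allow_table.get((src_ip, dst_port))
        if expiry is None or time.time() > expiry:
            self.dropped += 1
            return "drop"
        self.forwarded += 1
        return "forward"


@dataclass
class Controller:
    """Policy decision point (control plane)."""
    gateway: Gateway
    nonce: bytes = b"constructed-nonce"  # a real controller issues a fresh nonce per request

    def request_access(self, user, device_id, proof, service, src_ip) -> bool:
        # 1. Device authentication: unknown device or wrong proof -> deny, whoever the user is.
        key = DEVICE_KEYS.get(device_id)
        if key is None:
            return False
        expected = hmac.new(key, self.nonce, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(proof, expected):
            return False
        # 2. User authorization for this specific service: an authenticated device is not enough.
        if user not in SERVICE_POLICY.get(service, set()):
            return False
        # 3. Only now does the data plane learn anything: one (source, port) entry.
        self.gateway.allow(src_ip, service)
        return True


def demo() -> dict:
    """Run the cases from the article plus a constructed flood; return the outcomes."""
    gw = Gateway()
    ctl = Controller(gateway=gw)
    out = {}
    # Authorized user on an authenticated device: admitted.
    out["alice_laptop_payroll"] = ctl.request_access(
        "alice", "laptop-7", device_proof("laptop-7", ctl.nonce), "payroll", "10.0.0.5")
    # Authenticated device, but bob is not an approved user of payroll: denied.
    out["bob_phone_payroll"] = ctl.request_access(
        "bob", "phone-3", device_proof("phone-3", ctl.nonce), "payroll", "10.0.0.6")
    # Authorized user, but on a device the controller never enrolled: denied.
    out["alice_unknown_device"] = ctl.request_access(
        "alice", "tablet-9", "not-a-valid-proof", "payroll", "10.0.0.7")
    # Data plane: 1000 constructed flood packets from sources with no entry are dropped
    # silently, so the service itself never sees them.
    for i in range(1000):
        gw.handle_packet(f"203.0.113.{i % 250}", SERVICE_PORTS["payroll"])
    out["alice_payroll_packet"] = gw.handle_packet("10.0.0.5", SERVICE_PORTS["payroll"])
    # Entries are service specific: alice's payroll grant does not open wiki for her.
    out["alice_wiki_packet"] = gw.handle_packet("10.0.0.5", SERVICE_PORTS["wiki"])
    out["dropped"], out["forwarded"] = gw.dropped, gw.forwarded
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running demo() admits only Alice on her enrolled laptop, denies Bob (good device, wrong user) and Alice on an unknown tablet (right user, unauthenticated device), forwards Alice's payroll packet, and drops all 1000 flood packets plus her packet to the wiki port she never requested. In a real deployment the allow table lives in a kernel packet filter and the device proof is a genuine device credential; the point of the sketch is that the data plane never needs to understand users or services to enforce the controller's decision.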

Another advantage of the Waverley Labs SDP is that it can be integrated into the CI/CD pipeline (OpenShift is one example), so that access and authorization policies are built into the application or service rather than bolted on afterward. An efficiently designed SDP also scales, reduces or eliminates operational overhead, and automatically drops connections in real time when unauthorized users, compromised devices or rogue services are detected.

For more info, read this white paper on Waverley Labs' deployment of SDP, which describes how the SDP supports a Zero Trust model.

Titled Software Defined Perimeter (SDP) and Zero Trust, the paper evaluates the use of SDP and illustrates how a Zero Trust implementation using the Waverley SDP enables organizations to defend against the new variations of old attack methods that constantly surface in perimeter-centric networking models.

Let me know what you think. Leave me a comment or reach out to me via LinkedIn to connect and have a discussion.