David Linthicum is an internationally recognized authority on cloud complexity and security. He regularly and accurately reports on trends and challenges faced by the enterprise as it attempts to tap into the economic and performance benefits of moving workloads to the cloud.

Recently he wrote in InfoWorld about how the rapid emergence of the remote workforce, which is fueling cloud adoption, is being challenged by two cloud architectural problems that remain unresolved: edge devices and multicloud security.

Earlier in the year he wrote in Forbes about how complexity and the related security challenges are reducing the returns that many organizations had projected on their cloud computing investments.

Cloud security challenges are driven by numerous factors, but according to Linthicum complexity is at the core. According to Linthicum and Deloitte research, as the number of systems rises, complexity grows at roughly 1.75 times the rate of growth in systems, both on-premise and in the cloud. Eventually an enterprise may reach the point where the cost of managing the cloud and its associated risks outweighs its potential benefits.

Recently the industry has been zeroing in on Zero Trust as a new paradigm and strategy for securing critical applications and data, particularly those in the cloud.

The value proposition of Zero Trust rests on a simple premise: trust no one, and deny all access until the identity of the user and the device have been authenticated. Security architects hold that a Zero Trust model should separate the control plane from the data plane. The control plane is where users and devices are validated, where the controls are verified. The data plane is the part of the network where data transfer occurs, the obvious enforcement point. This is echoed in NIST's Zero Trust Architecture guidance (SP 800-207), which separates the policy decision point from the policy enforcement point. Is an effective Software Defined Perimeter (SDP) therefore essential to Zero Trust, and should we expect an SDP to split its functions between the control plane and the data plane? Many products are labeled SDP. How will you know whether one of them will effectively enable your Zero Trust model?

Waverley Labs implements SDP with automated, dynamic enforcement and keeps the data plane separate from the control plane. In this model the policy defines the credentials required to authenticate a user's identity and validate their device(s), and further defines which services they are authorized to access.

The SDP Client generates the SPA (Single Packet Authorization) packet carrying the user's credentials, as prescribed by the policy defined when the service or application was developed. The SDP thereby provides a basic tenet of Zero Trust, authenticating a user and their device prior to access, and the Waverley implementation goes one step further: the service stays invisible until that authentication succeeds.

Waverley designed the Gateway to enforce policy. The Waverley Controller informs each SDP Gateway, which is unique to its service, which users are authorized to gain access through it; the Gateway then confirms that authorization by inspecting the SPA packet. The Gateway opens only when the proper credentials (a valid SPA packet) are presented. In this way the Waverley SDP dynamically enforces the policies that define which users may access which services from which devices. The service remains invisible to the Internet because the Gateway, an Internet-grade, dynamic deny-all packet filter, stays closed until a user with the right credentials requests access.
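To make the control-plane/data-plane split described above concrete, here is an added example (it is not Waverley Labs' code and not from the page) of the flow: a Controller that enrolls identities and pushes per-service authorization to a Gateway, a client that builds an SPA packet, and a deny-all Gateway that opens only for a valid packet. Everything about the packet format is assumed for illustration: a JSON body authenticated with HMAC-SHA256 under a key the Controller provisions, a 30-second freshness window, and a nonce cache for replay detection. A production SPA implementation also encrypts the payload and drives the actual firewall rule; both are out of scope here.

```python
import hashlib
import hmac
import json
import os
import time


# Control plane: the Controller holds the policy (which identity may reach
# which service) and the per-identity keys it provisions to clients.
class Controller:
    def __init__(self):
        self.keys = {}     # (user, device) -> shared HMAC key
        self.policy = {}   # (user, device) -> set of authorized services

    def enroll(self, user, device, services):
        key = os.urandom(32)
        self.keys[(user, device)] = key
        self.policy[(user, device)] = set(services)
        return key         # delivered to the SDP Client out of band

    def push_policy(self, gateway):
        # Each Gateway learns only the identities authorized for its service.
        gateway.keys = {ident: key for ident, key in self.keys.items()
                        if gateway.service in self.policy[ident]}


# SDP Client: builds the SPA packet. Assumed format (not Waverley's):
# JSON body + "|" + hex HMAC-SHA256 over the body.
def build_spa(user, device, service, key, now=None, nonce=None):
    body = {
        "user": user,
        "device": device,
        "service": service,
        "ts": int(now if now is not None else time.time()),
        "nonce": (nonce if nonce is not None else os.urandom(8)).hex(),
    }
    raw = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, raw, hashlib.sha256).hexdigest().encode()
    return raw + b"|" + tag


# Data plane: the Gateway is deny-all and silent until a valid SPA arrives.
class Gateway:
    WINDOW = 30            # seconds of clock skew / packet age tolerated

    def __init__(self, service):
        self.service = service
        self.keys = {}             # filled by Controller.push_policy
        self.seen_nonces = set()   # replay cache (would be bounded in practice)
        self.open_for = set()      # identities currently allowed through

    def handle_spa(self, packet, now=None):
        # Returns "open" or "drop". Every failure is a silent drop so the
        # service stays invisible to anything that is not a valid client.
        now = now if now is not None else time.time()
        try:
            raw, tag = packet.rsplit(b"|", 1)
            body = json.loads(raw)
            ident = (body["user"], body["device"])
            service, ts, nonce = body["service"], int(body["ts"]), body["nonce"]
        except (ValueError, KeyError, TypeError):
            return "drop"                   # malformed or not an SPA at all
        key = self.keys.get(ident)
        if key is None:
            return "drop"                   # identity not authorized here
        expected = hmac.new(key, raw, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return "drop"                   # forged or tampered
        if service != self.service or abs(now - ts) > self.WINDOW:
            return "drop"                   # wrong target or stale
        if nonce in self.seen_nonces:
            return "drop"                   # replayed packet
        self.seen_nonces.add(nonce)
        self.open_for.add(ident)
        return "open"

    def allows(self, user, device):
        return (user, device) in self.open_for


def demo():
    # Constructed walk-through: the cases a practitioner would test.
    ctrl, gw = Controller(), Gateway("payroll")
    alice = ctrl.enroll("alice", "laptop-1", ["payroll"])
    bob = ctrl.enroll("bob", "phone-7", ["wiki"])     # bob: no payroll access
    ctrl.push_policy(gw)
    t = 1_700_000_000                                 # fixed clock, deterministic

    def spa(user, device, key, at):
        return build_spa(user, device, "payroll", key, now=at)

    good = spa("alice", "laptop-1", alice, t)
    return {
        "valid": gw.handle_spa(good, now=t),
        "replay": gw.handle_spa(good, now=t + 1),
        "stale": gw.handle_spa(spa("alice", "laptop-1", alice, t - 120), now=t),
        "wrong_key": gw.handle_spa(spa("alice", "laptop-1", bob, t), now=t),
        "unauthorized": gw.handle_spa(spa("bob", "phone-7", bob, t), now=t),
        "not_spa": gw.handle_spa(b"GET / HTTP/1.1", now=t),
        "alice_open": gw.allows("alice", "laptop-1"),
        "bob_open": gw.allows("bob", "phone-7"),
    }
```

Two points of the design carry the argument in the text. The authorization decision is made in the control plane: `push_policy` hands each Gateway only the keys of identities permitted to reach its service, so the Gateway never needs the full policy and an identity the Controller has not approved cannot even get its HMAC checked. And the data plane fails closed and silent: a malformed packet, a bad key, a stale timestamp or a replayed nonce all produce the same "drop" with no response, which is what keeps the service invisible to scanners.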

In this way the Waverley SDP is the ultimate enforcer, designed to separate the control plane from the data plane and to keep the target application or service invisible to would-be attackers and unauthorized users.

Isn’t this the promise of a Zero Trust model?

For more information, Waverley Labs' deployment of SDP to support a Zero Trust strategy is documented in new CSA research that I co-authored. Titled Software Defined Perimeter (SDP) and Zero Trust, the paper evaluates the use of SDP and illustrates how a Zero Trust implementation using SDP enables organizations to defend against the new variations of old attack methods that keep surfacing in perimeter-centric networking models.

We hope Mr. Linthicum sees this blog. We would love to discuss this in more detail and get his thoughts on it as a legitimate and possibly game-changing approach to securing cloud applications and environments.
