At the risk of stating the obvious, the FireEye/SolarWinds attack exemplifies the increasing security vulnerability and risk posed by our continued reliance on aging, perimeter-centric network infrastructure. This attack, considered extremely serious, enabled access to and data exfiltration from deep inside sensitive government systems. But it is just one of many high-profile breaches exploiting network-centric security architecture, and such breaches are increasing in frequency, scale and impact.
This has to change and Zero Trust represents the beginning of this change.
To achieve Zero Trust, or “never trust, always verify,” organizations must adopt processes and technology to make their “trust but verify” network security architectures more resilient. It also mandates a software defined perimeter (SDP) to provide an overlay to the in-place network security architecture. In essence, a true Zero Trust model, powered by the right SDP, creates a “trusted zone” capable of protecting the services in that zone from attacks.
I refer to the “right” SDP because there are different approaches to SDP architecture, creating confusion as to how it works and the role it plays in the Zero Trust model.
Since 2015, Waverley Labs has been leading the reimagining of the network perimeter as a primary defensive posture for securing the enterprise. Where network perimeters grant network access without authorizing application/service access, NIST advocates the Zero Trust model as a more effective and efficient security strategy.
Following NIST’s guidance, Waverley Labs began developing and contributing innovation to the open-source project for Software Defined Perimeter (SDP) initiated by the Cloud Security Alliance.
As a result, Waverley Labs developed an SDP featuring a service-specific gateway (an internet-scale, deny-all packet filter) which dynamically enforces policies controlling which authenticated users, using a validated device and located anywhere, may access a service. The Waverley SDP controller is the policy definition point that authenticates and authorizes users and their devices. The gateway dynamically enforces the policy and admits only credentialed users into the trusted zone.
Unlike other solutions, the Waverley architecture separates the control plane from the data plane, that is, policy definition from policy enforcement. Policies that cannot be enforced cannot protect services. Protected services in the Waverley Labs SDP trusted zone are effectively hidden from the internet, leaving attackers and unauthorized users stranded outside the gateway.
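As an added illustration of the control-plane/data-plane split described above (example code written for this page, not Waverley Labs' SDP implementation): the controller acts as the policy definition point and issues a signed, short-lived grant for an authenticated user on a validated device, while the gateway is a deny-all enforcement point that admits only packets covered by such a grant for exactly the service they address. The grant format, HMAC signing, shared key and policy table are all assumptions made for the demo.

```python
import hashlib
import hmac
import json
import time

# Constructed demo secret shared by controller and gateway (a real deployment uses a managed key).
CONTROL_KEY = b"demo-controller-gateway-key"

# Hypothetical controller-side policy: which authenticated users on which validated
# devices may reach which protected services. Anything not listed is denied.
POLICY = {"alice": {"devices": {"laptop-7"}, "services": {"payroll"}}}

def controller_authorize(user, device, service, now=None, ttl=60):
    """Control plane / policy definition point: issue a signed, short-lived grant or deny."""
    entry = POLICY.get(user)
    if entry is None or device not in entry["devices"] or service not in entry["services"]:
        return None
    now = time.time() if now is None else now
    body = json.dumps({"user": user, "device": device, "service": service, "exp": now + ttl},
                      sort_keys=True).encode()
    mac = hmac.new(CONTROL_KEY, body, hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}

def gateway_admit(packet, now=None):
    """Data plane / enforcement point: deny-all filter that admits a packet only when it
    carries a valid, unexpired grant for exactly the service it is addressed to."""
    grant = packet.get("grant")
    if grant is None:
        return False  # default deny: without a grant the service is invisible
    expected = hmac.new(CONTROL_KEY, grant["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, grant["mac"]):
        return False  # forged or tampered grant
    claims = json.loads(grant["body"])
    now = time.time() if now is None else now
    if now >= claims["exp"]:
        return False  # stale grant; the client must re-authorize with the controller
    return claims["service"] == packet["service"]

def demo():
    """Cases the gateway sees: authorized flow, unvalidated device, wrong service, expiry."""
    t0 = 1_000_000.0
    ok = controller_authorize("alice", "laptop-7", "payroll", now=t0)
    bad_device = controller_authorize("alice", "phone-1", "payroll", now=t0)
    return {
        "authorized": gateway_admit({"service": "payroll", "grant": ok}, now=t0 + 5),
        "unvalidated_device": gateway_admit({"service": "payroll", "grant": bad_device}, now=t0 + 5),
        "wrong_service": gateway_admit({"service": "hr", "grant": ok}, now=t0 + 5),
        "expired": gateway_admit({"service": "payroll", "grant": ok}, now=t0 + 61),
    }
```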
Leveraging this SDP, IT security can pivot away from VPNs and aging network-centric infrastructure to an API-based architecture implemented at the application layer. Government organizations using the Waverley SDP have effectively reduced the number of successful attacks and trust the gateway to admit only credentialed users using validated devices into the trusted zone, even while attacks are ongoing.
Waverley Labs has proven and successful implementations with high-profile federal agencies and commercial SaaS and service providers, and is currently preparing to launch its commercial SDP as the preferred method of securing applications and services in a perimeter-less environment.
For more info, check out the white paper documenting Waverley Labs’ deployment of SDP to support a Zero Trust strategy, published as new CSA research that I co-authored. Titled Software Defined Perimeter (SDP) and Zero Trust, the paper evaluates the use of SDP and illustrates how a Zero Trust implementation using SDP enables organizations to defend against the new variations of old attack methods that constantly surface in perimeter-centric networking models.