Zero Trust has entered the marketing lexicon. Companies are adding “zero trust” to their library of SEO terms, giving you a sense that “everybody has one” – whatever that “one” might be. No one disputes the potential benefits of the zero trust message – deny-all, authenticate-first. But getting from the intent to implement the strategy to a realization of it that actually changes the network, security and application infrastructure requires planning, process and product. Zero Trust is enabled by critical components like a software-defined perimeter (SDP).
There is an old writing metaphor that says “tell the reader how the sausage tastes but don’t tell them how it’s made.” I usually agree but in the case of the SDP, I am compelled to help readers cut through the confusion to better understand “how it is made.”
In my last blog, I talked about how Zero Trust adoption will continue to lag until “dynamic enforcement” is better understood. Nearly all enterprises rely on IAM and network access controls (NAC) such as VPNs and firewalls to control network access. Enterprise directories are increasingly difficult to maintain and manage, providing a static resource to track the identity of users and device IDs – the universal credentials recognized by enterprise security. These pillars have served us well, but many would observe that they are rigid in an increasingly agile world. They are limiting when we consider the access requirements of increasingly remote populations of employees, partners and customers.
In fact, many self-proclaimed zero trust vendors are introducing new controls, but little attention is paid to enforcement. Enforcing privilege, a basic expectation for Zero Trust, is challenging to provide. More and more applications sit on multiple clouds outside the traditional barriers of the enterprise perimeter. How does SDP serve enterprises adopting a zero trust strategy?
Waverley Labs implements SDP with automated, dynamic enforcement that is based on the separation of the control plane from the data plane. By this I mean separating the controls of the requesting host (i.e. users and their devices) from the requirements of the accepting host (i.e. the application or services).
The control plane is very important – it is where enforcement begins. The control plane serves the needs of the “requesting host” or the user seeking access to an application or service. The action of authenticating a user and their device, prior to access, is a basic tenet of zero trust. Providing the requesting host with the credentials they require to access an application or service is accomplished at the control plane.
The data plane, or the enforcement point as defined by NIST, is often ignored by solutions making claims about zero trust. Today the accepting host or application/service is typically visible to every external attacker and even unauthorized users.
The design of the SDP is critical to achieving a Zero Trust model. The Waverley SDP features a Controller with API-based capabilities. First, the Client dynamically creates a unique SPA (single packet authorization) packet by using information in the enterprise systems of record for user and device ID. Second, and unique to Waverley, the Controller dynamically provisions the SDP Gateway. The Gateway is integrated into the accepting application/service at run time. With the Waverley SDP in place, applications/services are completely invisible to would-be attackers and unauthorized users.
In this way, SDP is the enforcer. The Waverley SDP separates policy definition from policy enforcement – separating the control plane and data plane to ensure that the software-defined perimeter functions as required: the application is invisible to the internet and to would-be attackers, and accessible only to authorized clients.
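To make the control-plane/data-plane split concrete, here is an added example that is not Waverley's code and not the open source SDP implementation the post refers to: a small Python sketch in which a controller issues a per-client key (control plane), the requesting host builds an SPA datagram from its client ID, and a gateway that denies everything by default opens a short-lived allow entry only after the packet verifies (data plane). The packet layout (JSON body plus HMAC-SHA256 tag), the field names, the 30-second window and the allow-entry lifetime are assumptions chosen for illustration; the real SPA format is not described on the page. The gateway also rejects stale and replayed packets, which the post does not discuss but any enforcement point must handle.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import time

SPA_WINDOW_SECONDS = 30   # how old an SPA packet may be (assumed value)
OPEN_SECONDS = 30         # how long a verified client stays allowed (assumed value)
TAG_LEN = 32              # HMAC-SHA256 output length


def controller_issue_credential(client_id):
    """Control plane: the controller binds a user/device ID taken from the
    system of record to a fresh per-client HMAC key. Returns (client_id, key)."""
    return client_id, os.urandom(32)


def build_spa_packet(credential, now=None):
    """Requesting host: build one self-authenticating datagram (assumed layout:
    base64(JSON body || HMAC-SHA256 tag))."""
    client_id, key = credential
    ts = int(time.time() if now is None else now)
    body = json.dumps(
        {"client_id": client_id, "ts": ts, "nonce": os.urandom(16).hex()},
        sort_keys=True,
    ).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag)


class SpaGateway:
    """Data plane: default-deny. Only a valid SPA packet opens a short-lived
    allow entry for that client; everything else is silently dropped."""

    def __init__(self, provisioned):
        # client_id -> key, pushed to the gateway by the controller
        self.keys = dict(provisioned)
        self.seen = set()      # (client_id, nonce) pairs already accepted
        self.open_until = {}   # client_id -> expiry timestamp

    def verify(self, packet, now=None):
        now = int(time.time() if now is None else now)
        try:
            raw = base64.b64decode(packet, validate=True)
        except (binascii.Error, ValueError):
            return False       # not even well-formed: drop
        if len(raw) <= TAG_LEN:
            return False
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        try:
            fields = json.loads(body)
            client_id = fields["client_id"]
            ts = int(fields["ts"])
            nonce = fields["nonce"]
        except (ValueError, KeyError, TypeError):
            return False
        key = self.keys.get(client_id)
        if key is None:
            return False       # client never provisioned by the controller
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False       # forged or tampered packet
        if abs(now - ts) > SPA_WINDOW_SECONDS:
            return False       # stale packet
        if (client_id, nonce) in self.seen:
            return False       # replay of an already-accepted packet
        self.seen.add((client_id, nonce))
        self.open_until[client_id] = now + OPEN_SECONDS
        return True

    def is_open_for(self, client_id, now=None):
        now = int(time.time() if now is None else now)
        return self.open_until.get(client_id, 0) > now


def run_demo(now=1_700_000_000):
    """Walk through the cases a gateway must get right; IDs are constructed."""
    alice = controller_issue_credential("alice-laptop-01")
    mallory = controller_issue_credential("unprovisioned-device")
    gw = SpaGateway([alice])            # controller provisions only alice
    good = build_spa_packet(alice, now=now)
    raw = base64.b64decode(good)
    tampered = base64.b64encode(raw[:-1] + bytes([raw[-1] ^ 0x01]))
    return {
        "valid": gw.verify(good, now=now),
        "open_after_valid": gw.is_open_for("alice-laptop-01", now=now + 5),
        "replay": gw.verify(good, now=now + 1),
        "tampered": gw.verify(tampered, now=now),
        "stale": gw.verify(build_spa_packet(alice, now=now - 120), now=now),
        "unprovisioned": gw.verify(build_spa_packet(mallory, now=now), now=now),
        "garbage": gw.verify(b"not-an-spa-packet", now=now),
        "closed_later": gw.is_open_for("alice-laptop-01", now=now + OPEN_SECONDS + 1),
    }


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:>17}: {'allow' if outcome else 'deny'}")
```

The point to notice is that every failure path returns the same silent `False`: the gateway never answers an unverified sender, which is what makes the protected service invisible rather than merely locked.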
Waverley Labs pioneered the industry’s first open source SDP to enable dynamic enforcement of a true deny-all, authenticate and authorize first access to critical applications and infrastructure. It leverages a proprietary SDP Controller resulting from years of collaboration with organizations such as the DoD, NIST and the Cloud Security Alliance (CSA).
What also needs to be understood is that SDP is not replacing IAM or VPNs. Rather, SDP is additive and is essential for protecting critical applications and infrastructure in an exceedingly cloud-based world.
The SPA Packet Holds the Keys
In the last blog, I used an analogy to describe the SPA packet being like an international “passport.”
When you travel internationally, security is dictated by the same “deny all, authenticate first” concept of the passport. When you travel to any other country, everyone is going to be denied access unless they have authentication and identity that allows them to enter. Your passport allows you to do (or access) important activities such as travel to other countries, vote, use certified mail, etc. The passport definitively authenticates you and your identity anywhere, globally. Take a traveler going from the US to Germany: customs is similar to the Waverley gateway, allowing access based on the SPA packet/passport and the country’s policy on authorizing your visit for work, education or short-term leisure travel.
It is widely acknowledged that the Zero Trust model requires adoption of a deny-all, authenticate-and-authorize-first strategy. Without SDP, successful implementation of a Zero Trust solution is difficult, if not impossible.
Our clients see other benefits of SDP including a reduction in resources needed for incident response, policy enforcement that reduces risk and improved compliance audits.
SDP is a proven, game-changing approach. Early adopters of the open source specification like Coca-Cola, Mazda, and Google are reporting positive results. It is proven effective and continues to be tested in organized industry “hack-a-thons” (such as RSA) with an estimated 10 billion+ attempts to date – all unsuccessful. With the advancements introduced by Waverley to the SDP Controller, organizations like DHS will hit their Zero Trust milestones.
For more information on SDP and Zero Trust, check out this upcoming BrightTalk webinar that looks at the important relationship between SDP and Zero Trust. You can register for the webinar here.
Waverley Labs worked closely with the CSA and DHS to develop the first open source SDP based on the specification and recently co-authored the CSA’s new white paper – Software Defined Perimeter and Zero Trust.