Software Defined Perimeter architecture advances Zero Trust from a network-centric strategy to a truly secure solution for mission-critical applications
Gartner recently published a new Market Guide for Zero Trust Network Access (ZTNA) authored by Analysts Steve Riley, Neil MacDonald and Lawrence Orans.
According to Gartner, ZTNA augments traditional VPN technologies for application access, and removes the excessive trust once required to allow employees and partners to connect and collaborate. Security and risk management leaders should pilot ZTNA projects as part of a SASE strategy or to rapidly expand remote access.
Gartner named Waverley Labs as one of 12 representative vendors of stand-alone ZTNA solutions. Gartner recognized Waverley Labs for their groundbreaking open source SDP architecture that, when applied to a Zero Trust strategy, enables the deployment of a truly secure authenticate first, deny-all solution for a myriad of networking and development environments.
There has been much talk about the Zero Trust strategy. According to the Cloud Security Alliance, the industry needs to better understand Zero Trust’s relationship with SDP for Zero Trust to become a truly secure solution.
Waverley Labs believes that Zero Trust is sound in theory and admirable in intent, but it has one fundamental flaw: it is built on today's networking architectures, in which a client connects to the network first and authenticates afterwards.
In the ZTNA strategy as outlined by Gartner and others, the firewall, VPN and other vulnerabilities that bad actors can and will exploit still exist. An attacker who clones a VPN client and steals its keys lands on the same network segment as, say, the mail server, and from there can guess other user names and passwords and carry out further attacks such as credential theft and denial of service. The VPN may log the user into the network without granting them use of services on other segments (SharePoint, for example), but because the attacker is already inside the network, they can reach the SharePoint server with ordinary lateral-movement techniques. Granting access to the network first, then to services, and only then letting each service decide whether the user may use it is the problem. Access before authentication exposes every service to every user, good and bad: a user does not need to be able to log in to a service in order to reach it on the network and attack it.
The Zero Trust concept is right but the implementation is cobbled together at best and is akin to trying to put a square peg into a round hole.
What is missing is the "deny all, authenticate first" security architecture that is the signature of the Software Defined Perimeter (SDP). SDPs dynamically create one-to-one connections between every authorized device, user and the data they access. Anyone attempting to access a resource must "authenticate first." This applies the principle of least privilege to the network itself and drastically reduces the attack surface. By default, users are not allowed to connect to anything: the opposite of traditional corporate networks, where once a user is given an IP address they typically have network reachability to everything on it. Instead, SDPs ensure that once the proper access criteria are met, a dynamic one-to-one connection is generated from the user's machine to the specific resource needed. Everything else stays invisible: an unauthenticated host cannot even tell that the other resources exist.
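The authenticate-first, deny-all gate contrasted above with VPN-style connect-then-authenticate access, as an added example that is not Waverley Labs' code or the CSA specification's reference implementation. It models the single packet authorization (SPA) step the CSA SDP specification uses: the client sends one HMAC-signed packet naming the user, device and resource; the gateway answers nothing unless the packet verifies and an entitlement exists, and then opens exactly one flow from that source address to that resource. The user, device, key, addresses and hostnames are constructed for the example, and a real gateway would install the opened flow as a firewall rule rather than keep it in a set. The walkthrough also shows the SharePoint case from the VPN discussion: an authenticated mail user still cannot reach a resource they are not entitled to.

```python
"""Authenticate-first, deny-all gate modelled on an SDP gateway (constructed example).

The gateway accepts nothing until it receives one HMAC-signed authorization
packet (the single packet authorization, SPA, step of the CSA SDP spec).
Unknown, forged, stale, replayed or unentitled packets all fail silently,
and a successful packet opens exactly one flow: this source address to the
one resource named in the packet. Nothing else is reachable.
"""
import hashlib
import hmac
import json
import os
import time

MAC_LEN = 32  # length of an HMAC-SHA256 tag


def build_auth_packet(key, user, device, resource, now=None, nonce=None):
    """Client side: body (JSON) followed by HMAC-SHA256 over the body."""
    body = json.dumps({
        "user": user, "device": device, "resource": resource,
        "ts": int(time.time() if now is None else now),
        "nonce": (nonce or os.urandom(16)).hex(),
    }, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Gateway:
    """Default deny: a (source address, resource) flow exists only after auth."""

    def __init__(self, device_keys, entitlements, window_s=30):
        self.device_keys = device_keys    # (user, device) -> shared HMAC key
        self.entitlements = entitlements  # (user, device) -> set of resources
        self.window_s = window_s          # clock skew / replay window, seconds
        self.seen_nonces = set()          # nonces already accepted (replay guard)
        self.open_flows = set()           # (src_ip, resource) one-to-one allows

    def is_allowed(self, src_ip, resource):
        """Data-plane check: only an explicitly opened flow passes."""
        return (src_ip, resource) in self.open_flows

    def authorize(self, packet, src_ip, now=None):
        """Control-plane check. Returns True only if a flow was opened.

        Every failure returns False without sending anything back, so an
        unauthenticated scanner cannot tell the resource exists at all.
        """
        if len(packet) <= MAC_LEN:
            return False
        body, tag = packet[:-MAC_LEN], packet[-MAC_LEN:]
        try:
            claim = json.loads(body)
            ident = (claim["user"], claim["device"])
            resource, ts, nonce = claim["resource"], int(claim["ts"]), claim["nonce"]
        except (ValueError, KeyError, TypeError):
            return False
        key = self.device_keys.get(ident)
        if key is None:
            return False  # unenrolled device: stay dark
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False  # forged or tampered packet
        if abs((time.time() if now is None else now) - ts) > self.window_s:
            return False  # stale: outside the replay window
        if nonce in self.seen_nonces:
            return False  # replay of an already-accepted packet
        if resource not in self.entitlements.get(ident, set()):
            return False  # authenticated, but not entitled to this resource
        self.seen_nonces.add(nonce)
        self.open_flows.add((src_ip, resource))
        return True


# Constructed fixtures: hypothetical user, device, key and hostnames.
ALICE_KEY = hashlib.sha256(b"alice dev-1 enrollment secret (demo only)").digest()
DEVICE_KEYS = {("alice", "dev-1"): ALICE_KEY}
ENTITLEMENTS = {("alice", "dev-1"): {"mail.internal:443"}}


def demo(t=1_700_000_000):
    """Walk through the cases the text describes; returns {case: allowed?}."""
    gw = Gateway(DEVICE_KEYS, ENTITLEMENTS)
    mail, share = "mail.internal:443", "sharepoint.internal:443"
    good = build_auth_packet(ALICE_KEY, "alice", "dev-1", mail, now=t)
    return {
        "mail_before_auth": gw.is_allowed("10.0.0.5", mail),
        "auth_ok": gw.authorize(good, "10.0.0.5", now=t),
        "mail_after_auth": gw.is_allowed("10.0.0.5", mail),
        "same_flow_other_host": gw.is_allowed("10.0.0.6", mail),
        "lateral_to_sharepoint": gw.is_allowed("10.0.0.5", share),
        "replayed_packet": gw.authorize(good, "10.0.0.6", now=t),
        "not_entitled": gw.authorize(
            build_auth_packet(ALICE_KEY, "alice", "dev-1", share, now=t), "10.0.0.5", now=t),
        "stale_packet": gw.authorize(
            build_auth_packet(ALICE_KEY, "alice", "dev-1", mail, now=t - 600), "10.0.0.5", now=t),
        "stolen_client_wrong_key": gw.authorize(
            build_auth_packet(b"guessed key", "alice", "dev-1", mail, now=t), "10.0.0.9", now=t),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:25s} {'ALLOW' if allowed else 'DENY'}")
```

Two design points matter here. The entitlement check happens after authentication, so a valid device is still confined to the resources it was granted; reaching the mail server buys nothing against SharePoint. And every rejection is silent, which is what makes the resource "invisible": a scanner that never sends a valid packet never learns whether anything is listening.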
Waverley Labs worked closely with the Cloud Security Alliance (CSA) to develop the first commercial SDP specification and recently co-authored the CSA’s new white paper – Software Defined Perimeter and Zero Trust. Also, check out this BrightTalk webinar where the CSA presents SDP as the most advanced solution implementation of the Zero Trust strategy.