Volume 1, Issue 2 October 28, 2020
Being “on the same wavelength” suggests that miracle moment when two people are saying or thinking the same thing – sometimes without even speaking! Dynamic understanding.
Wavelength by Juanita Koilpillai
The value proposition of Zero Trust is based on a simple premise – trust no one – deny all access until you have authenticated the identity of the user and device. Security architects believe that a Zero Trust model should include separation of the control plane from the data plane. The control plane is where the validation of users and devices occurs – where the controls are applied. The data plane is that part of the network where the data transfer occurs – the obvious enforcement point. This is echoed in the NIST documentation suggesting the separation of the policy definition point from the policy enforcement point. Do we think that an effective software defined perimeter (SDP) is essential to Zero Trust and should we expect the SDP to, in essence, separate its functions between the control plane and data plane? There are many products out there labeled as SDP. How will you know if one of these will effectively enable your Zero Trust model?
Waverley Labs implements SDP with automated, dynamic enforcement and adheres to the construct that the data plane is separate from the control plane. In this model, the policy defines the credentials required to authenticate the identity of a user and validate their device(s) and further defines which services they are authorized to access. The role of our SDP Controller is to authenticate and authorize users dynamically to a service. Authorizing the user to a specific service is dependent on the user’s credentials and the validation of their device(s).
The Controller integrates data from enterprise systems of record, enabling the SDP Client to generate the SPA packet, which serves as the credentials prescribed by the policy. In this way, we provide a basic tenet of Zero Trust – authenticate a user and their device, prior to access. We go one step further.
Waverley designed the Controller to enforce policy. The Waverley Controller informs the SDP Gateway, unique to each service, about which users are authorized to gain access through the Gateway. The Gateway automatically opens only when the proper credentials (the SPA packet) are presented. In this way, the Waverley SDP dynamically enforces the policies that define which users are able to access which services. The Gateway opens for a user with a policy-based SPA packet and with authorization provided to the Gateway by the Controller. Since no ports in the Waverley Gateway are open until the valid SPA is presented and the credentials matched to the service, the service remains invisible to the Internet.
In this way, the Waverley SDP is the ultimate enforcer – and designed to separate the control plane from the data plane; ensuring the target application/service is invisible to would-be attackers and unauthorized users. The Waverley SDP ensures that only users presenting policy-based credentials, the SPA packet, pass through the Gateway. The Waverley SDP provides true deny all controls to critical applications and services. Isn’t this the promise of a Zero Trust model?
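The Gateway behaviour described above, as an added example (not Waverley's code and not the open-source reference implementation): the Controller provisions authorization over the control plane, and the Gateway stays closed until a valid SPA packet arrives. The packet layout (JSON body plus an HMAC-SHA256 tag), the class and function names, and the 30-second freshness window are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import time

MAX_SKEW = 30  # seconds a packet stays fresh (assumed value)


class Gateway:
    """Data-plane enforcement point for one service; denies by default."""

    def __init__(self, service):
        self.service = service
        self.authorized = {}  # user -> HMAC key, pushed by the Controller
        self.seen = set()     # nonces already accepted (replay protection)
        self.open_for = {}    # source IP -> expiry time of the opened rule

    def provision(self, user, key):
        """Control-plane call: the Controller authorizes a user for this service."""
        self.authorized[user] = key

    def handle_spa(self, packet, src_ip, now=None):
        """Open access for src_ip only if the SPA packet is valid; else drop silently."""
        now = time.time() if now is None else now
        try:
            body, _, tag = packet.rpartition(b".")
            msg = json.loads(body)
            key = self.authorized[msg["user"]]  # unprovisioned user -> KeyError
            fresh = abs(now - msg["ts"]) <= MAX_SKEW
            nonce, service = str(msg["nonce"]), msg["service"]
        except (ValueError, KeyError, TypeError):
            return False
        expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return False  # wrong key or tampered body
        if not fresh or service != self.service or nonce in self.seen:
            return False  # stale, aimed at another service, or replayed
        self.seen.add(nonce)
        self.open_for[src_ip] = now + MAX_SKEW
        return True


def make_spa(user, key, service, nonce, ts):
    """Client side: build a signed SPA packet from Controller-issued credentials."""
    body = json.dumps({"user": user, "service": service,
                       "nonce": nonce, "ts": ts}).encode()
    return body + b"." + hmac.new(key, body, hashlib.sha256).hexdigest().encode()
```

Every rejection path returns the same silent `False`, so a sender without provisioned credentials learns nothing about whether the service exists.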
Wave to Wave
Join the dialogue! Here’s a post from our weekly blog. It’s a quick read then share your point of view!
ZeroTrust Adoption Will Continue to Lag Until “Dynamic Enforcement” is Better Understood
Interested in Zero Trust? Get on the same wavelength with “Dynamic Enforcement” and its critical interdependence with ZeroTrust in this new blog! https://bit.ly/2HprzlZ
Lambda is the symbol representing wavelength in scientific equations. It’s a monthly feature of the newsletter where we examine an attack vector that has the propensity to introduce risk. In this issue, we examine advanced persistent threat (APT).
Advanced Persistent Threat (APT) is a prolonged and targeted cyberattack. Intruders gain access to a network and remain undetected for an extended period of time. APT attacks are designed to steal data rather than damage an organization’s network. Advanced attack methods are used, including advanced exploits of zero-day vulnerabilities, spear-phishing and other social engineering techniques. APT is difficult to detect and is most often discovered by using data exfiltration as a clue.
APT groups gain access through the internet via phishing emails or application vulnerabilities. Once they gain access to the target, attackers continue reconnaissance and begin exploiting the malware they’ve installed to create a network of backdoors and tunnels. Once they gain control, they centralize, encrypt and compress the data so they can exfiltrate it.
What’s the future? Zero Trust models and SDP (software defined perimeter) will make APT attacks more difficult. Waverley believes that SDP will make an APT more difficult to sustain because it makes applications and services invisible and enforces policy to limit unauthorized access to data in the cloud.
Waverley Labs is a sponsor of the Digital Risk Management Institute. Listen to this BrightTalk session featuring a new take on defending DDOS Cyber Attacks.
On October 30, Juanita Koilpillai, Founder/CEO of Waverley Labs, provides an overview of SDP as a strategic pillar of implementing a Zero Trust Security Model. Waverley delivered the first open-source reference implementation of SDP in cooperation with the Department of Homeland Security and the Cloud Security Alliance (CSA). Multiple IEEE papers showing various implementations (i.e., SDN, IaaS, IoT, NFV, etc.) for SDP have been published.
Join us on October 30, Halloween Eve, for a cyber treat. “SDP – Trick or Treat” will examine the intrinsic relationship between SDP and Zero Trust.