It makes more sense when you understand the role of “Dynamic Enforcement”


Last week I came across another article educating readers on the advent of Zero Trust architecture (ZTA) and how it represents a new paradigm for securing critical applications and data – particularly those in the cloud.

Titled Zero Trust Cybersecurity: ‘Never Trust, Always Verify’, the article provides a historical backdrop including how the National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) released the general guidance document NIST SP 800-207, Zero Trust Architecture, for adoption of ZTAs in the federal government. This document provides conceptual-level insight for zero trust and zero trust architectures, including deployment models, use case scenarios and discovered gaps in technologies. And it recognizes the role of the Software-Defined Perimeter (SDP) as a fundamental requirement for achieving true zero trust solutions.

But, like virtually every article that attempts to describe and differentiate Zero Trust from conventional network security architecture, it neglects to mention a key point. The secret sauce of ZTA lies in the SDP and, if properly designed, its ability to separate the control plane from the data plane, providing “dynamic policy-based enforcement”. Dynamic policy enforcement is fundamental to an effective ZTA.

Waverley introduces an SDP with a new enforcement paradigm, associating client/device identity-based access with application/service authorization. Only the Waverley SDP offers a Gateway, or dynamic Internet-scale packet filter, with a deny-all rule set. This effectively hides critical applications and services from attackers and unauthorized users. The Waverley SDP separates the control plane, where policies are defined, from the data plane, where policies are enforced. This separation is key to enforcing policies and controlling connections in a highly adaptive environment with multiple services residing on multiple clouds.

The Waverley SDP features new API-based capabilities for the Controller. By leveraging information in the enterprise systems of record for users, devices and services, the Controller dynamically informs the SDP Gateway of all authorizations. The Gateway, residing near each application/service, dynamically verifies the SPA (single packet authorization) packet generated by the Client for each user. This dual process of defining policy in one place and enforcing it separately in another significantly limits unauthorized access.

The Waverley SDP is a dynamically instantiated service mesh/enclave enabling access and authorization policies to be built into the application or service at run time. The SDP provides a single control/decision point. This also enables the SDP to scale dynamically. The Gateway automatically opens only when the proper credentials (the SPA packet) are presented. In this way, the Waverley SDP dynamically enforces the policies that define which users are authorized to access which services from a validated device. The service remains invisible to the Internet because the Gateway, an Internet-grade, dynamic deny-all packet filter, remains closed until a user with the right credentials requests access.
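To make the control-plane/data-plane split and the SPA check concrete, here is a small simulation written for this post (it is not Waverley Labs' code and does not reproduce their packet format). It assumes a Controller that enrolls clients with a per-client HMAC seed and a service authorization list, a Client that builds an SPA packet as a JSON body plus an HMAC-SHA256 tag, and a Gateway whose default answer is deny: it opens a (client, service) flow only after the tag verifies, the timestamp is within a constructed 30-second freshness window, the nonce has not been seen before, and the Controller-supplied policy authorizes that service. All names, the packet layout and the window length are assumptions made for the example.

```python
"""Constructed SDP enforcement demo: Controller defines policy, Gateway
enforces it, and nothing opens without a verified SPA packet.
Example code for this post; not Waverley Labs' implementation."""
import hashlib
import hmac
import json
import secrets
import time

SPA_WINDOW_SECONDS = 30  # assumed freshness window for SPA timestamps


class Controller:
    """Control plane: decides who may reach what, pushes policy to gateways."""

    def __init__(self):
        self._seeds = {}   # client_id -> HMAC seed shared with that client
        self._authz = {}   # client_id -> set of authorized service names

    def enroll(self, client_id, services):
        seed = secrets.token_bytes(32)
        self._seeds[client_id] = seed
        self._authz[client_id] = set(services)
        return seed        # delivered to the client out of band (assumed)

    def push_policy(self, gateway):
        gateway.load_policy(dict(self._seeds),
                            {c: set(s) for c, s in self._authz.items()})


class Client:
    """Builds the SPA packet: JSON body + HMAC-SHA256 tag over that body."""

    def __init__(self, client_id, seed):
        self.client_id = client_id
        self._seed = seed

    def build_spa(self, service, now=None):
        body = {"client_id": self.client_id, "service": service,
                "ts": int(now if now is not None else time.time()),
                "nonce": secrets.token_hex(8)}
        payload = json.dumps(body, sort_keys=True).encode()
        tag = hmac.new(self._seed, payload, hashlib.sha256).hexdigest()
        return payload + b"." + tag.encode()


class Gateway:
    """Data plane: deny-all filter that opens one flow per verified SPA."""

    def __init__(self):
        self._seeds, self._authz = {}, {}
        self._seen_nonces = set()   # a real gateway would expire old nonces
        self.open_flows = set()     # (client_id, service) pairs allowed through

    def load_policy(self, seeds, authz):
        self._seeds, self._authz = seeds, authz

    def handle_packet(self, packet, now=None):
        """Return (decision, reason); every path but the last is a deny."""
        now = now if now is not None else time.time()
        try:
            payload, tag = packet.rsplit(b".", 1)
            body = json.loads(payload)
            client_id, service = body["client_id"], body["service"]
            ts, nonce = int(body["ts"]), str(body["nonce"])
        except (ValueError, KeyError, TypeError):
            return "deny", "malformed"          # stay silent, like any noise
        seed = self._seeds.get(client_id)
        if seed is None:
            return "deny", "unknown client"
        expected = hmac.new(seed, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):   # constant-time compare
            return "deny", "bad hmac"
        if abs(now - ts) > SPA_WINDOW_SECONDS:
            return "deny", "stale"
        if nonce in self._seen_nonces:
            return "deny", "replay"
        self._seen_nonces.add(nonce)
        if service not in self._authz.get(client_id, set()):
            return "deny", "not authorized for service"
        self.open_flows.add((client_id, service))
        return "allow", "spa verified"

    def is_open(self, client_id, service):
        return (client_id, service) in self.open_flows


def demo():
    """Run the exchange with constructed identities and return the decisions."""
    controller, gateway = Controller(), Gateway()
    seed = controller.enroll("alice-laptop", ["payroll"])
    controller.push_policy(gateway)
    alice = Client("alice-laptop", seed)
    results = {"before": gateway.is_open("alice-laptop", "payroll")}
    pkt = alice.build_spa("payroll")
    results["first"] = gateway.handle_packet(pkt)[0]          # allow
    results["replay"] = gateway.handle_packet(pkt)[0]         # deny: replay
    results["wrong_service"] = gateway.handle_packet(alice.build_spa("hr-db"))[0]
    forger = Client("alice-laptop", b"x" * 32)                # wrong seed
    results["forged"] = gateway.handle_packet(forger.build_spa("payroll"))[0]
    results["after"] = gateway.is_open("alice-laptop", "payroll")
    return results


if __name__ == "__main__":
    print(demo())
```

The point to notice is where each decision lives: the Controller never sees a packet, and the Gateway never decides who is authorized; it only checks a packet against the policy it was given. A forged tag, a replayed packet and a request for a service outside the client's authorization all fall through to the same silent deny that an unrelated scan would get.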

The Waverley SDP is the ultimate enforcer – designed to separate the control plane from the data plane, ensuring the target application/service is invisible to would-be attackers and unauthorized users.

Let me know what you think. Leave me a comment or reach out to me via LinkedIn to connect and have a discussion.

Also, for more info, check out this white paper: Waverley Labs' deployment of SDP to support a Zero Trust strategy is documented in new CSA research that I co-authored. Titled Software Defined Perimeter (SDP) and Zero Trust, the paper evaluates the use of SDP and illustrates how a Zero Trust implementation using SDP enables organizations to defend against new variations of old attack methods that are constantly surfacing in perimeter-centric networking models.