SDP is the best architecture for zero trust

By Staff Writer, ITWeb
Johannesburg, 28 May 2020

Software-defined perimeter (SDP) is being heralded as the breakthrough technology for preventing large-scale breaches. And it could be the most effective architecture for adopting a zero-trust strategy. 

This was revealed by a new research whitepaper, ‘Software Defined Perimeter (SDP) and Zero Trust’, released by the Cloud Security Alliance (CSA) and produced by CSA’s Software Defined Perimeter Working Group.

Aimed at CIOs, CISOs and other executives who are already embracing zero trust, the paper demonstrates how SDP can be used to implement zero-trust networks, how it is applied to network connectivity, and what makes it the most advanced implementation of a zero-trust strategy.

Nya Alison Murray, senior ICT architect and co-lead author of the report, says the majority of existing zero-trust security measures are applied as authentication and sometimes authorisation, based on policy after the termination of transport layer security (TLS) certificates.

“Network segmentation and the establishment of micro-networks, which are so important for multi-cloud deployments, also benefit from adopting a software-defined perimeter zero-trust architecture,” she adds.

According to her, a zero-trust implementation using SDP enables businesses to defend against new variations of old attack methods that are constantly surfacing in existing network and infrastructure perimeter-centric networking models.

“Implementing SDP improves the security posture of businesses facing the challenge of continuously adapting to expanding attack surfaces that are, in turn, increasingly more complex,” Murray adds.

The report also notes certain issues that have arisen that require a rapid change in the way network security is implemented. One of them is the changing perimeter: yesterday’s paradigm of a fixed network perimeter, with trusted internal network segments protected by network appliances such as load balancers and firewalls, has been superseded by virtualised networks, meaning that the network protocols of the past are no longer secure.

The paper also notes the IP address challenge, commenting that IP addresses lack any type of user knowledge to validate the trust of the device. “With no way for an IP address to have user context, they simply provide connectivity information but do not get involved in validating the trust of the endpoint or the user,” the report says.

Finally, it cites the challenge of implementing integrated controls, because visibility and transparency of network connections are problematic in the way networks and cyber security tools are implemented. “Today, the integration of controls is performed by gathering data in a SIEM [security information and event management system] for analysis.”
