The Cloud Security Alliance (CSA) today announced the formation of a new working group aimed at securing the proliferation of mobile devices and other nontraditional computers currently flooding enterprise networks.
The software-defined perimeter (SDP) initiative, which the CSA announced at the Amazon Web Services (AWS) re:Invent 2013 conference in Las Vegas, is meant to secure bring your own device and the "Internet of Things" by creating an architecture that provides end-to-end network protection for cloud providers and enterprise consumers. The SDP working group, led by Bob Flores, former chief technology officer of the Central Intelligence Agency, and Junaid Islam, founder and CTO of cloud security vendor Vidder, is now open for participation.
From a high-level perspective, Islam said that the goal of an SDP, meant to be analogous to software-defined networking, is to utilize the cloud in place of the traditional network perimeter for the purposes of authentication and authorization. He noted that the CSA does not intend to create any new security protocols. Instead, the working group plans to publish a broad framework that shows cloud providers and enterprises how to utilize existing standards, such as National Institute of Standards and Technology (NIST)'s TLS protocol and SAML, through the cloud.
"If you can get the best ideas in security now running, why use it just for services in the cloud?" Islam asked. "[Instead], actually use the cloud as a perimeter to your company, because you can point your company's perimeter to the cloud, and all of the traffic coming into your office can go through the cloud service."
The SDP initiative will also rely on the U.S. military's "need to know" networking model, which, according to Islam, basically entails having the device and user identified before a secure connection to application infrastructure can be established.
As an example of why the software-defined perimeter is needed, he pointed to the current "one-click experience" of mobile apps, where users expect an instantaneous response from an app. This method of connection obviously provides benefits in terms of usability, Islam said, but it also makes the application infrastructure relatively easy to attack. Instead, the CSA wants to create a need-to-know network based on the best ideas in cryptography and processes to secure the app infrastructure, while maintaining the performance that users demand.
"So now, when you hit that button, from a user perspective, nothing is different. But when the phone connects in, it identifies itself to the perimeter because it's easy to do that on a phone. We can look at a serial number, the GPS location and the identity which might be cached in the mobile app," Islam said. "The perimeter verifies that and then redirects the phone to the perimeter from where it can access the application infrastructure."
With such an architecture in place, the configuration for a VPN would only be provided after both the user and device have been identified, he said, which helps mitigate the three broad types of attacks that the working group is focused on eliminating: denial-of-service (DoS) attacks, man-in-the-middle attacks and the Open Web Application Security Project (OWASP) Top 10 Web application vulnerabilities. DoS attacks, for example, are restricted by such a model because each device is given access one at a time.
Islam emphasized that one of the benefits of the need-to-know network model is that the user is never given the actual location of the identity system. Instead, the identity is sent to a relay node, which then moves the identity to the real system and receives the subsequent approval. The big difference between the authentication processes in place at most enterprises and SDP, Islam explained, is the "logical flow."
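As an added illustration of the need-to-know flow described above (this is neither the CSA's specification nor Vidder's code), the following Python models a default-deny gateway, a relay that hides the identity system's address from the client, and a grant that is bound to both device serial and user and stands in for the VPN configuration handed out only after verification; the enrollment table, the shared secret and the grant format are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed enrollment table: device serial -> the user expected on that device.
ENROLLED = {"SN-0001": "alice", "SN-0002": "bob"}
# Constructed secret shared by the identity system and the gateway (assumption).
SECRET = b"constructed-demo-secret"

@dataclass
class Grant:
    """Approval issued by the identity system; stands in for the 'VPN configuration'."""
    serial: str
    user: str
    expires_at: float
    mac: str

def _mac(serial: str, user: str, expires_at: float) -> str:
    msg = f"{serial}|{user}|{expires_at:.3f}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

class IdentitySystem:
    """Verifies device and user together; clients never learn where it lives."""
    def approve(self, serial: str, user: str, now: float, ttl: float = 60.0):
        if ENROLLED.get(serial) != user:
            return None  # unknown device, or the wrong user on a known device
        exp = now + ttl
        return Grant(serial, user, exp, _mac(serial, user, exp))

def relay_submit(identity_system: IdentitySystem, serial: str, user: str, now: float):
    """Client-facing relay: forwards the claim and returns the decision, hiding the real system."""
    return identity_system.approve(serial, user, now)

class Gateway:
    """Default-deny perimeter: a device can connect only after a valid grant names it."""
    def __init__(self):
        self._admitted: dict = {}

    def admit(self, grant: Grant, now: float) -> bool:
        expected = _mac(grant.serial, grant.user, grant.expires_at)
        if not hmac.compare_digest(expected, grant.mac) or grant.expires_at <= now:
            return False  # forged, tampered or expired grant
        self._admitted[grant.serial] = grant  # access is opened one device at a time
        return True

    def connect(self, serial: str, user: str, now: float) -> bool:
        g = self._admitted.get(serial)
        return g is not None and g.user == user and g.expires_at > now
```

Before a grant is admitted the gateway answers nothing for any serial, which is the "blacked out" behaviour the article describes; a grant copied onto a different device fails the MAC check.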
"The logic is super simple," he said, noting, "It's just hard for hackers to know exactly what's going on because everything is blacked out."
Islam was quick to admit that the proposed SDP methodology would not eliminate all attacks, such as those based on rooted devices of authorized users. Instead, the working group is focused on the three aforementioned groups of attacks, which he said make up the bulk of those currently targeting application infrastructures.
"What [the software-defined perimeter] will do is really reduce the attack surface with a high confidence. It won't zero it out," Islam said. "It will really help shrink that footprint quite considerably."
In fact, the CSA plans to hold a "hack-a-thon" at the 2014 RSA Conference in San Francisco, where a number of assets will be placed in the cloud and secured via SDP. Then, attendees will have the opportunity to crash the cloud or steal the data using standard attack tools.
"We kind of want to prove it to people," Islam said of the SDP initiative.