CSA says Software Defined Perimeter will use cloud against hackers
The Cloud Security Alliance (CSA), a not-for-profit organisation creating and promoting best practice for security in cloud computing, has unveiled a new initiative called the Software Defined Perimeter, a project focusing on developing end-to-end network security for cloud-based applications. The CSA told Business Cloud News that the initiative will test novel security methods that, while making use of tried and tested techniques, have never been implemented.
According to the CSA the Software Defined Perimeter (SDP) is a collaboration between end users of cloud technologies, largely made up of members of the CSA’s Enterprise User Council, and a handful of large security vendors.
The goal of the project is to develop a framework of security controls that “mitigates network-based attacks on internet-accessible applications by eliminating connectivity to them until devices and users are authenticated and authorised.”
“It is critical to the future of cloud technology that it is demonstrably more secure than legacy IT systems,” said Bob Flores, former chief technology officer of the CIA and chief executive officer of Applicology Incorporated. “SDP is an important component to allow both cloud providers and customers to secure applications all the way from the back end to the consumer device, and we look forward to working with some of the world’s largest enterprises on its development.”
Junaid Islam, founder and chief technology officer of Vidder, one of the coordinators of the new initiative, said that the goal of the initiative was to use the cloud as the first line of defence against hackers – an interesting approach given recent high-profile debates about data privacy and security in the cloud.
“What if we could use the cloud as a perimeter to protect your application in the cloud – and not just protect your application, but protect your datacentre as well?”, Islam said.
Islam explained that datacentre operators can point their datacentre routers to the cloud, so all of the users coming in off the public internet have to go through the cloud – where an identity authentication and management application would reside, only releasing addresses to application servers once identity is verified. Once authorisation is completed the application could automatically set up a separate VPN that can only be used by that user, a model commonly referred to in the public sector as “need to know” architecture. This isn’t how cloud-based applications are typically accessed today – DNS addresses are broadcast to legitimate and nefarious users alike, which exposes application infrastructure to cyber-attacks.
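The authenticate-then-release flow Islam describes, reduced to a small Python model (an added illustration, not CSA or Vidder code): the user store, enrolled device fingerprints and application addresses are constructed sample data, and an HMAC-signed token stands in for the identity system. The device fingerprint check is a stand-in for the certificate-based mutual TLS the article mentions.

```python
"""Toy model of the Software Defined Perimeter flow: no application address
is disclosed until both the user and the device are verified (constructed)."""
import hashlib
import hmac
import os
import time

# Constructed enrolment data, not real credentials or infrastructure.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
DEVICE_FINGERPRINTS = {"alice": {"sha256:aa11"}}   # enrolled device certs
APP_ADDRESSES = {"payroll": "10.0.5.20:8443"}       # never published in DNS
CONTROLLER_KEY = os.urandom(32)                     # controller's token key


def _sign(payload: str) -> str:
    return hmac.new(CONTROLLER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def authenticate(user, password, device_fp, now=None, ttl=300):
    """Verify user + device; return a signed, time-limited token or None."""
    now = int(now if now is not None else time.time())
    presented = hashlib.sha256(password.encode()).hexdigest()
    pw_ok = hmac.compare_digest(USERS.get(user, ""), presented)
    if not (pw_ok and device_fp in DEVICE_FINGERPRINTS.get(user, set())):
        return None   # default deny: the caller learns nothing about any app
    payload = f"{user}|{device_fp}|{now + ttl}"
    return payload + "|" + _sign(payload)


def release_address(token, app, now=None):
    """Disclose an application address only for a valid, unexpired token."""
    now = int(now if now is not None else time.time())
    try:
        user, device_fp, exp, mac = token.split("|")
    except (AttributeError, ValueError):
        return None   # missing or malformed token
    payload = f"{user}|{device_fp}|{exp}"
    if not hmac.compare_digest(mac, _sign(payload)) or now >= int(exp):
        return None   # forged or expired token
    addr = APP_ADDRESSES.get(app)
    if addr is None:
        return None
    # The address is returned bound to the verified user and device, modelling
    # the per-user "need to know" tunnel that only that identity may use.
    return {"user": user, "device": device_fp, "address": addr}
```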
The essential idea with the SDP initiative is to take a set of ideas, processes and procedures, and pull them together in a standard reference architecture or model for cloud service providers to implement. It will involve the use of the best in new standards, which can often be a big barrier for enterprises that need to come to grips with them in order to stay ahead of hackers, and the models developed through SDP will be made freely available.
“Think about NIST, they’re recommending the use of mutual authentication of TLS (Transport Layer Security). But one of the things it requires is certificates, both on the server and the device side, which implies the requirement of a public key infrastructure, which many enterprises either don’t have or aren’t familiar with,” Islam explains. “We want to make sure we have a model and a common framework for implementing these things that have proven security benefits, one that enterprises and cloud service providers can follow to the benefit of both parties.”
“If you think about the nature of this stuff, it’s not that we don’t know how to mitigate these attacks – it’s just really hard. If you think about everything that enterprises have to do in terms of cryptography, identity systems, verifying device adaptation, geolocation – it’s hard even for big companies with lots of IT staff,” Islam said.
“But if we implement all of the best ideas as a cloud service, we have the ability to really change the dynamics between enterprises and cyber-attackers,” he concluded.