CSA to open source software defined perimeter “sometime this year”
After a successful hackathon last week that saw its Software Defined Perimeter (SDP) network remain unbreached, the Cloud Security Alliance’s (CSA) executive director Jim Reavis revealed that the organisation is on track to release an open source version of the framework “sometime this year.”
Since November 2013 the CSA has been coordinating research into an architecture it calls the Software Defined Perimeter, an initiative led by Bob Flores, former chief technology officer of the CIA and president at Applicology Inc., and Junaid Islam, founder and chief technology officer of Vidder Technology, with participation from several large security vendors, enterprises and cloud service providers.
When it was first announced, Islam explained to Business Cloud News that the architecture essentially works by allowing datacentre operators to point their routers to the cloud, so that all users coming off the public internet have to go through a cloud-based identity authentication and management application, which only reveals the addresses of application servers once the user's identity is verified.
Once authorisation is complete, the application could automatically set up a separate VPN that can only be used by that user. It is a model commonly referred to in the public sector as a "need to know" architecture.
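As an added illustration of the flow just described (this is not CSA code, nor the working group's prototype), the model below simulates a default-deny gateway in front of two application servers and a controller that verifies the caller, applies need-to-know policy, and only then provisions an ephemeral, single-user tunnel. The user secrets, policy table, server addresses and the HMAC-based credential check are all assumptions constructed for the example; the tunnel token stands in for the per-user VPN.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the CSA): per-user enrolment secrets a real
# deployment would keep in its identity provider, the policy saying which
# application each identity may see, and the servers' never-published addresses.
USER_SECRETS = {
    "alice": b"alice-enrolment-secret",
    "bob": b"bob-enrolment-secret",
}
POLICY = {
    "alice": {"hr-portal", "payroll"},
    "bob": {"hr-portal"},
}
APP_SERVERS = {
    "hr-portal": "10.20.0.11:443",
    "payroll": "10.20.0.12:443",
}


def _mac(secret, user, nonce, app):
    """HMAC-SHA256 over the request fields; an assumed stand-in for whatever
    credential the identity application actually checks."""
    return hmac.new(secret, f"{user}:{nonce}:{app}".encode(), hashlib.sha256).hexdigest()


class Gateway:
    """The 'dark' side: a default-deny gateway in front of the application
    servers. It answers only over a tunnel the controller provisioned, so an
    unauthenticated client never learns that a server exists."""

    def __init__(self, servers, ttl=60):
        self._servers = servers
        self._ttl = ttl            # tunnel lifetime in seconds (ephemeral)
        self._tunnels = {}         # token -> (user, app, expiry)

    def open_tunnel(self, user, app, now):
        """Provision a single-user, single-resource tunnel with an expiry."""
        token = secrets.token_hex(16)
        self._tunnels[token] = (user, app, now + self._ttl)
        return token

    def connect(self, token, app, now):
        """Return the backend address, or None (silently dropped) when the
        tunnel is unknown, expired, or bound to a different resource."""
        entry = self._tunnels.get(token)
        if entry is None:
            return None
        _, bound_app, expiry = entry
        if now >= expiry:
            del self._tunnels[token]   # ephemeral: torn down on expiry
            return None
        if app != bound_app:
            return None
        return self._servers[app]


class Controller:
    """The identity authentication and management application: verifies the
    caller, applies need-to-know policy, and only then has the gateway open a
    per-user tunnel. On any failure it reveals nothing, not even an address."""

    def __init__(self, gateway, secrets_db, policy):
        self._gateway = gateway
        self._secrets = secrets_db
        self._policy = policy
        self._seen_nonces = set()  # replay protection for auth requests

    def authorise(self, user, nonce, mac, app, now):
        secret = self._secrets.get(user)
        if secret is None or not hmac.compare_digest(_mac(secret, user, nonce, app), mac):
            return None            # unknown user or bad credential
        if nonce in self._seen_nonces:
            return None            # replayed request
        self._seen_nonces.add(nonce)
        if app not in self._policy.get(user, set()):
            return None            # authenticated, but no need to know
        return self._gateway.open_tunnel(user, app, now)


def client_request(user, app, nonce=None):
    """Build what an enrolled client sends to the controller."""
    nonce = nonce or secrets.token_hex(8)
    return user, nonce, _mac(USER_SECRETS[user], user, nonce, app)


def run_scenario():
    """Exercise the flow; returns the outcome of each step for inspection."""
    gw = Gateway(APP_SERVERS, ttl=60)
    ctl = Controller(gw, USER_SECRETS, POLICY)
    out = {}
    # 1. An unauthenticated scanner guessing at the gateway sees nothing.
    out["probe"] = gw.connect("guessed-token", "payroll", now=0)
    # 2. alice authenticates for payroll and gets a tunnel to that server alone.
    user, nonce, mac = client_request("alice", "payroll", nonce="n1")
    token = ctl.authorise(user, nonce, mac, "payroll", now=0)
    out["alice_payroll"] = gw.connect(token, "payroll", now=10)
    out["alice_wrong_app"] = gw.connect(token, "hr-portal", now=10)
    # 3. Replaying alice's captured request yields no second tunnel.
    out["replay"] = ctl.authorise(user, nonce, mac, "payroll", now=11)
    # 4. bob is a valid identity but is not entitled to payroll.
    user, nonce, mac = client_request("bob", "payroll", nonce="n2")
    out["bob_payroll"] = ctl.authorise(user, nonce, mac, "payroll", now=12)
    # 5. A credential forged under the wrong secret fails before policy is consulted.
    out["forged"] = ctl.authorise("alice", "n3", _mac(b"wrong", "alice", "n3", "payroll"), "payroll", now=13)
    # 6. The tunnel is ephemeral: once the TTL has passed it no longer answers.
    out["expired"] = gw.connect(token, "payroll", now=61)
    return out
```

The point the model makes is the one Islam and Reavis describe: every path to an application server runs through the controller, the gateway answers nothing it was not told to expect, and what an authorised user receives is bound to one identity, one resource and a short lifetime. A real deployment would replace the HMAC check with its identity provider and the token with a VPN or mutually authenticated TLS session, but the ordering (authenticate, authorise, then reveal) is what makes the network "dark" to a scanner.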
“We’ve progressed this from an initial framework to some of the people in that working group creating a working prototype of the system, which basically takes that military-grade dark network and reworks it to create both commercial and open source implementations,” Reavis said, adding that none are willing to go on record quite yet.
“We expect more detailed specification and a release of an open source package sometime this year that will allow the industry and anyone really to create their own highly secure military style network that basically makes their network dark, and creates highly dynamic, ephemeral VPN connections when you need to access a resource,” he said.
Reavis continued: “There are still things we need to solve. We have to figure out how we can roll this out in an agile way, so applications on smartphones and new cloud services can take advantage of this. That’s a big reason why we’re trying to introduce this as open source code, so more of the burgeoning internet can implement it.”
The framework was sketched out in a whitepaper published in December last year, which said that the architecture was being designed to be highly complementary to software defined networking, using the decoupling of the network and hardware layers to its advantage.
“We think it’s a good model for when the world increases to the hundreds of billions of devices. The real question is how are we going to re-architect large portions of the internet to dark or invisible IPs? Especially when a lot of these connected devices will be very cheap and won’t have substantial embedded security controls,” he said.
“We have to plan for this and look at the model the bad guys are using as guidance: having resources visible, enumerating resources, and planning their attack. This idea of ‘you only have visibility to sources you have access to’ is a much more scalable model on protecting that growth,” he concluded.