Cities around the world participated in blackout drills during World War II. Street lights were turned off, automobile headlights were dimmed, and windows were covered with heavy curtains, blankets or blinds. The idea was that enemy bombers would not be able to accurately target what they couldn’t see.
This simple logic is at the heart of the software-defined perimeter (SDP), a security approach in which network segments are cryptographically “blacked out” from the rest of the infrastructure. Sensitive information cannot be detected by unauthorized users, which dramatically diminishes the opportunities for network attacks.
Time-honored defenses such as VPNs, firewalls and intrusion prevention systems have focused on creating a defensive barrier between the network and the open Internet. The problem is that the continued decentralization of the network through cloud and mobile technologies has created too many gaps to plug.
Gartner has noted that VPNs “were designed for networks of the 1990s” and have become essentially obsolete because they provide only narrow protection for remote users. In a November 2017 report, the analyst firm predicted that by 2021, 60 percent of enterprises will phase out network VPNs in favor of software-defined perimeters.
One particular shortcoming with VPNs is that they provide all-or-nothing network access. Once someone is verified at the perimeter and allowed access to a network segment — whether legitimately or through a malicious attack — they gain the ability to see and potentially access everything within the network.
However, an SDP creates a virtual “air-gapped” network in which unauthorized segments are simply not visible on the network at all. If they can’t be seen, they can’t be compromised.
This invisible infrastructure is created by strictly controlling network access not just with user authorization, but also with session-specific controls based on contextual variables. These variables can include the user’s identity, the user’s location, the time of day, the type of device being used, whether the device is running security software, and many more.
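To make the contextual, default-deny decision concrete, here is an added illustration (not SageNet's product code or any SDP vendor's API) of a per-segment policy check. The segment names, group names and rule values are constructed; each session is evaluated against every rule, and a segment the session fails any rule for is simply left out of the list the user can see.

```python
from dataclasses import dataclass
from datetime import time

# Constructed session context: the variables the post lists (identity,
# location, time of day, device type, whether security software is running).
@dataclass(frozen=True)
class SessionContext:
    user: str
    groups: frozenset
    location: str            # "office", "home", "unknown"
    device: str              # "managed-laptop", "byod-phone"
    endpoint_protection: bool
    mfa_passed: bool
    local_time: time

# Per-segment policy. Default deny: a segment becomes visible only when
# every rule below passes for this particular session.
@dataclass(frozen=True)
class SegmentPolicy:
    name: str
    groups: frozenset
    locations: frozenset
    managed_device_only: bool
    endpoint_protection_required: bool
    mfa_required_offsite: bool
    window: tuple            # (start, end) local time, inclusive

def evaluate(policy: SegmentPolicy, ctx: SessionContext) -> tuple:
    """Return (allowed, reason); the first failing rule explains a denial."""
    if not (policy.groups & ctx.groups):
        return False, "identity: user not in an authorized group"
    if ctx.location not in policy.locations:
        return False, f"location: {ctx.location!r} not permitted"
    if policy.managed_device_only and ctx.device != "managed-laptop":
        return False, f"device: {ctx.device!r} is not a managed device"
    if policy.endpoint_protection_required and not ctx.endpoint_protection:
        return False, "device: endpoint protection not running"
    if policy.mfa_required_offsite and ctx.location != "office" and not ctx.mfa_passed:
        return False, "auth: MFA required for remote access"
    start, end = policy.window
    if not (start <= ctx.local_time <= end):
        return False, "time: outside permitted window"
    return True, "all contextual checks passed"

def visible_segments(policies, ctx: SessionContext) -> list:
    """Segments this session may even see; denied segments are absent."""
    return [p.name for p in policies if evaluate(p, ctx)[0]]

# Constructed policies: a cardholder-data environment and a general wiki.
POLICIES = (
    SegmentPolicy("cde", frozenset({"pci-analysts"}), frozenset({"office", "home"}),
                  True, True, True, (time(7, 0), time(19, 0))),
    SegmentPolicy("wiki", frozenset({"staff", "pci-analysts"}),
                  frozenset({"office", "home", "unknown"}), False, False, True,
                  (time(0, 0), time(23, 59))),
)
```

The same analyst on a managed laptop sees both segments, while on a personal phone the cardholder segment is not listed at all, which is the "blacked out" behaviour the post describes.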
SDP solutions go even further, providing additional security controls at the content level within a secured network segment. Even after a user is authenticated, classification and encryption tools ensure that only those with proper access can see and access sensitive data. Content-level controls can also dictate what actions a user can and cannot take with data — for example, whether data can be downloaded or attached to an email. Logging mechanisms allow tracking, alerting and analysis of any anomalies.
These functions also provide significant compliance capabilities. For instance, an SDP addresses Payment Card Industry Data Security Standard (PCI DSS) guidelines with network segmentation that isolates cardholder data from the rest of the network. It also supports PCI DSS Requirement 7 for restricting access to cardholder data on a “need to know” basis, and Requirement 8 for properly authenticating users and incorporating multifactor authentication for remote access.
SageNet offers a comprehensive suite of security solutions and services to not only help organizations comply with PCI mandates but achieve an enterprise-wide culture of information security. Our SDP managed service enables secure authentication to enforce “zero trust” network- and application-level access controls. Let us show you how “blacking out” segments of the network can protect cardholder data and other sensitive assets by preventing attackers from seeing their targets.