
Creating the ‘Invisible Infrastructure’ with a Software-Defined Perimeter

Author: Luis R. Colon, CISSP, Information Security Manager | Friday, September 16, 2016 | Categories: Security Services


Numerous surveys reflect a growing reliance on cloud services, with organizations moving a broad range of applications and workloads to the cloud. No surprise there — after all, the cloud model has demonstrated a fantastic ability to facilitate simple, powerful and affordable solutions that resolve significant business challenges and deliver peace of mind.

However, the open, multitenant architectures of the cloud also come with unique security risks. Traditional network defenses such as firewalls and intrusion prevention systems (IPS) make decisions on ports, addresses and packet signatures rather than on application logic, so they frequently leave cloud applications exposed to attacks such as SQL injection and cross-site scripting, which arrive inside the HTTPS traffic those devices are configured to allow.

In a June 2016 report, cloud security firm Netskope noted that the share of enterprises finding malware in their sanctioned cloud apps nearly tripled, from 4.1 percent in Q4 2015 to 11.0 percent in Q1 2016. The majority of the malware detected involved JavaScript exploits and droppers (small loaders written to slip past antivirus and IPS and then fetch the real payload), which are increasingly used to deliver ransomware.

The increased targeting of web applications and multitenant cloud environments has led to a network security approach enforced in software rather than by traditional physical appliances. The software-defined perimeter (SDP) creates the virtual equivalent of an air gap: the protected environment does not answer anyone except users who have first been authenticated and authorized, and denies access to everyone else.

The SDP approach has evolved from work done at the U.S. Defense Information Systems Agency, and has been formalized as a specification published by the Cloud Security Alliance (CSA). It has recently been popularized by companies such as Google, with their BeyondCorp initiative, as well as several other enterprises active in CSA working groups.

In traditional security models, users are verified at the perimeter and then granted access to a network segment. Every other restricted segment is still present and visible on the network, which makes each one an identifiable target. In an SDP model, connectivity is granted on a need-to-know basis: the gateway silently drops traffic from anyone it has not authenticated, then dynamically creates an individualized network “segment of one” for each user containing only the services that user is authorized to reach. Applications and resources are abstracted from the underlying physical infrastructure, so unauthorized services simply do not appear on the network. A service that cannot be seen cannot be scanned, fingerprinted or attacked directly. The caveat is that a compromised device belonging to an authorized user still has whatever access that user was granted, so device authentication and per-service authorization remain part of the model rather than optional extras.
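The CSA's SDP specification builds this “dark” network on single-packet authorization (SPA): the gateway drops every packet unless it is preceded by a short, authenticated knock, and only after verifying the knock does it program a rule admitting that one client to the services it is authorized for. The Python sketch below is added here as an illustration of that flow; it is not code from the original post, SageNet, Cryptzone or the CSA. The per-device secrets, the policy table, the 30-second clock-skew window and the in-memory rule set are all constructed assumptions for the example; a real gateway would program a packet filter and hand the admitted client over to mutual TLS.

```python
"""Toy SDP gateway using single-packet authorization (SPA).

Illustrative code added to this post; it is not SageNet's, Cryptzone's or the
CSA's implementation. Assumptions: each enrolled device holds a shared secret,
an in-memory policy maps device ids to the services they may reach, knocks
older than SKEW_SECONDS are rejected, and "opening a rule" is modelled as
adding to a set rather than programming a packet filter.
"""
import hashlib
import hmac
import json
import os
import time

SKEW_SECONDS = 30  # assumed tolerance for clock drift between client and gateway

# Constructed enrolment data (assumed): one secret per enrolled device.
CLIENT_SECRETS = {
    "alice-laptop": b"2d6a9e1f0c4b8a7e5f3d1c2b9a8e7f60",
    "bob-laptop": b"9f8e7d6c5b4a39281706f5e4d3c2b1a0",
}

# Constructed policy (assumed): the "segment of one" each identity may reach.
POLICY = {
    "alice-laptop": {"erp.internal:443"},
    "bob-laptop": {"erp.internal:443", "git.internal:22"},
}


def build_spa_packet(client_id, secret, service, src_ip, now=None):
    """Client side: one datagram the gateway can verify before replying to anything."""
    body = {
        "client": client_id,
        "service": service,
        "src": src_ip,
        "ts": int(time.time() if now is None else now),
        "nonce": os.urandom(8).hex(),  # replay protection inside the skew window
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag


class SdpGateway:
    """Gateway side: drop by default, open a rule only after a valid knock."""

    def __init__(self, secrets, policy, now=None):
        self.secrets = secrets
        self.policy = policy
        self.seen_nonces = set()
        self.open_rules = set()  # (src_ip, service) pairs currently admitted
        self._now = now or time.time

    def handle_knock(self, packet, src_ip):
        """Return the (src_ip, service) rule opened, or None for a silent drop.

        Every failure path returns None and sends nothing back, so a scanner
        cannot distinguish the gateway from a host with no open ports.
        """
        try:
            payload, tag = packet.rsplit(b".", 1)
            body = json.loads(payload)
            client, service = body["client"], body["service"]
            src, ts, nonce = body["src"], body["ts"], body["nonce"]
        except (ValueError, KeyError, TypeError):
            return None  # not a well-formed knock
        if not isinstance(ts, int):
            return None
        if not all(isinstance(x, str) for x in (client, service, src, nonce)):
            return None
        secret = self.secrets.get(client)
        if secret is None:
            return None  # unknown identity: nothing to verify against
        expected = hmac.new(secret, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return None  # forged or tampered packet
        if abs(self._now() - ts) > SKEW_SECONDS:
            return None  # stale knock (captured earlier and resent)
        if nonce in self.seen_nonces:
            return None  # replay inside the time window
        self.seen_nonces.add(nonce)
        if src != src_ip:
            return None  # knock did not come from the address it vouches for
        if service not in self.policy.get(client, set()):
            return None  # authenticated, but not authorized for this service
        rule = (src_ip, service)
        self.open_rules.add(rule)
        return rule

    def is_reachable(self, src_ip, service):
        """What a later connection attempt sees: True only inside an opened rule."""
        return (src_ip, service) in self.open_rules


if __name__ == "__main__":
    gw = SdpGateway(CLIENT_SECRETS, POLICY)
    knock = build_spa_packet("alice-laptop", CLIENT_SECRETS["alice-laptop"],
                             "erp.internal:443", "203.0.113.10")
    print("alice:", gw.handle_knock(knock, "203.0.113.10"))
    print("scanner:", gw.handle_knock(b"SYN", "198.51.100.7"))
```

The point to notice is the shape of `handle_knock`: it has one success path and many identical failure paths, and none of the failures produce a response. A port scanner, a client with the wrong key, a replayed capture and an authenticated user asking for a service outside their policy all look the same from the outside, which is what makes the protected services invisible rather than merely closed.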

SDP solutions not only strengthen security, they also simplify it by removing much of the work of deploying and configuring traditional physical controls. At SageNet, we recently deployed Cryptzone’s AppGate SDP solution to lock down access to multitenant customer networks. By combining device authentication, identity-based access, a fixed perimeter and dynamically provisioned connectivity controls, AppGate lets us tighten access without increasing management complexity.

AppGate integrates with common identity management systems, including LDAP, Active Directory, RADIUS, SAML and ADFS. It also offers deployment flexibility: it can run as a hardware appliance, as an application or as a virtual network service. It can be rolled out incrementally to a small set of users or services first, and can be production-ready in a matter of days.

Cloud and multitenant computing models deliver significant business benefits, but exposing applications and services across the Internet carries risk. By creating an “invisible infrastructure” that answers only authenticated, authorized users, the software-defined perimeter is an elegantly simple way to protect key resources. Attackers can’t target what they can’t see.

