August 17, 2020
Zero Trust Security in Software Defined Perimeters
In the era of work from home, cloud computing, mobile devices and IoT, the network security perimeter is gradually disintegrating, and internal and external threats are intensifying, leading to the failure of the traditional perimeter-based security architecture. Therefore, the need for a Software Defined Perimeter (SDP) has never been greater. A user-based Zero Trust Network (ZTN) security architecture is required to support this new security model.
Why Move to SDP and Zero Trust Networks
Why are current hardware-based security perimeters, along with the assumption that threats are outside and the safe zone is inside, completely inadequate to secure companies today? Here are two big reasons:
- Almost everything has moved to the cloud. See the list below.
- Security focused on devices or IP addresses instead of users won’t work in today’s environment, where everyone works on multiple devices and spends large amounts of time outside your network.
New Threats as We Move to the Cloud
Here is a list of what has changed in our corporate environments, necessitating a change in our security. Virtually everything is moving to the cloud, with users using multiple devices as they work. How can you visualize, control, and secure a distributed cloud-based environment with a hardware security perimeter alone? It can’t be done.
- People work from multiple devices
  - Work PC, home PC, laptops, pads, phones, watches?
- Work from home
  - A high percentage of employees now work from home
  - Must access corporate assets securely
  - Access cloud applications
  - Use and may store company data on home systems and in the cloud
- Servers in public cloud data centers
  - Need to control user access
  - Corporate data stored in public data centers needs to be protected
- 3rd party cloud applications
  - Apps like Microsoft 365, Salesforce, marketing apps, engineering apps and Box apps are the norm, not the exception
  - Need to control user access
  - Need to control usage of corporate data stored in 3rd party clouds
- Mobile devices
  - Operate inside and outside corporate networks; email and other data reside on phones and on cloud servers
- IoT devices
  - Use non-standard operating systems; operate on cellular, home and corporate networks, usually on Wi-Fi; may not even be detected by traditional security
- Work on the road
  - Same issues as home users, plus working on “other’s networks”
Software Defined Perimeters for a Cloud Enabled World
The SDP zero trust security architecture establishes a dynamic, user-identity-based perimeter that is built to support the cloud, is scalable, and utilizes a zero trust architecture.
The purpose is to extend security to provide a secure perimeter that includes decentralized IT assets that have moved outside the corporate infrastructure into the cloud.
A Software Defined Perimeter provides an on-demand, dynamically provisioned, air-gapped network with segmentation of network resources that mirrors a physically defined network perimeter but operates in software rather than via an appliance. Users and devices are authenticated before authorizing any user/device combination to securely connect to any isolated service.
Zero Trust Networks & Zero Trust Security
Zero Trust Networks are defined generally as networks where no person/device or application should be trusted by default. Networks are assumed to be hostile. Threats exist internally and externally and where you are in the network does not define whether you should be trusted.
Trust should be based upon the user and the privileges that user is assigned, and those privileges travel with the user wherever they go.
Some basic tenets of zero trust are:
- User based identities, not IP based
- All network participants (users, devices, applications) must be identified before being authorized.
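The difference between the perimeter model and the zero trust tenets above is easiest to see as two access-decision rules evaluated side by side. The following is an added example, not code from the original article or from any vendor it names: a minimal policy evaluator in which the legacy rule trusts any source address inside the corporate LAN, while the zero trust rule ignores location and requires an authenticated identity, a role entitled to the service and, where the policy demands it, a managed-device posture claim, with every service default-deny until provisioned (the "dark" service behaviour an SDP controller enforces before any connection is brokered). The LAN range, service names, roles and request samples are all constructed for illustration.

```python
"""Added example: perimeter-based versus zero-trust access decisions.

Everything below (LAN range, services, roles, sample requests) is constructed
for illustration; it is not the article's or any vendor's code.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed: the address range a legacy perimeter firewall treats as "inside".
CORPORATE_LAN = ip_network("10.0.0.0/8")

# Constructed per-service policy. A service absent from this table is "dark":
# nothing may connect to it, which is the SDP default.
SERVICE_POLICY: Dict[str, dict] = {
    "payroll": {"roles": {"finance"}, "require_managed_device": True},
    "wiki": {"roles": {"finance", "eng"}, "require_managed_device": False},
}


@dataclass(frozen=True)
class AccessRequest:
    source_ip: str
    service: str
    user: Optional[str] = None            # None: no authenticated identity presented
    roles: FrozenSet[str] = frozenset()   # roles bound to the authenticated user
    device_managed: bool = False          # posture claim from device attestation


def perimeter_decision(req: AccessRequest) -> bool:
    """Legacy rule: location is identity. Anything inside the LAN is trusted."""
    return ip_address(req.source_ip) in CORPORATE_LAN


def zero_trust_decision(req: AccessRequest) -> Tuple[bool, str]:
    """Identity-first rule: source address plays no part in the decision."""
    policy = SERVICE_POLICY.get(req.service)
    if policy is None:
        return False, "unknown service: default deny"
    if req.user is None:
        return False, "no authenticated identity"
    if not (req.roles & policy["roles"]):
        return False, f"user {req.user} holds no role entitled to {req.service}"
    if policy["require_managed_device"] and not req.device_managed:
        return False, "device posture insufficient for this service"
    return True, f"{req.user} authorized for {req.service}"


def evaluate_samples() -> Dict[str, Tuple[bool, bool]]:
    """Run constructed requests through both models.

    Returns {label: (perimeter_allows, zero_trust_allows)} so the two rules can
    be compared request by request.
    """
    samples = {
        # Unauthenticated host on the LAN: perimeter says yes, zero trust says no.
        "inside_lan_no_identity": AccessRequest("10.1.2.3", "payroll"),
        # Finance user at home on a managed laptop: location no longer matters.
        "remote_finance_managed": AccessRequest(
            "203.0.113.7", "payroll", "alice", frozenset({"finance"}), True),
        # Same user on an unmanaged device: identity alone is not enough.
        "remote_finance_byod": AccessRequest(
            "203.0.113.7", "payroll", "alice", frozenset({"finance"}), False),
        # Engineer reaching a service that does not require managed posture.
        "remote_eng_wiki": AccessRequest(
            "198.51.100.9", "wiki", "bob", frozenset({"eng"}), False),
        # Engineer on the LAN asking for payroll: trusted by location only.
        "inside_eng_payroll": AccessRequest(
            "10.9.9.9", "payroll", "bob", frozenset({"eng"}), True),
    }
    return {
        label: (perimeter_decision(req), zero_trust_decision(req)[0])
        for label, req in samples.items()
    }


if __name__ == "__main__":
    print(f"{'request':26} {'perimeter':>10} {'zero trust':>11}")
    for label, (peri, zt) in evaluate_samples().items():
        print(f"{label:26} {str(peri):>10} {str(zt):>11}")
```

The two columns disagree on every request in which location and identity point in different directions, which is exactly the gap the article describes: the perimeter rule admits an unauthenticated LAN host to payroll and turns away a properly authenticated finance user at home, while the zero trust rule does the reverse and additionally refuses the same user on an unmanaged device.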
A zero trust network is a very broad statement covering all network traffic, servers, users, applications and devices.
Companies like Unisys with their Stealth product line offer a broad solution to implement and manage the entire internal and external zero trust network.
Products like Stealth provide:
- Zero trust
- Micro segmentation
- Entire network visibility
- Secure communication
Many security vendors now use the term zero trust to refer to their specific corner of security as though it were sufficient to create a ZTN. The reality is that a Zero Trust Network as part of a Software Defined Perimeter is a complete system in which all components participate in the overall ZTN. So, beware of firewall vendors or other security vendors who use the term zero trust, since their solution would only be part of the overall solution. While firewalls can implement a zero trust set of rules, those rules only apply to that specific network gateway and not to the entire company’s internal and external (cloud-based) network.
Contact eSecurity Solutions to learn more about Software Defined Perimeters and Zero Trust Networks. We can help you assess your needs and the best combination of solutions to meet your security objectives.