This column is available in a weekly newsletter called IT Best Practices.
It's a frequent debate: "The perimeter is dead" versus "The perimeter isn't dead yet." I guess it all depends on how you define "perimeter." I think most of us would agree that the traditional network perimeter is so porous that it could be declared terminally ill, if not dead. Bad guys slip inside easily through methods like spear phishing and stolen credentials.
But what if we redefined the perimeter to be extremely narrow: a layer of protection around just the most important assets, such as a high-value business application? The protection is so tight that not only are the bad guys kept out, but the good guys are as well. That is, until the good guys are carefully authenticated and authorized in a way that effectively locks out the bad guys for good. It's called a Software Defined Perimeter, and it's the next phase of security for high-value assets.
The Cloud Security Alliance has a working group that is defining the specifications for Software Defined Perimeter. One of the leading contributors to the working group, and one of the first vendors to market with a viable solution, is Vidder. The company's PrecisionAccess solution shrinks the perimeter down to a single application, and then provides secure connectivity only to a select group of authorized users and their specific devices.
The solution helps to prevent attacks based on server exploitation, stolen credentials and connection hijacking. It incorporates elements of many security technologies, including PKI, NAC, identity management, firewalls and VPN to create a universal tool that provides connectivity independent of where the application is, who the user is, and what device he is working on. Moreover, it is largely transparent to end users, so it doesn't disrupt their way of work.
Vidder's PrecisionAccess is comprised of three software components (see figure).
The architecture of the Vidder PrecisionAccess Software Defined Perimeter solution
The blue arc on the right side of the diagram represents a private security gateway that screens access to the protected application. The blue square with the red and green arrows is the controller that arbitrates connectivity between end users and the applications. The third solution component is a small piece of software that goes onto the devices of authorized users. There is an initialization process that puts unique cryptographic artifacts on each device when the software is installed.
An icon appears on the device when the software is installed. To initiate access to a secured application, the end user chooses the icon. It feels a bit like initiating a VPN client, but it's different from a VPN client in that each installation of the software is unique, sort of like DNA, with a unique cryptographic signature for each device. When the user clicks the icon, the client sends a connection request to the controller rather than to the application directly. The client doesn't even know how to connect directly to the protected application because there is no DNS entry for the application, or it is well hidden.
The client applies for connectivity to the controller by presenting its unique cryptographic signature to the controller. The controller has a finite list of users who are trusted and authorized and devices that are registered. The controller looks up the client making the request for connection against its white list. If that device isn't on the list, the controller just drops the packet and no connection is made. If the device is on the list and the controller sees its single packet authorization (SPA), then a mutual TLS connection is established and a handshake allows the device and the controller to exchange certificates.
Next the user is authenticated, typically through SAML, leveraging the identity provider (IdP) and the backend identity management system of the enterprise. The controller redirects the client to a particular IdP; the IdP connects to an IAM system such as Active Directory and runs the authentication process. If that's successful, it provides a SAML assertion that the client presents to the controller. The controller now knows it's dealing with a properly authenticated user, and then determines whether the authorized device is associated with that user. Once that's done, the controller enables a direct connection between the user and the desired service.
Despite all those steps, the user still can't penetrate the application's perimeter until the gateway is told to anticipate the user's connection and then confirms that connection through unique signatures. There is a further handshake to create a mutual TLS connection, PrecisionAccess checks a few more parameters in the background, and then the application flow can begin. It sounds very detailed and complex, but it takes only a few seconds, and the user is completely unaware of all the mechanisms used to authenticate him and his device.
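The admission sequence described above, modelled as an added Python example (not Vidder's code or protocol format): the controller silently drops requests from unregistered devices, verifies a per-device SPA tag, binds the SAML-asserted user to the device, and only then tells the gateway to expect a single connection. The device keys, user names and application names are constructed sample data, and the SPA tag is a plain HMAC standing in for the client's unique cryptographic signature.

```python
import hmac
import hashlib

# Constructed sample data (not real keys or identities).
DEVICE_KEYS = {"dev-laptop-01": b"constructed-key-for-laptop-01"}  # registered devices only
DEVICE_OWNER = {"dev-laptop-01": "alice"}                          # device-to-user binding
USER_APPS = {"alice": {"payroll"}}                                 # user -> authorized applications


def spa_tag(device_id: str, key: bytes, ts: int) -> str:
    """Single packet authorization tag: HMAC over device id and timestamp."""
    return hmac.new(key, f"{device_id}|{ts}".encode(), hashlib.sha256).hexdigest()


class Gateway:
    """Accepts only connections the controller announced, and each only once."""
    def __init__(self):
        self.expected = set()

    def expect(self, device_id: str, app: str) -> None:
        self.expected.add((device_id, app))

    def accept(self, device_id: str, app: str) -> bool:
        if (device_id, app) in self.expected:
            self.expected.discard((device_id, app))   # one announcement, one connection
            return True
        return False                                  # unannounced traffic is refused


def controller_admit(device_id, ts, tag, user, app, now, gw, window=30):
    """Return (decision, reason). 'drop' means no reply at all, as for an unknown device.

    `user` is the identity the IdP asserted via SAML after the mutual TLS handshake;
    that exchange is assumed to have already happened and is not modelled here."""
    key = DEVICE_KEYS.get(device_id)
    if key is None:
        return ("drop", "device not registered")      # default deny: unknown devices get silence
    if abs(now - ts) > window:
        return ("drop", "stale SPA")                  # limits replay of a captured packet
    if not hmac.compare_digest(spa_tag(device_id, key, ts), tag):
        return ("drop", "bad SPA")
    if DEVICE_OWNER.get(device_id) != user:
        return ("deny", "device not bound to this user")   # stolen password on another device fails
    if app not in USER_APPS.get(user, set()):
        return ("deny", "user not authorized for app")
    gw.expect(device_id, app)                         # gateway told to anticipate this one connection
    return ("allow", "gateway told to anticipate connection")
```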
The end result is that a bad guy cannot circumvent this whole process by simply stealing someone's credentials or device, or hijacking a connection by placing a man in the middle of the connection. A typical use for Software Defined Perimeter is preventing unauthorized access to applications through phishing, a top security concern in most organizations. To access a Software Defined Perimeter-protected application, the bad guy needs not only a user's password but also his authorized device.
Another use case is to share an application with people in an ecosystem—employees, contractors, consultants, supply chain partners, etc. Rather than providing outsiders access to the broader network, a company can limit access to just a specific application. They would have no visibility to anything else within the greater infrastructure.
Yet another use case is to enable BYOD. A company can provide access to certain applications – and nothing else – via workers' personally owned devices. This way the company doesn't have to manage the entire device. It simply installs a small piece of software on the worker's device and the rest is all done in software.
Vidder offers this entire solution as a single-tenant service via the cloud, as well as on-premises. Vidder deploys the controller and the application gateways, helps a company deploy the device-based software, and assists in setting up the application interface to the gateway and the interface to the identity management system and/or single sign-on system. Vidder manages the solution to minimize the need for support resources.
Today's networks are too porous to be a secure perimeter. By reducing the surface that needs to be protected to a single application, it's easier to apply very tight controls through Software Defined Perimeter techniques.