Securing a Moving Target: The Network Perimeter
In today’s fast-paced business landscape, it’s no longer enough to set up a traditional network perimeter. Cloud services, employee mobility and increased inter-organization collaboration mean that the trusted perimeter is extremely fluid and virtually meaningless. Security practitioners and CISOs can no longer count on extra hours on the job resulting in a secure network.
Something new is required – something that eliminates the idea of a trusted network inside or outside the corporate perimeter. Enter the “software-defined perimeter.”
Network Security is Falling Behind
The enterprise has changed – it’s no longer static. It’s dynamic. It’s no longer on-premises. It’s hybrid.
Today’s workforce no longer sits across from one another at a conference table or strikes up a chat at the water cooler. They are collaborating from different time zones, sitting in coffee shops, airport lounges, and even on their sofas, often using devices so small (and yet so powerful) that it makes desktops PCs seem clunky and quaint by comparison. While this is a benefit to workers everywhere, for the security teams tasked with securing the data and applications on the network, it’s a nightmare. Now, data stored in physical servers has been replaced by virtual ones, housed in centers owned and controlled by third parties.
The entry point for nearly all attacks, whether a result of software or human error (think clicking on a malicious attachment), is often a vulnerability on a network end-point. Regardless of how the breach occurs, they can be very damaging. Savvy criminals use port scanning for externally facing resources to identify easily exploitable vulnerabilities that allow lateral movement across the network, or access to another infrastructure entirely.
Criminals have discovered that, when pushing hard enough on virtual doors, they’ll get in. And, once in, they are free to meander through the network, stealing data and monetizing it for their gain.
Traditional network security tools – firewalls, VPNs, NACs – simply can’t manage and secure these hybrid environments. Organizations need to implement a new model that dynamically creates one-to-one network connections between users and the data they access.
The Software-Defined Perimeter
Securing these numerous combinations requires an approach that goes beyond simple authentication and takes into account such factors as device integrity and real-time user context. Additional levels of control, including multi-factor authentication, need to be applied to certain business-critical applications.
That’s why the new security model gaining support is the software-defined perimeter (SDP). It operates on one simple principle: Trust no one. It is based on a least privilege model of threat prevention and, in tandem, provides operational efficiency to move at the speed of DevOps. The premise is simple – while you can’t secure what you can’t see, the converse is also true – you can’t hack what you can’t see.
SDP takes an “authenticate first, connect second” stance that ensures only authorized users can connect to network resources. All endpoints attempting to access a given infrastructure are authenticated and authorized prior to being able to access any resources on the network. All unauthorized network resources are made invisible. This not only applies the principle of least privilege to the network, it also reduces the attack surface area by hiding network resources from unauthorized or unauthenticated users.
These session-based connections are both temporary and dynamic – they are provisioned when needed, and then torn down to prevent unauthorized access. SDP obscures communication over these connections with strong encryption inclusive of robust key management capabilities.
If an authorized endpoint device should become infected, SDP can help in two ways. First, because the SDP system hides all services that are unauthorized for each user, the attack surface from any given user’s device is minimized. Second, because the SDP platform runs atop the network, it can immediately detect any attempts by an infected device to scan, probe or traverse the network. And, it can respond by, for example, enforcing step-up authentication in real-time, to stymie an attacker.
SDP allows enterprises to apply least privilege access controls to individual user application connections, reducing the attack surface by making servers invisible to bad actors, and in doing so overcomes the constraints of traditional tools by effectively creating a dynamic, individualized perimeter for each user – a network segment of one.