Concern about the security of cloud environments has impacted the adoption of cloud services since their inception. But an initiative recently launched by the Cloud Security Alliance (CSA) may help protect cloud infrastructure by developing more secure networks.
Dubbed the Software-Defined Perimeter (SDP), the initiative is a collaborative effort between security vendors and members of the CSA's Enterprise User Council. The vision is to develop a framework of security controls that takes some of the pain out of network security.
According to the CSA, the Software-Defined Perimeter leverages known security concepts such as federation, Secure Assertion Markup Language (SAML), Transport Layer Security (TLS), and geo-location in a bid to control and manage connectivity from any device to the cloud infrastructure.
"It takes a lot of time and energy to set up a secure network," said Junaid Islam, founder and chief technology officer of security vendor Vidder, and one of the initiative's participants. The long list of steps -- including setting up a PKI infrastructure to do device certs, which are then needed for mutual TLS, a federated identity system, and Web application firewalls -- overwhelms people, he said.
In the Software-Defined Perimeter, connectivity is based on a "need-to-know model in which device posture and identity is verified" before a user is granted access to application infrastructure, according to the CSA. As a result, the application infrastructure has no visible DNS information or IP address, mitigating many common networks.
"If you think about secure networking, there's really three parts to it," Islam told Network Computing. "One is authenticating the device and the user -- for example, figuring out if you using the same iPad. The second part is verifying your identity and role, like who are you and what you are allowed to access. And then the third part is setting up a VPN in real-time to specifically the asset you are supposed to access and nothing else. This is very different than what you have today."
Today, a site on the Internet has a DNS name that is visible to everybody -- legitimate users as well as hackers. "In this kind of solution we're talking about, there's no visible DNS at all. There [are] no open ports.," he said. "You can't ping or traceroute the application servers. Everything is completely black."
The end result is basically a hidden server on the public Internet, he added.
[Read how to secure the many components of an SDN in "Securing The Software-Defined Network."]
According to the CSA, SDP will be designed to be complimentary to software-defined networks (SDN) and traverse numerous OSI layers to tie applications and users with trusted networks through security models. During the next few months, the CSA plans to release a whitepaper on the SDP, as well as offer a prototype demonstration and a case study.
"What we're trying to do here by establishing this framework it to make it easier for companies to take advantage of well-defined security standards that have been codified in software," said Bob Flores, CEO of the IT consultancy Applicology Incorporated, which also is working on the SDP initiative.
"This will be out in the public domain. So they [enterprises] can take advantage of this stuff to make sure their stuff is secure. Cloud providers can take advantage of this framework as well to create a more secure environment for their customers," he said.