software-defined perimeter (SDP)
Posted by: Margaret Rouse
Software-defined perimeter (SDP) is a security framework developed by the Cloud Security Alliance (CSA) that controls access to resources based on identity. The framework is based on the U.S. Department of Defense's "need to know" model -- all endpoints attempting to access a given infrastructure must be authenticated and authorized prior to entrance. The SDP approach is sometimes said to create a "black cloud" because it obscures systems within the perimeter so that outsiders can't observe them.
The SDP uses an approach to cybersecurity that mitigates network-based attacks, protecting all classification levels of legacy IT assets and cloud services. The software-defined perimeter works by hiding critical IT assets within an opaque black cloud that can't be accessed by outsiders, whether the assets are in the cloud, on premises, in a DMZ (demilitarized zone, sometimes known as a perimeter network), on a server in a data center or even in an application server.
An SDP functions as a broker between internal applications and users and only provides access to services if the correct criteria are met. This enables companies to determine which users have access to which applications. Segmenting applications via SDP enables organizations to secure sensitive information more easily.
The SDP creates an invisible screen to protect against malware, cyberattacks and other threats. This framework was designed to let enterprises provide secure access to network-based services, applications and systems.
SDPs are used to lower the chances of successful network-based attacks, including denial-of-service (DoS) attacks, man-in-the-middle attacks, server vulnerabilities and lateral movement attacks, such as SQL injection or cross-site scripting (XSS).
Uses of an SDP
SDPs are implemented for many different reasons, including:
· SDPs support a variety of devices. The perimeter can authenticate laptops and PCs, as well as mobile devices and internet of things (IoT) devices, and SDPs ensure that connections can't be initiated from unauthorized or invalid devices.
· SDPs restrict broad network access. Individual entities aren't granted broad access to network segments or subnets, so devices can only access the specific services and hosts that are permitted by policy. This minimizes the network attack surface and prevents port and vulnerability scanning by malicious users or malicious software.
· SDPs support a broader risk-based policy. SDP systems make access decisions based on numerous risk criteria, including threat intelligence, malware outbreaks, new software and more.
· SDPs can be used to connect anything. Software-defined perimeter technology enables connectivity to only the IT resources required by employees, without the cumbersome management requirements or mounting hardware costs.
· SDPs enable control of services, applications and access. SDPs are capable of controlling which applications and devices are allowed to access specified services. This limits the attack surface and stops malicious users or malware from connecting to resources.
SDP framework
Software-defined perimeter technology enables a secure perimeter based on policies used to isolate services from unsecured networks. The goal of the CSA's SDP framework is to provide an on-demand, dynamically provisioned, air-gapped network -- a segmentation of network resources that mirrors a physically defined network perimeter but operates in software rather than via an appliance -- by authenticating users and devices before authorizing the user/device combination to securely connect to the isolated services. Unauthorized users and devices can't connect to the protected resources.
The Cloud Security Alliance explains software-defined perimeters.
When the authentication is completed, the trusted devices are given a unique and temporary connection to the network infrastructure. The SDP framework lets companies streamline operations when it comes to user authentication and application security.
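As an added illustration of the flow the framework paragraphs above and the "Uses of an SDP" list describe (default deny, authentication of both user and device, risk criteria that override identity, and a temporary connection scoped to one permitted service), here is a toy controller and gateway in Python. It is not CSA reference code; the shared key, the policy table and the device sets are constructed for the example.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass

# Constructed sample data: a controller/gateway shared key and an access policy
# keyed by (user, device) that lists the only services each pair may reach.
SECRET = secrets.token_bytes(32)
POLICY = {
    ("alice", "laptop-42"): {"crm:443", "git:22"},
    ("bob", "phone-7"): {"crm:443"},
}
ENROLLED_DEVICES = {"laptop-42", "phone-7"}
FLAGGED_DEVICES = {"phone-7"}  # risk signal, e.g. malware outbreak or threat intel
GRANT_TTL = 60  # seconds a granted connection stays usable


@dataclass(frozen=True)
class Grant:
    # Temporary, service-scoped connection grant issued by the controller.
    user: str
    device: str
    service: str
    expires: int
    mac: str


def _mac(user: str, device: str, service: str, expires: int) -> str:
    msg = f"{user}|{device}|{service}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def controller_request(user, device, service, authenticated, now=None):
    """Initiating Host asks the controller for access to one service.
    Default deny: the identity must be authenticated, the device enrolled and
    not flagged, and the user/device pair allowed for exactly that service."""
    now = int(time.time()) if now is None else now
    if not authenticated or device not in ENROLLED_DEVICES:
        return None
    if device in FLAGGED_DEVICES or service not in POLICY.get((user, device), set()):
        return None
    expires = now + GRANT_TTL
    return Grant(user, device, service, expires, _mac(user, device, service, expires))


def gateway_accept(grant, service, now=None):
    """Accepting Host admits a connection only with a valid, unexpired grant
    bound to this service; everything else is refused (a real gateway would
    drop it without a reply so the protected servers stay dark)."""
    now = int(time.time()) if now is None else now
    if grant is None or grant.service != service or now >= grant.expires:
        return False
    expected = _mac(grant.user, grant.device, grant.service, grant.expires)
    return hmac.compare_digest(expected, grant.mac)
```

The grant binds user, device, service and expiry under an HMAC, so a client cannot widen it to another service or extend its lifetime, which is what makes the connection both unique and temporary.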
SDP deployment models
SDP deployment models can be characterized by the way they structure interactions among clients, servers and gateways. The primary approaches to implementing software-defined perimeter technology include:
· Client-to-gateway deployment positions the servers behind an Accepting Host, which acts as a gateway between the protected servers and the clients -- Initiating Hosts in SDP terminology. The client-to-gateway SDP can be deployed inside a network to reduce such lateral movement attacks as operating system (OS) and application vulnerability exploits, man-in-the-middle attacks and server scanning. It can also be deployed directly on the internet in order to segregate protected servers from unauthorized users, as well as to mitigate attacks.
· Client-to-server deployment is similar to the client-to-gateway deployment except that the server being protected by the SDP is the system that runs the Accepting Host software -- instead of the gateway. Deciding between the client-to-gateway and the client-to-server deployment is usually based on a number of factors, including analysis of load-balancing needs, the servers' elasticity -- how adaptable the cloud server is to changes in workloads -- and the number of servers an enterprise needs to protect behind the SDP.
· Server-to-server deployments protect servers that offer any kind of application programming interface (API) over the internet -- a Simple Object Access Protocol (SOAP) service, a remote procedure call (RPC), a representational state transfer (REST) service or similar -- from all unauthorized hosts on the network, and that protected API is used to communicate between the Accepting Host and the Initiating Host.
· Client-to-server-to-client implementations depend on a peer-to-peer (P2P) relationship between the clients that can be used for applications such as chat, video conferencing, IP telephony and similar applications. In this deployment, the SDP obfuscates the IP addresses of the connecting clients, with the server acting as the intermediary for both clients.
This was last updated in October 2018