The idea of making the internet or corporate network dark has gained momentum since the introduction of Software Defined Networking (SDN). This has enabled a new concept called Software Defined Perimeter (SDP), or what some are referring to as BlackCloud. This concept has the effect of making applications invisible (dark) and accessible only by authorized devices and users. It creates an authorization network fabric where you can define what you trust and who is allowed to connect to each application, so think of this as a micro-segmented perimeter that is everywhere and fits nicely into the zero trust model. John Kindervag, the founder of Zero Trust, introduced me to this concept in 2011: the idea of making sure you have established trust between devices before allowing them to connect. Now this idea has become reality. For more information on this, the Cloud Security Alliance (CSA) has some great resources.
This new perimeter security model makes more sense in a world where the legacy corporate perimeter is disappearing, and applications and users are no longer on the corporate network. Enterprises need to embrace this new paradigm to ensure they can secure the new world where users are mobile and applications are in the cloud. I believe the corporate network will transform into internet cafes where users are only granted internet access, and access to cloud applications is provided through SDP. This incredible network transformation we are experiencing is discussed in the new book Secure Cloud Transformation by Richard Stiennon, which gives some great examples of companies already on this transformational journey.
We have been building our networks for years with the moat and castle concept, firewalls protecting the internal network, but this design is outdated and we need to design our networks inside out. This means we should not build large enterprise networks that allow east-west traffic flows between what we believe are trusted devices. Clients should only communicate securely to applications on public and private clouds via a north-south internet SDP fabric. This architecture reduces the attack surface and prevents worm-propagating malware outbreaks like WannaCry and NotPetya.
The cloud security company Zscaler has gone one step further with this concept of application access: application access policy is based on namespace (DNS), not network addressing. This completely changes the way we create and manage policy and ensures policy is application-centric, not network-centric. You can even define a per-application authentication timeout, which improves user experience and protects high-value assets. Most importantly, they introduce multiple layers of mutual TLS encryption and trust that ensure no one can intercept and snoop on the data.
Creating a dynamic secure segment from each user to only specific applications enables a true zero trust model. This concept of creating your own BlackCloud (Darknet), where you can control and monitor application access, will enable enterprises to create their own secure network fabric, regardless of the user’s or the application’s location.
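To make the policy model from the last three paragraphs concrete, here is a small deny-by-default SDP broker decision written for this post as an added example; it is not code from the original article, from Zscaler, or from any other product. The application names (payroll.corp.example, wiki.corp.example), the groups and the timeouts are constructed sample data. It shows three things the text describes: policy keyed by DNS name rather than address (so an IP literal or any unlisted name is simply dark), device trust checked before entitlement, and a per-application authentication timeout so a high-value app can force re-authentication sooner than a low-value one.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy table (example data, not any vendor's format).
# Policy is keyed by application DNS name, never by IP address, and
# anything without an entry is "dark": the broker simply refuses it.
@dataclass(frozen=True)
class AppPolicy:
    fqdn: str                       # application name the client asked for
    allowed_groups: frozenset       # identity groups entitled to connect
    auth_timeout: timedelta         # per-application re-authentication window
    require_trusted_device: bool = True  # device trust (e.g. mTLS client cert) needed

POLICY = {
    "payroll.corp.example": AppPolicy("payroll.corp.example",
                                      frozenset({"finance"}), timedelta(minutes=15)),
    "wiki.corp.example": AppPolicy("wiki.corp.example",
                                   frozenset({"employees"}), timedelta(hours=8)),
}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    device_trusted: bool    # outcome of mutual TLS / device posture, decided upstream
    target: str             # what the client asked for: a name or (wrongly) an address
    last_auth: datetime     # when this user last authenticated to this application
    now: datetime

def evaluate(req: AccessRequest, policy=POLICY):
    """Deny-by-default SDP broker decision. Returns (allowed, reason)."""
    app = policy.get(req.target.lower().rstrip("."))
    if app is None:
        # Unknown names and raw IP literals fall through here: the application
        # is invisible, so there is nothing to probe or scan.
        return False, "dark: no policy for this name"
    if app.require_trusted_device and not req.device_trusted:
        return False, "denied: device trust not established"
    if not (req.groups & app.allowed_groups):
        return False, "denied: user not entitled to application"
    if req.now - req.last_auth > app.auth_timeout:
        return False, "denied: authentication expired for this application"
    return True, "allowed"

def example_requests():
    """Constructed sample requests covering each decision branch."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    twenty_min_ago = now - timedelta(minutes=20)
    base = dict(user="alice", groups=frozenset({"employees", "finance"}),
                device_trusted=True, last_auth=twenty_min_ago, now=now)
    return {
        # Long-lived session to a low-value app is still valid after 20 minutes.
        "wiki_ok": AccessRequest(target="wiki.corp.example", **base),
        # High-value app has a 15-minute window, so the same session must re-authenticate.
        "payroll_expired": AccessRequest(target="payroll.corp.example", **base),
        # Policy is name-based: an address literal (east-west style) has no entry.
        "ip_literal_dark": AccessRequest(target="10.0.0.5", **base),
        # Untrusted device is refused before entitlement is even considered.
        "untrusted_device": AccessRequest(**{**base, "device_trusted": False},
                                          target="wiki.corp.example"),
        # User lacks the entitled group for the application.
        "not_entitled": AccessRequest(**{**base, "groups": frozenset({"employees"})},
                                      target="payroll.corp.example"),
    }

if __name__ == "__main__":
    for name, req in example_requests().items():
        print(f"{name:18} -> {evaluate(req)}")
```

The order of the checks matters: the name lookup comes first so that an unauthorized probe learns nothing about whether a device or user would have qualified, and device trust is established before any entitlement or session state is consulted, which mirrors the "establish trust before allowing a connection" idea in the opening paragraph.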
You Can’t Attack What You Can’t See
In this day and age, enterprises must reduce the attack surface. We cannot continue to worry about the next SSL/TLS vulnerability, and we need to make sure no parts of our ecosystems, whether on premises or in the cloud, are exposed, let alone seen to be vulnerable. This is especially important in a world where propagating malware is taking down enterprises and hackers are keen to profit using ransomware, crypto-mining, supply-chain exploits, IoT botnets, and a range of other new and creative attacks they have been cooking up.
Written by Tony Fergusson – Cloud Security Blogger.