Buzzword or security standard: Zero Trust, Software Defined Perimeter & BeyondCorp

CISOs the world over are constantly worried about protecting their organization from cyber attacks. With Zero Trust being the most talked about network security term, it’s easy to get lost in the hype and buzzwords being bandied about. Which ones are just passing fads? Which ones are trendy today, but will fizzle out tomorrow?

IT networks can be vulnerable in so many ways and any change in setup and policies can directly impact organizational productivity. So we took it upon ourselves to explain some of the main buzzwords floating around these days to help out when making decisions about which solutions to implement.

Software Defined Perimeter (SDP)

The SDP architecture was developed by the Cloud Security Alliance to prevent network attacks against application infrastructure. When SDP principles are implemented on a certain IT infrastructure network, the network is “invisible,” all resources inside the network are cloaked, and only recognized devices and users are granted ephemeral access to the specific resources.

Sponsorships Available

Sponsorships Available

Sponsorships Available

Any user or device that attempts to gain access to an organization’s IT infrastructure must first be authenticated and authorized. This authorization is in the form of Single Packet Authorization (SPA), allowing a point-to-point network connection in which every packet is cryptographically signed. Only once the signature is validated, the packets are permitted to pass. When the user logs off or the session expires, the connection also expires and must be re-established per future access request. Furthermore, access is only granted to a certain application, not on the network level, which prevents lateral movements and further improves the organization’s network security.

This system has proven to be very effective. According to the Cloud Security Alliance’s paper on SDP:

“…the SDP security model has been shown to stop all forms of network attacks including DDoS, Man-in-the-Middle, Server Query (OWASP10) as well as Advanced Persistent Threat (APT).”

Because attackers have no visibility into the applications that your organization is running, they don’t have an entry point into your network. The granularity of the segments a network would have under the SDP is subject to the decision of the IT and security team, i.e. for extreme security measures and controls, an organization can decide to have a segment per application.

Zero Trust

Zero Trust is a security concept according to which automatic trust is not given to anything inside or outside an organization’s perimeters. Instead, every single connection attempt is verified before being granted access. It’s as if the system says, “We know that we might have seen you many times before, but we still need to make sure that you are who you say you are before we consider giving you any sort of access.” While that might be an oversimplification of what’s actually going on in a Zero Trust environment, it’s an accurate description of the concept – ‘never trust, always verify.’

Former principal analyst at Forrester Research, John Kindervag, coined the concept of Zero Trust, and the advantages are great: gaining control of your IT network and all the resources in it, reducing the risk of a data breach, assisting with compliance procedures, and increasing business speed while alleviating business frictions. When implemented correctly, Zero Trust architecture can empower the business, making security decisions based on contextual and real-time data and supporting digital transformation, which leads to increased agility and speed to market.

When a Zero Trust architecture is in place, the following questions are being asked: who is the user? Can the user be authenticated with our existing authentication methods? What device is being used and what is its security state? Is it a known and protected device or is it a risky one that may be malware infected? And lastly, what application is the user trying to access? Does this request comply with our security policies? These inquiries take place on every access attempt because no user or device are trusted.

But be aware that Zero Trust is not the kind of project that an organization can quickly create for itself and then set-and-forget. It takes planning and strategy and involves different security measures and techniques.

BeyondCorp

BeyondCorp is Google’s interpretation of Zero Trust. The BeyondCorp initiative was born from the understanding that “with the advent of a mobile workforce, the surge in the variety of devices used by this workforce, and the growing use of cloud-based services, additional attack vectors have emerged that are stretching the traditional paradigm [of perimeter security] to the point of redundancy.”

Google’s BeyondCorp is a perimeter-less network IT infrastructure that is based on user and device authentication and authorization and provides users with access permissions to specific applications on an ad-hoc basis. No more firewalls. No more VPNs. The permissions are granted based on individual devices and users’ identity and security posture. BeyondCorp enables security policies to be flexible, scalable, and manageable.

Brilliant as it is, regrettably, not every organization has the knowledge, expertise, resources and time to implement a BeyondCorp-like IT infrastructure. Organizations have to have big budget and manpower to develop, build and maintain their own BeyondCorp-like architecture that is suited to their specific situation. This can be a major challenge, especially for smaller businesses that don’t have those kinds of resources.

Not-So-Quickly Disappearing Buzzwords

SDP, Zero Trust, and BeyondCorp are assuredly the top network security buzzwords flying around the Infosec space today. But we believe they will not be fly-by-night security concepts that quickly disappear.

So when you are trying to come to grips with the plethora of network security solutions out there, take the time to further explore these three security concepts to ensure that whatever approach you end up going with is robust, scalable, agile, and most importantly – security-strong.