Software-Defined Perimeter Offers Hope of Protecting the Whole Internet
The advent of the Internet of Things (IoT) is on the verge of “breaking” the Internet as we know it today, unless some serious changes and additions are made to the way it works.
That was the warning of Jim Reavis, CEO and co-founder of the Cloud Security Alliance (CSA) at the group’s inaugural federal summit, held at the Ronald Reagan Building May 5th.
“Think about some of the trends. Maybe in a few years we go from eight billion Internet-connected devices to a trillion,” Reavis said. Someone calculated that it will be 53 bytes of data for every grain of sand in the world, he said, “and the cloud is the basis for all of this.”
The mission of the alliance is to make the cloud more secure than traditional network computing. To achieve this goal, the organization is pursuing the establishment and adoption of a “software-defined perimeter” (SDP) that provides protection from an end-to-end perspective, from the endpoints all the way to the cloud.
“What we’re talking about is that a lot of devices on the Internet should be dark,” not visible to other devices unless specific permissions are granted. As an example, he cited the Nest thermostat in his house; there is no reason any devices other than his own should even be able to see it, let alone make changes in its settings.
Today the Internet works with the data plane and the control plane integrated together. The CSA approach introduces an SDP controller that provides a separate access-control channel, so “servers are invisible unless the SDP controller has granted access,” he said. It is a standardization of the “need-to-know” access model common in classified networks, applied to the broader Internet.
The SDP controller incorporates five layers of control: single packet authorization, mutual transport layer security (mTLS), device validation, dynamic firewalls and application binding. In three hacking contests held at RSA conferences, with participants invited to try to penetrate, “no one’s got past [the first layer] yet,” he said.
CSA has developed one complete protocol specification, version 1.0, to serve as the foundation for working with cloud-based apps. Another project under way is creating an anti-distributed-denial-of-service (anti-DDoS) tool.
“Our idea here is, let’s create an open-source research project [to] build anti-DDOS solutions. Because we need an acronym, it’s going to be SAD – SDP anti-DDOS,” he said.
While a lot of work remains to be done, Reavis said that federal support for the concept “is being announced soon.”