'Software-Defined' Comes to Cloud Security

Creating "dynamically provisioned perimeters" for clouds and datacenter infrastructures.

"Software-defined" is an industry buzzword that's applied to many aspects of datacenter operations. A few of the terms to which it's been appended include software-defined networking (SDN), software-defined storage (SDS) and software-defined datacenters (SDDC). Now it's been added to another concept: perimeter security.

The Cloud Security Alliance (CSA), a nonprofit organization promoting the use of cloud security best practices, has announced the formation of a new Software Defined Perimeter (SDP) for Infrastructure as a Service (IaaS) initiative.

The CSA made the announcement in San Francisco this week at the annual RSA Security Conference.

The enterprise move to the cloud is outpacing the ability of security teams to cope with the changes around security and compliance such a transition brings, explained Jason Garbis, vice president of products at Cryptzone, the company leading the initiative.

"Many of our customers are in the beginning or the middle of their transition to cloud-based solutions," Garbis said. "We have customers who tell us, 'We have 75 datacenters, we're going to get them down to three,' or, 'We want to have no physical datacenters in five years.' They are very strategically moving, either to public cloud providers, such as AWS or Azure, or to on-premises private clouds. They also really like the SDP architecture."

"We've learned a lot from those customers," Garbis added, "and we want to share that knowledge with the community through the CSA. But we certainly don't have all the answers, so we're also looking for input and participation from other enterprises, other providers of SDP technology and the cloud providers themselves. It's a way for us to give back to the community, advance the state of the art, and really come up with best practices, design standards, design principles and requirements to apply in this much more dynamic and cloud-centric world."

The SDP specification uses a framework of security controls designed to mitigate network-based attacks on Internet-accessible applications. It accomplishes this by withholding connectivity to those apps until the devices and their users have been authenticated and authorized, creating "dynamically provisioned perimeters" for clouds and datacenter infrastructures. The SDP was designed to be highly complementary to the Software Defined Networking (SDN) spec, which decouples routing and architectural decisions from the underlying equipment to create "virtually air-gapped networks."
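The "authenticate first, connect second" model described above, reduced to a small simulation. This is an added illustration, not code from the article, the CSA specification or AppGate: the controller, gateway, user store, device list and policy are all constructed here, and a gateway entry stands in for whatever a real deployment would program (a firewall rule, a security group, an SDN flow).

```python
import hmac
from dataclasses import dataclass, field

# Constructed identity store and access policy (user -> permitted apps).
USERS = {"alice": "correct horse battery staple"}
POLICY = {"alice": {"payroll-api"}}
# Constructed device inventory: only enrolled device IDs are admitted.
ENROLLED_DEVICES = {"laptop-0042"}
ENTRY_TTL = 60  # seconds a provisioned entry stays open before it is torn down


@dataclass
class Gateway:
    """Default-deny: a connection without a live provisioned entry is dropped."""
    allow: dict = field(default_factory=dict)  # (user, device, app) -> expiry

    def connect(self, user, device_id, app, now):
        key = (user, device_id, app)
        expires = self.allow.get(key)
        if expires is None or now > expires:
            self.allow.pop(key, None)  # expired entries are removed on contact
            return "DROP"
        return "ACCEPT"


@dataclass
class Controller:
    """Checks user, device and policy, then provisions an entry on the gateway."""
    gateway: Gateway

    def request_access(self, user, password, device_id, app, now):
        if not hmac.compare_digest(USERS.get(user, ""), password):
            return None  # unknown user or bad credential: nothing is opened
        if device_id not in ENROLLED_DEVICES:
            return None  # valid user on an unmanaged device: still nothing
        if app not in POLICY.get(user, set()):
            return None  # authenticated but not authorized for this app
        key = (user, device_id, app)
        self.gateway.allow[key] = now + ENTRY_TTL
        return key


def demo():
    gw, t = Gateway(), 1000.0
    ctl = Controller(gw)
    before = gw.connect("alice", "laptop-0042", "payroll-api", t)
    ctl.request_access("alice", "correct horse battery staple", "laptop-0042", "payroll-api", t)
    during = gw.connect("alice", "laptop-0042", "payroll-api", t + 5)
    other_device = gw.connect("alice", "tablet-unknown", "payroll-api", t + 5)
    after = gw.connect("alice", "laptop-0042", "payroll-api", t + ENTRY_TTL + 1)
    return before, during, other_device, after
```

The perimeter exists only for the identity, device and app tuple the controller approved, and only for as long as the entry lives; everything else sees a dropped connection, which is the "invisible" infrastructure the article refers to.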

"The SDP approach allows enterprises to embrace the dynamic nature of IaaS without compromising security or compliance," said Luciano "J.R." Santos, executive vice president of research for the CSA, in a statement. "By understanding and leveraging an SDP model, organizations can then enable hybrid or multi-platform clouds by abstracting provider-specific configurations, and leveraging consistent policies, identity stores and processes across their environments."

Cryptzone's flagship product, AppGate, is designed to allow organizations to adopt the SDP approach for granular security control. It effectively makes the application/security infrastructure "invisible," Garbis explained. Access is provided to authorized resources only.

The CSA is led by a coalition of industry practitioners, corporations, associations and other key stakeholders. Its mission is to promote the use of cloud security best practices. The group also promotes and provides education on these and related issues. The organization sponsors a number of initiatives and working groups, including the Big Data Working Group, an initiative for creating and identifying best practices for security and privacy in Big Data; the Cloud Governance Working Group, which seeks to understand the demands of governing and operating data in the cloud; and the Cloud Controls Matrix initiative, which developed a security controls framework for cloud providers and consumers.

The list of goals for the SDP for IaaS, Garbis said, includes documenting specific security, compliance and architecture challenges that arise from enterprise adoption of IaaS; exploring how an SDP solution can solve these problems; providing architectural and deployment guidelines and best practices for secure IaaS, including the impact of DevOps initiatives; and influencing the SDP specification to address IaaS-specific requirements.

The group also aims to deliver analysis and taxonomy of IaaS-specific security, network, identity and compliance challenges; an explanation of how an SDP architecture can address these challenges; and deployment scenarios and use cases that examine aspects such as network configuration, identity management, authentication and security groups.

The SDP for IaaS initiative is open to organizations and individuals. More information is available on the SDP working group Web site.

About the Author

John K. Waters is the editor in chief of a number of sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and the culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS. He can be reached at [email protected].
