It's a frequent debate: "The perimeter is dead" versus "The perimeter isn't dead yet." I guess it all depends on how you define "perimeter." I think most of us would agree that the traditional network perimeter is so porous that it could be declared terminally ill, if not dead. Bad guys slip inside easily through methods like spear phishing and stolen credentials.
But what if we redefined the perimeter to be extremely narrow: a layer of protection around just the most important assets, such as a high-value business application? The protection is so tight that not only are the bad guys kept out, but the good guys are as well, until they are carefully authenticated and authorized in a way that effectively locks the bad guys out for good. It's called a Software Defined Perimeter, and it's the next phase of security for high-value assets.
The Cloud Security Alliance has a working group that is defining the specifications for Software Defined Perimeter. One of the leading contributors to the working group, and one of the first vendors to market with a viable solution, is Vidder. The company's PrecisionAccess solution shrinks the perimeter down to a single application, and then provides secure connectivity only to a select group of authorized users and their specific devices.
The solution is designed to prevent attacks based on server exploitation, stolen credentials and connection hijacking. It incorporates elements of many security technologies, including PKI, NAC, identity management, firewalls and VPN, to create a single tool that provides connectivity regardless of where the application is hosted, who the user is and what device they are working on. Moreover, it is largely transparent to end users, so it doesn't disrupt the way they work.
Vidder's PrecisionAccess is comprised of three software components (see figure).
The blue arc on the right side of the diagram represents a private security gateway that screens access to the protected application. The blue square with the red and green arrows is the controller that arbitrates connectivity between end users and the applications. The third solution component is a small piece of software that goes onto the devices of authorized users. There is an initialization process that puts unique cryptographic artifacts on each device when the software is installed.
An icon appears on the device once the software is installed. To initiate access to a secured application, the end user clicks the icon. It feels a bit like launching a VPN client, but it differs in that each installation of the software is unique, sort of like DNA, with a distinct cryptographic identity for each device. When the user clicks the icon, the client sends a connection request to the controller rather than to the application directly. The client doesn't even know how to reach the protected application, because there is no DNS entry for it, or the entry is well hidden.
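To make the three-component flow concrete, here is a toy model of it in Python. This is an added illustration written for this article; it is not Vidder's code and it does not follow the CSA specification's wire format. It assumes the per-device "cryptographic artifact" is a shared secret installed at enrolment (the real product may use certificates or other material), that the controller checks an HMAC over each request and refuses replays, and that the gateway is default-deny until the controller opens a short-lived session. The class and function names are hypothetical, and the devices, users and application names are constructed sample data.

```python
"""Toy Software Defined Perimeter flow (added illustration, not Vidder's code
or the CSA spec): an enrolled client with a unique per-device secret, a
controller that arbitrates access, and a default-deny gateway."""
import hashlib
import hmac
import secrets
import time


class Gateway:
    """Screens access to the protected app; drops everything except
    sessions the controller has explicitly opened for a device."""

    def __init__(self):
        self._sessions = {}  # session token -> (device_id, app, expiry)

    def open_session(self, device_id, app, ttl=60):
        token = secrets.token_hex(16)
        self._sessions[token] = (device_id, app, time.time() + ttl)
        return token

    def connect(self, device_id, app, token):
        """True only for a live session bound to this device and app."""
        entry = self._sessions.get(token)
        if entry is None:
            return False
        dev, granted_app, expiry = entry
        return dev == device_id and granted_app == app and time.time() < expiry


class Controller:
    """Holds per-device secrets installed at enrolment (assumed here to be a
    shared HMAC key) plus user-to-app entitlements; forwards no traffic."""

    def __init__(self, gateway):
        self.gateway = gateway
        self.device_secrets = {}   # device_id -> secret, the 'DNA' of each install
        self.entitlements = set()  # (user, app) pairs allowed
        self._seen_nonces = set()

    def enroll_device(self, device_id):
        secret = secrets.token_bytes(32)
        self.device_secrets[device_id] = secret
        return secret

    @staticmethod
    def mac(secret, device_id, user, app, nonce):
        msg = f"{device_id}|{user}|{app}|{nonce}".encode()
        return hmac.new(secret, msg, hashlib.sha256).hexdigest()

    def request_access(self, device_id, user, app, nonce, mac):
        """Returns a gateway session token, or None if the request is refused."""
        secret = self.device_secrets.get(device_id)
        if secret is None:
            return None  # unenrolled device
        if not hmac.compare_digest(self.mac(secret, device_id, user, app, nonce), mac):
            return None  # wrong device key: a stolen password alone is not enough
        if nonce in self._seen_nonces:
            return None  # captured and replayed request
        self._seen_nonces.add(nonce)
        if (user, app) not in self.entitlements:
            return None  # trusted device, but this user may not reach this app
        return self.gateway.open_session(device_id, app)


class Client:
    """The agent on the user's device; it knows the controller, not the app."""

    def __init__(self, device_id, secret, controller):
        self.device_id, self.secret, self.controller = device_id, secret, controller

    def build_request(self, user, app):
        nonce = secrets.token_hex(8)
        return (self.device_id, user, app, nonce,
                Controller.mac(self.secret, self.device_id, user, app, nonce))

    def open(self, user, app):
        return self.controller.request_access(*self.build_request(user, app))


def demo():
    """Walk the attack classes the article says the design addresses."""
    gw = Gateway()
    ctrl = Controller(gw)
    laptop_secret = ctrl.enroll_device("laptop-01")   # constructed sample device
    ctrl.entitlements.add(("alice", "payroll"))       # constructed sample entitlement
    alice = Client("laptop-01", laptop_secret, ctrl)

    token = alice.open("alice", "payroll")
    legit = token is not None and gw.connect("laptop-01", "payroll", token)
    # Attacker has alice's username/password but no enrolled device secret.
    stolen_creds = Client("laptop-01", b"guess", ctrl).open("alice", "payroll")
    # Attacker captures a genuine request on the wire and replays it.
    req = alice.build_request("alice", "payroll")
    ctrl.request_access(*req)
    replay = ctrl.request_access(*req)
    # Attacker goes straight to the gateway with no controller grant.
    direct = gw.connect("laptop-01", "payroll", "made-up-token")
    # Authorised device, but the user has no entitlement to this app.
    unentitled = alice.open("alice", "hr-admin")
    return {"legit": legit, "stolen_creds": stolen_creds, "replay": replay,
            "direct": direct, "unentitled": unentitled}


if __name__ == "__main__":
    print(demo())
```

The point to notice is that the gateway never consults a password: it only honours sessions the controller has opened, and the controller only opens one after a request proves possession of the device-specific secret, has not been seen before, and matches an entitlement. That is why the three scenarios in `demo` other than the legitimate one are refused, and why the client needs no address for the application itself.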