10/9/2019
10:00 AM
Gilad Steinberg
Commentary
How the Software-Defined Perimeter Is Redefining Access Control

In a world where traditional network boundaries no longer exist, VPNs are showing their age.

Virtual private networks (VPNs) have been around for over two decades, providing secure, encrypted tunnels for communications and data. While there are multiple types of VPNs — including SSL-VPNs and IPSec, to name two — the basic idea is the same regardless of the implementation. With a VPN, a secure IP transport tunnel is created that is intended to provide assurance that the data is safe because access is encrypted.

The concept of the software-defined perimeter (SDP) is somewhat newer, originally coming onto the scene in 2013, under the initial direction of the Cloud Security Alliance (CSA). With the SDP model, rather than just trusting an encrypted tunnel to be safe because it uses Transport Layer Security (TLS), there is no assumption of trust — hence the use of the term "zero trust" by many vendors in connection with SDP.

In a typical SDP architecture, there are multiple points where any and every connection is validated and inspected to help prove authenticity and limit risk. Typically, in the SDP model there is a controller that defines the policies by which clients can connect and get access to different resources. The gateway component helps to direct traffic to the right data center or cloud resources. Finally, devices and services make use of an SDP client which connects and requests access from the controller to resources. Some SDP implementations are agentless.

SDP vs. VPN
The basic premise under which VPNs were originally built and deployed is that there is an enterprise perimeter, protected ostensibly with perimeter security devices such as IDS/IPS and firewalls. A VPN enables a remote user or business partner to tunnel through the perimeter to get access to what's inside of an enterprise, providing local access privileges, even when remote.

The reality of the modern IT enterprise is that the perimeter no longer exists, with staff, contractors and partners working on campus locations, remotely and in the cloud and all over the world. That's the world that SDP was born into and is aimed to solve.

VPNs today are still widely used and remain useful for certain types of remote access and mobile worker needs, but they involve a certain amount of implicit or granted trust. The enterprise network trusts that whoever presents valid VPN credentials is the rightful holder of those credentials and is allowed access. If that VPN user turns out to be malicious, or the credentials were stolen by an unauthorized person who now has access to the local network, that's a problem — and one that VPNs by design don't solve well, if at all.

An SDP or zero-trust model can be used within the modern perimeter-less enterprise to help secure remote, mobile, and cloud users as well as workloads. SDP isn't just about having a secure tunnel — it's about validation and authorization. Instead of just trusting that a tunnel is secure, there are checks to validate posture, robust policies that grant access, segmentation policies to restrict access and multiple control points.

The increasing adoption of zero-trust security technologies by organizations of all sizes is an evolving trend. As organizations look to reduce risk and minimize their potential attack surface, having more points of control is often a key goal. Security professionals also typically recommend that organizations minimize the number of privileged users and grant access based on the principle of least privilege. Rather than just simply giving a VPN user full local access, system admins should restrict access based on policy and device authorization, which is a core attribute of the zero-trust model.
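As an added illustration (not code from the article or from any vendor product), here is a toy policy evaluator contrasting the two models described above: a VPN that grants local access to everything once credentials check out, and an SDP controller that denies by default and allows a specific resource only when both group membership and device posture pass. The resource names, groups and posture attributes are constructed for the example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Posture:
    managed: bool          # device enrolled in endpoint management
    disk_encrypted: bool
    os_patched: bool

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    posture: Posture
    resource: str

# Constructed policy table (hypothetical): per resource, the groups that may
# connect and the posture attributes the device must satisfy.
POLICY = {
    "printer":    {"groups": {"staff", "contractor"}, "require": ()},
    "file-share": {"groups": {"staff"}, "require": ("managed",)},
    "prod-db":    {"groups": {"dba"}, "require": ("managed", "disk_encrypted", "os_patched")},
}

def vpn_grant(credentials_valid: bool) -> dict:
    """Classic VPN: a valid credential opens the tunnel and everything behind it."""
    return {resource: credentials_valid for resource in POLICY}

def sdp_decide(req: Request) -> tuple:
    """SDP controller decision: deny by default, allow only on identity AND posture."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return (False, "unknown resource")   # unlisted resources are never reachable
    if not req.groups & rule["groups"]:
        return (False, f"group policy: {req.user} not in {sorted(rule['groups'])}")
    failed = [attr for attr in rule["require"] if not getattr(req.posture, attr)]
    if failed:
        return (False, "posture check failed: " + ", ".join(failed))
    return (True, "allow")

def sdp_grant(req: Request) -> dict:
    """Evaluate one client against every resource, as a gateway would per connection."""
    return {r: sdp_decide(replace(req, resource=r))[0] for r in POLICY}

if __name__ == "__main__":
    contractor = Request("carol", frozenset({"contractor"}), Posture(False, False, True), "printer")
    print("VPN:", vpn_grant(True))        # every resource reachable
    print("SDP:", sdp_grant(contractor))  # only the printer
```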

A well-architected zero-trust solution can also offer the potential benefit of less overhead, without the need for physical appliances or client-side agents.

Use Cases
For business users, VPNs are a familiar concept for remote access and that is not something that is likely to change in the near term. For access to a local file share within a company, or even something as simple as accessing a corporate printer, a VPN will remain a reasonable option for the next two to three years. However, as more businesses move to SDP, even the simple access of a printer will be covered.

Within companies, internal threats in the perimeter-less enterprise are as likely as external ones, so a zero-trust model is also useful for limiting insider risk.

For developers and those involved in DevOps, zero trust is a more elegant and controlled approach to granting access as well as providing access to on-premises, cloud, and remote resources. Development is distributed and simply tunneling into a network is not as powerful as what zero trust can enable.

VPNs are no longer the be-all and end-all solution for securing access that they were once promised to be.

The reality of the modern Internet is that threats come from anywhere, with the potential for any device or compromised user credential to be used as a pivot point to breach a network. A zero-trust approach can go beyond relying on encryption and credentials alone to minimize risk and improve security. SDP moves beyond pretending that the fiction of a hard perimeter still exists.

Gilad Steinberg is CTO and Co-Founder of Odo Security, a provider of remote access technology. He was previously the Security R&D Team Leader for the Israel Prime Minister's Office.