Security & Networking for cloud integration – SDP

It is increasingly necessary to integrate applications across multiple datacentres and cloud environments.  To further complicate matters BYOD and home access need to be provided as well.  This problem transcends integration, and a solution for integration can be extended to secure web apps and mobile device management.

PaaS, SaaS and IaaS provide different secure networking solutions.   They all work well in the simple case where you have one *aaS solution connected to your secure network.  But these days people need to have multiple solutions connected with any number of interconnections.

An example I have to work with has integration provided in an AWS VPC which has a VPN connection into 2 datacentres, peering with another AWS VPC, a VPN to another SaaS provider and a VPN to another VPC in Azure.  The IP addressing ran out in the VPC and it had to be moved to another (larger) IP range.  This meant duplicating all those VPNs.  Each VPN required engaging with a different network provider in turn and it took several months to finish the whole project.

Adding DR doubles the number of connections required for each Datacentre duplicated.  So in the above situation a full DR solution could require 25 VPNs.

Each connection into a component in a datacentre requires a firewall rule to open up the port, and routing can get complicated.  It can be improved by adding a gateway component in the datacentre.  The gateway component handles all the traffic internal to the datacentre and can do simple protocol conversion.  This simplifies routing and keeps all the connection rules in one place.  The gateway component can be just as secure as a firewall and is a lot more flexible.  The gateway component can refuse non-SSL traffic and then it removes the need for VPNs.

This gives a pointer to what a more comprehensive solution might look like.

There are a number of rules that apply to cloud networking

  1. TCP/IP is flexible and scales well but provides poor security.
  2. Any *aaS provided networking security option reduces flexibility to integrate with other providers.
  3. VPNs do NOT scale.
  4. Firewalls are very good at blocking agile delivery processes.
  5. Any security solution needs to provide/utilise Identity and Access Management.
  6. One layer of (state of the art) encryption is sufficient for most purposes (no need for SSL across VPNs).
  7. A solution that combines IAM with encryption and firewalls across the internet gives the security of VPNs & firewalls without many of the downsides.

The answer is provided by some sort of Software Defined Perimeter solution.  This is an emerging standard with some players providing good tools.  Access is managed by user or device, with all configuration in one place (e.g. LDAP).  There is no need to manage devices separately from applications.

SDP uses identity to control network access.  A controller provides a grant token to a specific user.  The network denies access to clients without a valid and applicable token.  An existing network can be brought into SDP with an SDP-aware gateway device.  Cloud providers (e.g. Azure) can offer SDP built into platform.

One advantage of SDP is you can have overlapping security zones and use standard internet protocols to provide infinite flexibility and scale.  An individual component can incorporate its own SDP controller or an SDP controller can control access to all nodes within a secure network segment.  An SDP controller can be part of several perimeters simultaneously.

Single Sign On (SSO) can be baked into the solution for no extra cost.  The access token identifies the user and the same claims that provide network access can also authorise individual services.  On the other hand legacy services with their own identity solutions will still work in an SDP without using SSO.

It may be some time before enough *aaS providers provide compatible solutions.  An SDP can be built from existing components, but an integrated solution is easier to manage.

I haven’t managed to implement this for any of my clients yet.  It is not just a question of putting in the infrastructure, but it is also a change of mindset.  The network providers have to let go of the idea that they can control security with firewalls and IP-based whitelists.  Identity management becomes central to security as it should be.

Some links about SDP

https://en.wikipedia.org/wiki/Software_Defined_Perimeter

https://cloudsecurityalliance.org/group/software-defined-perimeter//#_overview

A provider of SDP solutions for reference

https://www.cyxtera.com/security-analytics/appgate-sdp

sdp

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.