Software Defined Network - security

Cybersecurity is an area constantly evolving and we are now seeing some radical change, profoundly modifying its approach. Indeed, the growing use of the Cloud (whether public or private) to host resources and applications, as well as the growing number of mobile employees (i.e. remote working) are challenging the notion of an IT infrastructure’s internal perimeter. In fact, it is becoming less and less "on-prem" and more and more distributed, outside the walls of the enterprise and, above all, outside the direct control of IT teams. As a result, the attack surface footprint is becoming much larger and more difficult to manage.

The traditional tools used to this day (i.e. Firewall, IDS, Proxy) no longer respond to these new decentralized environments and the increase in attacks via internal threats (see here and there) proves that we can no longer trust everything on the internal network by default.

A new philosophy must now be adopted to guarantee data security and confidentiality.

This is the context in which the concept of "Zero Trust" (first defined by Forrester in 2010) has emerged, and is now booming. Zero Trust's philosophy can be summed up in four words: "Never Trust, Always Verify".

“ Zero Trust" therefore goes against the "Trust but Verify" philosophy that has long been in force in cyber security, but ended up being a generator of alerts (not always relevant) often resulting in teams being overwhelmed and drowning real alerts in the mass of false positives.

With the “Zero Trust” approach, we are constantly verifying who is accessing what and in what context. This verification can be done in several places on the infrastructure:

- Upon accessing physical networks, with NAC solutions, so to have only authenticated and authorized people/devices on the network.

- Upon accessing the applications themselves: this is called Zero Trust Access (ZTA). Based on the Software Defined Perimeter framework developed by the Cloud Security Alliance, ZTA complements and lightens a traditional VPN solution by controlling access to the resources and apps (whether on-prem or in the cloud) and by making visible only the resources an employee is entitled to (the principle of the Dark Cloud). Authentication and authorization are done resource by resource, instead of giving access to everything past the initial authentication, as it’s often the case with a classic VPN solution.

- It is also possible to couple NAC and ZTA with an MFA (Multi-Factor Auth) solution in order to have a double verification of the person's identity.

We can also take the Zero Trust concept even further, by implementing the following solutions:

- Secure Web Gateway: users are protected against threats related to web traffic (4 of the top 5 threats are web-related in 2019/2020) by analyzing and filtering both DNS queries and actual web traffic, which can be particularly interesting when employees are at home and not connected to the VPN for example.

- Endpoint Detection and Remediation: an agent is installed on the employee’s workstation; it will analyze its behavior and alert in case of suspicious behavior (i.e. document hiding malware).

- Use of services (i.e. Collaboration) guaranteeing data security and confidentiality (i.e. ISO27001 certified solutions).

As described in this article, Zero Trust is above all a change of mindset on how to approach security and access resources. SPIE, as a major IT integrator, is at the forefront of these changes and we can help you to make this important transition. Do not hesitate to contact us!