CSA proposes Super Cloud security program "software definition boundary"

The Cloud Security Alliance (CSA) has recently proposed an innovative cryptographic security architecture for software-defined networks and cloud environments, some of which are inspired by the high-security networks used by the U.S. Department of Defense and intelligence agencies.

CSA proposed this "Software definition boundary" architecture using a similar approach to VPN authentication and encryption, the use of a security process can be strictly determined in the cloud environment services and application effectiveness. At the CSA conference held last week, some of the technical authors involved in the architecture described the architecture as a "software definition boundary" whose mission is to establish best practices and standards for cloud security.

We think that the software definition boundary may become the rule change person. The right thing to do is to give it to the open source community, so that cloud computing is no longer something you have to think about.

-bob Flores, former CTO of CIA

In their view, the rise of cloud services has accelerated business dissatisfaction with traditional network boundaries, and new approaches must be adopted to protect data shared between cloud data centers, corporate networks, and mobile devices.

"Part of this innovation structure is proposing an easy way to adjust the boundaries," said Bob Flores, the CIA's former CTO. He is also one of the compilers of the software definition boundaries architecture document. CSA proposed this concept may change the person, the application and the Data Flow authorization authentication way, will require authentication before accessing the network.

The technology used in "Software definition boundaries" includes so-called "mutual TLS" based on digital certificate Exchange and strong authentication encryption, Vidder's CTO Jamaid Islam explains. He is also one of the compilers of the software definition boundaries architecture document. Other compilers of the architecture document are Jeff Schweitzer, chief innovation architect of Coca-Cola's corporate architecture and emerging technology director Alan Boehme,verizon.

Vidder's Islam says the CSA concept is ideal for achieving strong cloud security. This approach, which comes directly from the U.S. Department of Defense's High-security network, can be embedded in a variety of SDN products currently available on the market. The advantage of CSA is that it can achieve a so-called "black box" network, that is, the Internet can not see the network, and therefore more difficult to attack.

"The DoD network is a black box," Flores said. "It is very difficult to attack it, because in fact people do not know it exists, and do not see its interface." ”

Vidder's Islam admits that the success of this concept depends on whether the key management structure is in place in time. This, he says, could be where cloud service providers can work, and more and more cloud providers will provide their customers with a variety of hardware security modules (HSM). But enterprise customers still maintain their own key management processes within the enterprise. Islam says his business has built this high safety net to serve private businesses.

Flores said that a large enterprise is currently using CSA's "Software definition boundaries" in its production environment, and that the RSA Conference next year will see more news on the concept of industry support. CSA plans to make "software definition boundary" software as open source software for public use.

"We think the software definition boundary may become a rule-changing person." The right thing to do is to give it to the open source community, so that cloud computing is no longer something you have to think about. ”