SDP advantages
Disadvantages of existing technologies
VPN technology
VPNs give remote users secure access to VLANs or network segments as if they were physically on the corporate network. This approach, especially when combined with multi-factor authentication, works well for enterprises with a traditional perimeter and static user and server resources. But as Gartner put it: "DMZs and traditional VPNs were designed for the networks of the 1990s and are outdated because they lack the agility needed to protect digital services."
VPNs have two disadvantages that make them unsuitable for today's needs. First, they provide only coarse-grained access control: a user either gets the whole allocated network or none of it. Trying to configure a VPN to give different users different levels of access is impractical.
Second, even if the company is satisfied with the level of control a VPN provides, the VPN is an isolated solution that controls only remote users. It does nothing to protect against internal users, so the organization needs a completely separate set of technologies and policies to control internal access, and the effort of coordinating and aligning the two solutions more than doubles the work.
Gartner predicted: "By 2021, 60% of enterprises will phase out VPNs in favor of software-defined perimeters (although SDP adoption was under 1% in 2016)."
Jump box
A jump box (also called a bastion or springboard host) is a server whose purpose is to let users in a less secure zone reach servers or services running in a more secure zone. It has several limitations:
● It is not a multi-user system; it is built for a single user to reach a protected server.
● It is designed for occasional access, for example by system administrators, rather than for continuous access.
● For every server behind the jump box, access is all-or-nothing: a user who authenticates to the jump box can reach all services, and one who cannot reaches none.
● If the jump box, or the device of a user who has logged into it, is compromised, the entire network behind it is exposed.
● User access is difficult to track for compliance checks.
A jump box is therefore not a suitable solution for cloud access control.
Summary of SDP advantages
Policy is based on the user, not on the IP address
Because an SDP system is user-centric, it verifies the user and the device before granting any access. This lets companies build access policies on user attributes, enforce the principle of least privilege, and apply fine-grained access control. By using directory group memberships, IAM-assigned attributes, roles, and so on, companies can define and control access to cloud resources in terms that are meaningful to the business, to security, and to compliance. Traditional network security, by contrast, is based only on IP addresses and does not consider the user at all.
Identity management
SDP and IAM naturally complement each other in several ways.
First, SDP implementations are usually designed to use the IAM system that is already deployed for authentication, which speeds up SDP adoption. Authentication can be done against an LDAP or AD server, or through a standard such as SAML.
Second, SDP implementations typically use the user's IAM attributes, such as directory group membership, directory attributes, or roles, as elements of SDP policy.
Finally, the SDP system can be tied into the identity lifecycle managed by the IAM system. For example, when the IAM system creates a new account, the SDP system should create the corresponding network entitlements, and when the account is disabled those entitlements should be withdrawn.
The SDP Controller trusts a third-party IAM system for user authentication and identity lifecycle management. So when a third party deactivates a user in its own IAM system, that user automatically loses access to SDP-protected resources, because they can no longer pass federated authentication. This federation neatly solves the common problems of third-party access.
Pre-authentication and pre-authorization
SDP relies on pre-authentication and pre-authorization as its two basic pillars. Until a client has been authenticated and authorized, no packets reach the protected server, so cloud resources are completely invisible to unauthorized users. This removes many attack vectors from the unauthenticated attack surface outright, including brute-force attacks, flooding attacks, and attacks on TLS weaknesses such as Heartbleed and POODLE. (The services themselves still need patching: an authorized user, or an attacker who has compromised an authorized device, can still reach them.)
Operational efficiency
Compared with the manual work usually needed to reach a given level of security, the automated policy enforcement performed by SDP offers significant operational benefits.
Simplified compliance
Because the AH logs and controls all IH network traffic, SDP can provide detailed visibility into every user's access, and compliance reports can be generated automatically from this information.
Cost reduction
SDP can help organizations reduce costs in several ways. First, it reduces the manual labor needed for IT tasks, which directly lowers the cost of an outsourced IT model and reduces the need to hire additional staff. Second, streamlined compliance reduces the time and effort needed to prepare for and carry out audits. Both activities often involve third-party consultants, so every hour saved is a direct cost saving. Finally, SDP can replace other technologies, such as NAC, which also saves money.
SDP application scenarios in IaaS
Secure developer access to the IaaS environment
Developers need access to IaaS resources for development, testing, and deployment. These users need to reach a variety of ports and protocols on an ever-changing set of IaaS resources.
Access control without SDP
Several developers need access to two private cloud network environments. They have different access requirements and sit in many different locations. The cloud firewall is the only control point for network traffic; it is essentially a simple allow table that maps source IP addresses to target servers and ports.
Access control with SDP
The SDP deployment is as follows. The Controller runs somewhere reachable by all users: either a publicly accessible location in the cloud, or the DMZ at company headquarters. Access to the Controller is protected by Single Packet Authorization (SPA), so exposing it does not add meaningful risk: it answers nothing but a valid SPA packet.
After the Controller has verified the IH, the IH reaches the resources on the private cloud network through the AH. The AH is also protected by SPA, and all IH traffic crosses the network in an encrypted tunnel. The AH enforces access policy per user to implement the principle of least privilege. An AH sits at the entry point of each private cloud network and controls all inbound traffic.
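The following is an added illustration of the SPA mechanism just described; it is not code from this page, from the CSA specification, or from any SDP product. The IH builds one datagram carrying its client ID, the service it wants, a timestamp and a nonce, all bound by an HMAC over a shared secret; the gateway (Controller or AH) verifies the tag, rejects stale or replayed packets, and only then records a short-lived allow rule for that source address. The field layout, the shared-secret model, the 30-second skew window and the 60-second rule lifetime are assumptions chosen for the example, not the specification's wire format.

```python
import hashlib
import hmac
import os
import time

# Constructed example data: in a real deployment each IH gets its own
# provisioned secret; this one is made up for the illustration.
CLIENT_ID = b"ih-0001"
IH_SECRET = b"constructed-secret-for-ih-0001"
MAX_SKEW = 30          # seconds; assumed freshness window
RULE_TTL = 60          # seconds; assumed lifetime of the firewall opening


def build_spa(secret, client_id, service, now=None, nonce=None):
    """IH side: one datagram = client_id|service|timestamp|nonce|hmac.
    (Simplified layout chosen for this example, not the CSA wire format.)"""
    ts = int(time.time() if now is None else now)
    nonce = os.urandom(16) if nonce is None else nonce
    body = b"|".join([client_id, service, str(ts).encode(), nonce.hex().encode()])
    tag = hmac.new(secret, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class SpaGateway:
    """Controller/AH side: drop everything except a valid, fresh, unseen SPA
    packet, then open the service for that source for a short time.
    Failures return a reason here for testing; on the wire they are silently
    dropped so an unauthenticated sender learns nothing."""

    def __init__(self, secrets, max_skew=MAX_SKEW, rule_ttl=RULE_TTL):
        self.secrets = secrets          # client_id -> shared secret
        self.max_skew = max_skew
        self.rule_ttl = rule_ttl
        self.seen = set()               # (client_id, nonce) already accepted
        self.rules = {}                 # (src_ip, service) -> expiry time

    def verify(self, datagram, now=None):
        now = time.time() if now is None else now
        parts = datagram.split(b"|")
        if len(parts) != 5:
            return False, "malformed"
        client_id, service, ts_raw, nonce_hex, tag = parts
        secret = self.secrets.get(client_id)
        if secret is None:
            return False, "unknown client"
        # Check the MAC first, in constant time, so that nothing after this
        # point is driven by unauthenticated input.
        expected = hmac.new(secret, b"|".join(parts[:4]), hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag"
        try:
            ts = int(ts_raw)
        except ValueError:
            return False, "malformed"
        if abs(now - ts) > self.max_skew:
            return False, "stale"
        if (client_id, nonce_hex) in self.seen:
            return False, "replay"
        self.seen.add((client_id, nonce_hex))
        return True, service.decode()

    def handle(self, src_ip, datagram, now=None):
        """Process one inbound datagram; on success, open (src_ip, service)."""
        now = time.time() if now is None else now
        ok, info = self.verify(datagram, now)
        if ok:
            self.rules[(src_ip, info)] = now + self.rule_ttl
        return ok, info

    def is_open(self, src_ip, service, now=None):
        """Would a follow-up TCP connection from src_ip to service be let in?"""
        now = time.time() if now is None else now
        expiry = self.rules.get((src_ip, service))
        return expiry is not None and now <= expiry


if __name__ == "__main__":
    gw = SpaGateway({CLIENT_ID: IH_SECRET})
    pkt = build_spa(IH_SECRET, CLIENT_ID, b"ssh")
    print(gw.handle("198.51.100.7", pkt))      # (True, 'ssh')
    print(gw.handle("198.51.100.7", pkt))      # (False, 'replay'): same nonce
    print(gw.is_open("198.51.100.7", "ssh"))   # True, until RULE_TTL expires
```

The point the example makes concrete: an attacker scanning the AH's address sees a host that never answers, because the only thing that changes the gateway's state is a packet whose tag verifies under a secret the attacker does not hold; the timestamp and nonce checks stop a captured packet from being replayed to reopen the port.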
Comparison of the two approaches

Scenario 1: developers at headquarters
Requirements: Grace, Lou and Frank work at company headquarters and need to collaborate and reach ports 22 (SSH), 443 (HTTPS), 3306 (MySQL) and 3389 (RDP) on multiple server instances.
Challenge: All systems at headquarters (HQ) are NATed behind a single IP address, 216.58.219.228.

Without SDP
Method: The cloud firewall must be configured to allow traffic from 216.58.219.228 to all ports on all servers in the private cloud network, and those servers must be given publicly reachable IP addresses.
Impact:
● Every user and system on the company network has full access to the private cloud network, which violates the principle of least privilege and enlarges the attack surface. The cloud network can be scanned, and an attacker can exploit any vulnerability found.
● Server access is protected only by each server's own authentication, not controlled at the network level.
● Key management becomes a burden for developers.
● Compliance checks are harder, because every user can reach every system.

With SDP
Method: Each user establishes a mutually authenticated tunnel from his or her device (the IH) to the AH, and then connects to the target resource in the cloud through the AH.
The cloud firewall configuration becomes simpler:
● The AH is open to traffic from the entire Internet. Because it only lets SPA-authenticated IHs establish connections, it mitigates DDoS and other Web-based attacks to some degree.
● The protected resources sit on private IP addresses behind the AH and cannot be reached from the Internet. Their cloud firewall is configured to accept connections only from the AH's IP address.
Impact: Because each user's connection to the AH is established separately and is strongly authenticated, the AH can grant fine-grained access to cloud resources on a per-user basis. The company can define policies tied to users, devices and roles.
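As an added example, not code from this page or from any SDP product, the following Python models the access decision the two approaches make for Scenario 1, and at the same time illustrates the earlier points about user-centric policy built from IAM group membership, the IAM lifecycle (a deactivated account loses access immediately) and the per-user audit trail the AH produces. The server inventory, the group-to-port policy, the device-posture flag and the user records are all constructed for the example; the HQ NAT address and the four ports are the ones given in the scenario.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    """What the Controller learns about an IH from the IAM system (constructed)."""
    name: str
    groups: frozenset
    enabled: bool = True            # False once IAM deprovisions the account
    device_compliant: bool = True   # device posture reported at authentication


# Constructed inventory of the private cloud network: hostname -> role tag.
SERVERS = {"web-1": "web", "web-2": "web", "db-1": "db", "win-build-1": "build"}
PORTS = (22, 443, 3306, 3389)   # the ports from the scenario

# Assumed SDP policy: (IAM group, server tag) -> ports that group may reach.
# Anything not listed is denied: the AH never forwards it.
POLICY = {
    ("dev-web", "web"): frozenset({22, 443}),
    ("dba", "db"): frozenset({22, 3306}),
    ("win-dev", "build"): frozenset({443, 3389}),
}

HQ_NAT_IP = "216.58.219.228"
AUDIT = []   # every AH decision; the raw material for a compliance report


def legacy_firewall_allows(src_ip, dst_host, port):
    """The page's pre-SDP model: one source-IP rule grants every port on every
    server, and the firewall cannot tell which user sits behind the NAT address."""
    return src_ip == HQ_NAT_IP and dst_host in SERVERS


def ah_allows(user, dst_host, port):
    """AH decision for one (user, host, port) request, recorded for audit."""
    tag = SERVERS.get(dst_host)
    allowed = (
        user.enabled
        and user.device_compliant
        and tag is not None
        and any(port in POLICY.get((g, tag), frozenset()) for g in user.groups)
    )
    AUDIT.append((user.name, dst_host, port, "allow" if allowed else "deny"))
    return allowed


def visible_to(user):
    """The per-user view of the cloud: everything else is dark to this IH."""
    return sorted((h, p) for h in SERVERS for p in PORTS if ah_allows(user, h, p))


def access_report(name):
    """Compliance view: which hosts and ports this user was actually granted."""
    return sorted({(h, p) for (u, h, p, d) in AUDIT if u == name and d == "allow"})


if __name__ == "__main__":
    grace = User("Grace", frozenset({"dev-web"}))
    lou = User("Lou", frozenset({"dba"}))
    frank = User("Frank", frozenset({"win-dev"}))
    for u in (grace, lou, frank):
        print(u.name, visible_to(u))
    # Legacy rule: Grace's laptop (and every other HQ machine) reaches the DB.
    print(legacy_firewall_allows(HQ_NAT_IP, "db-1", 3306))    # True
    # SDP: the DB is invisible to Grace, reachable by Lou, and gone for Lou
    # the moment IAM disables his account.
    print(ah_allows(grace, "db-1", 3306))                       # False
    print(ah_allows(lou, "db-1", 3306))                         # True
    print(ah_allows(User("Lou", frozenset({"dba"}), enabled=False), "db-1", 3306))  # False
    print(access_report("Lou"))
```

Adding a new team member is then a change to the user's IAM groups or to POLICY, not a new firewall rule, and the audit list answers "who could reach what" without reconstructing it from NAT logs.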
Scenario 2: a remote developer on an untrusted network
Requirements: David is a developer who works remotely and must regularly reach multiple servers in the cloud from an untrusted network, such as a coffee shop. He also needs access to development resources on the HQ network. These services use multiple protocols and ports (22, 443, 3389).
Challenge: The coffee shop network is NATed behind a single IP address, 54.144.131.11.

Without SDP
Method: Configuring the cloud firewall to accept connections from the entire Internet is unacceptable, and allowing all traffic from 54.144.131.11 is also a serious security risk (everyone else on the coffee shop network shares that address), so David first connects by VPN to the company network and then reaches the cloud network from there.
Impact:
● David needs a VPN connection to the HQ network (he already needs one for local resources).
● All traffic must be hauled back to the company network and then out again, adding latency and bandwidth cost.
● The solution must at least meet the requirements of Scenario 1, which means all users and devices on the company network get full access to the cloud network.

With SDP
Method: David's device authenticates to the Controller, and only once it has passed can it reach the resources protected by the AH. David no longer needs a VPN to the company network, which improves network performance and reduces bandwidth cost.
Impact: Because traffic is encrypted from David's device all the way to the AH, there is little added risk even on public wireless or the public Internet. The cloud firewall configuration does not need to change. The AH is open to the Internet (but protected by SPA), so David can work efficiently wherever he is.
Scenario 3: a home-office developer with a separate environment
Requirements: Freddy is a developer working from a home office who needs to access a private cloud network that is separate from the rest of the team's. This environment holds sensitive information, so he has set up a VPN to reach it. He also needs access to development resources on the HQ network.
Challenge: Freddy's location does not change, but he needs continuous access to both the cloud and HQ resources, and for security both connections must be protected. He cannot run two VPNs on the same machine at the same time.

Without SDP
Method: Freddy reaches the two environments from different contexts on his development machine: he enters the cloud through a VPN inside a VM, and reaches the HQ network through a VPN running in his host operating system.
Impact:
● This approach hurts Freddy's productivity, because some of his tools and development tasks need access to both environments from the same system.
● Because Freddy is currently the only person using this environment, compliance and audit reporting is not yet a problem. But he knows that in a few weeks, as other team members join the project, he will have to track and report their access and manage it. Should he open the cloud firewall to everyone in the office? What about remote developers? Should he manage everyone's VPN access?

With SDP
Method: Freddy establishes a secure connection to the AH to reach the protected cloud resources.
Impact:
● He can keep his VPN to the office network up at the same time without any conflict with access to the cloud resources, because the SDP connection looks like an ordinary network connection rather than a VPN. Freddy becomes more productive.
● Freddy can easily control and report on access to these resources through a set of policies he designs. Giving a new user access is simply a matter of editing his policy or the user's attributes, and it lets him control access at a fine-grained level.