Virtualization, which substitutes software for hardware, has reduced costs and improved performance and flexibility in corporate computing, paving the way for modern data centers and certain kinds of cloud computing. Now Coca-Cola and other companies are betting that virtualization will help them make a comparable leap forward in security.
Coca-Cola refers to the technology, part of an internal experiment, as a software defined perimeter. The old notion of a network perimeter defended by firewalls, often hardware-based, and other security appliances is long out of date. A software defined perimeter addresses the fluid edge of the network in an era of mobile devices, the cloud and Internet-connected objects such as vending machines and cars.
The company has joined forces with Verizon Communications Inc., Mazda Motor Corp. and other members of the non-profit Cloud Security Alliance to develop specifications for SDP. The effort is driven by technology users rather than by vendors, participants say. The research initiative began in December 2013 and has yielded the first version of an SDP specification. Coca-Cola currently is trialing the new security model, said Alan Boehme, chief enterprise architect at the company, speaking March 17 at a conference in Silicon Valley. “If you look at what the challenges are in corporations today, it’s agility, speed to market. We’re moving more and more things into the cloud, every corporation is,” he said. Mr. Boehme said he wanted to securely enable business as Coke moves to software as a service and platform as a service. “The perimeter has been dead for years but nobody has really acknowledged it,” he said. Verizon is considering the use of the technology both for its employees and for its customers, Jeffrey Schweitzer, chief innovation architect at Verizon Enterprise Solutions, told CIO Journal.
There are skeptics in the security industry who question whether the concept will work. One U.S. government security expert, who declined to speak for attribution, suggested that the new security model, which positively identifies approved users through their devices, could exacerbate the theft of mobile devices. But if efforts such as the Coca-Cola trial are successful, the technology will be a direct replacement for network security appliances such as firewalls, virtual private networks and network access control devices, said Junaid Islam, co-chair of the software defined perimeter working group and president and CTO of Vidder Inc.
If SDP takes off, it could affect suppliers such as Cisco Systems Inc., Check Point Software Technologies Ltd. and Fortinet Inc. Those companies had the largest worldwide sales of network security appliances in the fourth quarter of 2014, according to the IDC Worldwide Quarterly Security Appliance Tracker, released March 12. In 2014, the worldwide market for these network security appliances was $9.4 billion, according to IDC.
Cisco and Fortinet did not respond to a request for comment. Check Point said in a statement that it provides software security solutions with its Software Blade technology that can operate on security appliances or in public or private virtual clouds.
“We’ve been looking for a number of years at how you change the game without making a major investment,” said Coca-Cola’s Mr. Boehme, speaking at a September conference about the new security model. “We had this perimeter and we had a concept that we were going to defeat the bad guys with a perimeter,” he said, adding that a perimeter alone won’t work.
Today, employees typically access corporate applications by using the domain name system to locate an application and then providing a user name and password, sometimes together with a token such as a key fob or a smart card. The biggest problem with this model is that applications are easy to find: their names resolve and their servers accept connections before anyone has authenticated, which opens them up to denial of service and other types of attacks that overwhelm servers with massive amounts of traffic.
The new scheme first authenticates an employee’s device and then confirms his or her identity. After determining which corporate software or cloud services that employee has permission to access, the system sets up a one-time-use virtual private network to those specific apps or cloud services only. Project participants say this structure makes stolen passwords and tokens far less useful, since a credential alone does not get an attacker in without a registered device, and helps protect against distributed denial of service attacks and against intrusions in which cybercriminals move laterally through corporate networks to reach systems that harbor intellectual property or credit card numbers.
The technology these SDP developers use exists in the public domain, which means that companies won’t have to buy expensive proprietary software to create software defined perimeters. Most major corporations have identity management systems and public key infrastructure, the hardware and software that support the management of digital certificates. They also typically support SAML, the Security Assertion Markup Language, an open format for exchanging authentication and authorization data among parties. SDP makes use of those building blocks. “It’s just tying the pieces together in a different manner,” said Mr. Boehme, speaking March 17 on a panel at a Security Innovation Network conference in Silicon Valley.
In the new model, employees pre-register any computer, tablet or phone that they plan to use with a cloud service that hosts the software defined perimeter and serves as a controller. Vidder Inc. is the only company that offers a software defined perimeter controller at the moment. Since the technology is in the public domain, any company could make and sell controllers, which can be either a cloud service or a piece of software, said Mr. Islam.
The controller issues a 64-bit number that serves as the employee’s trusted ID. That ID is used to generate a secure token, in much the way Twitter users can have Twitter send a login code to their phones for an extra layer of protection. When the device connects again, it identifies itself as a trusted device. The user’s credentials are then relayed through the controller to the enterprise identity system, which could be a SAML identity provider or Active Directory, Microsoft’s directory service for Windows.
This setup is designed to stop different types of attacks such as denial of service: SDP hides the DNS names and IP addresses of the applications behind gateways that sit in front of the servers, so an unauthenticated client has nothing to resolve or connect to. Theft of credentials such as user names and passwords or certificates, which was a factor in the Target breach, is addressed with multifactor authentication and the rule that users can only log on from pre-registered devices.
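The flow described above (device first, then user, then entitlement, then a one-time connection to one specific app behind a default-deny gateway) reduced to a runnable toy in Python. This is an added illustration by the editor, not the Cloud Security Alliance specification and not Vidder's controller; the HMAC challenge used as device proof, the PBKDF2 password store standing in for Active Directory or a SAML identity provider, the 60-second token lifetime, the key shared between controller and gateway, and the user, app and policy names are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time


class IdentityStore:  # stand-in for the enterprise identity system (Active Directory or a SAML IdP)
    def __init__(self):
        self._users = {}  # username -> (salt, PBKDF2 digest)

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def verify(self, username, password):
        rec = self._users.get(username)
        return rec is not None and hmac.compare_digest(
            rec[1], hashlib.pbkdf2_hmac("sha256", password.encode(), rec[0], 100_000))


class Controller:  # registers devices; checks device, then user, then entitlement; mints one-time tokens
    def __init__(self, idp, policy):
        self.idp = idp
        self.policy = policy        # username -> set of apps that user may reach (assumed policy)
        self.devices = {}           # 64-bit trusted ID -> (owner, per-device key)
        self.gateway_key = secrets.token_bytes(32)  # shared with the gateways (assumption)
        self._challenges = set()    # outstanding nonces, each usable once

    def register_device(self, username):
        # Pre-registration: the device receives a 64-bit trusted ID and a key bound to it.
        device_id, device_key = secrets.randbits(64), secrets.token_bytes(32)
        self.devices[device_id] = (username, device_key)
        return device_id, device_key

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._challenges.add(nonce)
        return nonce

    @staticmethod
    def device_proof(device_key, nonce, app):
        # Computed on the device over a fresh challenge: proves it holds the registered key.
        return hmac.new(device_key, nonce + app.encode(), "sha256").digest()

    def request_access(self, device_id, nonce, proof, username, password, app):
        # 1. Device first: an unregistered or unproven device gets nothing, whatever it knows.
        if nonce not in self._challenges or device_id not in self.devices:
            return None
        self._challenges.discard(nonce)
        owner, device_key = self.devices[device_id]
        if not hmac.compare_digest(self.device_proof(device_key, nonce, app), proof):
            return None
        # 2. Then the user, who must be the registered owner of that device.
        if username != owner or not self.idp.verify(username, password):
            return None
        # 3. Authorization: only the apps this user is entitled to.
        if app not in self.policy.get(username, set()):
            return None
        # 4. Short-lived, app-bound, single-use token the gateway will honour (60 s lifetime is assumed;
        #    fields are assumed to contain no '|').
        payload = f"{secrets.token_hex(16)}|{username}|{app}|{int(time.time()) + 60}"
        return payload + "|" + hmac.new(self.gateway_key, payload.encode(), "sha256").hexdigest()


class Gateway:  # fronts one application, default-deny: without a valid token the app is unreachable
    def __init__(self, app, gateway_key):
        self.app, self.key, self.used_ids = app, gateway_key, set()

    def connect(self, token):
        if token is None or token.count("|") != 4:
            return False
        token_id, user, app, expiry, mac = token.split("|")
        payload = f"{token_id}|{user}|{app}|{expiry}"
        if not hmac.compare_digest(hmac.new(self.key, payload.encode(), "sha256").hexdigest(), mac):
            return False
        if app != self.app or int(expiry) < int(time.time()) or token_id in self.used_ids:
            return False
        self.used_ids.add(token_id)  # one-time use: a replayed token is refused
        return True


def run_demo():
    # Constructed scenario: one user, one registered device, two gateways. Returns allow/deny per case.
    pw = "correct horse battery staple"
    idp = IdentityStore()
    idp.add_user("alice", pw)
    ctl = Controller(idp, {"alice": {"payroll"}})
    payroll, crm = Gateway("payroll", ctl.gateway_key), Gateway("crm", ctl.gateway_key)
    dev_id, dev_key = ctl.register_device("alice")

    def ask(device_id, key, password, app):
        nonce = ctl.challenge()
        return ctl.request_access(device_id, nonce, Controller.device_proof(key, nonce, app), "alice", password, app)

    good = ask(dev_id, dev_key, pw, "payroll")
    return {
        "registered_device_valid_user": payroll.connect(good),
        "replayed_token": payroll.connect(good),
        "token_used_at_wrong_app": crm.connect(ask(dev_id, dev_key, pw, "payroll")),
        "stolen_password_unregistered_device": payroll.connect(ask(secrets.randbits(64), secrets.token_bytes(32), pw, "payroll")),
        "user_not_entitled_to_app": crm.connect(ask(dev_id, dev_key, pw, "crm")),
        "wrong_password": payroll.connect(ask(dev_id, dev_key, "wrong", "payroll")),
    }
```

`run_demo()` returns one allow/deny outcome per case: only the registered device presenting the correct password reaches the app its user is entitled to, while a replayed token, a token presented at another app's gateway, a correct password coming from an unregistered device, a request for an app the user is not entitled to, and a wrong password are all refused. That is the property the participants describe. Note what the toy does not model: a stolen, registered device that still carries its key, which is the concern the government expert raised above, and which the real deployment has to answer with device revocation at the controller.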
The participants acknowledge that no security solution is perfect. SDP doesn’t work if a company’s identity systems aren’t up to date, a struggle for many companies. One criticism participants say they’ve gotten from others is that the solution is too simple. In response, the Cloud Security Alliance has held two hackathons at security conferences in the past year, even offering a $10,000 prize last fall to anyone who could overcome the defenses. At last fall’s event, billions of packets were fired at the SDP by individuals in 100 countries over the course of a month. Nobody was able to break in, a result that shows the gateway withstood the attacks that were tried against it rather than that the design has no weaknesses.
At the RSA security conference in April, the group plans to host another hackathon and invite people to hack into the system and retrieve target information from the protected file server. Robert Flores, the former chief technology officer of the Central Intelligence Agency, has been advising the CSA group on the project. This time they’re even going to give out Mr. Flores’ password to the hackers.
Source: WSJ
By RACHAEL KING