CSO Perspectives (Pro) 5.23.22
Ep 78 | 5.23.22

Software Defined Perimeter (SDP): A Rick the Toolman episode.


Rick Howard: I've been binge-watching "Marvel: Agents of S.H.I.E.L.D." over at Disney+ for the last month or so. I have to say, if you're a Marvel fan or a science fiction fan or even just a super spy fan, this little TV show that ran on ABC from 2013 to 2020 is really quite good. Created by Joss Whedon of "Buffy the Vampire Slayer," "Firefly" and "The Avengers" fame, the production values are really quite high for a TV show created almost 10 years ago. And it's the perfect mindless entertainment I've been craving during the pandemic. I don't know about you, but these past two years, I've been steering clear of anything too real or too serious with the Howard family's evening entertainment activities. I just don't need any more stress in my day-to-day life as I try to forget this dumpster fire of a world right now with us just coming out of a pandemic, a senseless war in Europe and assaults on many fronts of our democratic liberal values in favor of authoritarianism. And "Agents of S.H.I.E.L.D." is a perfect palate cleanser.

Rick Howard: There's this trope in spy movies where the good guys eventually decide that they need to talk to the bad guys before the last act happens, when they all try to kill each other. Watching "Agents of S.H.I.E.L.D." last night, I had an epiphany. I noticed that the good guys don't grab an Uber, rock up to the bad guys' evil lair, knock on the door and say, hey, got a minute? 


Tim Allen: (As Tim Taylor) Oh, no. 

Rick Howard: No. That's just not how it's done. Instead, the good guys meet with the bad guys at some agreed-upon location nowhere near the evil lair. Some vetting gets done on both sides in the form of weapons pat-downs and insult trading, which are usually quite funny. And then once both parties are satisfied, the bad guys put bags over the good guys' heads and whisk them off to some safe house somewhere. And I said to myself, isn't that weirdly similar to how a software-defined perimeter, or SDP, works? And I hear what you're thinking. I feel you looking down your noses at me, saying only Rick could connect the dots from superhero stories to probably the best innovation in identity and access management since AT&T patented the idea of two-factor authentication in 1995. Well, yes, of course that's true, and you're welcome. 


Tim Allen: (As Tim Taylor) Oh, yeah. 

Rick Howard: But I guess that means we need to break out the Rick the Tool Man toolbox and explain what SDP is, how we got there and why it represents a better architecture for our zero-trust, first-principle strategy. 

Rick Howard: My name is Rick Howard, and I'm broadcasting from the CyberWire's secret sanctum sanctorum studios, located underwater, somewhere along the Patapsco River near Baltimore Harbor. And you're listening to "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. 

Rick Howard: When the internet really started to take off for commercial and normal everyday people in the mid-1990s, the security architecture of choice was something called defense in depth. The idea was that you would place multiple security tools in the path of any would-be adversary group. And if they managed to get past the first one, then the second one would stop them. If that failed, then the third one would, et cetera, et cetera.


Yul Brynner: (As King Mongkut) When I shall sit, you shall sit. When I shall kneel, you shall kneel, et cetera, et cetera, et cetera. 

Rick Howard: When security professionals talk about the security stack today, this defense-in-depth collection of security tools is mostly what they're referring to. In those early days, most of us only had three tools - a firewall, an intrusion detection system and an antivirus system. And that established the defensive perimeter between our organization and the internet. In other words, we used the security stack to create a barrier between the wild, wild West that was the internet and our bastion of commercial and personal activity. That was great if you worked inside the perimeter all day long and didn't have to go to the internet for anything. But what happened immediately were all these exceptions. 

Rick Howard: Our stated security policy was that we were going to block everything at the firewall that we didn't trust. But for all kinds of good business reasons, we had to punch holes through the firewall to allow contractors, partners and employees who operated outside the firewall to access the things they needed inside the firewall. Sometimes, we would just open up the firewall with specific rules for each exception. By the 2000s, though, we would just give them access to those resources via a virtual private network connection, or VPN. 

Rick Howard: The difference between coming straight through the firewall and using a VPN can be found at layer three of the TCP/IP stack, the network layer. With a VPN, the client establishes a secure tunnel, an encrypted path at layer three to the VPN server on the inside of the perimeter. Think of coming straight through the firewall as akin to walking through the front door of your office building. As you badge in with the card reader and work your way through the security checkpoint, everybody can see what you're doing. With a VPN, though, it's like you're in a "Star Trek" TV show. You walk into a transporter room on the outside of the firewall and pop out on the inside of the firewall, completely bypassing any security. 

Rick Howard: This is great for the VPN user in that nobody in the middle of that communications path can observe the data that both sides are transmitting, especially the firewall. It's all encrypted. The bad news for the security team is that you can't monitor traffic for malicious behavior. If you're running all that traffic through a security stack, like a firewall and an intrusion detection system, it doesn't matter. Whatever magic you thought your security stack was doing isn't happening because you can't see the data. 

Rick Howard: Both architectures, straight through the firewall and VPNs, are just poor designs. Leaving holes in the firewall for employees to get through also provides bad guys the same opportunity. If they manage to sneak through one of the holes, they basically have access to everything inside the perimeter. VPNs are worse in that the tunnel completely bypasses the security stack altogether. In our "Agents of S.H.I.E.L.D." analogy, this architecture is similar to the good guys rocking up on the bad guys' evil lair and knocking on the door. They know where it is, and now it's just a matter of time until they find an unlocked door or an open window that they can sneak through. And I know you're asking yourself, if the spies in the movies know this is a bad idea, why is the security community doing it in the real world? Isn't there a better design? Well, of course there is. 

Rick Howard: In the early 2000s, the U.S. military started experimenting with the idea of deperimeterization under the project name The Jericho Forum. The idea was to decouple the identification and authorization functions away from the sensitive workloads. In other words, you wouldn't connect to a system by going through the firewall or through a VPN tunnel and then try to log into it. Instead, you connect to a separate system, an SDP controller outside the firewall that verifies your identity and validates that you have a need to know and a need to access.

Rick Howard: If you're authorized, then the SDP controller establishes a VPN-like tunnel connection between you and the workload but to nothing else. That system hides the workload and all the workloads in a kind of black cloud, as the DOD called it. In other words, any random bad guy on the internet couldn't easily see or find the sensitive workloads protected behind the perimeter. All they can see is the SDP controller handling the identity and authorization functions. 

Rick Howard: This is more akin to the "Agents of S.H.I.E.L.D." model and to our zero-trust strategy. You go to a mutually agreeable spot, validate each other and then get whisked off to a safe house, not the entire evil lair. Unfortunately, the DOD never built it. It was a proof of concept that never materialized. 


Tim Allen: (As Tim Taylor) Oh no. 

Rick Howard: In 2010, Google announced a breach of their systems by the Chinese government that came to be known as Operation Aurora. In the weeks that followed, we learned that there wasn't just one Chinese government entity operating inside the Google network. There were three - the Chinese equivalents of the FBI, the Department of Defense and the CIA. And, in a nod to government bureaucracies everywhere, they each didn't know the other two were in there until Google went public with the information. Fun fact - my editor, John Petrik, reminded me that one of the indicators of Chinese government involvement back then was the time when the attacks occurred, mostly between 9 and 5, Shanghai time. It was as if the Chinese hackers were checking in on a time clock.


Mel Blanc: (As Ralph Wolf) Morning, Sam. 

Mel Blanc: (As Sam Sheepdog) Oh, morning, Ralph. 

Rick Howard: I remember back in those days when we all thought how significant time zones were in attribution. If the attacks occur between 9 a.m. and 5 p.m. Moscow time, then of course, the Russians did it. In hindsight, that seems a bit naive. Today, if I'm planning an offensive cyber operation, there would always be a false flag component to emulate some known adversary attack sequence along the intrusion kill chain, like the Russian Sandworm campaigns or the Chinese Keyhole Panda campaigns or the Iranian OilRig campaigns, and then leave behind time zone traces that match. I'm just saying.

Rick Howard: In response to the Aurora attack, Google's site reliability engineers, or SREs, redesigned their internal security architecture from the ground up using the concepts of deperimeterization and the zero-trust philosophy. A few years later, they released a commercial product called BeyondCorp that incorporated many of the ideas they developed internally. In 2013, the nonprofit Cloud Security Alliance announced their Software-Defined Perimeter Initiative and released their 1.0 specification a year later. And then in 2020, NIST released their zero-trust architecture document that outlines some of the early discussion of software-defined perimeters. Finally, this year, 2022, the Cloud Security Alliance announced version 2.0 of its specification document. 

Rick Howard: Today, deperimeterization is known in the industry as software-defined perimeter, an unfortunate name because, as I have said, it has nothing to do with perimeter defense at all. There is no perimeter anymore. It completely decouples the login process from the workload. If I were in marketing, I would call it something like, you know, a software-defined wormhole or a black-hole identity and authorization system or maybe even identity and authorization-dex. Maybe I should just stick to cybersecurity and leave the marketing to the professionals. 

Rick Howard: To my mind, SDP is by far a superior cybersecurity first-principle tactic and is better suited to help us accomplish our zero-trust initiatives. It comes built in with an identity and authorization function to implement our need-to-know policies and keeps access to workloads limited to only the people and applications that should have access to them. Unfortunately, the architecture is not widely known, despite the best efforts of the Cloud Security Alliance and the NIST. 

Rick Howard: In a survey done by the Cloud Security Alliance back in 2020, only a quarter of the respondents even had heard about it. For those that did, they said the No. 1 reason that prevented adoption is that it was too hard to rip and replace existing security technologies to do so. That's unfortunate. If zero trust is indeed a cybersecurity first principle, SDP is most likely in the long-term path of tactics to get us there, and it has the added benefit of matching exactly the "Agents of S.H.I.E.L.D." model of identity and authorization. 

Rick Howard: And that's a wrap. One last thing - I wrote a companion essay to this show, as I do for all shows. But at the end of this one is a small timeline of SDP authentication, history and evolution. You can find the link to it in the show notes. Next week in the U.S. is Memorial Day weekend, which means it's a three-day holiday for us here at the CyberWire. The impact to you is no soup for you next week. 


Larry Thomas: (As Yev Kassem) Nothing for you. 

Rick Howard: But no worries. The week after, I'll be doing the last Rick the Tool Man episode of this season, this time on intelligence sharing. You don't want to miss that. As always, if you have thoughts about this week's show or any thoughts in general, send them to csop@thecyberwire.com. That's csop@thecyberwire - all one word - .com. The CyberWire's "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design and original score. And I am Rick Howard. Thanks for listening.