Software Defined Perimeter: Reducing the Attack Surface
GTSC
August 17, 2017
Juanita Koilpillai
Waverley Labs
THE STATE OF CYBER SECURITY - STATUS QUO
•  Machine to Machine Connections FORCE securing machines
•  Access to Services allowed BEFORE Authentication
•  Firewalls are Static – ONLY network information
[Diagram: BUSINESS SERVICES behind the IT PERIMETER]
-  Conventional wisdom is just that – conventional
SMART COMPANIES ARE SAYING - CYBER SECURITY SOLUTIONS AREN’T GOOD ENOUGH!
•  VPNs - don’t scale, and once inside the network there is no control over what users can access without additional tools
•  Authentication - multi-factor vs. multi-level is hard to implement according to the guidelines; ID management is typically not tied to access control
•  Key Management - too many keys to manage effectively, i.e. user keys, device keys, encryption keys
•  Firewalls - are static, and the more rules that need to be added, the more maintenance they need; logs are hard to analyze in real time; onboarding applications is a long process; services are not exposed to just one user
•  Vulnerability/Patch Mgmt - the number of vulnerabilities is increasing, they are hard to prioritize, and IT is held hostage by old/legacy applications that are hard to upgrade
THE DIGITAL THREAT LANDSCAPE
Today, many paths exist to attack enterprises:
•  Insider threats within a user group (role)
•  External threats from all over the world
•  Insider threats across user group boundaries
Hackers can’t attack what they can’t see
Insiders can’t steal what they can’t see
Enter Software Defined Perimeters (SDP)
•  Connectivity
–  Based on need-to-know access model
–  Device posture & identity verified before access to application infrastructure is granted
•  Application infrastructure
–  Effectively invisible or black
–  No visible DNS information or IP addresses
•  Combines security protocols previously not integrated
–  Single Packet Authentication
–  Mutual Transport Layer Security
–  Device Validation
–  Dynamic Firewalls
–  Application Binding
•  Cloud Security Alliance adopted SDP for its membership
•  Follows NIST guidelines: crypto protocols & securing apps in cloud
SDP Architecture
[Diagram: SDP Controller, Protected Host and SDP Client Device, linked by a Control Plane and a Data Plane]
Current: Access in order to Authenticate – Firewall has only Network Info + Static
SDP: Perimeter has User Context + Dynamic Authentication Before Access
SDP Integration
[Diagram: SDP Controller, Protected Host and SDP Client Device, linked by a Control Plane and a Data Plane]
•  Firewall/Gateway provides network awareness
•  Application provides user awareness
•  Client provides device awareness
SDP cryptographically signs clients into the perimeter
1. Net-facing servers hidden
2. Legit user given unique ID
3. Legit user sends the token
4. Perimeter checks the token
5. Valid device + user = access
[Diagram: SDP Controller, Protected Host and SDP Client Device; Control Plane and Data Plane; AuthN + Encryption Key]
Use Case – Anti-DDoS
Today packet filtering and load distribution techniques affect all good traffic.
With SDP:
•  Hosts are hidden
•  Clients coordinate w/ multiple perimeters
•  Good packets known
•  Upstream routers informed about bad packets
•  Akamai (content distribution)
•  Avaya (networking hardware)
•  Verizon (network provider) etc.
[Diagram: SDP Client Device; Control Plane and Data Plane; AuthN + Encryption Key]
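The five-step flow on the previous slide (hidden hosts, controller-issued ID, client sends a token, perimeter checks it, valid device + user = access) and the anti-DDoS property on this one (good packets known, everything else dropped) as a toy gateway. This is an added illustration, not code from the slides, from Waverley Labs, or from the Cloud Security Alliance SDP specification: the token format (HMAC-SHA256 over a JSON body), the 30-second freshness window, the 300-second rule lifetime, and the client names, device fingerprints and IP addresses are all constructed assumptions.

```python
"""Toy SDP gateway: single-packet authorization in front of a hidden host.

Added illustration only. Token format, time constants and all sample
identifiers are assumptions, not the CSA SDP specification or any vendor's
protocol.
"""
import hashlib
import hmac
import json
import os
import time

SPA_WINDOW_SECONDS = 30    # assumed: how old a token may be and still count
RULE_TTL_SECONDS = 300     # assumed: how long an opened firewall rule lives


class Controller:
    """Control plane: enrolls clients, issues per-client keys and records
    which device fingerprints each client may connect from."""

    def __init__(self):
        self._keys = {}      # client_id -> secret shared with the gateway
        self._devices = {}   # client_id -> set of allowed device fingerprints

    def enroll(self, client_id, device_fingerprint):
        key = self._keys.setdefault(client_id, os.urandom(32))
        self._devices.setdefault(client_id, set()).add(device_fingerprint)
        return key

    def key_for(self, client_id):
        return self._keys.get(client_id)

    def device_allowed(self, client_id, device_fingerprint):
        return device_fingerprint in self._devices.get(client_id, set())


def make_spa(key, client_id, device_fingerprint, service, now):
    """Client side: one authorization packet, keyed by the enrolled secret."""
    body = {"cid": client_id, "dev": device_fingerprint, "svc": service,
            "ts": int(now), "nonce": os.urandom(8).hex()}
    msg = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, msg, hashlib.sha256).hexdigest()}


class Gateway:
    """Data-plane perimeter: default deny; a rule is opened only after a
    valid, fresh, unreplayed SPA from a client on an allowed device."""

    def __init__(self, controller, now=time.time):
        self.controller = controller
        self.now = now
        self.open_rules = {}     # (src_ip, service) -> expiry time
        self.seen_nonces = set()
        self.dropped = 0         # silently dropped packets (no reply ever sent)

    def handle_spa(self, src_ip, packet):
        body = packet["body"]
        key = self.controller.key_for(body.get("cid"))
        if key is None:                                       # unknown client
            return self._drop()
        msg = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, packet["tag"]):  # forged/tampered
            return self._drop()
        if abs(self.now() - body["ts"]) > SPA_WINDOW_SECONDS:  # stale token
            return self._drop()
        if body["nonce"] in self.seen_nonces:                 # replayed token
            return self._drop()
        if not self.controller.device_allowed(body["cid"], body["dev"]):
            return self._drop()                               # wrong device
        self.seen_nonces.add(body["nonce"])
        self.open_rules[(src_ip, body["svc"])] = self.now() + RULE_TTL_SECONDS
        return True

    def handle_data(self, src_ip, service):
        """Ordinary traffic is accepted only while a rule for it is open."""
        expiry = self.open_rules.get((src_ip, service))
        if expiry is None or expiry < self.now():
            self.open_rules.pop((src_ip, service), None)
            return self._drop()
        return True

    def _drop(self):
        self.dropped += 1
        return False


def demo():
    """Walk the five steps plus the failure cases; returns a result dict."""
    clock = [1_700_000_000]                  # constructed fixed clock
    ctrl = Controller()
    key = ctrl.enroll("alice", "dev-fp-1")   # constructed client and device
    gw = Gateway(ctrl, now=lambda: clock[0])
    results = {}
    # Step 1: the host is dark; a probe with no open rule gets nothing back.
    results["probe"] = gw.handle_data("203.0.113.9", "app:443")
    # Steps 2-5: enrolled user on an allowed device presents a fresh token.
    pkt = make_spa(key, "alice", "dev-fp-1", "app:443", clock[0])
    results["spa"] = gw.handle_spa("198.51.100.7", pkt)
    results["data"] = gw.handle_data("198.51.100.7", "app:443")
    # Failure cases the perimeter must reject without answering.
    results["replay"] = gw.handle_spa("198.51.100.7", pkt)
    results["wrong_device"] = gw.handle_spa(
        "198.51.100.7", make_spa(key, "alice", "dev-fp-x", "app:443", clock[0]))
    results["stale"] = gw.handle_spa(
        "198.51.100.7", make_spa(key, "alice", "dev-fp-1", "app:443", clock[0] - 600))
    clock[0] += RULE_TTL_SECONDS + 1         # the opened rule's lifetime elapses
    results["expired"] = gw.handle_data("198.51.100.7", "app:443")
    results["dropped"] = gw.dropped
    return results


if __name__ == "__main__":
    print(demo())
```

The two properties the slides rely on both come from the gateway never replying to anything it has not already authorized: an unenrolled probe and a flood of junk packets are indistinguishable from silence, so the host stays "black", and only packets carrying a valid token are ever counted as good. The freshness window and nonce set are what make it safe to accept a single packet at all; in a real SDP deployment the opened rule would then admit a mutual TLS handshake rather than raw application traffic.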
Open Source Community – Software Defined Perimeter
•  Coca-Cola: removing VPN and 2-factor AuthN has improved user experience
•  Coca-Cola: user access limited to a single connection to each authorized application – eliminating malware and information theft
•  Coca-Cola: removing access to business applications on the internet is reducing attacks
•  Mazda: easier to isolate authorized and unauthorized users/devices
•  Google: enabled BYOD and reduced the number of company laptops
SDP: New model with many benefits
•  Wrap applications in a black cloud – inaccessible by the bad guys
•  Simplifying what has been a complex landscape
–  Point products go to background
•  Clear vision to the security failure presenting greatest risk
•  Cost effective
–  Over time eliminate costs of some point solutions and the headcount to manage them
•  Less vulnerable to talent drain
–  SDP is smart
•  Lower risk: Effort equal to risk
–  Prioritize applications that present the greatest risk
–  Optimized by defining failure scenarios
•  Effective assurance for risk insurance
Continue the conversation . . .
Juanita Koilpillai
jkoilpillai@waverleylabs.com
linkedin.com/in/juanita-koilpillai-5551b111
Cybersecurity Assessments
SDP Design & Implementation
Definition of Failure Scenarios

Software Defined Perimeter - A New Paradigm for Securing Digital Infrastructures/ Systems
