Back in World War II, citizens in many cities were required to turn off outdoor lights at night and cover their windows with heavy blackout curtains. By minimizing all light that could be seen from a plane, blackouts helped prevent enemy bombers from hitting their targets.
That same concept is being applied today in many data centers. Software-defined perimeter technologies essentially “black out” network segments so that sensitive data cannot be detected by unauthorized users.
Gartner recently named software-defined perimeter as one of the top security technologies in 2017. According to Gartner, “a software-defined perimeter defines a logical set of disparate network-connected participants within a security computing enclave. The resources are typically hidden from public discovery, and access is restricted via a trust broker to the specified participants of the enclave, removing the assets from public visibility and reducing the surface area for attack.”
In other words, the software-defined perimeter creates a virtualized network segment that abstracts applications and data from the underlying physical infrastructure. Access is restricted to authenticated users, who can only see those resources they’re authorized to access. All other segments are hidden from view so they cannot be compromised.
Software-defined perimeter effectively establishes a “network segment of one” that is unique for each user. Users must first authenticate with a controller before a gateway establishes an encrypted tunnel to the user’s device. Authorization is based on device, user and other contextual attributes. User sessions are provisioned as needed then shut down automatically to prevent unauthorized access.
The software-defined perimeter approach differs from traditional security models, in which users who have been authenticated at the perimeter to access a particular network segments can still see other segments. Because they are visible, those segments are identifiable targets.
Software-defined perimeter evolved from the U.S. Defense Information Systems Agency’s “need to know” model, and has been formalized as a specification published by the Cloud Security Alliance (CSA). It has been popularized by companies such as Google, with their BeyondCorp security model, as well as several other organizations that are active in CSA working groups.
Gartner predicts that through the end of 2017, at least 10 percent of enterprise organizations will leverage software-defined perimeter technology to isolate sensitive environments. According to Stratistics MRC, the global software-defined perimeter market totaled $737 million in 2015 and is expected to exceed $6 billion by 2022. That’s a compound annual growth rate of more than 35 percent.
Some of the key drivers of software-defined perimeter adoption include lack of cyber security talent, growing use of cloud-based applications, increasingly stringent regulatory compliance requirements, and demand for policy-driven, scalable and programmable security architectures. Moreover, rising numbers of network-connected devices associated with Internet of Things and Bring Your Own Device models are expected to contribute to the growth of the market.
Blackout drills have little value today — satellite-based navigation systems and night-vision goggles make it possible to locate military targets in low-light conditions. However, restricting visibility to authenticated users can dramatically boost network security. Software-defined perimeter effectively protects key resources by creating an “invisible infrastructure” that can’t be seen by attackers.