Extending Software Defined Perimeters to the Cloud and Beyond

By Doug Johnson, VP Strategic Alliances

As the world moves to a software defined everything model, traditional network security needs to adapt to an entirely new approach to solving basic problems. This is evolution in motion, albeit at a much faster speed than nature moves. Let’s look at one such evolution called Software Defined Perimeter (SDP) and how BlackRidge Technology is collaborating with Cisco Systems® to extend security perimeters to multi-cloud, IoT and other network environments.

Network security has always been evolving, usually as the result of new security threats. The need to prevent unauthorized people from accessing your network resulted in firewalls. The need to allow authorized remote users to connect through your firewall to access your network resulted in VPNs. Unfortunately, tools like these are difficult to manage in dynamic environments, unable to make decisions based on user context, and operate on a “connect first, authenticate second” model. They now inhibit the latest evolution in network security – the need to dynamically and adaptively segment your network on a per-user or per-device basis without redeploying resources.

SDP is a result of work done within the U.S. Department of Defense to create a new approach to providing dynamically segmented networks. A group of network-connected devices, usually disparate, is presented as accessible to an entity (user, IoT device, etc.) based on rules that are created and maintained in software. The entity is authenticated by the software, and network access is provided based on the entity’s attributes (group membership, locale, etc.). The evolution that SDP brings about is to change the networking model to “authenticate first, connect second.”

Let’s look at a typical enterprise use case – how to secure access to an application that has migrated to a cloud. Unfortunately, a cloud environment is completely virtual, and the enterprise does not control its internal network security. As computing resources are moved to the cloud and between clouds, there is a need to automate and maintain consistent and compliant control over network access, and to deliver a seamless experience for the end user. This requires not only disparate cloud management and security tools, but that they integrate with the tools currently in use for the on-premise datacenter.

A wise duck once said: “Work smarter, not harder.” Enterprises have already invested in many on-premise security management solutions. We should look to extend those security controls to the cloud. Not just to the cloud, but to anywhere, regardless of network boundary or intermediary technology. To provide this evolutionary SDP solution, BlackRidge Technology partnered with Cisco Systems to integrate BlackRidge Transport Access Control (TAC) with Cisco Identity Services Engine (ISE).

Cisco customers implement ISE to manage identity and drive Access Control Lists (ACLs) for their connected network devices.

When a user accesses a network, their credentials are passed to Cisco ISE and validated. At that point rules are pushed to the Cisco network devices that define their perimeter. BlackRidge has created an ISE Agent that integrates with Cisco pxGrid to detect when ISE authenticates a network device so we can extend access for that device to relevant cloud resources. The resources in the cloud are then protected by a BlackRidge TAC gateway, where policies allowing access are created that correspond to the ISE attributes of the user or network device (user context awareness). This enables unified policy management and audits based on Cisco ISE for hybrid cloud and converged IT and IIoT networks.
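The flow in the paragraph above, reduced to a toy model: a session event from an identity source is translated into per-identity allow rules on a default-deny gateway, and the gateway refuses any connection that has no authenticated session behind it. This is an added example, not BlackRidge or Cisco code; the event shape, group names and resource names are constructed assumptions, not the pxGrid or TAC formats.

```python
from dataclasses import dataclass, field

# Constructed policy (assumption): identity groups -> cloud resources they may reach.
GROUP_POLICY = {
    "finance": {"erp.cloud.example"},
    "engineering": {"ci.cloud.example", "git.cloud.example"},
}


@dataclass
class Gateway:
    """Default-deny gateway: an identity with no entry may connect to nothing."""
    allowed: dict = field(default_factory=dict)  # identity -> allowed resources

    def on_session_event(self, event: dict) -> None:
        """Translate an identity-source session event into per-identity rules."""
        ident = event["identity"]
        if event["state"] == "STARTED":
            resources = set()
            for group in event.get("groups", []):
                resources |= GROUP_POLICY.get(group, set())
            self.allowed[ident] = resources
        elif event["state"] == "DISCONNECTED":
            self.allowed.pop(ident, None)  # revoke when the session ends

    def admit(self, ident: str, resource: str) -> bool:
        """Authenticate first, connect second: no active session, no connection."""
        return resource in self.allowed.get(ident, set())


def demo() -> dict:
    gw = Gateway()
    # Constructed session events (hypothetical shape, not a real pxGrid payload).
    gw.on_session_event({"identity": "alice", "groups": ["finance"], "state": "STARTED"})
    gw.on_session_event({"identity": "bob", "groups": ["engineering"], "state": "STARTED"})
    results = {
        "alice_erp": gw.admit("alice", "erp.cloud.example"),
        "alice_ci": gw.admit("alice", "ci.cloud.example"),
        "bob_ci": gw.admit("bob", "ci.cloud.example"),
        "unknown_erp": gw.admit("unknown", "erp.cloud.example"),
    }
    gw.on_session_event({"identity": "alice", "state": "DISCONNECTED"})
    results["alice_erp_after_logout"] = gw.admit("alice", "erp.cloud.example")
    return results
```

The last entry shows the point of tying gateway rules to the identity session: when the session ends, the cloud-side access disappears with it.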

To develop this solution, BlackRidge joined the Cisco Security Technology Alliance program, and Cisco announced BlackRidge as a new pxGrid solution partner in the post “How Alliances Strengthen Your Cybersecurity Defenses.” Given the speed at which the world is changing, alliances like these strengthen your cyber defenses by bringing unique capabilities together to create a better solution. Just like with evolution in nature, those that evolve to the new world will survive. Those that can’t will be on display in your local computer history museum.