Orlando -- The Cloud Security Alliance (CSA) is putting forward an innovative encryption-based security architecture for software-defined networks and cloud environments that draws some of its inspiration from high-security networks used by the U.S. Department of Defense and intelligence agencies.
Called the "Software Defined Perimeter," the CSA's architecture plan calls for VPN-style authentication and encryption that would let a security process strictly determine the availability of services and applications in a cloud environment. At the CSA Congress this week, some of the technical authors of the proposed architecture spoke about why the CSA, whose mission is establishing best practices and standards for cloud security, is strongly backing the concept and what's expected of it in the future.
The rise of cloud-based services has accelerated the disappearance of traditional network perimeters and new methods need to be adopted to protect data that's shared with cloud data centers, corporate networks and mobile devices, they say.
"Part of this initiative is to come up with an easily adjustable way to adjust the perimeter," said Bob Flores, former chief technology officer at the Central Intelligence Agency and a contributor to the "Software Defined Perimeter" architecture document. The idea the CSA is proposing would change how people, applications and data flows are authenticated by requiring an identification step before any network access is granted.
The "Software Defined Perimeter" makes use of technologies such as "mutual TLS," based on digital certificate exchange and encryption, to achieve very strong identification, explained Junaid Islam, CTO at Vidder, who is also a contributor to the "Software Defined Perimeter" architecture document. Other co-authors include Alan Boehme, chief of enterprise architecture and emerging technologies at the Coca-Cola Company, and Jeff Schweitzer, chief innovation architect at Verizon.
Vidder's Islam said ideally the CSA's ideas for strong cloud security, which draw directly from Department of Defense high-security networks, would be built into the modern Software-Defined Network products now emerging in the marketplace. The advantage of CSA's plan is that it can achieve what's called a "dark" network that's hard to see on the Internet and thus much harder to attack.
"The DoD world is dark," said Flores during his talk about the new architecture yesterday evening. "It's extremely difficult to attack something you don't actually know exists, if they don't see the surface of the network."
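The mutual-TLS identification step described above, as an added example that is not CSA's or Vidder's code: a Go program that generates an enterprise CA, a service certificate and a client certificate in memory, runs a loopback service that requires every caller to present a certificate chaining to that CA, and shows that an anonymous caller and a caller holding a certificate from an untrusted CA are both refused before any application data flows. Every name in it (enterprise-ca, service, client-1, rogue-ca, impostor) is constructed for the example.

```go
package main

// Added example (not CSA's or Vidder's code) of the "mutual TLS" identification step the article
// describes: a loopback service that answers only clients whose certificate chains to the enterprise CA.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue makes a P-256 certificate for cn signed by issuer (self-signed when issuer.Leaf is nil); Leaf carries the parsed cert.
func issue(cn string, isCA bool, issuer tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // lets the service cert match loopback
	}
	parent, parentKey := tmpl, any(key) // self-signed unless an issuer is given
	if issuer.Leaf != nil {
		parent, parentKey = issuer.Leaf, issuer.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// serve listens on loopback and demands a client certificate chaining to ca before any data flows.
func serve(ca, service tls.Certificate) net.Listener {
	anchors := x509.NewCertPool()
	anchors.AddCert(ca.Leaf)
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{service},
		ClientAuth:   tls.RequireAndVerifyClientCert, // identify first, grant access second
		ClientCAs:    anchors,
	}))
	go func() { // one connection at a time is enough for this demo
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			if tc := c.(*tls.Conn); tc.Handshake() == nil { // unidentified or untrusted peers get nothing back
				io.WriteString(tc, "hello "+tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}
			c.Close()
		}
	}()
	return ln
}

// connect dials the service, verifies it against ca and presents client (a zero value means anonymous).
func connect(addr string, ca, client tls.Certificate) (string, error) {
	anchors := x509.NewCertPool()
	anchors.AddCert(ca.Leaf)
	cfg := &tls.Config{RootCAs: anchors, ServerName: "127.0.0.1"}
	if client.Leaf != nil {
		cfg.Certificates = []tls.Certificate{client}
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	b, err := io.ReadAll(conn) // under TLS 1.3 a rejected client certificate surfaces here as an alert
	return string(b), err
}

// runDemo reports the enrolled client's greeting and whether the anonymous and impostor callers were refused.
func runDemo() (greeting string, noCertDenied, rogueCADenied bool, err error) {
	ca := issue("enterprise-ca", true, tls.Certificate{})
	ln := serve(ca, issue("service", false, ca))
	defer ln.Close()
	addr := ln.Addr().String()
	if greeting, err = connect(addr, ca, issue("client-1", false, ca)); err != nil {
		return
	}
	_, e1 := connect(addr, ca, tls.Certificate{})
	_, e2 := connect(addr, ca, issue("impostor", false, issue("rogue-ca", true, tls.Certificate{})))
	return greeting, e1 != nil, e2 != nil, nil
}

func main() {
	fmt.Println(runDemo())
}
```

Running it prints "hello client-1" followed by two true values for the refusals. The pairing that matters is ClientAuth set to RequireAndVerifyClientCert together with a ClientCAs pool that holds only the enterprise CA: that is what turns an ordinary TLS listener into an identification gate, and it is also why the CA's signing key, and the key management around it, ends up being the root of every access decision the perimeter makes.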
The CSA's concept does rely on key-management structures being in place, acknowledges Vidder's Islam. He said cloud service providers could play a role there, especially as more of them begin offering hardware security modules (HSMs) to their customers as services. But enterprise customers could maintain their own key-management processes in-house as well. Islam said his company has built this style of high-security network for private-sector companies, though he wouldn't identify them.
As with all new ideas put forward for large-scale adoption, there's the question of how far the high-tech industry and its customers will actually go in adopting it.
Flores said one large company is now running in production exactly what the CSA is proposing with "Software Defined Perimeter," and that at next year's RSA Conference there will be news about industry support and more. The CSA also plans to release "Software Defined Perimeter" software as open source for the public to adopt.
"We believe this could be a game changer," said Flores. "The right thing to do is to put this into the open-source community so cloud computing becomes one of those things you don't have to think about."
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: [email protected]