What Will Software Defined Perimeter Mean for Compliance?
Published 12/08/2017
By Eitan Bremler, VP Marketing and Product Management, Safe-T Data
Your network isn't really your network anymore. More specifically, the things you thought of as your network — the boxes with blinking lights, the antennae, the switches, the miles of Cat 5 cable — no longer represent the physical reality of your network in the way that they once did. In addition to physical boxes and cables, your network might run through one or more public clouds, to several branch offices over a VPN, and even through vendor or partner networks if you use a managed services provider. What's more, most of the routing decisions will be made automatically. In total, these new network connections and infrastructure add up to a massive attack surface.
The software defined perimeter is a response to this new openness. It dictates that just because parts of your infrastructure are connected to one another, that doesn't mean they should be allowed access. Essentially, the use of SDP lets administrators place a digital fence around parts of their network, no matter where it resides.
Flat Networks Leave Data Vulnerable
Where security is concerned, complicated networks can be a feature, not a bug. For companies above a certain size, who must protect critical data, a degree of complexity in network design is recommended. For example, can everyone in your company access the shared drive where you store your cardholder's information? This is bad practice — what you need to adopt is a practice known as segmentation, recommended by US-CERT.
Any network in which every terminal can access every part of the network is known as a "flat" network. That is, every user and application can access only those resources which are absolutely critical for them to do their jobs. A flat network operates by the principle of most privilege — everyone gets access to anything. In other words, if a hacker gets into an application, or an employee goes rogue, prepare for serious trouble.
Flat networks are also a characteristic of networks lacking a software defined perimeter.
Create Nested Software Defined Perimeters for Extra Security
Flat networks introduce a high level of risk for flat organizations, but the use of SDP can eliminate this risk. The software-defined approach can create isolated network segments around applications and databases. What's more, this approach doesn't rely on either physically rewiring a network or creating virtual LANs, both of which are time-consuming processes.
This approach is already used in public cloud data centers, where thousands of applications that must not communicate with one another must coexist on VMs that are hosted on the same bare-metal servers. The servers themselves are all wired to one another in the manner of a flat network, but SDN keeps their networks or data from overlapping.
Do You Need SDP in Order to Be Compliant?
Software defined perimeters are strongly recommended for security, but it's actually not necessary for compliance — yet. PCI DSS 3.2 doesn't require network segmentation — in the main because the technology is still in its relative infancy, and is not yet accessible to every company. Those companies that can segment their networks, however, do receive a bit of a bonus.
If you manage to segment your network appropriately, only the segments of your network that contain cardholder data will be subject to PCI audit. Otherwise, the entirety of a flat network will be subject to scrutiny. Clearly, it's easier to defend and secure a tiny portion of your network than the entire thing. Those who learn the art of network segmentation will have a massive advantage in terms of compliance.
Look for Software-Defined Perimeter Solutions
Solutions using the SDP method will help organizations set Zero Trust boundaries between different applications and databases. These are effectively more secure than firewalls, because they obviate the necessity of opening ports between any two segmented networks. This additional security feature lets companies reduce the scope of PCI without changing