We talked with Jason Garbis this week about Software Defined Perimeter (SDP). Ever thought about going completely without needing a VPN? Do you think I just made a crazy suggestion and am off my medications? Google has been doing it for years, and organizations like the Cloud Security Alliance are expecting this to be the next big tech innovation. So much so, that they are already drafting version 2 of the SDP guidelines.
So after talking with a friend of mine about how they were trying to implement it, he suggested talking to Jason, since he was on the steering committee for it. While Jason does work for a company that sells this solution, our discussion with him is very vendor agnostic, and he even discusses an open source version of SDP that you could implement or test out as a PoC (details in show notes below).
This is a great topic to stay on top of, as one day, your CTO/CIO or manager will come by and ask about the feasibility of implementing this, especially if your company assets are cloud based... So have a listen!
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-011-Software_Defined_Perimeter.mp3
Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw
Itunes: (look for '2017-011') https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2
-----
HITB announcement:
“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/
---------
Join our #Slack Channel! Sign up at https://brakesec.signup.team
#RSS: http://www.brakeingsecurity.com/rss
#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast
#iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/
#SoundCloud: https://www.soundcloud.com/bryan-brake
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast
#Twitter: @brakesec @boettcherpwned @bryanbrake
#Player.FM : https://player.fm/series/brakeing-down-security-podcast
#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr
#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/
---
Show Notes:
https://en.wikipedia.org/wiki/Software_Defined_Perimeter
https://cloudsecurityalliance.org/group/software-defined-perimeter/
Hmmm… seems like a standard created by companies selling their products for it
Have a product, create a problem, fix the problem...
How much alike is this to things like ‘Beyondcorp’?
http://www.networkworld.com/article/3053561/security/learning-about-sdp-via-google-beyondcorp.html
De-perimeterization - removing all the bits ‘protecting’ your computer
Treat your computers as ‘on the Internet’
https://en.wikipedia.org/wiki/De-perimeterisation
https://collaboration.opengroup.org/jericho/SPC_swhitlock.pdf
https://github.com/WaverleyLabs/SDPcontroller
2FA becomes much more important, or just plain needed, IMO --brbr
Questions:
How will development of applications change when attempting to implement these technologies?
If we allow deperimeterization of legacy apps (like Oracle products), with a complicated security model, how do you keep these older apps under control?
Can this cut down on the “Shadow IT” issue? Does the user control the certs?
How does this work with devices with no fully realized operating systems?
Phones, HVAC, IoT
Legacy SCADA or mainframes?
What is the maturity level of a company to implement this?
What minimum requirements are needed?
Asset management?
Policies?
Who/how do you monitor this?
More blinky boxes?
Will WAFs and Web proxies still function as expected?
Are there any companies companies were this is not a good fit?
What’s the typical timeline for moving to this network model?
What’s the best way to deploy this?
Blow up old network, insert new network?
Phase it in with new kit, replacing old kit?
Compliance
How do explain this to auditors?
“We don’t have firewalls, that’s for companies that suck, we are 1337”
Other than “scalability” (which seems like regular solutions would have as well) I’d like to know what real value they provide