In the second of a series of blog posts on a Cloud-based Enterprise, we’ll examine how a Secure Enclave utilizes a Zero Trust Network to protect itself from cyberattacks.
Zero Trust Networking (ZTN) is a new term that combines concepts from secure communications, trusted computing and role-based access into an integrated security model. The key aspect of ZTN, as the name implies, is not trusting the user, not trusting their device and not trusting the network they’re using. Pretty paranoid view of the world! As one would guess, implementing a ZTN can be a pretty complex task if one has to integrate software from multiple vendors.
To streamline the process of creating a Zero Trust Network, a Secure Enclave utilizes a Software Defined Perimeter (SDP) architecture. The key feature of SDP that makes a cloud-based ZTN possible is a Control Channel that allows multiple verification and risk-analysis functions to occur before role-based access is granted. As seen in the image below, the different ZTN processes don’t actually need to be integrated with one another, because the SDP Controller combines the output of the individual systems.
A great example of the value of a Control Channel is handling PKI tasks. A core aspect of a ZTN is to utilize Digital Certificates to ensure messages are encrypted and have not been tampered with. One of the biggest challenges in PKI systems is integrating all the components. Some Enterprises might desire self-signed Certificates for convenience, others want a cloud-based HSM for added security, and still others might want an offline HSM at their data center. All this variation can turn into an implementation nightmare, especially when you consider that it'll likely change. However, the Control Channel design makes it simple to implement any PKI topology (and then change it).
As user devices attempt to establish a Mutual TLS connection with the SDP Controller, Certificates can be transparently validated locally or remotely. Moreover, IT admins can re-configure the PKI architecture in minutes without disrupting other systems (a sharp contrast to the months PKI changes usually require).
Building on the PKI example, the SDP Control Channel also allows Enterprises to deploy different types of Trust Assessment. Some Enterprises might wish to deploy an osquery-based solution while others prefer a machine-learning service. These different Trust Assessment solutions can utilize the same Control Channel to query endpoints.
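To make the "controller combines the output of individual systems" idea concrete, here is an added example (not Vidder's code) of a deny-by-default control-channel decision: the certificate check, the device trust assessment and the role check are independent functions, and the controller only merges their verdicts. The fingerprints, posture facts and role table are constructed sample data, and certificate expiry is modelled as an integer epoch time.

```python
from dataclasses import dataclass

# Constructed sample data (placeholders, not real values): the PKI's current
# binding of device-certificate fingerprints to users, and the role table.
TRUSTED_FINGERPRINTS = {"sha256:placeholder-alice-cert": "alice",
                        "sha256:placeholder-bob-cert": "bob"}
ROLE_APPS = {"alice": {"payroll", "wiki"}, "bob": {"wiki"}}

@dataclass
class ConnectionRequest:
    user: str
    cert_fingerprint: str
    cert_not_after: int       # certificate expiry, seconds since epoch
    device_posture: dict      # facts an osquery-style agent would report
    requested_app: str

def check_certificate(req, now):
    """PKI step: certificate is unexpired and bound to the claimed user."""
    if req.cert_not_after <= now:
        return False, "certificate expired"
    if TRUSTED_FINGERPRINTS.get(req.cert_fingerprint) != req.user:
        return False, "certificate not bound to user"
    return True, "certificate ok"

def check_device_trust(req, now):
    """Trust-assessment step: endpoint posture must meet policy."""
    p = req.device_posture
    if not (p.get("disk_encrypted") and p.get("edr_running")):
        return False, "device posture below policy"
    return True, "device ok"

def check_role(req, now):
    """Role-based access step: the user's role must include the app."""
    if req.requested_app not in ROLE_APPS.get(req.user, set()):
        return False, "role does not permit application"
    return True, "role ok"

DEFAULT_CHECKS = (check_certificate, check_device_trust, check_role)

def controller_decision(req, now, checks=DEFAULT_CHECKS):
    """Deny by default: grant only if every independent check passes.
    Swapping one check (e.g. a different PKI validator) touches no other."""
    reasons = []
    for check in checks:
        ok, why = check(req, now)
        reasons.append(why)
        if not ok:
            return False, reasons    # first failure denies; nothing overrides it
    return True, reasons
```

Replacing `check_certificate` with a remote validator that queries an HSM-backed CA changes nothing in the other checks or in `controller_decision`, which is the operational property the post attributes to the Control Channel.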
Vidder has created a Secure Enclave SaaS product in the AWS Marketplace to protect mission-critical Enterprise applications. It utilizes an SDP Control Channel architecture to implement a Zero Trust Network. More importantly, it allows Enterprises to have a state-of-the-art security architecture at a fraction of the cost of traditional solutions.
In the next post we’ll explore how a Secure Enclave protects Cloud-based Enterprises against the newest generation of self-propagating malware.