‘Black Cloud’ darkens the enterprise to all but authorized devices


An open source, software-defined perimeter being developed by the Cloud Security Alliance and Waverley Labs aims to stop distributed denial of service attacks dead in their tracks and enable highly secure cloud-based applications.

The Internet has a fundamental problem with security that’s a part of its very DNA. And if things stay as they are, that problem -- and Internet security -- can only get worse. The Cloud Security Alliance (CSA) and its industry partners intend to change that.

If things go as planned, within two years the partners will produce the first “Black Cloud” -- an open source, software-defined perimeter (SDP) solution that will stop distributed denial of service attacks dead in their tracks and enable highly secure cloud-based applications.

“We think this a pretty big idea,” said Jim Reavis, the CSA’s co-founder and CEO. “We’ve already defined a very specific framework for how you could implement this so that organizations can build the software themselves, and several government agencies are now doing that.”

The current project, which the CSA is developing with Waverley Labs, will develop open source code for one specific use case to start. The intent is to create standards, Reavis said, and to start seeding the market with open source software that will then be embedded in the solutions provided by information security and network providers.

“We’ve been working for a while with the [CSA] SDP working group, and have already had several proprietary versions that have gone into different security control layers,” said Juanita Koilpillai, the CEO of Waverley Labs. “So we thought, why not make this an open source project, which we’ll develop versions for multiple layers over time, the first being single-packet authentication that will allow [network] devices to deny all connections from anything other than the application they want to talk to.”

Similarly for applications, the goal is to deny all connections except for the device that’s been authorized to talk with them, which provides the ability to hide applications from all eyes except those that have a specific right to see them.
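The default-deny, single-packet authentication flow described above, as an added illustration written for this page (it is not the CSA or Waverley Labs code, and the packet layout, the HMAC-SHA256-over-JSON construction, the pre-shared device keys, the 30-second freshness window and the 60-second access grant are all assumptions made for the example). The gateway answers nothing to anyone; a connection is accepted only after a valid, unexpired, never-before-seen authenticated packet from the same source address has opened the gate for that one service. A dictionary stands in for the firewall rule a real implementation would insert.

```python
"""Toy single-packet authorization (SPA) gate: default deny, opened only by a
valid, single-use, time-bound authenticated packet. Added example; the packet
format, field names and time windows are assumptions, not the SDP project's own."""
import hashlib
import hmac
import json
import os
import time

# Constructed device registry: device id -> pre-shared key provisioned out of band.
DEVICE_KEYS = {"sensor-0042": b"constructed-key-for-sensor-0042"}
SPA_WINDOW_SECONDS = 30   # how stale an SPA packet may be (assumption)
ACCESS_TTL_SECONDS = 60   # how long the gate stays open after a valid SPA (assumption)


def _canonical(body):
    # Canonical JSON so client and gateway authenticate exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_spa_packet(device_id, key, service, now=None, nonce=None):
    """Client side: bind device, requested service, timestamp and nonce under an HMAC."""
    body = {
        "device": device_id,
        "service": service,
        "ts": int(now if now is not None else time.time()),
        "nonce": nonce if nonce is not None else os.urandom(16).hex(),
    }
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return json.dumps(body).encode()


class SpaGateway:
    """Gateway side: every packet is dropped unless an SPA packet opened the door."""

    def __init__(self, device_keys, clock=time.time):
        self.device_keys = device_keys
        self.clock = clock
        self.seen_nonces = {}   # nonce -> expiry, so a captured packet cannot be replayed
        self.allowed = {}       # (src_ip, service) -> expiry of the access grant

    def handle_spa(self, src_ip, raw):
        """True if the packet is valid and the gate was opened, else False.
        Failures are silent (no reply), which is what keeps the service dark."""
        now = self.clock()
        try:
            pkt = json.loads(raw)
            mac = pkt.pop("mac")
            key = self.device_keys[pkt["device"]]
        except (ValueError, KeyError, TypeError, AttributeError):
            return False                                  # malformed or unknown device
        expected = hmac.new(key, _canonical(pkt), hashlib.sha256).hexdigest()
        if not isinstance(mac, str) or not hmac.compare_digest(expected, mac):
            return False                                  # forged or tampered
        if not isinstance(pkt.get("ts"), int) or not isinstance(pkt.get("nonce"), str):
            return False
        if abs(now - pkt["ts"]) > SPA_WINDOW_SECONDS:
            return False                                  # stale: bounds the replay window
        self._expire(now)
        if pkt["nonce"] in self.seen_nonces:
            return False                                  # replay of a captured packet
        self.seen_nonces[pkt["nonce"]] = now + 2 * SPA_WINDOW_SECONDS
        self.allowed[(src_ip, pkt["service"])] = now + ACCESS_TTL_SECONDS
        return True

    def connection_allowed(self, src_ip, service):
        """Default deny: accept a connect only if an SPA grant exists and is unexpired."""
        self._expire(self.clock())
        return (src_ip, service) in self.allowed

    def _expire(self, now):
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if t > now}
        self.allowed = {k: t for k, t in self.allowed.items() if t > now}


def demo():
    """Walk through the cases with a fixed clock; returns a dict of outcomes."""
    clock = [1_700_000_000.0]
    gw = SpaGateway(DEVICE_KEYS, clock=lambda: clock[0])
    key = DEVICE_KEYS["sensor-0042"]
    r = {}
    r["unknown_connect"] = gw.connection_allowed("203.0.113.7", "ssh")   # nothing open yet
    pkt = build_spa_packet("sensor-0042", key, "ssh", now=clock[0], nonce="n1")
    r["spa_ok"] = gw.handle_spa("203.0.113.7", pkt)                      # valid packet opens gate
    r["connect_ok"] = gw.connection_allowed("203.0.113.7", "ssh")
    r["other_service"] = gw.connection_allowed("203.0.113.7", "https")   # grant is per service
    r["other_source"] = gw.connection_allowed("198.51.100.9", "ssh")     # and per source address
    r["replay"] = gw.handle_spa("198.51.100.9", pkt)                     # captured packet reused
    forged = build_spa_packet("sensor-0042", b"wrong-key", "ssh", now=clock[0], nonce="n2")
    r["forged"] = gw.handle_spa("203.0.113.7", forged)                   # MAC does not verify
    clock[0] += ACCESS_TTL_SECONDS + 1
    r["expired"] = gw.connection_allowed("203.0.113.7", "ssh")           # grant has lapsed
    stale = build_spa_packet("sensor-0042", key, "ssh", now=clock[0] - 120, nonce="n3")
    r["stale"] = gw.handle_spa("203.0.113.7", stale)                     # outside freshness window
    return r


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:16s} {outcome}")
```

The gateway never sends a rejection, so from the outside a port that is closed and a port waiting for an SPA packet look the same; that silence, plus the per-source and per-service grant, is what the article means by hiding an application from all but the device authorized to reach it.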

This essentially turns the original concept of the Internet, as an open communications medium, on its head. The fabric of the Internet is now like Swiss cheese, with so many holes that it’s all but impossible to completely defend against modern threats such as man-in-the-middle or SQL injection attacks. If you use the Internet, you are vulnerable.

The CSA’s SDP approach instead makes total security the starting point for the Internet and allows only those connections it can authenticate. It can’t be done for the whole of the Internet all at once, but with the Internet of Things looming, where millions of embedded computers and sensors are connected over the Internet, “fundamentally we are now at the point where we are going to have to shift from this default open approach to layer on default closed, to darken parts of the Internet,” Reavis said.

One place where this could be immediately useful is in spurring the move of organizations to the cloud. Despite various mandates and directives, this has been a slow process for government because of security concerns, which has prompted the rise of the hybrid cloud model, where some applications and services reside in the public cloud while keeping more sensitive information behind the agency firewall in private clouds. That solution can still be costly for agencies, however, because the cost savings associated with the public cloud are blunted by having to maintain on-premise, private cloud infrastructure.

In the CSA model, however, everything could be moved to the public cloud because SDP allows the creation of dark clouds inside the public cloud infrastructure. Those dark clouds would be owned by the government agency and would be invisible to everyone except for those designated and authenticated. There’d be no possibility for anyone else in the public cloud to share the organization’s data or be able to get a look at it, the main fear of agencies in moving sensitive applications and their data to the public cloud.

“Virtual private cloud is going to be such a commonplace term once this gets implemented, and that’s going to be the default way that people operate,” Reavis said. “It’s going to be a big shift for IT and will deliver big cost savings to agencies over time.”

[Diagram: software-defined perimeter]


None of the technology the CSA and its partners are using for the project is new. It’s based on protocols developed by the Defense Department and National Security Agency, and it uses standard security tools such as public key infrastructure, layered security, IPsec and Security Assertion Markup Language (SAML), along with well understood concepts such as geolocation and federation to enable connections.

Up to now, however, most SDP implementations have been highly customized solutions, available only to the organizations (like Coca-Cola) that developed them. The goal of the CSA project is to move the SDP model to a more general audience. The open source version now being developed by Waverley Labs is aimed at bringing people together to talk about how to implement SDP generally, what standard protocols could be used, what sequence of events needs to be followed, how to write JSON files to allow interaction with applications and so on.

“Our goal is to create a community that is really struggling to protect their applications and help them either hide them or move them to the cloud,” Koilpillai said. “None of the problems we are trying to tackle with this are simple; otherwise, they would have been solved by now.”

Waverley will do a phased release of the SDP for different security layers over the next 18 to 24 months. The open source project will help federal agencies see how an actual implementation works, she said, which is vital for this kind of thing because “you actually have to take that and prove it, otherwise people won’t believe you.”
