Good Days and Bad Days for Infosecurity Professionals: Introducing AppGate 3.0 for Implementing a Software-Defined Perimeter
I love working in the information security industry – it’s interesting, technically challenging, and I feel lucky and motivated to have such an important mission. But some days are difficult, and 2016 had more than its fair share of difficult days, with too many successful breaches, leaks, and ransomware infestations.
To misquote the classic movie Network, we should all be shouting:
“We’re mad as hell and not going to take it anymore!”
However, screaming out the window, while a useful stress-reduction technique, doesn’t actually improve cyber security.
The good news is that there’s a sea change underway, as security leaders recognize that we’ve got to have a better security foundation to prevent and contain these malicious activities. This “transformational network security” change calls for a security architecture where all network services, both internal and external, adopt an identity-centric security model. Leveraging the “authenticate first, connect second” approach defined as part of the Software-Defined Perimeter specification, all users are validated with multi-factor, context-sensitive authentication and network security is controlled by dynamic policies, not static rules.
This approach can be transformational in two ways:
- Because it’s dynamic, it’s a significant improvement over traditional static network security.
- It allows organizations to transform the way they approach security, finally having the ability to take a fully identity-centric approach to user access across the full stack.
For years, organizations have invested in Identity and Access Management systems, and have seen many benefits across security, compliance and operational efficiency. However, enterprise security teams have been hampered because these systems have never been able to extend to the network level.
Traditional network systems and network security tools are not built around identities but around IP addresses (or even MAC addresses!), and this disconnect – between the identity and network worlds – is one of the reasons that infosecurity teams have so many bad days.
Implementing and Extending a Software-Defined Perimeter with AppGate
Today I’m pleased to announce the availability of the newest version of AppGate, which implements (and extends) the Software-Defined Perimeter specification to provide dynamic, identity-centric security and improve compliance. (If you’d like more detail on what a Software-Defined Perimeter is, read my recent blog for an introduction.)
AppGate implements the core Software-Defined Perimeter specification – including a distributed architecture with a Controller and Gateways, and support for Single-Packet Authorization. In AppGate 3.0, we’ve gone beyond the specification to fill in gaps such as high availability and a robust policy model.
More importantly, with AppGate, customers can realize a fully dynamic, identity-centric security architecture. Policies – which ultimately control network traffic – are nonetheless built around identities, dynamically adjusting to user, device, server and system attributes.
For example, user access can be dynamically adjusted based on the device posture check or location, on server attributes, or even on broader system attributes such as an overall alert status within a SIEM. Access could even be dynamically adjusted based on the existence of an open service desk ticket that grants user X permission to access server Y to resolve an issue.
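The attribute-driven policy model described above, as an added example that is not AppGate’s code or part of the SDP specification: a small Python decision function that combines identity, device, server and system attributes, including a SIEM alert level and an open service desk ticket for user X on server Y, into an allow/deny decision with a stated reason. The attribute names, the location allow-list, the alert-level scale and the ticket store are assumptions made for the illustration.

```python
from dataclasses import dataclass, replace
from typing import Callable, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:
    """Everything the policy decision point knows at evaluation time (assumed attribute set)."""
    # Identity attributes, as an IAM system would supply them
    user: str
    groups: FrozenSet[str]
    mfa_verified: bool
    # Device attributes from the client's posture check
    device_managed: bool
    disk_encrypted: bool
    location: str                             # country code of the connecting client
    # Server attributes: tags on the protected resource
    server: str
    server_tags: FrozenSet[str]
    # System attributes: broader environment state
    siem_alert_level: str                     # "normal", "elevated" or "critical" (assumed scale)
    open_tickets: FrozenSet[Tuple[str, str]]  # (user, server) pairs with an open service desk ticket


# A guard returns a deny reason, or None when it has no objection; an entitlement
# returns an allow reason, or None when it does not apply.
Rule = Callable[[AccessRequest], Optional[str]]


def require_mfa(req: AccessRequest) -> Optional[str]:
    return None if req.mfa_verified else "multi-factor authentication not completed"


def require_compliant_device(req: AccessRequest) -> Optional[str]:
    # Production systems demand a managed, encrypted device; other servers do not.
    if "production" in req.server_tags and not (req.device_managed and req.disk_encrypted):
        return "device posture check failed for a production server"
    return None


def require_allowed_location(req: AccessRequest) -> Optional[str]:
    allowed = {"US", "SE", "DE"}              # assumed location allow-list
    return None if req.location in allowed else f"location {req.location} not permitted"


def freeze_on_critical_alert(req: AccessRequest) -> Optional[str]:
    # A SIEM-wide state change withdraws access without anyone editing a rule.
    if req.siem_alert_level == "critical" and "production" in req.server_tags:
        return "SIEM alert level is critical; production access frozen"
    return None


def entitled_by_group(req: AccessRequest) -> Optional[str]:
    if "db-admins" in req.groups and "database" in req.server_tags:
        return "member of db-admins"
    return None


def entitled_by_ticket(req: AccessRequest) -> Optional[str]:
    # User X may reach server Y only while a ticket naming both is open.
    if (req.user, req.server) in req.open_tickets:
        return f"open service desk ticket for {req.server}"
    return None


GUARDS: List[Rule] = [require_mfa, require_compliant_device,
                      require_allowed_location, freeze_on_critical_alert]
ENTITLEMENTS: List[Rule] = [entitled_by_group, entitled_by_ticket]


def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Authenticate first, connect second: every guard must pass, then an entitlement must match."""
    for guard in GUARDS:
        reason = guard(req)
        if reason:
            return False, f"deny: {reason}"
    for grant in ENTITLEMENTS:
        reason = grant(req)
        if reason:
            return True, f"allow: {reason}"
    return False, "deny: no entitlement matches this identity and resource"


def demo() -> List[Tuple[str, bool, str]]:
    """Same rules throughout; only the attributes change between scenarios (constructed data)."""
    base = AccessRequest(
        user="alice", groups=frozenset({"engineering"}), mfa_verified=True,
        device_managed=True, disk_encrypted=True, location="SE",
        server="db-prod-07", server_tags=frozenset({"production", "database"}),
        siem_alert_level="normal",
        open_tickets=frozenset({("alice", "db-prod-07")}),
    )
    scenarios = [
        ("ticket grants access", base),
        ("ticket closed", replace(base, open_tickets=frozenset())),
        ("SIEM goes critical", replace(base, siem_alert_level="critical")),
        ("unmanaged device", replace(base, device_managed=False)),
        ("db-admin without ticket",
         replace(base, groups=frozenset({"db-admins"}), open_tickets=frozenset())),
    ]
    return [(name, *evaluate(req)) for name, req in scenarios]


if __name__ == "__main__":
    for name, allowed, reason in demo():
        print(f"{name:26} -> {reason}")
```

The rule set never changes between the five scenarios; closing the ticket, raising the SIEM alert level or losing device compliance is enough to withdraw access, which is the difference between a dynamic policy and a static rule keyed on an IP address. Separating guards (which can only deny) from entitlements (which can only grant) keeps the order of evaluation explicit: the caller is validated before any entitlement to connect is considered.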
This kind of transformational network security is incredibly exciting – and I’m very pleased to see that increasingly organizations “get it” and are actively deploying SDP-based architectures.
I’m optimistic about what’s in store in 2017 – and despite all-too-frequent bad days, I’m confident that with a Software-Defined Perimeter-based approach to security, organizations will have far more good days in their future.
Learn more about a Software-Defined Perimeter.