Cloud Security Alliance offers ultra-high cloud security plan

Orlando -- The Cloud Security Alliance (CSA) is putting forward an innovative encryption-based security architecture for software-defined networks and cloud environments that draws some of its inspiration from high-security networks used by the U.S. Department of Defense and intelligence agencies.

Called the "Software Defined Perimeter," the CSA's architecture plan calls for VPN-style authentication and encryption so that a security process can strictly control which services and applications are reachable in a cloud environment. At the CSA Congress this week, some of the technical authors of the proposed architecture spoke about why the CSA, whose mission is establishing best practices and standards for cloud security, is strongly backing the concept and what is expected of it in the future.

The rise of cloud-based services has accelerated the disappearance of traditional network perimeters and new methods need to be adopted to protect data that's shared with cloud data centers, corporate networks and mobile devices, they say.

"Part of this initiative is to come up with an easily adjustable way to adjust the perimeter," said Bob Flores, former chief technology officer at the Central Intelligence Agency and a contributor to the "Software Defined Perimeter" architecture document. The idea the CSA is proposing would change how people, applications and data flows are authenticated by requiring identification first, before any network access is granted.


The "Software Defined Perimeter" makes use of technologies such as mutual TLS, in which both ends of a connection present digital certificates to each other, combined with encryption, to establish very strong identification, explained Junaid Islam, CTO at Vidder, who is also a contributor to the "Software Defined Perimeter" architecture document. Other co-authors include Alan Boehme, chief of enterprise architecture and emerging technologies at the Coca-Cola Company, and Jeff Schweitzer, chief innovation architect at Verizon.

Vidder's Islam said that ideally the CSA's ideas for strong cloud security, which draw directly from Department of Defense high-security networks, would be built into the Software-Defined Network products now emerging in the marketplace. The advantage of the CSA's plan is that it can achieve what's called a "dark" network, one whose services are not exposed to unauthenticated hosts on the Internet and are thus much harder to attack.

"The DoD world is dark," said Flores during his talk about the new architecture yesterday evening. "It's extremely difficult to attack something you don't actually know exists, if they don't see the surface of the network."

The CSA's concept does rely on key management structures being in place, acknowledges Vidder's Islam. He said cloud service providers could play a role there, and more of them are starting to offer Hardware Security Modules (HSMs) to their customers as a service. Enterprise customers could also keep their own key-management processes in-house. Islam said his company has built this style of high-security network for private-sector companies, though he wouldn't identify them.
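The mutual-TLS gate described above, as an added example written for this page (it is not CSA's or Vidder's code). It builds a throwaway enterprise CA in memory, standing in for the key management and HSM-backed storage Islam says must be in place, starts a loopback "gateway" service that completes the TLS handshake only with clients whose certificates chain to that CA, and probes it three ways: with an enterprise-issued certificate, with no certificate, and with a certificate from a foreign CA. The names, the loopback address and the certificate lifetime are assumptions chosen for the demonstration, and only the mutual-TLS identification step is modelled, not the rest of the SDP architecture.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must aborts the demo on any setup error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a P-256 certificate in memory: a self-signed CA when parent is nil,
// otherwise a short-lived leaf for server and client authentication on 127.0.0.1.
func issue(cn string, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour), // short lifetime; revocation is not modelled here
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)}
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// startDarkService listens on loopback and serves only peers whose certificate chains to trusted.
func startDarkService(trusted *x509.CertPool, gateway tls.Certificate) net.Listener {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{gateway},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "identify first" rule
		ClientCAs:    trusted,
		MinVersion:   tls.VersionTLS12,
	}))
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			if tc := c.(*tls.Conn); tc.Handshake() == nil { // only an identified peer sees application data
				fmt.Fprintf(tc, "granted: %s", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}
			c.Close()
		}
	}()
	return ln
}

// probe connects as a client (an empty certs slice models a scanner with no credential)
// and returns the greeting, or the handshake or alert error the service produced.
func probe(addr string, trusted *x509.CertPool, certs []tls.Certificate) string {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: trusted, Certificates: certs})
	if err != nil {
		return "rejected: " + err.Error()
	}
	defer conn.Close()
	buf := make([]byte, 128)
	n, err := conn.Read(buf) // under TLS 1.3 a rejected client certificate surfaces here as an alert
	if err != nil {
		return "rejected: " + err.Error()
	}
	return string(buf[:n])
}

// Demo builds a throwaway enterprise CA and a foreign CA, starts the service and runs three probes.
func Demo() map[string]string {
	ca, rogueCA := issue("Enterprise SDP CA", nil), issue("Attacker CA", nil)
	gateway, alice, mallory := issue("sdp-gateway", &ca), issue("alice", &ca), issue("mallory", &rogueCA)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca.Leaf) // the enterprise CA is the only root either side trusts
	ln := startDarkService(trusted, gateway)
	defer ln.Close()
	addr := ln.Addr().String()
	return map[string]string{
		"enterprise-cert": probe(addr, trusted, []tls.Certificate{alice}),
		"no-cert":         probe(addr, trusted, nil),
		"foreign-ca-cert": probe(addr, trusted, []tls.Certificate{mallory}),
	}
}

func main() {
	for name, outcome := range Demo() {
		fmt.Printf("%-16s %s\n", name, outcome)
	}
}
```

Run it with go run. Only the first probe ever receives application data; the other two are turned away by a TLS alert before the service says anything, which is the behaviour behind the "dark" network the article describes. One practical caveat: with TLS 1.3 the client's Dial succeeds and the rejection only surfaces on its first Read, so a client-side check that looks at Dial errors alone would misclassify the outcome.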

As with any new idea put forward for large-scale adoption, there is the question of how far the high-tech industry and its customers will go in actually adopting it.

Flores said one large company is now using in production exactly what the CSA is proposing with "Software Defined Perimeter," and that at the upcoming RSA Conference next year there will be news about industry support and more. The CSA also plans to release "Software Defined Perimeter" software as open source for the public to adopt.

"We believe this could be a game changer," said Flores. "The right thing to do is to put this into the open-source community so cloud computing becomes one of those things you don't have to think about."

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail:
