Cloud is an emerging technology for IT, and it becomes more important day by day. Usage statistics show that, like virtualization, it is gaining momentum in the IT world. As you know, in previous trends security was a follower of the trend, and this was a problem for both operations and security. Now there is more weight on security, and the IT world is more aware of it than before.
The Cloud Security Alliance (CSA) is a foundation driven by big IT companies that works on cloud security. CSA published a security guide for the Software Defined Perimeter (SDP) to make the cloud more secure. The main motivation is to make the cloud more secure by adding extra layers that must be passed to access it; the perimeter is the first step toward the destination. In SDP there are cloud consumers such as apps, systems and users, and between the client side and the cloud side there are SDP gateways and the controllers that manage them. Here are the steps of SDP:
Single Packet Authorization
If you have experience in pentesting, you know the types of pentest. One of them is black box pentesting, where the attacker has no previous information about the victim. Applying this idea to the cloud gives single packet authorization: the SDP controller looks at the first packet to gain information about the client, and if it trusts the client, further network communication can proceed; if not, it is blocked.
Mutual Transport Layer Security
TLS is generally used to make HTTP communication confidential, but the other features of TLS are not used. There are practical reasons not to use these features on the public internet, but implementing full TLS for cloud consumers makes sense for security, so each communicating side authenticates the other and encrypts the communication.
Device Validation
Mutual Transport Layer Security provides a way, but what if the keys are stolen? Here comes device validation: a device has to be validated before gaining access to the cloud services. By the way, this can hurt mobility.
Dynamic Firewalls
In this step firewalls have only deny-all rules, and permit rules are added dynamically after the previous steps succeed, which makes the system less vulnerable to exploits.
Application Binding
In this step only authorized consumers can use authorized applications, ports, or maybe functions. This makes security more granular and creates a smaller attack surface.
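As an added example (not from the CSA guide or this post), the following Python sketch of an SDP controller ties the steps above together: the first packet is checked on its own before anything answers, the firewall starts as deny-all, and a permit is added only for the client that passed single packet authorization and only toward the applications it is bound to. The packet layout, the pre-shared secret per client and the binding table are assumptions made for the illustration.

```python
import hashlib, hmac, json, os, time
# Constructed illustration of an SDP controller, not CSA's reference code: the packet layout
# (JSON plus an HMAC), the pre-shared client secrets and the app bindings are assumptions.
REPLAY_WINDOW = 30  # seconds during which a first packet is accepted

def build_spa(client_id, secret, ts=None, nonce=None):
    """Client side: the single authorization packet sent before any other traffic."""
    body = {"client_id": client_id,
            "ts": int(time.time()) if ts is None else ts,
            "nonce": os.urandom(8).hex() if nonce is None else nonce}
    msg = json.dumps(body, sort_keys=True).encode()
    body["mac"] = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return json.dumps(body).encode()
class SdpController:
    def __init__(self, client_keys, app_bindings):
        self.client_keys = client_keys    # client_id -> shared secret, provisioned out of band
        self.app_bindings = app_bindings  # client_id -> {(host, port)} the consumer is bound to
        self.seen_nonces = set()          # replay protection inside REPLAY_WINDOW
        self.firewall = set()             # default deny: only (src_ip, host, port) permits live here

    def verify_spa(self, packet, now=None):
        """Return the client_id if the first packet authenticates, else None (packet is dropped)."""
        now = time.time() if now is None else now
        try:
            body = json.loads(packet)
            mac = str(body.pop("mac"))
            ts, nonce, client_id = body["ts"], str(body["nonce"]), str(body["client_id"])
        except (ValueError, KeyError, TypeError, AttributeError):
            return None                   # malformed: no reply, nothing learned by the sender
        secret = self.client_keys.get(client_id)
        if secret is None:
            return None
        expected = hmac.new(secret, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
        stale = not isinstance(ts, (int, float)) or abs(now - ts) > REPLAY_WINDOW
        if not hmac.compare_digest(mac.encode(), expected.encode()) or stale or nonce in self.seen_nonces:
            return None
        self.seen_nonces.add(nonce)
        return client_id

    def handle_first_packet(self, src_ip, packet, now=None):
        """Dynamic firewall: open only the bound apps, only for a client that passed SPA."""
        client_id = self.verify_spa(packet, now)
        if client_id is None:
            return []                     # stays blocked
        rules = [(src_ip, host, port) for host, port in sorted(self.app_bindings.get(client_id, ()))]
        self.firewall.update(rules)
        return rules

    def allowed(self, src_ip, host, port):
        return (src_ip, host, port) in self.firewall
```

A replayed packet, a stale timestamp, an unknown client, a wrong secret or a malformed first packet all leave the firewall untouched, and even an authorized client gets no rule for ports it is not bound to.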