Introduction to SDP - SDP History, Benefits, & Concepts Flashcards
What does SDP stand for?
Software Defined Perimeter
SDP is a network security architecture that enhances security across various layers of the OSI model.
What is the primary function of SDP?
To provide security for all layers of the OSI model by hiding assets and establishing trust via a separate control and data plane.
How does SDP establish trust before exposing assets?
By using a single packet to establish trust through device attestation and identity verification.
True or False: SDP has roots in the Zero Trust (ZT) security model.
True
What is the goal of SDP in relation to unsecured networks?
To isolate services from unsecured networks and allow infrastructure and application owners to deploy perimeter functionality.
What does SDP overlay on existing infrastructure?
Logical components that should be operated under the control of the application owner.
Fill in the blank: SDP only grants access to the application infrastructure after _______.
device attestation and identity verification.
What is the relationship between SDP and Zero Trust Architecture (ZTA)?
SDP is categorized as an implementation option of Zero Trust Architecture.
What does the CSA define SDP as?
A network security architecture implemented to provide security for all layers of the OSI model.
What are the two planes involved in SDP?
Control plane and data plane.
What does SDP stand for?
Software-Defined Perimeter
SDP is a security framework that enhances the protection of organizational assets.
What is the premise of SDP?
Organizations should not implicitly trust anything inside or outside the network.
What is required for users to access hidden assets in an SDP implementation?
Users on validated devices must cryptographically sign in.
What type of firewall does SDP use?
Drop-all firewall.
How does SDP establish trust for connections?
Using a single packet to establish trust via a separate control plane.
What does SDP provide for connections to hidden assets?
Mutual verification of connections in a data plane.
Name some controls that SDP integrates.
- Applications
- Firewalls
- Clients
- Encryption
- Identity and Access Management (IAM)
- Session Management
- Device Management
What are the two main principles of SDP architecture?
Least privilege and segregation of duties.
What is a key control used in SDP related to firewalls?
Dynamic rules on drop-all firewalls.
What does SDP do to servers and services?
Hides servers and services.
What is required before allowing connections in SDP?
Authentication before connections.
Fill in the blank: SDP uses _______ for authorization.
Single Packet Authorization (SPA).
What type of communications does SDP utilize for security?
Bi-directional encrypted communications like mutual transport layer security (mTLS).
What type of access control does SDP implement?
Fine-grained access control and device validation.
What does ZT stand for?
Zero Trust
ZT is the umbrella category under which SDP falls.
What is the foundational principle of the ZT model?
‘Never trust, always verify’
This principle drives both SDP and ZT.
What is the first principle of the ZT model?
Making no assumptions about the trustworthiness of an entity
This applies when an entity requests access to a resource.
What does ZT require regarding privileges?
Starting with no pre-established privileges
ZT relies on a construct used to add privileges.
What does ZT assume about breaches?
Assuming breach
ZT verifies access regardless of location, identity, or resource.
What does the ZT concept retire?
Use of trusted entities inside a defined corporate perimeter
ZT mandates the creation of micro-perimeters around sensitive data assets.
What is the main goal of ZT?
Defend enterprise assets by distrusting anything inside or outside the perimeter
This includes continuous monitoring and evaluation of access requests.
What is a distinctive feature of SDP compared to other ZTA implementations?
Use of a drop-all rule and adoption of SPA
These features are foundational to SDP but not necessarily required in other ZTA implementations.
True or False: SDP is a type of ZTA.
True
However, not every ZTA conforms with SDP requirements.
What are some other implementations of ZTA besides SDP?
- Zero Trust Network Access (ZTNA)
- Google BeyondCorp
These are examples of other ZTA implementations.
What is required before granting access to assets in a ZT framework?
Verifying connection requests
This is followed by continuous monitoring throughout the access duration.
Fill in the blank: ZT mandates that enterprises create ______ around sensitive data assets.
micro-perimeters
This is to maintain control and visibility around data use.
What is SDP?
A cybersecurity approach evolved from the U.S. Defense Information Systems Agency’s Global Information Grid Black Core Network initiative
When was SDP developed?
In 2007 and later served as the basis for the CSA’s SDP framework in 2013
What does the CSA SDP framework focus on?
Controlling access to resources based on identity and device attestation
What model does SDP use to provide connectivity?
A need-to-know model that verifies device posture and identity
How does SDP ensure application infrastructure security?
By making it hidden and undetectable without visible DNS information or IP addresses
What is a key challenge for organizations undergoing digital transformation?
Staying ahead of the threat landscape and attack chain curves
What types of environments do organizations operate today?
- Physical, on-premises networks
- Private clouds
- Multiple public clouds
- Virtual software-defined networking (SDN) environments
What must organizations facilitate within newer environments?
- An expanding wide area network edge
- IT and operational technology convergence
- An increasingly mobile workforce
What does the shift from traditional infrastructures to virtualized architectures introduce?
New attack vectors that require a novel approach to network security
What types of network-based attacks did SDP designers focus on mitigating?
- Server scanning
- Denial of service
- SQL injection
- OS and application vulnerability exploits
- Man-in-the-middle
- Pass-the-hash
- Pass-the-ticket
True or False: SDP is ineffective against both existing and unknown threats.
False
What is a key benefit of Software-Defined Perimeter (SDP) regarding attack surface?
Attack surface reduction
SDP reduces the attack surface by ensuring that connectivity to assets occurs only after authentication and authorization.
How does SDP change the traditional approach to device connectivity?
By reversing the sequence of connection establishment
In traditional models, devices are authenticated first; SDP verifies the connection before authentication.
What must occur before access to an organization’s assets is granted in SDP?
Authentication, validation/authorization, and determination of access
These steps ensure only authorized access to protected assets.
What type of access does SDP provide to users and devices?
Access to specified hosts, resources, and/or services
Users and devices do not have general access to network segments.
Which protocols can SDP protect?
- Hypertext Transfer Protocol Secure (HTTPS)
- Remote Desktop Services (RDS)
SDP can be used to protect various services and protocols.
What is the outcome of controlling access levels in SDP?
Authorized users can access privileged services while unauthorized users are hidden from them
This enhances security by limiting visibility and access.
Fill in the blank: SDP provides _______ security through its open specification.
IAM
IAM stands for Identity and Access Management, which is crucial for security in SDP.
What does SDP stand for?
Software-Defined Perimeter
SDP is a security architecture that uses software components to enhance security over both physical and virtual infrastructure.
What is the primary function of the drop-all gateway in SDP?
To ensure authentication and authorization are performed before access is granted
This approach protects the perimeter by only allowing users with appropriate authorization to access the hidden infrastructure.
How does SDP enhance protection for assets?
By separating the control and data planes
This separation exposes assets only to verified users and devices, enhancing overall security.
What type of access control does SDP provide?
Fine-grained access control
This is achieved through role and attribute-based permissions, among other mechanisms.
What is a key advantage of SDP’s architecture compared to traditional architectures?
Reduced complexity and maintenance overhead
Traditional architectures require separate implementations for access control components, which increases complexity.
How does SDP differ from IP-based security architectures?
SDP is connection-based, granting access per connection
In contrast, IP-based architectures grant access based on allowlisted IP addresses.
What does SDP validate on the data plane?
Validation prior to any TLS/TCP handshake
This validation helps to secure communications and mitigate unauthorized access threats.
True or False: SDP allows access based on a device’s IP address.
False
SDP grants access based on independent connections, not IP addresses.
Fill in the blank: SDP provides a _______ security architecture.
connection-based
This means access is granted for each independent connection rather than based on IP addresses.
What is the role of mutually encrypted communications in SDP?
To enforce secure communications and mitigate unauthorized access threats
This practice enhances the overall security of the connections.
What is the main benefit of centralized organizational IAM security in SDP?
It allows for a single update to the SDP to address security issues, reducing maintenance overhead and complexity.
Traditional IAM requires checking and updating potentially hundreds of services for a single flaw.
What is an open specification?
A publicly available specification that benefits from community contributions.
Open specifications increase the volume of data and the validity and practicality of the developed specification.
How does an open specification benefit developers?
It allows customization, code auditing, and community feedback on faults and errors.
This enhances the development process and ensures higher quality outputs.
What types of network implementations has the SDP specification been proven on?
- SDNs
- IoT networks
- Network functions virtualization
- Edge computing
- 5G
Proven effectiveness across diverse technologies.
What was the purpose of the CSA Software-Defined Perimeter Working Group’s research?
To create high availability infrastructure using public clouds comparable to dedicated data centers.
This research aims to enhance cloud security and service reliability.
Name one reference material created by the CSA Software-Defined Perimeter Working Group.
- SDP Architecture Guide v25
- Software-Defined Perimeter as a DDoS Prevention Mechanism
These documents are publicly available and include community input.
True or False: Open specifications cannot be customized.
False
Open specifications allow customization according to user needs.
Fill in the blank: The SDP drastically decreases maintenance overhead and _______.
complexity
What does SDP enhance in organizations?
Existing cybersecurity investments
SDP optimizes security investments, making them more cost-effective.
What is a significant pressure organizations face regarding cybersecurity?
Responding to security events in a timely manner
Continuous pressure leads to substantial investments in cybersecurity.
Name three types of management that organizations invest in to enhance cybersecurity.
- Vulnerability management
- Patch management
- Configuration management
These investments help lock down machines using IP addresses.
What role does threat intelligence play in cybersecurity?
It helps organizations understand unauthorized users and their connections
Combined with endpoint threat detection and response (EDR), it enhances security.
What do many organizations manage to monitor threats?
Security operation centers
These centers respond to intrusion alerts and security events.
How does SDP help reduce the attack surface?
By hiding resources and applying drop-all rules
This leads to fewer security events or alerts.
What does SDP do to reduce lateral movement in attacks?
Keeps assets invisible to unauthorized users
This helps mitigate potential threats.
What complexity does SDP reduce in security controls?
Integrating controls like firewalls, IAM, encryption, and device management
SDP maintains rules in one place instead of for each individual implementation.
Fill in the blank: SDP helps companies focus internal resources on a smaller set of potentially _______.
negative events
This increases the cost-effectiveness of security investments.