The Cloud Security Alliance (CSA) is a not-for-profit think tank of volunteers who spend their time trying to better the internet. These people are the antithesis of cybercriminals; they spend their energy trying to figure out ways to make our data safer. They create best practices for providing security assurance within cloud computing, or in this case, they determine how a cloud environment can be used to enhance and scale authentication for a service that can be cloud-based or private data center-based.
Just last week, CSA announced the results of a worldwide Hackathon against an implementation of their Software Defined Perimeter (SDP) to see what would happen. The results were very positive. Their SDP withstood over a month of pounding from individuals and groups representing amateurs, self-taught enthusiasts/hackers, as well as trained professionals from over 100 countries. They threw everything they had at it. Like McDonald’s, there were billions [of packets] served up, and in the end, none succeeded in breaching the SDP that protected the public cloud.
Per the CSA, the SDP is:
a new approach to security being developed as an open standard by the Cloud Security Alliance (CSA). SDP mitigates network-based attacks by creating dynamically provisioned perimeters anywhere in the world, including in a cloud, on the DMZ, and in the data center. Intrinsically secure, the SDP starts with zero visibility and zero connectivity. Only after the user and his device have been authenticated does the SDP dynamically build networks to authorized applications. Enterprise companies use Software Defined Perimeter to protect applications on the Internet, such as business and partner portals, cross-company collaboration, and for their migration to Infrastructure-as-a-Service and SaaS services. And, in addition to using SDP to internally isolate critical applications, enterprises use it to protect internal business critical applications for non-employee and BYOD access.
The first question that most people ask is “How much will it cost?” The good news is, because they are not-for-profit and create standards that rely on open source and public domain technology, anyone can create an in-house solution that is fairly low-cost. Implementers have to buy the hardware, OS (if you want to use Windows), web stack (if you want to use IIS), and the appropriate certificate(s), but the rest is freely available. They also have the option to look for solution vendors that build around the standard. Companies that use the standards should require less R&D, allowing them to launch solutions sooner and thus keeping the overall price lower while providing higher security.
Another question that comes up is “How complex is it?” This is also good news. I spoke with a couple of CSA representatives involved in the project who told me it is “elegant in its simplicity.” Prior to the Hackathon, they also had a number of people tell them that it was too simple and could easily be hacked. Interestingly enough, that was not the case. The primary reason for that is the way that security is layered together. Though the original naysayers thought that the pieces were simplistic, the composite solution’s security rivals, or possibly exceeds, that of other existing commercial solutions.
Then comes the question, “How do you do it?” Not going deep into it, the standard uses a Hashed Message Authentication Code One Time Password (HMAC OTP). Hash-based MAC generates an OTP and signs it with a digital certificate, making the request and response nearly impossible to forge and spoof. Next, the authenticated request is responded to with a SAML assertion to control where you can go in the environment. The OTP is a 64-bit number that rotates for each challenge, and the certificate should be a 256-bit key that can be a commercial or internal authority, depending upon the use requirements.
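As an added illustration (not CSA’s code and not the SDP specification’s algorithm), the following Python shows how a 64-bit HMAC-based one-time password can be derived per challenge and verified with a constant-time, replay-resistant check. The shared secret, the 8-byte counter layout and the look-ahead window are assumptions; the certificate-signing and SAML assertion steps the post describes are not shown.

```python
import hmac
import hashlib
import struct


def hmac_otp(secret: bytes, counter: int) -> int:
    """Derive a 64-bit OTP from a shared secret and a per-challenge counter.

    Hypothetical scheme in the spirit of RFC 4226 HOTP: HMAC-SHA256 over an
    8-byte big-endian counter, then dynamic truncation to 8 bytes.
    """
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # Low nibble of the last byte picks the truncation offset (RFC 4226 style);
    # offset <= 15, so offset + 8 stays inside the 32-byte digest.
    offset = digest[-1] & 0x0F
    return struct.unpack(">Q", digest[offset:offset + 8])[0]


class OtpVerifier:
    """Server-side verifier: each counter value is accepted at most once."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret = secret
        self.window = window        # how many lost challenges we tolerate
        self.next_counter = 0       # first counter value not yet consumed

    def verify(self, presented: int) -> bool:
        if not 0 <= presented < 2 ** 64:
            return False            # not a 64-bit value; reject outright
        presented_bytes = struct.pack(">Q", presented)
        for c in range(self.next_counter, self.next_counter + self.window):
            expected = struct.pack(">Q", hmac_otp(self.secret, c))
            # Constant-time comparison avoids leaking how many bytes matched.
            if hmac.compare_digest(expected, presented_bytes):
                # Advance past c: replaying this or any earlier OTP now fails.
                self.next_counter = c + 1
                return True
        return False


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed sample value
    verifier = OtpVerifier(secret)
    first = hmac_otp(secret, 0)
    print("first use accepted:", verifier.verify(first))
    print("replay accepted:", verifier.verify(first))
```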
Lastly, I asked “What makes this so tough to crack?” The strength comes in the layering. Yes, a key can be extracted from a certificate, and yes, some OTPs can be guessed, but the odds of being able to do both, rendering a guess of a 64-bit OTP (that’s a number the size of a trillion, trillion or 1×10^24), working out the certificate issues, and falsifying the SAML assertion, are just too great a combination on a per-attack basis.
During the conversation, I asked what the most interesting attack was that they saw. Though they wouldn’t go into details because a number of them were equivalent to very sophisticated (but unsuccessful) zero-day attacks, they did say that they were amazed at the resourcefulness of attackers and felt that they really got a no-holds-barred contest. They stated, “The number of sophisticated attacks used were not only extensive, but very well scripted and orchestrated so quickly that many normal organizations could have been easily compromised.”
CSA’s full report on the Hack-A-Thon will be out in November. For additional information on the Hackathon please refer to Software Defined Perimeter (SDP) Prevailing after Hackathon Kickoff at Cloud Security Alliance Congress 2014. You can visit the CSA at https://cloudsecurityalliance.org, and follow them on Twitter @cloudsa.