Open Source for you

Secure your Enterprise with a Blockchain Defined Perimeter

- By: Narasimha Sekhar Kakaraparthi

In a traditional enterprise, all users, devices and systems are located and ring-fenced within a well-defined DMZ perimeter. Here, VPNs are used to give a limited set of employees, clients and vendors secure remote access to internal IT systems. Since the pandemic, however, almost all employees in many enterprises are working from home. To quickly facilitate remote access to IT systems, many IT departments have started using VPNs for everyone. This may help business continuity, but it also enlarges the security threat surface. This is where a blockchain defined perimeter comes in.

The hybrid work model is the new normal and traditional VPNs have become increasingly insufficient to address the needs of the modern digital enterprise. Cybersecurity is a critical concern for IT teams with so many people working remotely on their own devices. VPN technologies lack the ability to enforce granular access control and network privileges. This is where zero trust and blockchain technologies are being leveraged for new solutions.

Blurred enterprise security perimeter

Vendors and clients now require anytime, anywhere, instant access to applications. The migration of IT infrastructure and systems to the cloud, the widespread use of bring your own device (BYOD), and IoT are the norm today. So the previously closed IT environment has quickly transformed into a hybrid, highly networked and widely distributed ecosystem. This growing ‘mobility’ of users and a swelling enterprise perimeter have resulted in greater exposure to cyberattacks. With IT no longer centred on an enterprise’s offices and internal data centres, the enterprise security perimeter is blurring. So security teams need to look at new approaches and technologies to secure the modern digital enterprise ecosystem. The internet has become the enterprise network, and on-premises solutions can’t establish secure network connections, especially with the advent of BYOD leaving the door open for hackers and unauthorised users. As a result, in today’s hybrid world, a traditional hardware-defined network perimeter and trust model is no longer viable.

Software defined perimeter

A software defined perimeter (SDP) is a security methodology that distributes access to internal applications based on a user’s identity, with trust that adapts based on context. First conceptualised by the US Defense Information Systems Agency in 2007, SDPs are built on a need-to-know model with trust that is constantly monitored and adapted based on a range of criteria. They make application infrastructure invisible to the internet, reducing the attack surface for network based attacks (DDoS, ransomware, malware, server scanning, etc). SDP guarantees that all endpoints attempting to access enterprise infrastructure are authenticated and approved.

This perimeter takes a different approach compared to traditional network based security. Instead of focusing on securing the network, it focuses on securing the user, the application, and the connectivity in between. Four core principles differentiate SDP technologies.

1. Trust is never implicit: SDPs only grant application access to users who are authenticated and specifically authorised to use an app. Furthermore, authorised users are only granted access to the application, not the network.

2. No inbound connections: By responding with outbound-only connections, SDPs keep the network and application infrastructure invisible to the internet and therefore impossible to attack.

3. Application segmentation, not network segmentation: SDP provides native application segmentation that can control access on a one-to-one basis, resulting in far more granular segmentation, which is much easier for IT teams to manage.

4. Secure internet leverage: SDP is focused on securing user-to-application connections over the internet rather than securing users’ access to the network.

Figure 1 shows SDP components and interactions. SDP architectures are made up of two main components — SDP controllers and SDP hosts. Control and data channels are separated. An SDP controller determines which SDP hosts can communicate with each other. An SDP host can be either initiating or accepting. An initiating SDP host communicates with an SDP controller to determine which hosts it can connect to. An accepting SDP host only accepts communications and connections that the SDP controller has allowed.
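To make the controller/host split concrete, here is a small simulation of the SDP interaction just described. It is an added example written for this article, not code from the author or from any SDP product; the class names (`SdpController`, `AcceptingHost`), the sample identities and the sample applications are assumptions. The controller holds the policy and pushes a single-use token to the accepting host over the control channel; the accepting host stays silent on the data channel unless it holds a token the controller issued, so an unauthorised probe or a replayed token gets no response.

```python
"""Toy software defined perimeter: controller decides who may reach which
application; accepting hosts default-deny everything else.
Added example, not from the article; names and sample policy are assumptions."""
from dataclasses import dataclass
import secrets


@dataclass
class Policy:
    # identity -> set of application names the identity is explicitly granted
    grants: dict


class AcceptingHost:
    """Accepting SDP host: only honours connections pre-approved by the controller."""

    def __init__(self, app):
        self.app = app
        self._expected = {}   # single-use token -> identity (pushed by controller)
        self.log = []         # ("accept", identity) / ("drop", token)

    def expect(self, identity, token):
        # Control channel: the controller tells us whom to expect.
        self._expected[token] = identity

    def connect(self, token):
        # Data channel: no controller-issued token means no reply at all,
        # so scanners and replayed tokens see nothing ("dark" host).
        identity = self._expected.pop(token, None)   # pop => token is single-use
        if identity is None:
            self.log.append(("drop", token))
            return None
        self.log.append(("accept", identity))
        return f"{identity}->{self.app}"


class SdpController:
    """Holds the policy; initiating hosts ask it which applications they may reach."""

    def __init__(self, policy, hosts):
        self.policy = policy
        self.hosts = hosts    # app name -> AcceptingHost

    def authorise(self, identity, app):
        # Trust is never implicit: access is per identity and per application,
        # never to "the network".  Unknown identity or app => None.
        if app not in self.policy.grants.get(identity, set()):
            return None
        token = secrets.token_hex(16)
        self.hosts[app].expect(identity, token)
        return token


def build_demo():
    # Constructed sample environment: two applications, two identities.
    hosts = {"payroll": AcceptingHost("payroll"), "wiki": AcceptingHost("wiki")}
    policy = Policy({"alice": {"wiki"}, "bob": {"wiki", "payroll"}})
    return SdpController(policy, hosts), hosts


def demo():
    """Run the four interesting cases and return their outcomes."""
    ctrl, hosts = build_demo()
    token = ctrl.authorise("alice", "wiki")
    return {
        "alice_wiki": hosts["wiki"].connect(token),          # "alice->wiki"
        "alice_payroll": ctrl.authorise("alice", "payroll"),  # None: not granted
        "unauth_probe": hosts["payroll"].connect("not-a-token"),  # None: dropped
        "replay": hosts["wiki"].connect(token),               # None: token spent
        "payroll_log": hosts["payroll"].log,                  # probe was logged
    }


if __name__ == "__main__":
    print(demo())
```

The point to notice is where the decision lives: the accepting host never consults the policy itself, it only honours what the controller has already told it, which is what keeps the data path "invisible" to anyone the controller has not vouched for.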

Zero trust and SDP are based on the same philosophy. Rooted in the principle of ‘never trust, always verify’, they are designed to protect distributed digital environments by leveraging segmentation, preventing lateral movement, providing Layer 7 threat prevention, and simplifying granular user-access control.

An SDP not only reduces the risk to endpoints that connect from anywhere, but also—with the help of an SDP controller—distributes network resources more evenly.

Because these resources are defined on an individual basis, access control is centralised as well as simplified, ensuring secure access throughout the entire organisation. Thus, SDP addresses enterprise issues by enabling remote access use cases such as finding VPN alternatives, securing multi-cloud access, and reducing third-party risks.

SDP or zero trust network architecture denies access to resources unless the user or machine has been given explicit permission. There are no implicit trust relationships. Moreover, those access rights are continually evaluated and approved (or declined) in real time for each identity, every time access is requested.

This ‘never trust, always verify’ validation policy is the primary difference between zero trust and legacy network security models. It works through a variety of methods, including user authentication, authorisation, and inspection, and is based on criteria such as a user’s identity, location, operating system and firmware version, and endpoint hardware type. The zero trust approach provides granular, least-privilege access to limit lateral movement.

Blockchain defined perimeter

SDP and zero trust platforms provide comprehensive secure access to applications and environments, independent of user, device, and location. SDP, stitched together with blockchain technology, is able to deliver fine-grained micro-segmented network access to business applications, irrespective of whether they are hosted on-premises or across one or multiple clouds.

Blockchain technology is an immutable time-stamped series of records that is cryptographically secure, distributed and managed by a cluster of nodes. The three pillars of blockchain technology – decentralisation, transparency and immutability – deliver a scalable, resilient and robust backend system along with a new breed of tools for digital identity, authentication and authorisation of users as well as connected devices.

Challenges of BYOD and a blockchain based solution

BYOD is a practice followed by many organisations where employees can use their personal devices for work purposes. It may bring a lot of advantages, but also leads to security issues. Data can be leaked because of the weak authentication technique used to verify the user and the device. A secure authentication technique is what the organisation needs. Blockchain is the answer to this because it uses cryptographic technology that’s not easy for a hacker to break. In order to secure sensitive data, a record-keeping model is built using blockchain technology where every activity related to a record is documented in the digital ledger.

This ledger can be used as evidence collection for further investigation. This solution helps organisations to minimise cases of data leakage while allowing employees to bring their own devices.

Blockchain is a cryptographic technology that records all user transactions in a digital ledger that is distributed across the network. A blockchain platform is not dependent on any individual entity because the ledger is shared in a decentralised way. It prevents the occurrence of human errors, which makes it reliable. The record can be accessed from anywhere and the confidentiality of the data is maintained by encryption and hashing methods. The use of cryptography prevents unauthorised access to the network and ensures only legitimate users are allowed to participate.

The key layers and components of a typical blockchain defined perimeter (BDP) are depicted in Figure 3. The security framework consists of authentication and authorisation modules. The authentication process is comprehensive, covering user and device checks. Only authorised users are allowed to access enterprise resources. Enterprises may choose to deploy infrastructure in their data centre, on a public cloud or use a hybrid model. End users may use enterprise managed devices or unmanaged BYOD devices to connect via any kind of network channel to access enterprise resources.

Blockchain technology strengthens zero trust network access in the following ways.

● Access protection: This is a form of access management that is designed to let trusted traffic in. A combination of setting access security policies, monitoring usage, and managing usage creates an adaptive access protection model. The authentication trust model comprises user and device authentication with location detection capability. This process prevents data leakage through unauthorised access and malware infection. The first part is a user authentication process. It uses multifactor authentication, where the user needs to key in their ID, password and second factor pass code. The authentication process then goes through the blockchain process, where a private key and a public key are assigned to the user. Blockchain uses an asymmetric cryptography mechanism to authenticate transactions. Data on employee private keys is not kept in the database but only stored in the blockchain. Users get a public key during registration, which acts as user identification in the blockchain. The key is kept in the authentication database. The second part is the device authentication process, where the device goes through two phases. The first phase is where the malware database server does offload scanning to find out if the device is clean. If this is so, the device goes through the second phase of the authentication, which is location detection. Company policies are applied based on location, and access is granted if conditions are satisfied. As an additional security measure, users are asked to provide a verification code. This authentication is agentless, as offload scanning is done through the network without the user needing to install anything on the device.

● Visibility and forensics: In order to maintain compliance with and enforce the requisite policies and systems, organisations should implement procedures for the continuous visibility and assessment of their environment. These procedures have a constant cycle of implementing a ZTNA (zero trust network access) posture, monitoring it, and adjusting it. In this model, user records are linked to the blockchain and kept in encrypted form; they can only be updated with the appropriate authentication. Every change made to the document is notified to the owner and everyone in the chain. The last phase is the evidence collection technique, where a digital ledger from the blockchain is used to record all user and device activity. This digital ledger is tamper-evident and can be viewed by everyone in the loop. This can be perfect evidence for investigation if data gets leaked in the organisation.
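The two bullets above describe, first, an access decision that chains user MFA, an agentless device scan and a location policy, and second, an activity ledger that anyone in the loop can check for tampering. The following added example (written for this article, not the author's or any vendor's code) puts both together: each access decision is appended to a hash-chained ledger, and `verify_ledger` recomputes every link so that a modified entry is detected. The device-scan verdicts, the permitted locations and the function names are constructed assumptions, and the ledger is a single-node hash chain, which illustrates the immutability property but not the distributed consensus of a real blockchain.

```python
"""Blockchain defined perimeter pieces: (1) an explicit, ordered access
decision (user, second factor, device scan, location) and (2) a tamper-evident
hash-chained ledger of those decisions.
Added example, not from the article; policies and names are assumptions."""
import hashlib
import json

# --- (1) access decision ----------------------------------------------------
ALLOWED_LOCATIONS = {"office", "home-vpn"}            # constructed sample policy
SCAN_VERDICTS = {"laptop-42": True, "phone-7": False}  # constructed offload-scan results


def evaluate_access(user_ok, mfa_ok, device_id, location):
    """Return ("allow"|"deny", reason).  Every factor is checked explicitly,
    in the order the article gives; an unknown device counts as not clean."""
    if not user_ok:
        return "deny", "user authentication failed"
    if not mfa_ok:
        return "deny", "second factor missing"
    if not SCAN_VERDICTS.get(device_id, False):
        return "deny", f"device {device_id} failed offload scan"
    if location not in ALLOWED_LOCATIONS:
        return "deny", f"location {location} not permitted by policy"
    return "allow", "all checks passed"


# --- (2) hash-chained ledger -------------------------------------------------
GENESIS = "0" * 64   # previous-hash value for the first entry


def _digest(prev_hash, record):
    # Canonical JSON so the same record always hashes the same way.
    payload = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_record(ledger, record):
    """Append an entry whose hash covers both the record and the previous hash."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"record": record, "prev": prev, "hash": _digest(prev, record)})
    return ledger


def verify_ledger(ledger):
    """Recompute every link.  Returns -1 if intact, else the index of the first
    entry whose content or link no longer matches."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return -1


def demo():
    """Record three constructed access attempts, then tamper with one."""
    ledger = []
    attempts = [
        (True, True, "laptop-42", "office"),   # clean device, allowed location
        (True, True, "phone-7", "office"),     # device failed scan
        (True, False, "laptop-42", "cafe"),    # no second factor
    ]
    for user_ok, mfa_ok, device, loc in attempts:
        decision, why = evaluate_access(user_ok, mfa_ok, device, loc)
        append_record(ledger, {"device": device, "location": loc,
                               "decision": decision, "reason": why})
    decisions = [e["record"]["decision"] for e in ledger]
    intact = verify_ledger(ledger)               # -1: chain is consistent
    ledger[1]["record"]["decision"] = "allow"    # simulate an after-the-fact edit
    tampered = verify_ledger(ledger)             # 1: entry 1 no longer matches
    return {"decisions": decisions, "intact": intact, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

Because each hash covers the previous hash, changing entry 1 also invalidates every later link; an investigator re-running `verify_ledger` needs only the genesis value and the entries themselves, which is what makes the ledger useful as evidence.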

Open source platforms

There are many open source blockchain platforms available that can be leveraged for implementing a blockchain defined perimeter. Some of them are listed below.

● Hyperledger: Hyperledger Foundation hosts a number of enterprise-grade blockchain software projects.

● Ethereum: This is an open source blockchain platform that helps in running smart contracts and provides different programming tools to create them.

● BigchainDB: This open source distributed ledger system is designed for storing large data sets and enabling its developers to deploy various blockchain proofs-of-concept and applications.

● HydraChain: This is an open source extension of the Ethereum blockchain platform that helps in developing and deploying different permissioned distributed ledgers.

● Corda: This is one of the preferred open source blockchain platforms for building and developing various permissioned distributed ledger systems.

● Tron: This is one of the largest blockchain based operating systems.

The author has more than 27 years of software industry experience in product development for the hybrid cloud, telecommunications, and manufacturing domains. He is currently working as principal architect for virtual desktops and end user services at Wipro Technologies. He is a senior member of Wipro’s eminent architects group called Distinguished Member of Technical Staff (DMTS). He has been granted five patents for his research work.

Disclaimer: The views expressed in this article are those of the author, and Wipro does not subscribe to the substance, veracity or truthfulness of the said opinion.

Figure 2: Blockchain defined enterprise security perimeter

Figure 3: BDP building blocks
