In recent years, the rapid development of information and communication technology (ICT) in China has led enterprises to apply new technologies in their business environments and to promote digital applications and development. At the same time, many information security problems have arisen, such as leakage and theft of user information, data loss caused by viruses, and business interruption caused by external attacks, all of which have a great impact on the development of enterprises and society. Ensuring the long-term, safe and reliable operation of enterprises' increasingly complex IT systems has become a huge challenge for many enterprise IT decision-makers. In addition, with the promulgation of a series of laws, regulations and standards, symbolized by the Cybersecurity Law of the People's Republic of China, cybersecurity has become an important national strategy. Network security is no longer only an internal problem of enterprises; it is also an important part of operating a legal and compliant business.

With the rise of cloud computing, big data, the mobile Internet, the Internet of Things (IoT), fifth-generation mobile communication (5G) and other new technologies, the traditional network security architecture can hardly adapt to the development needs of the times. A technological revolution in network security architecture is quietly taking place, and it is being recognized by more and more enterprise IT decision-makers.

In the traditional security concept, an enterprise's servers and office terminals mainly run in the internal network, so enterprise network security mainly revolves around building a network "wall", that is, it is based on perimeter protection. However, physical security boundaries have natural limitations. With the integration of cloud computing, big data, the mobile Internet, the Internet of Things and other technologies, it is impossible for enterprises to confine their data to their own internal network. For example, an enterprise that wants to move to the cloud cannot place the public cloud behind its own firewall; an enterprise that develops mobile office and Internet of Things applications finds that the firewall cannot cover every external corner; and an enterprise that embraces big data will inevitably have to exchange data with its partners. The traditional security boundary model therefore gradually disintegrates under the development trend of new technology and becomes an obstacle to enterprise development in the new era of the Internet of Everything. Enterprises therefore need to establish a new network security model.

In this context, a new generation of network security architecture based on the zero trust concept has emerged. It breaks the traditional security boundary: it no longer treats everything within the physical boundary of the enterprise as secure by default, and no longer decides whether to trust a user based on the location of the user and device in the network, but always verifies the identity of the user and the legitimacy and authority of the device, following the zero trust principle of "Never Trust, Always Verify". Under the zero trust concept, network location is no longer important, and the security boundary of the enterprise is defined entirely through software: "wherever the data is, there the security is". Relying on its own advantages, SDP has become the best choice for solving many security problems of the new era, and its security and ease of use have been verified by the practice of a large number of enterprises. In order to promote the implementation of SDP technology in China, CSA (Greater China) established the SDP Working Group in 2019.

Based on the achievements of the SDP Working Group, this book summarizes and organizes the theories and concepts scattered across different literature, introduces the complete SDP architecture from top to bottom, and provides a complete guide to the technical architecture of the software-defined perimeter, with a large number of practical cases.

1. The audience for which this book is intended

(1) Enterprise information security decision-makers. This book provides complete technical guidance and case references for enterprise information security decision-makers who are designing an enterprise information security strategy based on SDP.

(2) Professionals in the fields of information security, enterprise architecture, or security compliance. This book will guide them in evaluating, designing, deploying, and operating SDP solutions.

(3) Solution providers, service providers, and technology providers will benefit from the information provided in this book.

(4) Researchers in the field of security.

(5) People who are interested in SDP and are willing to work in the security field.

2. The main content of this book

Chapter 1 introduces the basic concepts and main functions of SDP.

Chapter 2 introduces SDP architecture, working principle, connection process, access control and deployment mode.

Chapter 3 introduces the specific protocols and logs of the SDP architecture.

Chapter 4 introduces the deployment patterns of the SDP architecture and their applicable scenarios, making technical preparations for enterprise deployment of the SDP architecture.

Chapter 5 introduces the issues that need to be considered in enterprise deployment of SDP, the integration of SDP with enterprise information security elements, and the application fields of SDP.

Chapter 6 analyzes and introduces the technical principles of SDP and its IaaS usage scenarios, and guides enterprises in securing the cloud.

Chapter 7 shows the defense mechanisms of SDP against DDoS attacks, to enhance readers' knowledge and understanding of SDP.

Chapter 8 describes the application of SDP to every level of the Classified Protection 2.0 (MLPS 2.0) requirements. Through an in-depth interpretation of Classified Protection 2.0, it shows how enterprises can meet the compliance requirements of Classified Protection 2.0 through SDP.

Chapter 9 introduces SDP strategic planning and deployment migration methods, and provides guidance for enterprises at the level of strategic planning and deployment migration.

Chapter 10 introduces the zero trust architectures and implementations of NIST, Google, Microsoft, and Forrester.

Chapter 11 introduces the main SDP and zero trust practice cases in China.

3. Conventions used in this book

(1) This book is mainly based on the IaaS products of public clouds such as Amazon Web Services, Microsoft Azure, Google Compute Engine and Rackspace Public Cloud. The associated use cases and methods are also applicable to privately deployed IaaS, such as VMware-based or OpenStack-based private clouds.

(2) Vendors that build commercial products in accordance with the SDP specification and those that do not develop strictly according to the SDP specification have different architectures, methods and capabilities. This book is vendor neutral and avoids references to the capabilities of particular leading vendors. Where examples differ because of vendor capabilities, terms such as "perhaps", "typically" and "generally" are used to describe these differences without diminishing the readability of the book.

(3) High availability and load balancing are beyond the scope of this book.

(4) The SDP policy model is beyond the scope of this book. The SDP use cases and approaches discussed in this book also apply to platform as a service (PaaS).

(5) Quoted text appears in the following form:

Zero trust networks, also known as the software-defined perimeter (SDP), are identity- and context-based logical access boundaries created around an application or a group of applications. The application is hidden and undiscoverable, and access is restricted to a specified set of entities through a trust broker. The broker verifies the identity, context, and policy compliance of the specified visitor before allowing access. This mechanism removes the application resources from public view and significantly reduces the attack surface.

(6) Data packet formats appear in the following form:

IP TCP AID (32-bit) password (32-bit) counter (64-bit)

(7) Boxes whose title contains the words "JSON canonical format" hold content in the standard format of JSON files.
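The packet layout shown in convention (6) is the single-packet authorization payload that follows the IP and TCP headers: AID (32-bit), password (32-bit), counter (64-bit). The following Python is an added example, not code from the book or from the CSA SDP Working Group: it packs and parses that 16-byte layout and sketches a receiving side that drops anything it cannot verify, which is how the "hidden, undiscoverable" behaviour quoted in convention (5) is achieved. Big-endian byte order, the static per-AID password table, and the rule that the counter must strictly increase (replay protection) are assumptions made for this example; the field widths come from the page.

```python
import hmac
import struct

# Layout from the page: AID (32-bit) | password (32-bit) | counter (64-bit).
# Network (big-endian) byte order is an assumption for this example.
SPA_FORMAT = ">IIQ"
SPA_LEN = struct.calcsize(SPA_FORMAT)  # 16 bytes


def build_spa(aid: int, password: int, counter: int) -> bytes:
    """Serialize the three fields into the payload that follows IP/TCP."""
    return struct.pack(SPA_FORMAT, aid, password, counter)


def parse_spa(payload: bytes) -> dict:
    """Strict parser: exactly SPA_LEN bytes, otherwise the packet is malformed."""
    if len(payload) != SPA_LEN:
        raise ValueError("SPA payload must be exactly %d bytes" % SPA_LEN)
    aid, password, counter = struct.unpack(SPA_FORMAT, payload)
    return {"aid": aid, "password": password, "counter": counter}


class SpaReceiver:
    """Illustrative accepting host (assumed behaviour, not the book's code).

    - Unknown AIDs, wrong passwords and malformed packets are dropped silently,
      so an unauthenticated sender learns nothing about the service.
    - The last accepted counter per AID is remembered, and a packet whose
      counter does not advance is treated as a replay and dropped.
    """

    def __init__(self, expected_passwords: dict):
        # Constructed table {AID: password}; a real deployment derives the
        # password from a shared secret rather than storing it statically.
        self.expected = expected_passwords
        self.last_counter = {}

    @staticmethod
    def _same_password(a: int, b: int) -> bool:
        # Constant-time comparison of the 32-bit field, to avoid a timing oracle.
        return hmac.compare_digest(struct.pack(">I", a), struct.pack(">I", b))

    def accept(self, payload: bytes):
        """Return (accepted, reason). Rejected packets get no reply at all."""
        try:
            fields = parse_spa(payload)
        except ValueError:
            return (False, "malformed")
        aid = fields["aid"]
        if aid not in self.expected:
            return (False, "unknown AID")
        if not self._same_password(fields["password"], self.expected[aid]):
            return (False, "bad password")
        if fields["counter"] <= self.last_counter.get(aid, -1):
            return (False, "replay")
        self.last_counter[aid] = fields["counter"]
        return (True, "accepted")


if __name__ == "__main__":
    # Constructed sample: one known AID, one SPA packet sent twice.
    receiver = SpaReceiver({0x00001234: 0xCAFEBABE})
    first = build_spa(0x00001234, 0xCAFEBABE, 1)
    print(receiver.accept(first))   # (True, 'accepted')
    print(receiver.accept(first))   # (False, 'replay')
```

Only the last three checks in `accept` produce distinct outcomes internally; on the wire every rejection looks identical, which is the property the quoted definition calls removing the application from public view.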