Reinventing the Handshake
My father used to tell me that the key to success in life was to look people in the eye and give them a firm handshake. But the art of the handshake seems to have died in my generation. I grew up in the era of high fives, forearm smashes and fist pumps. I played baseball, so there were also a lot of butt pats (but let’s not go into that). It seems like the importance of handshakes and eye-to-eye contact has diminished even further in my daughter’s generation. Every day I watch her friends look down at their smartphones while texting each other “omg hi bff” as they greet each other at school or at the mall.
My father is gone now. But he wouldn’t like that.
It seems like the nature of handshakes is changing in the world of network security as well, but in this case it is a good trend.
To explain that, let me provide some background. We all know that TCP/IP-based networking has proven to be hugely scalable and flexible. There are several reasons for that. One is the separation of responsibility between the network layer (IP) and the connection layer (usually TCP, sometimes UDP). The network layer focuses on efficiently moving packets from point A to point B on a large scale. The connection layer focuses on establishing and optimizing data transfer between point A and point B. Has it worked? Hundreds of millions of connected endpoints, moving steadily towards tens of billions, would tell you it has.
Up until now, the trick at the connection layer was to allow point A and point B to create a connection between them using a bi-directional handshake. That way, billions of different point A’s across the world can independently connect with billions of different point B’s across the world, with no shared resource getting in the way other than the luck of the draw of common path elements (e.g., common network links, shared servers).
This has created great scale. But … it has also led to almost all of the network-related cybersecurity issues we struggle with today.
This is why the concept of brokered or arbitrated connection management has taken hold, in the form of a connectivity model called Software Defined Perimeter (SDP), which is being promoted by the Cloud Security Alliance. Using SDP, applications, services, and servers are isolated from users (or other servers or IoT devices) by an SDP Gateway, which is a dynamically configured TCP Gateway. No connectivity can be created directly via the traditional bi-directional handshake. The Gateway rejects all attempts at establishing connectivity unless the user and endpoint have been “pre-approved” by a third-party arbitrator. This third-party role is played by the SDP Controller. Endpoints desiring connectivity to a destination protected by an SDP Gateway don’t bother to send a connection request to that destination. Instead they “apply” for connectivity to the SDP Controller, which determines whether they are trusted.
Trust assessment means device authentication, user authentication, and a set of context-based information that will continue to expand over time – location, BYOD vs. managed device, software posture, software integrity, etc. The goal is to evaluate overall trust as fully as possible before allowing connectivity. If satisfied, the SDP Controller dynamically configures the SDP Gateway to allow connectivity for that trusted, authorized user and endpoint only. The systems isolated and protected by SDP Gateways are never exposed to attackers who have stolen credentials, nor are they exposed to unauthorized users looking to exploit server or application vulnerabilities, trying to move laterally in a persistent search for access to sensitive data, or – failing everything else – simply wanting to deny service to others via bandwidth or resource starvation attacks.
Call it what you will: three-party handshake, arbitrated connection control, brokered connection management. Vocabulary may vary until the world agrees on some common terms. But no matter what you call it, one adjective applies – powerful.
My father would be happy that the handshake is back, and better than ever.