Security visibility, resiliency, and responsiveness can be improved by combining Domain Name Systems and enterprise-managed DDI systems with SDP
The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, has published a new white paper, Integrating SDP and DNS: Enhanced Zero Trust Policy Enforcement. Drafted by the Software-Defined Perimeter (SDP) and Zero Trust Working Group, the document explores how enterprise DDI systems – which collectively refer to three core network services, namely Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), and Internet Protocol Address Management (IPAM) – can augment and integrate with SDP to enhance organizations’ security, resiliency, and responsiveness.
DNS maps human-readable domain names (e.g., cloudsecurityalliance.org) to numerical internet protocol (IP) addresses. Setting and enforcing policy at the DNS layer isn’t compute-intensive and has the further advantage of being able to scale to millions. However, the ubiquity of DNS and the fact that it’s largely open, connectionless, and unencrypted, makes it a commonly exploited means of infiltrating malware into networks and exfiltrating data. Additional mechanisms are required for a fine-grained policy framework and enforcement to leverage the DDI database. DDI services can provide enterprises with visibility and control, and when combined with SDP can deliver considerably improved security and help organizations advance their Zero Trust security journeys.
“Integrating the three core systems that comprise DDI helps provide control, automation, and security for today’s modern and highly distributed networks. Tying together traditionally distinct systems for more holistic enforcement is a hallmark of the Zero Trust security approach, and DDI has the unique advantage of logging who’s on the network, where they’re going, and, more importantly, where they’ve been. Information security will always be multi-layered, and Zero Trust via SDP is an approach that benefits from integration with many other parts of an enterprise security infrastructure,” said Shamun Mahmud, senior research analyst, Cloud Security Alliance.
The paper explains how by integrating an SDP architecture with DNS, a strategy that results in improved security, organizations can leverage DNS as a Zero Trust network policy enforcement point alongside the SDP policy enforcement points and mine valuable DNS data for faster threat response by SDPs. Two use cases where enterprise-managed DDI integrates with SDP to improve security, contextual awareness, and responsiveness are included by way of example.
Download Integrating SDP and DNS: Enhanced Zero Trust Policy Enforcement today.
The Software-Defined Perimeter and Zero Trust Working Group was created to validate and protect the devices and connections on a network. Those interested in learning more about the group or participating in future research are invited to join.
About Cloud Security Alliance
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, training, certification, events, and products. CSA's activities, knowledge, and extensive network benefit the entire community impacted by cloud — from providers and customers to governments, entrepreneurs, and the assurance industry — and provide a forum through which different parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.
View source version on businesswire.com: https://www.businesswire.com/news/home/20220413005302/en/
Contacts
Kristina Rundquist
ZAG Communications for CSA
kristina@zagcommunications.com