Software Defined Perimeter

  • 1.  Department of Defense (DoD) Cloud-Native Access Point (CNAP) Reference Design (RD) Version 1.0

    Posted Aug 19, 2021 12:29:00 AM
    Hi All,

    The DoD just released the Department of Defense (DoD) Cloud-Native Access Point (CNAP) Reference Design (RD) Version 1.0.

    The ability to deliver capability "at the speed of relevance" requires an innovative approach to providing secure access to cloud environments. As highlighted in a recent report by the Defense Innovation Board, "...the threats that the United States faces are changing at an ever-increasing pace, and the Department of Defense's (DoD's) ability to adapt and respond is now determined by its ability to develop and deploy software to the field rapidly." To effectively and efficiently achieve the objective, access to cloud environments must be flexible, ubiquitous, and at the same time, provide the requisite level of security and monitoring to protect from, detect, respond to, and recover from cyber-attacks. The purpose of a Cloud Native Access Point (CNAP) is to provide secure authorized access to DoD resources in a commercial cloud environment, leveraging zero trust architecture (ZTA), by authorized DoD users and endpoints from anywhere, at any time, from any device.

    The purpose of this CNAP Reference Design (RD) is to describe and define the set of capabilities, fundamental components, and data flows within a CNAP. It presents logical design patterns and derived reference implementations for deploying, connecting to, and operating a CNAP. It is a future state design to guide the development of next-generation connectivity and cybersecurity capabilities to improve internet-based machine and user access into DoD cloud (in particular, commercial cloud-hosted) resources and services. A CNAP provides person entities (PE) (i.e., end-users and privileged users) and non-person entities (NPE) access to cloud enclaves using a combination of cloud-native and cloud-ready security mechanisms. Further, a CNAP allows authorized outbound access to the internet, for example, to enable software repository synchronization of COTS patches or new versions of Free and Open-Source Software (FOSS) projects and system-to-system interfaces with mission partners such as other Federal Departments.

    ------------------------------
    Michael Roza CPA, CISA, CIA, MBA, Exec MBA
    ------------------------------


  • 2.  RE: Department of Defense (DoD) Cloud-Native Access Point (CNAP) Reference Design (RD) Version 1.0

    Posted Aug 19, 2021 04:02:00 AM
    Really useful and interesting - thank you for sharing.

    What I find particularly notable is that at a high level, the document references all of the aspects of ZTNA/SASE/SDP that I would expect and has a great level of coverage and detail.

    In terms of actual implementation (and arguably not the place of a reference design), there is a lack of detail about how the reference design may be realised in practice. This is the gap for vendors to fill, and some do quite well, though it is clearly still a developing market and the maturity of some of the solutions is debatable.

    It would be interesting to track implementations that are aligned to the reference design, with the aim of promoting best practice and practical implementations.

    ------------------------------
    Alistair Cockeram CISM, CISSP, CCSP, SCCP, MCIIS, MBCS
    Information Security Architect
    Financial Services
    ------------------------------



  • 3.  RE: Department of Defense (DoD) Cloud-Native Access Point (CNAP) Reference Design (RD) Version 1.0

    Posted Aug 19, 2021 04:13:00 AM
    Hi Alistair,

    In terms of actual implementation - you are welcome to reach out ... ZafePass goes beyond this DoD CNAP Reference Design. I can't disclose more unless we are under bi-lateral / mutual NDA - sorry - but that's an easy fix, if you want to see / learn more.

    Cheers,

    /NEA

    ------------------------------
    Niels E. Anqvist
    CEO/President
    ZAFEHOUZE USA / ZAFEHOUZE EMEA
    ------------------------------



  • 4.  RE: Department of Defense (DoD) Cloud-Native Access Point (CNAP) Reference Design (RD) Version 1.0

    Posted Aug 19, 2021 04:37:00 AM

    Hi,

    Thanks, I really thought this was good as well.

    Given the military use, I imagine there are some disclosure considerations.

    Best regards,


  • 5.  RE: Department of Defense (DoD) Cloud-Native Access Point (CNAP) Reference Design (RD) Version 1.0

    Posted Aug 19, 2021 04:18:00 AM
    Hi Michael,

    I think there is a rather big issue with this Ref. Design. I don't like SSO in an SDP context. SSO removes the whole point of ZT/always verify in my opinion. If someone in this community can help me understand why SSO is NOT a problem in an SDP context - please enlighten me.

    There are other elements in the reference design that are okay - but generally I think it can be simplified even more on several fronts.

    /NEA

    ------------------------------
    Niels E. Anqvist
    CEO/President
    ZAFEHOUZE USA / ZAFEHOUZE EMEA
    ------------------------------
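
The SSO-versus-always-verify distinction raised in the post above, worked as an added example. This is not code from the CNAP reference design, from ZafePass, or from any other product in the thread: a toy IdP signs one SSO assertion at login, and a toy SDP controller then re-evaluates signature, token expiry, age of the authentication event, MFA requirement and device posture on every request against a per-resource policy. The `POLICY` table, the resource names, the posture states and the claim names (`auth_time`, `amr`, `device_id`) are all constructed for the illustration.

```python
"""Per-request policy evaluation in front of an SSO-issued token.

Constructed example: the IdP signs claims once (the SSO step); the SDP
controller still decides each request separately, so one sign-on does not
collapse into one authorization decision for the rest of the session.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(key: bytes, claims: dict) -> str:
    """IdP side: sign the claims once at login (the SSO assertion)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(key: bytes, token: str) -> Optional[dict]:
    """Gateway side: check the signature before trusting any claim."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        return json.loads(_unb64(body))
    except ValueError:  # malformed token or bad base64
        return None


# Constructed per-resource policy (hypothetical resource names):
#   ttl     - max age of the SSO authentication event accepted for this resource
#   mfa     - whether the assertion must carry an MFA authentication method
#   posture - device posture states that may reach the resource
POLICY = {
    "wiki":       {"ttl": 8 * 3600, "mfa": False, "posture": {"compliant", "degraded"}},
    "prod-admin": {"ttl": 15 * 60,  "mfa": True,  "posture": {"compliant"}},
}


def authorize(key: bytes, token: str, resource: str,
              device_posture: dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Evaluate ONE request; the SSO token alone never grants access."""
    now = time.time() if now is None else now
    claims = verify_token(key, token)
    if claims is None:
        return False, "bad signature"
    if now >= claims["exp"]:
        return False, "token expired"
    policy = POLICY.get(resource)
    if policy is None:
        return False, "unknown resource (default deny)"
    if now - claims["auth_time"] > policy["ttl"]:
        return False, "authentication too old for resource, step-up required"
    if policy["mfa"] and "mfa" not in claims["amr"]:
        return False, "MFA required for resource"
    if device_posture.get(claims["device_id"]) not in policy["posture"]:
        return False, "device posture not acceptable"
    return True, "allowed"


def demo():
    """Same SSO token, different outcomes depending on resource, device and time."""
    key = b"constructed-demo-key"
    t0 = 1_700_000_000
    pwd_only = issue_token(key, {"sub": "alice", "device_id": "lap-01",
                                 "auth_time": t0, "exp": t0 + 3600, "amr": ["pwd"]})
    with_mfa = issue_token(key, {"sub": "alice", "device_id": "lap-01",
                                 "auth_time": t0, "exp": t0 + 3600, "amr": ["pwd", "mfa"]})
    forged = issue_token(b"some-other-key", {"sub": "alice", "device_id": "lap-01",
                                            "auth_time": t0, "exp": t0 + 3600, "amr": ["mfa"]})
    ok = {"lap-01": "compliant"}
    bad = {"lap-01": "noncompliant"}
    return [
        authorize(key, pwd_only, "wiki", ok, now=t0 + 60),
        authorize(key, pwd_only, "prod-admin", ok, now=t0 + 60),
        authorize(key, with_mfa, "prod-admin", ok, now=t0 + 60),
        authorize(key, with_mfa, "prod-admin", ok, now=t0 + 1000),
        authorize(key, pwd_only, "wiki", bad, now=t0 + 60),
        authorize(key, pwd_only, "wiki", ok, now=t0 + 4000),
        authorize(key, forged, "prod-admin", ok, now=t0 + 60),
    ]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The point the example makes is that the IdP's assertion and the controller's decision are separate things: the assertion is a claim about an authentication event, and the controller binds that claim to a resource policy, a device and a clock at request time. Whether a real deployment re-checks posture and authentication age this way, or just trusts the session cookie, is exactly what separates an SDP from a conventional SSO portal.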