Software Defined Perimeter


Question from a customer on CSA's SDP/ZTA paper

  • 1.  Question from a customer on CSA's SDP/ZTA paper

    Posted Dec 02, 2020 03:04:00 PM
    A customer asked me a question regarding a quote I referenced from the CSA Software Defined Perimeter/Zero Trust Paper, and I would appreciate some help if you can.

    Here is the section from the paper I quoted:

    "Software Defined Perimeter implementations compliant with the CSA SDP version 1 specification create zero trust implementations that prevent common methods of attack such as DDoS, credential theft, and the notorious top ten threats published by the Open Web Application Security Project (OWASP)"

    Here is the question from the client:

    SDP can prevent the OWASP top ten items? You would need to have the web server and backend in a trust relationship, and the end consumer must be able to access the web server at any time, so not sure I understand how. Expanding on this would be helpful to the reader, or at least reference an external source to get more details on this.

    Can anyone help with the answer or a reference? Does Zero Trust apply to clients accessing web servers or is it just in situation where authentication is required?

    Thanks for any assistance

    Keith Patterson
    Malpaso Consulting

  • 2.  RE: Question from a customer on CSA's SDP/ZTA paper

    Posted Jun 26, 2021 12:25:00 AM
    Hi Keith,

    Let me try. There are probably a few ways to do this. In our case, we launch an "agent". It's not one that needs to be installed; you can have the "client code" on any media, autolaunch it, and it will find the gateway (SDP methodology), auth the device, then establish the encrypted micro-segmented session-based communication, then let the user auth, and the entitled resources are then deployed to the user.

    If the user then wants to connect to mail, they simply click mail. In the backend the IT team has defined a few ways this can happen. If they define that this user launches, let's say, a Firefox session for the OWA, then we capture that request, encapsulate it and multi-encrypt the session. For the user it looks like he is using Firefox (or another browser), but in reality it is a controlled, secure and safe session.

    I don't know if this provides any clarity. If you want a deeper explanation, reach out to me and we can have a private session. You can find a bit more "high-level" info in the enclosed.

    Kind regards,


    Niels E. Anqvist
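The connection sequence described in the reply above (device authentication first, then an encrypted session, then user authentication, then access only to entitled resources) as an added toy model; this is example code, not the product or agent the reply describes, and all device keys, passwords, entitlements and service names are constructed assumptions.

```python
"""Toy model of an SDP gateway: a client gets nothing until its device is
authenticated, a user can only authenticate inside a device session, and a
connection is forwarded only to services that user is entitled to."""
from dataclasses import dataclass
from typing import Dict, Optional
import hashlib
import hmac
import secrets

# Constructed sample data standing in for what the IT team would define.
DEVICE_KEYS: Dict[str, bytes] = {"laptop-01": b"device-secret-01"}
USER_PASSWORDS: Dict[str, str] = {"alice": "correct horse"}  # real deployments use an IdP/MFA
ENTITLEMENTS: Dict[str, set] = {"alice": {"mail"}}           # alice may reach mail only
SERVICES: Dict[str, str] = {"mail": "owa.internal:443", "hr": "hr.internal:443"}


@dataclass
class Session:
    device_id: str
    session_key: bytes                 # stands in for the encrypted session's key
    user: Optional[str] = None         # set only after step 2 succeeds


class Gateway:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def device_auth(self, device_id: str, nonce: bytes, tag: bytes) -> Optional[str]:
        """Step 1: the device proves it holds its key (HMAC over a gateway nonce).
        Unknown devices or bad tags get no session: the gateway stays dark to them."""
        key = DEVICE_KEYS.get(device_id)
        if key is None or not hmac.compare_digest(hmac.new(key, nonce, hashlib.sha256).digest(), tag):
            return None
        sid = secrets.token_hex(8)
        self.sessions[sid] = Session(device_id=device_id, session_key=secrets.token_bytes(32))
        return sid

    def user_auth(self, sid: str, user: str, password: str) -> bool:
        """Step 2: the user authenticates only inside an existing device session."""
        s = self.sessions.get(sid)
        stored = USER_PASSWORDS.get(user)
        if s is None or stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            return False
        s.user = user
        return True

    def connect(self, sid: str, service: str) -> Optional[str]:
        """Step 3: forward only to services the authenticated user is entitled to."""
        s = self.sessions.get(sid)
        if s is None or s.user is None or service not in ENTITLEMENTS.get(s.user, set()):
            return None
        return SERVICES.get(service)


def client_tag(device_id: str, nonce: bytes) -> bytes:
    """Client side of step 1: compute the HMAC with the device's own key."""
    return hmac.new(DEVICE_KEYS[device_id], nonce, hashlib.sha256).digest()
```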