New Cloud Security Alliance Paper Explores How Enterprises Can Augment, Integrate DNS Systems With Software-Defined Perimeter (SDP) to Enhance Security


April 13, 2022 By David

The Cloud Security Alliance (CSA) has published a new white paper, Integrating SDP and DNS: Enhanced Zero Trust Policy Enforcement. Drafted by the Software-Defined Perimeter (SDP) and Zero Trust Working Group, the document explores how enterprise DDI systems – which collectively refer to three core network services, namely Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), and Internet Protocol Address Management (IPAM) – can augment and integrate with SDP to enhance organizations’ security, resiliency, and responsiveness.

DNS maps human-readable domain names (e.g., cloudsecurityalliance.org) to numerical internet protocol (IP) addresses. Setting and enforcing policy at the DNS layer isn’t compute-intensive and has the further advantage of being able to scale to millions. However, the ubiquity of DNS, together with the fact that it’s largely open, connectionless, and unencrypted, makes it a commonly exploited means of infiltrating malware into networks and exfiltrating data. Additional mechanisms are required for a fine-grained policy framework and enforcement that leverages the DDI database. DDI services can provide enterprises with visibility and control, and when combined with SDP they can deliver considerably improved security and help organizations advance their Zero Trust security journeys.

“Integrating the three core systems that comprise DDI helps provide control, automation, and security for today’s modern and highly distributed networks. Tying together traditionally distinct systems for more holistic enforcement is a hallmark of the Zero Trust security approach, and DDI has the unique advantage of logging who’s on the network, where they’re going, and, more importantly, where they’ve been. Information security will always be multi-layered, and Zero Trust via SDP is an approach that benefits from integration with many other parts of an enterprise security infrastructure,” said Shamun Mahmud, senior research analyst, Cloud Security Alliance.

The paper explains how, by integrating an SDP architecture with DNS, organizations can leverage DNS as a Zero Trust network policy enforcement point alongside the SDP policy enforcement points, and can mine valuable DNS data so that SDPs respond to threats faster. Two use cases in which enterprise-managed DDI integrates with SDP to improve security, contextual awareness, and responsiveness are included by way of example.
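The two ideas in the paragraph above, DNS as a per-identity policy enforcement point and DNS query data as a source of threat signal, can be sketched in a few dozen lines. The following Python is an added illustration and is not code from the CSA paper or from any DDI or SDP product. It assumes a simplified resolver log format (one query per line: identity, queried name, record type), an allow-list policy keyed by device identity with default deny, and three hypothetical exfiltration indicators with thresholds chosen for the demo: an unusually long leftmost label, a high-entropy (random-looking) leftmost label, and many distinct subdomains under one parent domain from a single identity. All log lines are constructed sample data.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS resolver log (assumed format: "identity qname qtype").
# None of these lines come from the paper; the last four mimic DNS-tunnel traffic.
SAMPLE_LOG = [
    "laptop-01 www.cloudsecurityalliance.org A",
    "laptop-01 updates.example-vendor.com A",
    "laptop-01 mail.corp.example A",
    "printer-07 firmware.printer-vendor.example A",
    "printer-07 www.cloudsecurityalliance.org A",
    "laptop-01 a9f3e1c4b7d2e8f1a0c3b5d7e9f2a4c6.tunnel.example TXT",
    "laptop-01 0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e.tunnel.example TXT",
    "laptop-01 f6e5d4c3b2a1908f7e6d5c4b3a291807.tunnel.example TXT",
    "laptop-01 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d.tunnel.example TXT",
]

# Assumed Zero Trust policy at the DNS enforcement point: an identity may resolve
# only names under its allowed suffixes; anything else (or any unknown identity) is denied.
POLICY = {
    "laptop-01": {"cloudsecurityalliance.org", "example-vendor.com", "corp.example"},
    "printer-07": {"printer-vendor.example"},
}

# Assumed detection thresholds for the demo; tune against real baseline data.
MAX_LABEL_LEN = 30          # leftmost labels longer than this are suspicious
MIN_ENTROPY = 3.5           # bits per character of the leftmost label
MAX_UNIQUE_SUBDOMAINS = 3   # distinct subdomains per (identity, parent domain)


def shannon_entropy(label: str) -> float:
    """Bits per character of a label; encoded/random payloads score high."""
    if not label:
        return 0.0
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in Counter(label).values())


def parse_log_line(line: str) -> dict:
    """Split one assumed-format log line into its fields, normalising the name."""
    identity, qname, qtype = line.split()
    return {"identity": identity, "qname": qname.rstrip(".").lower(), "qtype": qtype}


def policy_decision(identity: str, qname: str, policy: dict) -> str:
    """Default-deny suffix match: allow only names under the identity's suffixes."""
    for suffix in policy.get(identity, set()):
        if qname == suffix or qname.endswith("." + suffix):
            return "allow"
    return "deny"


def analyze_log(lines, policy):
    """Return one result per query: policy decision plus any exfiltration indicators."""
    seen = defaultdict(set)   # (identity, parent domain) -> distinct leftmost labels
    results = []
    for line in lines:
        q = parse_log_line(line)
        labels = q["qname"].split(".")
        leftmost = labels[0]
        parent = ".".join(labels[-2:])  # assumption: registered domain = last two labels
        indicators = []
        if len(leftmost) > MAX_LABEL_LEN:
            indicators.append("long-label")
        if shannon_entropy(leftmost) > MIN_ENTROPY:
            indicators.append("high-entropy")
        seen[(q["identity"], parent)].add(leftmost)
        if len(seen[(q["identity"], parent)]) > MAX_UNIQUE_SUBDOMAINS:
            indicators.append("subdomain-churn")
        results.append({
            "identity": q["identity"],
            "qname": q["qname"],
            "decision": policy_decision(q["identity"], q["qname"], policy),
            "indicators": indicators,
        })
    return results


def summarize(results) -> dict:
    """Counts an SDP controller could consume to adjust access decisions."""
    return {
        "allow": sum(r["decision"] == "allow" for r in results),
        "deny": sum(r["decision"] == "deny" for r in results),
        "flagged": sum(bool(r["indicators"]) for r in results),
    }


if __name__ == "__main__":
    res = analyze_log(SAMPLE_LOG, POLICY)
    for r in res:
        print(f'{r["identity"]:<10} {r["decision"]:<5} {r["qname"]:<50} {r["indicators"]}')
    print(summarize(res))
```

The policy check and the indicator check are deliberately separate: the policy outcome is what the DNS enforcement point returns to the client, while the indicators are the "mined DNS data" that an SDP controller would consume, for example to tighten the device's access until the alert is investigated. The printer's denied query carries no indicator, showing a plain policy violation, whereas the tunnel-style queries are denied and also flagged.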

Download Integrating SDP and DNS: Enhanced Zero Trust Policy Enforcement today.