SGN, the gas company that serves homes in the south of England and Scotland, has begun using next-generation access control from Vidder, based on the concept of a software-defined perimeter (SDP).
The software-defined perimeter will be part of a multi-layered approach to network security using a zero-trust model.
SGN is under pressure to reduce costs and pass cost savings up the supply chain. Initiatives to tackle costs include the roll-out of smart metering, and using robotics to inspect pipes.
The utility company is using Vidder PrecisionAccess to support its migration to the cloud.
“Our IT strategy is to go cloud first,” says SGN chief information security officer Mo Ahddoud. “We have an 18-month transformation period, during which about 80% of our applications will be cloud-enabled.
“All our applications will be consumed through the cloud – so we won’t have an on-premise datacentre.”
From an end-user computing perspective, SGN runs desktops, laptops and tablets, and third-party companies also need network access.
Ahddoud says the company wants to simplify the way its users access the network, which could also be extended to cover third parties and non-corporate devices. “We want to prioritise access control,” he says. “We want to support mobility across business operations. We don’t care whether you connect through a coffee shop or home Wi-Fi. It’s all just an internet pipe.”
But SGN must still be able to monitor end-point devices and provide stringent access control, says Ahddoud.
In the past, businesses would have deployed network access control (NAC) to enable people to log into the corporate network from outside.
In a blog post, Vidder says NAC adoption was driven by the emergence of enterprise Wi-Fi a decade ago. “NAC products combined Active Directory authentication with posture checking to determine whether employees should get access to the datacentre.”
NAC would have required SGN to invest in its network infrastructure, which Ahddoud says did not fit with the company’s cloud-first strategy.
Instead, it decided to look at implementing a software-defined perimeter, which essentially treats the network as untrusted and encrypts the connection. “We authenticate the users, who are then allowed to connect to the network,” says Ahddoud. “They are given restricted access to the applications they are allowed to use.”
For Ahddoud, accessing a traditional network perimeter is a bit like visiting a hotel. “You give the concierge your reservation number, then you can walk through the whole hotel,” he says. “Each of the rooms has a lock. In a software-defined perimeter, you only get access to your room and maybe access to the swimming pool and bar.”
The Vidder blog describes SDP as functioning as a gateway between the user and application resources. “The distributed design of SDP allows it to be deployed inside the enterprise and in public clouds,” it says. “SDP provisions connectivity in real time, thus ensuring access matches policy. And, most important, the SDP control channel can be combined with advanced malware detection software, tamper-proof RAM and micro-virtualisation technologies to ensure the endpoint is truly trusted.”
From SGN’s perspective, this means that as users connect, they can move around the network, but their identity determines the applications and data they can access. “Identifying the user is very much key to supporting a zero-trust model,” says Ahddoud.
SGN is planning a multi-phased roll-out, he says. “Phase one is about securing our perimeter, to provide connectivity on the network. The second phase is to provide role-based access control, where we map users using the Windows Active Directory.” This enables SGN to provide role-based access, but getting to phase two requires a number of changes at the company first, says Ahddoud.
For example, the process when employees join or leave the company must be tied into access control, he says. SGN’s HR processes will need to be updated, but Vidder is able to support SGN once it is ready. Ahddoud says: “One of the reasons we chose Vidder is that it can meet our capabilities going forward.”
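The access model described above (authenticate first, then authorise per application rather than per network; map directory groups to entitlements in phase two; tie the HR leaver process into access control) can be sketched as a small policy decision function. The following is an added example written for this article, not Vidder's or SGN's code: the group names, application names, posture checks and the offboarding helper are constructed for illustration, and the real product's policy language will differ.

```python
"""Added example: an SDP-style, deny-by-default policy decision point.

Models the behaviour described in the article: a user is authenticated,
device posture is checked by the endpoint agent, and access is then
granted per application from directory group membership. Unknown groups,
deactivated (leaver) accounts and non-compliant devices get nothing.
All names below are constructed, not taken from SGN or Vidder.
"""
from dataclasses import dataclass, field

# Constructed "phase two" mapping of Active Directory groups to applications.
ROLE_APPS = {
    "SGN-Field-Engineers": {"work-orders", "pipe-inspection-portal"},
    "SGN-Finance": {"erp", "expenses"},
    "SGN-All-Staff": {"email", "intranet"},
}

# Constructed posture requirements the endpoint agent must report as met.
REQUIRED_POSTURE = {"disk_encrypted": True, "agent_version_ok": True}


@dataclass
class Identity:
    """An authenticated user plus what the agent reported about the device."""
    user: str
    groups: set = field(default_factory=set)
    active: bool = True                         # False after the HR leaver process
    posture: dict = field(default_factory=dict)  # as reported by the device agent


def entitled_apps(identity: Identity) -> set:
    """Return the applications this identity may reach; an empty set means deny.

    Deny by default: a deactivated account grants nothing, a device failing any
    posture check grants nothing even for a valid account, and a group that is
    not in the mapping contributes nothing.
    """
    if not identity.active:
        return set()
    for check, expected in REQUIRED_POSTURE.items():
        # A missing key counts as a failed check, not as "unknown, allow".
        if identity.posture.get(check) != expected:
            return set()
    apps = set()
    for group in identity.groups:
        apps |= ROLE_APPS.get(group, set())
    return apps


def authorize(identity: Identity, app: str) -> bool:
    """Per-application decision evaluated at connection time, not once at login.

    This is the 'only your room, the pool and the bar' rule: being inside the
    perimeter never implies reaching an application the policy did not list.
    """
    return app in entitled_apps(identity)


def offboard(identity: Identity) -> Identity:
    """Hypothetical hook for the HR leaver process: revoke everything at once."""
    identity.active = False
    identity.groups = set()
    return identity


if __name__ == "__main__":
    good_posture = {"disk_encrypted": True, "agent_version_ok": True}
    alice = Identity("alice", {"SGN-Field-Engineers", "SGN-All-Staff"},
                     posture=good_posture)
    print(sorted(entitled_apps(alice)))   # apps from both groups, nothing more
    print(authorize(alice, "erp"))        # False: not in her groups
    offboard(alice)
    print(authorize(alice, "email"))      # False: leaver process ran
```

The point of evaluating `authorize` per application rather than once at login is that the network itself carries no trust: a connection that passed phase one (authenticated, compliant device) still reaches only what its directory groups entitle it to, and revoking the account in the directory or HR system closes every application at once.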
One of SGN’s goals is to try to reduce network footprint, he says, which means providing end-users with a fast and seamless login experience to access the corporate network. “User experience is a key criterion,” he adds. “We want to move as much security into the background as possible.”
In SGN’s setup, a software agent is used on the end-user’s device, which integrates with Okta’s cloud-based federated ID management.