UPDATED 14:32 EDT / JUNE 12 2017

Security firm Vidder can now foil attackers at the application level

Vidder Inc. has added endpoint trust assessment to its PrecisionAccess software-defined perimeter product, which provides access protection at the software application level.

The company’s approach is based upon the Software-Defined Perimeter initiative that is being developed by the Cloud Security Alliance. SDP is essentially an evolution of network access control, or NAC, that provides a finer-grained level of control over what a device can do once it passes the network perimeter.

With organizations opening up their networks to business partners, occasionally connected devices and cloud services, “you really can’t trust the network any more,” said Chief Executive Mark Hoover. “You need to take a different approach.” The company, which has raised over $20 million in funding, provides trusted and unified access control across internal networks, clouds and external users by continually ensuring that only trusted devices used by authenticated users can see and access enterprise applications.

When a user or device attempts to connect to the network, the company’s technology not only runs authorization checks on the user but also assesses software on the device to look for evidence of compromise. Its unique twist is a set of attack profiles the company created to identify signs that a connected device has been compromised. It can block such devices from attaching to the network until security administrators have examined them.

“We look at where that endpoint has been, such as a site that distributes malware,” Hoover said. “Every attack leaves a little signature.” Vidder has written about 500 attack profiles that cover various indications of compromise.

A matter of trust

PrecisionAccess already protected servers from unauthorized users, unregistered devices and attackers with stolen credentials. With the addition of trust assessment, the software can now allow only trusted clients to access enterprise applications while preventing access by compromised devices. Applications can be either internal or cloud-based.

For example, a compromised device may be permitted access to case studies from the marketing library but blocked from accessing financial applications. The agent technology that detects the status of connected devices is based upon osquery, an open-source endpoint query tool developed by Facebook Inc.

Traditional NACs mainly block or permit access to the network but don’t regulate what the user can do beyond permissions. “We’ve taken the approach that the battleground is the path to the server,” Hoover said. “Who cares if you get packets on the network if they can’t reach the resource they want?”

“From a business value perspective, this allows organizations to create perimeters around devices throughout the network without deploying new equipment because SDP creates a perimeter using software and a gateway only at sensitive servers or networks,” said Lawrence Pingree, research vice president for technology and service providers in the security technologies practice at Gartner Inc.

SDP shows promise as an eventual replacement for NAC, but the technology is still immature, Pingree said. “Competitors in SDP need to further augment their solutions to perform better device discovery, compliance assessment and configuration monitoring and orchestration with other security controls in order to compete better with today’s network access control solutions,” he said. NAC was a hot technology about a decade ago but has lost some of its luster because of complexity issues and the need to manage a greater variety of devices.
