A software-defined perimeter (SDP) is a security architecture that controls access to resources based on identity and forms a virtual boundary around networked resources. SDP follows a need-to-know model: the user's identity and the device's posture are verified before any access to application infrastructure is granted. In the cloud-delivered form discussed here, business policy determines who gets access to which resources. SDP solutions restrict resource access to authorized users through a multi-stage process, enforcing a zero-trust security model.

SDP is designed to make application infrastructure invisible to the Internet: protected services do not answer unauthenticated clients, so they cannot be discovered or targeted directly. This reduces exposure to network-based attacks such as DDoS, ransomware, malware delivery, and server scanning. SDP can enforce controls at the network, transport, session, presentation, and application layers and supports a variety of devices, including laptops, personal computers, mobile devices, and IoT devices. By limiting access to internal resources based on user identity, SDP dramatically reduces an organization's attack surface and exposure to cyber risk.

Where the Software-Defined Perimeter Started

For decades, the traditional security model sent all traffic to a corporate site with requisite security functionality. At the turn of the century, that model made sense because most employees worked at a corporate location, and cloud computing didn’t yet exist, so backhauling a small amount of internet traffic was tolerable.

A lot has changed. Seventy percent of people currently work remotely at least one day a week, while 92% of companies use public cloud services, with the average company accessing just under five different providers.

How SDP Works

SDP is a security framework designed to manage, secure, and control access to networked systems and environments. Here’s how it works:

  • Identity verification: Before granting access to application infrastructure, SDP verifies the identity of the user and the posture of the device seeking access. Only authorized users on acceptable devices reach a resource.
  • Virtual boundary: SDP forms a virtual boundary around networked resources, making the application infrastructure invisible to the Internet. This reduces exposure to network-based attacks such as DDoS, ransomware, malware, and server scanning.
  • Cloud-delivered: In the cloud-delivered model, the SDP controller and gateways run as a service, and business policy determines who can access which resources. This gives consistent access management across the organization.
  • Zero-trust security model: Access is denied by default. A user is connected to a specific application only after the identity, posture, and policy checks pass, and never to the network as a whole.
  • Multi-factor authentication (MFA): SDP often requires MFA, adding an extra layer of security. Users must prove their identity through more than one method, such as a password combined with biometric verification or a security token.

Through context-aware policies, SDP adjusts access rights based on contextual factors like user location, device health, and time of access. This dynamic policy adjustment helps mitigate risks associated with various access scenarios. SDP systems also continuously monitor and log access, allowing for real-time analysis and response to potential threats. This ensures ongoing evaluation of trust levels and immediate reaction to suspicious activities.

The Problem With Remote Access Today

Many users requiring remote access to corporate data centers connect via a VPN. This approach has several limitations. Once a user is authenticated, the VPN treats the device as trusted and typically places it on the network with far broader access than the user needs, so a single compromised credential or device can reach many internal systems. VPN concentrators are also Internet-facing services that must be kept patched, can be challenging to manage, and often result in a poor user experience.

VPN routing can be notoriously inefficient, especially with the rise of remote work and the increased use of personally owned devices for business purposes. These devices connecting to corporate IT assets via VPNs may be infected with malware or non-compliant with corporate security policies, posing a risk to the network.

Remote access VPNs typically terminate traffic without inspecting it, so organizations must deploy additional security controls behind each VPN server. Because it is impractical to place those controls at every possible source and destination, traffic is usually backhauled to the headquarters network for inspection, which degrades performance and increases latency.

For users who also need to reach the Internet, IT can either backhaul their traffic to a central site before handing it off to the Internet or hand it off directly from the remote location. The first approach increases cost and degrades the user experience; the second leaves the company highly exposed because that traffic bypasses central security controls. This makes an alternative to VPN access necessary.

SDP vs. VPN

Software-Defined Perimeter (SDP) and Virtual Private Network (VPN) are secure access approaches, but they have significant differences in access control, connectivity, network visibility, and automation.

  • Access control: A VPN places the device on the network, so the user can reach any host the network allows; an SDP grants access per application according to policy. Each SDP session is a separate encrypted connection between one user and one application, so an authenticated user cannot roam to other network assets, whereas VPN clients share the same network access. The SDP grant is issued only after a multi-stage identity, posture, and policy check, which is what enforces the zero-trust model.
  • Connectivity: SDP tools create secure connections between users and on-premises or cloud-based assets while hiding both from external view. VPNs are IP- and network-centric, connecting devices to networks; SDPs connect authorized users to authorized applications, not to the network.
  • Network visibility: With a VPN, IT sees tunnels and IP addresses but little about which user reached which application once inside. An SDP brokers every session, so each user-to-application connection is identified and logged, giving IT teams finer control without sacrificing security.
  • Automation: SDP policies are expressed in terms of identities and applications and can be created and updated programmatically, which scales in dynamic IT environments. VPN access is tied to network addresses and routes and is not as easily automated.

In summary, SDP provides a more secure and flexible approach to access control than a traditional VPN, especially in modern dynamic IT environments.

The Advantages of a Software-Defined Perimeter (SDP)

The logical alternative to the site-centric approach to network security is a holistic one in which remote users connect not to a site but to a global Network as a Service (NaaS) that provides continuously available secure connectivity. Architecturally, the most significant difference from the traditional approach is that NaaS builds on the broader shift to delivering all forms of IT functionality as a service.

The cloud-native NaaS approach recognizes that enterprises no longer have a well-defined perimeter, so the solution relies on a Software-Defined Perimeter (SDP). According to Gartner, a Software-Defined Perimeter architecture is defined as a logical set of disparate, network-connected participants within a secure computing enclave. This approach offers multiple advantages:

  • Improved security and data protection: SDP creates a virtual boundary around networked resources, regardless of location, and controls access based on identity. Resources are hidden from public discovery, and access is restricted via a trust broker to the specified participants of the enclave, which removes the assets from public visibility and reduces the attack surface. This mitigates both internal and external network attacks and reduces exposure to attack vectors such as denial-of-service, brute force, credential theft, and man-in-the-middle attacks.
  • Reduced attack surface: Because only brokered, authorized connections reach an application, SDP greatly reduces the attack surface, improves protection for cloud applications, gives system owners more centralized control, and provides visibility into every authorized connection. This lowers the risk from both external and internal threats.
  • Flexibility and consistency: SDP offers greater flexibility and consistency in access controls, policy management, and network protection. It simplifies policy management and integrates security at multiple layers, including the network, transport, session, presentation, and application layers.
  • Compatibility and cost reduction: SDP supports a wide range of devices, including laptops, PCs, mobile devices, and IoT devices. SDP also lowers the overall cost of ownership by reducing spending on endpoint prevention/detection and incident response while minimizing the complexity of integrating controls.

To fully leverage these benefits, effective implementation is key. The SDP-reliant NaaS solution must be based on a network with a sufficient number of Points of Presence (PoPs) so that every endpoint is within a few milliseconds of a PoP. To truly be holistic, the solution must support all types of endpoints, including remote users, branch offices, corporate facilities, and data centers, as well as public cloud data centers. It must also support all users, whether using a managed device or not, and capture complete logs from all devices. Those logs must be accessible and available for a range of analytics tools.

A Zero-Trust Security Model

Given the intensity and sophistication of current security attacks, organizations can no longer risk a security model that trusts authenticated users and grants them broad access. Instead, a zero-trust security model gives each user a unique, fixed identity and creates dynamic one-to-one connections between that user and only the resources they need. Access is denied by default unless explicitly granted, and the right to access is continuously re-verified.

Call to Action for a Software-Defined Perimeter

How people work and acquire IT services has changed significantly over the last ten to fifteen years. During that time, the sophistication, frequency, and intensity of security breaches increased dramatically. As a result, the old model of securing an enterprise’s perimeter is no longer valid.

IT organizations have no alternative—they must adopt a new security paradigm based on the principles of zero-trust security and a software-defined perimeter.

Leveraging SDP Solutions

An SDP provides an impressive alternative to traditional VPNs. It enables organizations to deploy and secure remote access for all users, helping to scale rapidly and economically while reducing the potential risk of attacks. When integrating an SDP system, organizations should consider the entire ecosystem that shapes their security posture.

  • Evaluate protocol support: Some SDP solutions may not support peer-to-peer (P2P) protocols, Voice over Internet Protocol (VoIP), Session Initiation Protocol (SIP), or Signaling System 7 (SS7). Evaluating the SDP solution’s protocol support is essential to ensure compatibility with the organization’s specific requirements.
  • Define access policies: With SDP, the goal is to provide fine-grained access based on user needs. Organizations should create a list of specific enterprise applications and services to offer selectively to each user group. This involves setting up identity-based, custom policies for groups and users and defining access to specific applications and services.
  • Implement SDP policies: After defining access policies, organizations need to implement these policies using the SDP administrative interface. This involves setting up the access policies planned in the previous steps to ensure that the SDP solution aligns with the organization’s security and access control requirements.
  • Consider network visibility: Because an SDP brokers every connection, it can show IT which user, on which device, reached which application and when. Evaluate how the solution exposes these logs and controls within the organization.
  • Evaluate automation and flexibility: SDP solutions can be automated and offer a more flexible approach than traditional VPNs. Organizations should evaluate the SDP solution’s automation capabilities and flexibility to ensure it aligns with their dynamic IT environment and security needs.

Lastly, seek SDP solutions that simplify device management, reduce administrative overhead, and reduce the need to manage traditional network security components such as firewalls and global load balancing. For more insight, consult Proofpoint.
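The policy definition and implementation steps above, together with the context-aware policies described under How SDP Works, as an added example that is not part of the original article or any vendor's policy language: the policy is plain data listing, per user group, the applications offered and the conditions (managed device, device health, allowed countries, time window in UTC) under which access is granted, and decide() evaluates a request against it with deny as the default. Group names, application names, field names and the sample requests are constructed for illustration.

```python
"""Context-aware access policy for an SDP broker, written as data so it can be
reviewed and automated. Added example with a hypothetical schema; it is not a
vendor's policy format. Decisions are deny by default and depend on the user's
groups, device health, location and time of access."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    group: str
    apps: frozenset
    require_managed: bool = True
    allowed_countries: frozenset = frozenset()   # empty means any country
    hours_utc: tuple = (0, 24)                   # [start, end) window


@dataclass
class Context:
    user: str
    groups: frozenset
    app: str
    device_managed: bool
    device_compliant: bool   # e.g. EDR running, disk encrypted, patched
    country: str
    hour_utc: int


# Step "define access policies": which apps each group may reach, under what conditions.
POLICY = [
    Rule("engineering", frozenset({"git", "ci"})),
    Rule("finance", frozenset({"erp"}), allowed_countries=frozenset({"US", "DE"}),
         hours_utc=(6, 20)),
    Rule("contractors", frozenset({"ticketing"}), require_managed=False),
]


def entitlements(groups, policy=POLICY):
    """Apps a set of groups may ever request: the per-group allowlist."""
    apps = set()
    for rule in policy:
        if rule.group in groups:
            apps |= rule.apps
    return apps


def decide(ctx, policy=POLICY):
    """Step "implement SDP policies": evaluate a request against the rules.
    Returns (decision, reason); the first rule whose conditions all hold allows."""
    reasons = []
    for rule in policy:
        if rule.group not in ctx.groups or ctx.app not in rule.apps:
            continue
        if not ctx.device_compliant:
            reasons.append("device not compliant")
        elif rule.require_managed and not ctx.device_managed:
            reasons.append(f"{rule.group}: managed device required")
        elif rule.allowed_countries and ctx.country not in rule.allowed_countries:
            reasons.append(f"{rule.group}: country {ctx.country} not allowed")
        elif not rule.hours_utc[0] <= ctx.hour_utc < rule.hours_utc[1]:
            reasons.append(f"{rule.group}: outside hours {rule.hours_utc}")
        else:
            return ("allow", f"{rule.group} -> {ctx.app}")
    return ("deny", "; ".join(reasons) or "no rule grants this app")


def run_checks():
    """Constructed requests covering each contextual condition."""
    base = dict(user="alice", groups=frozenset({"finance"}), app="erp",
                device_managed=True, device_compliant=True, country="US", hour_utc=10)
    cases = {
        "ok": Context(**base),
        "no_entitlement": Context(**{**base, "app": "git"}),
        "wrong_country": Context(**{**base, "country": "BR"}),
        "after_hours": Context(**{**base, "hour_utc": 23}),
        "byod": Context(**{**base, "device_managed": False}),
        "unhealthy": Context(**{**base, "device_compliant": False}),
        "contractor_byod": Context(user="carol", groups=frozenset({"contractors"}),
                                   app="ticketing", device_managed=False,
                                   device_compliant=True, country="IN", hour_utc=2),
    }
    return {name: decide(ctx)[0] for name, ctx in cases.items()}
```

entitlements() answers the planning question (which applications a group will ever see) and decide() the runtime one; keeping both on the same data means the list that was reviewed is the list that is enforced. Note the union semantics: any rule whose conditions hold allows, so a broad rule for one group a user belongs to overrides a narrow rule for another, which is worth checking when policies are reviewed.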
