Jamf Blog
March 2, 2020 by Robin Gray

What is a Software-Defined Perimeter (SDP) and its importance for ZTNA

As companies continue to incorporate cloud services into their IT workflows, it has become clear that legacy perimeter security services are no longer fit for purpose in a mobile, cloud-centric world.

Companies have been adopting cloud technologies at a ferocious pace, with Gartner predicting the worldwide public cloud market to grow by 17% to $266 billion in 2020.

VPNs have traditionally provided secure remote access, but they are notoriously unreliable, offer a poor user experience, grant overly broad network-level access rather than access to specific applications, and are awkward to configure. They are also easily bypassed: end users can connect to SaaS directly rather than through the VPN. For instance, an employee can download a file-sharing application onto their device and simply log in to their corporate account, with that connection never passing through any corporate control point where it could be managed or monitored.

A Software Defined Perimeter (SDP) is how modern businesses manage their access policies while minimizing risk and overall security exposure.

What is a Software Defined Perimeter?

SDP is a security approach that enables Zero Trust Network Access (ZTNA), applying the same protection whether a service is located on-premises or in the cloud.

With SDP, connectivity follows a need-to-know model: every service is 'default deny'. End users and their devices must be authenticated and authorized before a connection is established, and that decision weighs device posture alongside identity. Adaptive access is an important component of ZTNA: context-aware access control balances the level of trust placed in a request against the risk it carries.

Once those checks pass, a dynamic one-to-one connection is brokered between the device and the single application it is entitled to. In keeping with least-privileged access, every other corporate service is invisible to that user, so it cannot be discovered, let alone attacked, from that session. Micro-segmentation reinforces this by creating separate secure zones within data centers and cloud deployments so that workloads are isolated from one another instead of sharing one flat network.

What are the benefits of SDP?

Many companies have adopted Identity and Access Management (IAM) solutions as a step towards ZTNA. Identity is an important part of ZTNA, but on its own it ignores the wider context of an access request, such as the health of the device or the security of the network it is connecting from. Gartner sees device health as an important part of a zero-trust SDP solution. Presenting the correct credentials by no means proves that someone is who they claim to be, nor that their device has not been compromised by a malicious third party. Adaptive access is needed to take the contextual factors of each request into account.

For example:

  • Does the device have malware installed?
  • Is the user attempting to connect from a reasonable location?
  • Are there any vulnerabilities on the device or in its apps?
  • Is the connection secure, or is it vulnerable to a Man-in-the-Middle attack?

All of these factors are used to calculate a risk score, helping organizations move away from overly simplified binary rules of authentication.

Because SDP authenticates users before any connection is made, corporate services are invisible to prying eyes. Even after authentication, only the services sanctioned for that user can be seen. This mitigates attacks that depend on reaching the service in the first place (denial of service, port and server scanning, and application attacks such as SQL injection against an exposed login page) and also limits the damage an insider can do. A disgruntled employee from HR couldn't just log onto the CRM and download contacts; they wouldn't even be able to reach the login page.

Policy can be applied on a per-user basis rather than through 'broad-brush rules' based on user groups, which matters most for third-party access. With SDP, access controls can be applied to any user, in any location, for any application or service, whether on-premises or in the cloud, giving administrators far more control. Third-party access needs clearly defined permissions, levels of access, and start and end dates; with traditional tooling, establishing these is cumbersome enough that access is either delayed or granted with security steps skipped. Expressing those constraints directly as per-user policy removes that trade-off.
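The mechanics described above (default deny, identity plus device posture, a risk score built from the four contextual questions, one-to-one connections to sanctioned services only, per-user entitlements with start and end dates for third parties) can be shown as a small policy engine. The following is an added example written for this page, not Jamf's code or any real SDP controller; the application names, user identities, risk weights, thresholds and location data are all constructed assumptions.

```python
"""Toy adaptive-access policy engine for an SDP controller (added example).
All names, weights and thresholds below are assumptions for illustration."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Constructed service catalogue and per-user entitlements (assumptions).
# Policy is per user, not per group, and a third party gets an expiry date.
APPLICATIONS = {"crm", "hr-portal", "git", "wiki"}

@dataclass
class Entitlement:
    app: str
    not_before: datetime
    not_after: Optional[datetime] = None      # None means no expiry

ENTITLEMENTS = {
    "alice@example.com": [
        Entitlement("hr-portal", datetime(2020, 1, 1, tzinfo=timezone.utc)),
    ],
    "contractor@partner.example": [
        Entitlement("git", datetime(2020, 3, 1, tzinfo=timezone.utc),
                    datetime(2020, 3, 31, tzinfo=timezone.utc)),
    ],
}

@dataclass
class Context:
    """Signals gathered from the device agent and the connection before any
    application connection is brokered (constructed fields)."""
    malware_detected: bool
    device_vulns: int            # unpatched vulnerabilities reported by the agent
    tls_verified: bool           # False: certificate validation failed (possible MITM)
    location: tuple              # (lat, lon) of this request
    last_location: tuple         # (lat, lon) of the previous successful request
    hours_since_last: float      # time between the two requests

LONDON = (51.51, -0.13)
SYDNEY = (-33.87, 151.21)
NOW = datetime(2020, 3, 15, tzinfo=timezone.utc)      # constructed "current time"
CLEAN = Context(False, 0, True, LONDON, LONDON, 24.0)  # healthy, stationary device

def haversine_km(a: tuple, b: tuple) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def risk_score(ctx: Context) -> int:
    """Turn the contextual questions from the text into one number.
    Weights are illustrative assumptions, not a vendor's scoring model."""
    score = 0
    if ctx.malware_detected:
        score += 100                         # compromised endpoint: never allow
    score += min(10 * ctx.device_vulns, 40)  # unpatched device or apps
    if not ctx.tls_verified:
        score += 50                          # possible man-in-the-middle on the path
    if ctx.hours_since_last > 0:
        speed = haversine_km(ctx.last_location, ctx.location) / ctx.hours_since_last
        if speed > 900:                      # faster than an airliner: implausible location
            score += 40
    return score

def visible_services(user: str, now: datetime) -> list:
    """Only sanctioned, currently valid entitlements are ever listed; every
    other entry in APPLICATIONS does not exist from this user's point of view."""
    return sorted(
        e.app for e in ENTITLEMENTS.get(user, [])
        if e.app in APPLICATIONS
        and e.not_before <= now
        and (e.not_after is None or now <= e.not_after))

def authorize(user: str, app: str, ctx: Context, now: datetime) -> str:
    """Default deny. Returns 'allow', 'step_up' (extra authentication) or 'deny'."""
    if app not in visible_services(user, now):
        return "deny"                        # same answer for unknown and unsanctioned apps
    score = risk_score(ctx)
    if score >= 70:
        return "deny"
    if score >= 30:
        return "step_up"
    return "allow"

def demo() -> dict:
    """Decisions for a handful of constructed requests."""
    mitm = Context(False, 0, False, LONDON, LONDON, 24.0)
    travel = Context(False, 0, True, SYDNEY, LONDON, 2.0)   # London to Sydney in 2 h
    april = datetime(2020, 4, 1, tzinfo=timezone.utc)
    return {
        "hr_user_own_app": authorize("alice@example.com", "hr-portal", CLEAN, NOW),
        "hr_user_crm": authorize("alice@example.com", "crm", CLEAN, NOW),
        "contractor_in_window": authorize("contractor@partner.example", "git", CLEAN, NOW),
        "contractor_expired": authorize("contractor@partner.example", "git", CLEAN, april),
        "contractor_mitm": authorize("contractor@partner.example", "git", mitm, NOW),
        "contractor_travel": authorize("contractor@partner.example", "git", travel, NOW),
    }

if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request:22s} {decision}")
```

Two design choices carry the security point. `authorize` answers "deny" identically for an application the user is not entitled to and for one that does not exist, so a caller cannot enumerate the catalogue; the HR user asking for the CRM gets the same response as a request for a made-up name. And the contractor's entitlement carries an end date, so the same call that succeeds in mid-March is denied on 1 April with no administrator action, which is the per-user, time-bound policy the text contrasts with group-based rules.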

SDP accommodates the challenges of migrating to cloud technologies and of supporting a mobile workforce by delivering security where the end user is, rather than backhauling traffic to the corporate data center. It helps businesses achieve ZTNA by enforcing least-privileged access and hiding corporate services from unsanctioned users, so administrators control precisely who accesses what. For SDP to be effective, rather than just another technological nuisance for end users, it needs a global network that delivers high-speed, low-latency connections, enforces policy regardless of where a user is, and grants access on adaptive access principles.

Still relying on yesterday's VPN to handle today's security threats?

Check out a product tour of Jamf's security offerings to learn about the latest security tools and how they help you best protect your data against modern-day security threats and attacks.

Robin Gray
Jamf