Three reasons why SDP is replacing the VPN
For nearly three decades, the world of secure remote access has been dominated by the remote access VPN. But, with applications migrating to cloud and the number of remote users growing exponentially, the VPN has lost its footing. The VPN simply wasn’t built for the security, scalability or visibility needs of today. A new, more nimble and secure approach—led initially by Google BeyondCorp—has entered the arena, threatening the reign of the VPN.
The software-defined perimeter (SDP), also referred to as software-defined access, is a term coined by Gartner. It’s quickly becoming the choice of enterprises looking to switch from legacy solutions and decouple network access from private applications, like SAP or Oracle, running in hybrid and multi-cloud environments. To understand why SDP solutions continue increasing in popularity—and why companies like Google, National Oilwell Varco, Perdue Farms, and MAN Energy Solutions have already adopted software-defined solutions as a replacement for their remote access VPNs—let’s explore what makes SDP so different from the traditional VPN.
1. User experience
With the IT world moving to cloud, users have been conditioned to expect a cloud-like connectivity experience when accessing internal apps. Remote access VPNs are inconvenient to use, requiring users to log in and out repeatedly, and they’re slow. User traffic is backhauled to data centers that are often hundreds of miles away—or more—creating latency and increased user frustration.
SDPs were built for the age of cloud for an enhanced user experience. Whether your users are in the office, at Starbucks, or flying cross-country, their access to your private apps is always simple and secure, and they’re empowered to access apps from the device or location of their choosing. Users no longer have to deal with the constant disruption of entering their VPN credentials or having to think about whether the app is located in the data center or the cloud. And with SDP solutions, users are no longer bogged down with latency—faster connections mean happier users.
2. Security
SDPs allow organizations to shift away from a network-centric approach to security and move to a user- and app-centric security strategy. By decoupling application access from network access, users are no longer placed on the network (no firewall policies or ACLs to maintain!). The internet can become the new secure network via encrypted tunnels that keep private apps private—without a VPN.
Some SDPs can actually make private applications invisible by using inside-out connections, so application IPs are never exposed to the internet—and there’s no VPN concentrator sitting at the edge of your network listening for inbound connection attempts. Since SDPs use a micro-segmentation strategy, not network segmentation, they create a secure segment of one between an authorized user and a named application, minus the overhead of managing network segments.
A good way to think of this is that VPNs are like a castle-and-moat approach to network security, creating a (not so) tough perimeter on the outside but leaving the interior vulnerable to anyone within the castle. That makes it difficult to minimize security risk. SDPs create a secure, isolated environment around each private application, and provide least-privilege access only to specific authorized users.
3. Visibility and control
With the increase in mobility, IT requires a higher level of visibility and control over networks, applications, and users. Security teams need to have the ability to easily monitor, identify, and diagnose any security threats that are aimed at the enterprise.
With a VPN, information accessible to security teams is limited to a device’s IP address, port data, and protocols. So you can see who has logged in and from what IP address, but you don’t have visibility into what the user was actually doing while on the network.
SDP solutions empower administrators with comprehensive information about all activity between users and apps. Not only is each transaction tracked in real time, but beyond just listing the IP and port data, SDPs capture data around the user identity, named application, latency, locations, and more. So, it’s easy for admins to consume and analyze the information. The data can then be automatically streamed to a SIEM provider in real time.
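The two ideas in sections 2 and 3, the "segment of one" between an identity and a named application and the richer per-transaction record that comes with it, are easier to see side by side in code. The toy policy engine below is an added example and is not code from the Zscaler post or from any SDP product: it evaluates a VPN-style rule set keyed on source subnets and ports next to an SDP-style rule set keyed on user and named app, and emits the kind of log record each model can produce. Every user, address, application name and entitlement in it is constructed sample data.

```python
"""
Added example, not code from the Zscaler post: a toy policy engine that
contrasts a VPN-style network-centric rule set (source-subnet/port ACLs)
with an SDP-style identity- and application-centric rule set. Every user,
application, address and log record here is constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional
import json
import time

# ---------------------------------------------------------------- VPN model
# Once a client is on the VPN address pool it is "on the network"; what it can
# reach is decided by firewall ACLs keyed on addresses and ports, not identity.
VPN_ACLS = [
    ("10.8.0.0/16", "10.1.1.10", 443),   # constructed: VPN pool -> SAP web tier
    ("10.8.0.0/16", "10.1.1.20", 1521),  # constructed: VPN pool -> Oracle listener
]

def vpn_allows(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Network-centric check: any source inside an allowed subnet passes."""
    src = ip_address(src_ip)
    return any(
        src in ip_network(net) and dst_ip == host and dst_port == port
        for net, host, port in VPN_ACLS
    )

def vpn_log_record(src_ip: str, dst_ip: str, dst_port: int) -> Dict:
    """What a VPN flow log typically carries: addresses, port, protocol, verdict."""
    return {
        "src_ip": src_ip,
        "dst_ip": dst_ip,
        "dst_port": dst_port,
        "proto": "tcp",
        "allowed": vpn_allows(src_ip, dst_ip, dst_port),
    }

# ---------------------------------------------------------------- SDP model
@dataclass(frozen=True)
class App:
    name: str
    host: str
    port: int

# Named applications the broker knows about (constructed). Clients never get a
# route to these hosts; the broker stitches them to exactly one App.
APPS = {
    "sap": App("sap", "10.1.1.10", 443),
    "oracle": App("oracle", "10.1.1.20", 1521),
}

# Entitlements are user -> named apps. There is no "on the network" state.
SDP_ENTITLEMENTS = {
    "alice@example.com": {"sap"},
    "bob@example.com": {"sap", "oracle"},
}

def sdp_authorize(user: str, app_name: str) -> Optional[App]:
    """Identity- and app-centric check: a 'segment of one' between this user
    and this named app, or nothing. Unknown users or apps simply get None."""
    if app_name in SDP_ENTITLEMENTS.get(user, set()) and app_name in APPS:
        return APPS[app_name]
    return None

def sdp_log_record(user: str, app_name: str, location: str, started: float) -> Dict:
    """Per-transaction record of the kind an SDP broker can stream to a SIEM:
    who, which named app, from where, how long brokering took, and the verdict."""
    app = sdp_authorize(user, app_name)
    return {
        "user": user,
        "app": app_name,
        "backend": f"{app.host}:{app.port}" if app else None,
        "location": location,
        "latency_ms": round((time.monotonic() - started) * 1000, 2),
        "allowed": app is not None,
    }

def demo() -> List[Dict]:
    """Side by side: two clients / two people trying to reach Oracle."""
    records = []
    # VPN: both clients sit in the pool, so the ACL cannot tell them apart.
    for src in ("10.8.0.5", "10.8.0.55"):  # constructed pool addresses
        records.append(vpn_log_record(src, "10.1.1.20", 1521))
    # SDP: the verdict follows the identity and the named app, not the address.
    for user in ("alice@example.com", "bob@example.com"):
        records.append(sdp_log_record(user, "oracle", "Seattle, US", time.monotonic()))
    return records

if __name__ == "__main__":
    for rec in demo():
        print(json.dumps(rec))
```

Running `demo()` prints four records. The two VPN records are both allowed, because the ACL only knows that a source sits inside the VPN pool; it has no notion of who is behind the address, and its log carries nothing a SIEM could pivot on beyond IP and port. The two SDP records differ: Alice is denied Oracle and Bob is allowed, and each record names the user, the application, the location and the brokering latency, which is the visibility gap section 3 describes.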
Some SDPs can also discover previously unknown private applications running in the environment, display them in the GUI, and allow security teams to enforce granular controls.
So what do you think? VPN or SDP?
It’s one thing to read about the benefits of the software-defined perimeter, but quite another to witness it in action. Watch this video and see for yourself how the legacy VPN fares against the SDP solution from Zscaler. Don’t forget to share it with your network and security teams :)