What is a Software-Defined Perimeter (SDP)?
While zero trust has become a well-known security framework over the last few years, many people don't realize that it is built on the same principles as software-defined perimeter (SDP) technology. The SDP concept originated in work by the Defense Information Systems Agency (DISA) under the Global Information Grid project in 2007. The Cloud Security Alliance (CSA) took interest in the concept and began developing the SDP framework while it was still in its early stages. In 2011, when SDP was still new, Google became an early adopter by building its own SDP-style architecture, known as BeyondCorp.
SDP is a security strategy for the cloud and mobile world. Where traditional security is centralized in the data center, SDP is delivered from the cloud, follows the user everywhere, and uses business policy to decide who gets access to which resources. SDP grants access to individual internal applications based on the user's identity, with a level of trust that adapts to context (device posture, location, authentication strength and similar signals). SDPs are entirely software-defined and built on a "need-to-know" model: a user is shown and connected to only the applications they are authorized for, and that trust is continuously re-evaluated. Because the application infrastructure is never exposed to the internet, it cannot be scanned, flooded (DDoS) or directly exploited from outside, and malware or ransomware on a compromised device gains no network path over which to spread laterally. The net effect is a smaller attack surface and lower business risk.
The adoption of SDP technology has grown as organizations seek to modernize their application security with zero trust security.
How does SDP work?
Rather than securing the network, SDP secures the user, the application, and the connection between them. Four core principles differentiate SDP technologies:
- Trust is never implicit – Traditional network security extends trust to anyone who is on the network; in an SDP, trust must be earned. SDPs grant application access only to users who are authenticated and specifically authorized for that app, and those users are granted access to the application alone, never to the underlying network.
- No inbound connections – Unlike a virtual private network (VPN) concentrator, which listens for inbound connections, SDP-protected applications accept none. The client and the application-side connector both dial outbound to the SDP service, which brokers the session between them. Network and application infrastructure are therefore cloaked from the internet, so there is no listening port for an attacker to scan, flood, or exploit. (The brokering service itself is still reachable and must be hardened accordingly.)
- Application segmentation, not network segmentation – In the past, organizations performed complex network segmentation to limit a user's (or an infection's) ability to move laterally once on the network. That approach worked well enough, but it was never granular and required constant maintenance. SDP segments at the application layer natively, controlling access on a one-to-one user-to-application basis. The result is far more granular segmentation that is much easier for the IT team to operate.
- Leveraging the internet securely – With users everywhere and applications moving outside the data center, organizations need to shift away from a network-centric focus. Security must move to where the users are, which means treating the internet as the corporate network. SDP secures user-to-application connections over the internet rather than securing a user's access to a network.
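The four principles above can be made concrete with a small broker model. The following Python is an added illustration written for this page, not code from any SDP vendor, the CSA specification or BeyondCorp; the users, groups, applications, hosts and policy rules are all constructed for the example. It shows per-user, per-application grants (no network access), a catalog that hides apps the user is not entitled to (the "can't even see it" property discussed under third-party risk below), connectors that register by dialing out so the broker never connects inbound, app locations in different clouds that policy never needs to know about, and re-evaluation of live sessions when the device context changes.

```python
"""Minimal software-defined-perimeter broker (constructed example, not any vendor's code).

Models the four SDP principles from the text:
  1. trust is never implicit: every request is authenticated and checked against
     policy, and the decision is re-checked when context (device posture) changes;
  2. no inbound connections: apps never expose a listener; a connector beside each
     app dials OUT to the broker and is only paired with an authorized session;
  3. application segmentation: a grant is for one user and one app, never a network;
  4. internet as the corporate network: app location (AWS, Azure, on-prem) is irrelevant.
All users, apps, hosts and policy rules below are made up for illustration.
"""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset
    device_managed: bool      # posture attribute reported by the client agent
    mfa: bool                 # whether the user completed strong authentication


@dataclass
class App:
    name: str
    location: str             # where the connector lives; never revealed to the client
    internal_addr: str        # reachable only through the connector's outbound tunnel


@dataclass
class Rule:
    app: str
    group: str
    require_managed: bool = False
    require_mfa: bool = False


@dataclass
class Session:
    token: str
    user: str
    app: str
    active: bool = True


class Broker:
    def __init__(self, apps, rules):
        self.apps = {a.name: a for a in apps}
        self.rules = rules
        self.connectors = {}      # app name -> App whose connector dialed out to us
        self.sessions = {}        # token -> Session

    def connector_dial_out(self, app_name):
        """Connectors register by dialing out; the broker never connects inbound."""
        self.connectors[app_name] = self.apps[app_name]

    def _permitted(self, ident, app_name):
        """Explicit allow only: no matching rule means no access."""
        for r in self.rules:
            if r.app != app_name or r.group not in ident.groups:
                continue
            if r.require_managed and not ident.device_managed:
                continue
            if r.require_mfa and not ident.mfa:
                continue
            return True
        return False

    def visible_apps(self, ident):
        """Need-to-know catalog: apps the user cannot use are not listed at all."""
        return sorted(a for a in self.apps if self._permitted(ident, a))

    def request_access(self, ident, app_name):
        """Return a session token bound to ONE app, or None (same answer whether
        the app is absent or forbidden, so nothing can be enumerated)."""
        if app_name not in self.apps or not self._permitted(ident, app_name):
            return None
        if app_name not in self.connectors:
            return None           # no outbound connector yet, nothing to pair with
        s = Session(secrets.token_hex(8), ident.user, app_name)
        self.sessions[s.token] = s
        return s.token            # no IP, port or network route is handed out

    def reevaluate(self, ident):
        """Context changed (e.g. device no longer managed): re-check live sessions
        and return the names of apps whose sessions were dropped."""
        dropped = []
        for s in self.sessions.values():
            if s.user == ident.user and s.active and not self._permitted(ident, s.app):
                s.active = False
                dropped.append(s.app)
        return sorted(dropped)

    def relay(self, token):
        """Data-plane step: pair an active session with its connector's tunnel.
        The internal address is used only between broker and connector."""
        s = self.sessions.get(token)
        if not s or not s.active:
            return None
        return self.connectors[s.app].internal_addr


def build_demo_broker():
    """Constructed catalog: three apps in three locations, four policy rules."""
    apps = [App("payroll", "aws", "10.1.0.5:443"),
            App("wiki", "azure", "10.2.0.9:8443"),
            App("erp", "on-prem", "192.168.50.20:443")]
    rules = [Rule("wiki", "staff"),
             Rule("wiki", "contractors"),
             Rule("payroll", "finance", require_managed=True, require_mfa=True),
             Rule("erp", "staff", require_managed=True)]
    broker = Broker(apps, rules)
    for a in apps:
        broker.connector_dial_out(a.name)   # each connector dials out at startup
    return broker
```

A contractor on an unmanaged device sees only the wiki and gets the same "no" for payroll as for an app that does not exist; a finance employee on a managed device with MFA is brokered to payroll, but if the same user's device posture later drops to unmanaged, the payroll and ERP sessions are cut while the wiki session, which has no posture requirement, survives.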
From an architectural standpoint, SDP differs fundamentally from network-centric solutions. SDPs are entirely software-defined, eliminating the enterprise overhead of deploying and managing appliances. Adopting SDP also simplifies the inbound stack, since published applications no longer need their own VPN concentrators, DDoS protection, global load balancing, and inbound firewall appliances. The Cloud Security Alliance (CSA) built out the initial SDP architecture diagram (below), but as SDP has evolved, Gartner has developed a market guide for the technology, defining it as zero trust network access (ZTNA), and has highlighted the two key ZTNA architecture models in the Gartner ZTNA Market Guide.
While SDP has many use cases, most organizations choose to start in one of the following four areas:
VPN alternative
Most organizations are looking to reduce or eliminate their VPN usage. Because VPNs are notoriously slow for users, introduce security risk, and are difficult to manage, Gartner predicts that, "By 2023, 60% of enterprises will phase out most of their remote access VPNs in favor of ZTNA [SDPs]."
Secure multi-cloud access
Multi-cloud, as the name suggests, is the use of multiple cloud computing services in a single environment. Many organizations use SaaS applications such as Workday and Office 365 alongside infrastructure services from AWS and Azure, and they may also use a cloud platform for development, cloud storage, and more. Securing these environments is a popular way to start an SDP/ZTNA journey, because SDP isn't tied to any particular cloud or network: it secures every connection based on policy, no matter where users connect from or where applications are hosted.
Reduced third-party risk
Most third-party users receive overprivileged access which creates a security gap for the enterprise. SDPs significantly reduce third-party risk by ensuring external users never gain access to the network and that only authorized users gain access to applications they’re permitted to use. Users can’t even see applications to which they’re not permitted access.
Accelerated M&A integration
With traditional mergers and acquisitions, IT integration can span years because the organizations must converge their networks and resolve overlapping IP address ranges, an incredibly complex process. Because SDP brokers access to individual applications rather than joining networks, it sidesteps the network merge, slashes the time required for a successful M&A integration, and provides immediate value to the business.
- Securing Cloud Transformation with a Zero Trust Approach
- Gartner Market Guide for Zero Trust Network Access
- Why IT leaders should consider a zero trust network access (ZTNA) strategy
- The Network Architect’s Guide to Adopting a Zero Trust Network Access Service
- Blog: “ZTNA” technologies: What they are, why now, and how to choose one