While zero trust has become a well-known security framework over the last few years, many people don’t realize that it was based on the same principles as software-defined perimeter (SDP) technology. The concept of SDP was first developed by the Defense Information Systems Agency (DISA) as an outgrowth of the Global Information Grid project back in 2007. The Cloud Security Alliance (CSA) took interest in the concept and began developing the SDP framework in its early stages. In 2011, while SDP was still a new concept, Google became an early adopter with the development of its own SDP solution, known as Google BeyondCorp.
SDP is a security strategy for the cloud and mobile world. While traditional security is centralized in the data center, SDP is everywhere, delivered by the cloud, and uses business policy to determine who gets access to what resources. SDP distributes access to internal applications based on a user’s identity, with trust that adapts based on context. SDPs are 100% software-defined and built on a “need-to-know” model, with trust that is constantly monitored and adapted based on a range of criteria. SDP makes application infrastructure invisible to the internet, so it sidesteps network-based attacks (DDoS, ransomware, malware, server scanning, etc.) and reduces business risk.
The adoption of SDP technology has grown as organizations seek to modernize their application security with zero trust security.
Rather than securing the network, as traditional network-based security does, SDP focuses on securing the user, the application, and the connectivity in between. There are four core principles that differentiate SDP technologies:
From an architectural standpoint, SDP differs fundamentally from network-centric solutions. SDPs are 100% software-defined, eliminating the enterprise overhead of deploying and managing appliances. Adopting SDP also simplifies the inbound stack, as organizations no longer require VPN, DDoS protection, global load balancing, and firewall appliances. The Cloud Security Alliance (CSA) built out the initial SDP architecture diagram (below). As SDP has evolved, Gartner has developed a market guide for the technology, defining it as zero trust network access (ZTNA), and has highlighted the two key ZTNA architecture models in the Gartner ZTNA Market Guide.
While SDP has many use cases, most organizations choose to start in one of the following four areas:
Most organizations are looking to reduce or eliminate their VPN usage. Because VPNs are notoriously slow for users, introduce security risk, and are difficult to manage, Gartner predicts that, “By 2023, 60% of enterprises will phase out most of their remote access VPNs in favor of ZTNA [SDPs].”
Secure multi-cloud access
Multi-cloud, as the name suggests, is the use of multiple cloud computing services in a single environment. Many organizations use Workday and Office 365, as well as infrastructure services from AWS and Azure, and they may use a cloud platform for development, cloud storage, and more. So, securing these environments is a popular way for organizations to start on their SDP/ZTNA journeys, because SDP isn’t tied to any particular cloud or network—it secures every connection based on policy, no matter where users connect or where applications are hosted.
Reduced third-party risk
Most third-party users receive overprivileged access, which creates a security gap for the enterprise. SDPs significantly reduce third-party risk by ensuring that external users never gain access to the network and that only authorized users gain access to the applications they’re permitted to use. Users can’t even see applications to which they’re not permitted access.
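A toy version of the controller-side decision this article describes (the “need-to-know” model with context-adaptive trust from the overview, and third-party users who cannot even see applications they are not permitted to reach). It is an added example, not code from the article or from any SDP vendor; the application names, device-posture fields and policy rules are constructed for the demo.

```python
"""Toy SDP controller policy check (added example, not from the article or any vendor).

Models the article's "need-to-know" rule: access is denied by default, the
controller decides per user identity *and* per request context, and a user
is only told about the applications they are allowed to reach. Application
names, device-posture fields and policy rules are constructed for this demo.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Context:
    """Signals re-evaluated on every request (the trust that 'adapts')."""
    device_managed: bool      # enrolled in the organisation's device management
    disk_encrypted: bool
    country: str


@dataclass
class Rule:
    app: str
    groups: set               # identity groups allowed to reach the app
    require_managed: bool = False
    allowed_countries: set = field(default_factory=set)  # empty = any country


# Constructed policy: three internal apps plus one contractor-facing app.
POLICY = [
    Rule("payroll", {"finance"}, require_managed=True, allowed_countries={"US"}),
    Rule("wiki", {"employees", "contractors"}),
    Rule("git", {"engineering"}, require_managed=True),
    Rule("vendor-portal", {"contractors"}),
]


def permitted(rule, groups, ctx):
    """Default deny: every condition must hold for the app to be reachable."""
    if not (rule.groups & groups):
        return False
    if rule.require_managed and not (ctx.device_managed and ctx.disk_encrypted):
        return False
    if rule.allowed_countries and ctx.country not in rule.allowed_countries:
        return False
    return True


def visible_apps(groups, ctx):
    """What the controller advertises: only apps the user can actually reach."""
    return sorted(r.app for r in POLICY if permitted(r, set(groups), ctx))


def authorize(app, groups, ctx):
    """Per-connection decision; unknown apps are denied just like forbidden ones."""
    return any(r.app == app and permitted(r, set(groups), ctx) for r in POLICY)
```

Because `visible_apps` is derived from the same rules as `authorize`, a contractor on an unmanaged laptop is never shown `payroll` or `git`, and a finance user whose device posture or location changes loses `payroll` on the next evaluation rather than keeping a standing network foothold.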
Accelerated M&A integration
With traditional mergers and acquisitions, IT integration can span years as organizations must converge networks and deal with overlapping IPs—incredibly complex processes. SDP simplifies the process and slashes the time required to ensure a successful M&A and provides immediate value to the business.