Why a Software-Defined Perimeter

What is the Software-Defined Perimeter?

The Software-Defined Perimeter is a security architecture developed by members of the Cloud Security Alliance, and is designed to provide on-demand, dynamically provisioned secure network segmentation for user access. A Software-Defined Perimeter solution ensures that all endpoints attempting to access a given infrastructure are authenticated and authorized prior to being able to access any resources on the network. All unauthorized network resources are made inaccessible. This not only applies the principle of least privilege to the network, it also reduces the attack surface area by hiding network resources from unauthorized or unauthenticated users. A Software-Defined Perimeter overcomes the constraints of traditional tools by effectively creating a dynamic, individualized perimeter for each user – a network segment of one.

As shown in the diagram above, a Software-Defined Perimeter dynamically creates individualized network segments for each user, based on attributes such as their identity, device profile, location, and authentication method. Users obtain all the access they need to be productive, while access is automatically controlled by a simple set of policies, reducing the workload on security and network teams.

CSA at RSA 2017 - The Software-Defined Perimeter

Jason Garbis, VP of Product at Cryptzone, recently gave the keynote at the Cloud Security Alliance Summit discussing the Software-Defined Perimeter and why it’s important as the world has become more hybrid and diversified.

In this video, Garbis discusses some of the reasons why we need to move to a Software-Defined Perimeter:

  • IT is becoming hybrid and diversified
  • Hybrid IT spans platforms, tenancy, and locations
  • Embracing trends including identity-centric security
  • TCP/IP is a weak security foundation
  • The brilliance of a Software-Defined Perimeter

How SDP Works

A Software-Defined Perimeter (SDP) architecture is made up of three main components:

  • A Client, which runs on each user’s device
  • A Controller, to which users authenticate (via an optional connection to an Identity Management system), and which evaluates policies and issues tokens granting each user their individualized network entitlements
  • A set of Gateways, which broker access to protected resources

Users and their devices are validated with multi-factor authentication, and both user and device context are included in the Controller’s policy evaluation. Once a user obtains their entitlements from the Controller, all network traffic to the protected servers is encrypted and tunneled between the device and the corresponding SDP Gateway. Access to protected servers is transparent to the user; they simply connect as usual through clients such as a web browser or an SSH client. All access is logged for compliance and auditing purposes and, most importantly, is very carefully controlled: access policies determine which users can access which services on which servers.
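To make the Controller/Gateway split concrete, here is an added illustration (not Cryptzone’s or AppGate’s code) of the control flow described above: the Controller evaluates a small attribute-based policy set against the user and device context and issues a signed entitlement token, and a Gateway admits a connection only when a valid, unexpired token lists the target, logging every attempt. The policy format, the HMAC-signed token, the shared key, and the sample hosts are all constructed assumptions for the example.

```python
import hmac, hashlib, json, time

# Constructed policy set in an assumed format (not AppGate's own policy language).
# Each rule: attributes the user/device context must have -> entitlements "host:port".
POLICIES = [
    {"require": {"group": "engineering", "device_managed": True, "mfa": True},
     "grant": ["10.0.1.10:22", "10.0.1.20:443"]},
    {"require": {"group": "finance", "mfa": True},
     "grant": ["10.0.2.5:443"]},
]

def evaluate(ctx):
    """Sorted entitlements the policy set grants to this user/device context."""
    granted = set()
    for rule in POLICIES:
        # every required attribute must match; a missing attribute never matches
        if all(ctx.get(k) == v for k, v in rule["require"].items()):
            granted.update(rule["grant"])
    return sorted(granted)

class Controller:
    """Issues a signed entitlement token after policy evaluation (MFA assumed done upstream)."""
    def __init__(self, key, ttl=3600):
        self.key, self.ttl = key, ttl   # key shared with the Gateways (assumption)
    def issue_token(self, user, ctx, now=None):
        now = time.time() if now is None else now
        body = json.dumps({"sub": user, "ent": evaluate(ctx),
                           "exp": int(now + self.ttl)}, sort_keys=True).encode()
        return body, hmac.new(self.key, body, hashlib.sha256).hexdigest()

class Gateway:
    """Brokers access: admits a connection only if a valid, unexpired token lists the target."""
    def __init__(self, key):
        self.key, self.audit = key, []
    def authorize(self, body, sig, target, now=None):
        now = time.time() if now is None else now
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            sub, decision = "?", "deny:bad-signature"
        else:
            tok = json.loads(body)
            sub = tok["sub"]
            if tok["exp"] <= now:
                decision = "deny:expired"
            else:
                # a target absent from the entitlements is simply unreachable
                decision = "allow" if target in tok["ent"] else "deny:not-entitled"
        self.audit.append((sub, target, decision))   # every attempt is logged for audit
        return decision == "allow"
```

An unmanaged device in the engineering group receives an empty entitlement list, so every Gateway denies it; that is the "segment of one" collapsing to nothing when the device context fails policy.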

Growing Software-Defined Perimeter Adoption

The Software-Defined Perimeter model has gained considerable momentum across the security community, with increasing awareness and usage by enterprises worldwide. This usage is expected to grow dramatically – leading analyst firm Gartner recently stated that “through the end of 2017, at least 10% of enterprise organizations (up from less than 1% today) will leverage software-defined perimeter technology”. They go on to say that “by 2021, 60% of enterprises will phase out network VPNs for digital business communications in favor of software-defined perimeters, up from less than 1% in 2016” [1].

[1] “It’s Time to Isolate Your Services from the Internet Cesspool”, Gartner, Sept 30, 2016

Designed for Today’s Hybrid Environments

SDP is also designed with today’s dynamic, cloud-centric environments in mind. SDP Gateways can be deployed across a hybrid infrastructure, protecting both on-premises and cloud-based resources. And, Cryptzone’s SDP solution, AppGate, can automatically detect new cloud server instances and automatically adjust user access. This lets organizations achieve the agility promised by cloud and virtualized environments without sacrificing security or compliance.