SDP, or software-defined perimeter, is a security approach that grants access to resources based on the identity of the user and device rather than on network location. It lets different users (suppliers, business partners, employees, contractors, etc.) securely reach applications and services from various locations and devices, while the applications themselves are hosted by SaaS providers, in public clouds or in on-premises data centres.
The approach originates in the US Defense Information Systems Agency need-to-know model, which requires every user trying to reach the infrastructure to be authenticated and authorised before access is granted. An SDP deployment can create a "black cloud": the protected systems sit inside the perimeter and are invisible to anyone who has not yet authenticated, so they cannot be discovered or scanned. Beyond secure access and a smaller attack surface, SDP gives vendors a cleaner structure and can be deployed on any host without reconfiguring the network or locking the organisation into a particular device.
SDP reduces the chance of a successful attack by protecting IT assets regardless of where they are hosted. It acts as a broker between internal applications and users, who gain access to a service only once the authentication and authorisation criteria are met. SDP returns only the information a device or user has requested and never exposes the IP addresses, DNS records or internal port information of the protected hosts.
SDP is effective at reducing exposure to network threats, including DoS, brute-force and MitM attacks, lateral movement, and the exploitation of server vulnerabilities: a server that an attacker cannot see or reach is much harder to attack.
In addition, SDP has a number of other benefits, including:
– Support for various devices (it authenticates mobile phones, PCs, laptops and IoT devices)
– Broad network-access restriction (devices can reach only the hosts and services they are permitted to)
– Broader risk-based policy support (SDPs can grant or deny access based on risk criteria, not on identity alone)
– Greater connectivity (it connects the user only to the required IT resources, avoiding unnecessary management overhead and the cost of additional hardware)
– Control over access, applications and services (SDP controls which devices and applications can reach particular services)
– Application isolation (SDP isolates data and critical application infrastructure from unauthorised users)
– Hybrid and private cloud security (SDP lets organisations hide hybrid environments that span public and private clouds).
SDP architecture works by building a secure perimeter out of policies that isolate services from untrusted networks. It applies the principle of least privilege: a user or device is granted only the access needed to perform the task at hand. Because the protected network is dark by default (it does not answer unauthenticated traffic), devices and users are authenticated first, and only then does the authorisation step decide which isolated services they may reach. Unauthorised users or devices never obtain a connection to the resources at all. Once authentication succeeds, the user or device receives a single, temporary connection to the requested resource. In this way SDP standardises authentication and application security across the organisation.
SDP architecture comprises two key elements:
– SDP controllers (they decide which hosts can interact with each other)
– SDP hosts (an initiating host connects to another host only as determined by the SDP controller; an accepting host accepts connections only from hosts the controller has allowed). SDPs often place a gateway in front of the protected services that performs the accepting-host function on their behalf.
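The flow described above (authenticate the initiating host, authorise it against policy, then open one temporary connection to the accepting host) as a runnable sketch. This is an added example, not code from this page or from any SDP vendor; it models the single-packet authorization (SPA) knock that the Cloud Security Alliance SDP specification uses to keep accepting hosts dark, but the packet layout, the numeric device-risk scores, the identifiers and the in-memory rule table standing in for a firewall are all assumptions.

```python
"""Toy software-defined perimeter: an initiating host sends a single-packet
authorization (SPA) knock, the controller authenticates it and applies
identity- and risk-based policy, and the gateway (accepting host) opens a
per-source, per-service rule only after that approval. Constructed example;
packet layout, policy model, key handling and names are assumptions."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional, Set, Tuple

# Assumed SPA wire format (big-endian, fixed width):
#   device_id[16] | user[16] | timestamp[8] | nonce[16] | hmac_sha256[32]
SPA_FMT = ">16s16sQ16s32s"
SPA_LEN = struct.calcsize(SPA_FMT)   # 88 bytes
MAX_SKEW = 30                        # seconds of clock drift tolerated
SESSION_TTL = 300                    # seconds a granted connection stays open


def build_spa(key: bytes, device_id: str, user: str, now: float,
              nonce: Optional[bytes] = None) -> bytes:
    """Initiating host: build one authenticated knock packet."""
    dev_b, user_b = device_id.encode(), user.encode()
    if len(dev_b) > 16 or len(user_b) > 16:
        raise ValueError("device_id and user must fit in 16 bytes")
    nonce = nonce or secrets.token_bytes(16)
    body = struct.pack(">16s16sQ16s", dev_b, user_b, int(now), nonce)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Controller:
    """Decides which hosts may talk to which services."""

    def __init__(self, device_keys: Dict[str, bytes], policy: Dict[str, Dict[str, int]]):
        self.device_keys = device_keys      # device_id -> shared SPA key
        self.policy = policy                # user -> {service: max tolerated device risk}
        self.seen_nonces: Set[Tuple[str, bytes]] = set()   # replay cache

    def verify_spa(self, packet: bytes, now: float) -> Optional[Tuple[str, str]]:
        """Return (device_id, user) for a valid knock, else None.
        Every failure path is silent: an unauthenticated sender learns nothing."""
        if len(packet) != SPA_LEN:
            return None
        dev_b, user_b, ts, nonce, tag = struct.unpack(SPA_FMT, packet)
        device_id = dev_b.rstrip(b"\0").decode(errors="replace")
        key = self.device_keys.get(device_id)
        if key is None:
            return None
        expected = hmac.new(key, packet[:-32], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):     # constant-time compare
            return None
        if abs(now - ts) > MAX_SKEW:                    # stale or future-dated
            return None
        if (device_id, nonce) in self.seen_nonces:     # replayed knock
            return None
        self.seen_nonces.add((device_id, nonce))       # production: expire entries after MAX_SKEW
        return device_id, user_b.rstrip(b"\0").decode(errors="replace")

    def authorize(self, user: str, device_risk: int) -> Set[str]:
        """Least privilege plus risk: grant a service only if this device's
        risk score is within what the user's policy tolerates for it."""
        return {svc for svc, max_risk in self.policy.get(user, {}).items()
                if device_risk <= max_risk}


class Gateway:
    """Accepting host / gateway: default-deny, no reply to anything unapproved."""

    def __init__(self, controller: Controller, device_risk: Dict[str, int]):
        self.controller = controller
        self.device_risk = device_risk      # device_id -> posture score (0 = managed, clean)
        self.rules: Dict[Tuple[str, str], float] = {}   # (src_ip, service) -> expiry

    def handle_spa(self, src_ip: str, packet: bytes, now: float) -> Set[str]:
        """Consult the controller and open temporary rules for granted services."""
        result = self.controller.verify_spa(packet, now)
        if result is None:
            return set()                    # dropped silently: nothing to scan or brute-force
        device_id, user = result
        risk = self.device_risk.get(device_id, 99)      # unknown posture = highest risk
        granted = self.controller.authorize(user, risk)
        for svc in granted:
            self.rules[(src_ip, svc)] = now + SESSION_TTL
        return granted

    def allows(self, src_ip: str, service: str, now: float) -> bool:
        """Would a connection from src_ip to service be accepted right now?"""
        expiry = self.rules.get((src_ip, service))
        return expiry is not None and now < expiry


def demo() -> Tuple[Set[str], Set[str], Set[str]]:
    """Three knocks: a genuine one, a replay of it, and a forged one."""
    keys = {"laptop-01": secrets.token_bytes(32)}
    ctl = Controller(keys, {"alice": {"crm": 2, "hr-db": 0}})
    gw = Gateway(ctl, device_risk={"laptop-01": 0})
    now = time.time()
    pkt = build_spa(keys["laptop-01"], "laptop-01", "alice", now)
    genuine = gw.handle_spa("10.0.0.5", pkt, now)   # {'crm', 'hr-db'}
    replay = gw.handle_spa("10.0.0.6", pkt, now)    # set(): same nonce seen already
    forged = gw.handle_spa("10.0.0.9", build_spa(b"wrong-key", "laptop-01", "alice", now), now)  # set()
    return genuine, replay, forged


if __name__ == "__main__":
    print(demo())
```

Two points of the design matter for the "black cloud" property: the gateway never answers a knock it cannot verify, so a port scanner or brute-forcer sees a closed host rather than an error, and the timestamp plus nonce mean a captured knock cannot be replayed from another address. A real gateway would program firewall rules (e.g. nftables) with the same expiry instead of filling a dictionary, and the controller would hand the accepting host a per-session credential rather than a bare allow-list.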
The most common SDP deployment models include:
– Client-to-gateway (well suited to companies using cloud-based apps or wanting to protect on-premises legacy applications)
– Client-to-server (suits companies whose apps are cloud-hosted)
– Server-to-server deployment (works well for companies with cloud-based IoT or virtual machine environments)
– Client-to-server-to-client deployment (great for companies using IP telephony, chats and video conferencing apps)
– Client-to-gateway-to-client deployment (works well for companies using IP telephony, chats and video conferencing apps as well as P2P).
– Gateway-to-gateway deployment (good for networked and IoT devices like scanners, printers and smart sensors).
SDP is often compared to VPN, but SDP goes beyond VPN in scalability, control, granularity of access and security: a VPN typically places the connected client on the network, whereas SDP brokers a single temporary connection to one authorised service at a time.
SDP supports the zero-trust concept: users and devices are authenticated and authorised regardless of their location, and no network position is trusted on its own. Combined with a broader zero-trust programme, SDP is one of the most effective ways to secure the network and its resources.
Commercial products commonly associated with SDP and zero-trust access include Perimeter 81, NetMotion, Zscaler Internet Access, Connect Secure, FortiGate SD-WAN, Twingate, Cisco DNA Center, Instasafe ZTAA and Azure ExpressRoute.
If you’re interested in developing SDP software with Magnise, or have any other questions, don’t hesitate to get in touch with our team.