CDN Security
03 Aug 2020

SDP, VPN, or Hybrid. Securing the New Perimeter

SDP, VPN, or Hybrid are three models organizations can leverage to strengthen their cybersecurity. As securing the perimeter of your network is a fundamental requirement for any organization, enterprises need to ensure they adopt the best possible approach. Not only do you have to ensure you protect your systems from unauthorized access, but you also need to provide users with the ability to work from anywhere, at any time.

Although remote work is increasing, it is not a new requirement. Businesses have always required the capability to provide their employees with some form of remote access. Administrators attending to systems maintenance after hours and salespeople accessing company data on the road are just two examples. However, as the world embraces cloud-first mobile computing, users, devices, and workloads no longer reside behind the traditional corporate perimeter. Users access data and services from on-prem, as well as cloud-based services, and organizations need a solution that meets the demands of this new way of working.

The Benefits of a Current Generation Virtual Private Network (VPN)

A Virtual Private Network (VPN) has been a decades-old standard for remote access. By creating an encrypted tunnel connecting authorized external users to your internal network, it adds a needed level of protection. Over and above using these platforms for remote access, organizations can also leverage a VPN solution to secure the network connecting their various locations for a low cost. They can also use it to control access to apps, data, and services they host in the cloud. In addition to these benefits, modern solutions also provide organizations with the capability to control access based on user profile while delivering enhanced visibility and monitoring. 

The Drawbacks of a Current Generation VPN in a Cloud-First World

VPN technologies have been around for just over two decades, dating from the publication of the Point-to-Point Tunneling Protocol (PPTP) specification in 1999. Since then, there have been several waves of change that have altered the technology industry. In the last decade, we have seen a monumental shift to cloud computing and the rise of mobile devices at home and in the workplace. Although the VPN still has a role to play in the modern information age, organizations need an alternative remote access solution to cater to the needs of a cloud-first, mobile world. With the rise of Edge Computing, this need is now more relevant than ever.

The Benefits of a Software-Defined Perimeter (SDP)

A Software-Defined Perimeter (SDP) takes a Zero-Trust approach to cybersecurity. It provides a uniform user experience, whether users access resources on-premises or from beyond the corporate network perimeter. The benefit of this approach is that users do not need to establish connections manually as they would with a standard VPN. Because an SDP is built on Zero Trust, it provides a resilient, robust, next-generation strategy that aligns with current and emerging threat models.

What is Zero Trust?

Zero Trust is a cybersecurity model that assumes all connections, whether they are internal or external, cannot be trusted. This information security strategy places the sanctity of an organization’s data at its core. It then states that any connection to that data, be it a user, device, workload, or network is untrusted by default. Enterprises that adopt and implement a Zero Trust approach need to enforce strict control and ensure the validity of connections accessing an organization’s data. Advanced Identity and Access Management (IAM) is at the core of this cybersecurity model, and a Software-Defined Perimeter enforces the checks and balances needed for Zero Trust access control.

SDP and Zero Trust

A Software-Defined Perimeter solution offers multiple features that align with a Zero Trust cybersecurity model. First and foremost, an SDP leverages the Principle of Least Privilege. It authorizes every connection, whether its source is internal or external, before allowing entry. This universal access control deviates from the traditional VPN solutions that only monitor and enforce authorized external access. Once the user, device, or workload connects, the SDP platform only permits the requesting party access to sanctioned applications, systems, or data, further enforcing the Principle of Least Privilege and Zero Trust.

Over and above the granular access control an SDP provides, it also possesses several other features that protect the organization and its data. Unlike a traditional firewall, it exposes no open ports that malicious actors can use to enumerate the services running in a particular environment. An SDP also integrates with any existing Identity and Access Management solution. Most of these platforms support SAML, Active Directory, and LDAP, so the hardware and software integration effort is minimal. They also typically use a lightweight client, so end-user configuration is simple or unnecessary.

SDP Architecture

The Cloud Security Alliance released a Software-Defined Perimeter architecture guide in 2019. This document describes how organizations can use an SDP platform in various environments. It also assists businesses in implementing a successful SDP solution that aligns with their unique enterprise architecture. In this document, the CSA outlines the three primary components of an SDP solution – the client or Initiating Host (IH), the service or Accepting Host (AH), and the Software-Defined Perimeter controller or gateway.

SDP Architectural Components

Typically, an SDP solution deploys a client to every device. When a user, workload, or device initiates an access request, the SDP client sends it to the SDP controller. This component has a continuous, encrypted connection to every AH and manages access and authentication through a list of authorized hosts and IP addresses. The controller then verifies the request and passes a deny or allow decision back to the initiating host. The IH then accesses the resource on the accepting host through a mutually authenticated, encrypted Transport Layer Security (TLS) tunnel.
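To make the control flow above concrete, here is an added Python simulation; it is not code from the CSA guide or from any SDP product. A `Controller` enforces a default-deny, per-service policy (the Zero Trust and least-privilege behaviour described under "SDP and Zero Trust", applied to internal and external sources alike), pushes each allow decision to the Accepting Host before answering the Initiating Host, and the AH drops any connection the controller has not authorized, which is what "no open ports" means in practice. The `mutual_tls_context` function shows the server-side `ssl` setting that forces the IH to present a client certificate. All users, device ids, host names, IP addresses and policy entries are constructed sample data; the device-posture flag and the `authorize` call standing in for the controller-to-AH control channel are assumptions, not a real agent or protocol.

```python
"""Simulated SDP control flow: Initiating Host -> Controller -> Accepting Host.
Added illustration only; hosts, users, policy and posture data are constructed."""
import ssl
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Identity:
    """What the IH proves to the controller (client certificate plus IdP assertion)."""
    user: str
    device_id: str
    device_compliant: bool   # posture result reported by the client agent (assumed)
    source_ip: str           # recorded for audit only; never used as a trust signal


@dataclass
class AcceptingHost:
    """An AH accepts a connection only after the controller has authorized that IH."""
    name: str
    services: FrozenSet[str]
    _authorized: Dict[str, Set[str]] = field(default_factory=dict)  # device_id -> services

    def authorize(self, device_id: str, service: str) -> None:
        # Stands in for the controller's persistent encrypted channel to the AH (assumption).
        self._authorized.setdefault(device_id, set()).add(service)

    def connect(self, device_id: str, service: str) -> bool:
        # Nothing is reachable by an unauthorized host, so there is no port to enumerate.
        return service in self._authorized.get(device_id, set())


class Controller:
    """Holds the access policy and decides every request, internal or external."""

    def __init__(self, hosts: Dict[str, AcceptingHost],
                 policy: Dict[str, Dict[str, Set[str]]]) -> None:
        self.hosts = hosts
        self.policy = policy        # user -> {ah_name -> sanctioned services}
        self.audit: List[tuple] = []

    def request_access(self, who: Identity, ah_name: str, service: str) -> Tuple[str, str]:
        # Default deny: a request is allowed only when every check below passes.
        if not who.device_compliant:
            return self._decide("deny", "device-not-compliant", who, ah_name, service)
        sanctioned = self.policy.get(who.user, {}).get(ah_name, set())
        if service not in sanctioned:
            return self._decide("deny", "not-sanctioned", who, ah_name, service)
        ah = self.hosts.get(ah_name)
        if ah is None or service not in ah.services:
            return self._decide("deny", "unknown-host-or-service", who, ah_name, service)
        # Least privilege: open exactly this service on exactly this AH for this device.
        ah.authorize(who.device_id, service)
        return self._decide("allow", ah_name, who, ah_name, service)

    def _decide(self, verdict: str, detail: str, who: Identity,
                ah_name: str, service: str) -> Tuple[str, str]:
        self.audit.append((verdict, who.user, who.device_id, who.source_ip,
                           ah_name, service, detail))
        return verdict, detail


def mutual_tls_context() -> ssl.SSLContext:
    """Server-side TLS settings for an AH: the IH must present a certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # mutual TLS: handshake fails without a client cert
    # Deployment-specific and therefore omitted here:
    # ctx.load_cert_chain("ah.pem"); ctx.load_verify_locations("sdp-ca.pem")
    return ctx


def run_scenario() -> dict:
    """Constructed environment; returns each verdict so the behaviour can be checked."""
    hr = AcceptingHost("hr-app", frozenset({"https"}))
    git = AcceptingHost("git", frozenset({"ssh", "https"}))
    ctl = Controller(hosts={"hr-app": hr, "git": git},
                     policy={"alice": {"hr-app": {"https"}}, "bob": {"git": {"ssh"}}})
    alice = Identity("alice", "dev-a1", True, "203.0.113.7")   # external, compliant device
    bob = Identity("bob", "dev-b2", False, "10.0.0.5")          # internal, failed posture
    out = {}
    out["alice_hr"] = ctl.request_access(alice, "hr-app", "https")
    out["alice_hr_connect"] = hr.connect(alice.device_id, "https")
    out["alice_git"] = ctl.request_access(alice, "git", "ssh")     # not in her policy
    out["alice_git_connect"] = git.connect(alice.device_id, "ssh")  # AH never opened to her
    out["bob_git"] = ctl.request_access(bob, "git", "ssh")          # internal source still checked
    out["stranger_hr_connect"] = hr.connect("dev-zz9", "https")     # never asked the controller
    out["audit_denies"] = sum(1 for entry in ctl.audit if entry[0] == "deny")
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point the simulation makes is that the AH never has a reachable service until the controller has explicitly authorized a specific device for a specific service, and that an internal source (`bob` on 10.0.0.5) is evaluated with exactly the same checks as an external one; in a real deployment the `authorize` step rides the controller's persistent encrypted channel to each AH, and the IH then completes the mutual TLS handshake against a context like `mutual_tls_context()`.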

SDP, VPN, or Hybrid?

Although a VPN solution remains a relevant access control technology, the exponential increase in the use of cloud services demands a change in the way organizations protect their data. While it would be possible to implement a hybrid approach where you can control access to your internal network via a VPN while protecting your cloud services with an SDP, it would be both complex and inefficient. As the rise of cloud and mobile computing has effectively eroded the traditional corporate perimeter, an SDP is a logical choice to protect both internal and external resources in a cloud-first, mobile world.