Software-defined access, or SD-access, applies the principles of software-defined networking, or SDN, to the access edge of the network. SD-access puts the access edge under the management of a centralized network controller instead of managing each access switch as an independent entity.
The goal of SD-access is to push fine-grain control of network access to the edge. The main driver of enterprise SD-access adoption is the desire for improved network security. Even though SDN-style centralized management can control all aspects of edge switch behavior, the primary motivation for SD-access is to tighten security controls on whom and what can connect, as well as determine what connected entities can do.
How does SD-access compare to other authorization measures?
Authenticated network access
SD-access goes further than standard authenticated network access. With authenticated network access, standardized for Ethernet under IEEE 802.1x, a system connected to a protected port can initially talk only to the edge switch to which it's connected. It can't interact with the rest of the network, including other ports on the same switch.
The edge switch forces the system to authenticate itself with a recognized identity source, usually the enterprise directory. If the system fails to provide an identity authorized to use the network, the switch won't grant the system access to the network past the port to which it is connected. Authenticated access is a step up from open access, but it falls short when it comes to securing the network edge thoroughly. Authenticated access only analyzes identity and only checks for it once at initial admission to the network.
Network access control
Comprehensive network access control (NAC) systems go considerably further than authenticated network access. NAC runs health checks on endpoints to look for signs of compromise or noncompliance with security policy. Some NAC systems can also monitor network use to watch for anomalous behaviors, such as a node trying to access parts of a network that it's not permitted to enter. NAC systems also include mechanisms that cut off access to the network when systems misbehave.
SD-access aims to bring this broader and finer-grain control into the core of network functions, more so than both authenticated network access and NAC. SD-access aligns with current ambitions for a zero-trust network because SD-access provides a platform that network teams can use to ensure a system behaves in an acceptable fashion, not just at admission but also in every interaction that follows. Under SD-access, the network doesn't have to trust a system it previously trusted. An SD-access network can implement a software-defined perimeter (SDP) or zero-trust network access (ZTNA).
How does SD-access work?
SD-access works by tying together the following three elements:
- Edge access control
- A centralized policy engine
- Behavioral threat analysis
Edge access control
Edge switches provide the access control portion of SD-access. They enforce initial authentication of system identity and any reauthentication after initial admission. They also assign virtual LANs (VLANs) and apply access control lists (ACLs) to each port, controlling which parts of the network that port can reach. In a conventional network, those assignments are essentially static; in an SD-access network, they are dynamic and are subject to update at any time.
When a policy changes, those assignments may change, too. Such changes will apply immediately and systems reauthenticate and reauthorize. When a system misbehaves and must be isolated from other systems, its port can be blocked or assigned to a quarantine VLAN.
Centralized policy engine
Edge switches assign ports to VLANs and apply ACLs at the direction of a centralized policy engine. At the core of an SD-access system, edge switches push out access policies, which are what enable -- but don't require -- SD-access to implement zero trust. The access policies can create a broad range of security environments. These can range anywhere from completely open, which doesn't require any form of authorization, to fully zero trust, which blocks all access that isn't explicitly permitted.
Behavioral threat analysis
The behavioral threat analytics tool makes the SD-access network behavior-aware, which is essential to implementing an SDP or ZTNA. It can detect anomalies in behavior -- such as behaviors associated with attacks or compromised systems -- and notify the policy engine. The policy engine can then instruct the edge network to block, quarantine or restrict access for the associated entity or identity.
SD-access is one of many approaches to zero trust. Enterprises interested in pushing zero trust into the access edge of their networks should evaluate SD-access along with other options, such as SDP. Additionally, they should consider implementing ZTNA as soon as resources permit.