animind - Fotolia
The widespread popularity of SaaS applications, BYOD and millions of unsecure IoT devices has effectively eliminated the notion of a hardened perimeter where IT and security organizations can control access to their sensitive data.
Software-defined perimeter (SDP) technology makes users and devices invisible and inaccessible to outside attacks. An alternative to VPN technology, SDP can be deployed in data centers, branch offices, internet on-ramps and hosting centers to provide comprehensive security coverage.
Defining the software-defined perimeter
The goal of software-defined perimeter is to remove internet-connected devices and applications from public visibility and reduce the surface area for attack. SDP is a secure, private overlay network that connects users and devices over the internet to servers and applications in the data center or public cloud. Each device has its own private IP address space to obscure it from the underlying internet. Software-defined perimeter can reduce threats from many attack types, including denial-of-service, SQL injection, application vulnerability exploits, man-in-the-middle and cross-site scripting.
SDP uses preauthentication and preauthorization to create networks that are invisible to outside attackers. Users have access only to authorized applications to reduce threats from compromised devices. It also employs various software-based networking technologies, including network virtualization, segmentation, end-to-end encryption, invitation-only network access control and fine-grain policy control.
The internet security challenge
The popularity of cloud-based applications has created a wealth of new challenges for network and security professionals. The typical end user now uses between five and 20 IaaS and SaaS cloud-based applications in their workday. IT and security organizations have limited visibility or control over data migrating to or from the cloud. Also, unfettered access to the internet opens organizations to various security attacks. According to the Cloud Security Alliance, a majority of organizations have experienced SaaS-specific security incidents.
Millions of IoT devices connect to enterprise networks over the internet; largely unsecured devices result in an attack surface of unprecedented proportions. Many organizations open their systems, services and data to internet-connected digital business supply chains. Attackers use application vulnerabilities that bypass firewalls and intrusion prevention systems.
Traditional network security architectures with hardened perimeters and no direct internet access -- demilitarized zones -- have become obsolete. VPNs provide only limited security protection. As most attacks originate from the public internet and attackers will target any exposed surface, IT and security teams must deploy new security models based on obscurity. Software-defined perimeter provides the ability to create private virtual overlay networks that are cloaked from the underlying internet.
Requirements of the software-defined perimeter
Software-defined perimeter enables service isolation that doesn't directly expose users, devices and applications to the internet. An SDP should be seamless to implement, massively scalable and highly reliable. It should use cloud-based scalability and intelligence. The software-defined perimeter will need to be integrated with other installed network security systems and have centralized management consoles.
Companies to watch in this space include Citrix, Cradlepoint, Pulse Secure, Vidder and Zscaler, among others.
Dig Deeper on Network Infrastructure
Related Q&A from Lee Doyle
SD-WAN technology is available in a variety of business models, including SD-WAN as a service and managed SD-WAN. But how do the different ... Continue Reading
When contemplating SD-WAN managed services, organizations should ask questions about network security, infrastructure compatibility and bandwidth ... Continue Reading
Service mesh separates itself from SDN and NFV approaches with its clear focus on managing the communication and forwarding between multiple ... Continue Reading