Software-defined Perimeter (SDP)

Cloud Security Alliance, a nonprofit leading the charge in cloud-specific security research and education, formed a software-defined perimeter working group to develop and refine the technology. The principle motivating the group was to control access to the resources within a network based on the user’s identity. In this way, malicious users would be both kept away from sensitive areas within the network and the network itself.

Since its inception, software-defined perimeter solutions have been adopted and developed by many of the leading networking solutions providers in the world. The market size is expected to grow to $13.8 billion between now and 2024. It is also projected to experience a compound annual growth rate (CAGR) totaling 36.5%.

Software-defined perimeter vendors are charged with the task of not only preventing illegitimate users from accessing certain parts of the network but also from getting inside the network itself. To accomplish this, the system makes use of zero-trust security, what is often referred to as a black cloud approach, and the principle of authentication first and access afterward.

Zero trust assumes that every person, machine, and network is malicious. Before they are allowed access to a network, they have to prove their—benevolent—identity.

To illustrate, think of a concierge, whom we will call George, at a high-end apartment building where you live. When you first move in, you introduce yourself to George and he gives you a card that serves as the key to your apartment. You can also swipe the card to gain access to the gym, business area, meeting rooms, and common areas. The next day, you decide to go to the gym after you finish work. You walk in the front door, and you see George. He nods to you, recognizing your face. You nod back, say a brief greeting, and head toward the gym. You swipe your card to gain access to the locker room, change, then swipe it again to get into the workout area itself.

This is how a traditional security system works. When George sees your face, he trusts that you are who you appear to be. Also, because you have access credentials—your key card—after George nods you in, you can go to various areas of the “infrastructure” of the building. However, if you have an identical twin who steals your key card, they can probably walk in, get a nod from George, and access the same things you can. That is the weakness of a trust-based system. If a device is used and validated one day, and the same device is used the following day, a trust-based system allows access. However, someone who steals the device can abuse this trust.

On the other hand, a zero-trust security system always questions anyone or anything trying to gain access. To mirror a true zero-trust system, George will have to force you to prove your identity using biometric data every time you come into the building. Further, the legitimacy of your key card will also have to be verified, perhaps by using a constantly changing token that can only be received by a legitimate key card. In this way, if either the user or the device they are using is fraudulent, the user is denied access to the network.   

A software-defined perimeter fully aligns with zero-trust security principles because of the kinds of verifications it requires. Anyone trying to connect has to first verify their identity. Also, the SDP assesses the state of the device they are using to make sure it does not present any threats. Only after both the device and user have been deemed safe will a connection be allowed to take place.

What is SDP in networking? In a way, it is another type of zero-trust methodology. Its connection dynamic complies with zero trust because whether a user, device, or network is trying to connect, the SDP presumes it is a threat and can interface with the network only after it has proven that it is not.

SDPs and VPNs are similar in that users cannot connect to them without presenting credentials. Both use a strict authorization scheme to verify users do not present a risk.

However, that is where the similarities end. SDPs are, in some ways, significantly more secure than VPNs. For example, a VPN allows any user that has connected to the network to access the entire ecosystem. SDPs, on the other hand, do not allow all users to access every area of the network. Instead, each user gets their own specific connection.

You can set up each SDP connection in a way that meets the needs of individual users. With a VPN, you have a single secure portal that everyone shares. So deploying an SDP is a lot like giving each user their own individual VPN.

Another key difference is that SDPs can be set up anywhere you want and with a wide variety of infrastructures, simply because they are based on software instead of hardware. This means they can protect your on-premises or cloud infrastructure equally well.

By implementing a black cloud infrastructure for network security, you are putting a wall between your network and attackers. They cannot see the network. Therefore, they cannot hack into it. When an attacker is able to see into the network, they can search for vulnerabilities. Even if your various network components are secured, a hacker may still be able to figure out loopholes.

For example, some firewalls have a hard time stopping zero-day threats. If an attacker is able to see inside a network, part of which is protected by this kind of firewall, they can devise a zero-day attack that may be able to slip past it.

On the other hand, with software-defined perimeter security, the attacker cannot even see inside the network in the first place. This precludes the possibility of designing attack methods for the different components of the network or its security features.

Black cloud is so named because it makes the network behind it “black” or unseen. It is similar to a bank vault that is completely encased in a huge cube made of steel. Before a thief can even begin to try to figure out the combination for the vault, they will have to get through the steel walls around it. 

Further, because the thief cannot see past the steel walls, they do not know if the vault is secured by an old-fashioned, spinning combination lock, a biometric reader, or other security devices. The thief also has no way of knowing how the vault’s opening mechanism works. Is it a huge deadbolt, a single latch, or a combination of the two? Because the thief has no idea what is there, they do not know what tools to bring or the technology they need to get inside.

It is the same with black cloud network security. The network can be protected by firewalls, next-generation firewalls (NGFWs), web application security measures, internal multi-factor authentication (MFA), anti-malware, data loss prevention systems, email security—the list goes on. But the thief has no idea what they will face if and when they get past the “steel walls” of the black cloud.

In some ways, software-defined perimeter companies offer something similar to a virtual private network (VPN). Users are kept on the outside unless they have the appropriate credentials. However, SDPs are different, primarily in that network connections are not shared between devices that connect.

Also, SDPs offer more options than VPNs. With a VPN, once you are in, you are in. With an SDP, an administrator can choose which resources a user has access to once they are allowed network visibility and entrance. So while an SDP can incorporate a VPN as an element of its architecture, it is a very different security solution.

With an authentication first, access afterwards approach, the user is not allowed to access the network or any of its components. This differs from architectures that allow users to get inside the network but require them to provide credentials to use certain aspects of it. For example, any user can access the network, but only those with the right credentials can use the services provided by the email server.

With an authentication first, access afterwards approach, no one is allowed to get into any facet of the network unless they have first been authenticated. In this way, attackers are denied visibility into the network, its components, internal systems, and applications.

Once a user is inside, it is possible to create further access restrictions that can only be bypassed using additional authentication means. Ideally, both layers of access security should incorporate MFA, which requires multiple authentication measures, such as something the user has on their physical person, something the user knows, and the biometric data of the user.

The authentication first, access afterwards approach is another facet of an SDP that makes it similar to a VPN. With a VPN, a user needs to prove their credentials prior to gaining access to the network. If they do not have the proper credentials, they are not allowed in. In this way, they have no visibility into the network and cannot try to compromise specific aspects of it.

However, similar to a VPN, if additional security measures are not applied, an SDP could be vulnerable if an attacker steals someone else’s credentials. Another danger that comes from overrelying on an authentication first, access afterwards approach is, unlike a VPN, communications happening within the network are not automatically encrypted within the confines of an SDP. Therefore, if a malicious actor gains access, they can potentially spy on the communications of others within the network.

For these reasons, it is important to bolster an SDP solution with additional security layers. Some examples include NGFWs or web application firewalls (WAFs).

To set up a software-defined perimeter, you have to first verify the identity of the user. This can be done using MFA, single sign-on (SSO), or other methods, such as Security Assertion Markup Language (SAML).

The next step is to verify the security of the device. This needs to be done both before the device is allowed to connect and after the session has finished. Various data points pertaining to the device can be used to do this, including its location, malware status, registry information, antivirus settings, encryption on its hard drive, firewall status, and more. Predefined policies determine the settings and states that will be accepted or rejected. If the device conforms to the policies, it is allowed to connect.

The final step is to ensure the data is protected. This is where the SDP vendor plays a critical role. They have to take the extra step of setting up secure tunnels of communication between the device and the applications it is accessing. If data is encrypted for the entire session, the user can enjoy a private, safe connection without compromising sensitive information.

FortiToken Cloud provides administrators with a simple, central authentication system. It helps you grant, deny, revoke, and manage access privileges. This is accomplished through the deployment of two-factor tokens using FortiToken Mobile. Users need to have the tokens issued to them to connect to the protected environment. 

The system can interface with a FortiGate environment, making secure connections straightforward and fast. With FortiToken Cloud, you can also easily add deployments if you need to increase the number of users quickly.

A software-defined perimeter (SDP) is a method of concealing infrastructure that is connected to the internet, such as routers and servers, preventing external users from being able to see it. 

A software-defined perimeter prevents illegitimate users and/or devices from accessing certain parts of the network and from getting inside the network itself. To accomplish this, the system makes use of zero-trust security, what is often referred to as a black cloud approach, and the principle of authentication first and access afterwards.

To set up a software-defined perimeter, you have to first verify the identity of the user. This can be done using multi-factor authentication (MFA), single sign-on (SSO), or other methods, such as Security Assertion Markup Language (SAML). The next step is to verify the security of the device. The final step is to ensure the data transmitted during the connection is protected via secure tunnels between the device and the services it is using.