Software-defined perimeter brings trusted access to multi-cloud applications, network resources

Many companies today have a hybrid approach to their networking and IT infrastructure. Some elements remain in an on-premise data center, while other portions have gone to the cloud and even to multi-cloud. As a result, the network perimeter is permeable and elastic. This complicates access requirements at a time when it’s more important than ever to enable accessibility while preventing unauthorized access to applications and data.

To reduce risk, some organizations are applying a zero-trust strategy of “verification before trust” by incorporating stronger, stateful user and device authentication; granular access control; and enhanced segmentation no matter where the applications and resources reside.

One implementation of a zero-trust strategy that is starting to gain some traction is software-defined perimeter (SDP). SDP is a defined architecture by the Cloud Security Alliance. SDP has been around for several years now and has primarily been used to protect cloud-based or SaaS applications and data. Pulse Secure recently announced an SDP solution for hybrid IT, which should make it more attractive to enterprises that have a diverse infrastructure.

How a software-defined perimeter works

The notion of a software-defined perimeter is to establish trust closest to the resources involved. That means establishing trust at the entity making the request for access, as well as establishing trust at the application or network resource that is to be accessed. Several distinct components are needed to establish this trust and to ultimately make the desired, secured connection.

The first component is a client that wants to gain access to an application or other resource (an entity). A key security feature is that the entity has no DNS entry, so it’s hidden and can’t be reached directly. Instead, the client has an SDP-enabled agent or agentless means to communicate with the second component, an SDP controller that holds the security policy and arbitrates all the connectivity between end user and Internet of Things (IoT) devices and the hidden entities. The controller has a finite list of users who are trusted and authorized, as well as a list of devices that are registered.

The controller communicates with the client to understand who the user is and the security state of the device. This information is checked against a roles-based access control and resource policy managed by the controller, which inherently interfaces with the enterprise identity management system. If everything checks out, the controller communicates and authenticates with the third component of the solution, an SDP gateway located close to the target entity.