Why Does The Software Defined Perimeter (SDP) Matter?

We’re all familiar with VPNs; they’ve been around for more than two decades and have become wildly popular with corporations and consumers alike. Now, a new, secure remote access technology called software-defined perimeter (SDP) is grabbing attention as the successor to the VPN. Given the fact that so many of us are now working from home, the timing couldn’t be better.

Next big thing

In simple terms, a software-defined perimeter is a technology based on a Zero Trust architecture that can limit a device’s access to applications and services based on dozens of configurable criteria. For devices outside the corporate network, an SDP solution has the ability to create 1-1 connections, or ‘micro’ tunnels, between users and the resources that they need.

The ‘zero trust’ concept is key here. As mentioned above, a user must prove that they have a legitimate need for a resource. SDP solutions take it a step further – and this is where they offer a big advantage over traditional VPNs – by making it possible to add a layer of ‘least privilege’ controls. This gives users seamless access only to the particular application and data they need in that moment, and nothing more.

The beauty of this approach is that it prevents the kind of lateral movement through a network that’s often cited as a flaw with VPN credentials. Connections using SDP are to a specific resource and not the whole network.

SDP solutions do more than just authenticate the user. Naturally there are variations in the way SDPs are architected, but the common thread is that they all make use of some kind of controller. The controller acts a bit like a context-aware decision maker that gathers a variety of data such as the application being used, the location of the device, network information and much more. It then builds a risk profile of each request based on this real-time data, determining whether the user can access the resource based on the context of the moment. Depending on the circumstances, access can be revoked dynamically.
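To make the controller's role concrete, the following added example (not taken from this article or from any SDP product) sketches a per-request decision: an entitlement check for least privilege, a risk score built from context, and re-evaluation that revokes individual tunnels when the context changes. All role names, resources, weights and thresholds are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy (assumptions): resources each role may reach, the highest
# risk tolerated per resource, and the countries treated as expected locations.
ENTITLEMENTS = {"finance": {"erp"}, "engineer": {"git", "wiki"}}
MAX_RISK = {"erp": 20, "git": 40, "wiki": 60}
TRUSTED_COUNTRIES = {"US", "GB"}

@dataclass(frozen=True)
class Context:
    role: str
    app: str             # client application making the request
    country: str         # device location
    network: str         # "corporate", "home" or "public-wifi"
    device_patched: bool

def risk_score(ctx):
    """Build a risk profile from the real-time signals of one request."""
    score = {"corporate": 0, "home": 10, "public-wifi": 30}.get(ctx.network, 50)
    score += 0 if ctx.device_patched else 40
    score += 0 if ctx.country in TRUSTED_COUNTRIES else 30
    score += 0 if ctx.app in {"browser", "git-client"} else 20
    return score

def decide(ctx, resource):
    """Least privilege first (entitlement), then context (risk threshold)."""
    if resource not in ENTITLEMENTS.get(ctx.role, set()):
        return False
    return risk_score(ctx) <= MAX_RISK[resource]

class Controller:
    """Grants one micro-tunnel per (user, resource), never network-wide access."""
    def __init__(self):
        self.tunnels = set()

    def request(self, user, ctx, resource):
        if decide(ctx, resource):
            self.tunnels.add((user, resource))
            return True
        return False

    def update_context(self, user, ctx):
        """Re-score the user's open tunnels; close and return those that fail."""
        revoked = [r for (u, r) in self.tunnels if u == user and not decide(ctx, r)]
        for r in revoked:
            self.tunnels.discard((user, r))
        return sorted(revoked)
```

Because each tunnel is scored against its own threshold, a change of network or location can close the connection to a sensitive resource while a lower-risk one stays open.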

This is an elegant, conditional way of ensuring that users get what they need, while reducing the organization’s attack surface. The compelling driver for adoption is that SDPs allow organizations to treat resources equally, whether they’re hosted on-prem, in a private cloud or on the public internet. With 84 percent of organizations migrating to the cloud, SDP offers an elegant way to provide secure remote access in an increasingly cloud – and remote – workspace.

It is within this increasingly remote workspace, this working-from-home (WFH) culture, that the software-defined perimeter really shines. Let’s jump back to the discussion of VPNs, and look at the impact that COVID-19 has had on the way people work. As early as February and March of this year, organizations around the world rapidly scaled their remote working programs, sending employees home while scrambling to equip them with tools to work effectively outside the office.

Legacy VPNs, however, buckled under the pressure. They were simply not designed to scale so quickly to meet the needs of a remote, mobile workforce, causing security concerns and performance issues that became hot button topics among IT leaders.

With employees working from home, the corporate attack surface for all organizations broadened immensely, calling for IT teams to step up their secure remote access strategies. This is precisely when the software-defined perimeter made its way into the spotlight.

Traditionally, remote workers relied on VPNs to provide that safe, encrypted connection to corporate resources, but as the number of users has grown and the types of assets they access have changed, these legacy VPNs have become a liability. Even with multi-factor authentication (MFA) in place, older generation VPNs lack the ability to understand context. This opens the door to any bad actors holding the correct credentials.

When it comes to securing the remote access process, it stands to reason that IT teams will only be able to protect what they can clearly see. The opposite is also true; where there is little visibility and oversight of device activity, then security risks increase.

To truly understand the current mindset of IT and security leaders from a global perspective, we commissioned one of the largest remote work surveys since the pandemic began. Our survey revealed that almost half of the respondents consider remote workers to be exposed to either high or extremely high risk. The overall picture is unmistakable – a full 97 percent believe that remote workers are exposed to greater risk than traditional office workers.

We can’t deny that we have a massive blind spot when it comes to securing remote workers. Employees sit in their homes, in hotels, in airports and in cafes, connecting to dozens of different Wi-Fi and cellular networks outside the safety of the corporate network.

For most IT teams, it’s been almost impossible to ‘see’ how these devices, applications and networks have been performing at the edge – certainly more difficult than when an employee is in a company office. Against this backdrop of remote working, it is imperative that IT and security leaders have full visibility into their remote workers.

For the majority of mid-market and enterprise organizations, COVID-19 accelerated the digital transformation process and forced greater consideration of remote work. While workers will eventually start returning to the office, a significant number may remain remote for the foreseeable future, if not by necessity then perhaps by preference.

As such, any organization still using a blend of different hosting options for its enterprise resources should use both a VPN and an SDP solution to ensure security and a positive user experience, as well as to meet the increasingly zero-trust oriented needs of tomorrow.
