Before FAANG companies ever existed, protecting a business’s assets involved hiring security professionals, giving everyone keycards, and locking rooms where servers were housed.
Everything changed when the cloud began to emerge.
While blocking physical access to buildings was still relevant, it didn’t stand a chance against cyberattacks. Organizations needed to go beyond hardware security and safeguard their data via software. That’s where software-defined perimeters were born.
Software-defined perimeters, or SDPs, mask cloud infrastructure from potential attackers while allowing authorized users to access the tools and data they need. SDP methodology enables companies to adapt their level of trust with a user based on context, like a user’s device or aspects of their identity, which provides greater control over who can perform certain actions on specific devices.
But how do SDPs work, and how do they fit into our working world today?
In this piece, we’ll explain how SDPs defend against bad actors, the benefits they confer, and their contribution to a Zero Trust security model.
How Does a Software-Defined Perimeter Work?
Think of SDPs like a bouncer at an exclusive yet low-profile event. Most people don’t even know the event is happening, and if they do, the bouncer will double and triple-check the list of approved guests before allowing the person to enter.
After each person gets in, the bouncer locks the door again. Once inside, other security staff may restrict guests’ access to certain areas depending on their ticket type. All in all, it’s a tight operation that makes the chances of something terrible happening very low.
To achieve a similar environment, SDP solutions rely on identity and device verification, least privilege access, and one-to-one connectivity. Let’s review each in detail.
Identity and Device Verification
Going back to the bouncer example, the first step is to make sure guests are who they say they are and have the right credentials to enter the party. Bouncers may look at someone’s ID, cross-reference a list of names or scan a ticket, put belongings through a metal detector, and generally assess whether people belong at the party. Technologically speaking, this is equivalent to identity and device verification.
With SDPs, user identities are confirmed first by third-party identity providers (IdPs), verifying that the user is who they say they are. Then, most software-defined perimeters integrate with single-sign-on (SSO) or multi-factor authentication (MFA) applications to ensure that users are part of their system and have the proper devices to complete authentication. At the same time, devices are evaluated for the presence of malware, up-to-date software, and other potentially harmful characteristics.
If users and their devices do not match software-defined perimeter requirements or show signs of malicious intent, they will not gain access to a company’s internal infrastructure. As a result, the identity and device verification component of SDPs reduces the risk of phishing, brute force attacks, and other forms of compromise prevented by SSO and MFA.
Least Privilege Access
Let’s harken back to our example again. Say that each guest has a certain level of access. VIPs and performers get to enter some rooms that other attendees don’t. Bouncers attach wristbands to every guest that denote their level of access and have a pre-programmed mechanism to open doors to specific areas of the event space.
This situation is analogous to least privilege access from a cybersecurity standpoint. Because SDPs represent the barrier to an organization’s overall architecture, IT teams must pay special attention to what users can access once they get in. And ultimately, that means users should only be able to access the resources they need in order to do their jobs 一 no more, no less.
Software-defined perimeters help companies track and enforce authentication and authorization because only users who have passed identity and device checks will be able to find and use applications they are specifically permitted to use within an encrypted network. In other words, SDPs both dole out and continuously check people’s wristbands.
One-to-one connectivity is tougher to connect to our bouncer-event example, but it’s easier if you think of the event as a tailored, guided experience. From the moment someone gets their wristband, they are whisked away to the area of the event they are meant to see and nothing else. So some people get a full tour and have free rein to explore, while others are limited to certain parts of the event.
In a similar way, software-defined perimeters don’t connect users to an organization’s full network (the whole event). Instead, SDPs create a one-to-one connection between users and the resources they have permission to use (wristband-permitted areas). No other person shares the same connection and cannot access the same applications (everyone has a different experience).
Software-defined perimeters take this connection further by encrypting them and requiring that users log in through a VPN. To access a particular dataset or tool, bad actors have to make it through identity and device verification, then ensure they have the right access, and finally, penetrate encrypted networks. On top of that, networks are constantly observed for potential threats, lowering the risk of eavesdropping or other cyberattacks.
Benefits of a Software-Defined Perimeter
Software-defined perimeters have many advantages over legacy, on-premise security methods that have started to become obsolete with the expansion of cloud computing. Below we examine just a few of the benefits SDPs confer.
Because software-defined perimeters aren’t hardware-based, they can support both cloud and on-premise infrastructure, making them ideal for companies that have already moved to the cloud or are in the middle of their transition.
Supports Remote Work
SDPs can be used at any time by anyone. This quality has become exceedingly crucial as more and more companies continue in a remote-first environment. Software-defined perimeters can support virtually every device anywhere and help IT oversee and maintain data and application permissions 一 an essential feature for remote employee onboarding. All the activity conducted on those platforms is hidden from cyberattackers behind the cloak of the SDP.
Simplified Device Management
One of IT’s biggest expenses is deploying and managing an organization’s applications. Software-defined perimeters eliminate the need for and costs associated with administering and monitoring firewalls, DDoS protection, global load balancing, and more.
Plus, SDPs can authenticate laptops, PCs, mobile devices, and IoT devices, ensuring that IT still has oversight of these devices and employees can still securely access the information and applications they need when they are on the go.
Simplified Network Management
Software-defined perimeters restrict broad network access and can secure both hybrid and private clouds. With this design, employees aren’t granted access to subnets or network segments, which simplifies IT’s job, minimizes the potential network attack surface, and inhibits port and vulnerability scanning by malicious actors.
Software-defined perimeters limit a company’s exposure to cyberattackers in several ways. First, SDPs are difficult to detect. Cyberattackers can’t penetrate an SDP without finding it. SDP solutions also permit or prohibit access based on many criteria, from aspects of a user’s identity to running threat intelligence on their devices. Furthermore, SDPs empower security teams to control services within the perimeter using least privilege access principles.
Easier M&A Integration
Software-defined perimeters can significantly streamline the M&A integration process. Typically these integrations can take years and years to complete, separating all the different networks and IP addresses of both parties and then determining how to stitch them all together. If both organizations already have SDPs, the process becomes much less complicated, combining the contents into one larger SDP.
SDPs and Zero Trust
Because of their many advantages, software-defined perimeters have become a core component of a Zero Trust architecture. Within a Zero Trust model, no device, network, or user is considered “safe” until it clears an organization’s security checks. SDPs conform exactly to this model, blocking access to internal resources until users and devices are verified.
SDPs also make vendor management more organized and transparent. Since applications can be installed on any host, companies aren’t locked into one vendor and aren’t required to reconfigure any networks.
Overall, SDPs enable organizations to truly implement a Zero Trust model and adopt a more cost-effective, robust approach to safeguarding their employees and protecting their customers’ data in a remote working world.
Do you know if your organization is on track to achieve Zero Trust? Use JumpCloud’s Zero Trust Assessment Tool to find out where you are on the road to embracing Zero Trust and gain tips on how to advance to the next stage.