Brent Gaynor, December 14, 2020
Beware the SDP in Sheep’s Clothing
Expanding on what a real Software-Defined Perimeter is and how it provides better business agility.
Optiv posted a blog in mid-2019 outlining the key differentiators of the SDP standard, to help readers tell what is, and is not, an SDP as defined by the Cloud Security Alliance (CSA) SDP specification. The specification was developed to provide a concise and purposeful architecture for secure enterprise access. Real SDPs are inherently more secure, and offer more operational agility at enterprise scale, than technologies that merely carry the SDP label.
In this blog, we cover three additional signs that a solution is grounded in the true definition of SDP:
- Conditional access
- Adaptable architecture
- Business agility
We’ll also highlight features to look for to get the highest level of operational agility, efficiency and scale from your secure access strategy. Why should you care? Because an architecture that can evolve and grow with the business creates efficiencies while maintaining compliance and closing security gaps.
The perimeter as we once knew it is dead, but that doesn’t mean perimeters don’t exist. The new paradigm consists of micro-perimeters. A Software-Defined Perimeter is exactly this: micro-perimeters defined by software rather than bound to hardware. It provides a secure path from the accessing device, across the network, to the destination resource, one that isolates the authorized user from external threats and confines them to the resources they are permitted to reach. A micro-perimeter is a unique, per-instance path that is conditionally activated to create a segment of one between the user and the resource. The word “conditionally” is not accidental: access is denied by default, a path is granted only while its conditions (identity, device posture, MFA, location and so on) hold, and each user’s access is reassessed continuously rather than once at login. In a true SDP solution, these conditions are configurable and programmable via API.
A micro-perimeter also simplifies compliance. Activity is logged per user, device, application and context, so the audit trail shows, for each micro-segmented path, who was granted access, from what device type and posture, whether MFA was satisfied, from where, and more. Because each resource is isolated, the audit scope shrinks accordingly. And because an SDP gateway drops every packet that does not come from an authenticated, authorized client, attackers cannot even perform basic reconnaissance such as port scans: the protected resources simply do not answer.
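The two paragraphs above describe conditional, continuously re-evaluated access and the per-decision audit trail it produces. The following is an added illustration, not code from Optiv or from any SDP product: a toy controller policy engine in which every (user, device, resource) path is denied by default, granted only while every condition holds, torn down when a context refresh shows posture has drifted, and logged with user, device, posture, MFA and location on each decision. The policy fields, the resources and the contexts are constructed for the example.

```python
"""Toy SDP controller: conditional segment-of-one paths with continuous reassessment.

Constructed example, not any vendor's code. Policies, resources and contexts are invented.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import json


@dataclass(frozen=True)
class Context:
    """What the controller knows about a session at evaluation time (constructed fields)."""
    user: str
    groups: frozenset
    device_id: str
    device_managed: bool
    disk_encrypted: bool
    os_patch_age_days: int
    mfa: bool
    country: str


@dataclass
class Policy:
    resource: str
    allowed_groups: frozenset
    require_mfa: bool = True
    require_managed_device: bool = True
    max_patch_age_days: int = 30
    allowed_countries: frozenset = frozenset()  # empty means any country

    def evaluate(self, ctx):
        """Deny by default: any single failed condition denies. Returns (decision, reasons)."""
        reasons = []
        if not (ctx.groups & self.allowed_groups):
            reasons.append("user not in an allowed group")
        if self.require_mfa and not ctx.mfa:
            reasons.append("MFA not satisfied")
        if self.require_managed_device and not ctx.device_managed:
            reasons.append("device not managed")
        if not ctx.disk_encrypted:
            reasons.append("disk not encrypted")
        if ctx.os_patch_age_days > self.max_patch_age_days:
            reasons.append(f"OS patch age {ctx.os_patch_age_days}d > {self.max_patch_age_days}d")
        if self.allowed_countries and ctx.country not in self.allowed_countries:
            reasons.append(f"location {ctx.country} not allowed")
        return ("allow" if not reasons else "deny"), reasons


class Controller:
    """Tracks live segment-of-one paths and re-evaluates them on every context refresh."""

    def __init__(self, policies):
        self.policies = {p.resource: p for p in policies}
        self.paths = {}   # (user, device_id, resource) -> True while the path is active
        self.audit = []   # one dict per decision: user, device, posture, MFA, location

    def _log(self, event, ctx, resource, reasons):
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "event": event, "user": ctx.user, "device": ctx.device_id,
            "resource": resource, "mfa": ctx.mfa, "country": ctx.country,
            "posture": {"managed": ctx.device_managed, "encrypted": ctx.disk_encrypted,
                        "patch_age_days": ctx.os_patch_age_days},
            "reasons": reasons,
        })

    def request(self, ctx, resource):
        policy = self.policies.get(resource)
        if policy is None:  # unknown resource: nothing is reachable without an explicit policy
            self._log("deny", ctx, resource, ["no policy for resource"])
            return "deny"
        decision, reasons = policy.evaluate(ctx)
        if decision == "allow":
            self.paths[(ctx.user, ctx.device_id, resource)] = True
        self._log(decision, ctx, resource, reasons)
        return decision

    def refresh(self, ctx):
        """Re-evaluate this user/device's active paths; tear down any that no longer qualify."""
        revoked = []
        for key in list(self.paths):
            user, device_id, resource = key
            if user != ctx.user or device_id != ctx.device_id:
                continue
            decision, reasons = self.policies[resource].evaluate(ctx)
            if decision == "deny":
                del self.paths[key]
                revoked.append(resource)
                self._log("revoke", ctx, resource, reasons)
        return revoked

    def active(self, user):
        return sorted(r for (u, _d, r) in self.paths if u == user)


def demo():
    ctrl = Controller([
        Policy("crm-db", allowed_groups=frozenset({"sales"}), allowed_countries=frozenset({"US", "CA"})),
        Policy("git", allowed_groups=frozenset({"eng"})),
    ])
    alice = Context("alice", frozenset({"sales"}), "lt-1001", True, True, 5, True, "US")
    first = ctrl.request(alice, "crm-db")   # allow: every condition holds
    second = ctrl.request(alice, "git")     # deny: wrong group
    # Posture drifts: the endpoint agent now reports the disk unencrypted, so the path is torn down.
    drifted = Context("alice", frozenset({"sales"}), "lt-1001", True, False, 5, True, "US")
    revoked = ctrl.refresh(drifted)
    return first, second, revoked, ctrl.active("alice"), ctrl.audit


if __name__ == "__main__":
    f, s, r, a, log = demo()
    print(f, s, r, a)
    for entry in log:
        print(json.dumps(entry))
```

The point to notice is `refresh`: a real controller would call it on every posture report, token refresh or network change, so a path that was legitimately opened at 9:00 does not survive a posture failure at 9:05. The audit entries carry enough context that an auditor can answer "who reached what, from which device, in what state" without widening scope to the rest of the network.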
Another unique benefit of SDP is the “Software-Defined” part. SDP provides a layer of adaptability that hardware appliances and bolt-on software cannot match. Because tomorrow’s needs are unknown, you need the ability to pivot with minimal disruption. Whether that means deploying in a VM, inside a container, or embedded in a device, a software-defined architecture carries a Zero Trust perimeter to a widening range of unforeseen use cases.
The adaptable architecture also lets your security layer use the same high availability and scale found in enterprise cloud software. As a software-defined framework, it can autoscale within a cloud, either scaling on demand or auto-deploying instances to protect new resources as they appear so that security posture is maintained. Think of the latter mechanism as running “security as code”.
The digital nature of business necessitates ad-hoc access to do everything in today’s world. Customer data is needed for marketing, sales and demographic analysis. Intellectual property may be accessed for shared industry research or outsourced engineering, and operational metrics are frequently used across organizations for efficiency and cost analysis.
Over time, ad-hoc and unforeseen access demands lead to permissions and policies being toggled on and off. The result is “security drift” that is hard to reverse: overworked administrators and security operators (SecOps) no longer recall or understand why a permission was originally granted, so stale grants accumulate. This leaves the network overexposed.
SDP mitigates much of this drift. A properly designed SDP with a unified policy model provides control and flattens the access policies in a way that a typical legacy environment consisting of firewalls, ACLs, security groups, NACs, VPNs and identity providers simply cannot.
Lastly, agility demands an API-first approach that offers enough touchpoints to inject workflow policies, integrating with ITSM systems and other business systems to provide conditional and human-validated access.
Workflow integrations such as these let security grant access for services and upgrades that would otherwise require manual intervention. Binding SDP to workflows also yields a clear audit trail of when and where access was granted and revoked.
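To make the workflow binding concrete, here is an added example (not Optiv’s code and not any ITSM product’s API) of an approval gate: an access request opens a ticket against a stand-in ticketing client, cannot be activated until someone other than the requester approves it, carries a time-to-live so the grant revokes itself, and writes every transition to an audit trail. The `TicketSystem` class, its ticket IDs and the injectable clock are hypothetical stand-ins chosen so the example runs offline.

```python
"""Toy human-validated, time-bound access grant bound to a change ticket.

Constructed example; TicketSystem is a hypothetical stand-in for a real ITSM client.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


class TicketSystem:
    """Stand-in for an ITSM API (hypothetical; a real deployment would call the vendor client)."""

    def __init__(self):
        self.tickets = {}

    def open(self, requester, resource, justification):
        tid = f"CHG-{len(self.tickets) + 1:04d}"
        self.tickets[tid] = {"requester": requester, "resource": resource,
                             "justification": justification, "state": "pending", "approver": None}
        return tid

    def approve(self, tid, approver):
        t = self.tickets[tid]
        if approver == t["requester"]:  # separation of duties: no self-approval
            raise ValueError("requester may not approve their own ticket")
        t["state"] = "approved"
        t["approver"] = approver

    def state(self, tid):
        return self.tickets[tid]["state"]


@dataclass
class Grant:
    ticket: str
    user: str
    resource: str
    expires: datetime


class AccessWorkflow:
    def __init__(self, tickets, clock):
        self.tickets = tickets
        self.clock = clock    # injectable so expiry can be exercised deterministically
        self.grants = {}      # ticket id -> Grant while live
        self.audit = []       # every transition, with the ticket that authorised it

    def _log(self, event, tid, user, resource, **extra):
        self.audit.append({"ts": self.clock().isoformat(), "event": event, "ticket": tid,
                           "user": user, "resource": resource, **extra})

    def request(self, user, resource, justification):
        tid = self.tickets.open(user, resource, justification)
        self._log("requested", tid, user, resource)
        return tid

    def activate(self, tid, ttl_hours):
        """Turn an approved ticket into a live grant; refuse anything not yet approved."""
        t = self.tickets.tickets[tid]
        state = self.tickets.state(tid)
        if state != "approved":
            self._log("activate_refused", tid, t["requester"], t["resource"], state=state)
            return None
        g = Grant(tid, t["requester"], t["resource"], self.clock() + timedelta(hours=ttl_hours))
        self.grants[tid] = g
        self._log("granted", tid, g.user, g.resource, approver=t["approver"],
                  expires=g.expires.isoformat())
        return g

    def sweep(self):
        """Revoke expired grants; nobody has to remember to remove them."""
        now = self.clock()
        for tid, g in list(self.grants.items()):
            if g.expires <= now:
                del self.grants[tid]
                self._log("revoked", tid, g.user, g.resource, reason="ttl expired")

    def allowed(self, user, resource):
        self.sweep()
        return any(g.user == user and g.resource == resource for g in self.grants.values())


def demo():
    now = [datetime(2020, 12, 14, 9, 0, tzinfo=timezone.utc)]
    wf = AccessWorkflow(TicketSystem(), lambda: now[0])
    tid = wf.request("bob", "billing-api", "hotfix deploy")
    refused = wf.activate(tid, ttl_hours=4)     # None: nobody has approved yet
    wf.tickets.approve(tid, "carol")
    grant = wf.activate(tid, ttl_hours=4)
    during = wf.allowed("bob", "billing-api")   # True while the TTL runs
    now[0] += timedelta(hours=5)
    after = wf.allowed("bob", "billing-api")    # False: auto-revoked on sweep
    return refused, grant, during, after, [e["event"] for e in wf.audit]


if __name__ == "__main__":
    print(demo())
```

Because each audit entry names the ticket, the justification and approver are one lookup away, which is exactly the context that goes missing during the security drift described earlier.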
SDP is much more than a rebranding of remote access. It is a set of architectural principles that serve agile business needs, outperforming legacy access technologies while enabling new business models and driving operational efficiency. We are just getting started, but as we deploy SDP-enabled environments, these are some of the capabilities that distinguish a true Software-Defined Perimeter from the pretenders.