Software-Defined Perimeter Networks

Software-defined perimeter (SDP) networks are an advanced iteration of a zero-trust network (ZTN) strategy for access to enterprise resources.

As organizations migrate more and more services to the cloud, regardless of deployment model or location, the potential attack surface expands well beyond anything a network boundary can enclose. Securing the data and the individual service (not just the network) has therefore become an existential concern.

Because SDP is agnostic of the underlying IP-based infrastructure, it is well suited to businesses that want the advantages of cloud without tying security to where a service happens to be hosted. Fundamentally, the principle is to secure every connection by ring-fencing each digital asset, as opposed to traditional IP-based networks that rely on securing the network boundary. Anchoring trust to a known source IP address and routing only those packets is a serious risk in today's evolving, borderless networks: an address can be shared, spoofed or reassigned, and it says nothing about the user or device behind it.

Organizations should no longer automatically trust anything inside or outside the traditional perimeter. Instead, every resource should be accessed securely regardless of who creates the traffic or where it originates. This is a big change in approach and removes the 'connectivity before authentication' legacy mindset. In this way, participants are never 'on the network.' Trust is established before connectivity: the client sends a single, cryptographically authenticated packet (single packet authorization) over a control plane that is separate from the data plane, and no data-plane connection is accepted until that packet has been verified. Everything that tries to reach a resource is verified before access is granted, and sessions are continually evaluated for the entire duration of the connection rather than only at setup.

The National Institute of Standards and Technology (NIST), in SP 800-207 (Zero Trust Architecture), describes two planes separated by a trust boundary: a control plane that negotiates the parameters of a session (for example by establishing mTLS), and a data plane that carries the traffic. In an SDP, the controller terminates the client's mTLS session, establishes the identity of the user and device behind it, and determines the list of hosts that identity is authorized to reach. Until that control-plane step completes, those hosts are invisible to the client: the gateways in front of them enforce a 'DENY-ALL / PERMIT EXCEPTIONS' firewall policy and drop unauthenticated packets without responding, so a scanner sees nothing listening. Once the SDP client receives the list of authorized host IPs, it can establish mTLS sessions to them across the data plane.
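The two ideas above, trust established by a single authenticated packet before any connection, and a deny-all gateway that opens an exception only for an identity the controller has authorized, can be shown in a few dozen lines. The following is an added example written for this page; it is not code from the original post, from MIC Solutions or from any SDP product. The shared key, client id, IP addresses, hostnames and the controller policy handed to the gateway are all constructed for the demonstration, and the packet is HMAC-authenticated only (real implementations typically also encrypt it and issue per-device keys from the controller).

```python
"""Single packet authorization (SPA) in front of a deny-all SDP gateway.

Added example, not code from the original post or from any SDP product.
All data here is constructed: the shared key, client id, addresses and the
controller policy that tells the gateway which client may reach which host.
"""
import hashlib
import hmac
import json
import secrets
import time

# Constructed data: in a deployment the SDP controller pushes these to each gateway.
DEMO_KEYS = {"alice": bytes.fromhex("0f" * 32)}   # client id -> shared secret (assumed)
DEMO_POLICY = {"alice": {"app.internal"}}          # client id -> hosts it may reach (assumed)


def build_spa_packet(client_id, source_ip, requested_host, key, now=None, nonce=None):
    """Client side: one authenticated datagram, sent before any TCP connection."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8) if nonce is None else nonce
    body = {"client": client_id, "src": source_ip, "dst": requested_host,
            "ts": now, "nonce": nonce}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"|" + tag


class SpaGateway:
    """Gateway side: DENY-ALL by default. A valid SPA packet opens exactly one
    (source IP, destination host) exception for a short time; nothing else is
    ever answered, so unauthenticated scanners see no listening service."""

    def __init__(self, keys, policy, window=30, ttl=20):
        self.keys = keys             # per-client secrets, from the controller
        self.policy = policy         # authorized hosts per client, from the controller
        self.window = window         # tolerated clock skew in seconds
        self.ttl = ttl               # lifetime of an allow entry in seconds
        self.seen_nonces = set()     # replay protection (bounded by window in practice)
        self.allow = {}              # (src_ip, dst_host) -> expiry time

    def receive_spa(self, packet, observed_src_ip, now=None):
        """Control-plane check. Returns 'allow' or a 'drop: <reason>' string."""
        now = int(time.time()) if now is None else now
        try:
            payload, tag = packet.rsplit(b"|", 1)
            body = json.loads(payload)
        except ValueError:                       # also covers UnicodeDecodeError
            return "drop: malformed"
        if not isinstance(body, dict):
            return "drop: malformed"
        key = self.keys.get(body.get("client"))
        if key is None:
            return "drop: unknown client"
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
        # Constant-time compare; only after this may the fields be trusted.
        if not hmac.compare_digest(expected, tag):
            return "drop: bad hmac"
        if abs(now - body["ts"]) > self.window:
            return "drop: stale"
        if body["nonce"] in self.seen_nonces:
            return "drop: replay"
        self.seen_nonces.add(body["nonce"])
        if body["src"] != observed_src_ip:       # packet must come from the address it names
            return "drop: source mismatch"
        if body["dst"] not in self.policy.get(body["client"], set()):
            return "drop: not authorized for host"
        self.allow[(observed_src_ip, body["dst"])] = now + self.ttl
        return "allow"

    def packet_permitted(self, src_ip, dst_host, now=None):
        """Data-plane check the firewall makes for every packet: default deny."""
        now = int(time.time()) if now is None else now
        expiry = self.allow.get((src_ip, dst_host))
        return expiry is not None and now < expiry


if __name__ == "__main__":
    gw = SpaGateway(DEMO_KEYS, DEMO_POLICY)
    t0 = 1_700_000_000
    client_ip = "203.0.113.7"                    # documentation address, constructed
    print(gw.packet_permitted(client_ip, "app.internal", now=t0))       # False
    pkt = build_spa_packet("alice", client_ip, "app.internal",
                           DEMO_KEYS["alice"], now=t0, nonce="n1")
    print(gw.receive_spa(pkt, client_ip, now=t0))                        # allow
    print(gw.packet_permitted(client_ip, "app.internal", now=t0 + 5))   # True
    print(gw.receive_spa(pkt, client_ip, now=t0 + 1))                    # drop: replay
```

The order of checks matters: the HMAC is verified before any field is acted on, the timestamp and nonce are checked before the allow entry is written, and the entry is keyed on the source address the gateway actually observed rather than the one the client claims. An entry also expires on its own, so a successful SPA packet never leaves the host permanently exposed; the mTLS session the client opens next is what carries the traffic.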

With users demanding ubiquitous access to services across a continually changing corporate landscape, this connection-based security architecture supports their business needs. Furthermore, an SDP solution built on ZTN hides assets from unauthenticated users, which denies attackers the reconnaissance step and stops many attacks before they can begin. It is this blend of performance, agility and innovation, coupled with access to the open-source community, that will be the next battleground for business.

If you are interested in hearing more about SDP or ZTN, or would simply like to discuss your cloud migration strategy, MIC Solutions Ltd would be delighted to hear from you.