
Software-defined perimeter (SDP)

Software-defined perimeter (SDP) is a security framework developed by the Cloud Security Alliance (CSA) that controls access to resources based on identity. The framework is based on the U.S. Department of Defense's "need to know" model -- all endpoints attempting to access a given infrastructure must be authenticated and authorized prior to entrance.

SDPs are designed to let enterprises provide secure access to network-based services, applications and systems. The SDP approach is sometimes said to create a "black cloud" because it obscures systems within the perimeter so that outsiders can't observe them.

SDP software is purpose-built to give medium and large organizations the perimeter security model needed for zero trust applications and workload-centric network connectivity between on-premises and cloud environments. In addition to limiting the attack surface, an SDP solution also eliminates network vendor chaos by allowing for installation on any host, without network reconfiguration or appliance lock-in.

How an SDP works

The SDP uses an approach to cybersecurity that mitigates network-based attacks, protecting all classification levels of legacy IT assets and cloud services. It works by hiding critical IT assets within an opaque black cloud that can't be accessed by outsiders. It doesn't matter whether the assets are in the cloud, on premises, in a DMZ (demilitarized zone, sometimes known as a perimeter network), on a server in a data center or even in an application server.

Essentially, an SDP functions as a broker between internal applications and users, granting access to a service only when the correct criteria are met. The SDP creates an invisible screen to protect against malware, cyberattacks and other threats.

Uses of an SDP

SDPs are used to lower the chances of successful network-based attacks, including denial-of-service (DoS) attacks, man-in-the-middle attacks, exploitation of server vulnerabilities, lateral movement, and application-layer attacks such as SQL injection or cross-site scripting (XSS). SDPs are implemented for many different reasons, including:

  • SDPs support a variety of devices. The perimeter can authenticate laptops and PCs, as well as mobile devices and internet of things (IoT) devices, and SDPs ensure that connections can't be initiated from unauthorized or invalid devices.
  • SDPs restrict broad network access. Individual entities aren't granted broad access to network segments or subnets, so devices can only access the specific services and hosts that are permitted by policy. This minimizes the network attack surface and prevents port and vulnerability scanning by malicious users or malicious software.
  • SDPs support a broader risk-based policy. The SDP systems make access decisions based on numerous risk criteria, including threat intelligence, malware outbreaks, new software and more.
  • SDPs can be used to connect anything. Software-defined perimeter technology enables connectivity to only the IT resources required by employees without the cumbersome management requirements or mounting hardware costs.
  • SDPs enable control of services, applications and access. SDPs are capable of controlling which applications and devices are allowed to access specified services. This limits the attack surface and stops malicious users or malware from connecting to resources.

SDP vs. VPN

The most common benefit a virtual private network (VPN) provides an organization or individual is the ability to give users and third parties remote access to isolated networks. However, there are two major security risks that make the VPN an inappropriate method for providing remote access to isolated networks and applications -- credential theft and excessive access.

Credential theft is doubly impactful for VPNs because people tend to use the same username and password across numerous websites. Because it's very possible that the credentials someone uses to access their social media account are the same as those for their remote access VPN account, credential theft is the most common and most effective network attack vector.

Excessive access is the second risk: a VPN provides a user a "slice of the network" with wide, often excessive access to network resources, including the infrastructure itself -- DHCP, DNS, switches and routers. Not only does this provide a large attack surface for a bad actor, it also gives legitimate users access to far more than the one or two applications they really need.

It's recommended that administrators add software-defined perimeter tools to their VPN infrastructure. The goal is to help navigate security challenges, including those in hybrid and multi-cloud deployments, in order to reduce potential attack surfaces and protect key data. With SDP network security software, network administrators are able to dynamically deploy highly available micro-perimeters for hybrid and multi-cloud environments to isolate services for fine-grained user access.

In addition to the previously enumerated VPN security risks, compromised devices are the biggest challenge of using a mobile phone or tablet as a VPN access device. Any device that accesses an isolated network via VPN presents a real risk of bringing malware into that network environment. Nothing in the VPN connection process assesses the state of a device. If any type of malware is on an access device, the malicious software could propagate across the VPN into the broader isolated network -- creating untold havoc (e.g. ransomware situations).

SDP framework

Software-defined perimeter technology enables a secure perimeter based on policies used to isolate services from unsecured networks. The goal of the CSA's SDP framework is to provide an on-demand, dynamically provisioned, air-gapped network -- a segmentation of network resources that mirrors a physically defined network perimeter but operates in software rather than via an appliance -- by authenticating users and devices before authorizing the user/device combination to securely connect to the isolated services. Unauthorized users and devices can't connect to the protected resources.

When the authentication is completed, the trusted devices are given a unique and temporary connection to the network infrastructure. The SDP framework lets companies streamline operations when it comes to user authentication and application security.
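The controller-side decision described in the "Uses of an SDP" list and in the framework section above (authenticate the device and user first, then grant only specific services for a limited time, taking risk signals into account) can be illustrated with a small deny-by-default policy check. This is an added example, not code from the CSA specification or any SDP product; the device inventory, service policy, group membership and the 0-100 risk score are all constructed placeholders.

```python
"""Illustrative deny-by-default SDP controller policy check (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed inventory: devices the controller has enrolled, keyed by device ID.
ENROLLED_DEVICES = {
    "lap-0042": {"owner": "alice", "disk_encrypted": True},
    "tab-0007": {"owner": "bob", "disk_encrypted": False},
}

# Constructed policy: grants are per service (host:port), never per subnet.
SERVICE_POLICY = {
    "hr-portal:443": {"groups": {"hr"}, "require_encryption": True, "max_risk": 30},
    "git:22":        {"groups": {"eng"}, "require_encryption": True, "max_risk": 50},
    "wiki:443":      {"groups": {"hr", "eng"}, "require_encryption": False, "max_risk": 70},
}

USER_GROUPS = {"alice": {"hr", "eng"}, "bob": {"eng"}}


@dataclass
class AccessRequest:
    user: str
    device_id: str
    risk_score: int                      # 0 (clean) .. 100 (e.g. threat-intel hit)
    requested: list = field(default_factory=list)


def evaluate(req, now=None, ttl_minutes=15):
    """Return (granted_services, expiry); an unenrolled or borrowed device gets nothing."""
    now = now or datetime.now(timezone.utc)
    device = ENROLLED_DEVICES.get(req.device_id)
    if device is None or device["owner"] != req.user:
        return [], None                  # device check fails: no connection at all
    groups = USER_GROUPS.get(req.user, set())
    granted = []
    for svc in req.requested:
        rule = SERVICE_POLICY.get(svc)
        if rule is None:
            continue                     # unknown service: not reachable, not even scannable
        if not groups & rule["groups"]:
            continue                     # user lacks a group the service requires
        if rule["require_encryption"] and not device["disk_encrypted"]:
            continue                     # device posture does not meet the service's bar
        if req.risk_score > rule["max_risk"]:
            continue                     # current risk too high for this service
        granted.append(svc)
    # Temporary grant: the connection must be re-authorized once the TTL lapses.
    expiry = now + timedelta(minutes=ttl_minutes) if granted else None
    return granted, expiry
```

Note that the result is a list of individual services rather than a network range, so a host that is not in the grant is never addressable, and a higher risk score narrows the grant without any change to the underlying network.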

SDP deployment models

SDP deployment models can be characterized by the way they structure interactions among clients, servers and gateways. The primary approaches to implementing software-defined perimeter technology include:

  • Client-to-gateway deployment positions the servers behind an Accepting Host, which acts as a gateway between the protected servers and the clients -- Initiating Hosts in SDP terminology. The client-to-gateway SDP can be deployed inside a network to reduce such lateral movement attacks as operating system (OS) and application vulnerability exploits, man-in-the-middle attacks and server scanning. It can also be deployed directly on the internet in order to segregate protected servers from unauthorized users, as well as to mitigate attacks.
  • Client-to-server deployment is similar to the client-to-gateway deployment except that the server being protected by the SDP is the system that runs the Accepting Host software -- instead of the gateway. Deciding between the client-to-gateway and the client-to-server deployment is usually based on a number of factors, including analysis of load-balancing needs, the servers' elasticity -- how adaptable the cloud server is to changes in workloads -- and the number of servers an enterprise needs to protect behind the SDP.
  • Server-to-server deployments protect servers that offer any kind of application programming interface (API) over the internet -- a Simple Object Access Protocol (SOAP) service, a remote procedure call (RPC), a representational state transfer (REST) service or similar -- from all unauthorized hosts on the network. The protected API is what the Accepting Host and the Initiating Host use to communicate.
  • Client-to-server-to-client implementations depend on a peer-to-peer (P2P) relationship between the clients that can be used for applications such as chat, video conferencing, IP telephony and similar applications. In this deployment, the SDP obfuscates the IP addresses of the connecting clients, with the server acting as the intermediary for both clients.
