Software-Defined Perimeter: Moving Beyond Traditional VPNs

Information and applications are moving into the cloud at breakneck speed to support the accessibility requirements of today’s increasingly decentralized enterprise—whether it is a commercial, nonprofit or government agency. Workforces are spread out geographically, accessing data from their laptop or favorite smart device. And, customers are located in all corners of the globe. This, together with the additional wide array of cloud benefits—inexpensive storage, pay-per-use pricing, disaster recovery (DR) and on-demand resources—will certainly continue to drive cloud adoption rates for some time.

Similarly, incontrovertible is the fact that security breaches are growing in regularity (if not severity) with each new assault. And, an increasing number of these data breaches are occurring in the cloud, endangering the benefit of possibly the most innovative technology advancement of our times.

What’s needed to fortify the cloud’s value proposition is a security paradigm as flexible and as low latent as the very opportunities cloud computing affords. It should minimize the attack surface area, while escaping the notice of intruders; it should be deeply embedded within an organization to safeguard its applications and information as the enterprise “family jewels” that they are.

Software-defined perimeter (SDP) is a progressive security model that delivers these benefits and many others. When well implemented, it provides secure gateways at the application layer, both to and between clouds, for impregnable security with cloaked microtunnels that attackers cannot see or detect.

The best of these implementations rely on seldom-used proprietary protocols, offer microtunnel failover for continuous application connectivity between clouds and on-premises settings, and are dynamically positioned wherever resources are located.

With encryption capabilities that guarantee even third-party software providers aren’t privy to transmissions, they are the most fortified deep-segmentation perimeter methodology purposely designed for hybrid and multi-cloud deployments.

Traditional Limitations

Hybrid and multi-cloud deployments are becoming more and more necessary to decrease organizational costs and increase productivity. In fact, according to 451 Research’s “Voice of the Enterprise: Cloud Hosting and Managed Services, Budgets and Outlook” survey of 644 enterprise IT decision-makers, 58 percent of organizations are pursuing a hybrid strategy involving integrated on-premises systems and off-premises cloud/hosted resources. Moving data centers or individual applications to the cloud to enable uniform access for distributed locations is a common use case; establishing different nodes in the major public cloud providers for various pricing options, failovers or burst performance needs is another. Standard perimeter security measures in these examples and others involve creating virtual private networks (VPNs), which actually multiply risk in countless ways. VPNs were designed for traditional on-premises security; they’re less effective in the cloud because they expand the network surface area, creating more room for lateral movement attacks. This credential-based security method is also challenging to manage with messy access control lists and the frequent reconfiguration of firewalls.

Competitive software-defined perimeter solutions surpass these limitations in several ways. They effectively implement segmented microtunnels between applications or servers—in different clouds and on-premises—creating microperimeters to virtually eliminate network attack surface, as opposed to expanding it. The lack of network expansion means users are simply connected at the application layer via a microtunnel gateway that effectively cloaks this conduit so intruders have nothing to scan. In contrast, VPNs leave ports open and vulnerable for hackers to detect. All the access control lists, firewall concerns, costs and risks of standard VPN measures are obsolete with software-defined perimeter security.

Fine-Grained Security

Because software-defined perimeter options provide the invisible security ports described above directly between applications or servers, they’re highly transferable between settings. They result in a dynamic deployment of perimeter security wherever it is needed, isolating specific services for ingrained user accessibility. Certain implementations of these solutions, however, offer more protection than others. Most platforms create microtunnels with Transmission Control Protocol (TCP), which is widely used and well known to malicious actors. More competitive approaches involve User Datagram Protocol (UDP), which is used much less often and is therefore less familiar to potential hackers. One reason TCP is more commonly used than UDP is that it has innate error-correction capabilities that keep data in order. By supplementing UDP with data-correction capabilities similar to those found in TCP, competitive software-defined perimeter solutions keep data packets in order while relying on a lesser-known protocol for improved security and lower data transmission latencies.

Consequently, when distributed on-premises Oracle client applications use such a solution to concurrently talk to an application server in the Azure cloud for a financial services use case, for example, one of the first things to transpire is the opening of randomly generated UDP ports between the on-premises microtunnel gateway and the Azure microtunnel gateway. Security is augmented by the random generation of the port—whereas many applications depend on standard ports known to all users—and by the fact that most scanning tools are tuned to home in on TCP, not UDP, ports. Once the microtunnels are in place, the client application and cloud server application hosts communicate only via their respective microtunnel gateways. Their ports are never exposed to the internet, effectively cloaking them from everyone.
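As an added example (not DH2i's code or wire format), the following sketch shows the two mechanics this section describes: a gateway socket bound to an OS-chosen ephemeral UDP port, and a reorder buffer that supplements UDP with the in-order delivery and gap detection TCP has natively. The 4-byte sequence header, the window size and the loopback address are assumptions made for the example.

```python
import random
import socket
import struct

# Constructed wire format (an assumption, not DH2i's): a 4-byte big-endian
# sequence number in front of each UDP payload so the receiver can reorder.
HEADER = struct.Struct("!I")

def pack_datagram(seq: int, payload: bytes) -> bytes:
    return HEADER.pack(seq) + payload

class ReorderBuffer:
    """Gives unordered, lossy UDP the in-order delivery that TCP provides natively."""

    def __init__(self, window: int = 64):
        self.next_seq = 0      # next sequence number owed to the application
        self.window = window   # bound on buffered lookahead, so memory stays finite
        self.pending = {}      # seq -> payload waiting for an earlier gap to fill

    def receive(self, datagram: bytes) -> list:
        (seq,) = HEADER.unpack_from(datagram)
        payload = datagram[HEADER.size:]
        if seq < self.next_seq or seq in self.pending:
            return []          # duplicate: already delivered or already held
        if seq >= self.next_seq + self.window:
            return []          # too far ahead: drop instead of growing unbounded
        self.pending[seq] = payload
        delivered = []
        while self.next_seq in self.pending:   # release every now-contiguous chunk
            delivered.append(self.pending.pop(self.next_seq))
            self.next_seq += 1
        return delivered

    def missing(self) -> list:
        """Sequence numbers to ask the peer to resend: gaps below the highest held."""
        if not self.pending:
            return []
        return [s for s in range(self.next_seq, max(self.pending)) if s not in self.pending]

def open_gateway_socket() -> socket.socket:
    """Bind to port 0 so the OS picks an ephemeral port, as the text's gateways do."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    return sock

def deliver_shuffled(chunks, seed: int = 7) -> bytes:
    """Simulate the network reordering datagrams; return what reaches the app, in order."""
    datagrams = [pack_datagram(i, c) for i, c in enumerate(chunks)]
    random.Random(seed).shuffle(datagrams)
    buf = ReorderBuffer()
    return b"".join(p for d in datagrams for p in buf.receive(d))
```

Calling `open_gateway_socket().getsockname()[1]` shows the port the OS selected; `deliver_shuffled` reassembles the constructed chunks regardless of arrival order.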

Software-Defined Perimeter Advantages

The most robust software-defined perimeter implementations offer a pair of advantages that competitors don’t. The first is application-level encryption and public key authentication. Even if attackers did manage to find and access these invisible ports, they’d only get encrypted data. Typically, providers of this form of security don’t encrypt data, which makes them privy to this information. Impenetrable implementations of this paradigm involve software that connects the microtunnels between applications without further involvement with the data, because the data is encrypted.

The second boon, unique to this implementation, is that the gateways themselves are highly available. All users have to do is deploy multiple gateways between settings. If the microtunnel between an on-premises application and AWS, for example, failed for any reason, the data could automatically fail over to an Azure cloud for high availability. Another use case for multi-cloud deployments involves burst performance. For example, if users had a three-node cluster spanning on-premises, Azure and AWS for OLTP, they could rely on this implementation of software-defined perimeter to burst to large nodes in the cloud for end-of-week or end-of-month tallying, which would otherwise tax their on-premises resources. If one provider failed for any reason, users could securely go to the other to continue operating.

Cloud Neutral

Not only do such software-defined perimeter implementations exceed traditional security measures for hybrid and multi-cloud access, but their protocols, encryption and high availability surpass those of other implementations. They’re also cloud-agnostic for complete flexibility between clouds, enabling users to eschew vendor lock-in with the most effective security for multi-cloud and hybrid usage.

Don Boxley Jr.

Don Boxley is a DH2i co-founder and CEO. Prior to DH2i, Don held senior marketing roles at Hewlett-Packard where he was instrumental in sales and marketing strategies that resulted in significant revenue growth in the scale-out NAS business. Don spent more than 20 years in management positions for leading technology companies, including Hewlett-Packard, CoCreate Software, Iomega, TapeWorks Data Storage Systems and Colorado Memory Systems. Don earned his MBA from the Johnson School of Management, Cornell University.
