Gartner Blog Network


Software Defined Perimeter Technology is More than a Fancy VPN

by Lawrence Pingree  |  September 23, 2015  |  3 Comments

It’s been a while since I’ve blogged, but I wanted to expand a bit on how Software Defined Perimeter technology works. The key reason that this technology helps reduce the network attack surface is that before SDP is deployed onto a host, the  default TCP/IP stack will automatically strip, parse and process all headers/packets and then send payloads up to the Application Layer for reciept. In an SDP implementation, application connectivity is only provided once the user and device is authenticated and trust is established. This means that traditional attacks that rely on the default-trust flaws built into traditional TCP/IP will be thwarted when using SDP because any non-SDP trusted traffic is discarded prior to stack processing. SDP is not a panacea, but does provide a significant improvement for trusted system access and it tightly couples ubiquitous encrypted network access to applications. The down-side of other offerings that deliver similar functionality is the complexity and lack of ubiquity across many environments, especially where you don’t own the underlying infrastructure (for example public clouds & external hosted environments).  Technology providers that play in the networking space should take notice of SDP and its implications. Gartner clients that have questions related to SDP can have an inquiry with me as part of their Gartner subscription.

 

 

Category: security  

Lawrence Pingree
Research Director
6+ years with Gartner
19 years industry experience

Lawrence Pingree is a Research Director in Gartner's Security Technology and Service provider group. His responsibilities include providing critical insights to both end users and technology providers. He closely tracks the information security markets, technologies, technology and adoption trends, and competitive market dynamics.… Read Full Bio


Thoughts on Software Defined Perimeter Technology is More than a Fancy VPN


  1. In the Vidder Precision Access implementation of SDP placing a public or private cloud-based service within the software defined perimeter is at least as easy and perhaps easier than doing so for a service within the traditional perimeter. The reason for this is that there is no need to build complex firewall rules for allowing the SDP components to reach the service being protected.

    Thanks for blogging about SDP!!!

  2. Jason Garbis says:

    Lawrence, thanks for your post. I want to expand on the point you made about authentication and trust. What’s key here is that a well-designed SDP solution must go beyond static authentication and static authorization policies, and take into account user context when making access decisions. Specifically, it’s important that the solution understand both static user attributes – such as department – as well as dynamic user attributes – such as network location – and to base authentication and authorization decisions on these.

    Done properly, an SDP solution will truly deliver Attribute-Based Access Control in a way that transparently allows business users to access authorized resources, and stymies malicious users from accessing unauthorized resources.

    At Cryptzone, we believe we’ve solved this problem well, and encourage enterprises to look at the SDP model to obtain an improved security posture.

  3. Blake Dournaee says:

    Great post Lawrence. One of the most fascinating and exciting things about the SDP security model is that it seems to enable wholesale use of the commodity public cloud, even for “crown jewel” type Enterprise applications.

    The fact that attackers don’t know where the application lives is a powerful security posture. Other than brute force hacking mutual TLS or a strong keyed MAC, the only other possible attack seems to be against the controller or a brute force search on the full IP address space of all applications running in the public cloud.

    This moves the attack surface to the client as the most probable avenue of attack. Will be interesting to see how this develops.



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.