The Benefit of a Software-Defined Perimeter


By Don Boxley

The decentralization of the modern enterprise is an established fact. The bevy of cloud benefits — cheap storage, pay-per-use pricing, disaster recovery, and on-demand resources — will likely continue to spur adoption rates for some time.

Equally undeniable is the reality of security breaches, which seem to grow in frequency (if not severity) with each new threat. A discomforting number of data breaches occur in the cloud, imperiling the utility of perhaps the most innovative infrastructure advancement of our times.

What’s needed to reinforce the cloud’s value proposition is a security model as flexible and as low-latency as the opportunities and threats that cloud computing creates. It should minimize the attack surface while staying out of sight of intruders, and it should be embedded deeply enough within an organization to safeguard its data as the enterprise assets they are.

Software-Defined Perimeter (SDP) is a security model that delivers these properties and others. When properly implemented, it secures gateways at the application layer both to and between clouds, using cloaked micro-tunnels that present nothing for an attacker’s port scan to find.

The best of these implementations rely on transport protocols that attackers rarely probe, offer micro-tunnel failover for continuous application connectivity between clouds and on-premises environments, and are positioned dynamically wherever the resources are.

With application-level encryption that keeps even the third-party software provider from reading transmissions, they offer the deepest segmentation of any perimeter method purpose-built for hybrid and multi-cloud deployments.

Traditional Limitations

Hybrid and multi-cloud deployments are becoming increasingly necessary to reduce organizational costs and boost productivity. In fact, according to 451 Research's Voice of the Enterprise: Cloud Hosting and Managed Services, Budgets and Outlook survey of 644 enterprise IT decision-makers, 58% of organizations are pursuing a hybrid strategy involving integrated on-premises systems and off-premises cloud/hosted resources.

Moving data centers or specific applications to the cloud to enable uniform access for distributed locations is a common use case; establishing different nodes in the major public cloud providers for various pricing options, failovers or burst performance needs is another. Typical perimeter security measures in these examples and others involve establishing Virtual Private Networks (VPNs), which actually multiply risk in numerous ways.

VPNs were designed for traditional on-premises security and are less effective in the cloud because they extend the network itself: a connected client lands on a routable segment, which gives a compromised endpoint room for lateral movement.

VPN access is also hard to operate. It is credential-based, and keeping it correct means maintaining sprawling access control lists and continually reconfiguring firewalls.

Competitive Software-Defined Perimeter solutions overcome these limitations in several ways. They implement segmented micro-tunnels between applications or servers, across different clouds and on-premises, creating micro-perimeters that shrink the network attack surface rather than expanding it. Because the network is not extended, users are simply connected at the application layer through a micro-tunnel gateway, and the gateway cloaks that conduit so intruders have nothing to scan.

VPN concentrators, by comparison, listen on well-known ports that scanners detect. Much of the access control list and firewall overhead, cost and risk of standard VPN measures disappears with Software-Defined Perimeter security.

Granular Security

Because Software-Defined Perimeter solutions establish these invisible secured connections directly between applications or servers, they are highly portable between environments. The result is perimeter security deployed dynamically wherever it is needed, isolating specific services for fine-grained user access.

Certain implementations offer more protection than others. Most platforms create micro-tunnels over Transmission Control Protocol (TCP), which is widely used and well known to malicious actors. More competitive approaches use User Datagram Protocol (UDP), which is scanned far less often and is therefore less familiar to potential attackers. One reason TCP is used more often than UDP is that it provides reliable, in-order delivery (sequence numbers, acknowledgements and retransmission), whereas UDP does not. By adding comparable sequencing and recovery on top of UDP, competitive Software-Defined Perimeter solutions keep data packets in order while running on a less commonly probed protocol, with lower transmission latency than tunneling TCP inside TCP. The lower profile is a useful obstacle to reconnaissance, not a substitute for authenticating the tunnel endpoints, which the encryption described below provides.

Consider distributed, on-premises Oracle client applications that use such a solution to talk simultaneously to an application server in the Azure cloud for a financial services workload. One of the first things to happen is the opening of randomly generated UDP ports between the on-premises micro-tunnel gateway and the Azure micro-tunnel gateway.

Security is improved by the random choice of port (many applications rely on standard ports known to everyone) and by the fact that most scanning tools default to TCP port scans; UDP scanning is slower and less often performed. Once the micro-tunnels are in place, the client application host and the cloud server host communicate only through their respective micro-tunnel gateways. The application hosts’ own ports are never exposed to the Internet; the only externally reachable port is the gateway’s random UDP port, so the services are effectively cloaked from everyone but the gateways.

If database administrators put this fine-grained security in place, not even their own network administrators, let alone attackers, would know that their servers are connected.
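The two mechanisms just described, the TCP-like ordering layer on top of UDP from the previous section and the gateway bound to a randomly chosen UDP port, are shown together below as an added example written for this page. It is not DH2i’s code or wire format. Assumptions: each datagram carries a constructed 4-byte sequence header; a `Reorderer` type releases payloads in order while holding at most `maxHold` early frames; the gateway binds to port 0 so the operating system picks an ephemeral port; the sample frames in `main` are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"time"
)

// Constructed frame layout for this example (not the product's wire format):
// a 4-byte big-endian sequence number followed by the application payload.
const seqHeaderLen = 4

var ErrShortFrame = errors.New("frame shorter than sequence header")
var ErrBufferFull = errors.New("reorder buffer full")

// Frame prepends a sequence number to a payload before it goes into a datagram.
func Frame(seq uint32, payload []byte) []byte {
	buf := make([]byte, seqHeaderLen+len(payload))
	binary.BigEndian.PutUint32(buf, seq)
	copy(buf[seqHeaderLen:], payload)
	return buf
}

// Reorderer restores TCP-like ordering on top of UDP: it releases payloads
// strictly in sequence, drops duplicates and stale frames, and holds at most
// maxHold early frames so a peer cannot exhaust memory with far-ahead sequence
// numbers. No retransmission and no 32-bit wraparound handling; a real tunnel
// adds acknowledgements and retransmission on top of this.
type Reorderer struct {
	next    uint32            // next sequence number to deliver
	pending map[uint32][]byte // frames that arrived early, keyed by sequence
	maxHold int
}

func NewReorderer(maxHold int) *Reorderer {
	return &Reorderer{pending: make(map[uint32][]byte), maxHold: maxHold}
}

// Push accepts one received datagram and returns every payload now deliverable in order.
func (r *Reorderer) Push(frame []byte) ([][]byte, error) {
	if len(frame) < seqHeaderLen {
		return nil, ErrShortFrame
	}
	seq := binary.BigEndian.Uint32(frame)
	payload := append([]byte(nil), frame[seqHeaderLen:]...)
	if seq < r.next {
		return nil, nil // already delivered: duplicate or replay
	}
	if _, held := r.pending[seq]; held {
		return nil, nil // duplicate of a frame still waiting
	}
	if seq != r.next {
		if len(r.pending) >= r.maxHold {
			return nil, ErrBufferFull
		}
		r.pending[seq] = payload
		return nil, nil
	}
	out := [][]byte{payload}
	for r.next++; ; r.next++ { // release consecutive frames held behind the gap
		p, ok := r.pending[r.next]
		if !ok {
			return out, nil
		}
		delete(r.pending, r.next)
		out = append(out, p)
	}
}

// ListenRandomUDP binds to an OS-chosen ephemeral port (port 0): the "randomly
// generated UDP port" of the text. The application behind the gateway keeps
// listening on loopback only and is never reachable from outside directly.
func ListenRandomUDP(ip string) (*net.UDPConn, error) {
	return net.ListenUDP("udp", &net.UDPAddr{IP: net.ParseIP(ip), Port: 0})
}

func main() {
	gw, _ := ListenRandomUDP("127.0.0.1")
	defer gw.Close()
	fmt.Println("gateway listening on", gw.LocalAddr())
	// Constructed sample: three frames sent out of order, one of them twice.
	sender, _ := net.DialUDP("udp", nil, gw.LocalAddr().(*net.UDPAddr))
	for _, f := range [][]byte{Frame(0, []byte("BEGIN")), Frame(2, []byte("COMMIT")), Frame(1, []byte("UPDATE")), Frame(1, []byte("UPDATE"))} {
		sender.Write(f)
	}
	r, buf := NewReorderer(64), make([]byte, 1500)
	gw.SetReadDeadline(time.Now().Add(2 * time.Second))
	for i := 0; i < 4; i++ {
		n, _, err := gw.ReadFrom(buf)
		if err != nil {
			break
		}
		out, _ := r.Push(buf[:n])
		for _, p := range out {
			fmt.Printf("delivered %q\n", p)
		}
	}
}
```

Binding to port 0 hides nothing from a scan of the full UDP range; what it removes is the well-known, guessable port, and the application itself stays unreachable because only the gateway listens on a routable address. The `maxHold` bound matters because a receiver that buffers early frames without limit can be driven out of memory by anyone who can reach the gateway port.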

Encryption and Availability

The most robust Software-Defined Perimeter implementations offer two advantages that competitors do not. The first is application-level encryption with public key authentication. Even if attackers did manage to find and reach these hidden ports, they would obtain only ciphertext. Providers of this form of security often do not encrypt the data themselves, which makes them privy to it. The strongest implementations connect the micro-tunnels between applications without any further involvement with the data, because the data is already encrypted before it enters the tunnel.
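As an added example of the application-level encryption and public key authentication described here, written for this page and not DH2i’s code, wire format or key exchange: each gateway holds a static X25519 key pair and is configured out of band with the peer’s public key (pinning), so a frame that authenticates can only have been produced by the holder of the pinned private key; per-direction AES-256-GCM keys are derived from the static-static agreement; the frame layout (8-byte sequence number followed by the GCM ciphertext) and the KDF label are constructed for illustration. Because the keys live on the customer’s own gateways, the tunnel provider is never in a position to read the traffic.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Tunnel is one end of an authenticated, encrypted micro-tunnel between two
// gateways. Assumption: static X25519 keys, peer public key pinned out of band.
type Tunnel struct {
	send, recv cipher.AEAD
	sendSeq    uint64 // last sequence number emitted
	recvSeq    uint64 // highest sequence number accepted (0 = none yet)
}

var ErrShortFrame = errors.New("frame shorter than sequence header")
var ErrReplay = errors.New("sequence number not newer than last accepted")

// GenerateGatewayKey creates a gateway's static X25519 key pair.
func GenerateGatewayKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// NewTunnel derives per-direction AES-256-GCM keys from a static-static ECDH
// agreement; only the holder of the pinned peer's private key can derive them.
// Public-key order in the KDF input separates the two directions, so the
// counter nonce never repeats under one key.
func NewTunnel(me *ecdh.PrivateKey, peer *ecdh.PublicKey) (*Tunnel, error) {
	secret, err := me.ECDH(peer)
	if err != nil {
		return nil, err
	}
	mine, theirs := me.PublicKey().Bytes(), peer.Bytes()
	return &Tunnel{send: aead(kdf(secret, mine, theirs)), recv: aead(kdf(secret, theirs, mine))}, nil
}

// kdf hashes the shared secret, an illustrative label (not a product format)
// and the sender and receiver public keys into a 32-byte key.
func kdf(secret, from, to []byte) []byte {
	h := sha256.New()
	for _, part := range [][]byte{[]byte("sdp-example-v1"), secret, from, to} {
		h.Write(part)
	}
	return h.Sum(nil)
}

// aead builds AES-256-GCM; a 32-byte SHA-256 output is always a valid key.
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// Seal builds one datagram: 8-byte big-endian sequence number, then the GCM
// ciphertext. The sequence number is both nonce and authenticated header.
func (t *Tunnel) Seal(payload []byte) []byte {
	t.sendSeq++
	frame := make([]byte, 8, 8+len(payload)+t.send.Overhead())
	binary.BigEndian.PutUint64(frame, t.sendSeq)
	nonce := make([]byte, t.send.NonceSize())
	copy(nonce[4:], frame[:8])
	return t.send.Seal(frame, nonce, payload, frame[:8])
}

// Open verifies and decrypts a datagram from the pinned peer, rejecting frames
// that are truncated, replayed, modified, or built with any other key.
func (t *Tunnel) Open(frame []byte) ([]byte, error) {
	if len(frame) < 8 {
		return nil, ErrShortFrame
	}
	seq := binary.BigEndian.Uint64(frame[:8])
	if seq <= t.recvSeq {
		return nil, ErrReplay
	}
	nonce := make([]byte, t.recv.NonceSize())
	copy(nonce[4:], frame[:8])
	plain, err := t.recv.Open(nil, nonce, frame[8:], frame[:8])
	if err != nil {
		return nil, err // wrong key or tampered frame
	}
	t.recvSeq = seq
	return plain, nil
}

func main() {
	onprem, _ := GenerateGatewayKey()
	cloud, _ := GenerateGatewayKey()
	a, _ := NewTunnel(onprem, cloud.PublicKey())
	b, _ := NewTunnel(cloud, onprem.PublicKey())
	plain, err := b.Open(a.Seal([]byte("SELECT 1 FROM dual"))) // constructed sample payload
	fmt.Printf("cloud gateway received %q err=%v\n", plain, err)
	frame := a.Seal([]byte("second"))
	frame[len(frame)-1] ^= 1 // one ciphertext bit flipped in transit
	_, err = b.Open(frame)
	fmt.Println("tampered frame:", err)
}
```

The replay check is strict (every accepted sequence number must be larger than the last), so this variant would have to sit behind an ordering layer or be relaxed to a sliding window if frames may legitimately arrive out of order. Because the keys here derive from static keys only, a restarted gateway would restart its counter under the same key and reuse nonces; a production tunnel adds an ephemeral key exchange per session so that each session gets fresh keys, and rotates them before the counter space is exhausted.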

The second is that the gateways themselves are highly available. All users have to do is deploy multiple gateways between environments. If the micro-tunnel between an on-premises application and AWS failed for any reason, the traffic could automatically fail over to an Azure gateway to keep the application available.

Another multi-cloud use case is burst capacity. Users with a three-node OLTP cluster spanning on-premises, Azure and AWS could rely on this Software-Defined Perimeter implementation to burst to larger cloud nodes for end-of-week or end-of-month processing that would otherwise strain on-premises resources. If one provider failed for any reason, users could securely continue operating on the other.

Cloud Agnostic

Such Software-Defined Perimeter implementations not only exceed traditional security measures for hybrid and multi-cloud access; their protocols, encryption and high availability also surpass those of other implementations. They are cloud-agnostic as well, giving complete flexibility between clouds and letting users avoid vendor lock-in while keeping the most effective security for multi-cloud and hybrid usage.

About Don Boxley

Don Boxley is a DH2i co-founder and CEO. Prior to DH2i, Boxley held senior marketing roles at Hewlett-Packard where he was instrumental in product, sales and marketing strategies that resulted in significant revenue growth in the scale-out NAS business.
