Software-defined perimeters use a “verification before trust” strategy that demands and assesses the security status of an entity requesting access to applications or data.
“The vast majority of IT environments are both data center and cloud, which will require organizations to utilize perimeter-based VPNs [virtual private networks] and SDP [software-defined perimeter] architectures that support zero-trust tenets,” said Scott Gordon, Pulse Secure’s chief marketing officer.
The new Pulse SDP technology adds eight security elements to the vendor’s Secure Access Suite: dual-mode VPN and SDP architectures; multi-factor authentication and authorization options; uniform policy management; granular and stateful access enforcement; enhanced access options; separate data and control planes; deployment flexibility; and reduced cost of ownership.
“Pulse SDP makes the company’s remote access technologies [VPN suite] smarter,” wrote Shamus McGillicuddy, Enterprise Management Associates’ research director for network management. “Enterprises can apply things like location- and behavior-based intelligence to the authentication mechanisms in Pulse’s remote access solutions, and this allows them to make better-informed decisions about who has access to applications and services across the data centers, public clouds, and private clouds. For example, if a CEO’s credentials are stolen by someone overseas, Pulse SDP can detect the fact that the CEO’s account is trying to access the network from an IP address in North Korea,” he explained. “A standard remote access solution wouldn’t necessarily flag this issue.”
The Pulse SDP, which consists of controllers, gateways, and clients, securely connects a client to a cloud application or resource over separate control and data planes. On the control plane, the controller verifies the user’s device identity and validates its security status before the client is granted access through the gateway. Once the conditions of access are met, the data plane carries encrypted, high-speed data transfer.
Gordon says this approach is scalable and flexible. “Typically, SDP addresses cloud access with such business cases as remote workforce access to cloud resources, being able to more easily support BYOD within their mobile workforce to access cloud applications, facilitating third party access to cloud hosted resources,” Gordon wrote in an email. “It allows organizations to enable users to directly access applications without having to go through VPNs or onboard the enterprise network. And by enabling user access on a per-application basis, it helps organizations reduce their attack surface, exposure to cyber threats and malware.”
Separating the data being transferred from the mechanism by which trust is established is vital to secure operations. “Since a device connected via an SDP-based process will only connect to a controller and have conditional access to the resources that have been defined in a centrally managed policy held by the controller, the overall attack surface is reduced,” he said. “It would be impossible for an attacker or malware to move laterally inside a perimeter – everything else on the network is effectively undiscoverable.”
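The control-plane/data-plane split described above, as an added Python sketch that is not Pulse Secure’s code: a controller evaluates user entitlement, MFA, device posture and source-country context against a centrally held policy and, only on an allow, issues a signed, short-lived grant bound to one user, device and application; a gateway opens a data-plane session only for an authentic, unexpired grant issued for its own application, so a grant for one application cannot be replayed against another. The policy values, posture fields, shared signing key and IP-to-country table are constructed assumptions, not anything the product documents.

```python
"""Toy SDP control plane and gateway: verify identity, device posture and
request context before issuing a short-lived, per-application grant.

Added illustration, not Pulse Secure's code. Policy values, posture fields,
the signing key and the IP-to-country table are constructed assumptions.
"""
from dataclasses import dataclass
import hashlib
import hmac
import json
import secrets
import time

# Key shared by controller and gateways (constructed; a real deployment would
# use asymmetric keys or mutual TLS between the two planes).
SIGNING_KEY = b"constructed-controller-key"

# Constructed IP-prefix -> country table standing in for a GeoIP lookup.
GEO_TABLE = {"203.0.113.": "US", "198.51.100.": "KP"}

# Centrally managed policy: which users may reach which application, and the
# device posture and request context required. Constructed example values.
POLICY = {
    "payroll": {"users": {"alice", "ceo"}, "countries": {"US"},
                "max_patch_age_days": 30, "require_mfa": True},
    "wiki": {"users": {"alice", "bob", "ceo"}, "countries": {"US", "DE"},
             "max_patch_age_days": 90, "require_mfa": False},
}


@dataclass
class Device:
    device_id: str
    enrolled: bool          # registered with the controller
    disk_encrypted: bool    # posture attribute reported by the client
    patch_age_days: int     # days since the last OS patch


@dataclass
class AccessRequest:
    user: str
    mfa_passed: bool
    device: Device
    source_ip: str
    application: str


def country_for(ip: str) -> str:
    """Map a source IP to a country code using the constructed table."""
    for prefix, cc in GEO_TABLE.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def _sign(grant: dict) -> str:
    payload = json.dumps(grant, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


class Controller:
    """Control plane: every request is checked against policy before any
    data-plane session exists. Deny reasons are returned for logging."""

    def __init__(self, policy=POLICY, clock=time.time):
        self.policy = policy
        self.clock = clock

    def evaluate(self, req: AccessRequest) -> tuple:
        rule = self.policy.get(req.application)
        if rule is None:  # resources outside policy are never exposed
            return "deny", "application not in policy"
        if req.user not in rule["users"]:
            return "deny", "user not entitled to application"
        if rule["require_mfa"] and not req.mfa_passed:
            return "deny", "MFA required"
        dev = req.device
        if not dev.enrolled or not dev.disk_encrypted:
            return "deny", "device posture: unenrolled or unencrypted"
        if dev.patch_age_days > rule["max_patch_age_days"]:
            return "deny", "device posture: patches too old"
        cc = country_for(req.source_ip)
        if cc not in rule["countries"]:
            return "deny", f"context: access from {cc} not permitted"
        return "allow", "identity, posture and context verified"

    def issue_grant(self, req: AccessRequest, ttl_seconds: int = 300):
        """Signed grant bound to one user, device and application, or None."""
        decision, reason = self.evaluate(req)
        if decision != "allow":
            return None, reason
        grant = {"user": req.user, "device": req.device.device_id,
                 "application": req.application,
                 "exp": int(self.clock()) + ttl_seconds,
                 "nonce": secrets.token_hex(8)}
        return {"grant": grant, "sig": _sign(grant)}, reason


class Gateway:
    """Data plane for one application: opens a session only for a grant that
    is authentic, unexpired and issued for this application."""

    def __init__(self, application: str, clock=time.time):
        self.application = application
        self.clock = clock

    def open_session(self, token) -> bool:
        if token is None:
            return False
        if not hmac.compare_digest(_sign(token["grant"]), token["sig"]):
            return False  # forged or tampered grant
        g = token["grant"]
        return g["application"] == self.application and g["exp"] > self.clock()
```

The gateway never consults the user directory or device posture itself; it trusts only what the controller signed, which is the separation the article describes. A request from an unexpected country, a stale patch level, or an application the user is not entitled to is refused on the control plane with a reason that can be logged and alerted on, before any data-plane connection is attempted.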
The value proposition is that the integration of an SDP into an on-premises suite of services reduces complexity.
“Many enterprises have amassed a variety of secure access solutions through firewalls, UTMs, NAC, gateways, proxies, and VPNs, leaving organizations to cobble together a piecemeal secure access strategy in order to support their distributed environment and business needs,” Gordon said. “Frequently, this results in unnecessary complexity for users and administrators, visibility and security gaps, and high integration and operational costs.”
McGillicuddy said EMA research shows that organizations want to integrate remote access into broader platforms that include overall network and security policy management and administrative elements. In parallel, they see that hybrid cloud and multi-cloud infrastructure is challenging. “Enterprises are finding it increasingly difficult to build effective security architecture in these complex environments,” he said. “An SDP solution that can span these environments and integrate with remote access solutions can deliver good value.”