As the physical world of servers and telephones gave way to virtual machines and VoIP, so shall device security be defined by software rather than hardware. The newest push? Software-defined perimeters (SDP) virtualizing endpoint protection.
Based on research done by the Defense Information Systems Agency, SDP only allows individually authenticated devices access to network resources. Even internal devices on the network must have “need to know” status before access. “Every connection between an object and a machine has to be recognized and monitored,” says Dan Cummins, a security analyst for 451 Research. “It’s a logical evolution to automate access without the hassle of physical objects, making security more programmable.”
“You isolate an application so it’s invisible to everyone on the untrusted network, you verify the user and device trustworthiness, and only then do you connect the authorized user and trusted device to the protected application,” says Junaid Islam, president and CTO of Campbell, Calif.-based Vidder Inc., one of the leading vendors in this new area. “The architecture consists of the controller, gateway, and client. The three components work together to defeat the most crippling attacks being used in advanced threats.”
Credential theft is a big part of large hacks, says Islam, so SDP relies on a device ID much stronger than device authentication used today. “The device ID is created based on a number of variables, such as the MAC address, private key, a counter, and more,” continues Islam. “All this is transparent to the user. And if a device ID is used with the wrong device, you know it’s been hacked.”
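A toy model of the verify-then-connect flow Islam describes (controller, gateway, client), added here as an illustration; it is not Vidder's or the Cloud Security Alliance's code. The device-ID construction is an assumption: the article lists MAC address, private key and counter as inputs but not the formula, so this model uses an HMAC over MAC plus counter under a per-device key.

```python
import hashlib
import hmac

# Constructed model of the SDP flow: verify the device, then the user's
# need-to-know, and only then let the gateway expose the application.
# Assumption: device ID = HMAC(per-device private key, MAC | counter).

def device_id(private_key: bytes, mac: str, counter: int) -> str:
    return hmac.new(private_key, f"{mac}|{counter}".encode(), hashlib.sha256).hexdigest()

class Controller:
    def __init__(self):
        self.devices = {}   # mac -> [private_key, last counter seen]
        self.acl = set()    # (user, app) pairs with need-to-know status
        self.sessions = {}  # session token -> (user, mac, app)

    def enroll(self, mac: str, private_key: bytes) -> None:
        self.devices[mac] = [private_key, 0]

    def grant(self, user: str, app: str) -> None:
        self.acl.add((user, app))

    def verify(self, user, mac, counter, presented_id, app):
        """Device first, then role; returns (session token or None, reason)."""
        if mac not in self.devices:
            return None, "unknown device"
        key, last = self.devices[mac]
        if counter <= last:
            return None, "replayed or stale counter"
        if not hmac.compare_digest(device_id(key, mac, counter), presented_id):
            return None, "device ID does not match device"  # ID used with the wrong device
        self.devices[mac][1] = counter
        if (user, app) not in self.acl:
            return None, "no need-to-know for app"
        token = hashlib.sha256(f"{user}|{mac}|{app}|{counter}".encode()).hexdigest()[:16]
        self.sessions[token] = (user, mac, app)
        return token, "ok"

class Gateway:
    def __init__(self, controller):
        self.ctl = controller

    def connect(self, token: str, app: str) -> str:
        """Default deny: the app stays invisible unless the controller issued a session for it."""
        sess = self.ctl.sessions.get(token)
        if sess is None or sess[2] != app:
            return "DROP"
        return f"CONNECT {sess[0]}@{sess[1]} -> {app}"
```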
VPN for Each Network Device
In a sense, SDP constructs a unique virtual private network for every device in the network. Companies focused on mobile devices have a head start in this new security philosophy. “Aruba [a Hewlett Packard Enterprise company in Sunnyvale, Calif.] and ForeScout [Technologies Inc., of San Jose, Calif.] are two companies with a lot on the ball,” says Cummins. “Discovery is a big challenge. Who’s on your network? What’s the business use? This is a $1 billion market that’s still growing in the mid-teens per year.”
Islam and Vidder helped found the Cloud Security Alliance, where resources on SDP are all in the public domain. “The Department of Defense model verifies the user and device first, checks their role, and then sets up connections to resources,” says Islam.
Cummins adds, “Cisco has done well with [its] last few security acquisitions to help in this area. VMware is also pushing in this area. Look for details about microsegmentation from these and other vendors.”
Resellers providing managed security services should be involved in SDP already, according to Cummins and Islam. Look for SDP announcements from public cloud providers as well, and keep up with hardware firewall appliance vendors as they shift to a more virtual, software-defined security model.