Software-Defined Perimeter: Identity-Based Security for Hybrid Environments

February 2, 2017

I’ve talked a lot about what a software-defined perimeter (SDP) is and the benefits of SDP over network access control (NAC) solutions. At a high level, a software-defined perimeter looks like the following image.

Image of What a Software-Defined Perimeter Looks like

And it offers:

  • Individualized perimeter for each user
  • Fine-grained authorization for on-premises and cloud
  • Contextual awareness that drives access and authorization
  • Simplified firewall and security group rules
  • The ability to dynamically adjust to new server instances
  • Consistent access policies across heterogeneous environments

SDP addresses security weaknesses that are built into the traditional TCP/IP connection model.

TCP/IP was designed for a more open world

Its “connect first, authenticate second” approach puts organizations at risk and exposes several weaknesses:

What a traditional TCP IP looks like

  • Servers are subject to reconnaissance scans
  • Unauthenticated users can exploit servers
  • Systems are vulnerable to DDoS attacks
  • Unauthorized users consume server resources

The Software-Defined Perimeter stops attackers but lets authorized users connect

It takes an “authenticate first, connect second” approach, ensuring that only authenticated and authorized users can connect to network resources. This reduces the attack surface and significantly improves security:

What a Software-Defined Perimeter looks like

  • Protected resources are invisible to reconnaissance scans, because unauthenticated packets are dropped without a response
  • Only authenticated and authorized users can connect
  • DDoS attacks are far less effective, since unauthenticated traffic is discarded before it can consume connection or application state
  • Unauthorized users cannot impact servers
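The mechanism that usually realizes “authenticate first, connect second” at the packet level is single-packet authorization (SPA): the client sends one authenticated datagram, the gateway silently verifies it, and only then does a firewall pinhole open for the connection that follows. The Python model below is an added example written for this page, not Cryptzone’s or AppGate’s code; the packet layout, the shared HMAC key, the IP addresses, the service names and the policy table are all constructed for the example. It walks through a scanner that gets nothing, a legitimate knock-then-connect, and the failure modes a gateway must reject: replay, stale timestamps, a tampered packet, a knock relayed from another host, an authenticated client asking for a service it is not authorized for, and a connection arriving after the pinhole has closed.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import struct

SPA_MAGIC = b"SPA1"   # hypothetical format tag for this example's knock packet
MAX_SKEW = 30         # seconds a knock's timestamp may differ from the gateway clock
RULE_TTL = 10         # seconds the pinhole stays open for the follow-up connection
TAG_LEN = 32          # HMAC-SHA256 output length


def build_spa_packet(key: bytes, client_ip: str, service: str, now: float,
                     nonce: bytes | None = None) -> bytes:
    """Client side: a single datagram proving identity before any TCP connection.
    Layout (constructed): magic | uint64 timestamp | 16-byte nonce | 'ip|service' | HMAC-SHA256."""
    nonce = os.urandom(16) if nonce is None else nonce
    body = SPA_MAGIC + struct.pack(">Q", int(now)) + nonce + f"{client_ip}|{service}".encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Gateway:
    """Default-deny enforcement point. It never replies to a knock, valid or not, so a
    scanner sees no open ports and cannot distinguish a good knock from garbage."""

    def __init__(self, key: bytes, policy: dict[str, set[str]]):
        self.key = key
        self.policy = policy                      # client_ip -> services it may reach (stands in for Controller policy)
        self.seen_nonces: set[bytes] = set()      # replay cache; in practice bounded to the MAX_SKEW window
        self.open_rules: dict[tuple[str, str], float] = {}   # (client_ip, service) -> pinhole expiry

    def handle_knock(self, src_ip: str, payload: bytes, now: float) -> str:
        """Return 'OPEN' if a pinhole was created, else 'DROP'. Nothing is ever sent back."""
        if len(payload) < len(SPA_MAGIC) + 8 + 16 + TAG_LEN or not payload.startswith(SPA_MAGIC):
            return "DROP"
        body, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):     # constant-time compare; wrong key or tampering
            return "DROP"
        ts = struct.unpack(">Q", body[4:12])[0]
        if abs(now - ts) > MAX_SKEW:                   # stale or pre-dated knock
            return "DROP"
        nonce = body[12:28]
        if nonce in self.seen_nonces:                  # replay of a captured knock
            return "DROP"
        self.seen_nonces.add(nonce)
        claimed_ip, _, service = body[28:].decode(errors="replace").partition("|")
        if claimed_ip != src_ip:                       # authentic knock relayed from a different host
            return "DROP"
        if service not in self.policy.get(src_ip, set()):   # authenticated, but not authorized for this service
            return "DROP"
        self.open_rules[(src_ip, service)] = now + RULE_TTL
        return "OPEN"

    def accept_connection(self, src_ip: str, service: str, now: float) -> bool:
        """The TCP SYN that follows the knock. Without a live matching pinhole it is dropped."""
        expiry = self.open_rules.get((src_ip, service))
        return expiry is not None and now <= expiry


def demo() -> dict[str, object]:
    """Run the scenarios from the post: reconnaissance, an authorized session, and the failure modes."""
    key = os.urandom(32)                                  # shared secret established during client onboarding
    gw = Gateway(key, policy={"10.0.0.5": {"ssh"}})       # constructed policy: one client, one permitted service
    now = 1_700_000_000.0
    r: dict[str, object] = {}

    # 1. Reconnaissance: no credentials, so neither the knock port nor the service answers.
    r["scan_knock"] = gw.handle_knock("203.0.113.9", b"\x00" * 64, now)
    r["scan_connect"] = gw.accept_connection("203.0.113.9", "ssh", now)

    # 2. Authorized client: authenticate first (knock), then connect.
    knock = build_spa_packet(key, "10.0.0.5", "ssh", now)
    r["valid_knock"] = gw.handle_knock("10.0.0.5", knock, now)
    r["valid_connect"] = gw.accept_connection("10.0.0.5", "ssh", now + 1)

    # 3. Failure modes the gateway must reject.
    r["replay"] = gw.handle_knock("10.0.0.5", knock, now + 2)                                  # same nonce again
    r["stale"] = gw.handle_knock("10.0.0.5", build_spa_packet(key, "10.0.0.5", "ssh", now - 300), now)
    tampered = bytearray(knock)
    tampered[-1] ^= 0x01                                                                        # flip one MAC bit
    r["tampered"] = gw.handle_knock("10.0.0.5", bytes(tampered), now)
    r["relayed"] = gw.handle_knock("198.51.100.7", build_spa_packet(key, "10.0.0.5", "ssh", now), now)
    r["unauthorized_service"] = gw.handle_knock("10.0.0.5", build_spa_packet(key, "10.0.0.5", "rdp", now), now)
    r["expired_rule"] = gw.accept_connection("10.0.0.5", "ssh", now + RULE_TTL + 1)
    return r


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22} -> {outcome}")
```

Two points worth noting from the model. First, the gateway spends one MAC verification and allocates no connection state on an unauthenticated packet, which is what blunts application-layer resource exhaustion and hides the service from scans; it does not stop a volumetric flood from saturating the link in front of the gateway, so SDP complements rather than replaces upstream DDoS mitigation. Second, authentication and authorization are separate checks: the `rdp` knock carries a valid MAC yet is still dropped, which is the fine-grained, per-user perimeter the post describes.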

Cryptzone’s AppGate Solution Implements the Software-Defined Perimeter Specification

Cryptzone’s AppGate has a distributed, scalable and highly available architecture that is protected by Single-Packet Authorization.

Here you can see how Cryptzone’s Software-Defined Perimeter solution works in a production environment:

A Software-Defined Perimeter, simplified

Image of number 1

  • Controller integrates with PKI and IAM systems
  • Controller is an authentication point and policy store
  • System is administered via graphical admin console

Image of number 2

  • Secure client onboarding process
  • Client authenticates to Controller
  • Communication secured with mutual TLS

Image of number 3

  • Distributed Gateways protect cloud and network resources
  • Clients securely access resources via Gateways with mutual TLS tunnels
  • Real-time policy enforcement by Gateway
  • Gateways dynamically adjust user access as systems change

Image of number 4

  • Controller enhances SIEM and IDS with detailed user activity logs
  • Controller queries ITSM and other systems for context and attributes used in Policies

Want to see it in more detail? Download the Software-Defined Perimeter infographic.

Jason Garbis

Vice President of Products, Cryptzone
Jason Garbis is Vice President of Products for Cryptzone, where he's responsible for the company's product strategy and product management. Garbis has over 25 years of experience with technology vendors, including roles in engineering, professional services, product management, and marketing. Jason joined Cryptzone from RSA, and holds a CISSP certification.