Recently there was a terrific article by Chris Preimesberger in eWEEK, Why Software-Defined Perimeters Outflank VPNs for Secure Remote Access, that examined the emergence of software-defined perimeters (SDP) as a more secure alternative to VPNs.
As a pioneer and partner in the development of SDP with the Cloud Security Alliance, Waverley Labs is pleased to see growing industry recognition of SDP as a potential paradigm shift in cyber security. In his article, Preimesberger focused on secure remote access and VPN replacement as a likely first area of adoption for SDPs, which employ a Zero Visibility and Zero Trust approach:
- Zero Visibility – every connection to a service, application or critical infrastructure is secured. The SDP dynamically creates one-to-one connections between each authorized device, user and the data they access.
- Zero Trust – anyone attempting to access a resource must “authenticate first.” Resources the user is not authorized for are virtually invisible. This applies the principle of least privilege to the network and eliminates the attack surface. By default, users are not allowed to connect to anything – the opposite of traditional corporate networks, where once a user is given an IP address, the VPN allows access to everything on the network. Instead, once the proper access criteria are met, the SDP generates a dynamic one-to-one connection from the user’s machine to the specific resource needed. Everything else remains completely invisible.
In addition to outflanking VPNs, SDPs provide a proven and superior replacement for DDoS mitigation and credential-theft protection, while enabling proper firewall and incident response strategies.
SDP’s deny-all, authenticate-first approach eliminates the need for exhaustive analysis of voluminous log data and lets cyber experts know immediately who is accessing their network, where they are coming from, and what they are accessing. Using dynamic firewalls instead of static firewall implementations removes the burden of managing cumbersome firewall rule sets. Organizations can instead focus on onboarding applications so that connections are accepted only from authorized users and devices, with everything hidden behind a deny-all firewall.
SDPs are IP-agnostic and connection-oriented. There is no centralized network chokepoint: the architecture is completely distributed and as scalable as the internet itself. An SDP is engineered to operate natively in cloud networks and is compatible with existing corporate networks, integrating with and augmenting existing security tools and network devices, and modernizing your existing investments.
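The deny-all, authenticate-first model described above, condensed into a small policy simulation. This is an added illustration, not Waverley Labs’ code or any SDP specification: the credential store, policy table, gateway class and all users, devices, addresses and resource names are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed credential store: user -> (registered device id, password hash).
_SALT = b"constructed-salt"


def _h(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


USERS = {"alice": ("dev-A1", _h("alice-pass"))}
# Constructed authorization policy: which resources a (user, device) pair may reach.
POLICY = {("alice", "dev-A1"): {"payroll.internal:443"}}


@dataclass
class Gateway:
    """Deny-all gateway: no forwarding rule exists until auth and authz succeed."""
    rules: set = field(default_factory=set)      # dynamic one-to-one rules (src_ip, resource)
    sessions: list = field(default_factory=list) # who / from where / to what, for responders

    def probe(self, src_ip: str, resource: str) -> str:
        # Traffic without a matching one-to-one rule is dropped: the resource stays invisible.
        return "allow" if (src_ip, resource) in self.rules else "drop"

    def authenticate_and_connect(self, src_ip, user, device, password, resource) -> str:
        stored = USERS.get(user)
        if (stored is None or stored[0] != device
                or not hmac.compare_digest(stored[1], _h(password))):
            return "drop"  # failed authentication looks exactly like no service at all
        if resource not in POLICY.get((user, device), set()):
            return "drop"  # least privilege: nothing beyond the authorized resource
        # Only now is a rule created, scoped to this source and this single resource.
        self.rules.add((src_ip, resource))
        self.sessions.append((user, device, src_ip, resource))
        return "allow"
```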
SDPs have been successfully deployed and proven effective by leading enterprises such as Coca-Cola, Mazda, and Google, and in the public sector by DHS, and continue to be tested in organized industry “hack-a-thons” (such as RSA) with an estimated 10 billion+ attempts to date – all unsuccessful.
To learn more, check out Waverley Labs, which worked closely with the Cloud Security Alliance to develop the commercial SDP specification and has since delivered the industry’s first open source SDP as part of an award from the DHS to create new tools to defend against large and sophisticated Distributed Denial of Service (DDoS) attacks.