Blog article

All You Need to Know About the Software-Defined Perimeter

The software-defined perimeter is a virtual business infrastructure that uses strong encryption and interconnects remote users, offices, branches, and clouds.

Petr Pecha

9

Min read

ZTNA
Table of Contents
This is also a heading
This is a heading
Try the most usable zero trust solution

Modern computer networks consist of office locations, remote workers, private and public clouds, and more. It’s a heterogeneous mess of often incompatible parts that is difficult to manage, let alone secure.

This article describes the software-defined perimeter, a networking model that brings it all together in a way that is secure, easy to manage, and relatively simple to implement.

Table of contents

  1. From the “new normal” to just “normal”
  2. What is the software-defined perimeter?
  3. Is the software-defined perimeter the same as a VPN?
  4. The GoodAccess model of SDP
  5. Branch & Cloud Connector
  6. High-availability branch and cloud connections
  7. Access control
  8. Global accessibility

From the “new normal” to just “normal”

What everyone has gotten used to calling the “new normal” has become standard over the past two years. Remote is a perfectly legitimate way of working, and the rapid adoption of SaaS apps and workspaces testifies to the trust that cloud-delivered services enjoy.

However, that certainly does not mean that the “old” has disappeared. Many organizations have their company systems on site, in branches, or in local networks. These systems are only accessible via a dedicated infrastructure; accessing them remotely can be a hurdle.

It’s similar when it comes to public clouds. To connect one to your network, you either have to make it publicly accessible, which is far from secure, or you can connect it via IP whitelisting as long as you have a static IP address. A secure alternative is a connection via an IPsec tunnel, but this is harder to configure.

The challenge increases with the rising number of connecting endpoints, each representing a potential target for a phishing attack and a potential point of entry for online adversaries, which means you now need to authenticate not just remote users but all their devices as well.

The company perimeter, though obsolescent in its traditional form, is transforming and adapting to the virtual environment, becoming software-defined.

What is the software-defined perimeter?

The SDP works interconnects all users and company assets in a shielded environment on the network layer. This means it only establishes a connection once it has verified the identity of the user and determined if the user device meets the conditions for connecting.

Therefore, the authenticated user does not gain access to the entire network but only to systems to which they have access privileges, and will do so via a unique private connection. The security aspect is thus embedded in the basic architecture of the SDP.

The idea of a software-defined perimeter was prototyped by the Cloud Security Alliance as an identity-based access control framework. Software-defined perimeter (or SDP) is sometimes referred to as a black cloud because it hides both traffic and the infrastructure from outside interception.

The SDP makes good use of the scalability and flexibility of the cloud. Public clouds can be included in the virtual infrastructure, as can SaaS applications. Because there is no need to put physical devices and wiring in place, the SDP model responds very easily to varying numbers of users inhabiting it.

In the overall scheme of things, SDP is considered a component of SASE.

Is the software-defined perimeter the same as a VPN?

This distinction will depend to an extent on how broadly you interpret the concept of VPN. All the same, some VPN functionality is often part of SDPs, but with mechanisms in place to make management more granular and connections more secure. For a detailed comparison of VPN and SDP, check this article.

These mechanisms make the SDP architecture an excellent vehicle for effective access control because the design makes it impossible for a user to access any resources unless authorized (this is different from application-layer authentication which grants access to the entire network and limits only user privileges). And once authorized, the communication takes place via a unique private connection that interconnects only the individual users with the pool of assigned systems.

However, both application- and network- level authentication work simultaneously in SDPs, so you can easily control both system access and user privileges centrally on a least-privilege basis and build your access control policy according to the zero-trust model.

Zero trust is a mindset that attributes access on a strictly need-to basis to prevent intruders from escalating their activity in case they penetrate company systems with stolen credentials.

Zero trust network access (ZTNA) is a materialization of this mindset in a network architecture that, among other things, introduces network segmentation. Basically, this means what was touched on above – users of a certain role can only access systems associated with that role.

For instance salespeople have access to the CRM systems but are barred from development systems and tools. That way, if someone’s credentials are stolen, the compromise will only affect those systems associated with them, making the threat easier to contain.

The GoodAccess model of SDP

GoodAccess provides you your own software-defined perimeter as a cloud service. It’s like having your own private island isolated from the treacherous waters of the public internet where only you and those you trust can enter.

Branch & Cloud Connector

The built-in Branch and Cloud Connector enables multiple private clouds, datacenters, and entire office buildings to connect to the GoodAccess network via a secure tunnel. The technology is based on IPsec, IKEv2, or OpenVPN, depending on your preference.

It allows you to interconnect all your geographical locations into a single software-defined perimeter and securely access your local resources from anywhere in the world.

High-availability branch and cloud connections

If you need highly available remote access to your on-prem or cloud systems, you can set up a redundant IPsec or IKEv2 tunnel as a failsafe.

You’ll need to add a backup gateway and create a tunnel between your branch or cloud to each gateway. In this setup, if your primary gateway fails, you can still access your systems via the second.

Access control

GoodAccess segments your private network using the least-privilege system of access cards; an easy to use zero-trust mechanism that allows you to assign role-based access to systems on the network level. More on this topic in this blog article.

In addition, you can tighten your access control with SSO and two-factor authentication (2FA).

Global accessibility

You don't need any extra concentrators or servers. GoodAccess offers pre-built global infrastructure, so you can connect from anywhere in the world with convenient access to your cloud and branch assets.

If you are not a GoodAccess user yet and would like to test it out, check our free trial.

Let’s get started

See why your peers choose GoodAccess. Create your free account today and enjoy all premium features for 14 days, hassle-free.
Create Free Account
Book 1-1 call
Trusted by 1300+ customers

release news

What’s New: Device Posture Check & Forced Always-On Connection

Release notes: Device Posture Check keeps non-compliant devices out of your perimeter while forced always-on connection ensures security measures are active at all times.

Learn more

5

Min read

Remote work

What is a backup gateway and why do you need one?

A backup gateway provides redundancy in case an unexpected outage or performance issues impact the primary gateway. This ensures business continuity and reduces the cost of downtime.

Learn more

4

Min read

Release news

Out Now: GoodAccess Linux App

The GoodAccess Linux app enables simple configuration and management of Linux devices connecting to the GoodAccess secure environment.

Learn more

2

Min read

In GoodAccess, we invest our passion into developing a cybersecurity platform that is easy to deploy, easy to manage, and easy to use.

Education
VPN with Static IP Explained
What is Business Cloud VPN
What is IP Whitelisting
DNS Filtering Explained
Zero Trust Network Access
35+ Gateways Worldwide
How secure is GoodAccess
Compliance Made Easy
Platform
Free business VPN
Business VPN
Zero trust network access
Software defined perimeter
Secure web gateway
Remote access VPN
Features
Dedicated VPN gateway
Static IP address
Central dashboard
Zero-trust access control
DNS filtering
Multi-factor authentication
Network access control
Split tunneling
Access logs
IP whitelisting
SSO
Resources
Product tour
Blog
Events & webinars
Support portal
Customers
Integrations
SLA
Company
About us
Careers
Newsroom
Contact us
Partner Programs
Become a partner
Become an affiliate
Pricing
Plans
Small teams
Starter
Download App
Windows
Mac
Android
iOS
Linux
Chrome OS

Copyright ©2024
GoodAccess

Facebook icon LinkedIn iconTwitter icon
Acceptable Usage Policy
Term & Conditions
Privacy Policy