Modern computer networks consist of office locations, remote workers, private and public clouds, and more. It’s a heterogeneous mess of often incompatible parts that is difficult to manage, let alone secure.
This article describes the software-defined perimeter, a networking model that brings it all together in a way that is secure, easy to manage, and relatively simple to implement.
What everyone has gotten used to calling the “new normal” has become standard over the past two years. Remote is a perfectly legitimate way of working, and the rapid adoption of SaaS apps and workspaces testifies to the trust that cloud-delivered services enjoy.
However, that certainly does not mean that the “old” has disappeared. Many organizations have their company systems on site, in branches, or in local networks. These systems are only accessible via a dedicated infrastructure; accessing them remotely can be a hurdle.
It’s similar when it comes to public clouds. To connect one to your network, you either have to make it publicly accessible, which is far from secure, or you can connect it via IP whitelisting as long as you have a static IP address. A secure alternative is a connection via an IPsec tunnel, but this is harder to configure.
The challenge increases with the rising number of connecting endpoints, each representing a potential target for a phishing attack and a potential point of entry for online adversaries, which means you now need to authenticate not just remote users but all their devices as well.
The company perimeter, though obsolescent in its traditional form, is transforming and adapting to the virtual environment, becoming software-defined.
The SDP works interconnects all users and company assets in a shielded environment on the network layer. This means it only establishes a connection once it has verified the identity of the user and determined if the user device meets the conditions for connecting.
Therefore, the authenticated user does not gain access to the entire network but only to systems to which they have access privileges, and will do so via a unique private connection. The security aspect is thus embedded in the basic architecture of the SDP.
The idea of a software-defined perimeter was prototyped by the Cloud Security Alliance as an identity-based access control framework. Software-defined perimeter (or SDP) is sometimes referred to as a black cloud because it hides both traffic and the infrastructure from outside interception.
The SDP makes good use of the scalability and flexibility of the cloud. Public clouds can be included in the virtual infrastructure, as can SaaS applications. Because there is no need to put physical devices and wiring in place, the SDP model responds very easily to varying numbers of users inhabiting it.
In the overall scheme of things, SDP is considered a component of SASE.
This distinction will depend to an extent on how broadly you interpret the concept of VPN. All the same, some VPN functionality is often part of SDPs, but with mechanisms in place to make management more granular and connections more secure. For a detailed comparison of VPN and SDP, check this article.
These mechanisms make the SDP architecture an excellent vehicle for effective access control because the design makes it impossible for a user to access any resources unless authorized (this is different from application-layer authentication which grants access to the entire network and limits only user privileges). And once authorized, the communication takes place via a unique private connection that interconnects only the individual users with the pool of assigned systems.
However, both application- and network- level authentication work simultaneously in SDPs, so you can easily control both system access and user privileges centrally on a least-privilege basis and build your access control policy according to the zero-trust model.
Zero trust is a mindset that attributes access on a strictly need-to basis to prevent intruders from escalating their activity in case they penetrate company systems with stolen credentials.
Zero trust network access (ZTNA) is a materialization of this mindset in a network architecture that, among other things, introduces network segmentation. Basically, this means what was touched on above – users of a certain role can only access systems associated with that role.
For instance salespeople have access to the CRM systems but are barred from development systems and tools. That way, if someone’s credentials are stolen, the compromise will only affect those systems associated with them, making the threat easier to contain.
GoodAccess provides you your own software-defined perimeter as a cloud service. It’s like having your own private island isolated from the treacherous waters of the public internet where only you and those you trust can enter.
The built-in Branch and Cloud Connector enables multiple private clouds, datacenters, and entire office buildings to connect to the GoodAccess network via a secure tunnel. The technology is based on IPsec, IKEv2, or OpenVPN, depending on your preference.
It allows you to interconnect all your geographical locations into a single software-defined perimeter and securely access your local resources from anywhere in the world.
If you need highly available remote access to your on-prem or cloud systems, you can set up a redundant IPsec or IKEv2 tunnel as a failsafe.
You’ll need to add a backup gateway and create a tunnel between your branch or cloud to each gateway. In this setup, if your primary gateway fails, you can still access your systems via the second.
GoodAccess segments your private network using the least-privilege system of access cards; an easy to use zero-trust mechanism that allows you to assign role-based access to systems on the network level. More on this topic in this blog article.
In addition, you can tighten your access control with SSO and two-factor authentication (2FA).
You don't need any extra concentrators or servers. GoodAccess offers pre-built global infrastructure, so you can connect from anywhere in the world with convenient access to your cloud and branch assets.
Go to the GoodAccess Control Panel and look for the Clouds & Branches section.
To create a new connector, click on Add New in the upper right corner and choose whether you’re adding a branch or cloud, type in the subnet IP address, select your gateway, and choose protocol.
For a step-by-step guide on how to connect your branch routers, see this article.
Note that IPsec setup may require more detailed information about your cloud environment. If you need any assistance, contact your GoodAccess reseller or our support.
If you are not a GoodAccess user yet and would like to test it out, check our free trial.