SDP vs. VPN: Why It’s Time to Move to Software-Defined Perimeters
Software-Defined Perimeters (SDPs) apply a modern approach to network security that avoids the inherent weaknesses of traditional castle-and-moat fixed perimeter security technologies such as Virtual Private Networks (VPNs). Unlike the hardware-centric approaches of the past, SDP’s software-based approach works with today’s hybrid workforces and cloud infrastructures.
After a brief definition of software-defined perimeters and VPNs, we will explain why SDPs are a better solution for today’s network security challenges and how SDP solutions such as Twingate simplify the implementation of Zero Trust security principles to secure your company’s most sensitive resources.
What is a software-defined perimeter (SDP)?
A software-defined perimeter is a modern approach to network security first developed by the US Department of Defense to address the weaknesses inherent to traditional approaches. The castle-and-moat paradigm tries to protect networked resources by creating a secure perimeter around the network. Hardware or virtualized appliances such as firewalls and gateways are used to secure entry points into the physical network. However, the resulting infrastructure is brittle, expensive, and presents a visible, large attack surface.
Adopting SDP security approaches eliminates the costs and vulnerabilities of the traditional appliance-based approach to network security. Rather than trying to defend a physical network, SDP focuses on protecting the logical network connecting a company’s resources to its users. The SDP model further separates the control layer from the data layer, so data connections are not created until the authentication and authorization process is complete.
Network security systems based on software-defined perimeters enjoy several advantages over traditional approaches:
Virtualizing the logical network through SDP gives security administrators more control over their networks. Segmenting the network resource by resource does not require investments in hardware infrastructure or changes to network architecture. Creating perimeters around each resource allows the creation of granular access control policies. With modern SDP solutions, security administrators can set policies based on user identity, device state, user location, and more.
Being software, SDPs are much less rigid than traditional fixed perimeters. This is particularly important for today’s businesses, where cloud computing, mobile computing, and pandemic trends have resulted in IT resources and people being rarely confined to the same physical building or company-operated datacenter. This dynamic environment demands the flexibility that only a software approach can provide. SDPs enable a tightly fitting perimeter that can encompass each of a company’s resources individually, wherever they may be - and, better still, the perimeter for each employee can be different and confined to only the resources they are authorized to access.
As a software-based security solution, SDP does not require large investments in hardware infrastructure. Companies can avoid the ongoing costs needed to keep that infrastructure both secure and performant. Thanks to standards-based implementations, SDP solutions can integrate with a company’s existing identity providers and other security systems. This makes phased SDP deployments easier to manage with less impact on operations.
Since SDP solutions are network-agnostic, companies can use the same systems to protect on-premises resources, hosted resources, and cloud services. In addition, companies no longer have to manage separate access control systems for on-site workers and remote workers.
Minimized attack surface
Most importantly, SDP reduces a company’s exposure to external threats. Unlike the publicly visible gateways that typically guard entryways into traditional network perimeters, an SDP can hide entry points, creating a “dark network” that masks a company’s resources from the public internet. Separation of the control and data layers, granular access control policies, and micro-segmentation mitigate denial of service attacks and limit a bad actor’s ability to move laterally between resources.
What is a virtual private network (VPN)?
Virtual private networks lie at the heart of the traditional castle-and-moat security paradigm. VPN gateways serve as the gatehouses through which trusted users and devices may pass through the secure perimeter and access the protected network. But the way this technology was originally developed has made VPN-based security vulnerable to modern cybercriminals.
At first, virtual private networks solved real business problems. As companies adopted information technology in the 1990s, they needed more affordable network-to-network connections than traditional leased lines.
Internet-based VPNs met that need, yet simply connecting two locations in a “virtual network” over the internet was not enough. Administrators could trust data on their managed networks, but the public internet was another matter. VPNs supplied the needed security by encrypting the data flowing between the networks. In other words, encryption made the connection a virtual “private” network.
At the same time, mobile computing created a demand for remote access solutions. VPN vendors responded by turning their technologies into access control solutions. Upon user authentication, an encrypted connection between the device and the VPN gateway would give users access to the protected network.
Unfortunately, the way VPN security developed created inherent weaknesses that make the technology less suitable for today’s network environment.
VPNs impact modern network performance
VPN technology was designed to connect physical networks in specific locations. As a result, VPNs handle remote users’ traffic poorly by default. Network paths become longer than necessary, often with significant backhaul, and latency suffers. Bandwidth also suffers as VPN gateways become chokepoints through which all remote traffic passes.
VPNs are expensive to deploy and manage
VPN-based security adds to the financial and administrative burden of managing a corporate network. Upgrading a VPN system to support more users is a protracted process that takes resources from other priorities. Over time, the company’s VPN infrastructure becomes a mix of models that require constant attention to keep patched for the latest security risks.
VPNs are inherently insecure
As portals through secure perimeters, VPN gateways are popular targets for bad actors. VPN gateways are readily visible to the public internet, along with their model numbers and other specifications. This visibility, made worse by the slow application of security patches, makes VPN gateways susceptible to attacks from cybercriminals scanning the internet for vulnerable gateways.
Most importantly, as a network-to-network solution, VPN security rests on a foundation of trust. Cybercriminals who successfully compromise a device or VPN gateway gain full access to the network.
Why is SDP a better solution than a VPN?
Even if businesses operated in the computing environment of decades past, software-defined perimeters would be a better solution for network security than VPN technologies. The advantages SDP holds over VPN include:
- Network agnostic: Unlike VPN, SDP is not tied to physical infrastructure, so it can protect resources from any private network or public internet connection.
- Resource focused: VPN grants access to a protected network and all of the resources on that network. SDP defends each resource.
- Small attack surface: Rather than publishing its presence as VPN does, SDP can render a company’s resources invisible to the public internet.
- Low overhead: Without the need to deploy, manage, patch, and upgrade physical infrastructure, SDP is more cost-effective and consumes fewer resources than VPN.
Of course, the modern computing environment is nothing like the past. Today’s businesses operate in more dynamic, heterogeneous conditions than ever before.
Decentralization of the corporate network
The “managed” network is no longer a physical on-premises system. The network encompasses hosted applications, hybrid clouds, cloud-hosted systems, and X-as-a-Service solutions. Another company’s vulnerabilities can create attack vectors through API integrations.
Amorphous user populations
In the past, companies managed employees’ access to resources. Today’s user base is a mix of employees, consultants, contractors, and other third parties. Project-based work teams result in constantly shifting user roles and access requirements.
Users no longer access resources from carefully managed, company-owned computers. The growing adoption of Bring Your Own Device (BYOD) policies and the Industrial Internet of Things (IIoT) requires flexible access control policies while maintaining security standards.
The new remote workforce
Although already well underway, the adoption of remote work policies accelerated during the COVID-19 pandemic. Literally overnight, the entire workforce hit VPN gateways designed to support relatively few traveling employees.
Chasing cyber threats
The threat environment constantly changes as cybercriminals quickly adopt new technologies. Cheap, automated systems let bottom-feeders operate indiscriminate, large-scale phishing attacks. Ransomware-as-a-service gives less sophisticated criminals access to the most advanced technologies. Targeted attacks from state-sponsored cybercriminals can leverage vulnerabilities nobody has heard of.
SDP offers a modern approach to protecting company resources in the face of trends such as these. VPN technologies simply cannot keep up. At the same time, SDP is only one part of the security puzzle.
How do SDPs fit into Zero Trust?
Companies gain the most security benefits by pairing SDP with Zero Trust. Software-defined perimeters define the methods for creating, managing, and securing connections between users and resources. Zero Trust establishes the principles that determine whether — and to what degree — those connections should be created in the first place:
- Trust nothing and nobody: All policies should deny access by default and require both authentication and authorization for every connection attempt.
- Authorize on a need-to-know basis: Also known as the principle of least privilege, role-based policies limit users’ access to the resources they need for their jobs.
- Context defines permissions: Going beyond identity verification, Zero Trust requires evaluation of everything from device posture to the user’s location before authorizing access.
- Make permissions ephemeral: Changes to the context, session limits, inactivity windows, and other measures should ensure that connections to resources never last without reauthentication and reauthorization.
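The four principles above can be expressed as a single policy decision that a controller evaluates on every connection attempt, before any data connection is created. The following is an added example, not code from the article or from Twingate; the roles, resource names, country list, posture fields and time limits are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, replace

# Constructed policy data: roles, resources, countries and limits are illustrative.
GRANTS = {"engineer": {"git.internal", "ci.internal"}, "finance": {"ledger.internal"}}
ALLOWED_COUNTRIES = {"US", "DE"}
MAX_SESSION_S = 8 * 3600   # hard session limit before full reauthentication
MAX_IDLE_S = 15 * 60       # inactivity window

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    resource: str
    authenticated: bool
    disk_encrypted: bool
    os_patched: bool
    country: str
    session_start: int   # epoch seconds of the last full authentication
    last_activity: int   # epoch seconds of the last traffic on this session

def authorize(req: Request, now: int) -> tuple[bool, str]:
    """Return (allow, reason); a request is allowed only if every check passes."""
    if not req.authenticated:
        return False, "not authenticated"
    # Least privilege: an unknown role or an ungranted resource is a deny.
    if req.resource not in GRANTS.get(req.role, set()):
        return False, "no grant for resource"
    # Context: device posture and location are checked on every attempt.
    if not (req.disk_encrypted and req.os_patched):
        return False, "device posture failed"
    if req.country not in ALLOWED_COUNTRIES:
        return False, "location not permitted"
    # Ephemeral permissions: old or idle sessions must reauthenticate.
    if now - req.session_start > MAX_SESSION_S:
        return False, "session expired"
    if now - req.last_activity > MAX_IDLE_S:
        return False, "idle timeout"
    return True, "allow"

NOW = 1_700_000_000  # constructed clock value
BASE = Request("alice", "engineer", "git.internal", True, True, True, "US",
               NOW - 3600, NOW - 60)

if __name__ == "__main__":
    for r in (BASE, replace(BASE, resource="ledger.internal"),
              replace(BASE, os_patched=False), replace(BASE, last_activity=NOW - 3600)):
        print(r.resource, authorize(r, NOW))
```

Because the function has no allow path other than the final return, any request that fails a check, or that names a role absent from the grant table, is denied by default.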
The Cloud Security Alliance, which extended the DoD’s work on SDP to the commercial sector, recently found that “SDP is the most effective architecture for adopting a Zero Trust strategy”. As a software-based approach, SDP provides a low-cost, low-overhead way to implement fine-grained, context-sensitive Zero Trust policies.
Twingate’s SDP solution makes Zero Trust Network Access (ZTNA) easier to integrate into your organization’s security strategy. Without changing your existing infrastructure or replacing your current security system, you can deploy Twingate to protect any on-premises or cloud resources. Simple administrative consoles let you easily manage role-based access control policies and define device posture criteria.
Now is the time to move to software-defined perimeters
Zero Trust principles implemented through software-defined perimeter solutions are the best way to secure company resources in the face of today’s dynamic computing environment. Old technologies, such as VPNs, require expensive, brittle infrastructure that increasingly fails to secure the networks they are meant to protect.
Twingate’s SDP security solution opens an easy path to deploying ZTNA security within your organization. Contact us to learn more.