Software-Defined Perimeter: The (New) Dominant Design of Network Security
The network security marketplace has changed over the past couple years, with new types of products, new vendors, and many overlapping claims and capabilities. It’s no longer an orderly or well-segmented marketplace; in fact, it’s begun to exhibit characteristics of a noisy, crowded, and confusing bazaar. These are symptoms of a sea change in network security, as technology capabilities, platforms, and market requirements seem to all be in flux. While this is exciting, it’s also confusing and uncertain for security architects and buyers.
The Dominant Design for Next-Generation Security Architecture
One of the most interesting things about operating amidst such technology change is observing market uncertainty about what the next-generation security architecture will look like, as it becomes broadly accepted. That is, we’re in a period of transition, and organizations are looking for the security architecture that will gel and become the “Dominant Design” for enterprise network security. If you’re unfamiliar with this term, Dominant Design describes the emergence of a single common platform (winning against competing platforms) around which an ecosystem of knowledge, tools, and vendors grows. The most commonly cited examples of Dominant Design are the QWERTY keyboard layout, and (in my lifetime) the battle between the VHS and Betamax videotape formats.
Among the market noise, however, one particular new approach to network security, as personified by the Software-Defined Perimeter (and to some degree, by the similar concepts of Zero-Trust and Google’s BeyondCorp) has gained momentum and awareness in the market. It’s clear to me that we’re right on the cusp of the growth curve for this type of solution, based on buyer awareness, analyst and journalist attention, and market entrants. While this is admittedly largely qualitative rather than quantitative, it’s certainly a different world than even just 12 months ago. As a vendor, we’re excited to be part of this trend, and happy to have the opportunity to help lead it. And we’re doing so, through a combination of leading technical research within the Cloud Security Alliance working group, promotion of the Software-Defined Perimeter approach, and helping our customers succeed.
We believe that an organization with such a security architecture will have the following network characteristics:
- Able to support hybrid infrastructure enabling a cloud transformation
- More secure and more compliant, with reduced effort
- A productive and agile business
Instead of just exploring this as a series of attributes, however, let’s see what such a system might look like for a representative user, Sally, at a fictional organization.
Software-Defined Perimeter Use Case
Sally works in a DevOps team at a large Financial Services organization. Her team is leading a project to build, launch, and operate a new service being developed in partnership with an outside tax preparation firm, to help parents navigate the College Financial Aid process. Together, these firms can help families have a faster, simpler, and financially beneficial outcome, all for a reasonable fee.
From a data security perspective, this is a particularly challenging project. Sally’s team is working with inherently sensitive data, subject to regulatory compliance, with ownership shared across organizational boundaries. And, because her organization has taken a “cloud first” approach, they’re building this on a public cloud platform.
Their cloud environment is highly automated, driven by their DevOps tooling. SDP provides users with secure, encrypted access to the environment across the internet. Because each of the two partner organizations has its own Identity Management system, the SDP platform is connected to both for authentication, and to obtain user attributes on which to make access decisions. This allows users to authenticate with their native credentials, and ensures that when a user departs the organization (or changes roles), their access to the shared system will no longer be valid.
Of course, users don’t have uniform access to the environment – SDP policies ensure that user access is controlled across two dimensions: the user’s role, and the environment (development or test) of the system being accessed. Users in different roles have different access. Sally, who is the lead application developer, normally has SSH access into systems that are in development and testing modes, but can only connect directly to the database for systems in development. The DBA, on the other hand, can connect directly to databases in both the dev and test environments.
Their SDP solution automatically detects changes to the environment – such as the instantiation of new services running in the cloud – and immediately adjusts user access. This keeps the teams fully productive, while maintaining a strong security stance and a high level of compliance. And because SDP policies will rapidly adjust user access, the security team can adopt the principle of least privilege, ensuring that no user has unnecessary access.
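To make the policy behaviour described above concrete, here is a small attribute-based access model written for this article; it is an added illustration, not AppGate SDP’s code or configuration. The organization names, user names, resource names and the `POLICY` table are all constructed assumptions. It shows the two dimensions (role and environment), the two identity sources feeding one perimeter, a departed user losing access, and a newly instantiated service being covered by policy the moment it is registered, with no per-resource rules to write.

```python
"""Added illustration of attribute-based SDP access decisions (not vendor code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str
    org: str            # which identity management system the user belongs to
    role: str           # e.g. "developer" or "dba" (constructed roles)
    active: bool = True  # False once the user departs or is deprovisioned


@dataclass(frozen=True)
class Resource:
    name: str
    env: str            # "dev", "test" or "prod"
    service: str        # "ssh" or "db"


# Constructed policy: role -> service -> environments where access is allowed.
# Mirrors the article: developers get SSH to dev and test but DB only in dev;
# the DBA gets DB in dev and test. Nothing grants access to prod.
POLICY = {
    "developer": {"ssh": {"dev", "test"}, "db": {"dev"}},
    "dba": {"db": {"dev", "test"}},
}


class IdentitySource:
    """Hypothetical stand-in for one partner organization's identity system."""

    def __init__(self, org, users):
        self.org = org
        self._users = {u.username: u for u in users}

    def lookup(self, username):
        return self._users.get(username)


class Perimeter:
    """Evaluates every request against user and resource attributes."""

    def __init__(self, identity_sources):
        self.identity_sources = {s.org: s for s in identity_sources}
        self.resources = {}

    # Called by the environment-change detector whenever a service appears/disappears.
    def register_resource(self, resource):
        self.resources[resource.name] = resource

    def deregister_resource(self, name):
        self.resources.pop(name, None)

    def authenticate(self, org, username):
        """Return the user record from its home identity source, or None if unknown/inactive."""
        source = self.identity_sources.get(org)
        user = source.lookup(username) if source else None
        if user is None or not user.active:
            return None
        return user

    def is_allowed(self, user, resource_name):
        """Default deny: access needs a known user, a known resource and a matching rule."""
        resource = self.resources.get(resource_name)
        if user is None or resource is None:
            return False
        allowed_envs = POLICY.get(user.role, {}).get(resource.service, set())
        return resource.env in allowed_envs

    def visible_resources(self, user):
        return sorted(n for n in self.resources if self.is_allowed(user, n))


def demo():
    """Constructed scenario: two identity sources, one perimeter, a new instance appears."""
    bank = IdentitySource("bank", [User("sally", "bank", "developer"), User("dan", "bank", "dba")])
    taxfirm = IdentitySource("taxfirm", [User("tom", "taxfirm", "developer", active=False)])
    sdp = Perimeter([bank, taxfirm])
    for r in (Resource("app-dev-1", "dev", "ssh"), Resource("db-dev", "dev", "db"),
              Resource("app-test-1", "test", "ssh"), Resource("db-test", "test", "db"),
              Resource("db-prod", "prod", "db")):
        sdp.register_resource(r)

    sally = sdp.authenticate("bank", "sally")
    dan = sdp.authenticate("bank", "dan")
    tom = sdp.authenticate("taxfirm", "tom")  # departed: identity source marks inactive

    sally_before = sdp.visible_resources(sally)
    # A new test instance is instantiated by DevOps tooling; policy covers it immediately.
    sdp.register_resource(Resource("app-test-2", "test", "ssh"))
    sally_after = sdp.visible_resources(sally)

    return {
        "sally_before": sally_before,
        "sally_after": sally_after,
        "dan": sdp.visible_resources(dan),
        "tom": sdp.visible_resources(tom),
        "sally_prod_db": sdp.is_allowed(sally, "db-prod"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point of the model is that access is a function of attributes looked up at decision time, not of a static list of hosts. That is why the departed user’s denial and the new instance’s coverage both happen without any policy edit, which is what lets the security team keep policy at least privilege without slowing the team down.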
Yet, despite the highly controlled environment, people at both organizations have sufficient access to be fully productive. SDP has enabled the collaboration necessary for this innovative and revenue-generating initiative. Using a traditional approach to security, it would have been technically difficult and operationally impossible to achieve this level of cross-organizational collaboration while maintaining such a strict security and compliance stance.
Cyxtera AppGate SDP
While the example above is fictional, it’s based on real-world deployments and real-world benefits that organizations have achieved with Cyxtera’s solution, AppGate SDP. We’re excited about the changes occurring in the security marketplace, and look forward to helping even more enterprises embrace this new security architecture. It’s clearly more effective than traditional security solutions, and is rapidly being embraced as the dominant design for enterprise security architectures.