Significant changes have transpired in the way global business gets done and what comprises IT infrastructure today. It’s a world without perimeters where users can be anywhere and resources are located everywhere across hybrid ecosystems. Add in unrelenting threat actors ... and it’s clear that the remote-only access controls of insecure VPNs create risk, expand attack surfaces and hinder productivity.
SDP vs. VPN: The deficiencies of VPN technology
VPNs weren’t designed to secure hybrid IT infrastructure or a hybrid workforce and are well past their prime. In fact, several U.S. government agencies, including the National Security Agency (NSA), have issued warnings about VPN deficiencies. Then there are the administration headaches, because VPNs can only scale with more hardware (physical or virtual), which means a major investment of capital and time.
Additional VPN deficiencies include:
- Exposed ports: VPN listeners are easily found and queried with common scanning tools, which reveals the manufacturer and version to threat actors
- Over-privileged access: VPNs are dependent on overly complex rules to prevent lateral movement
- Inability to dynamically scale: VPNs must be architected to accommodate a certain volume of remote users and can’t dynamically scale to handle user fluctuations
- Limited throughput: a typical VPN maxes out below 1 Gbps, adding extra cost and complexity
- Centralized architecture: users accessing VPNs are routed to backend destinations over a wide area network (WAN) … which adds latency and performance issues, frustrates users and creates complicated routing dependencies
What’s the answer? Software-defined perimeter (SDP), a term used interchangeably with Zero Trust Network Access (ZTNA). Not only does SDP simplify and strengthen remote access security, but it can also be applied across all enterprise secure access use cases, including any user-to-resource and resource-to-resource connections.
Let’s dive into the SDP vs. VPN discussion.
SDP vs. VPN: An introduction
Organizations use a VPN, or virtual private network, to connect employees working remotely to the company's private, internal network via an encrypted “tunnel” between employee devices and the network. With a VPN, remote users can access resources just as if they were in the office. However, VPN is built on the outdated security model of “connect first, authenticate second.” This requires open ports listening for inbound connections that can be easily found during an attacker’s reconnaissance phase. VPNs rely on lackluster authentication measures such as passwords, which are often weak, reused, easily exploited via social engineering or brute force, or simply available for purchase. Furthermore, segmentation using a VPN is overly complex and often leads to wide-open, overprivileged access ripe for unsanctioned lateral movement. And finally, VPN technology is hardware-bound and static, making it a siloed headache in fast-paced and dynamic IT environments.
SDP decentralizes security controls and moves them from the network layer to the application layer, dynamically creating one-to-one connections between users and the resources they access. Software-defined perimeter and ZTNA are built on a proven, more secure “authenticate first, connect second” Zero Trust model that creates individualized perimeters for each user, allowing for more fine-grained access control. The software-defined architecture and API-driven approach unlocks major potential for automation and scalability within today’s dynamic IT environments.
SDP vs. VPN: How does SDP work?
First, let’s get familiar with core components of software-defined perimeter (SDP) architecture. It’s important to note that the best SDP solutions can be deployed via a cloud-based delivery model or self-hosted, depending on the preference of the enterprise.
- Controllers: The controller is the brain of the system. It defines security policies by verifying trust using identity, context and risk data, which then grants the right entitlements.
- Gateways: This is where policies from the controller get enforced. Gateways are located wherever resources need to be protected.
- Clients: Clients are what the end users interact with to first establish trust via the controller and then connect to their trusted resources with the right entitlements.
It's important to note that the controller and the gateway are completely cloaked from prying eyes using a technology called single packet authorization (SPA). This means there are no visible ports until a user has been authenticated, trusted and granted an entitlement.
Using SPA, the controller authenticates a user or device with an identity provider to validate entitlements and additionally checks context surrounding the request using risk scoring as criteria for establishing, limiting, or revoking access.
Once trust is established, and using SPA, the controller delivers a live entitlement to the client and then to the gateway for access to the right resources. It’s called a live entitlement because, if context or risk change, the entitlements can adjust in real time.
The gateway then validates that the assigned token has not been tampered with and generates a segment of one, which connects the user/device only to the specific resources to which it has been granted trusted access. Everything else remains invisible.
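To make the three steps above concrete, here is an added, constructed illustration of the flow (it is not Appgate’s patented SPA implementation or any vendor code): the client sends one HMAC-tagged authorization packet that the gateway never answers, the controller issues a short-lived signed entitlement, and the gateway connects the client only to a resource named in an untampered, unexpired entitlement. The keys, packet layout, token format and 30-second freshness window are all assumptions of this example.

```python
import hashlib, hmac, json, secrets, time

# Constructed illustration, not a vendor implementation: keys, packet layout
# and token format are assumptions made for this example.
SPA_KEY = b"example-spa-secret"          # assumed client<->gateway SPA key
CTRL_KEY = b"example-controller-key"     # assumed controller signing key
SPA_WINDOW = 30                          # seconds a SPA packet stays fresh

def spa_packet(client_id, now=None, key=SPA_KEY):
    """Client side: one HMAC-tagged packet; the gateway never replies to it."""
    ts = int(time.time() if now is None else now)
    body = f"{client_id}|{ts}|{secrets.token_hex(8)}"
    return body + "|" + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def issue_entitlement(client_id, resources, now=None, ttl=300, key=CTRL_KEY):
    """Controller side: short-lived, signed resource list (the 'live' entitlement)."""
    exp = int(time.time() if now is None else now) + ttl
    claims = json.dumps({"sub": client_id, "res": sorted(resources), "exp": exp}, sort_keys=True)
    return claims + "." + hmac.new(key, claims.encode(), hashlib.sha256).hexdigest()

class Gateway:
    """Enforcement point: silent until a valid SPA packet, then a segment of one."""
    def __init__(self):
        self.seen_nonces = set()   # replay protection for SPA packets
        self.knocked = set()       # client ids that passed SPA

    def receive_spa(self, packet, now=None):
        try:
            client_id, ts, nonce, tag = packet.split("|")
            age = abs((time.time() if now is None else now) - int(ts))
        except ValueError:
            return False                          # malformed: drop silently
        body = f"{client_id}|{ts}|{nonce}".encode()
        good = hmac.compare_digest(hmac.new(SPA_KEY, body, hashlib.sha256).hexdigest(), tag)
        if not good or age > SPA_WINDOW or nonce in self.seen_nonces:
            return False                          # forged, stale or replayed
        self.seen_nonces.add(nonce)
        self.knocked.add(client_id)
        return True

    def allows(self, token, client_id, resource, now=None):
        """Connect only after SPA, with an untampered, unexpired token for this resource."""
        if client_id not in self.knocked:
            return False                          # port is still invisible
        claims, _, sig = token.rpartition(".")
        expected = hmac.new(CTRL_KEY, claims.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False                          # tampered entitlement
        c = json.loads(claims)
        now = time.time() if now is None else now
        return c["sub"] == client_id and c["exp"] > now and resource in c["res"]
```

The gateway returns nothing on failure in every branch, which is the property the text calls cloaking: a scanner sees no open port and no error to fingerprint.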
SDP vs. VPN: Zero Trust security and its relationship to SDP
In recent years, Zero Trust security has become a popular approach to data security, for good reason. Traditional security solutions like VPNs assume all devices on a network can be trusted. However, this can no longer be the case in today's connected world. Zero Trust security, built on the principle of least-privilege access, takes a “default deny” stance and assumes all devices are untrustworthy until verified otherwise. Zero Trust Network Access and an SDP architecture are purpose-built to enforce the principles of Zero Trust, affording enterprises the following security benefits:
- All resources are invisible to unauthenticated and unauthorized individuals
- Identity, context, device risk posture and risk telemetry from integrated systems like Threat Intelligence Platforms and Endpoint Protection solutions ensure the right users and devices are entering your network.
- Just-in-time secure access is delivered when trust is verified and is limited to segmented resources based on fine-grained entitlements
Why Appgate SDP is a leader in secure Zero Trust Network Access (ZTNA)
Appgate SDP delivers industry-leading Zero Trust Network Access to anything from anywhere by anyone. It requires users to be authenticated across identity-centric and context-based parameters, such as role, time, date, location and device posture, before allowing access to enterprise resources … to prevent unsanctioned lateral movement. In addition, Appgate SDP’s patented SPA technology hides your most valuable resources using cryptographic techniques to further protect your network from a range of potential attacks.
Working with your existing security ecosystem to enforce Zero Trust principles, Appgate SDP features a single policy decision point that controls access across your organization’s entire IT ecosystem. In addition, exceptional strategic technology and API integrations mean less rip and replace and more augment and optimize to strengthen and simplify access controls by putting existing systems and data to work. This includes the ability to augment existing investments in VPN technology.
Appgate SDP offers the most feature-rich and comprehensive solution available on the market today to strengthen and simplify network security. Learn more about Appgate SDP by signing up for a live demo, which occurs every other Wednesday.
Additional SDP vs. VPN resources:
- SDP vs. VPN Live Hack
- Five Steps for Successful VPN to ZTNA Migration eBook
- eBook: Securing the Hybrid Enterprise
- Case study: Jellyvision enables secure access across hybrid environments