Software-defined perimeter: What it is and how it works

A growing number of organizations are drawing an invisible line around their internet-connected resources in an effort to keep attackers at bay. Called software-defined perimeter (SDP), it is based on the relatively simple idea of throwing a virtual barrier around servers, routers, printers, and other enterprise network components.

The goal of SDP is to protect networks behind a flexible, software-based perimeter. “Advantages include stronger security and greater flexibility and consistency,” says Ron Howell, principal SD-WAN and SASE architect at IT and business consulting firm Capgemini Americas.

It can address security challenges that have become more complex with the advent of applications built out of microservices that may be housed on more than one server rather than traditional, monolithic apps that generally resided on a dedicated server. “More recently, applications have been further modularized—they are now composed of multiple workload types and microservices in the organization’s data center or the public cloud,” says Chad Skipper, global security technologist for VMware.

What is an SDP?

The SDP framework obfuscates servers or nodes, typically on an internal network, says Chalan Aras, managing director, cyber and strategic risk, at business advisory firm Deloitte. “SDP uses identity and other substantiation methods to permit visibility and connectivity to network nodes or servers on a least-privilege or need-to-access basis.”

An SDP is specifically designed to prevent infrastructure elements from being viewed externally. Hardware, such as routers, servers, printers, and virtually anything else connected to the enterprise network that are also linked to the internet are hidden from all unauthenticated and unauthorized users, regardless of whether the infrastructure is in the cloud or on-premises. “This keeps illegitimate users from accessing the network itself by authenticating first and allowing access second,” says John Henley, principal consultant, cybersecurity, with technology research advisory firm ISG. “SDP not only authenticates the user, but also the device being used.

Benefits of SDPs

When compared with traditional fixed-perimeter approaches such as firewalls, SDP provides greatly enhanced security. Because SDPs automatically limit authenticated users’ access to narrowly defined network segments, the rest of the network is protected should an authorized identity be compromised by an attacker. “This also offers protection against lateral attacks, since even if an attacker gained access, they would not be able to scan to locate other services,” Skipper says.

SDP’s central benefit is simple: creating a higher level of network protection. “SDP has been instrumental in protecting enterprises against many different attack vectors, including denial-of-service, brute force, credential theft, man-in-the-middle, server exploitation, and session hijacking,” Henley says. Other SDP benefits include strengthened and simplified access controls, reduced attack surfaces, simplified policy management, and a generally improved end-user experience.

Since SDP can be dynamically rconfigured, it’s well suited to protect rapidly changing environments such as enterprise users accessing applications, or application environments with many micro-services that are spawned, scaled, or terminated on a real-time basis, Aras says.

How an SDP works

An SDP validates users and apps by authenticating them before it connects them to granularly limited portions of the network. This microsegmentation, created by remapping DNS and IP address spaces, provides authorized users with the access they need while denying them access to resources they don’t require. This essentially creates individual networks, each with a limited number of nodes so if bad actors do manage to gain access, the damage they cause can be confined.

Central to SDP architecture is the controller, software that facilitates connecting users and devices that are seeking access (initiating hosts) with the resources they seek, such as apps and servers (accepting hosts). The controller authenticates the initiating host and determines the list of accepting hosts it is permitted to connect with. The controller instructs all the authorized accepting hosts to accept communications from the initiating host and shares the list with the initiating host. The initiating hosts can then create direct VPN connections with the accepting hosts.

In some cases, the accepting host is a gateway that acts as a proxy between the initiating host and multiple resources it seeks to connect with. In other cases, an SDP can be set up between two servers that need to communicate as with modern applications built around microservices.

Connectors and proxies, terms often used interchangeably, may sit in front of servers to gate access to them. They connect two network domains together and perform networking functions such as routing, network-address translation, and load balancing to direct traffic from one user or application to another, Arras says.

In micro-service contexts, the proxy may be integrated into the micro-service fabric, such as in the case of the envoy proxy, an open-source edge proxy used in micro-services. In an Istio service mesh, for example, the envoy proxy can be used to connect micro-services so that mini-apps can securely communicate with each other in an open-source service mesh that layers transparently onto existing distributed applications, Aras says.

Zero Trust Network Access

Because of its strict authentication and tightly restricted network access, SDP is a vital part of Zero Trust Network Access (ZTNA), which is based on the premise that no device is ever really secure. “There’s no safe perimeter anymore due to workforce changes, microservices-based applications that can scatter components virtually anywhere, and the increasingly collaborative nature of business processes,” Skipper says, “There is no device that’s safe: no smartphone, no desktop—period.”

Addressing ZTNA requires tightly controlled network access and limited authorization, and SDP is a good place to start. “SDP helps users to properly authenticate before access is provided, and only to applications to which those users have been granted access,” Henley says.

Henley estimates that there over 20 vendors currently offering SDP products, including Akamai (Enterprise Application Access),, Cisco (Duo Beyond), Ivanti (Ivanti Neurons for Secure Access), McAfee (MVISION Private Access), Netmotion (NetMotion SDP), Verizon (Verizon Software Defined Perimeter), and Versa (Versa Secure Access Client).

Deploying SDP also doesn’t free enterprises from the responsibility of maintaining existing security practices. “No matter which security technologies your organization implements, or what it may be called, knowing what your important data is, and where it’s located, is the key for knowing how to protect it,” says Steve Jaworski, supervisor with audit, tax, and consulting firm RSM US.

Remember, too, that deploying SDP is not a once-and-done deal. “It’s important that organizations actively monitor and upgrade SDP software as required,” Jaworski advises. “In addition, tests should be conducted to ensure the software is not leaking and permitting access to the protected resources.”