What is the Difference Between Software Defined Perimeter and Zero Trust?
Published 11/13/2021
Written by the CSA SDP and Zero Trust Working Group
Summary: After reading this blog you’ll understand what Zero Trust is, the problems it helps solve, and the basics around what implementing Zero Trust looks like using SDP.
What is Zero Trust?
“Zero Trust” changes how network access works; as the name implies, users aren’t allowed access to anything until they authenticate who they are. Zero Trust is a network security architecture that withholds access until a user, device or even an individual packet has been thoroughly inspected and authenticated. Specifically, the least amount of necessary access is granted and there is continuous monitoring of suspicious user activity.
Why Zero Trust?
The first reason is that it helps deal with a changing perimeter, whereas fixed network perimeter is problematic for mobile devices. The second major reason is that it helps solve the IP address conundrum. IP addresses simply provide connectivity without any user context, which means they are inherently open to compromises. Changes to IP addresses can mean extensive configuration and errors creeping into network security groups and network access control lists. Last but not least, implementing integrated controls can be a challenge. An SDP deployment can offer a single point for network layer firewall configuration.
Problems Zero Trust Addresses
#1 Access Control Vulnerabilities - Access control mechanisms with current authentication and authorization protocols have weaknesses that are being exploited or bypassed.
#2 Endpoint Monitoring Weaknesses - Vulnerabilities exist at the network layer prior to transport.
#3 Network Packet Inspection Limitations - Packet analysis happens at the application layer, so incursions can happen prior to detection.
Implementing Zero Trust
There are four key features required in order to implement Zero Trust.
- It requires authentication before access. This means it implicitly requires separate control and data planes and immediate authentication.
- It requires the ability to limit network connectivity and exposure, which means it will drop network connections if authentication fails.
- It requires a granular trust mechanism. This is unlike VPNs that do not have fine-grained access control. It also means that it implicitly requires authorization as well as authentication and access.
- It requires monitoring for suspicious activity, which means it implicitly requires instant knowledge of connectivity and use of services.
How SDP Implements Zero Trust
How does Software Defined Perimeter (SDP) enable you to implement Zero Trust?
The first way is that SDP provides the ability to hide assets, which then enables deny-all gateway until users/devices are proven. It also provides single packet authorization which enables integrated controls for authentication and authorization. Lastly it provides the ability to authenticate before access. SDP does this by implementing a separate control and data channel. It also validates prior to TLS/TCP handshakes. Fine-grained access control is implicit in this design and two-way mutually encrypted communications are enforced.
Benefits of SDP
One of the main benefits of SDP is the fact that it reduces the attack surface, which means enhanced protection for cloud applications. Reducing the attack surface gives more centralized control to business/system owners as well. It also helps give visibility to all authorized connections. Everything is monitored instantly because controls are integrated.
Another benefit is that it reduces the cost of ownership. It does this by reducing costs for endpoint prevention/detection and incident response while also reducing complexity for integrating controls.
Read More About SDP and Zero Trust
Software-Defined Perimeter (SDP) and Zero Trust
This paper will show how SDP can be used to implement ZTNs and why SDP is applied to network connectivity, meaning it is agnostic of the underlying IP-based infrastructure and hones in on securing all connections using said infrastructure - it is the best architecture for achieving Zero Trust.
Coming Soon: NEW Zero Trust Architecture Training
CSA is currently working on developing a training course for Zero Trust Architecture. Stay tuned for more information! If you have any questions or want to get involved please reach out to [email protected].
Acknowledgements
This blog is based off of the information written by the SDP Working Group for their presentation on SDP. We’d like to especially thank the following individuals: Bob Flores, Jason Garbis, Junaid Islam, Juanita Koilpillai, and Shamun Mahmud.Learn more about Zero Trust by visiting CSA’s Zero Trust Advancement Center.
Related Articles:
What 2024’s SaaS Breaches Mean for 2025 Cybersecurity
Published: 12/03/2024
A Wednesday in the Life of a Threat Hunter
Published: 11/27/2024
Bringing the Security vs. Usability Pendulum to a Stop
Published: 11/26/2024