Circle
Events
Blog

What is the Difference Between Software Defined Perimeter and Zero Trust?

What is the Difference Between Software Defined Perimeter and Zero Trust?

Blog Article Published: 11/13/2021

Written by the CSA SDP and Zero Trust Working Group

Summary: After reading this blog you’ll understand what Zero Trust is, the problems it helps solve, and the basics around what implementing Zero Trust looks like using SDP.

What is Zero Trust?

“Zero Trust” changes how network access works; as the name implies, users aren’t allowed access to anything until they authenticate who they are. Zero Trust is a network security architecture that withholds access until a user, device or even an individual packet has been thoroughly inspected and authenticated. Specifically, the least amount of necessary access is granted and there is continuous monitoring of suspicious user activity.

Why Zero Trust?

The first reason is that it helps deal with a changing perimeter, whereas fixed network perimeter is problematic for mobile devices. The second major reason is that it helps solve the IP address conundrum. IP addresses simply provide connectivity without any user context, which means they are inherently open to compromises. Changes to IP addresses can mean extensive configuration and errors creeping into network security groups and network access control lists. Last but not least, implementing integrated controls can be a challenge. An SDP deployment can offer a single point for network layer firewall configuration.

Problems Zero Trust Addresses

#1 Access Control Vulnerabilities - Access control mechanisms with current authentication and authorization protocols have weaknesses that are being exploited or bypassed.

#2 Endpoint Monitoring Weaknesses - Vulnerabilities exist at the network layer prior to transport.

#3 Network Packet Inspection Limitations - Packet analysis happens at the application layer, so incursions can happen prior to detection.

Implementing Zero Trust

There are four key features required in order to implement Zero Trust.

  1. It requires authentication before access. This means it implicitly requires separate control and data planes and immediate authentication.
  2. It requires the ability to limit network connectivity and exposure, which means it will drop network connections if authentication fails.
  3. It requires a granular trust mechanism. This is unlike VPNs that do not have fine-grained access control. It also means that it implicitly requires authorization as well as authentication and access.
  4. It requires monitoring for suspicious activity, which means it implicitly requires instant knowledge of connectivity and use of services.

How SDP Implements Zero Trust

How does Software Defined Perimeter (SDP) enable you to implement Zero Trust?

The first way is that SDP provides the ability to hide assets, which then enables deny-all gateway until users/devices are proven. It also provides single packet authorization which enables integrated controls for authentication and authorization. Lastly it provides the ability to authenticate before access. SDP does this by implementing a separate control and data channel. It also validates prior to TLS/TCP handshakes. Fine-grained access control is implicit in this design and two-way mutually encrypted communications are enforced.

Benefits of SDP

One of the main benefits of SDP is the fact that it reduces the attack surface, which means enhanced protection for cloud applications. Reducing the attack surface gives more centralized control to business/system owners as well. It also helps give visibility to all authorized connections. Everything is monitored instantly because controls are integrated.

Another benefit is that it reduces the cost of ownership. It does this by reducing costs for endpoint prevention/detection and incident response while also reducing complexity for integrating controls.

Read More About SDP and Zero TrustSoftware-Defined Perimeter (SDP) and Zero Trust

Software-Defined Perimeter (SDP) and Zero Trust

This paper will show how SDP can be used to implement ZTNs and why SDP is applied to network connectivity, meaning it is agnostic of the underlying IP-based infrastructure and hones in on securing all connections using said infrastructure - it is the best architecture for achieving Zero Trust.

View this publication →

Coming Soon: NEW Zero Trust Architecture Training

CSA is currently working on developing a training course for Zero Trust Architecture. The first two modules of the course are expected to be released by Q1, 2022. Stay tuned for more information! If you have any questions or want to get involved please reach out to [email protected].

Acknowledgements

This blog is based off of the information written by the SDP Working Group for their presentation on SDP. We’d like to especially thank the following individuals: Bob Flores, Jason Garbis, Junaid Islam, Juanita Koilpillai, and Shamun Mahmud.

Share this content on your favorite social network today!