Oct 15 2019

Embracing Zero-Trust: How to Choose Between Software-Defined Perimeters and Virtual Private Networks

Find out how your federal agency can enhance its cybersecurity as it moves toward a zero-trust model.

As federal agencies consider adopting zero-trust security models, one of the considerations IT security leaders will need to consider is how much they want to evolve their remote access technology.

Traditionally, agencies have relied upon virtual private networks to grant remote access to users operating outside of the agency’s enterprise network. However, more cybersecurity experts are pointing to the limitations of VPNs; namely, that once access is granted, users generally have a great deal of leeway to access files and data on the enterprise network.

Software-defined perimeters, or SDPs, are an essential element of zero-trust architectures and are starting to change the equation. SDPs give agencies the ability to extend more granular remote access to users than VPNs can provide.

Camilla Ahlquist, a product marketing specialist at cloud cybersecurity software firm Zscaler, notes in a blog post that SDPs enable enterprises and agencies “to extend nimble, secure, precision access — access that’s just what users need, just when they need it, nothing more.”

With a zero-trust architecture that uses SDPs, employee devices and users are differentiated and may be able to access appropriate enterprise resources, according to a National Institute of Standards and Technology draft publication on zero trust.

“Visitors to the campus can have internet access but cannot access enterprise resources,” the document notes. “They cannot even conduct network scans to look for enterprise services that may be visible (i.e., prevent active network reconnaissance).”

What Is a Virtual Private Network?

As Cisco Systems notes in a post on its site, a VPN is a private network created within a public network infrastructure, such as the internet. Organizations can use a VPN to “securely connect remote offices and remote users using cost-effective, third-party internet access, instead of expensive, dedicated WAN links or long-distance remote dial links.”

VPNs create an encrypted connection over the internet from a device to a network. “The encrypted connection helps ensure that sensitive data is safely transmitted,” Cisco notes in a separate post. “It prevents unauthorized people from eavesdropping on the traffic and allows the user to conduct work remotely.”

VPNs provide secure remote access and a safe, secure way to connect users and devices remotely to an enterprise network.

The technology uses “strong ways to authenticate the user or device,” Cisco notes. “VPN technology is available to check whether a device meets certain requirements, also called a device’s posture, before it is allowed to connect remotely.”

MORE FROM FEDTECH: Find out how the NIST Risk Management Framework helps boost agencies’ cybersecurity. 

What Is a Software-Defined Perimeter?

According to a white paper from the Cloud Security Alliance, the traditional, fixed perimeter nature of cybersecurity is rapidly becoming obsolete due to BYOD policies and phishing attacks, which can grant untrusted access inside an agency’s perimeter. Additionally, Software as a Service and Infrastructure as a Service cloud environments are changing the location of the perimeter.

SDPs address these issues “by giving application owners the ability to deploy perimeters that retain the traditional model’s value of invisibility and inaccessibility to ‘outsiders,’ but can be deployed anywhere — on the internet, in the cloud, at a hosting center, on the private corporate network, or across some or all of these locations,” the white paper notes.

SDPs aim to give application owners the ability to set up perimeter functionality where needed, the Cloud Security Alliance notes, and “provide access to application infrastructure only after device attestation and identity verification.” 

With SDPs, users, “regardless of whether they are inside or outside the network, connect directly to resources, whether they reside in the cloud, in the data center, or on the internet; all without connecting to the corporate network,” according to an April 2019 white paper on zero trust by the American Council for Technology–Industry Advisory Council (ACT-IAC). Each user’s network traffic becomes encased in a secure perimeter. This is especially useful as more agencies adopt mobile technologies and users connect to networks that are not owned and operated by the government.

“Users (or an SDP host) cannot initiate or accept communication with another SDP host until after connecting to an SDP Controller that authorizes the transaction,” notes the white paper. The SDP Controller obviates the need for Domain Name Server information and port visibility to the outside world, which then effectively cloaks the network to outside users. Software-defined perimeters create a protective casing around critical apps and data access, which enhances an agency’s cybersecurity.

“For example, existing attacks such as credential theft and server exploitation are blocked dynamically as these technologies only allow access from devices registered to authenticated users, which is a key Zero Trust element,” the white paper states.

MORE FROM FEDTECH: See where the DHS CDM program is headed next.

What Is Microsegmentation Networking?

Microsegmentation networking is a concept that is related to software-defined perimeters. While zero-trust networks do have perimeters, the model attempts to shift the perimeter away from the network edge and toward the actual data. Then, that data is segmented and isolated from other data, according to the ACT-IAC white paper. 

“It is critical to (a) control privileged network access, (b) manage internal and external data flows, (c) prevent lateral movement in the network, and (d) have visibility to make dynamic policy and trust decision on network and data traffic,” the white paper states. “The ability to segment, isolate, and control the network continues to be a pivotal point of security and essential for a Zero Trust Network.” 

Microsegmentation allows agency security teams to put in place granular data security policies. These can be “assigned to data center applications, down to the workload level as well as devices,” according to the white paper.

Microsegmentation can help guard against lateral movement in the network. The technique “dissociates segmentation security policy by IP address, and instead associates defined-access policy by that authorized user and app,” the white paper adds.

MORE FROM FEDTECH: Find out how to stay ahead of supply chain security concerns. 

Software-Defined Perimeters vs. Virtual Private Networks

Connectivity to SDP is “based on a need-to-know model, in which device posture and identity are verified before access to application infrastructure is granted,” the Cloud Security Alliance states.

The CSA notes that multiple organizations within the Defense Department and intelligence community have implemented network architecture similar to SDP “based on authentication and authorization prior to network access.”

This is typically used in classified or high-side networks (as defined by the DOD), according to the CSA, and “every server is hidden behind a remote access gateway appliance to which a user must authenticate before visibility of authorized services is available and access is provided.”

As Ahlquist writes in the Zscaler blog post, SDPs hold several advantages over VPNs. One is a better user experience. VPNs typically require users to log in and out repeatedly and can be slow because user traffic is backhauled to data centers, creating latency and lag time.

In contrast, SDPs are built for cloud architectures. “Users no longer have to deal with the constant disruption of entering their VPN credentials or having to think about whether the app is located in the data center or the cloud,” she says. “And with ZTNA [zero-trust network access] and SDP solutions, users are no longer bogged down with latency — faster connections mean happier users.”

SDPs also provide more granular security because they decouple application access from network access. “A good way to think of this is that VPNs are like a castle-and-moat approach to network security, creating a (not so) tough perimeter on the outside but leaving the interior vulnerable to anyone within the castle,” Ahlquist says. “That makes it difficult to minimize security risk. ZTNA and SDPs create a secure, isolated environment around each private application, and provide least-privilege access only to specific authorized users.”

SDPs also provide IT security teams with a higher level of visibility and control over networks, applications and users.

With a VPN, admins can only see a device’s IP address, port data and protocols, meaning they do not have visibility into what the user was actually doing while on the network. SDPs, however, give administrators comprehensive information about all activity between users and apps.

Not only is each transaction tracked in real time, but beyond just listing the IP and port data, SDP solutions “capture data around the user identity, named application, latency, locations, and more,” Ahlquist writes. That makes it easy for IT admins to consume and analyze the information, and the data can then be automatically streamed to a security information and event management provider in real time.

DKosig/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT