Zero Trust and the Software-Defined Perimeter

The workplace has never been more exposed to security risk than it is today. Even before staff was forced to work from home, employees were on the road, accessing diverse applications from planes, hotel rooms, and coffee shops. 

To ensure productivity and business continuity, IT teams have been tasked with making these applications seamlessly available, regardless of the device or location of the user.

The move from desktops to laptops, locally hosted applications to SaaS applications, and the explosion in communication tools had been building for years, but became mission critical to every business this year.

With every change in environment or user demand, security has played a never-ending game of catch-up as it seeks to protect sensitive enterprise data. And as that data travels in and out of applications and devices, the network is ground zero for security.

For many organizations, networks still operate on a physical, perimeter-based security model that requires users to be inside the walls of the organization to reach internal applications. Whenever an employee needed access from outside, administrators ‘solved’ this with VPNs, poking holes in their firewalls to give users coarse-grained access to everything on the internal network. Security was then enforced application by application, with tools such as single sign-on (SSO).

The problem is that tunnelling this traffic created bottlenecks at the firewall and gave the organization no insight into what users were doing once inside the network. Once in, they could reach (or attack) large network segments without raising any red flags, because administrators lacked centralized visibility.

Additionally, with the rise of cloud-hosted applications, VPN solutions struggled with even basic tasks such as routing traffic to the appropriate destination.

Zero Trust network architectures have emerged to address many of these issues.

Zero Trust Networks

Zero Trust is a network security model that requires every request for access to an application to be authenticated and authorized, regardless of where on the network it originates. The term, coined by Forrester almost a decade ago, gets its name from its definition: applications and networks must never implicitly trust any entity seeking access.

Users don’t care (and shouldn’t care) where their applications are located or how they are being secured. They just want fast and convenient access to get their work done. The events of this year have made many IT and security professionals realize that their current architecture not only provides a less than ideal user experience, but is also ill-equipped to secure the access their employees need while working remotely.

Networks were initially designed around two zones: internal and external. The internal network was deemed ‘trustworthy’, while the external environment was treated as hostile. Once anyone was on the internal network they could move freely as a ‘trusted’ entity.

In contrast, Zero Trust networks deliver applications or services only as needed, and only to authenticated users and devices. Every new application or user is authenticated and authorized before access is allowed. This helps to prevent discovery of applications through DNS as well as lateral movement by unauthorized users already inside the network.

The rise of the software-defined perimeter

The world of perimeters and VPNs is site-centric: everything was designed around the need to protect the site. Today’s architectures are evolving to be user-centric. A user-centric approach incorporates practices such as least privilege (access only to what you need) and Zero Trust (deny access to all resources until a user is authenticated and authorized).

Software-defined perimeter (SDP) has emerged as the best way to enable this. So what is SDP? SDP can be thought of as VPN 2.0: a software-defined VPN that applies the principles of Zero Trust.

With an SDP, a user and their device are authenticated before any access is granted. Once authenticated, the user is given access only to the applications they have been authorized to use. That access is enabled by the SDP’s integration with an identity provider and enforced by the software-defined network.

To achieve this, access policies in the SDP should be additive, starting from a default of deny and granting least privilege, linking groups of users only to the applications they require. This minimizes each user’s exposure to sensitive applications and data, and limits the risks associated with excessive access.

And all of this is accomplished without a complete reconfiguration of existing infrastructure by using a software-defined network overlay.

Trustgrid SDP

Trustgrid’s SDP integrates with an organization’s existing identity solutions to apply identity-centric access control to the network. Integration with any OpenID Connect or SAML identity provider (Okta, Azure AD, etc.) supplies company-managed user and group identities, which determine which applications a user is authorized to see and access. Authentication, combined with this group-based authorization, limits a user’s visibility and connectivity to only authorized applications.

This means that no trace of an application exists for a user (its DNS name doesn’t even resolve) unless they are explicitly authorized to access it, which helps to ensure that applications are protected from both internal and external threats.
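The additive, default-deny policy described in the previous section and the identity-provider group mapping described here can be made concrete with a small policy evaluator. The following Python is an added illustration written for this article; it is not Trustgrid’s code, and the group names, application names, hostnames and device identifiers are constructed. It assumes the identity provider asserts group claims and that devices were registered through a self-service portal, and it models the “DNS doesn’t even resolve” behaviour by returning no hostname for anything the requester is not authorized to use.

```python
"""Added example: an additive (default-deny) SDP access policy.

Illustrative code written for this article, not Trustgrid's implementation.
Assumes an identity provider that returns group claims and a device
registry populated via a self-service portal. All names are constructed.
"""
from dataclasses import dataclass, field

# Policy: identity-provider group -> applications that group may reach.
# Anything not listed is denied; there is no allow-all entry.
POLICY = {
    "finance": {"erp", "expenses"},
    "engineering": {"gitlab", "ci"},
    "all-staff": {"wiki"},
}

# Application -> internal hostname. The overlay only answers DNS queries
# for applications the requester is authorized to use.
APP_HOSTS = {
    "erp": "erp.corp.internal",
    "expenses": "expenses.corp.internal",
    "gitlab": "gitlab.corp.internal",
    "ci": "ci.corp.internal",
    "wiki": "wiki.corp.internal",
}

# Devices registered through the self-service portal (constructed sample).
REGISTERED_DEVICES = {"laptop-0142", "laptop-0377"}


@dataclass(frozen=True)
class Identity:
    """Claims as an OIDC/SAML provider would assert them (constructed)."""
    subject: str
    groups: frozenset = field(default_factory=frozenset)
    device_id: str = ""


def authorized_apps(identity: Identity) -> set:
    """Union of every application granted by any of the identity's groups.

    Additive: a group can only add access, never remove it, and a user
    with no matching groups (or an unregistered device) ends up with the
    empty set, which is the default-deny position.
    """
    if identity.device_id not in REGISTERED_DEVICES:
        return set()  # unregistered device: nothing is visible
    apps = set()
    for group in identity.groups:
        apps |= POLICY.get(group, set())
    return apps


def resolve(identity: Identity, app: str):
    """Return the application's hostname, or None when the requester is
    not authorized, so an unauthorized user cannot even resolve the name."""
    if app in authorized_apps(identity):
        return APP_HOSTS.get(app)
    return None


def can_connect(identity: Identity, app: str) -> bool:
    """Connection-time check, evaluated on every request, not once per session."""
    return app in authorized_apps(identity)


if __name__ == "__main__":
    alice = Identity("alice", frozenset({"finance", "all-staff"}), "laptop-0142")
    mallory = Identity("mallory", frozenset(), "laptop-0377")
    bob = Identity("bob", frozenset({"engineering"}), "laptop-9999")
    print(sorted(authorized_apps(alice)))  # ['erp', 'expenses', 'wiki']
    print(resolve(alice, "gitlab"))        # None
    print(resolve(mallory, "wiki"))        # None
    print(authorized_apps(bob))            # set(): device not registered
```

The check runs on every connection rather than once at login, which is what distinguishes this from a VPN that grants a network-wide session; an engineer on an unregistered device gets the same empty result as a user with no group grants.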


From an administration perspective, delivering this access is as simple as connecting the Trustgrid portal to an identity solution, identifying the applications to be connected by the SDP, and pushing out the self-service portal for users to register new devices.

Once assembled, users and traffic are visible from a single pane of glass, and all traffic history is centrally logged and made available to other security solutions.

With the impact of a suddenly remote workforce still rippling through the enterprise, finding and remediating security gaps has never been more critical. The changes to enterprise IT environments have been building for a while, but this year’s events have made the case for updating network security far more pressing.

Zero Trust network architectures enabled by a software-defined perimeter may be the answer today’s IT environments have been looking for.
