/ What’s the Difference Between SDP and VPN?
What’s the Difference Between SDP and VPN?
The difference between a software-defined perimeter (SDP) and a virtual private network (VPN) is that where a traditional VPN places a barrier around an entire corporate network, an SDP effectively negates a network perimeter by placing security policies and controls around software, reducing permissions to a workload-to-workload or app-to-app basis rather than a typical perimeter-based architecture.
What Is a Software-Defined Perimeter (SDP)?
Software-defined perimeter (SDP) is a security approach that distributes access to internal applications based on a user’s identity, with trust that adapts based on context. Where traditional security is centralized in the data center, SDP is everywhere, delivered by the cloud. It uses business policy to determine end user authentication to resources, making it an important part of securing cloud- and mobile-first organizations.
First conceptualized by the Defense Information Systems Agency (DISA) in 2007, SDPs are built on a need-to-know model with trust that is constantly monitored and adapted based on a range of criteria. They make application infrastructure invisible to the internet, reducing the attack surface from network-based cyberattacks (DDoS, ransomware, malware, server scanning, etc.).
The Cloud Security Alliance (CSA) took interest in the concept and began developing the SDP framework in its early stages. In 2011, while SDP was still a new concept, Google became an early adopter with the development of its own SDP solution, Google BeyondCorp. Today, organizations adopting SDP are modernizing their endpoint, cloud, and application security—especially amid the shift to work-from-anywhere.
How Does an SDP Work?
- Trust is never implicit: Traditional network security offers users excessive trust. With an SDP, trust must be earned. SDPs only grant application access to users who are authenticated and specifically authorized to use that app. Furthermore, authorized users are only granted access to the application, not the network.
- No inbound connections: Unlike a virtual private network (VPN), which listens for inbound connections, SDPs receive no inbound connections. By responding with outbound-only connections, SDPs keep network and application infrastructure invisible or cloaked to the internet and therefore impossible to attack.
- Application segmentation, not network segmentation: In the past, organizations had to perform complex network segmentation to prevent a user (or an infection) from moving laterally across the network. This worked well enough, but it was never granular and required constant maintenance. SDP provides native application segmentation—that narrows access controls down to a one-to-one basis, resulting in far more granular segmentation that’s much easier for your IT team to manage.
- Secure internet usage: With users everywhere and applications moving outside your data center, your organization needs to shift away from a network-centric focus. You need to shift security to where your users are, and this means leveraging the internet as your new corporate network. SDP is focused on securing user-to-application connections over the internet rather than securing users’ access to your network.
From an architectural standpoint, SDP differs fundamentally from network-centric solutions. SDPs eliminate the enterprise overhead of deploying and managing appliances. Adopting an SDP architecture also simplifies your inbound stack by cutting reliance on VPNs, DDoS protection, global load balancing, and firewall appliances.
SDP Use Cases
While SDP has many use cases, many organizations choose to start in one of the following four areas:
Securing Multicloud Access
Many organizations leverage a multicloud model by, for example, combining Workday and Microsoft 365 as well as infrastructure services from AWS and Azure. They may also use a cloud platform for development, cloud storage, and more. The need to secure these environments leads organizations to SDP because of its ability to secure connections based on policy, no matter where users connect from or where applications are hosted.
Reducing Third-Party Risk
Most third-party users receive overprivileged access, which creates a security gap for the enterprise. SDPs significantly reduce third-party risk by ensuring external users never gain access to the network and that authorized users only have access to applications they’re permitted to use.
Accelerating M&A Integration
With traditional mergers and acquisitions, IT integration can span years as organizations converge networks and deal with overlapping IP addresses—incredibly complex processes. An SDP simplifies the process, slashing the time required to ensure a successful M&A and providing immediate value to the business.
VPN Replacement
Organizations are looking to reduce or eliminate usage of VPNs because they hamper user experience, introduce security risk, and are difficult to manage. SDPs directly address these notorious VPN issues by improving remote access capability.
In fact, Cybersecurity Insiders says that 41% of organizations are looking to reevaluate their secure access infrastructure and consider SDP, with the majority of those requiring a hybrid IT deployment and a quarter implementing SaaS.
Now that we’ve covered the inner workings and use cases for SDP, let’s take a look at a virtual private network, or VPN.
What Is a Virtual Private Network (VPN)?
A virtual private network (VPN) is an encrypted tunnel that allows a client to establish an internet connection to a server without coming into contact with internet traffic. Through this VPN connection, a user’s IP address is hidden, offering online privacy as they access the internet or corporate network resources—even on public Wi-Fi networks or mobile hotspots and on public browsers such as Chrome or Firefox.
Before VPN’s original iteration, known as point-to-point tunneling protocol (PPTP), securely exchanging information between two computers required a hardwired connection, which was inefficient and impractical on a large scale.
With the development of encryption standards and the evolution of the bespoke hardware requirements to build out a secure wireless tunnel, PPTP eventually evolved into what it is today: the VPN server. Able to be applied wirelessly, it saved hassle and costs for businesses in need of secure wireless information transfer. From here, many companies, including Cisco, Intel, and Microsoft, went on to build their own physical and software/cloud-basedl VPN services.
How Does a VPN Work?
A VPN works by taking a standard user-to-internet connection and creating a virtual, encrypted tunnel that links the user to an appliance in a data center. This tunnel protects the traffic in transit so that bad actors using web crawlers and deploying malware can’t steal any of the user’s or entity’s information. One of the most common encryption algorithms used for VPNs is Advanced Encryption Standard (AES), a symmetric block (single-key) cipher designed to protect data in transit.
Most often, only authenticated users can send their traffic through the VPN tunnel. Depending on the type of VPN or its vendor, users may have to reauthenticate to keep their traffic traveling through the tunnel and safe from hackers.
How Businesses Use VPNs
Organizations use VPNs as a means of securing users who are working remotely and using mobile devices or other endpoints that may not be deemed secure. For example, organizations may issue Windows or Mac laptops to enable their employees to work from home when necessary. Of course, this notion is now widespread in the wake of the COVID-19 pandemic.
Organizations deploy VPNs to let remote users securely access corporate resources through unprotected networks—whether it be at home, a coffee shop, a hotel, or elsewhere. Most internet service providers (ISPs) have good security protocols in place to protect non-sensitive data flowing through home networks. However, when it comes to sensitive data, home Wi-Fi security measures aren’t strong enough to protect it on their own, leading organizations to layer on VPN protocols for added security.
VPNs enable organizations to shut off the default flow of traffic from router to data center and instead send it through an encrypted tunnel, which protects data and secures internet access from users working remotely, reducing (but not eliminating) an organization’s attack surface.
SDP vs. VPN: What Are the Differences?
Where SDP and VPN truly differ is in their method of connectivity. VPNs are IP- and network-centric, connecting user devices to networks; SDP instead provides secure connections between authorized users and authorized applications, not the network.
With SDP solutions, inside-out connections are established between user and application, rather than receiving inbound connections from the device and onto the network. These inside-out connections ensure that application IPs are never exposed to the internet while decoupling application access from the network. Since users receive no network access, the attack surface is minimized while users enjoy fast, direct access to applications with no network-related latency—a user experience that’s far superior to VPN.
Organizations are looking to reduce or eliminate usage of VPNs because they hamper user experience, introduce security risk, and are difficult to manage. SDPs directly address these notorious VPN issues by improving secure remote access capability.
SDP and Zero Trust Network Access (ZTNA)
The ZTNA model has become a well-known security framework, but many people don’t realize it’s based on the same principles as SDP. In fact, ZTNA uses SDP principles and functionality. With both methods, there’s no internal network, and users are only allowed to access resources if the context behind the request (user, device, identity, etc.) can be validated.
To help organizations achieve such a high level of security, vendors are promising a ZTNA framework that can keep your organization’s network, data, and cloud resources secure. But many of these frameworks are simply a cloud security platform force-fit on top of legacy appliances—or worse, they’re designed by networking vendors who glue on a security module in an effort to enter the security space.
These platforms don’t offer the scalability, flexibility, and—above all—security that a platform built in the cloud, for the cloud, can offer.
Zscaler, SDP, and ZTNA
The Zscaler Zero Trust Exchange™ includes Zscaler Private Access™ (ZPA), the industry’s only next-generation ZTNA platform, built on the principles of a SDP. ZPA redefines private app connectivity and security for today’s hybrid workforce by applying the principle of least privilege, which gives users secure, direct connectivity to private applications running on-premises or in the public cloud while eliminating unauthorized access and lateral movement.
Zscaler Private Access gives your organization the power to:
- Boost hybrid workforce productivity with fast, seamless access to private apps whether your users are at home, in the office, or anywhere else
- Mitigate the risk of a data breaches by making applications invisible to attackers while enforcing least-privileged access, effectively minimizing your attack surface and eliminating lateral movement
- Stop the most advanced adversaries with first-of-its-kind private app protection that minimizes the risk of compromised users and active attackers
- Extend zero trust security across apps, workloads, and IoT with the world’s most complete ZTNA platform that brings least-privileged access to private apps, workloads, and OT/IIoT devices
Reduce operational complexity with a cloud native platform that eliminates legacy VPNs that are difficult to scale, manage, and configure in a cloud-first world