It is now clear that VPNs do not always provide the visibility and control threat inspection needed for companies. In fact, it’s estimated that 60% of enterprises will phase out network VPNs in favor of software-defined perimeters called SDP by 2021.
Thankfully, these critical pain points can be easily addressed with a consolidated network access solution that provides secure, segmented and audited access to cloud environments, applications and local services – the Software-Defined Perimeter (SDP).
The Modern Business Environment
It’s critical for cybersecurity to evolve alongside technological advancements and increasingly sophisticated cyber threats.
In today’s modern working environment, there are many endpoints and processes that must be secured, including:
- Remote employees, mobile users, and cloud computing solutions
- Wireless technologies and third-party pathways into the network
- Malicious outside and inside security threats
- Weak perimeter defenses that allow intruders to gain access and move laterally within the internal network
Legacy VPNs Provide Inadequate Capabilities
Today’s threats are no longer isolated to on-premises applications and devices. When the average organization uses 1,427 cloud services, of which 90% are unknown to IT, it is clear that legacy technology, such as VPNs, do not provide the visibility, control and threat inspection capabilities needed to effectively secure your network.
Reason #1: Lack of Network Segmentation
Internal networks are rarely homogeneous, which is why different users should have different levels of access and trust to sensitive resources. For example, a remote worker would not have the same access to the network as you would. Which is why network segmentation and user access control is critically important to limit resource access and mitigate cyber attacks. However, traditional VPNs are not able to provide coarse-grained network segmentation with different levels of access for different users.
Reason #2: Lack of Traffic Visibility
Unfortunately, legacy devices and technologies commonly used to build network perimeters let too much unwanted traffic through. For example, legacy VPN technology is unable to distinguish between good and bad applications which means IT is responsible for building and maintaining extensive permissive access controls. They also fail to adequately account for encrypted application traffic and are unable to accurately identify and control users.
Reason #3: Not Suited for Dynamic Networks
Traditional VPNs require tedious hardware, constant management and cannot easily adjust to network or server changes. These VPNs make it more complicated to scale and rapidly adjust for new users and network locations, making it increasingly difficult to effectively manage hybrid and cloud-based computing models.
Reason #4: Lack of On-Premises User Security
VPNs are often used to enable remote connections to the network, but as a siloed solution, do not secure on-premises users. This lack of on-site security allows bad actors to exploit weaknesses in the office by gaining access to user accounts and moving laterally across the network.
Reason #5: Lacking Wi-Fi Security
Many remote and traveling employees often can’t tell whether Wi-Fi networks are secure, have devices that automatically join unsecured public Wi-Fi hotspots without their knowledge, or utilize VPN services that simply disconnect when a device is in locked or sleep mode. While many VPN providers offer this function, hardware-based legacy appliances and open-source VPN solutions require hours of manual configuration, lack unified network visibility and do not integrate well with the cloud.
Introducing the Software-Defined Perimeter
It’s clear that organizations need an entirely different set of technologies and policies to provide secure network access to both on-site and remote users. The Software-Defined Perimeter (SDP) is an emerging technology that is changing cloud networking. In fact, 60% of enterprises will phase out network VPNs in favor of software-defined perimeters by 2021.
The emergence of SDP has provided a holistic solution to remove the reliance on hardware across the entire security stack and to deploy, manage, and visualize network connections using only software. This enables the integration of powerful APIs, as well as the ability to analyze and visualize network traffic.
Implementing SDP allows organizations to restrict network access and provide customized, manageable and secure access to networked systems. Connectivity is based on the need-to-know-model, meaning each device and identity must be verified before being granted access to the network. This significantly reduces the attack surface area, hiding system and application vulnerabilities from unauthorized users.
How It Works
An SDP solution allows IT Managers to deploy gateways on-premise or over the cloud, securing employees’ remote access to cloud and on-premise applications, all while keeping sensitive data within the organizational network. It has been shown to stop all forms of network attacks including DDoS, Man-in-the-Middle, Server Query (OWASP10) and Advanced Persistent Threat.
A Software-Defined Perimeter (SDP) architecture has three important components: a Client, a Controller, and a Set of Gateways.
- Client: The client runs on each user’s device while the controller is required to authenticate the users and their devices.
- Controller: Each user is evaluated by the controller and issues tokens granting each user individual network entitlements.
- Gateways: The set of gateways is where access is granted to the previously private resources. Network traffic is encrypted and tunneled between the user’s device and the corresponding SDP Gateway. This access point is logged, allowing compliance and auditing to track and record.
Twice as Many Reasons to Use SDP
Without SDP, a single user can do a lot of damage to your organization’s network. While some legacy solutions might be able to provide some of the following benefits with additional customization and integration, the SDP has been found to do it much faster and better.
With an SDP, you can implement automated policies that dictate which device, user or service is able to access the network.
- Global Access
Using an SDP, you can deploy unified gateways, giving access to any resources, from any location. This provides connectivity for remote and on-premise users.
- Precise Segmentation
SDPs integrate with any Identity Provider, including Active Directory and SAML services, allowing you to utilize precise segmentation.
- Secured & Encrypted
To ensure total privacy, data security and classification, SDPs provide client and endpoint protection, identity and access management, OS and application level security, all while encrypting traffic with mutual TLS encryption.
- Policies Based on Users
Because SDP systems are user-centric (i.e. they validate the user and the device before permitting any access), they permit organizations to create access policies based on user attributes. This enables automated compliance reporting based on these details.
- Seamless Audit and Report
Exporting of logs and connection data to SIEM (security information and event management software products) or analytics platforms (such as Sumo Logic) via API is simple.
- Account Hijacking
Session cookie-based account hijacking is completely mitigated by SDP. Since all access is pre-authenticated and pre-authorized, incoming requests from malicious end-points are rejected.
- Denial of Service
Single Packet Authorization (SPA) makes SDP architecture much more resilient towards DoS attacks. Since SPA takes significantly fewer resources than a typical TCP handshake, servers are able to drop unsolicited network packets at scale.
- Reduced Costs
Automation reduces the need for manual firewall updates, reducing workload and labor costs and increasing productivity.
- Least Privilege Access
Secure, policy-based access and network segmentation create one-to-one network connections between the user and the resources they access. Everything else is invisible – including the system itself. This not only applies the principle of least privilege to the network but also reduces the attack surface area by hiding network resources from unauthorized users.
Cost-Effective SDP Network Access and Security
The bottom line is that legacy, perimeter-centric technologies are no longer effective against sophisticated cyber threats, growing endpoints and increased mobility, hyper interconnectivity and globalization.
Perimeter 81 is a technology built to replace traditional VPN technology and provide secure on-premise and remote access for the modern and distributed workforce. It offers a hardware-free, highly-scalable, cost-effective solution that ensures simplified secure network access to protect IP assets from end-point to data-center to the cloud. With a “Dropbox-like” intuitive user-interface, Perimeter 81 is the ideal solution for SMB-sized organizations not currently using a VPN due to cost and complexity.
With Perimeter 81, businesses can monitor and manage their network all in one place and easily secure and segment resource access. Our service provides greater network visibility, seamless onboarding and full integration with major cloud providers, giving companies of all industries and sizes the power to be truly mobile and enjoy complete confidence in the cloud.
We hope you found this post helpful! Feel free to let us know if you have any questions and follow us on social media if you’d like to continue receiving all the latest business security news. To learn more about the many advantages new SDP technology has over legacy VPN solutions, we invite you to schedule a complimentary demo.