Technology is rapidly changing work as we know it. Work is no longer bound to a physical place or a specific time. Organizations must adapt to a multigenerational labor force that is increasingly task oriented, target focused, and gig based. To keep remote workers productive, they need access to business applications, including email, video conferencing, customer databases, and company files, as well as other network resources. Historically this has been achieved with a Virtual Private Network (VPN), which most commonly provides trust-based access to the business network over the Internet.

Today, larger enterprises have one or more virtual private network (VPN) solutions deployed, and VPNs remain one of the most important technologies in IT. In fact, VPNs are crucial for cloud migration, for supporting mobile employees and contractors, and for delivering security products like UTM, Secure Web Gateway, and Network Access Control, all of which are very common in the enterprise network security stack.

However, the demands on VPNs are changing as IT requirements continue to evolve. As a result, some experts are predicting their demise, while others are saying they should be replaced by more advanced technologies. The bottom line is that even if the VPN is replaced by a different acronym, the need for an enterprise-grade secure communications channel is as real now as it was 20 years ago.

Enter Software-Defined Perimeters: The Next Generation VPN

It is clear that now is the time for a new generation of secure remote access solutions, preferably ones designed for the era of cloud applications and mobile connectivity. Software-Defined Perimeter (SDP) solutions have entered the market and are now taking on this challenge. Work on SDPs began around 2007 within the Department of Defense and has evolved into a mainstream solution. The Cloud Security Alliance created a working group that published a specification in April 2014. The goal of SDPs is to prevent network attacks on the application infrastructure. The unique capability of SDPs is that they treat the perimeter as something that follows the user device wherever it is, rather than trying to protect a specific location like an office or data center.

Connectivity in an SDP is based on granting specific access only after verifying that the device, identity, and role are authorized. In addition to the “need-to-know” access model, the system requires cryptographic verification to ensure compliance. In theory, the use of SDPs, which conceal the application infrastructure, should mitigate the most common network-based attacks, including server scanning, denial of service, SQL injection, man-in-the-middle, and cross-site scripting (XSS).

When considering SDP solutions as an alternative to VPNs, look for ones that address all of the key business needs discussed above. Many solutions focus exclusively on remote access. This is an acute need today for many organizations, but it’s best to invest in a solution that can upgrade all of your VPN requirements and manage them centrally, to significantly reduce the operational overhead.

Key considerations when selecting a software defined perimeter include:

Software-Defined Access

All SDP solutions provide software-defined access. Rather than the old approach of connecting users to the network, SDPs connect them to specific applications or network resources such as servers. Everything else is invisible to the user, and therefore isolated from threats on the endpoint. This kind of dynamic micro-segmentation is the core of Software-Defined Access, and when combined with advanced multi-factor authentication and continuous verification, it dramatically improves the security posture of the network.

SDP solutions simplify the process of defining access policies for IT, and for the end user, they make it easier to access all of the applications they need, without knowing which data center or cloud they are located in. There are generally two ways for users to connect – through a browser by simply clicking a link, and through an agent-based solution. Agentless solutions have a clear advantage when it comes to personal devices or contractors. But agents enable support for the full range of applications, secure internet traffic, and device posture-checks. Many organizations will need a combination of both approaches to meet all of their secure remote access scenarios.

Many basic SDP solutions are built on a proxy architecture, so they cannot replace the remaining functions of the VPN.

Cloud-Delivered Network Security

In addition to remote access, SDP solutions should address the second function of VPN – delivering internet security. With the majority of users working off-site and from unsecured locations, securing their internet traffic is more important than ever. In the broad sense, a “Software-Defined Perimeter” means that security is user-centric rather than site-centric, and includes all of the essential network security functions that IT delivers today, regardless of where the user device is located.

Leveraging the cloud, SDP solutions can deliver network security via a large network of Points of Presence (PoPs), and eliminate the latency issues and costs associated with backhauling internet traffic to the data center. When an SDP solution is implemented over a global cloud network, it’s possible to service-chain best-of-breed security products. For global organizations, this model simplifies network security without compromising on quality. At the same time, it offers a faster, more transparent user experience.

Cloud and Hybrid Cloud Networking

In the era of cloud migration, SDP solutions also have an important role to play in cloud networking. Just as site-to-site VPNs traditionally connected branches, today clouds must be connected to the data center, to branch offices, and to each other. An SDP solution based on a cloud network (NaaS) provides the connectivity that is often required for complex applications and services.

As-a-Service Management and Delivery

First-generation VPN solutions combined physical WAN infrastructure with the virtual private network. The new generation of SDP solutions makes a clean break, delivering a software-defined network that is completely independent of the physical network topology. While SD-WAN solutions have also made strides in this direction, they still connect branches to the data center. In contrast, full SDP solutions abstract the enterprise network as a set of users and resources. IT onboards them once, and then defines policies for connectivity and security. For example, policies can determine that an AWS cloud connects to an Azure cloud, that a group of software developers can access a production environment in the data center, or that the sales team accesses the internet through a Secure Web Gateway. This is a far simpler approach than managing and synchronizing VPN policies for every location.
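To make the need-to-know access model from the earlier Software-Defined Access section and the user-and-resource policies described here concrete, the following is an added illustration (not Meta Networks' or any vendor's code): a minimal default-deny evaluator that decides, per resource, whether a session's identity, role, MFA state and device posture satisfy the policy, so that only permitted resources are exposed and everything else stays invisible. Resource names, roles and posture attributes are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    managed: bool         # corporate device running the SDP agent (posture can be checked)
    disk_encrypted: bool  # example posture attribute reported by the agent


@dataclass(frozen=True)
class Session:
    user: str
    roles: frozenset      # roles asserted by the identity provider after authentication
    mfa_verified: bool
    device: Device


@dataclass(frozen=True)
class Policy:
    resource: str
    allowed_roles: frozenset
    require_mfa: bool = True
    require_managed_device: bool = False  # agent-based posture check; browser-only access fails it


def permits(session: Session, policy: Policy) -> bool:
    """Default deny: every condition of the policy must hold for this single resource."""
    if not session.roles & policy.allowed_roles:
        return False
    if policy.require_mfa and not session.mfa_verified:
        return False
    if policy.require_managed_device and not (
        session.device.managed and session.device.disk_encrypted
    ):
        return False
    return True


def visible_resources(session: Session, policies) -> frozenset:
    """Resources the SDP exposes to this session; anything not listed is unreachable."""
    return frozenset(p.resource for p in policies if permits(session, p))


# Constructed sample policies mirroring the article's examples (hypothetical resource names).
POLICIES = (
    Policy("prod-env", frozenset({"developer"}), require_managed_device=True),
    Policy("crm", frozenset({"sales"})),
    Policy("wiki", frozenset({"developer", "sales", "contractor"})),
)

if __name__ == "__main__":
    dev = Session("alice", frozenset({"developer"}), True, Device(True, True))
    print(sorted(visible_resources(dev, POLICIES)))  # ['prod-env', 'wiki']
```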
VPN may be a legacy technology, but its role in the organization is fundamentally unchallenged. In the years ahead, we will not see the end of life of VPNs, but rather their rebirth in the guise of SDP solutions that will deliver the same core capabilities in a way that is better designed for the era of cloud migration and mobile working.

About the Author:

Etay Bogner is the CEO and co-founder of Meta Networks, a technology leader focused on helping organizations rapidly provide secure remote access for employees, contractors and partners to corporate applications and the internet.