SDP vs. VPN: what are they & which one to choose?

By NordLayer
17 Feb 2022
Compulsory office working is rapidly becoming a thing of the past. As we transition to hybrid working, network security becomes ever more complex.

As of December 2021, 42.4% of workdays in the USA took place entirely at home, and experts predict between 30-40% of workers will be home-based over the next few years. At the same time, the resources these workers rely on have migrated to the Cloud in huge quantities. In 2021, around 50% of corporate data was Cloud stored, up from 30% in 2015.

This combination of remote working and Cloud storage poses severe problems for security managers. Data leaks are the primary threat, with malware attacks close behind. So how can you achieve secure remote working and minimize those dangers?

We’ll look at how Software Defined Perimeters (SDPs) are an effective alternative to popular VPN systems and how they could be exactly what your security setup requires.

What are SDPs?

Software-Defined Perimeter tools provide a flexible way to secure network perimeters that avoids the pitfalls of popular network security solutions like VPNs.

The technology behind SDP was initially developed in 2007 by the US Defense Information Systems Agency (DISA) and is a secure option for managing user access to complex cloud-based systems.

SDP tools hide connected assets from external observers and are almost impossible for unauthorized actors to spot — making SDPs close relatives of VPNs. However, there are some significant differences that network security managers need to know.

How does SDP work?

SDP-based systems use software to secure networks. This software works with existing assets such as client databases, accounting tools, communication apps, and more. Configurations vary, but SDP systems generally include the following elements:

Controllers – Controllers govern the access setup of the system and act as intermediaries between those seeking access, authentication providers, and the resources to be secured. They feature tools to scan external devices, ensuring they are suitable for connection to central resources.

Gateways – These generally comprise the central data centers, servers, or Cloud resources requiring protection from unauthorized users. These resources can be micro-segmented in SDP implementations to ensure that clients only access data on a “need to know” basis.

Clients – Clients are actors who seek remote access to network gateways. They make access requests and provide authentication information to controllers, setting up a secure network connection via VPN-style tunnels to access gateways.

Authentication providers – These provide user authentication information when Multi-Factor Authentication is in use. They will tend to be third-party actors who liaise with the SDP controller and govern whether users have permission to access gateways.

All communications within this system are encrypted, ensuring that they are invisible to outsiders and virtually impossible to infiltrate. The network agnostic software can apply to various devices and settings. It can scale up rapidly and smoothly and offers numerous advantages compared with alternatives — like traditional VPNs. 

How does SDP secure devices?

Software-Defined Perimeter tools have a range of capabilities that help to secure devices:

  • Authentication — SDP tools allow network security managers to set access requirements for every user to ensure that network assets are locked down, and only authorized users can log on. Multi-Factor Authentication (MFA) services generally add an extra element of protection.

  • Connectivity — When authentication has been achieved, SDP tools create secure connections between users and central or Cloud-based assets. Each user has a separate encrypted network connection, and their ability to roam around other network assets is strictly limited. This network connection essentially acts like a “private VPN,” hiding users and assets from external view.

  • Device analysis — Software Defined Perimeter software also analyzes devices that connect to network assets, ensuring that applications are appropriately updated, scanning for malware infections, and applying blocklists if these are deemed necessary. Managers can immediately analyze every user identity and benefit from increased visibility of network activity.

When a Software-Defined Perimeter is applied, it hides potential entry points from attackers — making them far more challenging targets. If attackers gain access to an SDP-secured connection, the system restricts lateral movement within networks. Authentication of user devices also makes it harder to mount attacks via stolen credentials.

Because of this, SDP-secured networks will be better protected against Man-in-the-Middle attacks, brute-forcing, port scanning, SQL injection, and Denial of Service (DoS) attacks. The result is more secure databases, less forced downtime, and more efficient, safer remote access.

How do SDPs relate to Zero Trust security?

Zero Trust Security is an approach to network design that applies the principle “never trust, always verify.” It’s not interchangeable with SDP, but the two concepts are intrinsically similar.

Zero Trust Security takes nothing for granted. Nothing is trusted, whether it lies inside or outside network perimeters. There are no free passes or privileged remote users in a ZTS setup, which recognizes that threats can emerge anywhere, at any time. 

In practice, this means securing all network connections, scanning every device, and monitoring the links between central and Cloud-based assets closely. Watertight forms of authentication are also essential, regardless of location.

SDP systems offer the technology required to achieve these demanding goals.

With a Software-Defined Perimeter, security managers can distribute authentication and encryption tools across networks without worrying about physical locations. Managers benefit from a high degree of granularity governing user access and can easily monitor and control user freedom within the network perimeter.

SDP: real world applications

The capabilities listed above make SDP a viable tool when implementing Zero Trust models in situations as diverse as healthcare insurance databases or eCommerce portals. There are various use cases for the deployment of Software Defined Perimeter tools that stretch across many corporate contexts:

  • Supporting multiple devices — A Software Defined Perimeter is the ideal security solution for complex networks with many connected devices. SDP tools can authenticate remote workers, contractors, and central office computers while excluding outsiders.

  • Flexible connectivity — SDPs are also capable of connecting to virtually any device. If your hardware configuration changes, there is no need to update or add extra devices. The network perimeter can be redefined and protected instantly.

  • Comprehensive risk management — SDPs are well-suited to broad-based risk management strategies. Their authorization processes can consider malware infections, user identities, software versions, physical locations, and many other factors.

  • Clear access strategies — Unlike VPNs, SDPs allow technicians to calibrate precisely who can access network resources and which resources each user can access. Authorization is only granted to specific resources, making it harder to mount network-wide attacks like port scanning.

  • Application management — Similarly, SDP tools can control how applications behave, making it more difficult for malware to spread across networks by keeping the threat surface as small as possible.

  • Flexible Cloud systems — SDPs like those operated by NordLayer cater for all popular corporate Cloud solutions, including PaaS, SaaS, and IaaS. They secure public and private Cloud resources of all varieties.

  • Isolate critical applications — SDP can also isolate resources from wider networks, making them extremely hard for intruders to detect. If you need to conceal sensitive client databases, you can do so without compromising access for authorized users.

What is a virtual private network (VPN)?

Virtual private networks are software tools that create encrypted barriers around the data passing across networks.

The “virtual” refers to the fact that no physical networking infrastructure is involved. The “private” refers to the application of encryption and anonymity, while the “network” element describes the use of VPNs in connecting devices to internal and external networks.

VPNs are popular among private users when bypassing geo-blockers and enhancing protections against surveillance, but they are also a vital part of network security for many companies. 

How do VPNs work?

Users typically connect to VPN servers via their domestic or professional router. The VPN server then provides them with an anonymized IP address and creates an encrypted “tunnel.” Data from the user is packaged into this tunnel and sent to its final destination.

This architecture has several consequences. Firstly, it obscures the user identity, providing a new online persona. It conceals their location and device type and makes the content of their data unreadable to outsiders, providing the VPN uses watertight encrypted connections.

In some cases, this type of encryption can result in access issues to online services when IP addresses appear on blocklists. Slow-down can occur in some cases, while VPNs can also be associated with privacy issues — potential drawbacks to bear in mind.

SDP vs. VPN: what are the differences?

Network access

VPN-based security systems tend to adopt a “moat and castle” approach to network security. They create a strong barrier around the network perimeter, applying encryption and anonymizing traffic across the network.

SDP systems use a different model. Instead of moats, software-defined perimeters place an armed “guard” around everyone who enters the castle. That guard stops them from going where they shouldn’t and excludes them if necessary.

Users are generally free to roam with a VPN once they gain access. The perimeter is secured, but what happens inside the network is not.
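To make the controller's role described under “How does SDP work?” and the contrast just drawn concrete, here is an added example (not NordLayer's code or any real SDP product's) that models the per-request decision an SDP controller makes from identity, MFA result, device posture and a need-to-know policy, beside the castle-and-moat VPN decision that only checks credentials. The user names, gateway addresses and policy table are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample inventory: gateway name -> protected resource address.
GATEWAYS = {"crm-db": "10.10.1.5", "hr-portal": "10.10.2.7"}
# Constructed need-to-know policy: identity -> the only gateways it may reach.
POLICY = {"alice@example.com": {"crm-db"}, "bob@example.com": {"hr-portal"}}


@dataclass
class AccessRequest:
    user: str
    mfa_passed: bool       # verdict returned by the authentication provider
    patched: bool          # device posture reported by the client agent
    malware_found: bool    # result of the controller's device scan
    resource: str          # gateway the client is asking for


def vpn_perimeter_decision(req: AccessRequest) -> set:
    """Castle-and-moat model: once credentials are accepted the whole
    network is reachable; posture and target resource are not considered."""
    return set(GATEWAYS) if req.user in POLICY else set()


def sdp_controller_decision(req: AccessRequest) -> tuple:
    """SDP controller model: every request must pass identity, MFA,
    device posture and per-resource policy. Returns (gateway_address, reason);
    gateway_address is None when the request is denied, so the gateway stays
    invisible to that client and lateral movement is not possible."""
    if req.user not in POLICY:
        return None, "unknown identity"
    if not req.mfa_passed:
        return None, "MFA failed"
    if not req.patched:
        return None, "device posture: missing updates"
    if req.malware_found:
        return None, "device posture: malware detected"
    if req.resource not in POLICY[req.user]:
        return None, "resource not on need-to-know list"
    # Only now is a tunnel brokered, and only to this single gateway.
    return GATEWAYS[req.resource], "granted"


if __name__ == "__main__":
    alice = AccessRequest("alice@example.com", True, True, False, "hr-portal")
    print("VPN reachable:", vpn_perimeter_decision(alice))
    print("SDP decision:", sdp_controller_decision(alice))
```

Running it shows the difference from the text: the VPN model leaves both gateways reachable to Alice, while the SDP model denies her the HR portal and logs why, which is also the audit trail a security team would want to keep.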

Simplicity and security

VPNs struggle to balance security against simplicity. For instance, a company may need VPNs for accounting, customer management, and human resources departments to ensure total protection. That’s a recipe for unnecessary complexity.

Alternatively, the IT team could put multiple departments under the same umbrella VPN. That may be simpler and faster to use, but it compromises security as successful attackers can access much more information.

IT teams can achieve more control with an SDP while not compromising security. The system will authenticate each user via their VPN-style connection, and the system can scan connecting devices to double-check that credential theft isn’t happening. 

Remote working

SDP solutions are better suited to safeguarding remote workers than traditional VPNs.

In modern work environments, perimeters change by the hour. Remote and on-site workers, partners, and contractors interact in unpredictable ways, vastly expanding the threat surface available for attackers.

VPNs create encrypted tunnels between remote devices and Cloud or data center resources. But if these tunnels are compromised, this can allow intrusions. Users need to be trusted to use the latest Virtual Private Network tools every time they connect and to guard against phishers stealing their VPN credentials.

The combination of Zero Trust Approaches and Software Defined Perimeters offers no security guarantees but can deliver the right blend of network security and convenience for remote workers.

Integrating your current VPN with SDP and ZTNA

SDP solutions and VPNs don’t need to compete. You can create a more comprehensive and secure network connection between users and devices by incorporating SDP and ZTNA with your current VPN. 

VPNs have become the dominant security solution for corporate networks in recent years. As NetMotion reports, 54% of companies surveyed in 2021 relied on VPNs alone for secure remote working.

With that kind of dominance, it makes sense to integrate VPN and ZTNA/SDP approaches.

Not all VPNs can work within an SDP and ZTNA solution, but advanced products do. Choose a provider with the skills and experience in creating Zero Trust security solutions, and benefit from adapting your existing systems while profiting from the many advantages of SDP. 

Work with NordLayer to create effective Zero Trust configurations

At NordLayer, we create Zero Trust systems based on the most secure VPN and SDP technology. Clients can assemble customized setups to facilitate safe remote working, lock down centralized data servers, and secure access to Cloud infrastructure.

Our security packages can provide security and stability in a world where network perimeters are constantly in flux. Give your staff the freedom to work anywhere they wish while protecting data from cyberattacks and data leaks. 

Get in touch with our team and discover more about how Software Defined Perimeters and Zero Trust approaches could revolutionize your security setup.
