SD-WAN (Secure Defined Wide Area Network) vs SDP (Secure Defined Perimeter)

Zero Trust using SD-WAN versus a Real Zero Trust solution with SDP? What do I see?

Except for some of the cloud-based security functionality, the SD-WAN approach does not provide any new security functionality. As a result, if network organizations adopt an SD-WAN solution that relies on these approaches they will not achieve their goal of providing increased security.

Requirement to Support Remote Workers

Another significant limitation of SD-WAN solutions is their limited scope. Because of Covit-10 90% of workers are working remotely putting the VPN under a security microscope. As a result, any major upgrade that an organization makes to its WAN must address this large and growing population. However, most SD-WAN solutions do not provide either connectivity or full zero trust security for remote workers because pushing authentication to the edge just is not architected with SD-WAN solutions..

Evaluating Security Solutions

When evaluating solutions to enhance the security of SD-WANs, there are two critical objectives to consider.  One objective is adding functionality that eliminates the deficiencies of the current WAN. The other objective is minimizing the complexity of the security solution because complexity results in gaps in security and new attack vectors.

The Lack of a Well-Defined Perimeter

One of the major deficiencies of the current approach to security is that it assumes that the enterprise has a well-defined perimeter. The fact that most enterprise’s employees are remote combined with the overwhelming use of cloud computing means that this assumption is no longer valid.  To overcome this deficiency, network organizations must SDP solution that follows the user device, regardless of their location.

The Failure of Trust

Another major deficiency of the current approach to security is that it assumes that everything inside of an organization’s network can be trusted. One implication of this assumption is that once threats get inside the network they are left unseen, uninspected, and free to morph and move wherever they choose to attack the organization. 

To overcome this deficiency, organizations must adopt a zero-trust model that can be deployed outside the perimeter with the same level of authentication that currently exists using tools authentication inside the perimeter. Whereby, all access is denied (Trust nothing) unless it is explicitly granted and the right to have access is continuously verified. An effective zero trust model also must support a range of access functionality including active directory, single sign-on, multifactor authentication and correlation between access and users.

The Advantage of a Software-Defined Perimeter

Some Software-Defined Perimeter solutions leverage the cloud to deliver secure access to applications and network resources. This approach leverages the huge operational and technological advantages that are associated with the movement to provide all forms of IT functionality as a service. Since it is provided by a third party, part of the value is that it frees network organizations from the complexity of configuring and managing the enabling infrastructure.

Software Defined Access introduces an evolution in the way organizations grant secure external access to their services. Built on Software Defined Perimeter technology and Integrated Data Security Platform, it offers true secure and transparent access for all entities to internal applications and data. By deploying Software Defined Perimeter architecture organizations can now design and deploy the On-Demand Perimeter. The On-Demand perimeter creates access rules for authenticated users into applications and data, in a fully automated and dynamic fashion.  

Why? A couple of the reasons were previously mentioned: It provides critical security functionality that SD-WANs do not provide, and it reduces complexity. Another reason is that in addition to providing enhanced security functionality to an organization’s branch office employees, a cloud-delivered SDP solution can provide both security and connectivity to an organization’s remote workers. In addition, over time such a solution can mitigate the need for a separate SD-WAN solution.

Finally

One of the most important goals that IT organizations are looking to achieve when they upgrade their WAN is increased security. Unfortunately, SD-WAN solutions on their own do not enable IT organizations to achieve this goal in part because they do not increase security and in part because their scope is typically focused just on providing connectivity to branch offices. As a result, organizations that are evaluating SD-WAN offerings need to also evaluate additional solutions that provide enhanced security functionality to all users, whether they reside in a branch office or work remotely.

When they evaluate security solutions, IT organizations should look for two key characteristics.  First, to respond effectively to their lack of a well-defined perimeter, the security solution that IT organizations adopt must feature an SDP. Second, to eliminate the vulnerabilities that are created by a security model that is based on trust, the security solution must be based on a zero-trust security model.