One Article Review

Home - The article:
Source AlienVault Blog
Identifier 2145100
Publication date 2021-01-05 06:01:00 (viewed: 2021-01-05 06:38:06)
Title What is a software-defined perimeter and how does SDP work?
Text This blog was written by a third party author.

What is a software-defined perimeter?

A software-defined perimeter (SDP) establishes virtual boundaries around Internet-connected assets and user activity through an integrated security architecture approach. SDP works regardless of whether assets reside on-premises or in the cloud, and whether users are on-site or working remotely. Rather than relying on hardware like firewalls or VPNs at the network boundary, SDP uses software to prevent any access to, or even visibility into, resources within the virtual perimeter by default. This deny-all approach grants access only after robust, mutual authentication of the authorized user and the validated device attempting the connection. Internet-connected resources protected by the SDP architecture remain hidden from everyone (and everything) else.

Organizations have historically used firewalls not only at the boundary of the network but also to segment off a limited number of sensitive areas for higher levels of protection. But those segments are typically very broad. SDP makes it possible to take the principle of least privilege to its logical conclusion through much more tightly defined micro-segmentation of resources. SDP gates access on a 1-to-1 connection basis rather than on an IP basis, to account for the broad distribution of assets in cloud environments. This means that SDP access is granted to specific resources rather than to a network at large. While it might still be wise to use firewalls for internal segmentation to limit the reach of malware, SDP technology supplants many of the firewall's traditional protection benefits.

What security technologies are considered SDP?

While there are standalone SDP platforms on the market, SDP is more of an architectural model than a single security product, as it wraps in technology like multi-factor authentication, encryption, network gateways and more.
As the Cloud Security Alliance recently explained in its Software-Defined Perimeter Architecture Guide, SDP architectures are designed to build in five layers of security at a minimum:

1. Authentication and validation of devices
2. Authentication and authorization of users
3. Two-way encrypted communications
4. Dynamic provisioning of connections
5. Control over connections to services while keeping them hidden

The hallmark of the SDP architecture is that it separates the access control plane from the data plane, typically through user-aware applications, client-aware devices, and network-aware firewalls and gateways. The nerve center of the SDP technical stack is the software-based SDP controller, which supports authorization and authentication services, encryption technology, and context-aware technology like geolocation, centralizes policies, and handles communication with SDP clients and gateways. Connection attempts are not made directly from an initiating host (typically the client) to the controller; they are instead routed through an accepting host (typically the gateway), which interfaces with the controller to determine whether the accepting host may establish a two-way encrypted connection with the initiating host. Both the controller and the accepting host are protected by single-packet authorization (SPA), which is what keeps them hidden from unauthorized users and devices.

Comparing SDP to traditional VPN

One of the big advantages of SDP is that it offers the same user experience for those accessing resources remotely as it does for users within the confines of the office. And usually it does so more securely than a VPN. VPNs are designed to provide an encrypted communication tunnel through traditionally firewalled network boundaries to access on-premises resources. But they are a notorious performance chokepoint for remote users, especially when tapping into
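The controller/accepting-host flow and the SPA gate described above, as an added simulation that is not part of the original article or of any SDP product: the gateway answers nothing unless the controller validates a single HMAC-signed packet (device key plus user identity, with a freshness window and replay check), and even then grants only the one resource the policy names, never a network. The device keys, policy entries, packet format and identifiers are all constructed for this example; real SPA implementations use their own wire formats.

```python
import hmac, hashlib, json, time, secrets

# Constructed pre-shared keys, one per enrolled device (hypothetical IDs).
DEVICE_KEYS = {"laptop-42": b"constructed-device-key-42"}
# Controller policy: (user, device) -> specific resources (1-to-1 grants, not a subnet).
POLICY = {("alice", "laptop-42"): {"payroll-app"}}
SPA_WINDOW = 30  # seconds a signed packet remains valid


class Controller:
    """Access control plane: validates SPA packets and applies policy."""
    def __init__(self):
        self.seen_nonces = set()  # replay protection

    def authorize(self, packet, now=None):
        """Return the set of granted resources for one SPA packet (empty = deny)."""
        now = time.time() if now is None else now
        try:
            raw = packet["body"]
            body = json.loads(raw)
            key = DEVICE_KEYS[body["device"]]
            user, resource, ts, nonce = body["user"], body["resource"], body["ts"], body["nonce"]
        except (KeyError, ValueError, TypeError):
            return set()  # unknown device or malformed packet: drop silently
        expected = hmac.new(key, raw.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(packet.get("mac", ""))):
            return set()  # device authentication failed
        if abs(now - ts) > SPA_WINDOW or nonce in self.seen_nonces:
            return set()  # stale or replayed packet
        self.seen_nonces.add(nonce)
        return POLICY.get((user, body["device"]), set()) & {resource}


class Gateway:
    """Accepting host: silent by default; opens one connection only on controller approval."""
    def __init__(self, controller):
        self.controller = controller

    def handle(self, packet, now=None):
        granted = self.controller.authorize(packet, now)
        if granted:
            return "connect:" + granted.pop()
        return None  # no reply at all, so the resource stays hidden


def make_spa_packet(user, device, resource, ts, nonce=None):
    """Initiating host side: sign the request body with the device's key."""
    body = json.dumps({"user": user, "device": device, "resource": resource,
                       "ts": ts, "nonce": nonce or secrets.token_hex(8)}, sort_keys=True)
    mac = hmac.new(DEVICE_KEYS[device], body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}
```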
Sent Yes
The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.