How Software Defined Perimeter Solutions Can Improve Data Security Over Traditional VPNs


By Don Boxley, CEO and Co-Founder, DH2i (www.dh2i.com) 

Regardless of where it originates – commercial, nonprofit, or government agency – data is moving into the cloud at breakneck speed. One important reason for this is to support today’s increasingly decentralized workforce and its accessibility requirements. Not only are workforces increasingly spread out geographically, accessing data from their laptops or favorite smart devices; customers, too, are located in all corners of the globe. This, combined with the wide array of additional cloud benefits — inexpensive storage, pay-per-use pricing, disaster recovery (DR), and on-demand resources — will certainly continue to drive cloud adoption rates into the foreseeable future (and likely beyond).

Equally undeniable is the fact that security breaches are increasing in regularity and severity with each new assault. Unfortunately, an increasing number of these data breaches are occurring in the cloud, endangering the benefit of possibly the most innovative technology advancement of our times.

As with many of today’s challenges, the best solution will be found in innovative technology. In this case, what is needed to fortify the cloud’s value proposition is a security paradigm as flexible and as low-latency as the very opportunities cloud computing affords. It should minimize the attack surface area while escaping the notice of intruders; it should be deeply embedded within an organization to safeguard its applications and information as the enterprise “family jewels” that they are.

Software defined perimeter (SDP) is an advanced security model delivering these benefits and many others. When well implemented, it ensures secure gateways at the application layer both to and between clouds for impenetrable security, with cloaked micro-tunnels that hackers and other cyber-criminals cannot see or detect.

The best of these implementations depend on seldom-used proprietary protocols, offer micro-tunnel failovers for continuous application connectivity between clouds and on-premises settings, and are dynamically positioned wherever resources are located.

With encryption capabilities to guarantee even third-party software providers aren’t privy to transmissions, they’re the most fortified deep segmentation perimeter methodology specifically designed for hybrid and multi-cloud deployments.

Traditional Limitations

Hybrid and multi-cloud deployments are becoming more and more necessary to decrease organizational costs and increase productivity. In fact, according to 451 Research’s Voice of the Enterprise: Cloud Hosting and Managed Services, Budgets and Outlook survey of 644 enterprise IT decision-makers, 58% of organizations are pursuing a hybrid strategy, involving integrated on-premises systems and off-premises cloud/hosted resources. Migrating datacenters or individual applications to the cloud to enable uniform access for distributed locations is a common use case. Establishing different nodes in the major public cloud providers for various pricing options, failovers, or burst performance needs is another. Historical perimeter security measures in these examples and others have involved creating Virtual Private Networks (VPNs), which in actuality multiply risk in numerous ways. VPNs were designed for traditional on-premises security; they’re less effective in the cloud because they expand the network surface area, creating more room for lateral movement attacks. This credential-based security method is also challenging to manage, with messy access control lists and the frequent reconfiguration of firewalls.

Software defined perimeter solutions overcome these limitations in several ways. They effectively implement segmented micro-tunnels between applications or services — in multiple/various clouds and on-premises systems — creating micro-perimeters to virtually eliminate network attack surface, as opposed to expanding it as VPNs do. The lack of network expansion means users are simply connected at the application layer via a micro-tunnel gateway that effectively cloaks this conduit so intruders have nothing to scan. In contrast, VPNs leave ports open and vulnerable for hackers to detect. All the access control lists, firewall concerns, costs and vulnerabilities of standard VPN measures are obsolete with software defined perimeter security.

Fine-Grained Security

Because software defined perimeter options facilitate the described invisible security ports directly between applications or servers, they’re highly transferable between settings. They result in a dynamic deployment of perimeter security wherever needed, isolating specific services for ingrained user accessibility. Certain implementations of these solutions, however, offer more protection than others. Most platforms create micro-tunnels with Transmission Control Protocol (TCP), which is widely used and well known to malicious actors. More competitive approaches involve User Datagram Protocol (UDP), which is much less often used and therefore less familiar to potential hackers. One reason TCP is more commonly used than UDP is that it has innate error correction capabilities that keep data orderly. By supplementing UDP with data correction capabilities similar to those found in TCP, competitive software defined perimeter solutions keep data packets in order while relying on a lesser-known protocol for improved security and lower data transmission latencies.
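The idea of layering TCP-style ordering and error detection on top of UDP datagrams, as an added example (not from the original article and not DH2i's protocol). The 8-byte header, the cumulative ACK and the retransmit loop are assumed framing chosen for illustration, and the lossy channel is constructed.

```python
import struct
import zlib

HEADER = struct.Struct("!II")  # assumed framing: sequence number, CRC32 of payload

def encode(seq: int, payload: bytes) -> bytes:
    """Frame one datagram: sequence number + checksum + payload."""
    return HEADER.pack(seq, zlib.crc32(payload)) + payload

class OrderedReceiver:
    """Delivers payloads in sequence order despite loss, reordering, duplication."""
    def __init__(self):
        self.next_seq = 0      # next sequence number owed to the application
        self.pending = {}      # out-of-order datagrams held until the gap fills
        self.delivered = []    # in-order payloads handed to the application

    def receive(self, datagram: bytes) -> int:
        """Process one datagram; return the cumulative ACK (next seq wanted)."""
        if len(datagram) < HEADER.size:
            return self.next_seq                      # truncated: drop
        seq, crc = HEADER.unpack_from(datagram)
        payload = datagram[HEADER.size:]
        if zlib.crc32(payload) != crc:
            return self.next_seq                      # corrupted: drop, await resend
        if seq >= self.next_seq:
            self.pending.setdefault(seq, payload)     # duplicates are ignored
        while self.next_seq in self.pending:          # flush any contiguous run
            self.delivered.append(self.pending.pop(self.next_seq))
            self.next_seq += 1
        return self.next_seq

def transfer(chunks, channel):
    """Send chunks via `channel`, resending from the ACK point until all arrive."""
    rx = OrderedReceiver()
    rounds = 0
    while rx.next_seq < len(chunks):
        window = [encode(i, chunks[i]) for i in range(rx.next_seq, len(chunks))]
        for dgram in channel(window, rounds):
            rx.receive(dgram)
        rounds += 1
    return rx.delivered, rounds

def constructed_bad_channel(datagrams, round_no):
    # Constructed channel: round 0 drops the first datagram, reverses the rest
    # and flips a bit in the highest-numbered one; later rounds are clean.
    if round_no > 0:
        return datagrams
    out = list(reversed(datagrams[1:]))
    out[0] = out[0][:-1] + bytes([out[0][-1] ^ 0x01])
    return out
```
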

Therefore, when distributed, on-premises Oracle client applications are employing such a solution to concurrently talk to an application server in the Azure cloud for a financial services use case, for example, one of the first things to transpire is the opening of randomly generated UDP ports between the on-premises micro-tunnel gateway and the Azure micro-tunnel gateway. Security is augmented by the random generation of the port — whereas many applications depend on standard ports known to all users — and the fact that most algorithms are trained to home in on TCP, not UDP ports. Once the micro-tunnels are in place, the client application and cloud server application hosts only communicate via their respective micro-tunnel gateways. Their ports are never exposed to the internet, successfully cloaking them from everyone.
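A host-side check for the claim above that application ports are never exposed, as an added example (not from the original article or any vendor tooling). It assumes a Linux host where the application binds to loopback and only the gateway's tunnel port faces the network; the `ss -H -tuln` output and every port number are constructed.

```python
import ipaddress

# Constructed `ss -H -tuln` output from a hypothetical application host.
SAMPLE_SS = """\
udp   UNCONN 0      0            0.0.0.0:41872      0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53         0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:1521       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096            [::]:8443          [::]:*
tcp   LISTEN 0      511            [::1]:6379          [::]:*
"""

def parse_listener(line):
    """Return (proto, address, port) for one `ss -H -tuln` row."""
    fields = line.split()
    proto, local = fields[0], fields[4]
    host, _, port = local.rpartition(":")
    host = host.split("%")[0].strip("[]")   # drop %iface scope and IPv6 brackets
    if host == "*":                         # ss shorthand for all addresses
        host = "::"
    return proto, ipaddress.ip_address(host), int(port)

def exposed_listeners(ss_output, allowed):
    """List sockets reachable from off-host that are not in `allowed`,
    a set of (proto, port) pairs such as the gateway's tunnel port."""
    findings = []
    for line in ss_output.splitlines():
        if not line.strip():
            continue
        proto, addr, port = parse_listener(line)
        if addr.is_loopback or (proto, port) in allowed:
            continue
        findings.append((proto, str(addr), port))
    return findings

if __name__ == "__main__":
    # Assumption: UDP 41872 is the gateway's randomly chosen tunnel port.
    for proto, addr, port in exposed_listeners(SAMPLE_SS, {("udp", 41872)}):
        print(f"exposed outside the micro-tunnel: {proto} {addr}:{port}")
```
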

Software Defined Perimeter Advantages

The most robust software defined perimeter implementations offer a pair of advantages competitors don’t. The first is application level encryption and Public Key Authentication. Even if attackers did manage to locate and access these invisible ports, they’d only get encrypted data. Usually, providers of this form of security don’t encrypt data, making them privy to this information. Impenetrable implementations of this paradigm involve software connecting the micro-tunnels between applications without further involvement with the data — because they’re encrypted.

The second boon is unique to this implementation, as the actual gateways are highly available (HA). All users have to do is implement multiple gateways between settings. If the micro-tunnel between an on-premises application and AWS, for example, failed for any reason, the data could automatically fail over to an Azure cloud, for instance, for HA. Another use case for multi-cloud deployments involves burst performance. For example, if users had a three-node cluster on premises, in Azure and in AWS for OLTP, they could rely on this implementation of software defined perimeter to burst to large nodes in the cloud for end-of-week or end-of-month tallying, which would otherwise tax their on-premises resources. If one provider failed for any reason, users could securely go to the other to continue operating.

And, That’s Not All

Not only do such software defined perimeter implementations exceed traditional security measures for hybrid and multi-cloud access, but their protocols, encryption, and high availability surpass those of other implementations. And, that’s not all.  They’re also cloud agnostic for complete flexibility between clouds, enabling users to eschew vendor lock-in with the most effective security for multi-cloud and hybrid usage.

About Don Boxley, CEO and Co-Founder, DH2i (www.dh2i.com)

Don Boxley Jr. is a DH2i co-founder and CEO. Prior to DH2i, Don held senior marketing roles at Hewlett-Packard where he was instrumental in sales and marketing strategies that resulted in significant revenue growth in the scale-out NAS business. Don spent more than 20 years in management positions for leading technology companies, including Hewlett-Packard, CoCreate Software, Iomega, TapeWorks Data Storage Systems and Colorado Memory Systems.  Don earned his MBA from the Johnson School of Management, Cornell University.