Software-defined perimeter solutions: Why this is the future of security

Recently our own Twain Taylor here at TechGenix described some recent acquisitions happening in the IT security space and why they’re important for customers to know about. One of the acquisitions he talked about was how Symantec had recently snapped up Luminate, a leader in the software-defined perimeter technology space. For the benefit of those of our readers who are unfamiliar with software-defined perimeter technologies and why many companies are now transitioning away from virtual private networking (VPN) to SDP as a better solution for secure remote connectivity for their workforce, I recently had a chat with Don Boxley, CEO and co-founder of DH2i, a company that makes multiplatform software-defined perimeter software for Windows and Linux that enables enterprise applications to connect securely and move freely among bare-metal, virtual, and cloud environments. With more and more businesses leveraging the power of cloud computing, and with their employees working more frequently from home or at coffee shops, the traditional approach of using perimeter-based VPNs to grant authenticated users access to remote corpnet resources is beginning to give way to the newer SDP approach that utilizes policies to grant user access to specific resources such as applications instead of the entire internal network.

Risks of VPNs
I began my conversation with Don by pointing out that while VPNs are often seen as a way to safeguard anonymity for users on the Internet, they’re also commonly used in corporate environments for secure remote access. When I asked Don about the risks involved when using the VPN approach, he agreed that the most common way to “securely” access networks for many years now has been via a VPN. “While the main business advantage of using a VPN is generally thought to be improved security via the technology’s end-to-end encryption capabilities,” Don said, “the fact is that VPNs not only expose sensitive data to increased security risks but in today’s cloud-based environment, they actually multiply those risks exponentially.”

I asked him to elaborate a bit about the nature of these risks associated with using VPNs in corporate environments. “One of the primary ways VPNs endanger data security,” Don said, “is that enterprises usually end up needing to manage multiple types of VPN connections to accommodate the networking technology of each third party (vs. requiring vendors to use just one VPN, which can be ridiculously expensive). Not only does this become a painful administrative headache, it also generates much more room for lateral movement attacks since it vastly expands the network surface area that is exposed and vulnerable since users gain access to a ‘slice of the network’ so to speak. Not only do inbound connections create attack surfaces, but without application-level segmentation, it’s impossible to reduce attack surfaces, leaving networks vulnerable.”

Don continued: “You may be asking yourself, ‘Why is this happening now?’ as VPNs have been the venerable ‘go-to solution’ for secure endpoint connections that safeguard data from hackers?” That’s exactly what I was going to ask Don next. He replied that “The answer is that VPN technology was not engineered or intended for a world of mobile devices, virtual teams, and third-party vendors tapping into the network; it was created with traditional on-premises security in mind. The VPN model originated in a different era — when an on-premises, non-cloud environment was king, with physical servers and virtual machines. In such a world, VPNs were appropriate. But today, IT is much more likely to incorporate hybrid cloud settings, blending on-premises with public/private cloud environments. Each time you layer on another IT scenario, your chances for data exposure and security breaches increase.”

And it gets even worse. “This opens another can of worms when someone is continuing to buy into the myth of VPN security,” Don said. “It is now much more difficult for organizations across various industries/markets to enable business partners and other third-party organizations with secure access to internal data and infrastructure in today’s digital economy. Enterprises can’t underestimate this challenge and just go with what’s worked in the past, since granting access to any third party represents a huge security risk that can lead to a number of technical and business threats that weren’t in play back in the days when the only concern was on-premises security.”

Software-defined perimeter vs. VPNs

I next asked Don how the software-defined perimeter model differs from the VPN approach and how a software-defined perimeter circumvents VPN’s security issues. “Basically, in three ways,” he said. “One, it creates greater security by granting connectivity across multiple clouds, sites, and domains to distributed apps and clients; two, it gives users access at the application level, moving beyond network-level access; and three, it decreases lateral attacks, creating an environment I like to describe as ‘secure by default,’ which is achieved by giving remote users access only to specific services. The software allows you to shift workloads as needed from cloud to cloud, leading to the ability to avoid the threat of cloud vendor lock-in. A software-defined perimeter solution also eliminates chaos by allowing for installation on any host, without network reconfiguration or appliance hassles. In short, innovative networking software such as software-defined perimeter can help organizations navigate today’s security challenges, including hybrid and multicloud deployments, reducing attack surface as well as the vulnerability of their key data.”

I pointed out next to Don that users living in countries with oppressive governments often use VPNs to hide their Internet activities from authorities and communicate with people beyond their country’s borders. I then asked him whether software-defined perimeter software could be used similarly in such situations, or whether SDPs were only workable when deployed inside the trusted borders of a country or group of countries. Don simply answered, “Yes. Policy-based, secure access and network segmentation create one-to-one network connections between the user and the resources they access. Everything else is completely invisible and untraceable, even the system itself. This not only applies the principle of least privilege to the network but also reduces the attack surface area by hiding network resources from unauthorized lookers and potential users. To enable total privacy, data security, and classification,” Don said, “software-defined perimeters provide client and endpoint protection, identity and access management, OS and application-level security — all while encrypting traffic with mutual TLS and DTLS encryption.”
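The contrast Don draws in the two passages above (network-level access that hands a user a “slice of the network” versus policy-based, per-application access in which unauthorized resources are simply invisible) can be made concrete with a small model. The following Python is an added example written for this article; it is not code from DH2i, Luminate, or any SDP product, and the service names, addresses, roles, and policies are constructed for illustration. It models a VPN as a route to a subnet and an SDP as a policy over named applications, then counts how many services each model exposes beyond what the user actually needs, which is the lateral-movement surface Don refers to.

```python
"""Toy comparison of VPN (network-level) vs. SDP (application-level) access.

Added example, not vendor code. Hosts, ports, roles and policies below are
constructed sample data, not a real inventory.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Service:
    name: str
    host: str
    port: int


# Constructed sample inventory of internal services (hypothetical addresses).
SERVICES: List[Service] = [
    Service("crm-web", "10.0.1.10", 443),
    Service("crm-db", "10.0.1.11", 5432),
    Service("hr-app", "10.0.2.20", 443),
    Service("build-server", "10.0.3.30", 22),
]

# VPN model: after authentication the client gets a route to a network range
# (the "slice of the network"); every host inside it is reachable.
VPN_ROUTES: Dict[str, List] = {
    "contractor": [ip_network("10.0.0.0/16")],
    "employee": [ip_network("10.0.0.0/16")],
}

# SDP model: policy names the applications an identity may reach. Anything
# not listed is not routable for that identity at all.
SDP_POLICY: Dict[str, Set[str]] = {
    "contractor": {"crm-web"},
    "employee": {"crm-web", "hr-app"},
}


def vpn_reachable(role: str) -> Set[str]:
    """Services a VPN user can open a connection to, whether needed or not."""
    routes = VPN_ROUTES.get(role, [])
    return {s.name for s in SERVICES
            if any(ip_address(s.host) in net for net in routes)}


def sdp_reachable(role: str) -> Set[str]:
    """Services the SDP policy exposes to this identity; nothing else exists for it."""
    allowed = SDP_POLICY.get(role, set())
    return {s.name for s in SERVICES if s.name in allowed}


def lateral_movement_surface(role: str) -> Tuple[int, int]:
    """(VPN, SDP) count of reachable services the role has no policy need for.

    This is the set an attacker holding that role's credentials could pivot to.
    """
    needed = SDP_POLICY.get(role, set())
    return (len(vpn_reachable(role) - needed),
            len(sdp_reachable(role) - needed))


def sdp_authorize(role: str, service: str, *, mtls_verified: bool,
                  device_compliant: bool) -> Optional[Tuple[str, int]]:
    """Return the (host, port) for a one-to-one connection, or None.

    None models the "invisible" behaviour: a requester that fails the
    identity or device check, or asks for something outside policy, gets no
    answer at all, so it cannot learn whether the service exists. Identity
    (mutual TLS) is checked before the policy is consulted, so an
    unauthenticated probe never reaches the policy engine.
    """
    if not (mtls_verified and device_compliant):
        return None
    if service not in SDP_POLICY.get(role, set()):
        return None
    svc = next((s for s in SERVICES if s.name == service), None)
    return (svc.host, svc.port) if svc else None


if __name__ == "__main__":
    for role in SDP_POLICY:
        vpn_extra, sdp_extra = lateral_movement_surface(role)
        print(f"{role}: VPN exposes {vpn_extra} unneeded services, SDP exposes {sdp_extra}")
    print(sdp_authorize("contractor", "crm-db", mtls_verified=True, device_compliant=True))
```

Running it shows the contractor role reaching all four services over the VPN but only `crm-web` under the SDP policy, and a well-formed request for `crm-db` from that role returning nothing rather than a refusal. The same structure is what a practitioner would audit in a real deployment: the policy table is the attack surface, so it should be reviewed and logged like any other access-control list.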

To close our discussion, I asked Don if he could pull everything together on this subject in a few succinct words. “The age-old management proverb that says ‘what got you here won’t get you there’ is equally true for IT,” he said. “As a traditional perimeter security solution, VPNs worked in the old world of physical servers and virtual machines, but they don’t have what it takes to protect data in today’s heterogeneous, hybrid, multicloud environment. It’s time to let go of the VPN security myth and embrace today’s new realities with a progressive security solution that’s specifically designed to accommodate the cloud and today’s digital transformation reality.”

Featured image: Shutterstock

Mitch Tulloch

Mitch Tulloch is Senior Editor of both WServerNews and FitITproNews and is a widely recognized expert on Windows Server and cloud technologies. He has written more than a thousand articles and has authored or been series editor for over 50 books for Microsoft Press and other publishers. Mitch has also been a twelve-time recipient of the Microsoft Most Valuable Professional (MVP) award in the technical category of Cloud and Datacenter Management. He currently runs an IT content development business in Winnipeg, Canada.
