Network-as-a-Service (NaaS) is growing in popularity and availability for those organizations that don’t want to host their own LAN or WAN, or that want to complement or replace their traditional network with something far easier to manage.

With NaaS, a service provider creates a multi-tenant wide area network comprised of geographically dispersed points of presence (PoPs) connected via high-speed Tier 1 carrier links that create the network backbone. The PoPs peer with cloud services to facilitate customer access to cloud applications such as SaaS offerings, as well as to infrastructure services from the likes of Amazon, Google and Microsoft. User organizations connect to the network from whatever facilities they have — data centers, branch offices, or even individual client devices — typically via SD-WAN appliances and/or VPNs.

Numerous service providers now offer Network-as-a-Service. As the network backbone and the PoPs become more of a commodity, the providers are distinguishing themselves on other value-added services, such as integrated security or WAN optimization.

Ever since its launch about a year ago, Meta Networks has staked security as its primary value-add. What’s different about the Meta NaaS is the philosophy that the network is built around users, not around specific sites or offices. Meta Networks does this by building a software-defined perimeter (SDP) for each user, giving workers micro-segmented access to only the applications and network resources they need. The vendor was a little ahead of its time with SDP, but the market is starting to catch up. Companies are beginning to show interest in SDP as a VPN replacement or VPN alternative.

Meta NaaS has a zero-trust architecture where each user is bound by an SDP. Each user has a unique, fixed identity no matter from where they connect to this network.
The SDP security framework allows one-to-one network connections that are dynamically created on demand between the user and the specific resources they need to access. Everything else on the NaaS is invisible to the user. No access is possible unless it is explicitly granted, and it’s continuously verified at the packet level. This model effectively provides dynamically provisioned secure network segmentation.

SDP tightly controls access to specific resources

This approach works very well when a company wants to securely connect employees, contractors, and external partners to specific resources on the network. For example, one of Meta Networks’ customers is Via Transportation, a New York-based company that has a ride-sharing platform. The company operates its own ride-sharing services in various cities in North America and Europe, and it licenses its technology to other transit systems around the world.

Via’s operations are completely cloud-native, and so it has no legacy-style site-based WAN to connect its 400-plus employees and contractors to their cloud-based applications. Via’s partners, primarily transportation operators in different cities and countries, also need controlled access to specific portions of Via’s software platform to manage rideshares. Giving each group of users access to the applications they need — and only to the ones they specifically need — was a challenge using a VPN. Using the Meta NaaS instead gives Via more granular control over who has what access.

Via’s employees with managed devices connect to the Meta NaaS using client software on the device, and they are authenticated using Okta and a certificate. Contractors and customers with unmanaged devices use a browser-based access solution from Meta that doesn’t require installation or setup. New users can be on-boarded quickly and assigned granular access policies based on their role.
Integration with Okta provides information that facilitates identity-based access policies. Once users connect to the network, they can see only the applications and network resources that their policy allows; everything else is invisible to them under the SDP architecture.

For Via, there are several benefits to the Meta NaaS approach. First and foremost, the company doesn’t have to own or operate its own WAN infrastructure. Everything is a managed service located in the cloud — the same business model that Via itself espouses. Next, this solution scales easily to support the company’s growth. Meta’s security integrates with Via’s existing identity management system, so identities and access policies can be centrally managed. And finally, the software-defined perimeter hides resources from unauthorized users, creating security by obscurity.

Tightening security even further

Meta Networks further tightens the security around the user by doing device posture checks — “NAC lite,” if you will. A customer can define the criteria that devices have to meet before they are allowed to connect to the NaaS. For example, the check could be whether a security certificate is installed, if a registry key is set to a specific value, or if anti-virus software is installed and running. It’s one more way to enforce company policies on network access.

When end users use the browser-based method to connect to the Meta NaaS, all activity is recorded in a rich log so that everything can be audited and so that it can be used to set alerts and look for anomalies. This data can be exported to a SIEM if desired, but Meta has its own notification and alert system for security incidents.

Meta Networks recently implemented some new features around management, including smart groups and support for the System for Cross-Domain Identity Management (SCIM) protocol.
The smart groups feature provides the means to add an extra notation or tag to elements such as devices, services, network subnets or segments, and basically everything that’s in the system. These tags can then be applied to policy. For example, a customer could label some of their services as a production, staging, or development environment. Then a policy could be implemented to say that only sales people can access the production environment. Smart groups are just one more way to get even more granular about policy.

The SCIM support makes on-boarding new users simple. SCIM is a protocol that is used to synchronize and provision users and identities from a third-party identity provider such as Okta, Azure AD, or OneLogin. A customer can use SCIM to provision all the users from the IdP into the Meta system, synchronize in real time the groups and attributes, and then use that information to build the access policies inside Meta NaaS.

These and other security features fit into Meta Networks’ vision that the security perimeter goes with you no matter where you are, and the perimeter includes everything that was formerly delivered through the data center. It is delivered through the cloud to your client device with always-on security. It’s a broad approach to SDP and a unique approach to NaaS.
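
To make the device posture checks and the tag-based smart-group policy described above concrete, here is an added sketch of a default-deny evaluator; it is not Meta Networks code, and every name in it (resources, groups, the registry key) is constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Device:
    cert_installed: bool = False
    av_running: bool = False
    registry: dict = field(default_factory=dict)

@dataclass
class Rule:
    group: str       # identity group, e.g. one synchronized from the IdP
    tags: frozenset  # smart-group tags a resource must carry to match

# Constructed posture requirement: hypothetical registry key and value.
REQUIRED_REGISTRY = {r"HKLM\SOFTWARE\ExampleCorp\DiskEncryption": "1"}

# Constructed inventory: resource name -> smart-group tags.
RESOURCES = {
    "billing-api": frozenset({"production"}),
    "billing-api-stg": frozenset({"staging"}),
    "ci-runner": frozenset({"development"}),
}

# Constructed policy: only sales reaches production, as in the article's example.
RULES = [
    Rule("sales", frozenset({"production"})),
    Rule("engineering", frozenset({"staging"})),
    Rule("engineering", frozenset({"development"})),
]

def posture_ok(device):
    """Every check must pass; a missing registry key counts as a failure."""
    return (device.cert_installed and device.av_running and
            all(device.registry.get(k) == v
                for k, v in REQUIRED_REGISTRY.items()))

def visible_resources(groups, device):
    """Default deny: return only the resources some rule explicitly grants."""
    if not posture_ok(device):
        return []
    return sorted(name for name, tags in RESOURCES.items()
                  if any(r.group in groups and r.tags <= tags for r in RULES))

# A device that satisfies all three constructed posture checks.
COMPLIANT = Device(True, True, dict(REQUIRED_REGISTRY))

if __name__ == "__main__":
    print(visible_resources({"sales"}, COMPLIANT))
    print(visible_resources({"sales"}, Device(True, False, dict(REQUIRED_REGISTRY))))
```

A user with no matching group, or a device that fails any single posture check, gets an empty list rather than an error, which mirrors the "everything else is invisible" behaviour the article describes.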