A growing number of organizations are drawing an invisible line around their internet-connected resources in an effort to keep attackers at bay. Called software-defined perimeter (SDP), it is based on the relatively simple idea of throwing a virtual barrier around servers, routers, printers, and other enterprise network components.

The goal of SDP is to protect networks behind a flexible, software-based perimeter. "Advantages include stronger security and greater flexibility and consistency," says Ron Howell, principal SD-WAN and SASE architect at IT and business consulting firm Capgemini Americas.

It can address security challenges that have become more complex with the advent of applications built out of microservices that may be housed on more than one server, rather than traditional, monolithic apps that generally resided on a dedicated server. "More recently, applications have been further modularized—they are now composed of multiple workload types and microservices in the organization’s data center or the public cloud," says Chad Skipper, global security technologist for VMware.

What is an SDP?

The SDP framework obfuscates servers or nodes, typically on an internal network, says Chalan Aras, managing director, cyber and strategic risk, at business advisory firm Deloitte. "SDP uses identity and other substantiation methods to permit visibility and connectivity to network nodes or servers on a least-privilege or need-to-access basis."

An SDP is specifically designed to prevent infrastructure elements from being viewed externally. Hardware such as routers, servers, printers, and virtually anything else connected to the enterprise network that is also linked to the internet is hidden from all unauthenticated and unauthorized users, regardless of whether the infrastructure is in the cloud or on-premises. "This keeps illegitimate users from accessing the network itself by authenticating first and allowing access second," says John Henley, principal consultant, cybersecurity, with technology research advisory firm ISG. "SDP not only authenticates the user, but also the device being used."

Benefits of SDPs

When compared with traditional fixed-perimeter approaches such as firewalls, SDP provides greatly enhanced security. Because SDPs automatically limit authenticated users’ access to narrowly defined network segments, the rest of the network is protected should an authorized identity be compromised by an attacker. "This also offers protection against lateral attacks, since even if an attacker gained access, they would not be able to scan to locate other services," Skipper says.

SDP's central benefit is simple: creating a higher level of network protection. "SDP has been instrumental in protecting enterprises against many different attack vectors, including denial-of-service, brute force, credential theft, man-in-the-middle, server exploitation, and session hijacking," Henley says. Other SDP benefits include strengthened and simplified access controls, reduced attack surfaces, simplified policy management, and a generally improved end-user experience.

Since SDP can be dynamically reconfigured, it's well suited to protect rapidly changing environments, such as enterprise users accessing applications, or application environments with many microservices that are spawned, scaled, or terminated in real time, Aras says.

How an SDP works

An SDP validates users and apps by authenticating them before it connects them to granularly limited portions of the network. This microsegmentation, created by remapping DNS and IP address spaces, provides authorized users with the access they need while denying them access to resources they don’t require. This essentially creates individual networks, each with a limited number of nodes, so if bad actors do manage to gain access, the damage they cause can be confined.

Central to SDP architecture is the controller, software that facilitates connecting users and devices that are seeking access (initiating hosts) with the resources they seek, such as apps and servers (accepting hosts). The controller authenticates the initiating host and determines the list of accepting hosts it is permitted to connect with. The controller then instructs all the authorized accepting hosts to accept communications from the initiating host and shares the list with the initiating host. The initiating host can then create direct VPN connections with the accepting hosts.

In some cases, the accepting host is a gateway that acts as a proxy between the initiating host and multiple resources it seeks to connect with. In other cases, an SDP can be set up between two servers that need to communicate, as with modern applications built around microservices.

Connectors and proxies, terms often used interchangeably, may sit in front of servers to gate access to them. They connect two network domains together and perform networking functions such as routing, network-address translation, and load balancing to direct traffic from one user or application to another, Aras says.

In microservice contexts, the proxy may be integrated into the microservice fabric, as in the case of the Envoy proxy, an open-source edge proxy used in microservices. In an Istio service mesh, for example, the Envoy proxy can be used to connect microservices so that mini-apps can securely communicate with each other in an open-source service mesh that layers transparently onto existing distributed applications, Aras says.

Zero Trust Network Access

Because of its strict authentication and tightly restricted network access, SDP is a vital part of Zero Trust Network Access (ZTNA), which is based on the premise that no device is ever really secure. "There's no safe perimeter anymore due to workforce changes, microservices-based applications that can scatter components virtually anywhere, and the increasingly collaborative nature of business processes," Skipper says. "There is no device that's safe: no smartphone, no desktop—period."

Addressing ZTNA requires tightly controlled network access and limited authorization, and SDP is a good place to start. "SDP helps users to properly authenticate before access is provided, and only to applications to which those users have been granted access," Henley says.

Henley estimates that there are over 20 vendors currently offering SDP products, including Akamai (Enterprise Application Access), Cisco (Duo Beyond), Ivanti (Ivanti Neurons for Secure Access), McAfee (MVISION Private Access), NetMotion (NetMotion SDP), Verizon (Verizon Software Defined Perimeter), and Versa (Versa Secure Access Client).

Deploying SDP also doesn't free enterprises from the responsibility of maintaining existing security practices. "No matter which security technologies your organization implements, or what it may be called, knowing what your important data is, and where it's located, is the key for knowing how to protect it," says Steve Jaworski, supervisor with audit, tax, and consulting firm RSM US.

Remember, too, that deploying SDP is not a once-and-done deal. "It's important that organizations actively monitor and upgrade SDP software as required," Jaworski advises. "In addition, tests should be conducted to ensure the software is not leaking and permitting access to the protected resources."
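The controller flow from the "How an SDP works" section, together with the "is it leaking?" test Jaworski recommends, as an added in-memory model. This is illustration code written for this page, not any vendor's SDP product; the users, devices, host names and policy are constructed sample data, and a per-session random token stands in for the mutual TLS or single-packet authorization a real SDP uses to bind an initiating host to its accepting hosts. It shows the four steps in order (authenticate user and device, compute the least-privilege host list, push allow rules to only those accepting hosts, hand the list to the initiator) and then demonstrates the two properties the article claims: an unauthenticated probe discovers nothing, and a compromised identity cannot scan its way to services outside its own segment.

```python
"""Toy software-defined-perimeter controller flow (added illustration, not vendor code).
All identities, devices, hosts and policy below are constructed sample values."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

_SALT = b"constructed-salt"  # constructed; a real deployment uses per-user salts and a KDF
USERS = {  # user -> salted password hash (constructed sample credentials)
    "alice": hashlib.sha256(_SALT + b"alice-pass").digest(),
    "bob": hashlib.sha256(_SALT + b"bob-pass").digest(),
}
ENROLLED_DEVICES = {"alice": {"laptop-a1"}, "bob": {"laptop-b7"}}  # device is checked too
POLICY = {"alice": {"hr-app"}, "bob": {"hr-app", "erp-api"}}  # least-privilege host lists
# "payroll-db" is on the network but no identity is granted access to it.


@dataclass
class AcceptingHost:
    """A protected resource. It answers only initiators the controller pre-authorized."""
    name: str
    allowlist: dict[str, bytes] = field(default_factory=dict)  # ih_id -> session token
    dropped: list[str] = field(default_factory=list)           # audit trail of refusals

    def handle(self, ih_id: str, token: bytes):
        """Default deny. Unknown or wrongly-authenticated initiators get no reply at all,
        so a probe cannot even learn that this host exists (None models a dropped packet)."""
        expected = self.allowlist.get(ih_id)
        if expected is None or not hmac.compare_digest(expected, token):
            self.dropped.append(ih_id)
            return None
        return f"{self.name} accepts {ih_id}"


class Controller:
    def __init__(self, hosts: list[AcceptingHost]):
        self.hosts = {h.name: h for h in hosts}

    def authenticate(self, user: str, password: str, device_id: str):
        """Authenticate first, allow access second. Returns (ih_id, token, allowed host
        names) on success, else None. Both the user and the device must check out."""
        stored = USERS.get(user)
        digest = hashlib.sha256(_SALT + password.encode()).digest()
        if stored is None or not hmac.compare_digest(stored, digest):
            return None
        if device_id not in ENROLLED_DEVICES.get(user, set()):
            return None  # valid user on an unenrolled device still gets nothing
        ih_id = f"{user}@{device_id}"
        token = secrets.token_bytes(16)
        allowed = sorted(POLICY.get(user, set()))
        for name in allowed:                   # push an allow rule to only the authorized AHs
            self.hosts[name].allowlist[ih_id] = token
        return ih_id, token, allowed           # and hand the initiator its list


def scan(hosts: dict[str, AcceptingHost], ih_id: str, token: bytes) -> set[str]:
    """What an initiator (or whoever holds its credentials) can discover by trying every
    host on the network: only the hosts that answer it."""
    return {name for name, h in hosts.items() if h.handle(ih_id, token) is not None}


def leak_check(hosts: dict[str, AcceptingHost]) -> bool:
    """The leak test from the closing paragraph: an unauthenticated probe carrying a fresh
    random token must see no protected resource at all."""
    return scan(hosts, "probe@unenrolled", secrets.token_bytes(16)) == set()


def build_network() -> Controller:
    """Constructed network: three accepting hosts behind one controller."""
    return Controller([AcceptingHost("hr-app"), AcceptingHost("erp-api"),
                       AcceptingHost("payroll-db")])


if __name__ == "__main__":
    ctrl = build_network()
    print("wrong password    ->", ctrl.authenticate("alice", "nope", "laptop-a1"))
    print("unenrolled device ->", ctrl.authenticate("alice", "alice-pass", "phone-x"))
    ih, tok, allowed = ctrl.authenticate("alice", "alice-pass", "laptop-a1")
    print("alice may reach   ->", allowed, "| sees on scan:", scan(ctrl.hosts, ih, tok))
    print("leak check passes ->", leak_check(ctrl.hosts))
```

The `dropped` list on each accepting host is the detection hook: in a real deployment the equivalent is the gateway's drop log, and an unauthenticated initiator showing up there repeatedly is the signal worth alerting on. Running `leak_check` after every policy or software change is the cheapest form of the test Jaworski describes; a host that answers the probe has escaped the perimeter.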