
Software-defined perimeters challenge the corporate VPN on security

By Etay Bogner, CEO of Meta Networks

When it comes to network security, interest is heating up around software-defined perimeter solutions (SDP)—and for good reason.

The traditional approach that organizations have used for connection and protection, the perimeter-based VPN, has well-known shortcomings. These issues are driving organizations toward alternatives to the conventional VPN, especially as they migrate to the cloud amid growing concern about cloud security.

Let’s review several ways in which VPN solutions have become a less effective option for business:

  • Security issues. Enterprises have become more vulnerable in this era of worker mobility and cloud migration, making it harder to effectively secure the perimeter. Traditional VPN access is overly permissive, granting remote workers access to more of the network than is required to complete their tasks. As a result, network resources are unnecessarily visible, overly vulnerable, and open to attack.
  • Unreliable end-user experience. For anyone who has used a VPN, slow and unreliable performance is common. If you use applications in multiple locations, then you’ll face the aggravation of needing to repeatedly connect and disconnect—and of course you have to keep track of where you are connecting to, based on the app you need.
  • Administrative headaches. Whenever cloud migration is involved, VPN management balloons in complexity, leaving IT administrators to configure and sync VPN and firewall policies across multiple locations. This makes it even more difficult to eliminate unwarranted access.
  • Lack of affordable scaling. As organizations require additional user connections and deployments across multiple cloud instances, VPN/firewall costs escalate rapidly due to the need for additional licenses and more powerful appliances.
  • Flexibility, at a cost. VPNs do offer flexibility since they can be used to connect multiple sites, datacenters, and virtual private clouds (VPCs). However, these connection options can be resource-intensive and drive up costs.


Whether or not you have already noticed these limitations in your own organization, the time has come to seek alternative solutions that are better suited to today’s mobile workers and hybrid environments.

With these realities in mind, it is no wonder that a growing number of innovative organizations are embracing software-defined perimeter solutions, which focus on the user and overcome the security and operational problems inherent in perimeter-based remote access.

A Comparison

Gartner notes that a Software-Defined Perimeter “defines a logical set of disparate, network-connected participants within a secure computing enclave. The resources are typically hidden from public discovery, and access is restricted via a trust broker to the specified participants of the enclave, removing the assets from public visibility and reducing the surface area for attack.” A key component of an SDP platform is that it securely enables remote access. Part of the power of SDP solutions—and what allows them to be more effective than traditional solutions—is that they are designed around user identity-based policies, which restrict access only to specified applications.

In other words, an SDP solution can enforce a customized policy for each user device. Any resource on the network that is unauthorized to a specific user is invisible to that individual, significantly reducing the potential surface for attackers. As Gartner has said, “SDP technology enables organizations to provide people-centric, manageable, ubiquitous, secure and agile access to networked systems, services, and applications.”

Let’s compare SDP and VPN head-to-head to better understand the advantages:

  • Better experience for end users. VPNs have a reputation for being slow and unreliable. In contrast, the new generation of SDP solutions offers a more transparent user experience. To ensure high performance, the solution should be based on a dense network of PoPs around the world, for global user connectivity. Keep in mind that different types of users have different needs. For managed employee devices, an agent-based connection enables the user to work normally, while delivering always-on security, for the Internet as well as corporate applications. Alternatively, for unmanaged personal devices, and for contractors, partners and customers, a browser-based solution that requires no client or agent installation is ideal. With an SDP solution, end users are also freed from the need for repeated, multiple VPN connections when they want to access apps in different locations. One connection provides access to the applications you need, wherever they are.
  • Zero-trust remote access for users, isolation for the network. SDP solutions have several security advantages over VPNs. First, there are no trusted zones. The IT administrator must grant users explicit permission to access specific applications. Beyond these designated one-to-one connections that are created for user devices, all other network resources remain isolated from view and completely invisible. Some SDP solutions allow continuous authentication and verification of the user and/or device at the packet level using identity-based networking technology. Security isn’t left to chance; all network traffic is logged for audit and investigation.
  • Simple, as-a-service solution. Compared to configuring and syncing VPN policies, you can onboard each network resource to an SDP platform once and manage all policies centrally in the cloud, avoiding the need to configure and sync across different locations. An advantage of a fully cloud-based SDP solution is that there is little to set up, maintain or upgrade in the data center or VPC that you are enabling access to. All of the intelligence, as well as the security enforcement, is done in the cloud.
  • Unlimited, cost-effective scaling. With a cloud-native SDP solution, capacity is never an issue. Regardless of the number of users that need to connect or the number of applications that they need to access, the solution should scale automatically. There’s no need to sink additional time and funds into installing more powerful appliances.
  • Connect anything, without complexity. While VPNs can connect clouds and datacenters satisfactorily, doing so can be complex and costly. On the other hand, software-defined perimeters enable more efficient connectivity without the hardware and management resource requirements.
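
The following is an added example, not Meta Networks' code or any product's, that models the visibility difference described in the list above as a small policy broker: a VPN-style subnet route makes every host in the routed range reachable to any connected user, whereas the SDP-style broker is default-deny, grants named applications per user and per device class (managed agent versus unmanaged browser), and logs every decision for audit. Application names, addresses, users and grants are constructed sample data.

```python
from ipaddress import ip_address, ip_network

# Constructed sample inventory: application name -> internal address (hypothetical)
APPS = {"payroll": "10.1.0.10", "wiki": "10.1.0.20", "git": "10.2.0.5"}

# Perimeter-VPN model: one routed subnet that any connected user can reach.
VPN_ROUTED_SUBNET = "10.1.0.0/16"

# SDP model: explicit grants per user, per app, per device class; no entry means deny.
# Device classes follow the article: "managed" (agent-based) and "unmanaged" (browser-based).
GRANTS = {
    "alice": {"payroll": {"managed"}, "wiki": {"managed", "unmanaged"}},
    "bob":   {"wiki": {"managed", "unmanaged"}},
}

# Every broker decision is appended here for audit and investigation.
AUDIT_LOG = []


def vpn_visible_apps(user):
    """Once a VPN session is up, every app inside the routed subnet is reachable,
    regardless of who the user is (the user argument is deliberately unused)."""
    subnet = ip_network(VPN_ROUTED_SUBNET)
    return sorted(name for name, addr in APPS.items() if ip_address(addr) in subnet)


def sdp_visible_apps(user, device_class):
    """The trust broker only reveals apps the user is explicitly granted for
    this device class; everything else stays invisible to that user."""
    user_grants = GRANTS.get(user, {})
    return sorted(name for name, classes in user_grants.items() if device_class in classes)


def sdp_authorize(user, device_class, app, authenticated):
    """Default-deny decision for a single access attempt; every outcome is logged."""
    if not authenticated:
        decision = "deny:unauthenticated"
    elif app not in APPS:
        decision = "deny:unknown-app"
    elif device_class not in GRANTS.get(user, {}).get(app, set()):
        decision = "deny:no-grant"
    else:
        decision = "allow"
    AUDIT_LOG.append({"user": user, "device": device_class, "app": app, "decision": decision})
    return decision


if __name__ == "__main__":
    print("VPN view for bob:", vpn_visible_apps("bob"))                      # ['payroll', 'wiki']
    print("SDP view for bob (browser):", sdp_visible_apps("bob", "unmanaged"))  # ['wiki']
    print(sdp_authorize("alice", "unmanaged", "payroll", True))               # deny:no-grant
```

Note that the VPN view exposes payroll to bob even though he has no business need for it, while the broker never lists it for him and denies alice's unmanaged device the app she is only granted from a managed one.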

As you can see, there are substantial advantages to using SDP solutions over perimeter-based VPNs, with one of the biggest positives being improved security. VPNs and firewalls were designed for a site-centric world and are thus overly permissive in granting access to the corporate network. They also create vulnerability by exposing services to the Internet. In contrast, the innovative SDP network security model creates IT-assigned network connections between each user and only the specific resources that he or she needs to access. SDPs can also provide an integrated internet security stack so that users who work offsite need not sacrifice Internet security.

In the modern era where the common usage patterns include cloud applications, remote workers and insecure locations, trust-based network designs put the organization at risk. In contrast, the user-centric SDP approach provides assurance that any endpoint attempting to access an application gets properly authorized and authenticated before it even gets visibility to enterprise services.

In addition to improving security, SDP solutions also help address compliance and regulatory requirements by providing a comprehensive record of network usage and application access. With a world-wide, cloud-native platform, some SDP solutions are distributed and infinitely scalable, with the ability to leverage their advantages across all applications. At the same time, management costs and complexities are significantly reduced. All of this adds up to a true transformation—and a welcome alternative to VPNs and firewalls.

We, at CISO MAG, are set to publish the Power List, a comprehensive publication which will explore critical areas of cloud security while elucidating best practices to adopt for securing the cloud space. Ahead of it, we are discussing several trends and vendors in the space while we tell you what differentiates each product from the rest.

The opinions expressed within this article are the personal opinions of the author. The facts and opinions appearing in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.