What is SDP - Zero Trust Cybersecurity | Vidder

What is SDP?

SDP stands for software-defined perimeter. SDP is a new set of specifications for next-generation access control promoted by the Cloud Security Alliance (CSA).

The SDP core concept is pre-authentication of connection requests and pre-authorization of access approval.

Conceptually, SDP creates protected networked devices that are “black”, or undiscoverable, to unknown users, providing visibility and access only on a need-to-know basis. The new architecture significantly reduces the attack surface by first isolating target assets (often servers) from all users and devices, including both potential attackers and legitimate users. Then, secure connectivity is made available only to users who are members of the virtual community of interest, running on trusted devices. This trusted connectivity is achieved via a 3-step process.


SDP Components

The SDP architecture consists of three components: the SDP Controller, SDP Gateway, and SDP Client.

SDP Controllers communicate over a secure control channel to both SDP Clients and SDP Gateways. The Controllers act as the connection and policy manager of the system. Clients cannot connect directly to Gateways or applications protected by the SDP (protected apps). Instead, the clients must be verified by a Controller in regards to device, user, and software trust. Upon successful verification, Controllers dynamically provision mutually trusted and encrypted connections between clients and gateways.

1. Device Authentication & Authorization: The Controller verifies the authenticity and trust of the device desiring to connect to the protected application.

2. User Authentication & Authorization: The Controller requests user authentication and authorization verification from the enterprise identity management system and matches that to device ownership.

3. Dynamically Provisioned Connections: The Controller dynamically provisions an encrypted connection to allow application data to pass between the client and the server.

Gartner: Predicts 2016: Security Solutions, Ruggero Contu, Deborah Kish, Perry Carpenter, et al., December 2015. The Gartner Cool Vendor logo is a trademark and service mark of Gartner, Inc. and/or affiliates, and is used herein with permission. All rights reserved.

“SDP technology enables organizations to provide people-centric, manageable, ubiquitous, secure and agile access to networked systems, services and applications. It does this by solving a core design flaw in the unsecure manner in which TCP/IP was developed.”

Gartner

SDP Value

SDP defeats the attacks that are the foundational tools used by cyber attackers.


The SDP Controller enables:

• Device assessment and user authentication prior to providing connectivity to eliminate unauthorized network paths to protected services.

• Dynamic provisioning of all endpoint connectivity to create a need-to-know network.

• Obfuscation of the Controller from unauthorized devices to mitigate denial of service (DoS) attacks and many other types of attacks on the Controller.

• Real-time control over the overall system topology to react to changing networking environments and to maintain a high level of availability and performance.

SDP Gateways act as a connection layer barrier, allowing connections to protected applications only from authorized users who successfully prove their trust to the Controllers, and then present proper cryptographic tokens and certificates to the Gateways. The traffic to the protected server is delivered by a separate secure TCP connection that cannot be re-purposed by any user or attacker. Thus servers behind the Gateways are isolated from all but authorized users.

The SDP Gateway enables:

• The complete rejection of connections to the protected applications from all unauthorized devices and users to mitigate resource-starvation DoS attacks and TLS/SSL attacks.

• The complete obfuscation of protected applications from all unauthorized devices and users to mitigate exploitation attacks.

• The complete removal of applications from DNS discovery, eliminating DNS poisoning attacks.

SDP Clients provide the method for users to establish an encrypted path to protected applications.

The Client enables:

• A cryptographically secure communication channel to connect to an obfuscated Controller such that all connections from unauthenticated devices are cryptographically rejected.

• Communication of device and user authentication to the Controller over encrypted tunnels to ensure that only authorized devices and users receive access.

• Dynamically generated, mutually authenticated, short-lived, encrypted tunnels to authorized services that are cryptographically secure from unauthorized users.
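The three-step Controller flow and the Gateway and Client behaviour described above, as an added Python simulation that is not Vidder's or the CSA's code: a Controller authenticates the device, then the user against a stand-in identity store, checks that the user is the device's registered owner and is authorized for the requested app, and only then mints a short-lived, single-use, HMAC-signed token bound to one device and one app; a Gateway drops every connection that does not carry a valid, unexpired, unused token for its app. The device fingerprints, users, passwords, app names and the shared gateway key are constructed sample values, and the signed JSON token is a stand-in for the certificates and cryptographic tokens the datasheet refers to.

```python
"""Simulation of the SDP three-step flow (device check, user check, then a
dynamically provisioned credential) and of a Gateway that only admits
connections carrying such a credential. Added illustration, not Vidder's or
the CSA's code; every device, user, key and app name is constructed sample data."""
import hashlib
import hmac
import json
import secrets
import time

# Constructed stand-ins for the device inventory and the enterprise identity
# management system.
TRUSTED_DEVICES = {  # device certificate fingerprint -> registered owner
    "sha256:dev-laptop-0001": "alice",
    "sha256:dev-laptop-0002": "bob",
}
IDENTITY_SYSTEM = {  # user -> (password hash, apps the user is authorized for)
    "alice": (hashlib.sha256(b"alice-pw").hexdigest(), {"payroll"}),
    "bob": (hashlib.sha256(b"bob-pw").hexdigest(), {"wiki"}),
}
TOKEN_TTL_SECONDS = 30


class Controller:
    """Steps 1 and 2 (device, then user, authentication and authorization);
    on success, step 3: provision a short-lived token bound to one device,
    one user and one protected app."""

    def __init__(self, gateway_key: bytes):
        self.gateway_key = gateway_key  # shared with the Gateway over the control channel

    def request_access(self, device_fp, user, password, app, now):
        # Step 1: a device that is not enrolled gets nothing usable back.
        owner = TRUSTED_DEVICES.get(device_fp)
        if owner is None:
            return None
        # Step 2: authenticate the user and match them to the device owner.
        record = IDENTITY_SYSTEM.get(user)
        if record is None or owner != user:
            return None
        pw_hash, allowed_apps = record
        presented = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(pw_hash, presented) or app not in allowed_apps:
            return None
        # Step 3: mint a signed, single-use, expiring credential for this app.
        claims = {"device": device_fp, "user": user, "app": app,
                  "nonce": secrets.token_hex(8), "exp": now + TOKEN_TTL_SECONDS}
        body = json.dumps(claims, sort_keys=True)
        sig = hmac.new(self.gateway_key, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + sig


class Gateway:
    """Admits a connection only with a valid, unexpired, unused token for this
    app and this device; everything else is dropped without a response."""

    def __init__(self, key: bytes, app: str):
        self.key, self.app = key, app
        self.used_nonces = set()  # a token cannot be replayed or re-purposed

    def connect(self, device_fp, token, now):
        if not token or "." not in token:
            return False
        body, sig = token.rsplit(".", 1)  # the hex signature contains no "."
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return False
        claims = json.loads(body)
        if claims["app"] != self.app or claims["device"] != device_fp:
            return False
        if now > claims["exp"] or claims["nonce"] in self.used_nonces:
            return False
        self.used_nonces.add(claims["nonce"])
        return True


def run_scenarios():
    """Exercise the flow; returns a dict of scenario -> outcome."""
    key = secrets.token_bytes(32)
    ctrl, gw = Controller(key), Gateway(key, "payroll")
    t = 1_700_000_000.0  # fixed clock so expiry is deterministic
    dev1, dev2 = "sha256:dev-laptop-0001", "sha256:dev-laptop-0002"
    tok = ctrl.request_access(dev1, "alice", "alice-pw", "payroll", t)
    tok_old = ctrl.request_access(dev1, "alice", "alice-pw", "payroll", t)
    return {
        "no_token": gw.connect(dev1, None, t),
        "unknown_device": ctrl.request_access("sha256:not-enrolled", "alice", "alice-pw", "payroll", t) is None,
        "wrong_owner": ctrl.request_access(dev2, "alice", "alice-pw", "payroll", t) is None,
        "bad_password": ctrl.request_access(dev1, "alice", "guess", "payroll", t) is None,
        "not_authorized": ctrl.request_access(dev2, "bob", "bob-pw", "payroll", t) is None,
        "other_device": gw.connect(dev2, tok, t + 1),  # token is bound to dev1
        "tampered": gw.connect(dev1, tok.replace("payroll", "wiki", 1), t + 1),
        "first_use": gw.connect(dev1, tok, t + 1),
        "replay": gw.connect(dev1, tok, t + 2),
        "expired": gw.connect(dev1, tok_old, t + TOKEN_TTL_SECONDS + 1),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:15s} {outcome}")
```

The shared HMAC key keeps the simulation self-contained; a deployed SDP would use mutually authenticated TLS with per-component certificates for both the control channel and the client-to-gateway connection. The point the simulation makes is the ordering: no credential exists until device and user checks both pass, and the Gateway has no decision to make for anything that arrives without one.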

Want to know more?

910 E Hamilton Avenue STE 410, Campbell, CA

www.vidder.com

Much more information about SDP can be found on the Cloud Security Alliance (CSA) website https://cloudsecurityalliance.org/group/software-defined-perimeter/ or on the Vidder website https://www.vidder.com//precisionaccess/precisionaccess-architecture.html