What is a software-defined perimeter and how does SDP work?

January 5, 2021  |  Ericka Chickowski

This blog was written by a third-party author.

What is a software-defined perimeter?

A software-defined perimeter (SDP) establishes virtual boundaries around Internet-connected assets and user activity through an integrated security architecture approach. SDP works regardless of whether assets reside on-premises or in the cloud, or whether users are on-site or working remotely. Rather than relying on hardware like firewalls or VPNs at the network boundary, SDP leverages software to prevent any access to or even visibility into resources within the virtual perimeter by default.

This deny-all approach only grants access through robust, mutual authentication of authorized users and validated devices attempting connection. Internet-connected resources protected by the SDP architecture remain otherwise hidden to everyone (and everything) else.

Organizations have historically used firewalls not only at the boundary of the network but also to segment off a limited number of sensitive areas for higher levels of protection. But those segments are typically very broad. SDP makes it possible to take the principle of least privilege to its logical conclusion through much more tightly defined microsegmentation of resources. SDP gates access on a 1-to-1 connection basis rather than an IP basis to account for the broad distribution of assets in cloud environments. This means that SDP access is granted to specific resources rather than to a network at large. While it might still be wise to use firewalls for internal segmentation to limit the reach of malware, SDP technology supplants many of their traditional protection benefits.

What security technologies are considered SDP?

While there are standalone SDP platforms on the market, SDP is more of an architectural model than a single security product, as it wraps in technology like multi-factor authentication, encryption, network gateways and more. As the Cloud Security Alliance recently explained in its Software-Defined Perimeter Architecture Guide, SDP architectures are designed to build in five layers of security at a minimum:

  • Authentication and validation of devices
  • Authentication and authorization of users
  • Two-way encrypted communications
  • Dynamic provisioning of connections
  • Control over connections to services while keeping them hidden

The hallmark of the SDP architecture is that it separates the access control plane from the data plane, typically through user-aware applications, client-aware devices, and network-aware firewalls and gateways.

The nerve center of the SDP technical stack is the software-based SDP controller, which supports authorization and authentication services, encryption technology, and context-aware technology like geolocation; centralizes policies; and handles communication with SDP clients and gateways. Connection attempts are not made directly from an initiating host (typically the client) to the controller, but are instead routed through to an accepting host (typically the gateway), which interfaces with the controller to determine if the accepting host can establish a two-way encrypted connection with the initiating host. Both the controller and the accepting host are protected by single-packet authorization (SPA), which is what keeps them hidden from unauthorized users and devices.
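To make the SPA step concrete, here is an added sketch (not from the original post, the CSA specification, or any SDP product) of how an accepting host can validate one authenticated packet and stay silent on everything else. The packet layout, client name, key and policy table are all constructed for illustration.

```python
import hashlib, hmac, json

# Constructed demo values: a per-client seed the controller would provision.
CLIENT_KEYS = {"laptop-42": b"constructed-demo-seed-not-a-real-key"}
# Constructed policy: identity -> specific services it may reach (not a subnet).
POLICY = {"laptop-42": {"payroll-app:443"}}
MAX_SKEW = 30            # seconds a packet stays valid
_seen_nonces = set()     # replay cache (a real gateway would expire entries)


def build_spa(client_id, service, key, nonce, now):
    """Initiating host: build one authenticated datagram payload."""
    body = json.dumps({"id": client_id, "svc": service, "nonce": nonce, "ts": now},
                      sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def handle_spa(packet, now):
    """Accepting host: return the service to open, or None to send no reply."""
    try:
        body, tag = packet.rsplit(b".", 1)
        msg = json.loads(body)
        cid, svc, nonce = msg["id"], str(msg["svc"]), str(msg["nonce"])
        ts = float(msg["ts"])
        key = CLIENT_KEYS[cid]
    except (ValueError, KeyError, TypeError):
        return None                      # malformed packet or unknown client
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None                      # not produced with this client's key
    if abs(now - ts) > MAX_SKEW:
        return None                      # stale capture
    if (cid, nonce) in _seen_nonces:
        return None                      # replayed packet
    _seen_nonces.add((cid, nonce))
    if svc not in POLICY.get(cid, set()):
        return None                      # identity not authorized for this asset
    return svc                           # caller opens one connection to svc only
```

Every failure path returns `None` without answering, which is what keeps the gateway invisible to a scanner; only a fresh, correctly keyed request for an authorized service yields a connection.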

Comparing SDP to traditional VPN

One of the big advantages of SDP is that it offers the same user experience for those accessing resources remotely as it does for users within the confines of the office. And usually, it does it more securely than VPN in the process.

VPNs are designed to provide an encrypted communication tunnel through traditionally firewalled network boundaries to access on-premises resources. But they're a notorious performance chokepoint for remote users, especially when tapping into cloud-based resources, and they usually provide very broad access to large swaths of the corporate network.

Some other key differences include the following:

| How VPN works | How SDP works |
| --- | --- |
| VPN authorizes access based on IP address | SDP grants access based on identity |
| VPN typically provides access to all of the applications and data within a broad network segment | SDP only provides access to specific assets that users have been authorized to use to do their jobs |
| VPNs connect by listening for incoming connections | SDP responds to outgoing connection requests, meaning the user never accesses the network itself, which remains hidden from attackers |

SDP, by contrast, operates the same regardless of the location of the user or the resource, and connections are made on a very granular basis so that users and devices only get limited access to a very specific set of network resources.

How SDP supports SD-WAN

Software-defined wide area networking (SD-WAN) is a distributed networking approach that builds out a mesh of network links that have the flexibility to connect directly to the Internet, to other branches, or to the data center, based on the application being used. SD-WAN provides organizations a sustainable alternative to high latency hub-and-spoke network topologies and provides cost and performance benefits for remote users that want to connect directly to cloud and Internet-connected resources when the situation warrants it.

The security conundrum is that this distributed approach renders centralized security inspection mechanisms ineffective and requires security controls to move to the network edge to work appropriately. SDP provides a security architecture that can protect resources in a distributed connection model. The infrastructure- and location-agnostic capabilities of SDP sync well with SD-WAN architecture, allowing organizations to build valuable layers of security controls into the SD-WAN topology.


SDP is increasingly being referred to by market players and analysts interchangeably with zero-trust network access (ZTNA) technology. Starting in 2020, Gartner lumped SDP technologies in with ZTNA, defining technologies in the category as those that "create individualized “virtual perimeters” that encompass only the user, the device and the application. ZTNA normalizes the user experience, removing the access distinctions that exist when on, versus off, the corporate network."

Whether you call it SDP or ZTNA, experts peg that function as a component of the broader push toward a secure access service edge (SASE) model. SASE combines the capabilities of secure web gateways (SWGs), cloud access security broker (CASB) technology, SD-WAN, cloud firewalls, ZTNA/SDP and more to create a mesh of security functionality that works in distributed, hybrid-cloud environments.
