
Emerging Security Concept - Software Defined Perimeter


From time to time, I have taken the opportunity to share a new idea or educate about a concept in the information security space. Today I wanted to talk a bit about a technology that I have been evaluating, and the impacts that it may have on traditional identity management and network security.

Hybrid cloud environments are dynamic and complex, further complicated by multiple end-users accessing multiple environments from multiple locations. Securing access to these environments is a considerable challenge, which is magnified by the gap between enterprises’ desire to manage security from an identity-centric perspective, and cloud platforms’ access models that are based on IP addresses, and not users.

As a result, security remains a significant concern, often impeding the adoption of cloud. Traditional security tools can’t bridge this gap, so security professionals, who are under tremendous pressure to enable business agility, end up granting users overly broad network access to their cloud environments. This increases the risk of security and compliance issues, especially with dynamically changing cloud environments – something that we’ve unfortunately seen repeatedly as a root enabler of recent data breaches.

Ultimately, enterprises are demanding cloud security controls and policies that are identity-centric, and define how information, systems, applications and infrastructure can be better protected when using a cloud environment.

When it comes to cloud security, what is the responsibility of the cloud provider versus the cloud user? One of the security principles we advocate and one that providers generally follow is a Shared Responsibility model – clearly denoting that enterprises are responsible for securing user access to the cloud. Unfortunately, cloud infrastructures’ network security approach often results in over-privileged, wide-open network access.

This is where a Software-Defined Perimeter complements traditional security solutions like identity and access management. A new security model, a Software-Defined Perimeter, wraps network permissions around each unique user.

Because people are not IP addresses, cloud security demands an identity-centric network solution that works alongside single sign-on solutions, analytics platforms and identity management systems. Using a Software-Defined Perimeter approach ensures that all endpoints attempting to access a given resource (whether in the cloud or on-premises) are authenticated and authorized prior to accessing any resources on the network. All unauthorized network resources are made inaccessible. This not only applies the principle of least privilege to the network, it also reduces the attack surface area by hiding network resources from unauthorized or unauthenticated users. And, the Software-Defined Perimeter approach dynamically adjusts access based on changes in the environment – such as the creation of new server instance, or on changes to user attributes such as network location.

To summarize, a Software-Defined Perimeter overcomes the constraints of traditional tools by effectively creating a dynamic, individualized perimeter for each user – a network ‘segment of one’.

HPE has been working with a leader in the software-defined perimeter space, Cryptzone. Their product, which provides user control, operational agility and compliance, offers an identity-centric Software-Defined Perimeter solution that aligns the benefits of network security with IAM solutions.

One interesting and relatively simple way to do this is to tie together an organization’s authentication system, using an industry standard mechanism such as Security Assertion Markup Language (SAML), with its SDP-based network access control. Specifically, the SDP system can consume SAML assertions as a trusted form of authentication for users, and grant corresponding network access. By doing so, security teams can begin to bridge the gap between identity and network security, while delivering a consistent and business user-friendly experience.
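The authenticate-then-authorize flow described above (SAML assertion in, per-user network access out), as an added illustration that is not Cryptzone's or HPE's code: an assumed SDP controller checks the assertion's validity window and audience, reads the user's attributes, derives that user's "segment of one" from an assumed policy table (anything not granted stays invisible), and trims access when the user's network location is untrusted. The entity ID, policy, resource names and the unsigned sample assertion are all constructed for this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SDP_ENTITY_ID = "https://sdp-controller.example.com"  # assumed SDP audience (entity ID)
# Assumed policy: an identity attribute grants reachable resources; anything not granted is invisible.
POLICY = {
    ("group", "finance"): {"erp.internal:443"},
    ("group", "devops"): {"bastion.cloud:22", "k8s-api.cloud:6443", "wiki.cloud:443"},
}

def _ts(iso):  # SAML timestamps are UTC with a trailing Z
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def parse_assertion(xml_text, now):
    """Check validity window and audience, then return (subject, {(name, value)})."""
    # Signature verification is omitted here; a real controller verifies the IdP
    # signature first and uses a hardened XML parser, since the assertion is untrusted input.
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if SDP_ENTITY_ID not in audiences:
        raise ValueError("assertion not issued for this SDP controller")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {(a.get("Name"), v.text)
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)
             for v in a.findall("saml:AttributeValue", NS)}
    return subject, attrs

def segment_of_one(attrs, network_location):
    """Build the user's individual perimeter from policy (default deny), adjusted for location."""
    allowed = set().union(*(POLICY.get(pair, set()) for pair in attrs))
    if network_location == "untrusted":  # assumed rule: only HTTPS services from off-net
        allowed = {r for r in allowed if r.endswith(":443")}
    return allowed

def access_for(xml_text, now_iso, network_location):
    subject, attrs = parse_assertion(xml_text, _ts(now_iso))
    return subject, segment_of_one(attrs, network_location)

# Constructed, unsigned sample assertion for a devops user (illustration only).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2016-05-01T10:00:00Z" NotOnOrAfter="2016-05-01T10:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://sdp-controller.example.com</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions>
 <saml:AttributeStatement><saml:Attribute Name="group"><saml:AttributeValue>devops</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""
```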

HPE will continue to provide the best security solutions possible for our customers, through HPE products and a best-in-class partnership program that integrates the best solutions in the industry as part of HPE solutions. Software-Defined Perimeter may be a new term in the industry, but it is not the last that you will hear about it!

For more information about the Software-Defined Perimeter, take a look at this recent blog about the topic. To learn more about hybrid cloud security, download the whitepaper from 451 Research Group. You can also learn more about the HPE Right Mix hybrid cloud, as well as the Right Mix approach to cloud security. Click here to find a list of all of Chris Steffen’s blogs on Grounded in the Cloud and here for his posts on his Medium site.

About the Author

Chris Steffen is the Chief Evangelist for HPE Cloud Security. He is part of the HPE Helion team that works to educate and promote information security as it relates to cloud computing solutions. Before joining HPE, Chris spent over 15 years as an IT executive and security practitioner in multiple industries, including financial services, manufacturing and government. He is a noted industry expert, and has multiple technical certifications, including CISSP and CISA. You can follow him on Twitter at @CloudSecChris.