Smart, Soft, Wary: Software Defined Perimeter to Achieve Deep Segmentation

Smart, Soft, Wary: Software Defined Perimeter to Achieve Deep Segmentation

The ultimate end state of software-defined network security is what we at Nemertes Research call deep segmentation. The term refers to the ability to finely control what entities can see, who they communicate with and how they do this, end to end across the enterprise network. With deep segmentation, every physical or virtual switch can enforce security policies and deliver full software-defined network perimeter security and zero-trust architecture.

Formally, a software-defined perimeter (SDP) relies on controllers outside the network to serve as ingress points. An entity that wants to talk on the network has to authenticate with the controller. If it receives authentication, the traffic is redirected to a network gateway, which receives information about who the entity is allowed to talk to.

On the other end, entities already inside the network are only allowed to see traffic from, or send traffic to, entities that have permission to talk to them. SDP merges quite seamlessly with the principles of zero-trust security; combined, they effectively achieve network perimeter security.

You can find the rest of the article at SearchNetworking, here.

(In addition to fitting so well with zero-trust, an SDP is a natural ally of a SCAPE architecture, which we’ll dig into next…)

Share this post