Many recent headlines have highlighted the fact that the traditional perimeter-based approach to network security has failed to adequately protect organizations, and that a new approach is needed. Traditional security tools like VPNs, firewalls, and NACs are labor-intensive to manage, don’t leverage user context to make access decisions, and can’t keep up with the pace of the business. As a result, organizations typically use them to control access in an all-or-nothing fashion. The implication? Authenticated users have overly broad network access, increasing the attack surface area and enabling the types of wide-reaching breaches that we see far too often.

Perimeter based network security like VPNs and firewalls are not working

This is why, increasingly, forward-looking organizations are considering a new approach to network security – a Software-Defined Perimeter model.

What is a Software-Defined Perimeter?

Based on work done within the U.S. Department of Defense, the Software-Defined Perimeter is a security framework designed to provide on-demand, dynamically provisioned secure network segmentation. A Software-Defined Perimeter is a network security model that dynamically creates one-to-one network connections between the user and the resources they access. Everything else is invisible, including the SDP system itself.

It ensures that all endpoints attempting to access a given infrastructure are authenticated and authorized prior to being able to access any resources on the network. All unauthorized network resources are made inaccessible. This not only applies the principle of least privilege to the network, it also reduces the attack surface area by hiding network resources from unauthorized or unauthenticated users.
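The access decision the two paragraphs above describe, as an added Python sketch that is not Cyxtera's or AppGate's code (the resource names, roles and device-posture check are constructed assumptions): the perimeter model grants everything once a user authenticates, while the SDP model starts from default deny and provisions only the one-to-one connections the user's identity and context entitle them to.

```python
from dataclasses import dataclass

# Constructed sample inventory of protected resources and the roles allowed
# to reach each one; names are illustrative, not from any real network.
RESOURCES = {
    "hr-db": {"port": 5432, "roles": {"hr"}},
    "ci-server": {"port": 443, "roles": {"engineering"}},
    "wiki": {"port": 443, "roles": {"hr", "engineering"}},
    # Context-aware rule: reachable only from a managed (compliant) device.
    "prod-ssh": {"port": 22, "roles": {"engineering"}, "require_managed_device": True},
}


@dataclass(frozen=True)
class User:
    name: str
    authenticated: bool
    roles: frozenset
    managed_device: bool = False  # assumed device-posture signal


def perimeter_model_access(user):
    """Traditional VPN/firewall: all-or-nothing. Once a user is authenticated,
    every resource behind the perimeter is reachable (and visible to scans)."""
    if not user.authenticated:
        return set()
    return set(RESOURCES)


def sdp_access(user):
    """Software-Defined Perimeter: default deny. A resource is provisioned as a
    one-to-one connection only when the user's identity and context satisfy
    its policy; everything else stays invisible to this user."""
    if not user.authenticated:
        return set()
    granted = set()
    for name, policy in RESOURCES.items():
        if not (user.roles & policy["roles"]):
            continue
        if policy.get("require_managed_device") and not user.managed_device:
            continue
        granted.add(name)
    return granted


def hidden_from_user(user):
    """How many resources a stolen session for this user could reach under the
    perimeter model but cannot even see under SDP: the attack surface removed."""
    return len(perimeter_model_access(user)) - len(sdp_access(user))
```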

Image that depicts what three different users can access via a software-defined perimeter architecture model.


The Software-Defined Perimeter model has gained considerable momentum across the security community. Industry analysts are touting this new approach based on its ability to increase your security, while at the same time easing the operational burdens associated with traditional network security and simplifying your environment.  

  • Gartner says that “SDP enables organizations to provide people-centric, manageable, secure and agile access to networked systems. It is easier and less costly to deploy than firewalls, VPN concentrators and other bolt-in technologies.”
  • Forrester says that “Legacy, perimeter-based security models are ineffective against attacks. Security and risk pros must make security ubiquitous throughout the ecosystem.”
  • The Cloud Security Alliance says that “The SDP security model has been shown to stop all forms of network attacks including DDoS, Man-in-the-Middle, Server Query (OWASP10) as well as Advanced Persistent Threat.” 

As enterprise organizations come to the realization that traditional network security is failing them, a Software-Defined Perimeter solution needs to be considered to secure not only on-premises environments but, just as importantly, cloud-based IaaS environments like Amazon Web Services (AWS) and Microsoft Azure. The good news is that the SDP model works well across heterogeneous and hybrid environments.


Learn more about Cyxtera’s Software-Defined Perimeter solution, AppGate SDP.

