AppGate SDP at work
A Software-Defined Perimeter (SDP) architecture is made up of three primary components: a Client, a Controller and a Gateway. The Controller is the brains of the system and acts as its trust broker: it checks context and grants entitlements. Both the Controller and the Gateway are completely cloaked.
- Using Single-Packet Authorization (SPA), the Client device makes an access request to the Controller and authenticates to it. The Controller evaluates the credentials and applies access policies based on the user, the environment and the infrastructure.
- The Controller checks context and passes a live entitlement to the Client: a cryptographically signed token that contains the authorized set of network resources.
- Using SPA, the Client uploads the live entitlement to the Gateway, which uses it to discover the applications matching the user's context. When the user attempts to access a resource (for example, by opening a web page on a protected server), the network driver forwards the token to the appropriate cloaked Gateway. The Gateway then applies additional policies in real time, such as network location, device attributes and time of day. It may permit or deny access, or require an additional action from the user, such as prompting for a one-time password.
- A dynamic Segment of One network is built for this session. Once access is granted, all traffic to the resource travels from the Client across a secure, encrypted network tunnel and through the Gateway to the server. Access is logged through the LogServer, ensuring there is a permanent, auditable record of user access.
- The Controller continuously monitors for any context changes and adapts the Segment of One accordingly.
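The steps above describe a token-brokered access flow: the Controller signs an entitlement, the Gateway verifies it and layers its own real-time policy on top before anything reaches the protected server, and every decision is recorded. The following is an added toy model of that flow, written for this page; it is not AppGate code and makes several assumptions: the token is a JSON claim set signed with an HMAC over a shared key (a real deployment would use the vendor's own token format and key material), the policy fields `device_compliant` and `network` are constructed, and a Python list stands in for the LogServer.

```python
"""Toy model of the SDP entitlement flow described above (constructed example, not AppGate code).

Controller: evaluates a request and issues a signed, time-limited entitlement token.
Gateway:    verifies the token, checks the requested resource is entitled, applies
            real-time policy (device posture, network location) and logs the decision.
"""
import base64
import binascii
import hashlib
import hmac
import json

# Assumed shared signing key between Controller and Gateway (constructed value;
# a real system would use asymmetric keys so the Gateway can only verify, not mint).
SIGNING_KEY = b"constructed-demo-key-not-for-production"

AUDIT_LOG = []  # stands in for the LogServer: one record per Gateway decision


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def controller_issue_entitlement(user: str, resources: list, now: int, ttl: int = 300) -> str:
    """Controller side: the policy result (which resources this user may reach) is
    bound into a signed token with issue and expiry times. `now` is injected so the
    flow is deterministic and testable."""
    claims = {"sub": user, "resources": sorted(resources), "iat": now, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(sig)}"


def gateway_verify_token(token: str, now: int) -> dict:
    """Gateway side: reject malformed, forged or expired tokens before reading any claim."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        raise ValueError("malformed token")
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(body)
    if now >= claims["exp"]:
        raise ValueError("expired entitlement")
    return claims


def gateway_decide(token: str, resource: str, context: dict, now: int) -> str:
    """Per-request decision at the Gateway: entitlement check plus real-time policy.
    Returns 'permit', 'deny' or 'step-up' (additional user action such as an OTP),
    and always writes an audit record, including for denials."""
    try:
        claims = gateway_verify_token(token, now)
    except ValueError as err:
        sub, decision, reason = "?", "deny", str(err)
    else:
        sub = claims["sub"]
        if resource not in claims["resources"]:
            decision, reason = "deny", "resource not in entitlement"
        elif not context.get("device_compliant", False):
            decision, reason = "deny", "device posture check failed"
        elif context.get("network") == "untrusted":
            decision, reason = "step-up", "one-time password required off-network"
        else:
            decision, reason = "permit", "entitled and policy satisfied"
    AUDIT_LOG.append({"ts": now, "sub": sub, "resource": resource,
                      "decision": decision, "reason": reason})
    return decision


if __name__ == "__main__":
    NOW = 1_700_000_000  # constructed epoch timestamp
    token = controller_issue_entitlement("alice", ["hr-portal:443", "git:22"], NOW)
    ctx = {"device_compliant": True, "network": "corp"}
    print(gateway_decide(token, "hr-portal:443", ctx, NOW + 10))   # permit
    print(gateway_decide(token, "db:5432", ctx, NOW + 10))         # deny: not entitled
    print(gateway_decide(token, "hr-portal:443", ctx, NOW + 400))  # deny: expired
    for record in AUDIT_LOG:
        print(record)
```

The point the model makes visible is the division of labour: the Controller decides *what* a user may reach and signs it once, while the Gateway re-checks *whether this particular request, right now* should be allowed, so a token that is expired, altered, or presented from a non-compliant device fails at the Gateway even though it was validly issued. Because the decision and the audit record are produced in the same function, a denial is logged just as a permit is.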