Five Ways a Software Defined Perimeter Is Better Than VPN

Five Ways a Software Defined Perimeter Is Better Than VPN

By Etay Bogner, Founder & CEO, Meta Networks

Can virtual private networks, created over 20 years ago, still provide an adequate solution for secure remote access these days?

The well-defined network perimeter that VPNs were designed to protect, has essentially been dissolved with the wide-spread adoption of cloud-based, virtualized infrastructures. How can an enterprise enforce security for remote users when its network resources are no longer just inside a data center? When employees, partners, and customers are accessing cloud services and Internet apps?

With apps moving to the cloud and users moving off the network, a cloud-based software-defined perimeter (SDP) provides a much more suitable solution that addresses enterprise needs and resolves VPN’s inherent shortcomings.  Gartner defines software-defined perimeters as “a logical set of disparate, network-connected participants within a secure computing enclave. The resources are typically hidden from public discovery, and access is restricted via a trusted broker to the specified participants of the enclave, removing the assets from public visibility and reducing the surface area for attack.”

As organizations begin to weigh the benefits of software-defined perimeters over VPNs, here are five ways SDPs are winning the debate against corporate VPNs.

1 – Tighter Security

The most concerning security flaw with VPNs is the fact that once a remote user is authenticated he or she is considered trusted and is granted excessive access to network resources. Generally, VPN access is overly permissive, granting remote workers access to more of the network than is required to complete their tasks. As a result, network resources are unnecessarily visible, overly vulnerable, and open to attack.

A software-defined perimeter replaces this flawed VPN site-centric security approach with an identity-based approach that enforces a customized policy for each user device. There are no trusted zones and an IT administrator must grant users permission to access specific applications. All other network resources that are unauthorized to a specific user are simply invisible.

Some SDP solutions also provide continuous authentication and verification of the user and/or device at the packet level using identity-based networking technology. Finally, all network traffic is logged for audit and investigation.

2 – Better End-User Experience

Anyone that has used VPNs is familiar with the notoriously slow and unreliable performance. And if one is on the job and involved with multiple applications in different locations, the frustration of repeatedly connecting and disconnecting to remote applications is not an uncommon experience.

With SDPs, the user experience is dramatically different. A global network of points-of-presence (PoPs) provides a network backbone that reduces latency and optimizes the routing of data. Therefore, instead of connecting to a specific site, a remote user connects to the nearest local PoP, which provides better performance and quality of service from anywhere in the world.

The single connection to the overlay network provides access to all the applications needed, regardless of their location.

3 – Reduced Management and Administration

Any enterprise that has expanded a single data center into multiple cloud deployments, has experienced how VPN management balloons in complexity, with IT administrators required to configure and synchronize VPN and firewall policies across multiple locations.

SDPs, on the other hand, offer much simpler management and administration than any number of data centers and cloud deployments. Administrators can onboard each network resource to an SDP platform once and manage all policies centrally in the cloud, avoiding the need to configure and sync across different locations. There is little to set up or maintain and upgrade in the data center or VPC since all logic and security definitions are done in the SDP cloud platform.

4 – Better Scalability

VPN infrastructure is installed to support tens of thousands of user sessions. However, this equipment is primarily in place at very large organizations and is costly to purchase and manage at scale. For many companies, VPNs are installed and expanded as demand requires. As the business grows and adds additional VPN connectivity to provide support for business partners and customers, both the management complexity and costs rise significantly.

With a fixed price per user regardless of how many network resources the user needs to access, an SDP solution with a cloud-native infrastructure can quickly, easily, and affordably scale up to millions of concurrent users leveraging a backbone of global PoPs. There’s no need to sink additional funds into larger appliances each time new connections are added.

5 – Greater Flexibility at a Lower Cost

While VPNs do offer the flexibility to connect multiple sites, data centers, and virtual private clouds (VPCs), adding entities drives up costs due to the need for more powerful appliances and additional licenses. Additionally, the expense and management complexity that increases along with each additional piece of infrastructure rapidly pushes the VPN outside of budgetary limits. Unless your enterprise is a large one with deep pockets and a sizable IT department and budget to match, users are likely to find these connection options more time and financial resource intensive.

An SDP cloud platform will typically not charge by the number of data centers or sites added, but rather by a number of users connected, which results in lower total costs.

Taking the Next Step

Transitioning from VPNs to a software-defined perimeter solution does not require a complete overhaul of your IT infrastructure. In fact, it does not require any overhaul at all.

Next-generation SDPs let you adopt Google’s BeyondCorp approach of a software-defined perimeter without changing any of your network infrastructure or applications. You can provide remote/mobile employees, partners, contractors and customers with convenient, granular access to specific web or legacy applications – with tighter security, and without the need for a conventional VPN.

About the Author

Five Ways a Software Defined Perimeter Is Better Than VPNEtay Bogner is the CEO and co-founder of Meta Networks, a technology leader focused on helping organizations rapidly provide secure remote access for employees, contractors, and partners to corporate applications and the internet.

Global InfoSec Awards 2022

cyber defense awardsWe are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.


10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase