Terminology can often be confusing, particularly in the cyber security landscape. Here’s a quick overview of SDP and ZTNA to give you the basics.
The world doesn’t need another acronym, yet we’ve been blessed with several in the remote access space. As well as the widely known VPN term, there are also CASBs, SDPs and ZTNAs. It’s not always clear what these terms mean, let alone how they relate to concepts like CARTA and SASE. Let’s try and unpick a few of them at least.
SDP or ZTNA?
In short, a software defined perimeter (SDP) is a more intelligent way of managing secure remote access than more traditional approaches like VPN. Gartner have published several research documents on the subject, including Fact or Fiction: Are Software-Defined Perimeters Really the Next-Generation VPNs? by Joerg Fritsch and Mark Judd, and Emerging Technologies: Adoption Growth Insights for Software-Defined Perimeter by Nat Smith. Its Market Guide for the category, however, instead opts for another term. First published in 2019, and refreshed in 2020, the Market Guide for Zero Trust Network Access covers the same marketplace, opting for ZTNA as what it sees as a more relevant term for SDP. So, in effect, they are largely two terms for the same thing.
What is an SDP?
A software-defined perimeter is a technology designed to create one-to-one connections between users and the resources they need. It applies the principles of zero trust at its core: by default, users are denied access until they can prove they are a legitimate user of that resource. It also embraces the concept of ‘least privilege’, meaning users only get access to the application they requested and nothing more – preventing any kind of lateral movement, because connections are made to the resource and not to the whole network.

SDP solutions also go far beyond checking credentials. SDP products vary in their architecture, but they all make use of some kind of controller. This controller acts a bit like a context-aware decision maker. It gathers a variety of data, such as the application being used, the location of the device, the network it is connected to and much more. It then uses this real-time data to build a risk profile of each request, determining whether the user can access the resource based on the context of the moment. If that context changes, access can be revoked.
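A toy controller, added here as an illustration rather than code from any SDP product, that makes the context-based, default-deny decision just described and revokes a brokered session when the context changes; the entitlements, risk weights and session logic are constructed for the example:

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Context:
    user: str
    resource: str
    device_managed: bool
    network: str      # "corp", "home", "public-wifi", ...
    country: str

# Constructed sample entitlements: (user, resource) -> highest risk score the
# controller will tolerate for that pair. Any pair not listed is denied.
ENTITLEMENTS = {
    ("alice", "hr-app"): 40,
    ("alice", "wiki"): 70,
    ("bob", "wiki"): 70,
}
NETWORK_RISK = {"corp": 0, "home": 20, "public-wifi": 50}
ALLOWED_COUNTRIES = {"US", "GB"}

def risk_score(ctx: Context) -> int:
    """Combine the context signals into a single risk number for this request."""
    score = NETWORK_RISK.get(ctx.network, 60)   # unknown network: treat as risky
    if not ctx.device_managed:
        score += 30
    if ctx.country not in ALLOWED_COUNTRIES:
        score += 100                            # out-of-policy location: effectively blocks
    return score

def evaluate(ctx: Context) -> bool:
    """Default deny: allow only a listed (user, resource) pair whose current risk is low enough."""
    limit = ENTITLEMENTS.get((ctx.user, ctx.resource))
    if limit is None:
        return False
    return risk_score(ctx) <= limit

class Session:
    """A brokered connection to one resource only (least privilege). The controller
    re-evaluates it whenever a context signal changes and revokes it on a deny."""
    def __init__(self, ctx: Context):
        self.ctx = ctx
        self.active = evaluate(ctx)

    def update(self, **changes) -> bool:
        self.ctx = replace(self.ctx, **changes)
        # Once revoked, a session stays revoked; the user must request access again.
        self.active = self.active and evaluate(self.ctx)
        return self.active
```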
It’s an elegant, conditional way of ensuring users get what they need while reducing the attack surface of an organization. The compelling driver for adoption is that it allows organizations to treat all of their resources equally, even for those resources hosted in the public cloud. With 84% of organizations migrating to the cloud according to the Verizon Mobile Security Index, SDP offers an innovative way of providing secure remote access in an increasingly cloud – and remote – workspace.
What about other acronyms like CASB, CARTA and SASE?
CASB stands for Cloud Access Security Broker. They are designed to help IT administrators manage applications and data in the cloud. They monitor cloud service usage within an enterprise. As an extension of that monitoring capability, CASBs can be used to implement policy controls that ensure those cloud services are being used securely. These tools are basically a hub for the authentication and encryption of data that goes to the enterprise’s endpoint devices (typically laptops, tablets and smartphones). This article goes into much more detail about CASBs.
A simple decision tree based on the guidance published in the Gartner document Solving the Challenges of Modern Remote Access by Rob Smith, Steve Riley, Nathan Hill and Jeremy D’Hoinne can help you work out which solution you might need.

CARTA and SASE are frameworks created by Gartner, rather than product categories. CARTA stands for Continuous Adaptive Risk and Trust Assessment. Just like zero trust, it aims to move beyond simple allow/deny gating to more agile, context-aware and adaptive methods. Gartner outlines that it must include continuous discovery, monitoring, assessment and risk prioritization, covering both adaptive attack protection and adaptive access protection. It’s a more complex model than zero trust but is concerned with similar concepts.
SASE is another Gartner term, referring to Secure Access Service Edge. SASE brings together WAN functions with those of network security, including SDP/ZTNA and CASBs, as well as secure web gateways and other technologies. In general, these solutions aim to address the challenges of managing the edge better – far less activity than ever before is taking place inside the perimeter.