What Is a Software Defined Perimeter (SDP)?

Here at Zentry, we often get asked “What is a Software Defined Perimeter?”  And that’s usually followed by “What’s the difference between SDP and Zero Trust Network Access (ZTNA)?”  The answer is somewhat subtle, but both are primarily concerned with protecting users and resources from an increasingly sophisticated threat landscape.

SDP is an architecture that separates the control plane (authentication and policy decisions) from the data plane (the connections that actually carry application traffic).  In doing so, it offers a significantly enhanced level of security over traditional networks.  Resources and applications are hidden from anyone who has not been authorized, which makes it possible to deploy services on traditional networks that are assumed to be compromised.

How Does An SDP Work?

SDP’s central tenet is “trust no one”.  Traditional, legacy networks assume a certain level of trust between users and the resources they access.  In effect, they are based on a “connect first, authenticate second” model.  

On the other hand, SDP establishes trust before a connection is made.  Once trust is established, connections are made to individual applications, not entire networks (unlike VPNs).  The result is “least privileged” access, where the user is only granted sufficient access to resources they need and nothing more.

SDP vs. ZTNA: What Are The Differences?

The Cloud Security Alliance first published the SDP architecture in 2013; version 2.0 of the specification came out in March 2022.  Zero Trust Network Access (ZTNA) is a similar framework developed by Gartner, drawing on SDP, Google’s BeyondCorp, and other sources.  It approaches security from a broader “zero trust” perspective, but its central tenet is the same: “trust no one.”

Both frameworks are concerned with securing an increasingly porous and amorphous perimeter.  Both draw logical boundaries around applications and require prior authorization before enabling a connection.  But, while SDP is more concerned about establishing a secure connection between clients and applications, ZTNA is more concerned with establishing trusted identities and ensuring least privileged access to applications.

To learn more about Zero Trust, please see our other blog post on how to implement zero trust.

SDPs vs. VPNs: What Are The Differences?

In the “SDP vs VPN” debate, the difference is one of flexibility and modernity.  VPNs were designed many years ago to let a few trusted remote or traveling employees reach applications and resources in a corporate-owned data center.  They require thick clients installed on endpoints, physical or virtual appliances deployed throughout the network, and often complex policies to enable access.  When VPN termination is bundled into a firewall appliance, performance can suffer, since the same device has to apply its firewall processing to the traffic before the VPN function gets to it.

VPNs suffer other problems, too.  VPNs establish connections at the network or transport layer (OSI layers 3-4) rather than at the application layer (OSI layer 7), so once authenticated, a VPN user is “on the network.”  That user can traverse the network freely, probing and potentially gaining access to systems and resources they were never authorized for.

SDP and ZTNA frameworks are software-based and focus on enabling trusted access to individual applications, not entire networks.  This makes them much more granular than VPNs.  And because they’re software-based, SDP and ZTNA architectures can enable secure connectivity to applications in the cloud and data center.  This makes them perfect for managing remote teams or modern workforces consisting of employees, contractors, and third parties.

How Do SDPs Relate To Zero Trust security?

Zero Trust security is a methodology of ensuring that trust is granted only to authorized users and devices.  In other words, trust is not implied but explicit.  It requires identity verification through multi-factor authentication (MFA) and often device validation.

An SDP or ZTNA deployment enables an organization to realize Zero Trust security.  By restricting access to individual applications, every user is limited only to the applications they need to do their work.  Unauthorized users are prevented from obtaining access, significantly enhancing an organization’s security profile.

How Does A User Gain Access Over An SDP?

SDP starts with an organization either subscribing to an SDP or ZTNA service, like Zentry Trusted Access, that provides a cloud-based Controller, or deploying a Controller of its own.

The Controller authenticates users before granting access to one or more applications.  It then governs, or brokers, access to those resources and manages the resulting traffic flows.  It acts as a “policy decision point”: connections are set up from the application side out to authorized users and devices, and unsolicited “inbound” connections from devices directly to applications are never accepted.  A simplified workflow is this:

  1. Access request: a user, via a device, requests access to an application from the Controller.

  2. Authorization: the Controller decides whether that user is authorized for that application.

  3. Initial connection: if the user is authorized, the Controller initiates a connection from itself to the application.  If not, the request is simply ignored and the device receives no response.

  4. Session established: the application and the device establish a mutually authenticated, encrypted session.
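
To make the four steps concrete, here is an added, in-process simulation of the workflow (example code written for this post, not Zentry’s or the Cloud Security Alliance’s implementation).  A Controller acts as the policy decision point; a Gateway sits in front of each application as the enforcement point and drops every connection the Controller has not pre-authorized.  The same example also exercises the device verification and per-application (not per-network) access described under “What Are The Uses Of SDP?” below.  The user directory, passwords, posture baseline, ticket format and timeouts are all constructed for the example; a real deployment would carry the grant over a separate control channel and finish step 4 with mutual TLS.

```python
# Added example (not Zentry's or the CSA's code): a toy, in-process simulation of the
# "authenticate first, connect second" workflow above. The Controller is the policy
# decision point; a Gateway sits in front of each application as the enforcement point
# and drops anything the Controller has not pre-authorized. All names, users,
# passwords, posture values and the ticket format are constructed for this example.
import hashlib
import hmac
import secrets
import time

GRANT_TTL = 60  # seconds a brokered grant stays valid before the device must re-request


def _pw_hash(password):
    # Constructed, unsalted hash: enough for the demo, not a recommendation.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed identity store: user -> password hash and the applications they may reach.
USERS = {
    "alice": {"pw": _pw_hash("correct horse"), "apps": {"crm", "wiki"}},
    "bob":   {"pw": _pw_hash("hunter2"),       "apps": {"wiki"}},
}

# Constructed device-posture baseline (the "Device verification" check further down).
POSTURE_POLICY = {"min_patch_level": 202403, "firewall_required": True}


def posture_ok(posture):
    """True only if the device meets the baseline; anything missing counts as failing."""
    if posture.get("patch_level", 0) < POSTURE_POLICY["min_patch_level"]:
        return False
    if POSTURE_POLICY["firewall_required"] and posture.get("firewall") is not True:
        return False
    return True


class Gateway:
    """Enforcement point in front of one application. Default-deny: a connection is
    accepted only if the Controller pushed a matching, unexpired, unused grant first."""

    def __init__(self, app):
        self.app = app
        self._pending = {}  # ticket -> grant pushed by the Controller (step 3)

    def authorize(self, grant):
        self._pending[grant["ticket"]] = grant

    def connect(self, device_id, ticket=None):
        """Step 4 from the device side. Returns a session handle or "dropped"."""
        if ticket is None:
            return "dropped"  # unsolicited inbound connection: no grant, no answer
        grant = self._pending.pop(ticket, None)  # single use, so a replayed ticket fails
        if grant is None or grant["device"] != device_id or grant["exp"] < time.time():
            return "dropped"
        # A real deployment would now complete mutual TLS; here we just return a handle.
        return "session:%s@%s" % (grant["user"], self.app)


class Controller:
    """Policy decision point. Only the Controller can open a path through a Gateway."""

    def __init__(self):
        self._gateways = {}  # app name -> Gateway

    def register(self, gateway):
        self._gateways[gateway.app] = gateway

    def request_access(self, user, password, mfa_passed, device, app):
        """Steps 1-3: authenticate user and device, authorize for ONE application,
        then push the grant to that application's Gateway. Returns a ticket the
        device presents to the Gateway, or None (the request is silently ignored)."""
        rec = USERS.get(user)
        if rec is None or not mfa_passed:
            return None
        if not hmac.compare_digest(rec["pw"], _pw_hash(password)):
            return None
        if not posture_ok(device["posture"]):
            return None  # device verification failed: nothing is brokered
        gateway = self._gateways.get(app)
        if gateway is None or app not in rec["apps"]:
            return None  # least privilege: no grant outside the user's entitlements
        ticket = secrets.token_hex(16)
        gateway.authorize({"ticket": ticket, "user": user, "device": device["id"],
                           "exp": time.time() + GRANT_TTL})
        return ticket


if __name__ == "__main__":
    ctrl = Controller()
    crm, wiki = Gateway("crm"), Gateway("wiki")
    ctrl.register(crm)
    ctrl.register(wiki)
    laptop = {"id": "laptop-1", "posture": {"patch_level": 202405, "firewall": True}}
    print(crm.connect("laptop-1"))                                     # dropped (no grant)
    t = ctrl.request_access("alice", "correct horse", True, laptop, "crm")
    print(crm.connect("laptop-1", t))                                  # session:alice@crm
    print(crm.connect("laptop-1", t))                                  # dropped (ticket used)
    print(ctrl.request_access("bob", "hunter2", True, laptop, "crm"))  # None (not entitled)
```

Two details are worth noticing.  An unauthorized request returns `None` and the Gateway returns `"dropped"` rather than an error message, mirroring the “request is ignored” behaviour that keeps applications undiscoverable.  And a ticket is bound to one application and one device and consumed on first use, so a ticket for `wiki` cannot be replayed or carried over to `crm`, which is the per-application access that distinguishes SDP from a VPN.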

Diagram – SDP Architecture

The result is that SDP constructs a logical boundary around applications, preventing unauthorized users from accessing them.  This is how SDP architectures offer several advantages over traditional networks.

  • Applications can’t be discovered by unauthorized users.

  • Authorized users can securely access applications regardless of the user’s – or the application’s – location.

  • All connections are encrypted end-to-end increasing security of data-in-motion.

  • Lateral movement is restricted in the unlikely event a threat actor penetrates the network.

  • Whole classes of attack from unauthenticated sources are mitigated, including denial of service, exploitation of application flaws such as SQL injection, and man-in-the-middle, because an attacker the Controller has not authorized cannot reach the application at all.  Note that a compromised authorized user can still attack the applications they are entitled to, so SDP reduces exposure to such flaws rather than fixing them.

What Are The Uses Of SDP?

SDP and ZTNA architectures are far more secure than traditional networks.  Organizations reduce risk, streamline productivity and collaboration, and reduce the complexity of the heterogeneous networks they have already deployed.  Benefits of using SDP include:

User identity verification

  • All users are vetted before any connection is established.  This prevents unauthorized users from accessing sensitive resources in the cloud and data center.

Device verification

  • If a client is required, devices are queried for OS and browser version, patch levels, firewall status, and other parameters to ensure the device is at an appropriate security level prior to establishing a connection.

Establishing secure network connection

  • All connections established by an SDP or ZTNA architecture are encrypted end-to-end, by default.  This ensures that sensitive data-in-motion is kept secure.

SDP controller approval

  • The SDP controller governs all sessions between devices and applications.  Extensive logs are kept of all activity that offer insights into user and applications behavior and usage.

User access

  • All user access is limited to individual applications.  Unlike VPNs, SDP and ZTNA architectures ensure that only authorized users obtain access to applications, not entire networks.  This reduces an organization’s attack surface and prevents lateral movement within a network.

Need More Information On SDP For Businesses? 

To learn more about SDP, ZTNA, and zero trust, please check out our Resources page.  While there, you’ll discover why Zentry Trusted Access is the best SDP- or ZTNA-based solution for small and medium businesses.  It’s safer, more secure, and faster than a VPN.
