SDP Is The New NAC
Network World recently published an article on why Software Defined Perimeter (SDP) will replace network access control (NAC) products. To understand why this makes sense it’s useful to look at the changes happening in the enterprise today.
NAC adoption was driven by the emergence of enterprise WiFi a decade ago. NAC products combined Active Directory authentication with posture checking to determine if employees should get to access to the data center. However, enterprises have changed considerably since NAC products first came out.
When NAC first emerged application servers sat in data centers while today we see the growth of private and public clouds. Another important change is that enterprises now have mix of employees and contractors working at multiple locations thus simple “yes/no access control” that NAC offers isn’t granular enough. And finally, malware has become very sophisticated in the last few years thus remote posture checking that NAC offers isn’t thorough enough.
SDP supports all the capabilities of NAC yet brings a host of new features that are aligned with today’s enterprise reality.
Similar to NAC, SDP functions as a gateway between the user and application resources. However the distributed design of SDP allows it to be deployed inside the enterprise and in public clouds. SDP provisions connectivity is real time thus ensuring access matches policy. And most important, the SDP control channel can be combined with advanced malware detection software, tamper-proof RAM and micro-virtualization technologies to ensure the endpoint is truly trusted.
The use of SDP to replace NAC is not as futuristic as it sounds. At Vidder we use SDP as our NAC solution today.
Inside Indecium’s office SDP ensures only employees get access to the enterprise LAN/WiFi. We’re able to achieve this by deploying a SDP gateway behind the Ethernet switch and disabling port-to-port routing (this makes sure rogue devices don’t get any lateral access). The same SDP client that identifies users inside the office functions as a VPN client when outside the office. More important, policy based access is enforced to internal servers and cloud instances irrespective of the users location. And finally to support our security teams endless experimentation of new endpoint malware and encryption solutions, we have a separate SDP connection to support the management channel to third party products.