Software-defined perimeter (SDP) is a security framework developed by the Cloud Security Alliance.
The framework is based on the Department of Defense's "need-to-know" model; all endpoints attempting to access a given infrastructure must be authenticated and authorized prior to entrance. Once authorization -- which takes place in the cloud -- is complete, trusted devices are given a unique, temporary cryptographic connection to the target infrastructure. Until then, the infrastructure being protected by an SDP is "black." This means that IP addresses for the target infrastructure are only revealed to authorized devices.
The five layers of the SDP framework's security controls are:
- Device validation
- Single packet authorization
- Mutual transport layer security
- Dynamic firewalls
- Application binding
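The single packet authorization layer is the one that keeps the infrastructure "black": a gateway stays default-deny and only opens a short-lived, per-source allow rule once a device proves itself in one authenticated datagram. The following Python is an added illustration of that check on the gateway side; it is not the Cloud Security Alliance's reference code. The packet layout (16-byte device id, 8-byte timestamp, 16-byte nonce, HMAC-SHA256 tag), the per-device shared key, the freshness window and the rule lifetime are all assumptions made for the example, and the firewall is simulated as a dictionary of rules with expiry times.

```python
"""Single packet authorization (SPA) at an SDP gateway (added example, not CSA code).

Assumed packet layout (72 bytes): device_id[16] | unix_time[8, big-endian] |
nonce[16] | HMAC-SHA256(key, first 40 bytes)[32]. The key is a per-device secret
assumed to be provisioned out of band. The gateway is default-deny; a source
address only gets a temporary allow rule after a valid, fresh, unseen packet.
"""
import hashlib
import hmac
import struct

WINDOW_SECONDS = 30    # assumed freshness window for the packet timestamp
RULE_TTL_SECONDS = 60  # assumed lifetime of the dynamic allow rule
PACKET_LEN = 16 + 8 + 16 + 32


def build_spa_packet(device_id: bytes, key: bytes, now: int, nonce: bytes) -> bytes:
    """Client side: one datagram that authenticates the device without a handshake."""
    if len(device_id) > 16 or len(nonce) != 16:
        raise ValueError("device_id must be <= 16 bytes and nonce exactly 16 bytes")
    body = device_id.ljust(16, b"\0") + struct.pack(">Q", now) + nonce
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class SpaGateway:
    """Gateway side: verify SPA packets and manage short-lived allow rules."""

    def __init__(self, device_keys, window=WINDOW_SECONDS, rule_ttl=RULE_TTL_SECONDS):
        self.device_keys = device_keys   # device_id -> shared secret
        self.window = window
        self.rule_ttl = rule_ttl
        self.seen_nonces = {}            # nonce -> expiry, for replay detection
        self.allow_rules = {}            # src_ip -> expiry, the "dynamic firewall"

    def _expire(self, now: int) -> None:
        # Drop nonces and rules whose lifetime has passed.
        self.seen_nonces = {n: e for n, e in self.seen_nonces.items() if e >= now}
        self.allow_rules = {ip: e for ip, e in self.allow_rules.items() if e > now}

    def verify(self, packet: bytes, src_ip: str, now: int):
        """Return (accepted, reason). Default-deny: every check must pass."""
        if len(packet) != PACKET_LEN:
            return False, "bad length"
        body, tag = packet[:40], packet[40:]
        device_id = body[:16].rstrip(b"\0")
        timestamp = struct.unpack(">Q", body[16:24])[0]
        nonce = body[24:40]
        key = self.device_keys.get(device_id)
        if key is None:
            return False, "unknown device"
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return False, "bad tag"
        if abs(now - timestamp) > self.window:
            return False, "stale"
        self._expire(now)
        if nonce in self.seen_nonces:
            return False, "replay"
        self.seen_nonces[nonce] = timestamp + self.window
        self.allow_rules[src_ip] = now + self.rule_ttl   # open the pinhole
        return True, "allowed"

    def is_allowed(self, src_ip: str, now: int) -> bool:
        """Would a connection from src_ip be admitted at time `now`?"""
        self._expire(now)
        return src_ip in self.allow_rules


if __name__ == "__main__":
    # Constructed demo values: a fixed key and a fixed nonce for reproducibility.
    key = b"k" * 32
    gw = SpaGateway({b"laptop-01": key})
    t0 = 1_700_000_000
    pkt = build_spa_packet(b"laptop-01", key, t0, b"\x01" * 16)
    print("before SPA:", gw.is_allowed("198.51.100.7", t0))
    print("SPA result:", gw.verify(pkt, "198.51.100.7", t0))
    print("replayed:  ", gw.verify(pkt, "198.51.100.7", t0 + 5))
    print("after TTL: ", gw.is_allowed("198.51.100.7", t0 + 61))
```

The order of checks matters: the HMAC is verified before the timestamp or nonce is trusted, so an unauthenticated sender learns nothing beyond "dropped", and the nonce cache is bounded by the freshness window, so replay protection does not grow without limit.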
SDPs lower the chances of successful network-based attacks such as denial-of-service attacks, man-in-the-middle attacks, server vulnerabilities and lateral movement attacks such as SQL injection or cross-site scripting. SDP does not introduce any new protocols; rather, it incorporates standards from NIST and OASIS (including PKI, TLS, IPsec and SAML).