Enabling the Software Defined Perimeter - Pulse Secure

Few concepts in cyber security are as uniformly accepted as the on-going dissolution of the traditional perimeter. A myriad of justifications and arguments support this architectural shift, including the problem of compromised insiders operating inside a perimeter, the expansion of work done by third-party organizations located outside a perimeter, and the increasingly complex service protocols that must operate across a perimeter.

An issue that arises with this change in perimeters involves secure access. Where enterprise teams previously relied on LAN-based controls to protect access from corporate-owned endpoints to organizational assets, modern workers demand more flexibility, mobility, and freedom. To that end, new means for extending secure access, such as from Pulse Secure, have emerged, resulting in the modern notion of a software defined perimeter (SDP).

This note outlines the salient aspects of SDP in the context of Pulse Secure’s platform. Secure access, as implemented by Pulse Secure, is shown to provide an effective foundation for implementing an SDP in the modern enterprise, because enabling and automating access security decisions become, collectively, the new perimeter. Stated otherwise: Any place where an adaptive secure access control is applied becomes part of the new SDP edge.

Pulse SDP Overview

It is easier to describe an SDP than to properly deploy one. The transition required to an SDP begins with the traditional notion of secure access from an authorized entity either across a trusted LAN or via deployed virtual private network (VPN) capabilities that might traverse a perimeter. Even in organizations where such access methods work reasonably well, the dissolution of the perimeter forces a new SDP-based solution.

A key aspect of Pulse Secure Access is its dual-mode simultaneous VPN and SDP support for multi-cloud application and workload access. Enterprise teams activate an embedded SDP capability and then apply secure access to hybrid IT apps. The software authenticates user, device, and security posture against policy before granting requested access. This removes dependence on a perimeter gateway. The SDP architecture includes the following:

SDP Controller – Since the Pulse SDP architecture separates data and control planes, functional support for control plane activities is done by the SDP controller. It serves as a network traffic manager between the SDP client and any relevant identity brokers. It offers extensive device security posture assessment, along with centralized policy support for authorization and coordination between SDP Clients and SDP Gateways.

SDP Client – The Pulse SDP client is tasked with identity and device verification. User, role, and device are accessed to determine access for applications and workloads, which can be virtually anywhere, including both premise and cloud. Upon granting a Client request for access by the SDP Controller, a protected data plane is established directly between the SDP Client and Gateway. This is the essence of the enterprise SDP.

SDP Gateway – As the Controller orchestrates control plane and data plane activities, the Pulse SDP gateway operates the data plane. This provides transport layer security (TLS) protection between the endpoint and targeted applications. It receives access grants from the Controller for all entities in the secure access data path. These components form a coherent enterprise SDP arrangement that is easy to enable from existing conventional infrastructure (see diagram at top of this article).

The Pulse Secure platform also includes capabilities that fortify an enterprise SDP. The Pulse Profiler detects and profiles devices that connect within a network, including mobile and laptops used to access local applications and cloud services such as Office 365 and Salesforce. It enables dynamic device discovery, classification, and inventory, including IoT, for known and unmanaged devices.

Pulse Policy Secure also offers automated guest and BYOD management, behavioral tracking, and real time enforcement. The resulting secure access controls and threat response are integrated with the network, cloud, and security tools such as next-generation firewalls, security event and information management (SIEM), enterprise mobility management (EMM), multi-factor authentication (MFA) and endpoint security tools.

Analyst Guidance for Enterprise Teams

The first advantage of the Pulse SDP solution is that it directly supports the increasingly important concept of zero trust security. Zero trust network access requires verification and then access granting. The platform integrates user and device visibility, authentication, authorization, and other secure access parameters. Access is orchestrated for users with whatever devices they require, from any location.

A second advantage is VPN and SDP integration offered by the Secure Access Suite. Most organizations have data center and conventional applications that are migrating to the cloud. With Pulse, there is no need to operate separate VPN and SDP appliances, services, clients, policies, and integrations. One system handles a broad range of multi-cloud uses. This is an important factor in deciding to deploy an SDP while preserving an existing VPN.

A third advantage is the practicality of usage modes for employees, contractors, and other users desiring secure access. These modes include many permutations of thin and thick client, internal and external access, browser versus other type of access client, and so on. This is important because the modern enterprise is complex and desirous of support for known and unknown access use-cases to cloud and premise apps.

A fourth advantage is that the Pulse SDP solution supports segmentation, which is powerful because many enterprise teams desire the high assurance that comes with segmented workloads, but have no idea how to implement. The granularity of access policy and available controls inherent in the Pulse SDP, as well as the means for dynamic gateway provisioning makes workload protection and availability possible.

The bottom-line recommendation is that the Pulse SDP provides enterprise teams with an effective means to take advantage of software defined perimeter-based secure access for all types of business use cases in cloud and on premise. This is the essence of a Zero Trust model and will help to reduce risk of cyber threats and unauthorized access while also enabling many new forms of flexible, mobile computing in the enterprise.