Let’s start our conversation by remembering the truth that the development of new and innovative ways of protection and the search for ways to overcome this protection always go hand in hand. In other words, the competition between armor and projectile arose long before both armor and projectiles appeared, and will continue for many centuries after no one remembers what these words mean.
Concerning the topic of the article, this means that VPN (virtual private network) technology today is still, if not the most reliable way to secure and anonymize your Internet traffic, then certainly one of the most reliable solutions.
But the more insurmountable the defense seems, the more sophisticated the attempts (sometimes very successful) to overcome it turn out to be. Genghis Khan, who lived in the XIII century, said not in vain: “Any fortress cannot be considered impregnable if there is a hole in it, into which a donkey laden with gold will pass”. He knew what he was talking about. When in 1213 he approached the Chinese wall, then he did not assault the mighty fortifications about ten meters high and nearly seven meters thick. No, he just bribed the guards and comfortably walked through the gate along with his huge army.
These evergreen principles and practices are still more than relevant today. One of the most famous hackers of our time, Kevin Mitnick, wrote a whole book about this – “The Art of Deception”, where he claims that he carried out most of his hacks not with the help of complex techniques, but thanks to the so-called “social engineering”: people simply were falling for his psychological tricks and opened the gates of their digital fortresses for him themselves.
Continuing the fortification analogies, let’s answer to ourselves, which fortress is easier to capture: the one in which it is enough to break through (or even calmly go through) the gate, or the one where at every step you have to overcome more and more dangerous and ingenious traps and barricades? And maybe the most impregnable will be the one under whose walls an invincible army, hardened in numerous victorious battles comes… but does not find any fortress at all?
This “ghost fortress” is what we are talking about when we pronounce the abbreviation SDP or the phrase “software-defined perimeter”.
The Two Towers
No, no, J.R.R. Tolkien has nothing to do with it. And we do not mean the International Trade Center, despite the total damage to the world economy from hacks of supposedly insurmountable data protection due to experts from the Center for Strategic and International Studies in 2020 amounted to more than a trillion dollars, which equals 1% of the whole-world GDP.
Our Two Towers are two strongholds of digital security: the VPN system, which for a quarter of a century has been holding back hordes of hackers scouring around in search of our data, and the very young SDP, whose first bastions grew on the field of an endless computer battle, only in 2013.
I want to articulate loudly and clearly: VPN is still a reliable up-to-date system for protecting Internet traffic from any external encroachments. Of course, we are talking about the best programs on the market.
Let’s just recall – very schematically – on what principle the work of any application that creates a virtual private network for you is organized. Once connected to a VPN, you are entering a digital tunnel that leads you through the chain of servers right from your device to your exact destination.
On the way, for greater security, your data is crushed into small fragments, each of them is encrypted separately, so that even if some intruder manages to punch a hole in this tunnel (which is quite unlikely), and violate your privacy there, he, all the same, will not be able to get from this heap of unreadable scraps not a byte of meaningful information.
At the endpoint, all this scattered mess gathers together, checking your digital prints against the key you entered at the start.
Nice, high-tech, and absolutely invulnerable system, right?
The matter of trust
Yes, of course, but on one condition. By entrusting your identity and your valuable data to a secure VPN tunnel, you trust its reliability by default, assuming that only the one who has the password – the key from the only gates – can get into this secure hideout.
In other words, you can trust (pay attention to the word “trust”, it is very important in this context) the provider of your anonymity and security of your data as long as the key from the single entrance to this secure tunnel, built especially for you, stays only in your hands.
Now imagine that your digital key somehow (no matter how exactly: stolen, spied on, intercepted through a keylogger, bought, obtained under torture) got to the attacker. Yes, in fact, there is no need to fantasize about anything else. Getting inside your “underground railroad”, the spy turns into you. That is, he gets unlimited access to all of your data. By the way, similar stories are documented in the shameful history of some VPN services, which opened access to the data of their users for government forces.
At the same time, while continuing to trust the security of your VPN service, you can continue to transfer data that is highly sensitive for your freedom and security for a long time, and they will stream straight to those interested “men in black” from whom you are trying to hide it.
If you remember the story of the hacking of the Nazi encryption machine “Enigma”, you will understand that my extrapolation of the possible destructive consequences is by no means an idle fruit of my momentary imagination.
In GOD we trust. Others pay cash
Surely you have seen this ironic inscription more than once in bars and small private shops. It’s such a polite way of saying, “Let’s get it right off the bat: you are good guys, but – just in case – we don’t trust you very much. Now we all know about this, and it will be easier for all of us to do business”.
There is a special, short, and succinct name for this approach: “Zero Trust”. This is the foundation of our second tower – SDP.
Do you remember that we talked about the “ghost fortress” and the importance of the word “Trust” in talking about SDP’s approach to security?
So, it is the Zero Trust principle that allows a system protected by software-defined perimeter algorithms to literally disappear from the screens of any radar.
Have you heard this saying: “If you are not paranoid, it does not mean that you are not being followed”? This is just about SDP. Here, it is initially believed that at the time of the first power-up, no one believes anyone – neither a single piece of hardware in your system nor a single application or process.
Your main device and all the peripherals connected to it are, as it were, packed in an impenetrable container and, although all systems and mechanisms, just like on a spacecraft (no, no, not Apollo 13!) Are operating normally, but for the outside world you simply do not exist, you can neither be identified in any way and moreover, your presence cannot be detected at all.
For any connection, for any access to the Internet of a local network, your separate permission is required.
Initial login can be done in several ways. Of course, the easiest way, as in the case of a VPN, is to get by with a login-password pair, but we have already discussed the bottlenecks of this exact method of ensuring that you, and only you control all levels of your privacy.
In order not to leave a spot for doubt your complete control over the security system, the software-defined perimeter provides two-factor (or, if this is not enough for you, multi-factor) authentication, including verifying your identity using an external token. Moreover, you are free to apply the Single Sign-On (SSO) approach, which allows you to log into the whole system with one set of identifiers, and no longer enter your credentials when switching to other connected devices. Or, if you think that security measures are never excessive, no one prevents you from identifying yourself in each case when you run an application or peripheral device.
What is especially important – for SDP it makes no difference whether you work with a real, hardware, system, or it is located on your cloud. As the realities of today dictate new solutions: most of the offices, for which entire skyscrapers were previously built and rented, are now moving into the virtual space. This way, the new ways to ensure the security of communications are becoming more and more in demand. Therefore, the SDP concept was developed precisely by the Cloud Security Alliance, that is, an organization that sets as its main task the provision of absolute protection when using (as much corporate as personal) cloud technologies.
The uniqueness of SDP lies in the fact that, on the one hand, a system protected by software-defined perimeter algorithms is completely invisible to outsiders, so even if someone wanted to hack it, it would turn out that he had nothing to apply his hacking skills to. On the other hand, the system is fully functional both for its owner and for any user who has been granted access to it and who is appropriately authorized.
Moreover, an additional level of security is provided by the fact that everyone who gains access to your system from the outside does not become a full-fledged owner in it, as happens in the case of entering a login and password when using a VPN, but has only those rights that you, the owner, give him at this particular moment. Haven’t you forgotten about the “Zero trust” principle yet? This is how it works.
Equally important that SDP allows any connection to the Internet or a local network (which, by the way, can also be organized via the Internet) only after a two-step verification, which includes, firstly, user authentication, and secondly, automatic audit of a connected device. A device scan, which is a prerequisite for gaining access, is a comprehensive analysis: what software is installed there, how new it is, whether it meets security requirements, whether there are malware or other potential threats among these applications. SDP can also automatically create blacklists, automatically blocking access to certain devices according to previous data collection.
Another security frontier (yes, yes, we were talking about traps and barricades!) is the so-called mutual Transport Layer Security (TLS). This is a specially developed protocol that, each time when the connection to a particular server is going on, checks whether the server is what it claims to be, checking its database, whether any unauthorized changes have been made there. The client is checked at the same time. And only in the case of two-way “recognition” does the connection takes place.
Connecting in this way, any user does not enter the entire network, but rather receives a pass that allows him to follow a strictly defined route, which is limited by the framework of the access granted to him.
Let’s go back to the fortress analogy from the very beginning of this article. Imagine that someone drives up under its walls, wanting to be inside. The owner examines him through the embrasure and, if he considers this visit acceptable, lowers the bridge in front of him only to let this (and only this!) guest pass, immediately closing the entrance to everyone else. And then, already inside the locked gates, the guest is escorted only by those corridors, only to those rooms that the owner decides to show him. If under the fortress walls, a new visitor blows the horn, and he is also allowed to enter, then it is quite possible that he will be led inside in a completely different route, and he also will not see the whole castle. And even more, he won’t even meet a previous visitor. Why “will not meet” there, he will not even know that there is someone else here, right behind the wall.
The article is called “SDP vs VPN”. So who won?
In this case, the question has no clear answer. It is unlikely that any of the serious experts’ mouths would like to call a VPN an unreliable or outdated solution for ensuring security and anonymity on the Internet.
Numerous tests of the best VPN applications, including regular independent audits that check them for backdoors, leaks, and other vulnerabilities, provide more than convincing evidence of the viability of such protection.
Another thing is that technologies are in constant rapid development and hacking methods, as well as methods of protection against it, are endlessly improved.
Therefore, the answer to the question “What to choose in 2021 to protect your online presence” should be preceded by another question and another answer. Namely: “Why do I need such protection?” If the main purpose of directing your traffic through special servers in other countries is access to Netflix, which is inaccessible in your country, then right, a budget VPN will be enough for you about right.
If you are seriously thinking about deploying a large corporate network, the members of which are scattered across different cities, countries, and even, perhaps, continents, then it is likely that you should at least take a closer look at the capabilities of SDP. In any case, the software-defined perimeter is by far the most advanced end-to-end solution for providing multi-layered security for serious users.