Best Software Defined Perimeter Software

Software-Defined Perimeter (SDP) is a security architecture that aims to protect network resources by dynamically creating secure connections between users and resources, rather than relying on traditional perimeters such as network firewalls. It is also known as a Zero Trust Network Access (ZTNA) approach.

Here is our list of the best SDP solutions:

  1. NordLayer (GET DEMO) An internet security service that ties together sites, cloud platforms, and remote workers that can implement software-defined perimeter or a full SASE. This is a cloud-based system with device agents. Access the free demo.
  2. Twingate SDP (FREE TRIAL) Adds zero trust security to any business’s infrastructure without the need for onsite hardware changes or on-premises software. Start a 14-day free trial.
  3. Perimeter 81 SDP (FREE DEMO) Provides protection for all hardware elements on a company’s network from a cloud base.
  4. Absolute Secure Access A virtual network system that provides site-to-site VPNs and a ZTA solution.
  5. Appgate SDP Named a Forrester Zero Trust Wave 2020 leader, this service implements SDP onsite or in the cloud.
  6. Cisco Software Defined Access (SDA) Supplied by the world’s leading network device producer, this SDP is bundled together with other advanced network management facilities.
  7. Jamf Connect A secure access solution for a user community that uses macOS and iOS devices.

What is a Software Defined Perimeter?

In simple terms, a Software-Defined Perimeter (SDP) solution is a security system that creates secure connections between users and the resources they need to access. It does this by individually verifying each user’s identity and granting them access only to the specific resources they are authorized to use.

SDP is a way to conceal internet-connected infrastructure (servers, routers, etc.) so that external entities cannot see it, whether it is hosted on-premises or in the cloud. Rather than focusing on traditional, network-based security, SDP takes a different approach—securing the user, the application, and the connectivity in-between. The goal of the SDP approach is to base the network perimeter on software instead of hardware. An organization that uses SDP is essentially draping a robe of invisibility over its servers and internal resources so that no one can see them from the outside; however, authorized users can still see and access the resources. They must authenticate before visibility and access to authorized services is granted.

SDP is distinct from a VPN system. While VPN is designed to allow users broad access to connect to corporate networks using simple authentication to determine user access, SDP is designed to connect users discreetly to individual resources, using a real-time contextual risk assessment to determine user access. According to Gartner, 60% of enterprises will phase out VPNs in favor of SDP by 2021. An SDP comprises of the following components:

  • The SDP client—An application that runs on user devices
  • The SDP controller—The trust broker between the client and the backend resources
  • The SDP gateway—Grants users access to requested network resources

The Best Software Defined Perimeter Software

Our methodology for selecting software-defined perimeter systems

We reviewed the market for SDP software and analyzed the options based on the following criteria:

  • A cloud-hosted service with an overview of multiple sites
  • An easy-to-use console that can be accessed through a browser
  • An integrated access rights manager
  • Connection privacy between sites and cloud platforms
  • Options for Zero Trust Access (ZTA)
  • A free trial, a demo, or a money-back guarantee for a no-obligation assessment opportunity
  • Value for money from an SDP tool that offers a range of secure network virtualization options

1. NordLayer (GET DEMO)

NordLayer Jun 2024

Apps Available:

  • PC
  • Mac
  • IOS
  • Android
  • Linux

Website:  www.nordlayer.com

Money-back guarantee: 14 DAYS

NordLayer

NordLayer is a new service from Nord Security. This is the business behind NordVPN, which puts the provider in a great position to exploit the new market for hybrid security solutions. Although security concepts such as SDP and SASE and different from VPNs, the underlying connection security procedures are the same, so Nord Security was already halfway there and just needed to add in an identity and access management component to implement a software-defined perimeter service.

Key Features:

  • This is a toolkit that can implement a range of strategies
  • A cloud-based access broker that links to device-based agents
  • Application-level access controls
  • Single sign-no environment
  • Remote device secure connections to network or cloud
  • Site-level internet connection protection

Why do we recommend it?

NordLayer is similar to the Perimeter 81 service. This provider is the company behind NordVPN and the connection security that Nordlayer uses is based around the same VPN technology. The VPN server acts as a hub between users and applications and the addition of a dedicated IP address creates a SASE.

You get a package of systems that you can choose to thread together in different ways. The idea behind this service is that each user gets an app that forges a secure link through to the NordLayer server. Up to this point, the service is exactly like a VPN.

The difference between NordLayer and NordVPN is that the NordLayer management console provides an access rights manager. This is like a cloud-based Active Directory and it lets you define user groups. This is the game-changer and it turns a VPN service into an SDP.

A full implementation of all of the utilities in a NordLayer package will give you a Secure Access Service Edge (SASE) implementation. The basic package gives you a shared IP address VPN service. To get site-to-site connectivity you need to take out the dedicated IP address service.

The NordLayer server acts as a hub. The provider offers a number of servers around the world, to which all users get access. This speeds up internet performance for international remote workers and branch offices. The VPN-style service means that your network access has a shifting IP address. This isn’t a problem for internal business traffic, in fact, it’s an advantage because it creates a moving target that complicates hacker attack strategies.

The service wouldn’t be suitable for Web service hosting. However, separating internal network access from public services is a really good idea, so this restriction shouldn’t put you off.

The management console for the service is cloud-based and users need an app to access the system – this is available for Windows, macOS, Linux, iOS, and Android. You can assess the NordLayer system by accessing a demo.

Who is it recommended for?

The NordLayer system is very easy to set up and run, so it is suitable for use by small businesses. The minimum number of users for an account with this service is five. So, if your business is too small for Perimeter 81, you should consider this package.

Pros:

  • Flexible infrastructure planning
  • Virtualizes business networks across sites and platforms
  • Per-user pricing
  • Global coverage

Cons:

  • The advantage of a dedicated IP address takes time to assess

The plans are:

Price Plan

Cost (billed annually)

Features

Lite

$8 per user/month per gateway

  • All user access security and resource access controls

Core

$11 per user/month per gateway

  • Dedicated server option for site-to-site

Premium

$14 per user/month per gateway

  • Network Access control, network segmentation, interconnected sites and devices

Custom

As negotiated

  • A tailored service plan

EDITOR'S CHOICE

NordLayer is our top pick for a software-defined perimeter solution because it provides the tools to connect together users and applications no matter where those people of systems are located. The package operates a zero trust access system with access rights managed on the NordLayer server. This system allows companies to create a hybrid network, crossing sites and cloud platforms. The network connects users rather than endpoints Access is through an app and authorized users can get onto the corporate network from any device that has the app on it, no matter where they are. The service uses VPNs to connect devices together securely and integrates an access rights management service that controls connections to applications, whether they are hosted on premises or on the cloud.

Official Site: https://nordlayer.com/book-a-demo/

OS: Cloud-based

2. Twingate SDP (FREE TRIAL)

Twingate zero trust SDP architecture overview

Twingate SDP enables organizations to implement a more secure modern zero-trust network without changing existing infrastructure, and centrally manage user access to company digital assets, whether they are on-premises or in the cloud. Twingate is delivered as a cloud-based service, and delegates user authentication to a third-party Identity Provider (IdP).

Key Features:

  • No hardware and application changes are necessary to deploy nodes
  • Scalable controller with over 580 points of access worldwide
  • One-click user/third-party onboarding and offboarding
  • Support for role-based and attribute-based access control
  • Comprehensive audits of employee activities and actions
  • Client agents can be set up by users without IT support
  • Supports least-privilege access and split tunneling

Why do we recommend it?

Twingate SDP is a VPN-based service that creates a virtual network across the internet through VPN connections between users, sites, and SaaS platforms that run through the VPN server. Use this package to create a ZTA environment and add on a dedicated IP address to create a perimeter.

No special technical knowledge is required from end-users other than to download and install the client application and authenticate with an existing identity provider, and they’re good to go. The controller handles the rest, negotiating encrypted connections between clients and resources. Once everything is confirmed, users are routed to the appropriate resources.

A key feature of Twingate SDP is that authorization for user access is always confirmed with a second or third component depending on the sensitivity of the decision being authorized. No single component can independently make a decision to allow traffic to flow to another component or resource in your remote networks.

The Twingate SDP solution relies on four components: Controller, Clients, Connectors, and Relays. These components work in tandem to ensure that only authenticated users gain access to the resources that they have been authorized to access.

Twingate SDP is offered in four flexible price plans: Twingate Starter, Twingate Teams, Twingate Business, and Twingate Enterprise. The table below is a summary of the various plans and their features.

Price Plan

Cost (billed annually)

Target Market

Starter

Free

Individuals or very small teams

Teams

$5 / user / month

Smaller teams that need to replace a VPN for remote access

Business

$10 / user / month

Larger teams that need more advanced access controls

Enterprise

Custom

Companies that need comprehensive access controls, detailed auditing, and deployment automation

Who is it recommended for?

This is a rival system to NordLayer and Perimeter 81 because it is based on VPNs. Most small business owners would be able to set this system up. The Free edition, which is a VPN service, allows up to five users. Higher functions for SDP and ZTA are offered in the paid plans.

Pros:

  • Simple install and management – even for non-technical users
  • Features numerous access controls for teams and individual users
  • Offers layers of step-up authentication
  • Small teams can use the Starter version for free

Cons:

  • Trial period could be longer

Twingate SDP Software Start 14-day FREE Trial

3. Perimeter 81 SDP (GET DEMO)

Perimeter 81 Jun 2024

Apps Available:

  • PC
  • Mac
  • IOS
  • Android
  • Linux

Website:  www.perimeter81.com

Money-back guarantee: 30 DAYS

Perimeter 81 admin interface

Perimeter 81 SDP platform is a scalable hardware-free solution that helps organizations provide secure access to their network infrastructure and digital assets including local and cloud resources from end-point to data-center to the cloud. It offers network visibility, resource access segmentation, and full integration with major cloud providers, giving organizations peace of mind in the cloud. The solution is ideal for SMBs, especially those looking for a modern alternative to traditional business VPN system.

Key Features:

  • Integration with identity providers or directory services such as SAML, LDAP, Active Directory, Touch ID, and more
  • Option to deploy private servers on your premises, in a remote location, or in the cloud, allowing you to restrict access to specific resources
  • Activity reports and analytics, allowing you to monitor logins, app connections, and connections to unsecured WiFi
  • Central cloud management with single-click apps for major platforms
  • Two-factor authentication, automatic WiFi protection, and kill switch
  • 700 servers in 36 countries

Why do we recommend it?

The Perimeter 81 SDP is one solution that you can create with the tools available on the Perimeter 81 platform. The Perimeter 81 system is based around a Zero Trust Architecture, creating secure links between sites, remote workers, and SaaS platforms. This can be interpreted into an SDP virtual network configuration.

The onboarding process is smooth and hitch-free. When you sign up with Perimeter 81, you get a full management platform where you can build, manage, and secure your network. To get started, all you need to do is to sign up, invite your team, install the apps, and create user groups. By clicking on the link in the Downloads section of the platform, you can download the app on your preferred platform and follow the wizard to complete the installation. You can give network access to as many team members as possible, assign them to specific groups, and add or remove user permissions with a single click.

Perimeter 81 offers flexible payment plans with billing occurring on a yearly or monthly basis. Sign up process for all plans are commitment-free and has a 30-day money-back guarantee. The table below is a summary of the various subscription plans and associated features.

Price Plan

Cost (billed annually)

Minimum No. of Users

Features

Essentials

$ 8 per user/month per gateway

5

  • All the basics you need to secure and manage your network.

Premium

$12 per user/month per gateway

10

  • Advanced management network security features for larger businesses.

Enterprise

Custom: + $40/month per gateway

50

  • Enterprise-ready security features to customize and manage your network.

Who is it recommended for?

The Perimeter 81 system is very easy to implement and so it could be managed by the owners of small businesses without any technical skills. The minimum account size is for 10 users. Large multi-site businesses would also benefit from this easy-to-run virtual network system. Other security configurations, synch as ZTA are possible.

Pros:

  • Flexible features and offers that cater to smaller networks as well as enterprises
  • Multi-site management makes this viable for MSPs\
  • Wide variety of integrations (LDAP, SAML, etc)
  • Flexible pricing – great for any size network
  • Easy-to-use object-based configurations

Cons:

  • Would like to see a trial as opposed to a demo

Perimeter 81 SDP Access a Demo

4. Absolute Secure Access

Absolute Secure Access

Absolute Secure Access is part of an endpoint management platform that provides content security, secure connections, mobile application management, and unified endpoint management. The platform is divided into two sections – Secure Access is one of those and the other is called Secure Endpoint. You don’t have to subscribe to both categories of service.

Key Features:

  • Connection security with VPNs
  • Site-to-site VPNs
  • Remote device VPN clients
  • Option to include access rights management
  • Suitable for securing mobile device connections
  • Video and audio transmission optimization
  • Device security scanning
  • Protection on public WiFi systems
  • Geolocation assessment for GDPR

Why do we recommend it?

The Absolute Secure Access Absolute Edge package is a ZTA service that provides you with a secure virtual network across the internet. This is, effectively, an SDP solution. The service will scan devices before allowing a connection, which makes it sake to allow user-owned devices to connect to corporate resources.

The Secure Access service focuses on connection security. This offers two levels of service in its two plans. The first of these is called Absolute Core, which provides a VPN service. The second option is Absolute Edge, which adds in application access rights management to create a Zero Trust Access (ZTA) service. The ZTA system is analogous to a software-defined perimeter solution. The services in the Secure Endpoint service are the types of systems that you would find in a mobile device management (MDM) package – deceive security scanning, tracking, wiping, and locking, secure content delivery, and application containerization.

Absolute doesn’t publish a price list, so it is difficult to assess the service’s suitability for small businesses or startups.

Who is it recommended for?

The Absolute platform has some very large clients that prioritize network security. These include the British Army, American Airlines, and the New York Police Department. The two divisions on the platform are two separate products and you probably wouldn’t need both. The Secure Access service is less complicated than the Secure Endpoint package.

Pros:

  • Secure connections for fleet and user-owned mobile devices
  • Protection for remote workers connecting to the company network
  • Creates a single private corporate network across sites
  • Option to include application access controls to create a ZTA

Cons:

  • No free trial

In order to understand the Absolute Secure Access system, you should request a demo.

5. Appgate SDP

Appgate SDP dashboard

Appgate SDP solution is infrastructure agnostic and can be deployed in all environments: on-premises, multi-cloud (AWS, Azure, GPC), virtualized containerized environments, and legacy networks and infrastructure. Appgate was named a leader in the Forrester Zero Trust Wave 2020 report. The entire Appgate SDP solution is designed to be distributed and to offer high availability, and it can be deployed in physical, cloud, or virtual environments. The Appgate SDP integrates seamlessly with third-party applications such as IdPs, LDAP, MFA, SIEM, among others.

Key Features:

  • Concurrent access: Users gain access to all entitled resources across heterogeneous environments without VPN switching
  • Integration support: Includes a bi-directional API interface to support third-party integrations
  • Invisibility:  Single Packet Authorization (SPA) makes your infrastructure invisible
  • Dynamic policy resolution: User policies remain in-sync with infrastructure
  • Users live outside the protected network

Why do we recommend it?

The Appgate SDP creates a Zero Trust Network Access (ZTNA) solution. This is a solution to the problem of providing secure access to devices that are not directly under the control of the network administrator, such as IoT devices and user-owned devices. The platform also offers ZTA for user access controls to applications.

With Appgate SDP, you can control access from any location and to any enterprise resource in a unified policy engine with centralized policy management for servers, desktops, mobile devices, and cloud infrastructure among others. The Appgate SDP consists of three main components:

  • Controller: The controller manages user authentication and applies access policies assigned to users based on user attributes, roles, and context, and then issues entitlement tokens listing the resources the user is permitted to access.
  • Client: The Apgate SDP client is software that runs on user devices, and connects with Appgate SDP appliances to receive site-based entitlement tokens after successful authentication.
  • Gateway: The gateway evaluates user entitlements and opens connections to resources accordingly.

Who is it recommended for?

This is a solution for large businesses. Appgate doesn’t publish a price list, which makes it difficult to assess its platform’s suitability for small businesses. Companies that use “headless devices” and other IoT systems such as security cameras will benefit from the ZTNA solution.

Pros:

  • Simple and easy-to-use interface
  • Supports on-premise, cloud, and multi-cloud environments
  • Offers different levels of templated access – great for larger deployments

Cons:

  • There are many features that can take time to fully explore and implement

The Appgate SDP is available for a test drive, and the virtual appliances and client software are also available for download.

6. Cisco Software Defined Access (SDA)

Cisco DNA Center Wireless Dashboard

Cisco has over the years maintained its leadership position in the networking industry through innovative tools and applications. The Cisco SDA is one such innovative tools that joined the market in recent times. The Cisco SDA is a software defined perimeter solution that allows organizations to bring together users, applications, and devices and apply the right policies to each to secure the network. It is aimed at making enterprise networks more software-driven and simpler to manage.

Key Features:

  • Zero Trust Access
  • Provides connection security and device security scanning
  • Implements secure access for IoT devices
  • Compliance reporting for all application access events
  • Quarantining for endpoints that display suspicious activity

Why do we recommend it?

Cisco Software Defined Access (SDA) is a robust solution from the leading network device provider. The strategy behind this service is to provide ZTNA of IoT devices, secure connections for BYOD, and controlled application access and connection protection for remote and on-site users alike.

The solution is targeted at medium to large enterprises looking to solve the following business IT challenges:

  • Network segmentation without the need for  MPLS network
  • Flexible LAN or host mobility without additional VLANs
  • Role-based access control without end-to-end TrustSec
  • Common policy for wired and wireless without using multiple tools
  • Consistency across WAN, cloud infrastructures, branch offices, and campuses without using multiple tools

The core components that make up the SDA solution are The Cisco DNA Center (Cisco DNA software that powers the controller appliance including a dashboard), Cisco ISE (that enables zero-trust network access), and wired/wireless network infrastructure (such as routers and switches). When you implement Cisco SDA you are essentially creating an overlay network. The DNA center creates an abstraction layer that allows the entire physical network made of switches, routers, and wireless access points to be treated as a virtual switch, which can be manipulated to create virtual networks. The virtual network makes it possible to segment the network and apply specific policies that are centrally managed.

Traditionally, creating and managing these virtual networks were made possible by technologies such as VPNs, VLANS, and segmentation rules. But to apply that consistently across LAN, WAN, and wireless networks can be daunting. Cisco SDA simplifies that whole process by creating virtual networks, which makes it easy to apply policies consistently.

If you are considering the Cisco SDA solution, the steps below will guide you in the ordering process:

  1. Choose the required Cisco SDA platforms
  2. Choose the required software licenses to enable Cisco SDA functionality in the device and ISE, available either a-la-carte or with the purchase of Cisco DNA Premier
  3. Choose the required appliances—Cisco DNA Center (if applicable) and Cisco ISE
  4. Choose Cisco SDA professional services (optional but recommended)

As with most Cisco products, the setup process is very complex and requires the services of a Cisco expert. Although the product is best suited for the Cisco environment, you don’t need to have an exclusive Cisco network to maximize value. SDA contains multi-vendor support and an API that allows integration with network equipment from other vendors.

Who is it recommended for?

This is a suitable solution for businesses that operate a virtual office, have a lot of remote and mobile users, and allow user-owned devices to connect to the office network. The underlying mechanisms of this package are similar to the straightforward systems of Perimeter 81 and NordLayer but the addition of device security for ZTNA complicates the service.

Pros:

  • Excellent dashboards and data visualization
  • Integrates with Cisco environments seamlessly
  • Supports abstraction and network virtualization
  • Ideal for enterprises looking to sync access rules across multiple networks

Cons:

  • Not the best fit for smaller networks
  • Has a steeper learning curve for non-Cisco users

7. Jamf Connect

Jamf Connect

Jamf Connect is part of a suite of tools for the management of fleet devices supplied by Apple. Those devices could be desktops running macOS or mobile devices running iOS. The Jamf Connect system expands the remit of the device management service because it allows remote users to connect with their own computers and for user-owned devices to connect within the office.

Key Features:

  • Extends the Jamf device management functions to user-owned devices
  • Device security scans
  • User authentication integration
  • Single sign-on
  • Control of access to on-premises and SaaS applications

Why do we recommend it?

Jamf Connect supports businesses that allow telecommuting to let users running a Mac at home to connect through to corporate resources. The administrator sets up an account for a user and that person then installs an access app. That app links the user’s local credentials to the global SSO account.

As with any typical ZTA system, this tool provides connection security and authentication. The core unique feature of this system is that it allows users to link the local credentials that they use to access their device with a corporate single sign-on mechanism.

The Jamf Connect system provides three security features. These begin with connection security, which is provided by a VPN built into the access app. The second is access rights management, and the third is device security scans. So, the device is verified as secure and virus-free before it is allowed to be used by an authorized user to access a specific list of applications.

The user access app for the Jamf Connect system is available for Macs and also for iPads and iPhones. The same user will probably have different local credentials on each device, however, once each app is set up, logging in to that device will ripple through to the corporate SSO. The app verifies the validity of the local credentials for that device.

Who is it recommended for?

The per-device pricing model of Jamf Connect makes the package scaleable and suitable for businesses of all sizes. However, there is a minimum number of devices for an account, which Jamf doesn’t reveal until you are already into the sign-up process. The tool is only suitable for managing Apple devices and won’t work on Windows or Linux.

Pros:

  • Lets users hop between their own devices and company workstations
  • Ensures that only virus-free devices can connect
  • Will work for BYOD as well, although Jamf also offers a separate BYOD package
  • Reduces logon fatigue

Cons:

  • Doesn’t work on Windows or Linux

Jamf Connect is priced per device and you can assess it by accessing a demo.

Choosing the right SDP software solution for your business

With a variety of SDP products out there, choosing the right one for your business and budget can be challenging. Like most network security solutions, not all SDP solutions are created equal. What fits perfectly from a price, feature, and functionality standpoint for one organization may not fit for another. You need to consider a variety of factors, some of which include: What deployment model best suits your environment—cloud or on-premises? How does the SDP solution implement zero-trust network access? Does the SDP solution integrate with your existing network infrastructure? Does the SDP solution require a dedicated appliance for cloud connectivity? Is vendor support available in your region, and to what extent? What is the total cost of ownership?

Hopefully, this will guide you in the process of choosing the right solution for your business.

See also: Best Access Rights Management Software