This topic describes Software-Defined Perimeter (SDP), a feature of Alibaba Cloud Identity as a Service (IDaaS). SDP helps businesses implement secure and efficient cloud identity management and access control by providing solutions for various complex enterprise scenarios.
What is IDaaS SDP?
Identity as a Service (IDaaS) Software-Defined Perimeter (SDP) builds on Alibaba Cloud's experience in endpoint and network management. After you install a client on an endpoint, SDP provides endpoint management, cross-network connectivity, application cloaking, and connections that are physically unidirectional (initiated outbound from the internal network) but logically bidirectional. SDP creates a one-to-one authentication and authorization mapping between users and applications and confines each user's traffic to its own tunnel. This reduces the north-south attack surface exposed to external networks and blocks east-west lateral movement inside the internal network. It also provides microsegmentation between applications, so that users reach only the applications and data they are authorized for.

Product features
1. A single center
SDP is based on the zero trust principle and centers on identity authentication. Leveraging the powerful identity authentication capabilities of IDaaS, SDP provides continuous authentication and dynamic authorization for users throughout their access sessions. This ensures that only authorized users can access their granted applications and data.
2. Two application layers
SDP handles different application types, such as Web and TCP, in separate layers. The same security principles apply in both layers while performance holds at tens of thousands of Transactions Per Second (TPS). For Layer 7 (L7) Web and API applications, an id_token can be inserted into an HTTP request header so that the application can verify the identity of the caller on every request. For Layer 4 (L4) applications such as SSH and RDP, the id_token is attached to the TCP/UDP tunnel instead. This allows fine-grained, per-service access control.
3. Three layers of cloaking
SDP provides three layers of network cloaking. Gateway cloaking: the gateway keeps all ports closed by default, and a client must pass single-packet authorization (SPA) before the gateway accepts a connection from it. Application cloaking: authorized users can see only the applications they have been granted access to. Internal network cloaking: application connectors establish a link that is physically unidirectional (initiated outbound from the internal network) but logically bidirectional, so you do not need to open any inbound ports on the internal network firewall and no internal service is exposed.
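To make the gateway-cloaking step concrete, here is an added example of a single-packet authorization exchange written generically; it is not Alibaba Cloud's SPA wire format, which this page does not describe. The packet layout (client ID, timestamp, nonce, HMAC-SHA256), the shared key, the clock-skew window and the rule lifetime are all assumptions. Both sides run in-process: the client builds the knock and the gateway decides whether to open itself for that source, dropping anything it cannot authenticate.

```python
"""Single-packet authorization knock for a gateway that keeps all ports closed (added example)."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

WINDOW = 30      # seconds of clock skew tolerated (assumed)
RULE_TTL = 10    # seconds a valid knock keeps the gateway open for the source (assumed)
MAC_LEN = 32     # HMAC-SHA256 output length
BODY_LEN = 16 + 8 + 16


def build_spa_packet(client_id: bytes, key: bytes, now: float,
                     nonce: Optional[bytes] = None) -> bytes:
    """Client side: id(16) | timestamp(8, big-endian) | nonce(16) | HMAC over the preceding bytes."""
    nonce = os.urandom(16) if nonce is None else nonce
    body = client_id.ljust(16, b"\0")[:16] + struct.pack(">Q", int(now)) + nonce
    return body + hmac.new(key, body, hashlib.sha256).digest()


class SpaGateway:
    """Gateway side: authenticate the knock, reject replays, then open briefly for the source."""

    def __init__(self, client_keys: Dict[bytes, bytes]):
        self.client_keys = client_keys   # client_id -> shared key
        self.seen = {}                   # nonce -> timestamp, for replay detection
        self.allowed = {}                # source address -> expiry of the opened rule

    def handle_knock(self, src: str, pkt: bytes, now: float) -> str:
        """Return the decision; everything except a valid knock is silently dropped."""
        if len(pkt) != BODY_LEN + MAC_LEN:
            return "drop: bad length"
        body, mac = pkt[:BODY_LEN], pkt[BODY_LEN:]
        client_id = body[:16].rstrip(b"\0")
        key = self.client_keys.get(client_id)
        if key is None:
            return "drop: unknown client"
        # Authenticate first so that nothing below is influenced by an unauthenticated byte.
        if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), mac):
            return "drop: bad mac"
        ts = struct.unpack(">Q", body[16:24])[0]
        if abs(now - ts) > WINDOW:
            return "drop: stale"
        nonce = body[24:40]
        self._expire(now)
        if nonce in self.seen:
            return "drop: replay"
        self.seen[nonce] = ts
        self.allowed[src] = now + RULE_TTL
        return f"allow {src} for {RULE_TTL}s"

    def is_open_for(self, src: str, now: float) -> bool:
        """Whether a TCP connection from src would currently be accepted."""
        self._expire(now)
        return src in self.allowed

    def _expire(self, now: float) -> None:
        # Nonces older than the window are rejected as stale anyway, so they can be forgotten.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= WINDOW}
        self.allowed = {s: e for s, e in self.allowed.items() if e > now}


if __name__ == "__main__":
    import time
    key = os.urandom(32)
    gw = SpaGateway({b"laptop-42": key})
    knock = build_spa_packet(b"laptop-42", key, time.time())
    print(gw.handle_knock("203.0.113.7", knock, time.time()))
    print(gw.is_open_for("203.0.113.7", time.time()))
```

Two properties carry the cloaking: a port scanner that cannot produce a valid MAC gets no response at all, and a captured knock is useless after the skew window and cannot be replayed inside it.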
4. Four endpoint types
SDP supports four endpoint types, Windows, macOS, Android, and iOS, and runs on all of them. SDP also provides a Software Development Kit (SDK) that you can integrate with your existing business applications in a few steps to give them secure and efficient access.
5. Five trusted identities
Based on the concept of pan-identity, SDP treats every factor in a user's access session as an identity and builds five trusted identities: trusted user, trusted device, trusted network, trusted application, and trusted connector. SDP checks each of these at connection time and continuously re-verifies them for the life of the session.
Core values
Security
The core principle of SDP is zero trust: never trust, always verify. Cloud migration and mobile work have blurred the network perimeter, so SDP moves beyond the limitations of traditional firewalls and VPNs, which grant broad network reach once a user is inside the perimeter. By verifying each user's access to each application, SDP protects the data behind those applications.
Convenience
Using the clients and the SDK, businesses can connect networks immediately without changing the existing user experience. For example, using SDP to connect DingTalk Mail to an internal mail server does not alter how users read their mail.
Compliance
SDP's identity-defined border capabilities effectively isolate different data domains, which helps businesses meet industry regulatory requirements.
Economy
SDP's high concurrency and optional distributed cloud deployment help reduce costs: a small investment can significantly improve security capabilities.
Learn more
For more information about the IDaaS SDP product, see Contact Us.