Software Defined Perimeter Working Group


Introduction to the Software Defined Perimeter Working Group

With the adoption of cloud services, the threat of network attacks against application infrastructure increases, since servers can no longer be protected with traditional perimeter defense techniques. The Software Defined Perimeter (SDP) Working Group is a research working group established in 2013 to develop a solution that stops network attacks against application infrastructure. The CSA makes the working group's research freely available, without license fees or restrictions.

From the beginning the working group decided to take a clean-sheet approach to defeating cyber attacks that would be both comprehensive and cost effective. To achieve this goal, the team identified three key design elements. First, a security model that verifies the identity of the user, their device, and their role before granting access to protected systems. Second, cryptographic verification to ensure the security model is actually being followed. And third, that the protocols used to achieve the first two be proven, public-domain security controls.

The working group decided that a control-channel-based architecture using standard components such as SAML, PKI, and mutual TLS would be the ideal approach. They published a paper in December 2013, naming the concept SDP, to gauge interest in it.

Strong interest in the SDP concept led to the publishing of the SDP Version 1 specification in April 2014. The initial design consisted of an Initiating Host that would transmit device and user identity to a Controller over a mutual TLS connection. The Controller in turn would connect to an Issuing CA to verify the hardware identity and to an Identity Provider to verify user identity. Once verified, the Controller would then provision one or more mutual TLS connections between the Initiating Host and the appropriate Accepting Hosts.



Security Model

To stop network attacks on application infrastructure, the SDP Working Group developed a clean-sheet approach that combines on-device authentication, identity-based access and dynamically provisioned connectivity. The individual security components in SDP are commonplace; the integration of the three is fairly novel. According to the working group, the SDP security model stops all forms of network attack, including DDoS, man-in-the-middle, server query attacks (OWASP Top 10) and advanced persistent threats (APT).

SDP Version 1 Design

The initial commercial SDP products implemented the concept as an overlay network for enterprise use cases such as remote access to high-value data or protecting cloud instances from network attacks. The SDP Initiating Host became a Client and the Accepting Host became a Gateway.

SDP Architecture

SDP Client

The SDP Client handles a wide range of functions, from verifying device and user identity to routing whitelisted local applications to authorized protected applications (remote). The SDP Client is configured in real time to ensure that its certificate-based mutual TLS VPN only connects to services the user is authorized for. The SDP Client becomes the policy enforcement point on the user's side, as that is where access control is implemented after user and device identity have been cryptographically verified.

SDP Controller

The SDP Controller functions as a trust broker between the SDP Client and backend security controls such as an issuing certificate authority and an identity provider. Once the identity of the SDP Client has been verified and the services it is authorized for have been determined, the SDP Controller configures both the SDP Client and the SDP Gateway in real time to provision a mutual TLS connection between them.

SDP Gateway

The SDP Gateway is the termination point for the mutual TLS connection from the Client. It is usually deployed as topologically close to the protected application as possible. The SDP Gateway is provided with the SDP Client's IP address and certificates only after the identity of the requesting device has been verified and the user's authorizations have been determined.

Working together, the three SDP architectural components provide a number of unique security properties:

1) Information Hiding

Protected application infrastructure exposes no DNS information and no visible ports. SDP-protected assets are considered "dark": their presence cannot be discovered by port scanning, because an unauthenticated host receives no response at all.

2) Pre-authentication

The device identity of the requesting host is verified before any connectivity is granted. Device identity is established via an MFA token embedded in the TCP or TLS setup.
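As an added example (not code from the SDP specification, the working group, or any SDP product), the check below shows one way the MFA token can ride ahead of the TCP/TLS setup: single packet authorization (SPA), where the client sends one authenticated datagram and the gateway stays silent unless it verifies. The packet layout (32-bit client id, 64-bit counter, RFC 4226 HOTP token, HMAC-SHA256 tag), the counter look-ahead window, the allow-list lifetime and the device secrets are all assumptions made for this illustration; the page does not specify the token format.

```python
"""Pre-authentication via single packet authorization (SPA) with an HOTP token.

Added illustration, not code from the SDP specification, the working group or any
SDP product. Assumed packet layout (all fields big-endian):
    client_id (4 bytes) | counter (8 bytes) | HOTP (6 ASCII digits) | HMAC-SHA256 (32 bytes)
The HMAC covers the first three fields. Device secrets below are constructed.
"""
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional, Tuple

HOTP_DIGITS = 6
COUNTER_WINDOW = 20     # assumed look-ahead: a client whose packets were lost may be this far ahead
ALLOW_SECONDS = 30      # assumed: time the client has to complete the TLS handshake after SPA
PACKET_LEN = 4 + 8 + HOTP_DIGITS + 32


def hotp(seed: bytes, counter: int, digits: int = HOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def build_spa_packet(client_id: int, counter: int, hotp_seed: bytes, hmac_key: bytes) -> bytes:
    """Client side: the datagram sent before any TCP SYN towards the protected host."""
    body = struct.pack(">IQ", client_id, counter) + hotp(hotp_seed, counter).encode("ascii")
    return body + hmac.new(hmac_key, body, hashlib.sha256).digest()


class SpaGateway:
    """Gateway side. Every datagram is checked and never answered, so a scanner sees
    the same silence whether or not a protected service exists behind the port."""

    def __init__(self, devices: Dict[int, Tuple[bytes, bytes]]):
        self.devices = devices      # client_id -> (hotp_seed, hmac_key), enrolled out of band
        self.last_counter: Dict[int, int] = {}            # highest counter accepted per client
        self.allowed: Dict[Tuple[str, int], float] = {}   # (src_ip, client_id) -> expiry

    def receive(self, packet: bytes, src_ip: str, now: Optional[float] = None) -> bool:
        """Return True if the datagram pre-authenticates src_ip; on any failure drop it silently."""
        now = time.time() if now is None else now
        if len(packet) != PACKET_LEN:
            return False
        body, tag = packet[:-32], packet[-32:]
        client_id, counter = struct.unpack(">IQ", body[:12])
        creds = self.devices.get(client_id)
        if creds is None:
            return False
        hotp_seed, hmac_key = creds
        # 1. Authenticity of the whole packet, compared in constant time.
        if not hmac.compare_digest(tag, hmac.new(hmac_key, body, hashlib.sha256).digest()):
            return False
        # 2. Replay defence: the counter must advance, but only within the look-ahead window.
        last = self.last_counter.get(client_id, 0)
        if not last < counter <= last + COUNTER_WINDOW:
            return False
        # 3. The one-time token itself, derived from the per-device seed.
        if not hmac.compare_digest(body[12:], hotp(hotp_seed, counter).encode("ascii")):
            return False
        self.last_counter[client_id] = counter
        self.allowed[(src_ip, client_id)] = now + ALLOW_SECONDS
        return True

    def may_connect(self, src_ip: str, client_id: int, now: Optional[float] = None) -> bool:
        """Firewall hook consulted on the TCP SYN: only a recently pre-authenticated source may
        complete the handshake towards the gateway; everyone else is dropped."""
        now = time.time() if now is None else now
        expiry = self.allowed.get((src_ip, client_id))
        return expiry is not None and now <= expiry


if __name__ == "__main__":
    # Constructed enrolment data for one device.
    seed, key = b"constructed-hotp-seed", b"constructed-hmac-key"
    gw = SpaGateway({0x1001: (seed, key)})
    pkt = build_spa_packet(0x1001, 1, seed, key)
    print("first packet accepted:", gw.receive(pkt, "198.51.100.7"))   # True
    print("replay accepted:", gw.receive(pkt, "198.51.100.7"))         # False
    print("SYN permitted:", gw.may_connect("198.51.100.7", 0x1001))    # True
```

Two details matter in practice: the gateway never sends anything on failure (a NACK would make the host visible again), and the counter window is what lets a client recover from lost datagrams without reopening the door to a captured packet.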

3) Pre-authorization

Users are provisioned access only to the application servers appropriate for their role. The identity system uses a SAML assertion to inform the SDP Controller of the user's privileges.

4) Application Layer Access

Users are granted access only at the application layer, not the network layer. Additionally, SDP typically whitelists the applications on the user's device, so provisioned connections are app-to-app.

5) Extensibility

SDP is built on proven, standards-based components such as mutual TLS, SAML and X.509 certificates. Standards-based technology ensures that SDP can be integrated with other security systems, such as data encryption or remote attestation systems.

Pre-authentication combined with pre-authorization creates networks that are dark to unknown hosts while providing need-to-know access to authorized users. A key aspect of SDP is that pre-authentication and pre-authorization happen before any TCP connection between the user and the protected application is established. Additionally, users are granted access only to authorized applications, which eliminates the threat of lateral movement from compromised devices.
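The controller-side pre-authorization step described in the Version 1 design and in the SDP Controller, pre-authorization and application-layer-access paragraphs above, as an added example that is not the specification's or any product's code: it reads the role attribute out of a SAML 2.0 assertion (a constructed, unsigned sample), fails closed on the assertion's validity window and audience, maps roles to services through a policy table, and emits the per-application records the Client and the Gateway need. The assertion, the policy table, the host names, the record layout and the `roles_from_assertion` / `provision` names are assumptions; XML signature verification of the assertion is omitted here and must precede this logic in a real controller.

```python
"""SDP Controller pre-authorization: SAML role assertion -> per-application provisioning.

Added illustration, not code from the SDP specification or any product. The assertion,
policy table, host names and record formats below are constructed. XML signature
verification (XMLDSig) of the assertion is required in a real controller and is
assumed to have succeeded before roles_from_assertion() is called.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CONTROLLER_ENTITY_ID = "https://sdp-controller.example/sp"   # assumed audience for this controller

# Constructed policy: role -> (local app on the client, gateway, protected service, port).
# Access is expressed per application; no role ever receives a subnet or "all ports".
POLICY: Dict[str, List[tuple]] = {
    "finance-analyst": [("excel.exe", "gw-finance.example", "ledger-api", 8443)],
    "dba": [("psql", "gw-db.example", "postgres", 5432),
            ("ssh", "gw-db.example", "db-bastion", 22)],
}

# Constructed, unsigned sample assertion from the identity provider.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1"
    IssueInstant="2018-06-12T09:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2018-06-12T09:00:00Z" NotOnOrAfter="2018-06-12T09:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sdp-controller.example/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>finance-analyst</saml:AttributeValue>
      <saml:AttributeValue>guest</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def _saml_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def roles_from_assertion(xml_text: str, now_utc: str,
                         audience: str = CONTROLLER_ENTITY_ID) -> Optional[Dict]:
    """Return {"user": ..., "roles": [...]} or None. Every check fails closed."""
    root = ET.fromstring(xml_text)
    now = _saml_time(now_utc)
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        return None                     # an assertion with no validity window is not trusted
    not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if not_before and now < _saml_time(not_before):
        return None
    if not_on_or_after and now >= _saml_time(not_on_or_after):
        return None
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if audience not in audiences:
        return None                     # assertion minted for some other relying party
    user = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not user:
        return None
    roles = [v.text for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS)
             if attr.get("Name") == "role"
             for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]
    return {"user": user, "roles": roles}


def provision(identity: Dict, client_ip: str, client_cert_sha256: str) -> Dict:
    """Controller output once device identity (client certificate) and user identity are verified:
    the allow-list pushed to the Client and the per-gateway accept rules pushed to each Gateway."""
    services = sorted({svc for role in identity["roles"] for svc in POLICY.get(role, [])})
    client_rules = [{"local_app": app, "gateway": gw, "service": svc, "port": port}
                    for app, gw, svc, port in services]
    gateway_rules: Dict[str, List[Dict]] = {}
    for _app, gw, svc, port in services:
        gateway_rules.setdefault(gw, []).append(
            {"client_ip": client_ip, "client_cert_sha256": client_cert_sha256,
             "service": svc, "port": port})
    return {"user": identity["user"], "client": client_rules, "gateways": gateway_rules}


if __name__ == "__main__":
    ident = roles_from_assertion(SAMPLE_ASSERTION, "2018-06-12T09:02:00Z")
    print(provision(ident, "198.51.100.7", "sha256:constructed-fingerprint"))
```

Note that a role absent from the policy table ("guest" in the sample) grants nothing, and that a gateway the user has no service on ("gw-db.example") receives no rule at all, so it keeps dropping that client's traffic exactly as it drops an unknown host's.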

Software Defined Perimeter Working Group Founders

  • Brent Bilger
  • Alan Boehme
  • Bob Flores
  • Junaid Islam
  • Jeff Schweitzer

Software Defined Perimeter Working Group Leadership

Software Defined Perimeter Co-chairs

Jason Garbis

Jason Garbis is Vice President of Secure Access Products at Cyxtera, a provider of secure infrastructure for today’s hybrid environments, where he leads strategy and management for the company’s security solutions. Jason has over 25 years of product management, engineering, and consulting experience at security and technology firms including RSA, HPE, BMC, and Iona.

Jason is co-chair of the Software Defined Perimeter (SDP) Working Group at the Cloud Security Alliance, holds a CISSP certification, is a published author, and led the creation of the Cloud Security Alliance initiative applying Software-Defined Perimeter to Infrastructure-as-a-Service environments.

Junaid Islam

Junaid Islam is the CTO and founder of Vidder which provides distributed access control solutions to Fortune 500 companies. Prior to founding Vidder, Junaid founded Bivio Networks which developed the first Gigabit speed software based security platform in the industry. Earlier in his career Junaid helped create networking standards such as Frame Relay, ATM and MPLS while at StrataCom and Cisco.

In addition to his work in the technology industry, Junaid has served at the local and national levels. Junaid served as Human Relations Commissioner of Santa Clara County (Silicon Valley) from 2002 to 2009. Currently Junaid is Co-Chair of the Software Defined Perimeter (SDP) research group, which supports a number of US national cyber security initiatives.

As co-chair of the SDP Working Group, Junaid is co-author and chief architect of the SDP specification. He has presented at several events, including the U.S. Congress in 2013 and the CSA Congress in 2014 and 2015, hosted the CSA Summit hack-a-thon, and is a recipient of the Ron Knode Award.

Bob Flores

Bob Flores is a co-founder and partner of Cognitio. Prior to this, Bob spent 31 years at the Central Intelligence Agency. While at CIA, Bob held various positions in the Directorate of Intelligence, Directorate of Support, and the National Clandestine Service. Toward the end of his career at the CIA, Bob spent three years as the CIA’s Chief Technology Officer where he was responsible for ensuring that the Agency’s technology investments matched the needs of its mission. Bob is the Co-chair of the Software Defined Perimeter (SDP) Working Group at the Cloud Security Alliance.

Software Defined Perimeter Working Group Initiatives

SDP Glossary v2.0

Objective: Reference document that brings together SDP related terms and definitions
Application: To provide a good understanding and minimize misinterpretation about SDP
Membership: Open to the public
Information: All documents publicly available

Private Internet

Objective: Utilize SDP to build an overlay network across the public Internet
Application: Enable global supply chain security for Global 100 companies
Membership: Invitation Only
Information: Briefing available upon request

SDP Architecture Guide v2.0

Objective: This guide intends to help enterprises and practitioners learn about SDP, understand the benefits, and successfully implement an SDP architecture in their organization.
Application: Enterprises successfully deploy SDP solutions based on the architecture recommendations in this document.
Membership: Open to the public
Information: All documents publicly available

Automotive Secure Communications

Objective: Utilize SDP for secure vehicle to cloud communications
Application: Secure telematics data transfer, over-the-air (OTA) in-vehicle infotainment (IVI) software updates
Membership: Open to automotive OEMs and suppliers
Information: Briefing available upon request

SDP Specification v2.0

Objective: This document specifies the base architecture for Software Defined Perimeter (SDP)-compliant systems.
Application: SDP-specification-compliant networks can be used in government applications, such as enabling secure access to FedRAMP-certified cloud networks, as well as enterprise applications, such as enabling secure mobile phone access to public clouds.
Membership: Open to the public
Information: All documents publicly available

Open Source DDoS Initiative

Objective: Research SDP as a high speed Internet-based packet filter
Application: Enable access to mission critical sites during DDoS attacks
Membership: Open to the public
Information: All documents publicly available

Open Peer Reviews

There are no working drafts at this time.


Software Defined Perimeter Working Group Downloads

Software Defined Perimeter Glossary

Description: The Software Defined Perimeter (SDP) Glossary is a reference document that brings together SDP related terms and definitions from various professional resources. The terms and supporting information in the SDP glossary cover a broad range of areas, including the components of SDP and common supporting technologies.

Release Date: June 12, 2018

SDP for IaaS

Release Date: February 13, 2017

Re-Think Security

Release Date: July 15, 2016

SDP Specification v1.0

This document outlines a Cloud Security Alliance (CSA) initiated protocol for the Software Defined Perimeter specification, and requests discussion and suggestions for improvements.

Release Date: April 30, 2014

SDP Hackathon Whitepaper

The CSA SDP Hackathon challenged hackers to attack a server defended by a software defined perimeter. Of the billions of packets fired at the server, not one attacker penetrated even the first layer of security. The whitepaper outlines how this is possible.

Release Date: April 17, 2014

Software Defined Perimeter

This document explains the software defined perimeter (SDP) security framework and how it can be deployed to protect application infrastructure from network-based attacks. The SDP incorporates security standards from organizations such as the National Institute of Standards and Technology (NIST) as well as security concepts from organizations such as the U.S. Department of Defense (DoD) into an integrated framework.

Release Date: December 01, 2013