What is SDP?
Software-Defined Perimeter
A security framework that dynamically creates one-to-one network connections between users and resources, making application infrastructure invisible to unauthorized users.
SDP, specified by the Cloud Security Alliance (CSA), is the architectural precursor to what the market now calls ZTNA. The SDP model consists of three components: an initiating host (the client), an accepting host (the application gateway), and an SDP controller that brokers the connection. Before any network connectivity is established, the client must authenticate to the controller and prove its identity and device posture. Only then does the controller instruct the accepting host to open a connection for that specific client.
The key security property is that the accepting host does not respond to any unauthenticated network traffic. It is invisible to port scanners and unauthorized users because it only opens ports for connections that the controller has pre-authorized. This is sometimes called a 'dark cloud' or 'black cloud' because the infrastructure cannot be discovered by attackers.
In practice, the distinction between SDP and ZTNA has blurred. Most ZTNA vendors implement SDP principles: authenticate first, connect second, and limit access to individual applications. The CSA SDP specification remains a useful reference architecture, particularly its emphasis on mutual TLS authentication and single-packet authorization (SPA) for the control channel.
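The authenticate-first, connect-second flow described above, written out as a small simulation. This is an added example, not code from the CSA specification or any vendor; the message layout, the field names, the posture attributes and the controller handing a per-session SPA key to both sides are all assumptions made for illustration. It shows the three components interacting, the accepting host staying silent to an unauthenticated probe, a posture failure being refused at the controller, and a replayed SPA packet being dropped.

```python
import hmac
import hashlib
import os
import time
from dataclasses import dataclass, field

SPA_WINDOW_SECONDS = 30  # freshness window for single-packet authorization (assumed value)


def spa_tag(key, client_id, ts, nonce):
    """HMAC over the SPA packet fields; the tag is what the accepting host checks."""
    msg = f"{client_id}|{int(ts)}|".encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_spa_packet(client_id, spa_key, now=None):
    """Initiating host: build the single packet that precedes any connection."""
    now = time.time() if now is None else now
    nonce = os.urandom(16)
    return {"type": "spa", "client_id": client_id, "ts": int(now), "nonce": nonce,
            "tag": spa_tag(spa_key, client_id, int(now), nonce)}


@dataclass
class AcceptingHost:
    """Application gateway: default-deny, answers only pre-authorized SPA packets."""
    name: str
    _authorized: dict = field(default_factory=dict)   # client_id -> spa_key (one-shot)
    _seen_nonces: set = field(default_factory=set)    # replay protection
    log: list = field(default_factory=list)           # what a defender would see

    def preauthorize(self, client_id, spa_key):
        self._authorized[client_id] = spa_key

    def receive(self, packet, now=None):
        """Return a session for a valid SPA packet, otherwise None: no response at all."""
        now = time.time() if now is None else now
        if not isinstance(packet, dict) or packet.get("type") != "spa":
            self.log.append("dropped: not an SPA packet")      # port scans land here
            return None
        client_id = packet.get("client_id")
        key = self._authorized.get(client_id)
        if key is None:
            self.log.append(f"dropped: {client_id!r} not pre-authorized by controller")
            return None
        ts, nonce = packet.get("ts", 0), packet.get("nonce", b"")
        if abs(now - ts) > SPA_WINDOW_SECONDS or nonce in self._seen_nonces:
            self.log.append(f"dropped: stale or replayed SPA from {client_id!r}")
            return None
        if not hmac.compare_digest(spa_tag(key, client_id, ts, nonce), packet.get("tag", b"")):
            self.log.append(f"dropped: bad SPA tag from {client_id!r}")
            return None
        self._seen_nonces.add(nonce)
        del self._authorized[client_id]   # authorization is consumed by the connection
        return {"session": f"{client_id}->{self.name}"}


@dataclass
class Controller:
    """Brokers access: verifies identity and device posture, then pre-authorizes the gateway."""
    credentials: dict        # client_id -> shared secret (constructed test data)
    required_posture: dict   # attributes a device must report before it may connect
    gateways: dict = field(default_factory=dict)   # application name -> AcceptingHost

    def request_access(self, client_id, secret, posture, app):
        expected = self.credentials.get(client_id)
        if expected is None or not hmac.compare_digest(expected, secret):
            return None                                  # identity check failed
        if any(posture.get(k) != v for k, v in self.required_posture.items()):
            return None                                  # device posture check failed
        gateway = self.gateways.get(app)
        if gateway is None:
            return None
        spa_key = os.urandom(32)                         # per-session key, given to both sides
        gateway.preauthorize(client_id, spa_key)
        return {"gateway": gateway, "spa_key": spa_key}


def demo():
    """Run the flow once; returns the outcome of a scan, a posture failure, a grant and a replay."""
    gw = AcceptingHost("payroll")
    ctrl = Controller(credentials={"alice-laptop": b"alice-secret"},          # constructed
                      required_posture={"disk_encrypted": True, "edr_running": True},
                      gateways={"payroll": gw})
    scan = gw.receive({"type": "syn", "dst_port": 443})   # unauthenticated probe: silence
    denied = ctrl.request_access("alice-laptop", b"alice-secret",
                                 {"disk_encrypted": True, "edr_running": False}, "payroll")
    grant = ctrl.request_access("alice-laptop", b"alice-secret",
                                {"disk_encrypted": True, "edr_running": True}, "payroll")
    pkt = make_spa_packet("alice-laptop", grant["spa_key"])
    session = grant["gateway"].receive(pkt)
    replay = grant["gateway"].receive(pkt)                 # same packet again: dropped
    return {"scan": scan, "denied_posture": denied, "session": session,
            "replay": replay, "log": gw.log}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point to take from the simulation is where each decision lives: identity and posture are decided at the controller, while the gateway holds no policy of its own and only honours authorizations it has already been told about. Everything else, including a well-formed SPA packet from a client the controller never approved, produces a log entry and no reply.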
Related terms

ZTNA (Zero Trust Network Access): An access model that grants users connectivity to specific applications, not networks, based on identity and device posture, verified continuously per session.

Zero Trust: A security model that eliminates implicit trust based on network location, requiring continuous verification of identity, device posture, and context for every access request.

Microsegmentation: A security technique that divides a network into granular segments, enforcing least-privilege access policies between individual workloads rather than relying on broad network perimeters.