Episode 41 — Deperimeterize Safely: SASE, SD-WAN, Software-Defined Networking, and Segmentation
In this episode, we’re going to take a careful look at what it means when people say the old network perimeter is fading, and why that idea can be both helpful and dangerous if you take it the wrong way. For a long time, security was often imagined like a castle with walls, where the outside was risky and the inside was trusted, but modern organizations don’t really work like that anymore. People work from home, apps live in cloud services, partners connect from their own networks, and devices move around constantly, so the idea of one clean boundary starts to fall apart. When the boundary becomes blurry, the goal is not to pretend there is no boundary at all, but to make security decisions closer to the user, the device, and the data. That shift is sometimes called deperimeterization, and done well, it reduces risk by assuming connections are messy and constantly changing rather than neat and predictable.
Before we continue, a quick note: this audio course is a companion to our course companion books. The first book is about the exam and provides detailed information on how to pass it best. The second book is a Kindle-only eBook that contains 1,000 flashcards that can be used on your mobile device or Kindle. Check them both out at Cyber Author dot me, in the Bare Metal Study Guides Series.
To understand deperimeterization safely, it helps to start with why the perimeter model was appealing in the first place, because the strengths and weaknesses are connected. If you imagine most important servers sitting in one building and most employees working on computers inside that building, it made sense to place strong controls at the edge where the building meets the internet. Firewalls, gateways, and a few well-controlled entry points could block many threats, and the internal network could be treated as a simpler space with fewer obstacles. The problem is that the perimeter model quietly encouraged a dangerous habit: if something made it inside, it was often treated as more trusted than it should have been. Attackers learned this too, which is why so many intrusions focus on getting any internal foothold and then moving sideways until they find the valuable stuff. Deperimeterization tries to break that habit by treating the internal network as a place that still needs strong boundaries, just not one single boundary.
A common misconception is that deperimeterization means removing security controls or letting everything connect freely because the perimeter is supposedly gone. That is not what safe deperimeterization means, and it is where beginners can get tricked by buzzwords. Safe deperimeterization is really about distributing security controls so they apply consistently no matter where the user is or where the application is hosted. It means the rules follow the identity, the device posture, the sensitivity of the data, and the context of the request, instead of relying mostly on where the network cable happens to plug in. If you take away one perimeter control without replacing its protective effect somewhere else, you do not modernize, you just weaken defenses. So the core idea to hold onto is that the boundary moves closer to what you are protecting, and the number of boundaries usually increases rather than decreases.
One of the big concepts tied to this shift is Secure Access Service Edge (S A S E), which is best understood as a way to deliver network access and security services together, often through distributed points that are closer to users and cloud services. Instead of backhauling all traffic to a central office just so it can pass through security tools, S A S E aims to apply security controls near the place the connection is happening. That can improve performance for users and reduce complexity when many applications are cloud-based, but the security value comes from consistent policy enforcement, not from speed alone. Think of it like moving the security checkpoint from one main gate to many smaller gates that are still controlled by the same rules. The rules still matter, and the rules must be designed thoughtfully, because adding more checkpoints does not automatically make you safer if the checkpoints are poorly defined.
Another major idea in this space is Software-Defined Wide Area Network (S D-W A N), which focuses on how an organization connects multiple locations and routes traffic across different network links. Traditionally, wide area networking often relied on expensive, rigid connections and hardware-focused routing decisions, but S D-W A N emphasizes software-driven control and flexibility. It can choose paths based on performance, reliability, and policy, which can make networks more resilient and easier to manage as organizations grow or change. The important security point is that better routing flexibility can either help security or complicate it, depending on how it is governed. If traffic can go many different ways, you need to be sure security inspection and access rules still apply regardless of path. In a safe design, the routing flexibility supports security by ensuring secure paths are available and policy enforcement points are consistently used.
Software-Defined Networking (S D N) is related but slightly different, because it is more about controlling the behavior of the network inside a data center or environment by separating the control logic from the devices that forward traffic. In simpler terms, S D N allows centralized logic to decide how traffic should flow, while network devices carry out those decisions. This can make networks easier to program, adapt, and segment, especially when workloads move around or scale quickly. The security advantage is that you can enforce consistent rules at a logical level rather than manually configuring every device in a fragile way. The risk is that if the central control plane is misconfigured, compromised, or poorly governed, you can create widespread impact very quickly because the network follows those centralized instructions. Safe deperimeterization treats the control plane as a high-value asset that requires strong access controls, monitoring, and careful change management.
Segmentation is one of the most practical and important safety tools in a deperimeterized world, because it replaces the idea of one big trusted internal network with many smaller zones that have clear boundaries. The basic goal is to limit how far an attacker can move if they compromise one system, and to limit what any one system can talk to by default. It helps to think of segmentation as building internal walls and doors, where the doors only open for the specific conversations that are actually needed. Beginners sometimes assume segmentation is only about separating departments or physical locations, but the deeper value is about separating risk. You might isolate systems that handle sensitive data, isolate systems that are exposed to the internet, isolate management interfaces, and isolate devices that cannot be trusted to be patched quickly. The more clearly you can define what each zone is allowed to do, the easier it is to detect abnormal movement and stop it early.
A related idea you will hear is microsegmentation, which pushes the segmentation concept down to smaller units, sometimes all the way to individual workloads or applications. Instead of saying all servers in a subnet can talk freely, microsegmentation tries to say only this specific service can talk to that specific database on this specific port, and everything else is blocked. This is powerful because it reduces the default “flat network” problem that attackers love, where one compromised server can scan and reach many others. The challenge is that very fine-grained rules require accurate understanding of normal communication patterns and careful maintenance as applications change. If your rules are too strict without a solid understanding, you can accidentally break legitimate business functions, which leads to people bypassing security out of frustration. Safe microsegmentation is usually built gradually, starting with visibility into traffic flows, then enforcing rules in stages so you improve security without causing chaos.
When you combine S A S E, S D-W A N, S D N, and segmentation, a helpful way to picture it is that you are redesigning how connections are built and controlled. Users and devices need secure access to applications and data wherever they are, the network needs to route traffic intelligently, and the security rules need to be enforced consistently and close to the action. Segmentation limits lateral movement inside environments, while access controls and policy enforcement govern who can reach what from the outside and from remote locations. The connection between these pieces is policy, which means the rules that decide what is allowed and what is blocked. If policy is inconsistent across locations, cloud environments, and remote users, attackers can look for the weakest spot and exploit it. So safe deperimeterization is less about buying a new architecture label and more about making policy consistent, testable, and enforceable across many paths.
It is also important to understand the performance and reliability motivations here, because security decisions do not happen in a vacuum. Many organizations moved toward these models because routing everything through one central office can create slow connections, unpredictable user experiences, and unnecessary complexity. If users experience constant delays, they look for workarounds, and workarounds often create security blind spots. A deperimeterized approach can reduce the temptation for shadow IT by making secure access convenient and fast enough that people will actually use it. But performance improvements should never be the only driver, because fast insecure access is still insecure. The safe approach is to design so that secure paths are also the easiest paths, and then measure whether people are actually using those paths in practice.
From a troubleshooting perspective, deperimeterization introduces new kinds of failure patterns that beginners should be ready to recognize. Instead of one firewall being the main decision-maker for traffic, there may be multiple enforcement points making decisions based on identity, device status, location, and application sensitivity. When a connection fails, it might be blocked because the user identity is not allowed, because the device is not compliant, because a segment boundary denies it, or because a routing policy sends traffic down a path that lacks the expected inspection. This can feel confusing at first, but it becomes manageable when you think in layers: who is the user, what is the device, what is the destination, what is the network path, and what policy applies. Good troubleshooting is about isolating which layer made the decision and why, rather than guessing randomly. Safe designs make that easier by keeping policies documented, keeping logs centralized, and avoiding one-off exceptions that no one remembers later.
Another safety lesson is that deperimeterization increases the importance of visibility, because distributed enforcement can hide problems if you do not collect and correlate what is happening. In older models, you might look at logs from one major gateway and get a decent picture of inbound and outbound activity. In newer models, there may be many edges and many enforcement points, so you need a consistent way to observe decisions and traffic behavior. Visibility is not just about collecting lots of data, but about collecting the right signals and being able to answer simple questions quickly, like why a user could not reach a resource, or why a workload suddenly started talking to a new destination. When visibility is weak, teams often respond to outages by loosening security controls, which is exactly the opposite of safe deperimeterization. The safer habit is to improve the ability to explain and predict policy behavior, so you can fix problems without turning off protection.
It is also worth focusing on governance and change control, because software-defined approaches can make changes easier to deploy, which is great until it becomes dangerous. If one person can push a policy update that affects many sites or many workloads, the blast radius of mistakes can be large. Safe design means you treat policy changes with the same seriousness as changes to critical software, including review, testing, and clear rollback plans. Beginners sometimes think governance is just paperwork, but in networking and security architecture, governance is how you prevent one misclick or one rushed change from becoming an organization-wide outage. Segmentation rules, routing rules, and access policies all need disciplined management because they directly shape what is reachable and what is not. When deperimeterization is done with discipline, it reduces risk and improves agility, but when it is done without discipline, it can create a fragile maze that breaks under stress.
As you pull these ideas together, a simple mental model can help you keep the story straight: reduce implicit trust, move enforcement closer to the interaction, and limit movement inside environments. The perimeter is not truly gone, it is multiplied and repositioned, and the safety of the design depends on how consistently you apply identity-based decisions and segmentation boundaries. S A S E provides a way to apply security services near users and cloud access points, S D-W A N provides flexible and policy-driven wide area connectivity, and S D N provides programmable control of network behavior inside environments. Segmentation, including microsegmentation, provides the internal boundaries that keep compromises from spreading like wildfire. If you remember that safe deperimeterization is about carefully replacing old assumptions with better ones, you will avoid the trap of thinking modern means less controlled. Modern done right means more controlled, just in a smarter and more distributed way.
