u/PhilipLGriffiths88

CSA SDP Guide v3: Zero Trust should control reachability, not just access

I was the lead author on the new Cloud Security Alliance's Software-Defined Perimeter Architecture Guide v3.0.

The biggest point, in my view: Zero Trust should not only decide who can access a resource after it is reachable. It should decide whether that resource should be reachable at all.

SDP v3 moves beyond “better VPN” framing into identity-first reachability: authenticate and authorize before connect, make services dark by default, and bind connectivity to identity, posture, policy, and named services.

That matters more now because Zero Trust is expanding beyond users and apps into workloads, OT/IoT, service-to-service, and agentic AI flows.

Curious how others here see SDP fitting alongside ZTNA, microsegmentation, service mesh, and AI security.

Here is a blog which summarises the work, and why we did it - https://cloudsecurityalliance.org/blog/2026/05/11/deep-dive-into-the-software-defined-perimeter-sdp-guide-v3

u/PhilipLGriffiths88 — 8 days ago