Let’s look at the facts: in 2012 over 80% of the ‘standard’ computing devices purchased by business were laptops. Also in 2012, the purchase of mobile ‘smart’ devices surpassed traditional PC sales. Enterprises are buying these devices because they require IT to be mobile, delivering the same solutions and information to the people who need it – employees, partners, contractors, and third parties – irrespective of location.
The fact is that a perimeter mentality – whether from a network (only our devices on our network), identity (users of our services must be a registered on our identity system), or security point of view (inside our network = trusted; outside our network = un-trusted) – is flawed thinking. More critically, such thinking still drives architectures and solutions that actively hinder businesses, re-enforcing the view that security’s role is to say ‘no’.
So if I chose to have a ‘traditional’ corporate network (and many of the most agile companies are actively choosing not to), would I still have a firewall between it and the internet? The answer is yes, but not as a ‘security’ device. If the business decides it needs an expensive private network with guaranteed performance, then we need to protect it from the ‘lumps’ on the internet, the packet storms, the script kiddies randomly firing packets and the automated programs. But in this new world you need to understand this is not a security boundary; this is purely to protect network performance. It’s a quality-of-service boundary – any decent attack will have a vector that traverses the perimeter or bypasses it entirely.
Inside the network, most IT people can only guess how many devices are currently on it. And unless they have an automated scanning regime in place, they will have no control over a reasonably large percentage of those devices. Putting a hacking ‘black-box’ on a corporate network is trivial work for most pen-testing companies.
The reality is, for companies that cling to the perimeter security myth, the internal network is less secure than the external network because internal applications, file servers and other devices are not as hardened (and in some cases not at all), and thus wide open to the insider attack.
From an application point of view, you need to have exactly the same security posture inside as you do outside of the corporate network, so that applications function exactly the same irrespective of their physical location or the device accessing it. In this new world it means optimal point-to-point (device to application) connectivity using native secure protocols, not VPN tunnels terminating at the corporate perimeter.
Identity systems and applications that consume identity information (that is, identity about the user, device, organization, location, etc., and not just the user) must be designed to understand the identity of all the relevant parts of the transaction chain and make an ‘entitlement’ decision (about access to network, systems, applications and data) based on multiple characteristics.
Architecting for such a de-perimeterized world not only delivers better security, more agile and business friendly solutions, but also lays the foundation for the transition to cloud-based services without the nightmare that accompanies employees bypassing both security and IT (because they’d just say ‘no’).
At the February 2012 RSA Conference in San Francisco, every keynote speaker reminded us that the “perimeter is dead”. Yet, going onto the show floor and talking to vendors, there were new solutions that “monitor your network” or “connect to your span port”, and when asked about a holistic solution that would monitor and secure all my employees and all my data irrespective of whether they were on the corporate network, I was often met with blank stares and un-comprehending sales people.
The time has come to write the perimeter’s obituary as a security boundary and move on. Security professionals need to grasp what ‘the perimeter is dead’ actually means, rather than trying to reinvent the perimeter (and even having these kinds of debates). They need to understand how architecting for no security perimeter provides better security, more agile solutions that will enable organizations, and will let tomorrow’s security professionals be the trusted business partners who say ‘yes’.
Paul Simmonds is a security consultant, a co-founder and board member of the Jericho Forum, a co-editor of the Cloud Security Alliance’s “Guidance” Version 3.0, and the ex-global CISO of both AstraZeneca and ICI (Imperial Chemicals PLC).