The New Cybersecurity Perimeter: Part 1
The concept of “securing the perimeter” goes back ages and is rooted in physical security. In its simplest form, it meant cordoning off an area with a physical barrier and controlling who crossed it, with measures ranging in sophistication from guards to fences and castle walls. In the early days of network computing, as the internet gained steam and it became clear that security measures were required to protect networks, data and systems, cybersecurity pioneers (the discipline definitely was not called that at the time) turned to these physical models for inspiration.
A Short History of Securing IT Perimeters
Thus, firewalls became the first perimeter-based defenses: organizations deployed them to build a virtual wall around their network and computing infrastructure. That infrastructure typically sat in the organization's owned or leased offices, in other business locations such as branch offices or factories, and in data centers. Along with antivirus software installed on PCs, firewalls were the primary defense mechanism.
At the time, many organizations effectively had what was jokingly referred to as “M&M security”: hard on the outside (the firewall) and a soft, gooey center (very few, if any, controls in the interior of the network). Over the next few decades, firewalls became more sophisticated to deal with new types of network traffic and more capable attackers, while additional controls were added to implement a “defense in depth” strategy. These include intrusion detection and prevention systems (IDS/IPS), sandboxing technology to detect malicious content in email and other network traffic, endpoint detection and response (EDR) tooling and more. The defense in depth model hardened the soft center of many networks and added detection capabilities that provide early warning once attackers have breached the perimeter.
How The Perimeter Shifted
At the same time, many organizations were exploring and adopting new computing models that placed much of their computing infrastructure and systems beyond that perimeter. The proliferation of Software as a Service (SaaS) and of Infrastructure and Platform as a Service (IaaS/PaaS) was largely responsible for moving systems and data outside the traditional perimeter. Some of this happened strategically, with IT departments planning and adopting the new computing models, while much of the transition happened organically, as business departments subscribed to new applications and stood up new services to support their needs. The result, in either case, is that in many organizations the systems and data that cybersecurity teams are tasked to protect sit outside the existing network-based perimeter and often beyond the team's direct control.
The New Perimeter: Identity
The massive shift by organizations to this new decentralized computing model was crisply defined by Fortune 100 CISO Jarrod Benson with the following key precepts:
- “The internet is our network.”
- “The cloud is our data center.”
- “Any device is a work device.”
Given the reality that most organizations are progressing down the path of these three precepts, Jarrod adds a fourth one to the mix: “therefore Identity is the New Perimeter”. The rush to enable “work from home” during the novel coronavirus pandemic, and the race that followed to implement appropriate cybersecurity controls for a reality in which anyone in the business may need access to any resource from anywhere, made it abundantly clear to most that the old network-based perimeter was finally dead.
In the next blog post, we will discuss the implications of this new reality for cybersecurity professionals, with a particular focus on what it means for identity management moving forward.