The Cyber Security ‘Perimeter:’ Has It Simply Vanished?
The concept of the “perimeter” is something that has long intrigued security practitioners. For eons, it seems, they fought against emerging malware strains and external threats to fortify a network’s interior. But is that castle-and-moat strategy a thing of the past?
When firewalls were deployed to bolster an enterprise’s security, it was the right rationale: isolate threats, act against them and make the inner workings of the enterprise flow as smoothly as possible. Yet security has evolved in recent years, to the point where “insiders” gain elevated access to critical systems and data, or privileged users fall victim to various phishing offensives aimed at cracking the proverbial code into the crown jewels. With threats propagating, and new vectors emerging almost as quickly, do these practitioners have to rethink their objectives?
The advent of cloud computing and mobile technology, along with practices such as bring your own device (BYOD), has forced security professionals to approach their defense from a different angle.
Always at the back of their mind, it seems, lies the threat of a mega-breach – meaning immediate impact on the bottom line, tarnished brand reputation and all other components of a “crisis.” However, practices such as Identity and Access Management (IAM), Privileged Access Management (PAM), User Behavior Analytics (UBA), and more, have become crucial for the day-to-day operations of the security operations center (SOC). One must protect the entire grounds instead of simply ensuring that the moat is sufficiently soggy.
In a recent episode of “Task Force 7 Radio,” as recapped on the Cyber Security Hub, host George Rettas spoke with Securonix CEO Sachin Nayyar, and CTO Tanuj Gulati, about the swift expansion of the insider threat.
Nayyar said, “We’ve come a long way (with insider threat detection). But I preface that by saying we still have a long way to go.” The CEO said that more insider threat teams must become aligned with the core SOC as the threats intensify.
Clearly, much more forward thinking, analysis and preparation are needed today, in an age where threat actors can skim the moat and go right for the treasure trove.
Trust No One?
So, enter a model that has steadily transformed enterprise security: Zero Trust. Implemented with specific technologies (IAM and PAM included), along with an intense focus on analytics, encryption, governance, etc., Zero Trust involves the idea that nothing should be trusted, and everything should be validated before being granted access to the network.
Giacomo Collini, Director of Information Security for King.com (“Candy Crush”), previously told the Cyber Security Hub that Zero Trust is “key to enable companies to transition to a pure-cloud environment.”
Implementation, he said, requires “a holistic approach” and it “does not admit mistakes.”
Has the perimeter, and a layered approach, vanished in one fell swoop, then? Not according to Collini. “Layered controls still make sense but they must be carefully designed to avoid unnecessary complexity, loss of focus and hidden cracks,” he said.
Experts Give Their Take
Where do other security practitioners stand on this significant issue?
Russell Walker, CISO for the Mississippi Secretary of State, told the Cyber Security Hub that “the perimeter in the traditional sense has disappeared. The network itself is no longer a static environment we can put barriers around, have a guard at the gate and say, ‘Now we are protected.’”
Because of cloud computing and BYOD, Walker said, “you cannot provide security using a model that was designed for a much more static and enclosed environment.”
Walker called the Zero Trust Model, or the least amount of permissions and access, “the first stage of evolution in network security in the fight against today’s threats.”
Walker also cautions against the belief that Zero Trust is simply technology and policies. “It involves changing the way IT staff and the end-users think and approach their environment.”
A Decades-Long Transition
Information security executive Candy Alexander told the Cyber Security Hub that the transition away from the castle-and-moat approach actually began in the late 1990s, with the introduction of “partner networks.”
She added, “The perimeter further blurred into disappearing with BYOD and of course the cloud. So, I would say that the perimeter has disappeared, and some time ago.”
With regard to the resource-intensive Zero Trust Model, Alexander said it can and should be applied to critical data in a system. “It’s actually the foundation of PCI/DSS and arguably the new GDPR requirements. It further supports the ‘protect down to the lowest variable’ approach – the object.”
Know Before You Trust
Erich Kron, Security Awareness Advocate with KnowBe4, told the Cyber Security Hub that “we need to treat (the perimeter) as something that is more of a dynamic entity.”
Kron acknowledged that today, the perimeter could extend as far as a remote worker. Then, with cloud-based services, another point of ingress and egress emerges.
The advocate credited easily deployed remote-access VPNs, high-speed Internet and cloud services with the rapid expansion of remote workers. Because of that, access rights become more “intentional.”
“This is a major challenge for many organizations, as frankly, we have struggled for years to effectively deploy the principle of least privilege in static environments without the complexity of multiple points of ingress, egress and data access,” he said.
Kron called Zero Trust a “great way to start thinking differently about current processes.” He also pushed for more employee awareness with regard to WiFi networks and weak passwords, and stressed the importance of multi-factor authentication (MFA).
These principles, it seems, will help set a new perimeter, or revise the “old” one!