The original idea of a network perimeter is based on the notion that an organization’s internal information assets—hardware devices, hosts, applications, and data—can be protected from outside threats coming from third parties and public networks. It’s the idea that there is a clearly defensible boundary between the information and assets your organization needs to keep safe and those who could harm you, purposefully or not. It’s the belief that network security solutions (like firewalls and anti-malware) can protect what is inside this boundary from the big, bad outside world.
The concept of a network perimeter mattered because it was the best way to defend your information assets. But what does your network really look like right now? If it’s a typical organization and network, you are dealing with issues like this:
- Your internal users are not simply connecting from inside your building, network, or inner circle. They are connecting from external networks and using mobile devices to access internal resources.
- Your data and applications are no longer housed on servers you physically own control, and protect—data warehouses, cloud computing, and anything-as-a-service present access and security challenges for both your internal and external users.
- Web services have opened a wide door to the world outside your trust boundaries—to serve a multitude of clients, or simply to communicate with other services, both internal and external to the organization.
Once you start thinking about all the needs your network meets and users it serves in this modern, data-centric, interconnected new world, it is easy to see that a network perimeter is an outdated concept. And very easy to understand why perimeter based defenses are failing: Because there is no perimeter to defend.
Many organizations, especially older or legacy enterprises, are struggling to adapt systems, behaviors, and security protocols to this new-ish and ever evolving network model. Outdated beliefs about the true nature of the network and the source of threats put many organizations, their information assets, and their customers, partners, and stakeholders at risk.
What used to be carefully monitored, limited communication channels have expanded into an ever changing system of devices and applications. These assets are necessary for your organization to do business—they are what allow you to communicate, exchange data, and make business decisions and are the vehicle with which your organization's runs the business and delivers value to its clients.
The final blow to the myth of the defensible network boundary is the current nature of software development and deployment. Rapid development cycles and need for short iterations require that the entire development process is broken into architectures like micro-services that can be quickly enhanced and updated, reducing time from development to production. No longer are developers or organizations creating large, monolithic applications with identifiable access points and that are able to be updated in their entirety.
How can you realistically provide application protection in a perimeter-less world?
There are two key pieces of information to keep in mind. First, accept that there is no single defensible boundary between your internal assets and the outside world. And second, understand that individually protecting each software, service, or asset is neither efficient nor effective, and definitely not practical.Here are the four critical areas to focus on:
- Strong authentication to allow controlled access to your information assets; to ensure you provide access only for known and trusted users, devices, and applications.
- Hardening of mobile and IoT devices that connect to your network.
- Embedding enhanced security services inside applications – through your own development efforts, or via third party technologies like runtime application self-protection (RASP).
- Collecting security intelligence directly from applications and their hosts.
In the real, connected world of today the concept of a network perimeter is quaint and old fashioned at best, dangerous to your organization at worst. Whether your organization is adapting from the old model or was built in and shaped by this new, perimeter-less world, it’s time to admit that the idea of a clear network boundary is outdated and that traditional network security tools alone cannot protect your information assets. This new world of networking requires a new approach to security, one based on the reality of this new world order.