December 11, 2015

The perimeter isn’t going to die, it’s going to spawn

“The perimeter is going to die!”

We’ve been hearing the “death of the perimeter” cry from the security industry for years, but we think it is overstated.

Instead we believe the perimeter is going to be reshaped into something new: micro-perimeters, the practice of cordoning off sections of a system so that a weakness in one segment cannot turn into a compromise of the whole.

The way businesses operate today, with a heavy emphasis on cloud services and on personal- or corporate-owned mobile devices, employees require multiple entry points through the perimeter. These may include Wi-Fi access for oftentimes unmanaged mobile devices, open ports for web service integrations, VPN access for contractors, and more. It is becoming harder and harder for IT departments to truly control what moves in and out of the perimeter.

The problem is that today’s “perimeter” is like a locked fence around a house whose doors have no locks. There are many entrances in the fence: the front gate, the back gate, maybe a side entrance into the garage. All of these are locked, but there may also be entrances nobody accounted for, such as a loose slat, a tunnel underneath, or a really good lockpick set. A criminal who gets through any of them suddenly has free run of the house: the filing cabinets, the desk drawers, the more obvious TVs hanging on the wall are all within arm’s reach.

We call this the “juicy core”: the center of the perimeter, which becomes totally compromised if the perimeter is broken at any point. An attacker who breaks through one section of the perimeter can move almost without obstruction throughout the system, accessing whatever data she wants.

The new perimeter, however, is more like the house with the fence, but this time, the house is locked. The rooms in the house are locked. There’s a guard dog sitting in front of the jewelry cabinet. Sure, if the attacker breaks through the fence, she might get access to your lawn decorations, but she’ll be faced with many other locks to pick if she can even make it through the first door.

Micro-perimeters envelop and protect the individual segments of the larger system (applications, data stores, and so on), and each segment can carry its own policy, tuned to how sensitive the information inside it is.
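To make the difference concrete, here is an added example (not code from the original post) that models a small constructed enterprise as segments with allow-listed flows and computes the blast radius of a foothold under a flat perimeter versus default-deny micro-perimeters. The segment names, sensitivity tags, and the JUSTIFIED_FLOWS sign-off list are assumptions chosen for illustration; the lint at the end checks the per-segment policy idea by flagging any flow into a high-sensitivity segment that nobody has explicitly justified.

```python
from collections import deque

# Constructed example topology (not from the original post): each segment of
# a small enterprise tagged with the sensitivity of what it holds.
SENSITIVITY = {
    "guest-wifi": "low",        # unmanaged personal devices
    "contractor-vpn": "low",    # third-party remote access
    "web-app": "medium",        # public web tier
    "file-share": "medium",     # shared project documents
    "app-db": "high",           # the "juicy core": customer data
    "hr-records": "high",       # the jewelry cabinet
}
SEGMENTS = frozenset(SENSITIVITY)

# Flows into a high-sensitivity segment that a named owner has signed off on.
# Anything else reaching "high" is flagged by the lint below. (Assumed values.)
JUSTIFIED_FLOWS = {
    ("web-app", "app-db"): "app tier reads and writes its own schema",
}


def flat_policy():
    """The old perimeter: once past the fence, any segment may connect to any other."""
    return {src: set(SEGMENTS - {src}) for src in SEGMENTS}


# Micro-perimeters: default deny, each segment allow-lists only the flows it needs.
MICRO_POLICY = {
    "guest-wifi": {"web-app"},         # guests see the lawn decorations only
    "contractor-vpn": {"file-share"},  # contractors reach the share they work on
    "web-app": {"app-db"},             # the app tier talks to its own database
    "file-share": set(),
    "app-db": set(),
    "hr-records": set(),
}


def reachable(policy, foothold):
    """Breadth-first walk over allowed flows: every segment an attacker who
    has compromised `foothold` can pivot into (the foothold itself included)."""
    seen = {foothold}
    queue = deque([foothold])
    while queue:
        current = queue.popleft()
        for nxt in policy.get(current, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def exposed(policy, foothold, level="high"):
    """Segments of the given sensitivity an attacker at `foothold` can reach."""
    return {s for s in reachable(policy, foothold) - {foothold}
            if SENSITIVITY[s] == level}


def unjustified_flows(policy):
    """Lint a policy: every allowed flow into a high-sensitivity segment must
    appear in JUSTIFIED_FLOWS. Returns the offending (src, dst) pairs, sorted."""
    return sorted(
        (src, dst)
        for src, dsts in policy.items()
        for dst in dsts
        if SENSITIVITY[dst] == "high" and (src, dst) not in JUSTIFIED_FLOWS
    )


if __name__ == "__main__":
    for name, policy in (("flat", flat_policy()), ("micro", MICRO_POLICY)):
        for foothold in ("guest-wifi", "contractor-vpn"):
            print(f"{name:5} foothold={foothold:14} reach={len(reachable(policy, foothold))}"
                  f" high-exposed={sorted(exposed(policy, foothold))}")
        print(f"{name:5} unjustified flows into high segments: "
              f"{len(unjustified_flows(policy))}")
```

Under the flat policy a foothold on guest Wi-Fi reaches every segment, including both high-sensitivity stores. Under the micro-perimeter policy the same foothold reaches only the web tier and, through the one justified flow, the application database; HR records are unreachable from either low-trust foothold. That remaining web-app to app-db path is the point of per-segment policy: it is the one door the attacker can still try, so it is where the next lock (the application's own authentication and input handling) has to hold.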

The existing perimeter will crumble, but it will be reformed into stronger, smaller perimeters that turn what was once a one-and-done attack into a major obstacle course.
