Shopping for Alternatives to Perimeter Security? Try an Invisible Infrastructure

August 6, 2015

Last week I hosted a webinar on The Software Defined Perimeter: Creating an Invisible Infrastructure where I looked at the traditional perimeter model for security and whether or not it’s still a viable method of threat protection.

The challenge is that we have entered an era in which perimeter defenses belong to the PAST, because of:

  • Phishing – adversaries already operating inside the perimeter
  • Assets – migration of applications and data to the cloud
  • Storage – small, high-capacity portable storage
  • Traversal – devices constantly crossing the boundary

Today’s network landscape is one of incredible complexity, with distributed applications, people, and data. Companies have taken the standard method of protection, the trusted private network, and applied hundreds or thousands of firewall rules and complex topologies to manage the chaos, while the relationship between the network and its users, applications and services grows ever weaker. Our expanding ecosystem has made the perimeter porous, irrelevant and infested with unsanctioned, insecure devices – smartphones, tablets, laptops and portable storage media. To complicate matters, in an increasingly distributed work environment, cyber threats are just as likely to come from inside the organization as from the outside.

Companies are shopping for new ideas

As a result, companies are shopping around for new ways to secure access to applications and services. Forward-thinking organizations such as AT&T, Coca-Cola, and Google have all made the news recently with their plans to move away from perimeter-based security solutions to cloud-based, virtualized infrastructures.

In the webinar I looked at three new models for security to consider as companies shop around: the Jericho Forum’s de-perimeterization, the Cloud Security Alliance’s (CSA) Software Defined Perimeter, and Forrester’s Zero Trust Model:

  1. De-perimeterization, developed by the Jericho Forum, says that protection should be specific and appropriate to the asset at risk, that security mechanisms must be pervasive, simple and scalable, and that you should assume context at your peril. But just de-perimeterizing isn’t enough, because zero-day threats aren’t going away anytime soon, compliance might be challenging, and allowing security software on mission-critical services will most likely come with issues.
  2. Software Defined Perimeter (SDP) – The SDP, a model developed by the SDP Working Group at the Cloud Security Alliance (CSA), is an approach that “combines on-device authentication, identity-based access and dynamically provisioned connectivity. While the security components in SDP are commonplace, the integration of the three components is fairly novel.” It advocates making resources dark until authorized and creates a dynamic perimeter around clients/apps/hosts. It mandates authentication only once a day. This could be problematic if you consider a scenario where you fly from Europe to the US during a single day. It is likely that the model will develop further, but there are some good suggestions that are worth adding to your cart.
  3. Zero Trust Model is a Forrester approach that “allows all users to access the network, but not all users to access all data, thus enabling mobility, high availability and the use of cloud infrastructure without compromise to security,” according to model author John Kindervag. The model suggests that all resources can be accessed securely regardless of location, and that organizations adopt a least-privilege strategy, strictly enforce access control, and inspect and log all traffic.

After reviewing these options, there are a number of key take-aways from these models that you should consider, including:

  • Device validation
  • Least privilege strategy
  • Re-perimeterize
  • Secure access regardless of location
  • Simple, scalable and pervasive security mechanisms
  • Dynamic perimeters
  • Dark until authorized
  • Centrally manage from a single console
  • Inspect/log all traffic
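As an added illustration (not Cryptzone’s or AppGate’s code), here is a toy Python policy gate that applies these take-aways: resources are dark by default, device validation and least-privilege entitlements are checked on every request, every decision is logged, and a context change such as the Europe-to-US flight mentioned above forces re-authentication instead of relying on a once-a-day login. The users, devices, resources and policy table are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class Device:
    device_id: str
    enrolled: bool         # known to the organization
    disk_encrypted: bool   # a minimal posture check

@dataclass
class Session:
    user: str
    device: Device
    country: str
    authenticated: bool = False

# Least privilege: each user sees only resources explicitly granted (constructed sample policy).
POLICY = {
    "alice": {"payroll-app"},
    "bob": {"wiki", "git"},
}

AUDIT_LOG: list = []   # "inspect/log all traffic": every decision is recorded, allowed or denied

def device_valid(dev: Device) -> bool:
    """Device validation: only enrolled devices that pass the posture check may connect."""
    return dev.enrolled and dev.disk_encrypted

def authorize(session: Session, resource: str) -> bool:
    """Dark until authorized: the resource is denied unless identity, device and entitlement all check out."""
    if not session.authenticated:
        reason = "not authenticated"
    elif not device_valid(session.device):
        reason = "device failed validation"
    elif resource not in POLICY.get(session.user, set()):
        reason = "no entitlement"   # an unknown resource looks the same as a forbidden one
    else:
        reason = "allowed"
    AUDIT_LOG.append(f"{session.user} {session.device.device_id} {session.country} {resource}: {reason}")
    return reason == "allowed"

def on_context_change(session: Session, new_country: str) -> None:
    """Re-authenticate when the client's context changes (e.g. a flight from Europe to the US),
    instead of trusting a once-a-day login for the rest of the day."""
    if new_country != session.country:
        session.country = new_country
        session.authenticated = False   # the dynamic perimeter closes until the user re-proves identity
```

Because the deny reason is logged but never returned to the caller, an unauthorized requester cannot tell whether a resource exists; that is what keeps the infrastructure dark.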

So how can you take advantage of these features?

The migration from where you are today to where you should be isn’t as scary as you think. Watch the webinar to learn more about these models and how the AppGate solution incorporates the best of them in a scalable solution that’s ready to go today. You don’t need the budget and resources of Google and Coca-Cola to start benefiting from a disruptive new approach to securing access. Learn how AppGate makes your application and server infrastructure effectively “invisible” and grants access only to authorized, verified users on a case-by-case, session-by-session basis.

Watch the webinar now.


Jamie Bodley-Scott

Jamie Bodley-Scott is the Technical Product Manager responsible for the identity and access management solutions offered by Cryptzone. He worked in a wide range of industries, including financial services, aerospace, automotive and mobile computing, before moving into IT security. He brings a wealth of accumulated experience in many disciplines (engineering, product and business development, and channel management) to the strategic team defining and driving the road map of Cryptzone's next generation of dynamic, identity-driven security solutions. Jamie graduated from London University with a degree in Electronic Engineering and holds a Diploma in Marketing.
