Shopping for Alternatives to Perimeter Security? Try an Invisible Infrastructure
Last week I hosted a webinar on The Software Defined Perimeter: Creating an Invisible Infrastructure where I looked at the traditional perimeter model for security and whether or not it’s still a viable method of threat protection.
The challenge is that we have entered an era in which perimeter defenses belong to the past, because of:
- Phishing – adversaries already operating inside the perimeter
- Assets – migration to the cloud
- Storage – small, high-capacity portable storage
- Traversal – devices that routinely cross the boundary
Today’s network landscape is one of incredible complexity, with distributed applications, people, and data. Companies have taken the standard method of protection, the trusted private network, and applied hundreds or thousands of firewall rules and complex topologies to manage the chaos, while the relationship between the network and its users, applications and services grows ever weaker. Our expanding ecosystem has made the perimeter porous, irrelevant and infested with unsanctioned, insecure devices – smartphones, tablets, laptops and portable storage media. To complicate matters, in an increasingly distributed work environment, cyber threats are just as likely to come from inside the organization as from the outside.
Companies are shopping for new ideas
As a result, companies are shopping around for new ways to secure access to applications and services. Forward-thinking organizations such as AT&T, Coca Cola, and Google have all made the news recently with their plans to move away from perimeter-based security solutions to cloud-based, virtualized infrastructures.
In the webinar I looked at three new security models to consider as companies shop around: the Jericho Forum’s de-perimeterization, the Cloud Security Alliance’s (CSA) Software Defined Perimeter, and Forrester’s Zero Trust Model:
- De-perimeterization, developed by the Jericho Forum, says protection should be specific and appropriate to the asset at risk, security mechanisms must be pervasive, simple and scalable, and that you should assume context at your peril. But de-perimeterizing alone isn’t enough, because zero-day threats aren’t going away anytime soon, compliance might be challenging, and allowing security software onto mission-critical services will most likely come with issues.
- Software Defined Perimeter (SDP) – The SDP, a model developed by the SDP Working Group at the Cloud Security Alliance (CSA), is an approach that “combines on-device authentication, identity-based access and dynamically provisioned connectivity. While the security components in SDP are commonplace, the integration of the three components is fairly novel.” It advocates keeping resources dark until a client is authorized and creates a dynamic perimeter around clients/apps/hosts. It mandates authentication only once a day. This could be problematic if you consider a scenario where you may fly from Europe to the US during a single day. It is likely that the model will develop further, but there are some good suggestions that are worth adding to your cart.
- Zero Trust Model is a Forrester approach that “allows all users to access the network, but not all users to access all data, thus enabling mobility, high availability and the use of cloud infrastructure without compromise to security,” according to model author John Kindervag. The model suggests that all resources can be accessed securely regardless of location, and that organizations adopt a least-privilege strategy, strictly enforce access control, and inspect and log all traffic.
After reviewing these options, there are a number of key take-aways from these models that you should consider adopting:
- Device validation
- Least privilege strategy
- Secure access regardless of location
- Simple, scalable and pervasive security mechanisms
- Dynamic perimeters
- Dark until authorized
- Central management from a single console
- Inspect/log all traffic
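To make the SDP description above and these take-aways concrete, here is an added illustration (not code from the webinar or from the AppGate product) of a minimal SDP-style gateway policy: a request is only answered once both the device and the identity are validated, access is granted per service on a least-privilege basis, each grant is a short-lived session, and every decision is logged. The policy table, device registry and user names are constructed sample data.

```python
"""Minimal SDP-style access decision: validate device and identity first,
provision a per-service session only when policy allows, log everything."""
from dataclasses import dataclass, field
import secrets
import time

# Constructed sample least-privilege policy: identity -> services it may reach.
POLICY = {"alice": {"crm", "wiki"}, "bob": {"wiki"}}
# Constructed sample device registry: only validated devices may participate.
VALID_DEVICES = {"laptop-0042", "laptop-0107"}
SESSION_TTL = 3600  # seconds; sessions are re-authorized, not open-ended


@dataclass
class Gateway:
    policy: dict
    valid_devices: set
    sessions: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def request_access(self, user, device, service, now=None):
        """Return a session token if authorized, else None.
        None models the 'dark' behaviour: the gateway sends no reply at all,
        so an unvalidated client cannot even learn that the service exists."""
        now = time.time() if now is None else now
        if device not in self.valid_devices:
            return self._drop(user, device, service, "unknown device")
        if service not in self.policy.get(user, set()):
            return self._drop(user, device, service, "not permitted by policy")
        token = secrets.token_hex(16)
        self.sessions[token] = {"user": user, "device": device,
                                "service": service, "issued": now}
        self.audit.append(("ALLOW", user, device, service))
        return token

    def _drop(self, user, device, service, reason):
        self.audit.append(("DROP", user, device, service, reason))
        return None

    def authorize_session(self, token, service, now=None):
        """Per-session check: the token must exist, be bound to this
        exact service, and be younger than SESSION_TTL."""
        now = time.time() if now is None else now
        sess = self.sessions.get(token)
        if sess is None or sess["service"] != service:
            return False
        if now - sess["issued"] > SESSION_TTL:
            self.sessions.pop(token, None)  # expired: client must re-authenticate
            return False
        return True
```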
So how can you take advantage of these features?
The migration from where you are today to where you should be isn’t as scary as you think. Watch the webinar to learn more about these models and how the AppGate solution incorporates the best of them in a scalable solution that’s ready to go today. You don’t need the budget and resources of Google and Coca Cola to start benefiting from a disruptive new approach to securing access. Learn how AppGate makes your application and server infrastructure effectively “invisible” and grants access only to authorized, verified resources on a case-by-case, session-by-session basis.