After the Perimeter: How a ‘Segment of One’ Simplifies and Improves Security
Major enterprise data breaches, initiated and executed by malicious attackers, seem to occur on a weekly basis. If we take a moment to step back and think about these breaches in the aggregate, we come to an interesting, and perhaps somewhat startling conclusion: the traditional perimeter-based approach to network security is failing to adequately protect organizations.
It is clear that a new approach is needed. One of the best recommendations for an alternative security architecture has come not from a security vendor or the government, but from an enterprise engaged in the security fight itself and trying to think radically differently about how to wage it. A white paper written by senior engineers at Google documented their BeyondCorp initiative, and it does an excellent job of outlining their view of the future of corporate networking. Google’s vision is essentially to eliminate the implicit trust that for years has been attached to internal private networks: access decisions are based on what is known about the user and the device, not on which network the request arrives from. By using more effective mechanisms for measuring trust and controlling access to corporate resources that sit on an untrusted network, the “trusted” internal network essentially disappears.
This approach is interesting – and potentially quite valuable – and is a refreshing contrast to the traditional security approaches of:
- Improving multi-factor authentication to make sure users are who they say they are
- Segmenting the network by adding more VLANs and firewall rulesets to reduce the attack surface
Now there is nothing wrong with multi-factor authentication – in fact, I’m a big fan of using it widely (but wisely, which is a topic for a future blog posting). The challenge comes as organizations try to stretch network access controls like VLANs and firewall rules into fine-grained, application-level access controls, a job they were never designed for. Misapplying security technologies this way increases network complexity, adds substantial operational cost for network teams, and can have the inadvertent effect of actually reducing security.
Specifically, when you add more complexity to a network it has three unintended effects:
- New vulnerabilities surface, because it becomes impossible for engineers to manage this level of complexity and identify every hole in cascading firewall rulesets (a broad allow added early in the chain silently overrides a narrower deny added later).
- Too much VLAN segmentation and onerous firewall rulesets can hurt business-user productivity (i.e. inadvertently blocking valid users from resources they should have access to).
- Audit and compliance reporting, already an onerous task, becomes harder still, since proving who can reach what requires reasoning through the whole rule chain.
In today’s threat landscape, the fact that once inside the perimeter, legitimate users (or intruders masquerading as authorized users) can roam freely is simply no longer acceptable. Beyond the limitations of traditional tools, another problem is that in many organizations network permissions are defined in isolation from application and business stakeholders, so rules are written per subnet or VLAN rather than per application dependency, which leads to overly generous permissions. This gap is one cybercriminals are well aware of and routinely leverage for lateral movement once they have established a foothold.
The take-away from all this? Quite simply, a traditional perimeter-centric, VLAN- and firewall-based approach cannot be used effectively to securely manage today’s complex corporate networks. We need a new way to apply the principle of least privilege: corporate networking in which network access is derived directly from the permissions an application actually needs, so that the two are in complete alignment, and which provides the high-fidelity, per-workload access controls that are needed today.
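To make the argument of the three points above concrete, here is an added example (not code from the original post or from any vendor product) that contrasts a constructed, VLAN-style first-match ruleset with a “segment of one” policy derived from the application’s own dependencies. The hosts, addresses, ports and rules are all constructed for illustration. It shows the hole the text describes (a broad VLAN-to-VLAN allow that shadows a later, narrower deny), enumerates every flow the network permits that the application never asked for, and checks that the per-workload policy permits exactly the required flows and nothing else.

```python
"""Added example: a constructed VLAN/firewall ruleset versus a ruleset derived
from application dependencies. Hosts, addresses, ports and rules are all
constructed; none of this comes from the original post."""
import ipaddress
from dataclasses import dataclass
from itertools import permutations
from typing import List, Optional, Set, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address
Flow = Tuple[str, str, int]  # (source host, destination host, destination port)


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: Net
    dst: Net
    port: Optional[int]  # None matches any destination port


def net(s: str) -> Net:
    return ipaddress.ip_network(s)


# Constructed topology: web and app share a VLAN, the database sits in another.
HOSTS = {"web": Addr("10.0.1.10"), "app": Addr("10.0.1.20"), "db": Addr("10.0.2.10")}

# What the application actually needs (constructed): web -> app, app -> db.
APP_FLOWS: Set[Flow] = {("web", "app", 8080), ("app", "db", 5432)}
PORTS = sorted({p for _, _, p in APP_FLOWS})

# Constructed VLAN-style ruleset, evaluated first match, implicit final deny.
# Rule 1 was added so the app tier could reach the DB tier; rule 2 was added
# later to stop the web server reaching the DB directly, but rule 1 already
# matches that traffic, so rule 2 never fires.
VLAN_RULES = [
    Rule("allow", net("10.0.1.0/24"), net("10.0.1.0/24"), None),    # intra-VLAN
    Rule("allow", net("10.0.1.0/24"), net("10.0.2.0/24"), None),    # app VLAN -> db VLAN
    Rule("deny",  net("10.0.1.10/32"), net("10.0.2.10/32"), 5432),  # block web -> db
]


def evaluate(rules: List[Rule], src: Addr, dst: Addr, port: int) -> str:
    """First-match evaluation with an implicit final deny."""
    for r in rules:
        if src in r.src and dst in r.dst and (r.port is None or r.port == port):
            return r.action
    return "deny"


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule covers
    their whole match space (same or broader src, dst and port)."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and (earlier.port is None or earlier.port == later.port)):
                out.append(j)
                break
    return out


def derive_rules(flows: Set[Flow], hosts: dict) -> List[Rule]:
    """Segment-of-one policy: one /32 -> /32 allow per application flow."""
    return [Rule("allow", net(f"{hosts[s]}/32"), net(f"{hosts[d]}/32"), p)
            for s, d, p in sorted(flows)]


def excess_flows(rules: List[Rule], hosts: dict, flows: Set[Flow], ports: List[int]) -> Set[Flow]:
    """Flows the network permits that the application never asked for."""
    allowed = {(s, d, p)
               for s, d in permutations(hosts, 2) for p in ports
               if evaluate(rules, hosts[s], hosts[d], p) == "allow"}
    return allowed - set(flows)


SEGMENT_RULES = derive_rules(APP_FLOWS, HOSTS)

if __name__ == "__main__":
    print("shadowed VLAN rules:", shadowed_rules(VLAN_RULES))
    print("web -> db:5432 under VLAN rules:",
          evaluate(VLAN_RULES, HOSTS["web"], HOSTS["db"], 5432))
    print("excess under VLAN rules:",
          sorted(excess_flows(VLAN_RULES, HOSTS, APP_FLOWS, PORTS)))
    print("excess under segment-of-one rules:",
          sorted(excess_flows(SEGMENT_RULES, HOSTS, APP_FLOWS, PORTS)))
```

Under the VLAN ruleset the later deny is reported as shadowed, the web server can reach the database on 5432, and six flows are permitted that the application never needed. The derived per-workload rules permit exactly the two required flows, which is also the property an auditor would want to verify: the policy can be checked against the application dependency list directly rather than by reasoning through a rule chain.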
Download our latest white paper to help you rethink your approach to network access and how a ‘segment of one’ can simplify and improve your security.