October 5th, 2015 by Robert Quiros
In the wake of ongoing data breaches, organizations are spending more money to ensure their networks and applications – and the data they possess – remain secure. After the Target breach, 61 percent of organizations increased their security budgets by an average of 34 percent in 2014, according to a study conducted by the Ponemon Institute.
In the words of RSA President Amit Yoran, despite the addition of a wide variety of sophisticated security appliances, security detection approaches and remediation techniques, “Security has failed.” The network perimeter has failed to fulfill its mission of keeping the bad guys out of the enterprise infrastructure despite the numerous improvements and fortifications added to it over time. So what has gone wrong?
The network perimeter architecture originated in a time when the majority of users were inside the physical enterprise, on the same LAN as the resources they were accessing. The perimeter was designed to keep the bad of the Internet out while allowing users inside to access resources outside. Enterprises now operate with an “Outside-In” access model, where most users – badged employees, contractors and third parties – gain access to on-premise and cloud corporate network and computing resources from the outside – from the Internet. Albeit slowly, the access model has flipped and the perimeter has broken.
Yesterday’s Enterprise was Inside-Out
The concept that there is a controlled “inside” environment where valuable data and resources live, and an “outside” wild west, is a fundamental of security. There must be a boundary, a perimeter, between out and in. When the majority of network users were “inside” the enterprise, both physically (as in they were working from a corporate office) and logically (as in they were on the local LAN) using applications like Oracle, Exchange, or SharePoint via their internal network, the perimeter was solid. In the Inside-Out Enterprise access was simple, since everyone had to be on the LAN. Remote users were a small minority, accessing the network via VPN that punched a hole through the perimeter. However, because their numbers were so small, it was easy to keep the holes in the firewall guarded.
Today’s Enterprise is Outside-In
The move to the cloud, popularity of mobility and the sharing economy has created a new normal – the Outside-In Enterprise. Instead of most users being on the inside, most users come in from the outside. This shift is driven, in part, by globalization, e-commerce and collaboration requirements that motivate corporate networks to open up their network and computing resources to partners, contractors and other third parties at an unprecedented rate.
But beyond third parties, employees have also become outsiders. Increasingly, badged employees are not anchored to a desk in an office, and some don’t have an office at all. Every employee that uses their iPhone or iPad from an airport, coffee shop or home office via the Internet to access internal corporate applications is by-passing the company firewall and is, in essence, an outsider.
In addition to badged employees, there is also new breed of ad-hoc employee at the center of the sharing economy, the micro-entrepreneur. These independent contractors, who work for one or more Web-enabled companies like Uber, Lyft, Chegg or Airbnb, not only don’t have an office, they use personal devices to access multiple corporate networks. The result: a third party, casual ‘employee’ who uses a personal device on multiple enterprise production networks.
The Network Perimeter: Slowly Boiled Like the Frog
The outside-in flip has progressed slowly over time leading enterprise IT departments to respond slowly with incremental shifts in security strategy. With increasing amounts of outside-in traffic enterprises opened more and more holes in the perimeter firewall to let all these outsiders in. The perimeter became porous, and breaches have become common because there are too many holes to guard. As the number of holes grew, the attack surface presented to the Internet increased, and the ability for IT and security teams to manage long and complicated access policies degraded.
The frog wasn’t boiled yet. Enterprise IT teams responded by deploying two strategies: “defense-in-depth” and “extend-the-perimeter”. With defense-in-depth the network firewall was fortified with IDS/IPS, DLP, WAF, and other products, to catch ever more bad stuff trying to get through. With “extend-the-perimeter” the strategy was to establish trust with users and endpoints on the Internet before granting access to the network. Technologies like NAC (Network Access Control), and more recently Mobile Device Management (MDM) or Enterprise Mobility Management (EMM), have sought to basically take the users on the outside and bring them back inside.
Like the ever-expanding set of firewall rules, each new product added to the perimeter added complexity and overhead to manage policy. Similarly, with the growing number of Internet enabled devices, extending the perimeter to establishing trust with user devices is a losing battle. The perimeter today is so complex to manage that in many cases it can take IT teams months to make simple changes to accommodate new business needs. Yet, breaches continue at an increasing rate. The perimeter is broken. The frog is boiled.
A Radical New Approach is Needed to Fix the Perimeter
Perimeter security designed for the Inside-Out enterprise doesn’t work for today’s Outside-In enterprise. Security and IT teams need a radically better approach to address the challenges of today’s Outside-In enterprise. We built Soha Cloud to be that radically better solution.