It is fairly well known that most computer networks have a tough exterior, but are actually weak on the inside. Firewalls and anti-intrusion devices make for a hard shell, but the security isn’t quite as stringent as it perhaps should be throughout. Administrators often think – incorrectly – that internal infrastructure is more trustworthy.
In reality, once an attacker gets past the hard exterior of the network, either through a phishing attack or by exploiting a known vulnerability in the external infrastructure, stealing data becomes much easier. This is because most companies typically allocate up to 80% of their IT security budget to the perimeter's inbound and outbound security (known as north-south traffic) rather than to lateral (east-west) traffic across the internal network.
Businesses and administrators often rely on such a hardened perimeter to reduce the workload of having to patch internal servers – server patching consumes work cycles, and some IT administrators may feel that patching takes up considerable time for limited reward.
The risk is compounded by the fact that centralised management, which has served so well in the past, has limited ability to adapt to today’s hyper-mobile world and the challenges this brings. The change in business practices and explosion of short-term freelance and external contractors who use their own devices – such as tablets, laptops and smartphones, all with different operating systems and masses of different configurations – present an administrative challenge.
It takes just one weakness in one client for the whole system to crack wide open in a centralised management infrastructure.
Any particular device may not be fully patched, and it is not always feasible to install a virtual private network (VPN) client and lock down configurations on users' personal devices. Beyond the security of the devices themselves, a substantial amount of infrastructure is now built around supporting cloud applications.
There is also a lot to say about cloud infrastructure, which has changed how users consume data, especially when multicloud providers are added to the mix. But the old way of using a VPN to access a corporate network then jump out to a cloud service on the internet slows down the user experience, as well as increasing bandwidth usage and cost. It makes more sense for the user to go directly to the destination cloud service rather than through a VPN or corporate network.
One answer to this conundrum is perimeterless security, which aims to address the shortcomings of VPNs while enabling mobility and access to cloud services. It is about ensuring integrity and security, while enabling the business to do business. Put simply, it is a whole new paradigm that revolves around security at each point of connectivity and every device, rather than relying on the perimeter. Google has been a leader in this field, assuming the associated risks and rewards.
Perimeterless security is about the user and their identity, not the technology. Putting the user at the centre of establishing security is the cornerstone of perimeterless security. Being able to truly identify and authenticate a user on demand is the first step on the perimeterless journey, and this requires a rethink with regard to passwords.
Legacy authentication methods, such as a single password-based login to the corporate network, are subject to theft from phishing or from breach incidents. Frequently, users re‑use the same passwords, which negates the security measures IT puts in place. This means further security measures are required to be sure that a user logging in is truly who they say they are.
Adopting two-factor authentication (2FA) is a first step into retiring the single-password concept and negating its liabilities. It is also the first step on the perimeterless network security journey.
Google recently reported that once it introduced a 2FA device to supplement its log-in process, the success of phishing attacks fell to zero. Put into context, that is unheard of in large businesses where sustained attacks are frequent.
Hardware tokens such as the YubiKey and those from other hardware 2FA token manufacturers provide the ability for the user to unquestionably prove who they are. Many of the top platform-as-a-service (PaaS) providers, such as Workforce, Microsoft Office 365 and Google for Business, provide native support for hardware identity tokens.
Beyond two-factor authentication, it is also best practice to log everything. Logs are key to being able to understand what is happening on the network at any given time.
It is also important to differentiate between company-owned devices and bring-your-own devices (BYOD) as they have to be treated appropriately, depending on which category they fall into. Management and control policies applied to corporate-supplied devices and personal devices should differ.
Verifying the user is an important first step, but equally important is the integrity of the local device. The cleanliness of the device can be enforced through management profiles. Enforcing modern virus scanners, anti-malware and minimum software levels helps ensure the device is less likely to be compromised.
These management policies should also ensure full disk encryption is enabled on the device, and that only approved applications are installed. Unknown and unauthorised devices present a serious risk in any environment, and the infrastructure should have the ability to recognise and react to them. Paired with intelligent systems, a perimeterless network security set-up can react much more quickly than traditional administrators and help block data loss and questionable devices on the infrastructure.
Intelligent management infrastructure
While still in its relative infancy, anomaly detection is what makes the whole perimeterless security scenario possible. For example, a user based in Manchester who suddenly starts logging in from Nebraska would potentially be flagged in such a system as “anomalous behaviour” and would be marked as untrustworthy.
Over time, such systems can establish a “pattern of life” associated with the device and user. The more data such a management system has, the better it gets at making decisions. These systems learn normal behaviour, so any variation from what is considered normal may set off warning signals. The anomaly detection system tests various criteria to ascertain the trustworthiness of the device and the user. This trustworthiness score is then used to grant or deny access to a particular network resource.
This backbone is what most people would recognise as perimeterless security, and both user rights and device behaviour feed into it. Security decisions are based on several variables, such as the trustworthiness, location, reputation and past history of the source network. A simple example: access to lower-level infrastructure might be trusted from a semi-public network, while access to the internal, sensitive infrastructure that contains personally identifiable information or other sensitive data would not be allowed from it.
Another example of how perimeterless security improves security is that external networks have a reputation: login activity from a server farm in a colocation facility, for example, should set alarm bells ringing, since an ordinary user would not normally log in from a datacentre.
It’s all about the small details that make up the bigger picture.
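The trust-scoring backbone described above, as an added example that is not code from the article or from any product it mentions. It combines the three inputs the text discusses (a verified second factor, device posture against the management policy, and context such as source-network reputation and a pattern-of-life check for impossible travel) into one score, compares it to a per-resource threshold, and logs every decision. All point values, thresholds, network classes, coordinates and the 900 km/h travel limit are constructed assumptions chosen to make the example readable, not figures from the article or any real system.

```python
import logging
import math
from dataclasses import dataclass
from typing import Optional

logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
log = logging.getLogger("access-policy")

# --- constructed reference data (assumptions, not from any real product) -----
NETWORK_CLASS = {"corp-lan": "corporate", "home-isp": "residential",
                 "coffee-shop-wifi": "public", "colo-serverfarm": "datacentre"}
NETWORK_POINTS = {"corporate": 20, "residential": 15, "public": 5, "datacentre": -20}
RESOURCE_THRESHOLD = {"wiki": 40, "mail": 60, "hr-pii": 80}   # higher bar for PII
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # faster than an airliner means impossible travel
MAX_PATCH_AGE_DAYS = 30


@dataclass
class Device:
    managed: bool
    disk_encrypted: bool
    av_current: bool
    patch_age_days: int
    approved_apps_only: bool


@dataclass
class Session:
    user: str
    mfa_verified: bool
    city: str
    lat: float
    lon: float
    network: str
    timestamp: int   # unix seconds


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance, used for the impossible-travel check."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def device_score(d: Device):
    """Device posture: up to 40 points, with a reason for every missing control."""
    score, reasons = 0, []
    checks = [(d.managed, 10, "device not under management"),
              (d.disk_encrypted, 10, "full disk encryption off"),
              (d.av_current, 10, "anti-malware out of date"),
              (d.patch_age_days <= MAX_PATCH_AGE_DAYS, 5, "patch level too old"),
              (d.approved_apps_only, 5, "unapproved applications present")]
    for ok, points, reason in checks:
        if ok:
            score += points
        else:
            reasons.append(reason)
    return score, reasons


def context_score(s: Session, last: Optional[Session]):
    """Source-network reputation plus a pattern-of-life check against the last login."""
    reasons = []
    klass = NETWORK_CLASS.get(s.network, "unknown")
    score = NETWORK_POINTS.get(klass, 0)
    if klass == "datacentre":
        reasons.append("login from datacentre network")
    elif klass == "unknown":
        reasons.append("unknown source network")
    if last is not None:
        km = haversine_km(last.lat, last.lon, s.lat, s.lon)
        hours = max((s.timestamp - last.timestamp) / 3600.0, 1 / 3600.0)
        if km / hours > MAX_PLAUSIBLE_SPEED_KMH:
            score -= 30
            reasons.append(f"impossible travel {last.city}->{s.city}: {km:.0f} km in {hours:.2f} h")
    return score, reasons


def decide(session: Session, device: Device, resource: str,
           last: Optional[Session] = None) -> dict:
    """Identity + device + context -> trust score, compared to the resource threshold."""
    reasons = [] if session.mfa_verified else ["second factor not verified"]
    identity = 30 if session.mfa_verified else 0
    dev, dev_reasons = device_score(device)
    ctx, ctx_reasons = context_score(session, last)
    score = identity + dev + ctx
    allowed = score >= RESOURCE_THRESHOLD[resource]
    reasons += dev_reasons + ctx_reasons
    # Log every decision: the audit trail is what lets analysts reconstruct events later.
    log.info("user=%s resource=%s score=%d allowed=%s reasons=%s",
             session.user, resource, score, allowed, reasons)
    return {"score": score, "allowed": allowed, "reasons": reasons}


if __name__ == "__main__":
    laptop = Device(True, True, True, 7, True)            # fully compliant corporate laptop
    manchester = Session("alice", True, "Manchester", 53.48, -2.24, "corp-lan", 1_700_000_000)
    nebraska = Session("alice", True, "Nebraska", 41.26, -95.94, "home-isp", 1_700_003_600)
    print(decide(manchester, laptop, "hr-pii"))            # compliant, on-site: allowed
    print(decide(nebraska, laptop, "hr-pii", last=manchester))   # one hour later, 6,000+ km away: denied
```

Note that a failed check does not simply deny everything: the Nebraska login still clears the bar for the low-sensitivity wiki but not for the PII store, which is the graded response the article describes. In practice the constructed point values would be replaced by ones tuned on the organisation's own login history, and the `last` session would come from the log store rather than a local variable.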
Planning and execution
In summary, perimeterless security can work well, but it needs to be planned and executed in a controlled and specific manner. It certainly isn’t about cost reduction, but more a modernisation of the stance that businesses and users have taken as the default in the past.
Trust is everything, and trusting single tokens of proof is not really an effective solution, especially with accounts of privilege such as an admin account. In the old style of networking, one lost password, used on an internal terminal, could lay the entire infrastructure wide open. This is less likely with security-aware companies, but still a big risk at those where IT has not yet caught up with the reality of infrastructure security in an internet-connected world.
But the technologies to support perimeterless security do not come for free and require a significant amount of training and set-up ahead of time to implement correctly. It will also require a significant level of buy-in from management in terms of support and financial commitment. Once in place, however, IT security management should become far easier.
There are many suppliers in this rapidly expanding area, but all keep the core tenets of perimeterless security as their central theme. Do your research, ask questions, but remember that physical security is only one piece of the puzzle: perimeterless network security doesn't absolve anyone from the fundamentals of good data and security hygiene.