The Death of Perimeter-Based Security
Perimeter-based security has become flawed and outdated. It’s no longer a tenable approach. This is because perimeter-based security is a self-defeating mechanism in an era that has dissolved the traditional network perimeter.
How the remote workforce and flexible work era have affected perimeter-based security
There are three trends accelerating the death of perimeter-based security, namely:
- Remote work: Even before the global pandemic, advances in technology were increasingly making it easier for employees to do their jobs productively outside the office. Since employees aren’t cocooned within corporate defenses, remote work negates the structural benefits of perimeter-based security more than any other factor.
- Bring your own device (BYOD): The explosion in the use of mobile devices has allowed organizations to permit their employees to use their personal devices at work. While BYOD policies can lead to positive benefits – such as a 34% boost in productivity – these devices provide attackers with tantalizing new entry points into a corporate network.
- Cloud-based applications: You need more than perimeter-based security to secure applications deployed and used on the cloud. Even if remote work and BYOD policies weren’t negatively impacting perimeter-based security, cloud migration would have eventually done the damage. It was projected that by 2020, 83% of all enterprise workloads would have shifted to the cloud.
The Covid-19 pandemic caused a massive shift to remote work, with employees suddenly compelled to work from home. Criminals quickly adapted to take advantage of the shift, so threats were at an all-time high because of the pandemic.
However, remote work also exposed the limitations of perimeter-based security. While organizations adopted practices like using virtual private networks (VPNs) and multi-factor authentication (MFA), these were insufficient deterrents to highly motivated threat actors. So, remote work became a bonanza for hackers who profited immensely from a plethora of Covid-19 cyber scams through intellectual property theft, ransomware hijacks, and data exfiltration.
This is because the traditional, perimeter-based approach to security doesn’t take into account the cybersecurity implications of a remote workforce. It wasn’t built to allow employees to access IT resources from anywhere and everywhere across on-premise and distributed cloud systems.
To compound the situation, the embrace of a remote workforce has increased the attack surface for cybercriminals to exploit. So, remote work creates new vulnerabilities around employees working from their less secure networks at home or from a local cafe.
Employees rarely have the same professional security setup at home, where poorly configured firewalls and poorly secured routers connect to corporate networks.
As the need for remote work grew, organizations adopted virtual private networks (VPNs) to provide employees with the ability to perform tasks securely while away from the office. But this was equivalent to putting a band-aid on a gunshot wound.
This is because attackers started heavily targeting common VPN vulnerabilities, ironically because VPNs provide a convenient entry point to an enterprise and corporate network. In fact, VPN attacks surged in the first quarter of 2021, with Fortinet’s SSL-VPN experiencing a whopping 1,916% increase in attacks from the beginning of the quarter. Other VPN vendors have also reported an increase in attacks after the Covid-19 outbreak.
Since the perimeter has changed rapidly, security teams have to be more vigilant with managing and monitoring identities across the network. In addition to greatly reduced security barriers, they have to grapple with the number of vulnerability points a modern employee navigates regularly.
The inadequacy of perimeter-based security
Perimeter-based security was adequate to prevent external attackers from gaining access to a network with a clearly defined perimeter. It is supported by firewalls and intrusion detection and prevention systems. These acted as sentry guards at designated checkpoints, akin to physical perimeters like doors and windows.
Compared to current standards, perimeter-based security is a laissez-faire approach. For instance, almost any user who had access to the network could, more often than not, also access large parts of it. This worked well for legacy systems and applications. Moreover, remote work was a distant aberration since most employees were expected to commute to work and discharge their job responsibilities at on-premise work sites.
However, the evolution toward mobility and more diffused cloud systems has made perimeter-based systems obsolete.
One reason is that perimeter-based systems are easily overwhelmed by the “perimeter-less” gush of internet traffic. Due to the Covid-19 pandemic and the increase in remote work, internet traffic has correspondingly increased by as much as 90%.
Even with firewalls and VPNs, networks are vulnerable and the modern perimeter is full of too many holes.
Adopting a zero-trust model
Perimeter-based security was somewhat effective when employees were only able to access corporate resources while working at the office. However, the age of digital transformation and remote work has changed all of this. The advent of cloud computing, the Internet of Things (IoT), and mobility have changed and obliterated the concept of the well-delineated defense perimeter.
A corporate network now has to accommodate a plethora of possible entry points and so has to adopt a slogan of “never trust, always verify.”
Cybersecurity professionals increasingly view zero-trust security as the more effective approach. It is an approach more in tune with the major shift to a mobile-first, cloud-based digital world. Zero-trust also requires rethinking the traditional perimeter.
Zero-trust leans heavily on identity management and network segmentation to remove implicit trust and gain better visibility into the internal network.
As a result, corporate security must embrace zero-trust models because of the additional layer of security they provide, especially for the ubiquitous cloud environments and remote work.
As far back as 2019, as many as 69% of organizations were migrating their business-critical application data to the cloud. At this point, perimeter-based security was barely sufficient to protect on-premise digital assets; it was, however, woefully inadequate for securing data residing on offshore systems.
Moving away from perimeter-based security: Steps toward zero trust-based security
Zero Trust-based security is based on three core principles, namely:
- Verify explicitly
- Assume breach
- Use Least Privilege
Here, we’ll unwrap how organizations can start implementing processes and procedures to ensure these principles are met in their corporate entities.
Establishing identity as the new perimeter
In zero trust-based security, the first thing that changes when identity takes up the mantle of the new perimeter is that access is never assumed. So identity and access management is the first step to implementing a zero trust-based security system.
In the age of remote work, all traffic is now assumed to be dangerous, so workforce identity is paramount. Organizations should ensure they deploy effective identity and access management (IAM) software. This reduces the importance of VPNs, with some professionals even advocating ditching them entirely.
Authentication and authorization are the most important steps here. Removing implicit trust starts with assuming you don’t know the identity of the user inside the network. A systems administrator needs to be confident that the person at the other end of a laptop, desktop, or mobile device isn’t a cybercriminal or a disgruntled employee looking to wreak havoc.
IAM software ensures that a user’s identity is authenticated before they’re granted access. It also ensures the user has the requisite authorization levels to carry out selected tasks. IAM software operates on the principle of least privilege and allows a user to execute a specific task only when they have the matching permission.
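The authenticate-then-authorize flow described above, as an added example that is not part of the original article: Python contrasting a perimeter-style check (trust by source address) with a deny-by-default zero-trust decision. The network range, roles, permissions, and requests are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample data (assumptions, not from the article).
CORP_NET = ip_network("10.0.0.0/8")
ROLE_PERMISSIONS = {
    "payroll-clerk": {("payroll-db", "read")},
    "payroll-admin": {("payroll-db", "read"), ("payroll-db", "write")},
}

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    source_ip: str
    authenticated: bool     # primary credential verified for this session
    mfa_passed: bool        # second factor verified
    device_compliant: bool  # device meets policy (a BYOD device may not)
    resource: str
    action: str

def perimeter_decision(req: Request) -> bool:
    """Legacy model: anything inside the network range is implicitly trusted."""
    return ip_address(req.source_ip) in CORP_NET

def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Deny by default; network location is never an input to the decision."""
    if not req.authenticated:
        return False, "identity not authenticated"
    if not req.mfa_passed:
        return False, "MFA not satisfied"
    if not req.device_compliant:
        return False, "device not compliant"
    # Least privilege: the exact (resource, action) pair must be granted.
    if (req.resource, req.action) not in ROLE_PERMISSIONS.get(req.role, set()):
        return False, "no matching permission (least privilege)"
    return True, "allowed"

# Constructed requests: an unverified host inside the network, and a
# verified remote employee asking for a permitted and a non-permitted action.
inside_unverified = Request("mallory", "unknown", "10.1.2.3",
                            False, False, False, "payroll-db", "write")
remote_clerk_read = Request("alice", "payroll-clerk", "203.0.113.7",
                            True, True, True, "payroll-db", "read")
remote_clerk_write = Request("alice", "payroll-clerk", "203.0.113.7",
                             True, True, True, "payroll-db", "write")
```

The perimeter check admits the unverified internal host and rejects the verified remote employee; the zero-trust check does the opposite and still refuses the write the clerk role was never granted.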
Organizations can fortify their zero-trust security architecture by using next-generation firewalls. Next-generation firewalls go beyond the limits and capabilities of the traditional firewall. The traditional firewall used in perimeter-based security only provided rote inspection of incoming and outgoing traffic.
In addition to this inspection, a next-generation firewall provides a higher level of security with features like integrated intrusion prevention, application awareness and control, and cloud-delivered threat intelligence.
Unlike a perimeter-based system, a zero-trust model fosters the mindset that you’re always under attack. Network segmentation helps organizations minimize the blast radius of an attack if and when they’re compromised. It involves implementing granular controls in the form of software-defined perimeters, often referred to as micro-perimeters.
A mobile- and cloud-first world has changed a lot of things enterprises used to take for granted. They used to secure their corporate network perimeters with traditional controls and feel fairly confident in their ability to keep bad guys out.
But the confluence of several factors over the past year, especially the pandemic and the necessity for remote work, has accelerated the death of perimeter-based security.