Yes and No! The traditional perimeter as we have known it, is dead. I repeat. The traditional model of “protect the castle walls and everything inside will be secure” is dead. To be honest, this model has been dying a slow death since the development of the laptop computer. The dawn of the smart devices (often also referred to as BYOD or BYOX) has only but accelerated the demise of the long held castle perimeter paradigm.
Let me explain why I believe this is so with a real life scenario I see repeated in organisations across the world.
Organisation ABC is a large multinational company (a fictional company, any and all resemblances to real world companies is purely coincidental). ABC’s IT Department, run by the COO, has just completed a new and urgent security upgrade to ensure that the corporate network perimeter is protected by latest next generation firewall technology.
To celebrate the successful implementation of its product the firewall vendor has invited the COO to speak about his successful implementation at a seminar. The COO describes how his organisation now has the most advanced perimeter protection firewalls around. They are application aware, understand every protocol, have this really impressive way of sniffing all that encrypted traffic.
They can improve employee productivity by slowing down Facebook, LinkedIn, YouTube and Twitter traffic, so the employees can get back to work! Even better, these 3rd generation perimeter firewalls have the latest malware database and can stop most advanced malware in their tracks! No more APT attacks in my network!
With the audience hanging on his every word, the COO added, “The perimeter is everything. We are fully protected! No one can get in! Oh, we are also protected against all the mobile malware for Android and Apple - any user who is on the corporate network is never going to get infected. And finally, the firewall even does SIEM and can detect all types of intrusion attempts! We are safe!”
Sounds familiar? That’s right folks! The same next generation technology that serves other organisations so well!
Midway into the firewall project, ABC organisation appointed a CIO, Sarah, who decided to go fully cloud and mobile. Everyone loves her - well, likes her. She embraced the cloud and made access to email much easier and importantly an enjoyable experience! In addition, every employee was offered a 30% discount to purchase their own smart mobile and tablet device that could be used for corporate and personal use. The CIO sat with her legal counsel and updated the Acceptable Use Policy and created a Mobile policy to ensure that employees understand the who, what, why, etc.
Sarah encouraged the increased adoption of mobile technology to improve working condition so that engineers and developers could complete major project deliverables on their mobile devices from anywhere.
What happens next?
The company CFO, like the rest of the senior executives, was using his own brand new mobile device and had clicked on an emailed attachment while surfing at a neighbourhood coffee shop! The email contained an infected PDF that appeared to offer an amazing deal to the CFO’s favourite holiday destination, Iceland.
Long story cut super short: the mobile was infected via the PDF that then started stealing the CFO’s contact details, call logs, email, browsing data and, yes, password details. It then spread to the rest of the finance department laptops stealing their data and finally settled on the finance data servers. The malware copied all the confidential data and anything else that it could ‘see’.
ABC company only discovered this leak when inappropriate email communications between the CFO and his PA started to leak on the Internet. The start of a very messy cyber breach that resulted in a massive data leak. The CFO’s personal emails, photos and browsing habits for the last 2 years were also disclosed, much to the deep embarrassment of the company. The most catastrophic aspect of the breach? The company’s unaudited financial results! You can guess the shareholders were not very happy when they had access to the real results!
What Happened to the All Singing All Dancing Perimeter Firewall?
The COO had a lot of answering to do to the board. His multimillion dollar security program was unable to detect or prevent what appears to be a straightforward phishing attack that led to the most embarrassing reputation damaging security breach in the company’s history. Practically useless.
How did this Happen?
The CFO’s multiple laptops and browsing from unprotected wireless connections in coffee shops meant that the traditional perimeter was practically of no use in prevent this type of attack. The virus was willingly downloaded, albeit by trickery, by the CFO, because he thought he was going on a holiday! Once the malware was deployed, the lack of proper access controls around the data stores and basic security hygiene made the security compromise a walk in the park.
Why did this happen? First don’t blame the firewall. It has a purpose and place. Next:
- Practically no one in the COO’s company ‘lived’ on the corporate network!
- The work force had been empowered by the CIO to be mobile. They were encouraged to be more productive and adaptive.
- The traditional castle perimeter was dead! The perimeter was everywhere and there was nothing protecting that everywhere perimeter.
The perimeter must move
The perimeter must move closer to what you want to protect. Not just close but in close proximity to what is important to your organisation. Some objects of interest include
- Information: Protecting access to your financial data store with an eight character password is not sufficient;
- People: Yes, us humans are major object of interest. It’s not good enough to expect us humans to understand cyberspace’s complexities and threats without sufficient training and knowledge.
This step is just the beginning. Defining or rather redefining your parameter is just one of a strategic set of actions that must be taken to prevent security breaches. However, one of the most important steps is to (1) acknowledge that the fundamental concept of the perimeter has changed and (2) to delivery appropriate security measures to the new perimeters.
It must be stressed here that the concept of layered security or defines in depth must be discarded as a result of moving the perimeter closer to the object of interest. To the contrary, it is even more important to have several different layers of controls and technologies to ensure that if one defence is breached the others stand firm.
50 Billion Perimeters - Secure That!
Cisco predicted that by 2020, just five years away, there will be 50 billion connected devices on planet earth (all right, a few might be in space, too). You get the drift? That’s right, what’s the new perimeter or rather where is the new perimeter? Every one of those 50 billion devices has its invisible perimeter around its operating system and hardware controls. Knowing the pace of innovation, many of these devices types will include some contraption of the current mobile device, wearables and not sure what else!
Go try containing these always on, always connected (Internet of Things) devices with your traditional firewalls! Good luck, but I do not want to be the CISO or CIO of the company that does not understand this fundamental paradigm shift.
Oh! By the way, let’s not forget the volume of data that these 50 billion devices generate!
This article has originally appeared in the KuppingerCole Analysts' View newsletter.