For years, the perimeter-based approach to security has defined how organisations protect their devices and data from cyber-attacks. However, times change. Threats evolve, working practices move on and security models need to adapt to reflect the realities of how organisations and their employees operate. The twin demands of greater worker mobility and data accessibility mean that perimeter walls are being displaced in favour of something more fluid.
Even in this era of hybrid cloud, on-premise architectures and BYOD-driven policies, it's hard for many organisations to think in terms of the end of the external perimeter. The sense of relinquishing control is a challenge - but there are ways to balance flexibility with visibility and control for both personal and corporate devices without compromising security.
A growing proportion of employees now work remotely, on their own laptops, tablets or smartphones - either from home, in public spaces, or whilst travelling. These flexible working practices, and the ability for teams to work together from wherever they are based, bring considerable operational benefits. Staff can be more productive and have more freedom to collaborate with teams no matter their location.
Given these shifting working practices and the increased use of cloud applications, in practical terms, the perimeter-based approach to security simply doesn't work. Employees, contractors and other users are now using personal devices from home to log into cloud applications such as Salesforce or Dropbox, completely bypassing the corporate network. Security leaders need to consider how to enforce security policies for these types of scenarios.
As is evident from recent breaches, if an attacker can gain access to an employee's or contractor's credentials and break into the perimeter, then they're often at liberty to move around within the network. Security teams need to work on the assumption that anyone on the inside could pose a security threat too.
These fundamental differences in the way we work mean that we need to move from a firewall-based approach to access policies customised for every work application based on device information, device health, and the associated user.
Build security policies for users
The notion that we are protected from threats if we have information on a user's location is no longer adequate. However, adapting policies doesn't mean that we need to think of this in terms of removing the perimeter but, rather, as improving security on the inside so that the perimeter isn't the primary line of defence. There needs to be greater emphasis on trusting users and their devices.
Build security policies for devices
There's a similar issue with devices: if a device is able to connect to the corporate network, it would be assumed that it is a trusted device and could access anything that the user requested. However, there are several reasons why we can't rely on this as verification that the user and device are 'trusted': stolen passwords, spoofed network addresses and compromised endpoints mean that we need more checkpoints.
As enterprises no longer have distinct boundaries defined by inside and outside the firewall, gaining visibility on the health of devices connecting to their network is more critical than ever. Verifying the health of the device effectively protects against threats which exploit vulnerabilities in outdated software. This information also enables organisations to accommodate the growing number of personal devices, without having to resort to a 'block-all' approach.
Companies also need to think about verifying devices to establish trust without installing thick agents that, for example, track the location of the device. Traditional device analysis solutions, such as MDMs, are invasive, compromise the privacy policies of some countries and go against the expectations of employees.
Beyond the firewall
Security today is less about fortifying the perimeter of the network and more about ensuring that only trusted users and devices access an organisation's data. Companies are beginning to implement security models to solve this, including Google's BeyondCorp framework.
Contributed by Ash Devata, vice president of products, Duo Security
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.