Long live perimeter security

It is not possible to build the perfect security perimeter. But that doesn't mean you shouldn't try.

Most security experts agree that just because something is not 100% bulletproof doesn't mean it is worthless, even if, as Bayshore Networks CEO Francis Cianfrocca, puts it: "The traditional network perimeter is no longer defensible."

[Security pros say their companies invest in the wrong technologies]

The most recent stark illustration of that is Adobe. The company acknowledged in mid-September that hackers had broken in a month or so earlier and accessed customer names, encrypted credit and debit card numbers and expiration dates, as well as source code. The company has not yet reported how the attackers got in but clearly, whatever perimeter defenses were in place were not enough.

But Cianfrocca himself, in his next breath, declares that enterprises should keep investing in traditional perimeter defenses. "You still have to keep your front doors locked, even as you confront threats from entities that freely move through or bypass them," he said.

Gary McGraw, CTO of Cigital, calls perimeter security "basic hygiene," and likens putting software security ahead of network security to, "putting on your pants before putting on your underwear."

Dr. Anton Chuvakin, research director, security and risk management at Gartner for Technical Professionals, said that while organizations need protection inside their perimeters, "Why let attackers in without a fight at the perimeter? Perimeter defenses won't make you secure, but it is useful place to fight your first battle with the attacker, gather intelligence, etc."

That is not a unanimous view, however. Thevi Sundaralingam, vice president of product management at Accellion, told Dark Reading recently that, given a world where mobile-enabled employees connect with their company networks from around the world on devices of their choosing, "perimeter security is no longer relevant to enterprises. Next-gen security needs to focus on keeping content safe, not on defining a network perimeter."

Tyler Rorabaugh, vice president of engineering at Cenzic, agrees. "The perimeter has been gone for several years due to BYOD, and data being accessible from anywhere. It's difficult to build a perimeter or virtual fence around a non-existent border, as a border cannot be defined around data that is accessible from everywhere," he said.

[The new perimeter]

In support of that view, he noted that, "There are more than 60,000 public facing APIs (Application Programming Interface) through systems like APIHub, Mashery, and Apigee. Almost all major companies give access to some form of third-party data, and most consumer-related data, even health records, are now public facing."

But Sundaralingam and Rorabaugh appear to be in the minority. Chuvakin calls that view "silly."

"Yes, next-gen security needs to focus on keeping content safe, but do that first by defining and defending a network perimeter," he said, arguing that even a perimeter that is only 30% effective, "means that you have a third less malware to fight on the inside."

[Identity is the new perimeter]

Kevin McAleavey, an expert on malware as a service and founder and chief architect of the KNOS Project, said a good perimeter will do much better than 30%. "Defending the perimeter is still the best way to prevent upward of 90% of attacks against infrastructure from even getting in there in the first place," he said. I definitely disagree that it's obsolete."

Nimmy Reichenberg, vice president of strategy at AlgoSec, is another who compares it to protecting the valuables in a house. "The fact that you have a safe in your house does not mean you unlock all your doors and tear down your fence," he said. "There is no inherent conflict between protecting the perimeter and protecting sensitive data -- and combining both is a best practice."

And Trevor Hawthorn, CTO of ThreatSim, says while attackers know there are easier ways to steal data -- web application vulnerabilities and social engineering that by-pass network security controls -- that doesn't mean organizations should abandon perimeter security. "The minute we stop doing that, we give hackers another easy route to get closer to sensitive data," he said.

Some of the debate may be more about semantics than substance. Chuvakin and others agree that the explosion of mobile devices and remote access has drastically changed the definition of a perimeter. He notes that, "an organization's Virtual Machines (VM) are deployed inside the perimeter, while the Virtual Private Cloud (VPM) "extends the perimeter to include the Amazon environment."

Kevin O'Brien, enterprise solution architect at CloudLock, said the BYOD reality is that the perimeter frequently extends beyond that. An example, he said, is a tablet that is used for work during the day, but then taken home in the evening, "connected to an unencrypted home wireless network, and used to edit sensitive files."

[Citadel exploit goes after weakest link at airport: employees]

Perimeter based security would not protect that information, he said, "even if an IT organization enforced good multifactor password authentication or mandated SSL-wrapped connections to the cloud services used by that device."

For that reason and others, Eldon Sprickerhoff, cofounder and CTO of eSentire, said he believes what is obsolete is, "the idea of a single, secure perimeter. Now, several perimeters need to be defended simultaneously: the classic perimeter, such as corporate headquarters and wholly owned data centers; smaller ones like implementations in the cloud and shared infrastructure; and finally personal perimeters like BYOD."

[CSOs face ongoing paradoxical challenges, according to report]

In other words, modern perimeter security is about more than threats from outside the wall. "It must review internal behavior, including the use of bandwidth analysis, honeypot and honeytoken systems, and access anomalies to guard against unacceptable activity," Sprickerhoff said.

"Though nothing is completely secure, building a 'honeycomb' of little perimeters instead of one large will provide better security for the modern network."

Arthur Braunstein, vice president of strategic accounts at CloudLock, takes it a step further: In essence, the person has become the perimeter, he said.

"The cloud and BYOD add a dimension to the porosity of networks and the rise of insider threats that is profound," he said. "Data is associated with users, not with devices. Companies can no longer go to a device, isolate it with access controls or enumerate the files on it, since the device is now the cloud and all users have pretty much equal access. So data protection has to be people-centric, leading to the metaphor of the human firewall."

And that firewall is, to put it mildly, porous. "The lion's share of exploits result when insiders maliciously or negligently externalize data," Braunstein said. "Or, outsiders socially engineer their way into enterprises and use code or takeovers to camouflage their illegitimacy."

Braunstein said he thinks the economics point to a trend where, "companies contract with public cloud vendors for infrastructure, with perimeter security built into that, and then focus their own efforts on safeguarding data usage."

He likens it to companies that use bank vaults. "No sane enterprise would run its own cash repository," he said. "Their cash defense perimeter moved from an on-premise safe to a better protected vault at a trusted bank. But enterprises do manage their cash with great sophistication and in line with their business needs."

But if people are the perimeter, doesn't ultimate security depend on human nature, which includes both carelessness and sometimes malicious intent?

[The 4 tiers of a secure B2B framework]

Not entirely, in the view of Sprickerhoff, who said that when human failure results in a breach, better technology can detect it more quickly. "I am a huge fan of internal honeypots -- systems that are deployed within an environment that appear to contain the 'secret sauce' that an external attacker would want to gain access but to which there's no legitimate need to access," he said. "They act as a 'canary in a coal mine' to alert an enterprise when other defenses have been breached."

Braunstein adds that IT departments can lower the risk from end users by providing them with cloud tools. "You move them away from increasingly more expensive and difficult-to-control, diminishing-return legacy infrastructure, encourage them to use sanctioned and controllable cloud solutions like Google Apps, and reduce the incentive to cheat," he said.

Reichenberg agrees that BYOD expands and fragments the perimeter. To deal with it, "companies must take measures to protect against threats such as lost or stolen devices. We have been doing this for corporate laptops for many years, but with BYOD we must extend this protection to non-company owned and highly mobile devices," he said.

Trevor Hawthorn, CTO of ThreatSim, contends that BYOD, the cloud and web services have made the "traditional perimeter" less relevant. "But if you look at nearly any large enterprise you will find a significant amount of data that still lives inside the castle walls," he said. "This isn't to say that we shouldn't stop moving towards putting security controls closer to the data, but we can't scrap the old paradigm just yet."

Ultimately, most experts agree that perimeter security is not so much a wall, but a layer of protection -- one that deserves an investment of time, effort and money, but not at the expense of software and data-level control.

"The network perimeter is now pervasive," Bayshore's Cianfrocca said, and an enterprise that focuses only on a single perimeter is the high-tech version of, "the drunk who looks for his car keys under the streetlight because the light is better."

[Cyberattacks the greatest threat to nations, say global execs]

Hawthorn said the most investment should be made in, "two places deep within the enterprise that the Internet can still directly reach: software and people.

"Developing secure software is possible and there are a ton of resources to help," he said, "and users can either be your biggest weakness or your greatest asset. Most modern attacks involve some sort of user-targeted attack.

Hawthorn stressed, however, that he wasn't necessarily calling for every end user to get training to the point of making them experts.

"We just need to tweak their mindset to be more of a 'smart skeptic' when it comes to emails, handling data, and anomalies they encounter during their day," he said.

This story, "Long live perimeter security" was originally published by CSO.

To comment on this article and other Network World content, visit our Facebook page or our Twitter stream.
Related:
Must read: Hidden Cause of Slow Internet and how to fix it
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.