Out With the Old Perimeter, in With the New Perimeters

A confluence of trends and events has exploded the whole idea of "the perimeter." Now there are many perimeters, and businesses must adjust accordingly.

As business started to connect to the Internet, this connection point became the natural place to enforce security controls, mimicking existing physical security models. Businesses assumed that if someone was inside the building or inside a certain perimeter, that person inherently had a higher level of trust than those outside.

The same business needs that required connectivity forced erosion of this perimeter. Websites and email servers had to be reached from outside of the defenses. Additional perimeters were created to address this, starting with DMZ networks. Some users and data moved to the untrusted side of the walls, and attacks were originating from the inside (whether from phishing, compromised credentials, or insiders). More perimeters were created, including data center firewalls and internal segmentation or even microsegmentation deployments.

With the pandemic, the erosion of the perimeter turned into a collapse. Instead of some data and a few users being outside the perimeter, there was an almost overnight need to have all the employees outside. The new demands weren't easy: access to all the data, from all the places, all the time, on all the devices. Securely.

The New Perimeters

Identity as a Perimeter
Identity has been a key part of security forever. The importance of strong identity has increased exponentially with digital transformations; for a software-as-a-service (SaaS) application, it may be the only control in the hands of the data owners.

The scope of "identity" has grown from who you are to include physical location, the device being connected from and its state, the time of day, and other parameters. Multifactor authentication has become a minimum standard, while role-based access based on "extended" identity enforces policy once the connection is established.

There are limitations to the "identity-as-a-perimeter" concept: not everything lives in SaaS applications, and additional controls (such as data leakage prevention) may be needed, and those controls must be implemented in the application itself.

Endpoint as a Perimeter
Before firewalls, security was controlled at the endpoint — and what is old is new again. Modern endpoint solutions provide software asset inventory, threat prevention, and advanced attack detection backed by machine learning and artificial intelligence. The endpoint perimeter is much more robust than in the past.

Agents on the endpoint can provide more benefits as well, just like the traditional perimeter. Functions such as asset management, software management, vulnerability management, and data leakage prevention are all possible extensions of the "endpoint perimeter," though you may need many agents to support many functions.

Secure Access Service Edge
Secure access service edge (SASE) is a framework that moves security controls closer to where the user meets the data. Data is increasingly stored in cloud applications, so the SASE frameworks add security controls on the cloud edge. The framework can support a range of services to protect data and applications both in the cloud and on-premises.

Integral to this concept is the identity of the user and that person's rights as well as the assurance that the endpoint is "appropriately" secure for the access the user is getting. SASE frameworks must incorporate identity and endpoint elements to work most effectively.

Zero-Trust Network Architecture
The culmination of the "perimeterless network" is a zero-trust networking architecture (ZTNA). In a zero-trust environment, every connection is presumed hostile until proven friendly: a "never trust, always verify" model in which connections are allowed only on a least-privilege basis and closely inspected, and all activities and traffic are logged.
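The "extended identity" attributes described under Identity as a Perimeter and the deny-by-default, least-privilege, log-everything model described here can be made concrete as a small policy decision function. The following is an added example, not code from the article or from any SASE/ZTNA product; the roles, resources, permitted countries and work-hours window are constructed values.

```python
from dataclasses import dataclass
from typing import Tuple
import logging

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("ztna-policy")

# Constructed least-privilege map: which roles may reach which resources.
ROLE_RESOURCES = {
    "finance": {"erp", "payroll"},
    "engineer": {"git", "ci"},
}
# Constructed context constraints (the "extended identity" beyond who you are).
ALLOWED_COUNTRIES = {"US", "GB"}
WORK_HOURS = (6, 22)  # local hour window, start inclusive, end exclusive


@dataclass
class AccessRequest:
    """One connection attempt: identity plus location, device state and time."""
    user: str
    role: str
    resource: str
    mfa_verified: bool      # MFA is treated as the minimum standard
    device_managed: bool    # endpoint has an agent the organisation controls
    device_compliant: bool  # agent reports a healthy, policy-compliant state
    country: str
    local_hour: int


def decide(req: AccessRequest) -> Tuple[bool, str]:
    """Zero-trust style evaluation: deny unless every check passes, log all decisions."""
    checks = [
        (req.mfa_verified, "mfa required"),
        (req.device_managed and req.device_compliant, "device not compliant"),
        (req.country in ALLOWED_COUNTRIES, "location not permitted"),
        (WORK_HOURS[0] <= req.local_hour < WORK_HOURS[1], "outside work hours"),
        (req.resource in ROLE_RESOURCES.get(req.role, set()), "role lacks access"),
    ]
    for ok, reason in checks:
        if not ok:
            # Every denial is logged with the first failing factor.
            log.info("DENY user=%s resource=%s reason=%s", req.user, req.resource, reason)
            return False, reason
    # Allowed connections are logged too: "always verify" includes the audit trail.
    log.info("ALLOW user=%s resource=%s role=%s", req.user, req.resource, req.role)
    return True, "allowed"
```

A real deployment would pull the device state from the endpoint agent and the role from the identity provider rather than trusting fields in the request.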

As a design philosophy, ZTNA informs all the above choices and makes them more effective, though doing so while maintaining a relatively frictionless end-user experience is no easy task and doesn't get easier with scale.

…and the Legacy Perimeter
The legacy Internet edge perimeter and the existing internal perimeters are not yet completely obsolete. Some resources and users reside and will continue to reside on-premises and need protection. It's just that they aren't the single control that they were before. Defense in depth is hugely important and will likely include "legacy" controls for the foreseeable future as part of a comprehensive multiperimeter strategy.

So, What's My "New Perimeter"?
This is the perfect place for the engineer's favorite answer: "It depends." The new perimeter is going to depend on the state of digital transformation, the locations of your data, your risk tolerance, and the type of endpoints you're using. Your solution is going to have to be built and designed to meet your unique needs, objectives, and risks. It must be as frictionless as possible to your users and simultaneously minimize the attack surface. It's not easy, but it's possible.

Charlie Winckless is the Senior Director of Cybersecurity Solutions for Presidio, setting strategic direction both internally to Presidio and helping clients build digital trust. He is a cybersecurity veteran with over 20 years' experience in the field and cut his IT teeth at ...
