Scott Gordon (CISSP), CMO at Pulse Secure, explores how the increased investment in hybrid IT is creating a new perimeter demanding a matched investment in Secure Access technology. As IT service models are diversified, organisations will need to think about how they can protect their assets, access, users and devices whether in the private cloud, public cloud, data centre or – as is looking increasingly likely – a combination of all three.
The news of the perimeter’s death has been much overstated. As we saw in Pulse Secure’s and IDG’s 2019 State of Enterprise Secure Access report, people are increasingly choosing to hybridise their own environments. But just because environments are changing and are non-contiguous doesn’t mean that the perimeter is gone.
The report surveyed 300 senior security decision makers in midsize and large organisations across the US, UK, Germany, Austria and Switzerland about their current IT deployment models and their experiences around access issues.
One of its primary findings was that 44% of respondents choose a combination of data centre and public cloud to deliver IT services within the enterprise.
Nearly a third choose data centre with private cloud, and the remaining 26% spread themselves across all three. Furthermore, a majority of respondents said that they would be increasing their spending on multi-cloud support in the next 18 months.
It’s not hard to see why people declare the death of the perimeter so readily. With the arrival of the cloud, the time when you could safely say that the boundaries of a perimeter end at the office walls is over.
The rise of Bring Your Own Device, IoT, coffee shop hotspots and, most importantly, the cloud has forced the perimeter to change radically.
Certainly, we can’t say that the old “allow the good, forbid the bad” perimeter is still a tenable security mindset. Holding on to outdated ideas like that only spells trouble, and in this case, insecurity. But that doesn’t mean that the perimeter is dead.
In fact, enterprises and the wider security industry have long been working on solutions that reformulate the perimeter to accommodate modern realities.
One such way is Zero Trust Architecture, introduced by Forrester in 2010. Until then, most of us relied on a vision of security which treated a network like a castle: a structure with walls high enough to keep anyone out and a gate tower which could permit friends and forbid foes.
Of course, once the adversaries were in, they had free rein of the place and could pretty much do anything they wanted. It is no coincidence that attackers do all of the critical damage to their targets in the late stages of the attack.
Zero Trust Architectures make sure that getting through the perimeter is just the first wall that an attacker has to get past. A Forrester report revealed that Zero Trust organisations are 37% more secure and reduce their security costs by 31%.
Putting aside a binary view of threats, Zero Trust does not automatically trust anything, but instead requires each user, system and device to authenticate to the individual resource that it wants to use.
Instead of a castle, an environment becomes a deathtrap for an attacker.
However, Zero Trust is not so much a product or a piece of software as it is an approach to network defence.
Software Defined Perimeter (SDP) is one way to achieve that Zero Trust stance. Over half, 56%, of respondents said they would be starting an SDP project within the next 18 months. Another 14% will be planning SDP projects beyond the next 18 months.
The key point about SDP is that it can extend into the multivariate environment where modern networks reside – from the data centre to the hybrid cloud.
Accommodating this change has prompted an increased interest in Secure Access technologies. In response, over 90% of our respondents are increasing their investments. Nearly a third of them will be increasing them by up to 25%.
Whatever people say – the perimeter is very much alive. The shape of it, however, is changing profoundly.
We can’t draw up security strategies to protect networks that don’t exist anymore. It is no longer possible to draw a clear line around a whole contiguous network – but we can protect what lies within.
As people continue to diversify and hybridise their environments – through multi-cloud delivery models or otherwise – they’re finding new ways, such as Software Defined Perimeters and Zero Trust Architectures, to provide secure access to their networks and the sensitive resources within.
When military engineers realised that medieval castles could no longer withstand the invention of gunpowder, they built something else. Enterprises are doing the same.