Think you can still protect your company’s IT with a security cordon? Things have moved on. There’s no clear-cut perimeter any more. But that doesn’t spell the end for IT security. Think of it instead as a new beginning, where the right security provider can play a pivotal role.
Text: Andreas Heer, Image: Adobe Stock,
‘The perimeter is dead.’ As a statement this is nothing new – it’s something IT experts have been saying for a long time now. This article in the US CSO magazine was already talking about the end of the perimeter as we knew it and the search for a new one back in 2011. There are various, well-known reasons behind this change. Mobile devices such as smartphones and tablets and flexible forms of working that aren’t tied to a specific location have challenged the limits of the classic, local infrastructure. The perimeter has been worn away. As a result, IT managers can no longer draw a cybersecurity cordon around their entire IT infrastructure. We also have to recognise that cyberattacks in the form of phishing e-mails and bogus websites often simply bypass in-house security measures anyway.
This doesn’t mean that there is no longer a need for the traditional firewall and IDS/IPS protection. But it no longer protects the company’s entire infrastructure – just the local network environment. This is because today’s corporate IT centres around the cloud. Geographically speaking, ‘centres’ isn’t quite the right term, given that the cloud is often outside the perimeter in an external provider’s data centre.
The company’s cloud-based applications can, of course, be accessed via monitored and managed devices inside the company’s security cordon, but they can also be accessed from anywhere outside the cordon. Mobile employees can access and use the company applications online, wherever they are. And, for a long time now, systems have digitally integrated suppliers and partners via different interfaces. On top of this, we have customers accessing the increasing number of online services via a web browser or app. This kind of connectivity is essential for efficient, digital processes. So what options do security managers looking to control all of these connections and devices have? None. Or, to put it another way, zero.
‘Zero Trust policy’ is one of the approaches being used to maintain a high level of IT security. Here, there is no longer a distinction between ‘good’ traffic within the cordon and ‘bad’ traffic from outside. Instead, reflecting the kind of paranoia an IT security specialist needs, all data traffic is seen as potentially ‘bad’. In short: no cordon, no trust.
The consequence of this situation is that all data traffic has to be monitored for malicious activities. Every time a system is accessed from a device, the event has to be logged and centrally evaluated using a threat detection system. It is a good idea for a company to integrate the physical access systems here too, since vulnerabilities sometimes only become apparent when different data sources are combined – for example, if Mr Smith enters the office and then logs on to the ERP five minutes later some significant geographical distance away.
Measures that have replaced the simple perimeter protection extend from a central monitoring system to a complete security operation centre (SOC). Tiered security zones instead of a thick cordon with a central monitoring system. All of which makes eminent sense. But where to find the specialists who can de-escalate ‘false positives’ and intervene where the monitoring systems reach their limits?
One effective approach is the use of managed security services (MSS). Outsourcing parts of IT security to a specialist provider can help bridge gaps in the company’s in-house expertise. Or simply offer an economical alternative to establishing your own comprehensive security infrastructure. Hybrid forms are a perfectly feasible option. Perhaps it makes sense for systems in the local network and in your own data centre to be monitored in-house, while the security of the outsourced cloud environments is delegated to the cloud provider. So, to a certain extent, the elements that lay inside the former perimeter would continue to be controlled as before and only the extensions would be outsourced.
And, last but not least, some good news: even if we declare the perimeter dead, certain security concepts still remain valid. IT security still requires a balanced mix of prevention, recognition of attempted attacks and an appropriate reaction. With the right security provider, companies can outsource certain security responsibilities and focus more on raising awareness among the workforce.
More on the topic