Perimeter-only cyber defences are severely lacking in the face of today’s threats
When it comes to network security there is no border between the inside and outside, and the concept of a defensible perimeter is as outdated as keeping money under the mattress.
The perimeter used to be king: secure it and you could protect your assets. Build a firewall, fortify it with deep packet inspection (DPI), set up intrusion prevention and detection systems, and you could relax. Whilst perimeter security is still required, a layered defence is needed to tackle new attack vectors.
The strongest perimeter in the world has been rendered permeable by the proliferation of cloud services, insider threat, and the way BYOD has blurred the line between business and personal life. The sense of security it offers amounts to dangerous over-confidence in a defence system that is no longer fit for purpose. It’s like relying on a moat to defend against an attack from the air.
Know your Achilles' heel
In today’s interconnected world, vulnerability is multi-dimensional, which means your defence system must be too. Too much investment in one area can leave you lacking resource in others.
Cloud services have made the perimeter difficult to define, let alone secure. If data is stored in the cloud, do you even know where the perimeter is? Where precisely does your hosting provider hold your data? What controls are placed on it?
Then there are insider threats, unwitting or otherwise. By definition, such threats are already inside the perimeter, so its strength is immaterial in this instance. Insiders have access to the network: even if that only amounts to low-level or guest privileges, they are in.
BYOD, by stealth or by design, introduces vast numbers of potential infiltrators to the workplace. Personal devices brought into the organisation and connected at will to corporate data offer an attacker an easy route in, and an easy route out for exfiltrated data.
Configuring perimeter devices such as firewalls, VPNs, and access control lists may indeed be required to thwart some attacks, but they must not be the only area of focus and investment.
Need-to-know is one of the oldest and most fundamental principles of security. In the cyber arena, a similar principle restricts network access rights to the minimum level required for individuals to do their jobs.
The principle of least privilege (POLP) improves security inside the enterprise by requiring authentication for all endpoints attempting to access the network or network resources, and by closing sessions after use to prevent unauthorised access.
Due diligence is critical when selecting services such as VPN providers and cloud hosting. You want to do everything possible to ensure that data hosted outside your perimeter is protected, both in transit and at rest.
Carrying out background checks on employees is another valuable defence measure when the enemy may already be within.
Testing the locks
You might not be able to erect an impenetrable barrier around the organisation, but you can interrogate the strength of the defence systems you have in place.
- Evaluate your strategy for the use of cloud-based services to ensure the best possible security.
- Understand where your data is physically located and what controls are already in place.
- Define access levels for data across the organisation, and levels of access for specific data types.
- Evaluate your attitude towards BYOD and make sure your employees are trained in cybersecurity.
- Ensure you understand what shadow IT services are used within your organisation.
First published in Computing