By Ron Temske, VP/Security & Networking Solutions
For many years, a secure perimeter was the core concept in organizational cybersecurity. This concept gradually evolved into three zones:
- Outside – The outside world (the Internet) was bad and shouldn’t be trusted;
- DMZ – The Demilitarized Zone containing “good” resources that needed to be accessed by the outside world and, therefore, had to be isolated from the rest of the network; and
- Inside – The internal environment which was exclusively made up of “good” people and devices.
The result was a perimeter where everything outside it is untrustworthy and everything inside should be trusted. I’d like to suggest that data is the new security perimeter.
Why the traditional approach is ineffective
Many organizations still employ this traditional three-zone philosophy, but it rarely aligns with the structure of today’s businesses. Why? Let’s focus on the core purpose of cybersecurity—to protect data and reduce risk—and ask a few simple questions:
- Is all my data kept within the data center?
- Am I 100% confident that all people and devices inside my perimeter can be trusted?
The answer to the first question is almost always no, and the answer to the second question is always no.
So if all my data no longer resides within my perimeter, and I can’t fully trust everything within the perimeter, how effective is the traditional approach?
Protecting data vs protecting physical locations
I think a better approach to protecting data is to create a perimeter around your data rather than your physical locations. In other words, “everything is untrusted” instead of the more outdated “trusted vs. untrusted.”
Consider that threat actors often move laterally, progressively snaking through networks and systems, escalating their privileges as they search for their target assets.
Instead of applying the principle of least privilege and granting only the access that is actually needed, most networks today allow traffic or application access for any user who is “trusted” simply by being inside. A far more effective strategy is to allow nothing by default and permit a connection only after understanding its context in near real time (role, identity, geolocation, business purpose, and so on).
Getting to comprehensive data security
Implementing these concepts requires business and technical stakeholders to take a comprehensive approach to determine “who” (or “what,” in the case of IoT machine-to-machine connectivity) needs access to “what.”
This kind of thorough assessment takes time, and many organizations cannot take time away from their businesses to undergo such an evaluation. Unfortunately, the alternative is to keep using an outdated security model that is proven not to work and that can increase business risk.
So how can you get started?
How Logicalis helps build a security strategy
Logicalis has successfully used this comprehensive approach for many clients who are dealing with the “data everywhere” problem. It starts with an assessment:
- Understand where your devices, applications and data are located so you can effectively secure them.
- Go beyond “inside or outside” and consider attributes such as identity, geolocation, application, data privileges, etc.
- Adopt zero trust. Move beyond “trust everyone and deny specific cases” to zero trust—a term originally coined by Forrester which means “trust no one and allow specific cases.”
- Map applications. Understand how data flows within the organization and which applications/devices need connectivity to other applications/devices. For example, do workstations really need to directly talk to one another? Does your IP phone system require direct network connectivity to the ERP system? (As a side note, many malware strains leverage the open nature of many networks to spread. With proper segmentation, the impact can often be dramatically reduced.)
- Ensure that technology is enforcing business rules. To effectively deploy newer security models, define the role of applications (and the relationships between them), as well as data and business requirements.
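The context-based, default-deny model described above and the application-mapping questions in the list (workstation to workstation, IP phone to ERP) can be made concrete in a small policy evaluator. The following is an added example written for this page, not Logicalis or Forrester code: the attribute names, the allow rules and the sample requests are constructed assumptions, and a real deployment would take identity, role, device posture and geolocation from an identity provider, endpoint management and the network, not from literals.

```python
"""Zero-trust style access decision: deny by default, allow only when the
request matches an explicit rule derived from application mapping, and judge
each request on its context (identity, role, geolocation, device state)
rather than on which network zone it comes from.
Added example for this page; rules and sample data are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    """One connection attempt, with the context a policy point would collect."""
    src_app: str               # e.g. "workstation", "ip-phone", "hr-portal"
    dst_app: str               # e.g. "erp", "workstation", "chat"
    identity: Optional[str]    # authenticated user/service identity, None if unauthenticated
    role: Optional[str]        # role asserted by the identity provider (assumed attribute)
    geo: str                   # country code of the request origin (assumed attribute)
    device_managed: bool       # whether the source device is corporate-managed


@dataclass(frozen=True)
class Rule:
    """An explicit allow entry: which source applications may reach which
    destination, for which roles, from which locations."""
    name: str
    src_apps: FrozenSet[str]
    dst_app: str
    roles: FrozenSet[str]
    geos: FrozenSet[str]
    require_managed_device: bool = True


# Constructed allow list produced by application mapping. Note what is absent:
# no rule lets a workstation reach another workstation, and nothing lets the
# IP phone system reach ERP, so those flows are denied without a deny rule.
RULES: List[Rule] = [
    Rule("finance staff to ERP", frozenset({"workstation"}), "erp",
         frozenset({"finance"}), frozenset({"US", "GB"})),
    Rule("HR portal service to ERP", frozenset({"hr-portal"}), "erp",
         frozenset({"service"}), frozenset({"US"})),
    Rule("any staff to chat", frozenset({"workstation"}), "chat",
         frozenset({"finance", "engineering", "sales"}), frozenset({"US", "GB", "DE"}),
         require_managed_device=False),
]


def decide(req: Request) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason). Anything not explicitly allowed is denied."""
    if req.identity is None:
        return "deny", "unauthenticated request"
    for rule in RULES:
        if req.src_app not in rule.src_apps or req.dst_app != rule.dst_app:
            continue
        if req.role not in rule.roles:
            continue
        if req.geo not in rule.geos:
            continue
        if rule.require_managed_device and not req.device_managed:
            continue
        return "allow", f"matched rule '{rule.name}'"
    return "deny", "no matching rule (default deny)"


def log_line(req: Request, decision: Tuple[str, str]) -> str:
    """Render the decision with its full context so denials are reviewable."""
    verdict, reason = decision
    return (f"{verdict.upper()} {req.src_app}->{req.dst_app} "
            f"id={req.identity} role={req.role} geo={req.geo} "
            f"managed={req.device_managed} reason={reason!r}")


# Constructed sample requests covering the cases discussed in the text.
SAMPLE_REQUESTS = [
    Request("workstation", "erp", "alice", "finance", "US", True),    # legitimate
    Request("workstation", "erp", "alice", "finance", "RU", True),    # same user, unexpected geo
    Request("workstation", "erp", "alice", "finance", "US", False),   # unmanaged device
    Request("workstation", "workstation", "bob", "engineering", "US", True),  # peer-to-peer
    Request("ip-phone", "erp", "svc-voice", "service", "US", True),   # phone system to ERP
    Request("hr-portal", "erp", "svc-hr", "service", "US", True),     # mapped service flow
    Request("workstation", "chat", None, None, "US", True),           # unauthenticated
]


def run_samples() -> List[str]:
    """Evaluate every sample request and return the verdicts in order."""
    verdicts = []
    for req in SAMPLE_REQUESTS:
        decision = decide(req)
        print(log_line(req, decision))
        verdicts.append(decision[0])
    return verdicts


if __name__ == "__main__":
    run_samples()
```

The point of the structure is that the policy is a list of allow rules and nothing else: segmentation decisions that the text frames as questions ("do workstations really need to talk to one another?") become rules that are simply absent, and the same identity is allowed or denied depending on geolocation and device state rather than on being "inside". Each decision is logged with its context, which is what an analyst needs to tune rules and to spot lateral-movement attempts as runs of default-deny verdicts.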
Logicalis believes that adopting an Extensible IT framework enables digital transformation by making it easier to deploy new business services. Security—along with networking, service management, and automation—is an inherent part of the Extensible IT framework.
To learn more about how Logicalis approaches security, take a look at this video on how enterprise security can enable your organization.