AppGate Blog: Software-Defined Perimeter

Written by George Wilkes on January 26, 2019

Security Got Left Behind. IT Never Looked Back.

The wonders of technology continually push the boundaries of what is possible. The digital revolution has changed the world forever, and it’s not going to slow down. But as we charge full-steam ahead into tech utopia, we have failed to reevaluate the fundamentals that keep us safe.

Innovation. Agility. Pioneering. Transformation. Just a few words used to describe the current state of IT, which is in the driving seat of the digital economy. However, this is not a manifesto to cease digital progression; it’s a declaration for security to progress as IT has, and to catch up in the process.

The Driving Force of IT

This new world embodies magnificent feats of engineering genius, and businesses have taken notice, experienced its potential, and demand more. Arguably, the single most compelling reason for rapid adoption of new technologies is the promise of increased margins, market share, and competitive advantage; that comes in the form of simplicity, speed, power, and cost.

It goes without saying that the cloud fundamentally changed how organizations approach IT. The data center is not dead, but its role has significantly morphed. IT teams have endless computational capabilities at their fingertips, and the skill-sets for operating these new environments have simplified. The availability, allure of OPEX control, expedient deployment, and rapid scalability of resources outside the perimeter walls of the data center have made the cloud the destination for the majority of new business applications.

Alone, the introduction of the cloud model broke traditional network schemas and developed into a complex, hybrid, dynamic ecosystem where on-demand deployment options are in abundance. But, it went a step further than pure compute resources and developed powerful services that collectively make up intricate sub-ecosystems called workloads where everything is connected, automated, and talking to one another via API connections. In a nutshell, the network schema became deeper and more amorphous.

What’s more, the network schema continues to widen and shows no sign of stopping. Each individual connected device latches onto varying components of the ecosystem at varying times and from varying locations. Phones, tablets, wearables, laptops, and IoT devices all become part of a growing attack surface that is constantly changing. 

What stitches this complicated web together? Data, in different sizes, formats, and levels of value, constantly traversing the network and finding a home in different locations. Unfortunately, a critical component is often forgotten: the people interacting every day with this new, ever-evolving, distributed ecosystem that is foundational to success in today’s digital economy. Employees, customers, and vendors are in constant contact with all aspects of an organization’s digital ecosystem; each represents a point of exposure that greatly expands the level of digital risk.

That is the downside to the rapid evolution of IT: it has created a level of digital risk that has never been accounted for, nor anticipated by the standards of yesterday.

The Inadequate State of Security

As more breaches become publicly known, distrust in organizations’ abilities to protect their customers and employees is growing, and executives are being held personally accountable. This heightened sensitivity now has the attention of regulatory bodies, who are increasingly willing to punish organizations for failing to protect their customers, making it imperative to understand and prioritize digital risk.

The old physical data center perimeter was static; consequently, the security tools created to protect it were architected in a static way. Their creators had not anticipated the highly dynamic and distributed nature of today’s network schemas. VPNs and firewalls are 20+ year old technologies and, in tech years, that’s antiquated. The fundamental issue is that they were built with a crude definition of trust, which was acceptable at a time when the level of traffic and demand on networks was minimal and easily controlled. These technologies evaluate trust based on a simple IP-to-port relationship, meaning trust is extended only to the device demanding access, not to the person using it. Furthermore, their abilities do not go beyond simply granting access to the network, which means that over-privileged users who pass the network perimeter now have visibility into, and potential access to, systems and data they are not entitled to.

The architectural flaws of yesterday’s security solutions have introduced spiraling complexity for businesses today. Leveraging legacy investments to solve today’s IT challenges is like being the head chef at a busy five-star restaurant with only Stone Age tools to work with. Can it be done? Definitely. But the level of time, effort, and creativity required to pull it off is significant and unnecessary. Legacy security solutions require a lot of hands managing a lot of moving pieces; at the end of the day it’s a full-time job simply to keep the doors locked, with little time left for solving more strategic issues.

Furthermore, the cybersecurity marketplace has done organizations no favors. Its knee-jerk reaction to the advancements of IT has caused significant confusion and brought about thousands of niche vendors across hundreds of varying categories. As a result, security leaders have built an overwhelming toolbox of disparate technologies each solving very specialized problems – technologies that can be difficult to integrate and have work together, increasing complexity instead of solving the root problems.  

A Focused Approach to Zero Trust

Turning the ship of security is not a simple endeavor. In order to reaffirm their position and defend against cyberwarfare, businesses need a focused approach to Zero Trust. They must prioritize the core security challenges of today’s distributed and complex IT landscape, which requires:

  1. Reducing their attack surface, making themselves a smaller target by rendering resources invisible and finding vulnerabilities before their adversaries do.
  2. Changing their approach to securing access, adopting a Zero Trust mindset and verifying based on identity rather than IP.
  3. Neutralizing their adversaries, removing external threats targeting their organization, and seeking and destroying threats already in their network.
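To make the contrast between IP-to-port trust and identity-based verification concrete, here is an added Python illustration (not code from the post or from AppGate’s product). It evaluates the same requests against a legacy subnet/port ACL and against a Zero Trust entitlement policy; the subnet, group names and resource names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Request:
    src_ip: str                 # address of the requesting device
    dst_port: int               # service port the device is asking for
    user: Optional[str]         # authenticated identity, None if only network-level
    groups: FrozenSet[str]      # groups asserted by the identity provider
    device_compliant: bool      # endpoint posture check result
    resource: str               # named application the user wants, e.g. "hr-db"


# Legacy perimeter (constructed values): trust is a (source network, port) pair.
# Anyone whose device lands on the VPN subnet gets the listed ports, whoever they are.
LEGACY_ALLOW = [
    (ipaddress.ip_network("10.8.0.0/24"), 5432),   # database port open to the VPN subnet
    (ipaddress.ip_network("10.8.0.0/24"), 443),
]


def legacy_decision(req: Request) -> bool:
    """Firewall/VPN-style ACL: decision depends only on address and port."""
    src = ipaddress.ip_address(req.src_ip)
    return any(src in net and req.dst_port == port for net, port in LEGACY_ALLOW)


# Zero Trust policy (constructed values): entitlements are keyed by identity group.
ENTITLEMENTS = {
    "hr": {"hr-db"},
    "engineering": {"git"},
    "contractors": {"ticketing"},
}


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Verify identity and device posture first; then allow only entitled resources.
    A resource the identity is not entitled to is treated as non-existent, which is
    the 'render resources invisible' step in the list above."""
    if req.user is None:
        return False, "deny: no authenticated identity"
    if not req.device_compliant:
        return False, "deny: device posture check failed"
    allowed = set().union(*(ENTITLEMENTS.get(g, set()) for g in req.groups))
    if req.resource not in allowed:
        return False, "deny: resource not entitled (not discoverable)"
    return True, f"allow: {req.user} -> {req.resource}"
```

Run both functions on a contractor sitting on the VPN subnet and asking for the HR database: the legacy ACL says yes because the address and port match, while the Zero Trust policy says no because the identity has no entitlement to that resource.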