Moving from fortification to skirmish
Skirmishers – troops deployed in loose formation in advance of and/or on the flanks of the main body. These troops drew enemy fire, developed their position, and warned comrades of an imminent clash.
This is a guest post by Mr. Moshe Ferber. Mr. Ferber is Co-Chairman of the Israeli Chapter of the CSA, and a cloud security entrepreneur and lecturer with over 20 years’ experience in information security. He has served in various capacities in the information security field and has been involved in major projects in leading organizations worldwide.
In a previous post, we discussed the evolution of the information security perimeter from the early days of firewalls until today. The conclusion was, without a doubt, that the perimeter is changing fast. But now the question is: where are we going with those changes? What will the future perimeter look like? In this post, we share some thoughts about the future of the information security perimeter and where this old concept is heading:
The new perimeter will stretch into our endpoint devices
Mobile computing is a disruptive technology for the traditional perimeter. It merged the “inside” and the “outside,” and united private and business networks. Google’s recent acquisition of Divide, a BYOD vendor, gives us a hint of where the technology is headed. Divide will enable Google to create separate zones for business data and private data, just like the separation introduced by Apple in iOS 7. The segregation of private and business data is a good example of the new perimeter, in which borders are built not around our servers and physical locations, but around our data. Trusted compartments inside untrusted devices will expand the organization’s perimeter to the endpoint devices, and this logical separation inside the device will demarcate our new line of defense between internal and external networks.
The new perimeter will be highly segregated
When asking CISOs about the new perimeter, their first thought (or nightmare) is of groups of servers exposed with multiple services. In reality, however, most IaaS vendors provide a higher level of segregation between servers than anything we’ve seen before. In our traditional networks, we were forced to group servers into logical groups based on classification and function. This grouping was a must because we did not have sufficient resources to segregate every server individually. But in most IaaS implementations, servers are separated by default, even when they belong to the same security group. In this paradigm, referred to as “hyper-segregation” by leading security analysts, compromising one IaaS server does not guarantee access to any of the other servers, even if they are in the same subnet or security group. This level of segregation was almost impossible to achieve in traditional networks (short of installing and managing a host firewall on each server). In the future, however, technologies such as Software Defined Networking (SDN) will also enable enterprises to deploy hyper-segregated servers on premises. This, in turn, will change the role of the traditional DMZ.
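The difference between the two models is easiest to see as a reachability calculation: what can a single compromised host talk to? The script below is an added illustration, not code from the post or from any IaaS vendor. It models a "subnet-trust" network, where any host can reach anything in its own subnet, next to a hyper-segregated, default-deny network, where a host can reach only the group/port pairs that an explicit allow rule grants to its own group. All hosts, subnets, groups and rules are constructed sample data; the group and port labels are assumptions for the example.

```python
"""Added example: lateral reach of one compromised host under a traditional
subnet-trust model versus a hyper-segregated, default-deny model.
All hosts, groups and rules below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    subnet: str   # subnet label used only for grouping (constructed)
    group: str    # security group / logical tier label (constructed)


@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    port: int


def reachable_traditional(compromised: Host, hosts: list[Host]) -> set[str]:
    """Traditional model: every host on the same subnet is implicitly trusted,
    so a compromised host can reach all of its subnet neighbours."""
    return {h.name for h in hosts
            if h is not compromised and h.subnet == compromised.subnet}


def reachable_hypersegregated(compromised: Host, hosts: list[Host],
                              rules: list[Rule]) -> dict[str, list[int]]:
    """Default-deny model: a host reaches only the destination group/port pairs
    that an explicit rule allows from its own group. Sharing a subnet or even
    the same security group grants nothing on its own."""
    allowed = {(r.dst_group, r.port) for r in rules
               if r.src_group == compromised.group}
    reach: dict[str, list[int]] = {}
    for h in hosts:
        if h is compromised:
            continue
        ports = sorted(p for (g, p) in allowed if g == h.group)
        if ports:
            reach[h.name] = ports
    return reach


# Constructed sample environment: two web servers and an app server share a
# subnet; the database sits in another. Only tier-to-tier rules are allowed.
HOSTS = [
    Host("web1", "10.0.1.0/24", "web"),
    Host("web2", "10.0.1.0/24", "web"),
    Host("app1", "10.0.1.0/24", "app"),
    Host("db1", "10.0.2.0/24", "db"),
]
RULES = [
    Rule("web", "app", 8080),
    Rule("app", "db", 5432),
]


def lateral_exposure(host_name: str = "web1"):
    """Compare what a compromised host can reach under both models."""
    compromised = next(h for h in HOSTS if h.name == host_name)
    return (reachable_traditional(compromised, HOSTS),
            reachable_hypersegregated(compromised, HOSTS, RULES))


if __name__ == "__main__":
    trad, hyper = lateral_exposure("web1")
    print("subnet-trust model, web1 can reach:", sorted(trad))
    print("hyper-segregated model, web1 can reach:", hyper)
```

With `web1` compromised, the subnet-trust model exposes `web2` and `app1` simply because they share the subnet, while the default-deny model exposes only `app1` on port 8080; `web2` stays unreachable even though it is in the same subnet and the same security group. Running the same calculation over a real rule set (exported from whatever IaaS or SDN controller is in use) is a quick way to check whether "same security group" still implies "mutually reachable" in your environment.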
Our DMZ environments are moving outside of organization boundaries
Corporate users today are no longer confined to the boundaries of the organization in order to operate: they can access corporate resources from anywhere. The same applies to business applications and services being migrated to external cloud and SaaS offerings. This change renders the traditional DMZ architecture useless, because if your users are located externally, and the SaaS applications and web sites they use are external as well, there is no point in hairpinning corporate traffic through security controls located in the local DMZ.
Recent acquisitions by Imperva shed some light on their vision of the future of enterprise security. At the core of that vision are globally distributed data centers that provide security controls for organizational traffic. By redirecting corporate traffic through those centers, organizations will be able to enforce security controls wherever their users and applications sit. In the Imperva example, the data centers will filter incoming web server traffic (using Incapsula’s web application firewall technology), while SkyFence’s SaaS governance technology will provide filtering, monitoring and controls for corporate-user traffic directed toward SaaS applications. This external DMZ can be compared to firewall blades deployed not at the perimeter, but at internet junctions. Akamai is also playing in this field with its new WAF services and hints at a future roadmap for security services. Once the organization begins to route its traffic through those security data centers, it can add further security services: WAF, DDoS protection, caching, URL filtering, or SaaS governance services.
“The best way to predict the future is to create it” – Abraham Lincoln.
New technologies that have appeared in recent years have disrupted our perception of the information security perimeter. A new paradigm must be adopted for protecting assets that are outside our physical perimeter. In this new world, there is plenty of room for innovations that will replace old perceptions. Looking at recent market developments, we can spot hints and signs of where the market is going. New segregation technologies, inside mobile devices or between servers, as well as the new “external DMZ” offerings, will certainly be part of the future organization’s security environment. But there are still unresolved questions around building trust among multiple providers, improving user experience, and more. This is where innovation still has to kick in and provide us with better solutions, because in the world of cloud and mobile, most of our old perimeter concepts are, to say the least, obsolete.