The ever-evolving IT environment is slowly but surely rendering traditional perimeter-based security strategies obsolete. Perimeter-based security is an approach to cybersecurity that focuses on protecting the boundaries or perimeters of a network or system. The primary goal is to prevent unauthorized access from external sources and to create a secure barrier around the organization’s assets. Typically, this includes firewalls, intrusion detection/prevention systems and other network security devices deployed at the network’s edge.
Continual changes to the IT environment are impacting security strategies and limiting the effectiveness of perimeter-based security. Some examples include:
Cloud Computing and Remote Work
The adoption of cloud computing and the rise of remote work have led to a shift in how organizations operate. Businesses demand flexibility where employees can access resources from various locations and use multiple devices. While having such flexibility with multiple points of entry may make it easier to conduct business, it blurs the concept of a well-defined network perimeter and, as a result, makes perimeter-based security less effective.
Internet of Things (IoT)
The growing number of connected devices and the Internet of Things (IoT) has expanded organizations’ attack surface. Every point of connection is a potential entry point for an attacker. Traditional perimeter-based security models were not designed to address the risks posed by this density of connected devices or by data flowing through multiple networks and endpoints.
Advanced Persistent Threats (APTs)
As seen in the news, cybercriminals have become more sophisticated and are leveraging advanced techniques to breach traditional perimeter defenses. APTs typically involve long-term, targeted attacks aimed at gaining and keeping unauthorized access to an organization’s systems and data. Perimeter-based security measures alone are unlikely to prevent or quickly detect such attacks, and once an attacker has a foothold inside, perimeter controls offer little ability to see or contain the activity.
Insider Threats
Malicious insiders and compromised accounts are a significant threat to organizations. Perimeter-based security models focus primarily on external threats, and the assumption that the internal network is immune from such risks no longer holds true. An insider, or an attacker holding a legitimate account, is already inside the perimeter and bypasses these defenses entirely.
Mobile and Bring Your Own Device (BYOD) Trends
The increased use of mobile devices and BYOD policies introduces additional challenges to perimeter-based security. Mobile devices are frequently outside the organization’s network perimeter, so security controls applied solely at the perimeter cannot reach them.
Growth in the Creation of Hybrid Cloud Environments
Pursuing “cloud first” strategies is creating hybrid cloud environments that are hard to manage and hard to secure. Hybrid cloud environments are distributed across multiple locations, including on-premises data centers and various cloud service providers, so there is no single, central perimeter at which security measures can be enforced consistently. In addition, since responsibility for security is shared between the cloud provider and the customer, the traditional perimeter model on its own cannot protect all data and applications.
Compliance and Privacy Regulations
Stringent data protection regulations, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), require organizations to implement strong security controls and protect personal and sensitive data regardless of location. Perimeter-based security alone may not meet these regulatory requirements.
The primary objective of information security is to protect application systems and data while still providing users with access, regardless of how or where that access is initiated. More importance must therefore be placed on verifying users’ identities and controlling their access to resources. The most sensible security model is one that emphasizes identity and user access controls.
Pursuing “cloud first” strategies and expanding mobile computing and remote access require evolving the security strategy from a perimeter-based model to an identity-based one. Identity-based security models require, at minimum, the implementation of strong authentication, access controls and continuous monitoring:
A key element in identity-based security is establishing that the user is who they claim to be. Password policy is the baseline: enforce strong, unique passwords and prohibit reuse. Many organizations also expire passwords periodically; note, however, that current NIST guidance (SP 800-63B) advises against forced periodic rotation, which tends to produce weak, predictable variations, and recommends screening new passwords against lists of known-breached passwords instead. Beyond passwords, strengthen authentication by implementing multi-factor authentication (hardware tokens, biometrics, one-time passcodes, etc.) and adaptive authentication, which assesses risk factors such as the user’s location, device information, IP address, time of access and past behavior patterns, and requires additional verification when the risk is elevated.
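The following is an added example, not code from the original article, of how an adaptive authentication decision combines the risk factors listed above. The users, coordinates, device fingerprints, denylisted IP address, score weights and thresholds are all constructed for illustration; a production system would tune them against its own login history.

```python
# Added example (not from the original page): a risk-based ("adaptive")
# authentication decision that weighs the factors the text lists: location,
# device, IP address, time of access and the user's past behavior.
# All users, coordinates, devices, weights and thresholds are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional

@dataclass
class LoginAttempt:
    user: str
    ip: str
    country: str
    lat: float
    lon: float
    device_id: str
    when: datetime          # timezone-aware UTC
    password_ok: bool

@dataclass
class UserBaseline:
    countries: set = field(default_factory=set)    # countries seen in past logins
    devices: set = field(default_factory=set)      # known device fingerprints
    usual_hours: set = field(default_factory=set)  # UTC hours the user normally logs in
    last_login: Optional[LoginAttempt] = None      # most recent successful login

DENYLISTED_IPS = {"203.0.113.66"}   # constructed threat-intel entry (TEST-NET-3 range)
MAX_PLAUSIBLE_KMH = 1000            # faster than this between two logins = impossible travel

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def evaluate(attempt, baseline):
    """Return (decision, score, reasons); decision is ALLOW, STEP_UP (demand MFA) or DENY."""
    if not attempt.password_ok:
        return "DENY", 100, ["invalid credentials"]
    score, reasons = 0, []
    if attempt.ip in DENYLISTED_IPS:
        score += 60
        reasons.append("source IP on denylist")
    if attempt.country not in baseline.countries:
        score += 30
        reasons.append(f"new country {attempt.country}")
    if attempt.device_id not in baseline.devices:
        score += 20
        reasons.append(f"unknown device {attempt.device_id}")
    if attempt.when.hour not in baseline.usual_hours:
        score += 10
        reasons.append(f"unusual hour {attempt.when.hour:02d}:00 UTC")
    prev = baseline.last_login
    if prev is not None:   # impossible travel relative to the last successful login
        hours = (attempt.when - prev.when).total_seconds() / 3600
        km = haversine_km(prev.lat, prev.lon, attempt.lat, attempt.lon)
        if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
            score += 40
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
    if score >= 70:
        return "DENY", score, reasons
    if score >= 25:
        return "STEP_UP", score, reasons
    return "ALLOW", score, reasons

def alice_baseline():
    """Constructed history: a US-based user on one known laptop, active 13:00-21:00 UTC."""
    last = LoginAttempt("alice", "198.51.100.10", "US", 40.7128, -74.0060, "laptop-7f3a",
                        datetime(2024, 5, 6, 14, 0, tzinfo=timezone.utc), True)
    return UserBaseline({"US"}, {"laptop-7f3a"}, set(range(13, 22)), last)

def sample_attempts():
    """Constructed attempts, each scored against the same baseline (New York, 14:00 UTC)."""
    utc = timezone.utc
    return [
        # Boston, known laptop, one hour after the last login
        LoginAttempt("alice", "198.51.100.11", "US", 42.3601, -71.0589, "laptop-7f3a",
                     datetime(2024, 5, 6, 15, 0, tzinfo=utc), True),
        # Frankfurt, unknown device, 2.5 h after a New York login
        LoginAttempt("alice", "192.0.2.77", "DE", 50.1109, 8.6821, "phone-c21e",
                     datetime(2024, 5, 6, 16, 30, tzinfo=utc), True),
        # Chicago, unknown device, 03:00 UTC the next day
        LoginAttempt("alice", "198.51.100.40", "US", 41.8781, -87.6298, "tablet-9b10",
                     datetime(2024, 5, 7, 3, 0, tzinfo=utc), True),
        # Boston again, known laptop, but the password is wrong
        LoginAttempt("alice", "198.51.100.11", "US", 42.3601, -71.0589, "laptop-7f3a",
                     datetime(2024, 5, 6, 15, 0, tzinfo=utc), False),
    ]

if __name__ == "__main__":
    base = alice_baseline()
    for a in sample_attempts():
        print(a.country, a.device_id, a.when.isoformat(), evaluate(a, base))
```

The Frankfurt attempt is worth noting: a new country plus an unknown device alone would only trigger step-up, but the impossible-travel check against the last login pushes it to an outright deny, which is the kind of signal a static password check cannot produce.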
Identity-based security models require the implementation and maintenance of Role-Based Access Control (RBAC), which assigns permissions to users based on their roles and responsibilities within the organization. This limits access to sensitive resources to those who need it. Emphasis is also placed on granting users the minimum privileges necessary to perform their job functions (least privilege), with regular review and revocation of unnecessary privileges to minimize the risk of privilege abuse. Other measures include access control lists (ACLs), firewall rules and network segmentation to control access to systems and data. Finally, access control policies must be reviewed and updated regularly to reflect changes in the organization’s structure and requirements.
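As an added example (not from the original article or any particular product), the block below implements a minimal RBAC model with deny-by-default authorization and the least-privilege review described above: it flags roles that no longer match a user’s current job title and permissions that have gone unused. The roles, permissions, job titles, users and dates are constructed for the illustration.

```python
# Added example (not from the original page): a minimal role-based access control
# (RBAC) model with deny-by-default authorization and a periodic least-privilege
# review. Role names, permissions, titles, users and dates are constructed.
from datetime import datetime, timedelta

# Roles bundle permissions; a user holds roles, never bare permissions.
ROLES = {
    "hr_analyst":    {"hr:read", "payroll:read"},
    "payroll_admin": {"payroll:read", "payroll:write"},
    "engineer":      {"repo:read", "repo:write", "ci:run"},
}

# Which roles each job title is expected to hold (the "should have" side of a review).
TITLE_ROLES = {
    "HR Analyst":        {"hr_analyst"},
    "Payroll Manager":   {"payroll_admin"},
    "Software Engineer": {"engineer"},
}

class AccessControl:
    def __init__(self, roles=ROLES):
        self.roles = roles
        self.user_roles = {}   # user -> set of role names
        self.titles = {}       # user -> current job title (from the HR system of record)
        self.last_used = {}    # (user, permission) -> when it was last exercised

    def set_title(self, user, title):
        self.titles[user] = title

    def assign(self, user, role):
        if role not in self.roles:
            raise ValueError(f"unknown role {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def permissions(self, user):
        """Effective permissions: the union of the user's roles (empty for an unknown user)."""
        return set().union(*(self.roles[r] for r in self.user_roles.get(user, set())))

    def authorize(self, user, permission, now=None):
        """Deny by default; record each use so the review can spot idle grants."""
        if permission not in self.permissions(user):
            return False
        self.last_used[(user, permission)] = now or datetime.now()
        return True

    def review(self, now, max_idle_days=90):
        """Flag roles that do not match the user's title and permissions idle too long."""
        findings = []
        for user, roles in self.user_roles.items():
            expected = TITLE_ROLES.get(self.titles.get(user), set())
            for role in sorted(roles - expected):
                findings.append((user, "role-mismatch", role))
            for perm in sorted(self.permissions(user)):
                used = self.last_used.get((user, perm))
                if used is None or now - used > timedelta(days=max_idle_days):
                    findings.append((user, "unused-permission", perm))
        return findings

def demo():
    """Constructed tenant: alice moved from payroll to HR and kept her old role."""
    ac = AccessControl()
    ac.set_title("alice", "HR Analyst")
    ac.assign("alice", "hr_analyst")
    ac.assign("alice", "payroll_admin")   # left over from a previous job, never cleaned up
    ac.set_title("bob", "Software Engineer")
    ac.assign("bob", "engineer")
    ac.authorize("alice", "hr:read", datetime(2024, 5, 20))
    ac.authorize("alice", "payroll:read", datetime(2024, 5, 25))
    ac.authorize("bob", "repo:read", datetime(2024, 5, 30))
    ac.authorize("bob", "repo:write", datetime(2024, 1, 15))   # more than 90 days ago
    return ac

def review_findings():
    """Run the quarterly review on the constructed tenant as of 1 June 2024."""
    return demo().review(now=datetime(2024, 6, 1))

if __name__ == "__main__":
    for finding in review_findings():
        print(finding)
```

Two design points carry over to real deployments: `authorize` answers from the user’s effective role set and never from an ad hoc per-user grant, so revoking a role removes every permission it carried; and usage is recorded on each authorization, which is what makes an evidence-based review possible rather than relying on managers to remember what a colleague still needs.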
Continuous monitoring is enabled by implementing a Security Information and Event Management (SIEM) system to collect and analyze logs and events from systems and applications, which helps identify and respond to security incidents in near real time. An intrusion detection and prevention system (IDPS) should be deployed to monitor network traffic, detect potential threats or malicious activity and block unauthorized access attempts. Lastly, User and Entity Behavior Analytics (UEBA) tools should be considered; they build a baseline of normal behavior for each user and entity and flag deviations that may indicate a compromised account or an insider threat.
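To make the UEBA idea concrete, the block below is an added example (not from the original article or any SIEM or UEBA product) that learns a per-user baseline from a week of access logs and then scores the next day against it. The log format (one “timestamp key=value …” event per line), the users and every event are constructed for the example, as are the three detections shown: activity outside a user’s usual hours, a daily volume far above the user’s mean, and an account with no history at all.

```python
# Added example (not from the original page): UEBA-style anomaly detection over
# access logs, of the kind a SIEM or UEBA tool would run continuously. The log
# format, the users and all events below are constructed for the example.
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

def parse_line(line):
    """'2024-05-13T09:00:00Z user=alice action=file_read resource=/x src=10.0.1.15' -> dict."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev

def build_baseline(events):
    """Per user: the hours they are normally active plus mean/stddev of daily event counts."""
    hours, daily = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for e in events:
        hours[e["user"]].add(e["ts"].hour)
        daily[e["user"]][e["ts"].date()] += 1
    return {u: {"hours": hours[u], "mean": mean(daily[u].values()), "std": pstdev(daily[u].values())}
            for u in hours}

def detect(events, baseline, sigma=3.0):
    """Return (user, kind, detail) alerts: off-hours activity, volume spikes, unknown users."""
    alerts, seen, daily = [], set(), defaultdict(lambda: defaultdict(int))
    for e in events:
        user, ts = e["user"], e["ts"]
        daily[user][ts.date()] += 1
        b = baseline.get(user)
        if b is None:
            key = (user, "no-baseline")
            if key not in seen:
                seen.add(key)
                alerts.append((user, "no-baseline", f"first seen {ts.isoformat()} from {e['src']}"))
        elif ts.hour not in b["hours"]:
            key = (user, "off-hours", ts.date(), ts.hour)   # one alert per user, day and hour
            if key not in seen:
                seen.add(key)
                alerts.append((user, "off-hours", f"{ts.date()} {ts.hour:02d}:00 UTC"))
    for user, days in daily.items():
        b = baseline.get(user)
        if b is None:
            continue
        threshold = b["mean"] + sigma * b["std"]
        for day, n in days.items():
            if n > threshold and n > 2 * b["mean"]:   # second test guards against a zero stddev
                alerts.append((user, "volume-spike", f"{day}: {n} events vs threshold {threshold:.1f}"))
    return alerts

def constructed_log():
    """Baseline week (13-17 May 2024) plus one scored day (20 May); every event is invented."""
    lines = []
    def add(day, hour, minute, user, action, resource, src):
        ts = datetime(2024, 5, day, hour, minute, tzinfo=timezone.utc)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} user={user} action={action} resource={resource} src={src}")
    for i, day in enumerate(range(13, 18)):            # Monday to Friday
        for h in (9, 13, 16):
            add(day, h, 5, "alice", "file_read", f"/finance/report-{i}.xlsx", "10.0.1.15")
        if i % 2 == 1:                                  # a fourth event on two of the days
            add(day, 11, 30, "alice", "file_read", "/finance/budget.xlsx", "10.0.1.15")
        for h in (8, 10, 14, 17):
            add(day, h, 0, "bob", "repo_push", "git/app", "10.0.2.8")
    # Scored day: alice pulls twelve finance files at 02:xx UTC from an address not seen
    # before, bob behaves as usual, and an account with no history appears.
    for m in range(12):
        add(20, 2, m, "alice", "file_read", f"/finance/payroll-{m}.csv", "10.0.9.77")
    for h in (8, 10, 14):
        add(20, h, 0, "bob", "repo_push", "git/app", "10.0.2.8")
    add(20, 10, 15, "carol", "file_read", "/finance/q2.xlsx", "10.0.3.3")
    return lines

def run_demo(sigma=3.0):
    """Learn from events before 18 May, score everything from then on."""
    events = [parse_line(line) for line in constructed_log()]
    cutoff = datetime(2024, 5, 18, tzinfo=timezone.utc)
    base = build_baseline([e for e in events if e["ts"] < cutoff])
    return detect([e for e in events if e["ts"] >= cutoff], base, sigma)

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Alice’s twelve reads at 02:00 produce one off-hours alert and one volume-spike alert rather than twelve of each; collapsing repeated signals is what keeps an analyst looking at the SIEM console instead of tuning it out. The account with no baseline is reported separately because a first-ever login is itself worth a look, and because a brand-new account has nothing to be compared against yet.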
Other controls that should be put in place as part of an identity-based security model include:
Security Awareness and Training
Employees should be regularly trained on security best practices, including phishing awareness, password hygiene and safe browsing habits to minimize the risk of human error and social engineering attacks. Organizations should consider periodically testing employees’ ability to identify and report phishing emails by conducting simulated phishing campaigns. Employees should also be provided with feedback and additional training once the test results are evaluated.
Regular Assessments and Audits
Identity-based security models also require periodic assessments to identify vulnerabilities and weaknesses in systems and applications. Penetration tests are needed to simulate real-world attacks and evaluate the effectiveness of an organization’s security controls. In addition, regular review and validation of user access privileges to ensure alignment with current job roles and responsibilities should be implemented, as well as processes that remove any unnecessary or outdated access.
Identity-based security is a layered model that requires continuous monitoring, updates and improvements. It is essential to stay updated on emerging threats and security best practices to protect the organization’s systems and data effectively. Moreover, keep in mind that hybrid environments (i.e., using on-premises as well as cloud resources) require a combination of perimeter-based and identity-based approaches to achieve a comprehensive security posture.
We make sure organizations have the tools, resources and support they need to mitigate risks in an ever-changing landscape. Partner with Sikich to develop a plan to help your business move forward with certainty.