The idea of perimeter defense is as old as servers themselves – say the word and it conjures up images of ENIAC-sized machines buzzing in locked rooms, firewalls separating them from the outside world. Unless you work for the CIA, that’s likely not your reality. Instead, the data you secure lives in the cloud, flowing through laptops and cellphones around the world. APIs connect in; emails go out. When information is everywhere, security must be everywhere, too, leaving those who remember real servers to wonder if there’s even such a thing as the perimeter anymore.
“[The perimeter] is a very limited mindset which breaks down in a Wi-Fi and cloud world,” Keith Casey says. In addition to serving as adviser to multiple startups, Casey is an API problem solver at Okta, a San Francisco-based identity cloud provider. “Because we can’t count on the borders that we’ve always counted on, things are different,” he explains. “Previously, [IT] could say if you’re on our network – on our physical, hard-wired network – here are the security protocols. If you have physical access to our network, we can trust you.”
Pre-cloud, this perimeter was always reinforced by internal defenses such as antivirus scanning or endpoint protection tools. Both then and now, Casey says, “Perimeter by itself isn’t enough. If I get inside, I can run wild. It’s like not using a safe because you keep your front door locked.” In that way, best practices haven’t changed: It’s always a good idea to have a rear guard.
However, Casey says, “The faster we can kill off the idea of the perimeter, the better it is because it gives people a false sense of security.” In a world where employees work on multiple devices from anywhere in the world, the perimeter as we knew it barely exists. Now, authorization – and not a firewall – is what he says keeps employees from “log[ging] into your corporate bank account at 2 am in Vegas.” Authorization has been traditionally thought of as an internal defense.
Regardless of the type of security that’s supposed to catch it, that Vegas login likely isn’t welcome. At Centre College in Danville, Kentucky, 2 a.m. logins from London, Shanghai, and Strasbourg are. Eighty-five percent of Centre students study abroad at least once and can access email, the college’s learning management system, and campus intranet wherever they are.
Like any college, Centre’s data chain starts when a high-schooler connects with admissions, continues through four years of enrollment, then follows alumni the rest of their lives. So senior systems and network coordinator Shane Wilson must secure everything from teenagers’ social security numbers to the banking coordinates graduates provide when they donate. Then, like any workplace, there’s employee data to protect as well.
To do this, Wilson relies on perimeter defense more than trends might predict: “Several years ago all the articles [said], ‘The perimeter’s dead. It doesn’t exist anymore. Don’t worry about firewalls,’ and then it went along as a concept for a little while and then, ‘Oh, you really do need to still do that stuff. Don’t just ignore it.’” Fortunately, as perimeter security has fallen out of and back into style, firewalls, intrusion detection systems, and intrusion prevention systems never lost their place at Centre College: Enterprise resource planning (ERP) software – which contains employee and student personally identifiable information (PII) – remains under a traditional perimeter.
Wilson admits there isn’t a perimeter around everything – nor should there be. Take the college theater, for example. It uses a SaaS ticketing platform from a vendor with its own security. Student email isn’t behind the perimeter anymore, either. Four years ago, Wilson moved it to Microsoft Office 365. Then there’s all the info in between, like the code for centre.edu – the college website.
Wilson says, “There’s nothing [on the site] that you’re literally not telling the world anyway. For it, the important part [isn’t preventing exfiltration; it’s] not having it hacked.” In the end, most data is protected by a hybrid system, hosted on physical servers that the college accesses through the cloud. Those servers sit behind on-premises perimeter defenses, and internal defenses then protect the connection to them.
Casey might say this practice is proof that the perimeter is changing, that perimeter and internal security are morphing into a layered defense that operates internally, in the cloud, or both. “We need to understand that the perimeter is not physical and that it changes over time,” he says. Going back to the Vegas example, he adds, “Security based just on where you are is not good enough. We need to have security based on who you are and what you’re trying to do at that particular moment.”
The future of security is, therefore, not perimeter or internal. It’s a multifaceted defense that looks a little like both. “It’s the idea that there’s no one solution that will cover everything but there’s a lot of different level permissions that change over time,” Casey continues. Just as the original perimeter defense was a way of saying, ‘If you got through, you must be okay,’ he says, “Defense in depth can address different use cases and effectively create ‘security zones’ where you do/don’t have access – like at the airport.” Then it’s no longer about the perimeter keeping you out and internal defenses keeping you out of trouble once you get in. It’s about evaluating data and permissions on a higher, more finessed level.
“[Casey] is correct,” Wilson says. “The perimeter does exist, but it’s just different – it’s more prioritized.”
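The layered model Casey and Wilson describe, in which a request is judged on who the user is, what they are trying to do, and the context of the moment rather than on network location alone, can be sketched as a small policy engine. The following is an added example written for this article, not code from Okta, Centre College, or either interviewee; the zone names, assurance levels, roles, and sample requests are all constructed for illustration. It assigns each resource to a security zone with its own requirements, so a student reading email from Shanghai at 2 a.m. is allowed while a finance transfer from a hotel at the same hour is refused, and a staff member on campus who is one factor short is challenged for MFA instead of being turned away outright.

```python
"""Context-aware access evaluation across security zones.

Added example (not from the article, Okta or Centre College): a toy policy
engine that decides on a request using who the user is, what they are trying
to do, and the context of the moment (device, network, time) instead of only
where the request comes from.  All zones, levels and requests are constructed.
"""
from dataclasses import dataclass

# Each zone states what a request must satisfy. "assurance" is the minimum
# authentication strength; "roles" restricts who may enter (None = anyone);
# "actions" lists what may be done there; "networks" restricts where from;
# "hours" is an allowed local-time window (start, end). Values are constructed.
ZONES = {
    "public-web":    {"assurance": 0, "roles": None,               "actions": {"read"},
                      "networks": None,       "hours": None},
    "student-email": {"assurance": 1, "roles": {"student", "staff"}, "actions": {"read", "send"},
                      "networks": None,       "hours": None},
    "erp-pii":       {"assurance": 3, "roles": {"staff"},          "actions": {"read", "update"},
                      "networks": {"campus"}, "hours": None},
    "finance":       {"assurance": 3, "roles": {"finance"},        "actions": {"read", "transfer"},
                      "networks": {"campus"}, "hours": (7, 19)},
}


@dataclass
class AccessRequest:
    user: str
    roles: set
    zone: str
    action: str          # what the user is trying to do, e.g. "read", "transfer"
    authenticated: bool
    mfa: bool
    managed_device: bool
    network: str         # "campus" or "remote"
    local_hour: int      # hour of day at the user's location, 0-23


def assurance(req):
    """Authentication strength: 1 for a password, +1 for MFA, +1 for a managed device."""
    if not req.authenticated:
        return 0
    return 1 + int(req.mfa) + int(req.managed_device)


def evaluate(req):
    """Return (decision, reason); decision is 'allow', 'deny' or 'step-up'."""
    policy = ZONES.get(req.zone)
    if policy is None:
        return "deny", f"unknown zone {req.zone!r}"
    if req.action not in policy["actions"]:
        return "deny", f"action {req.action!r} not defined for zone"
    if policy["roles"] is not None and not (req.roles & policy["roles"]):
        return "deny", "role not permitted in zone"
    if policy["networks"] is not None and req.network not in policy["networks"]:
        return "deny", f"zone not reachable from {req.network} network"
    if policy["hours"] is not None:
        start, end = policy["hours"]
        if not (start <= req.local_hour < end):
            return "deny", f"outside permitted hours ({start:02d}:00-{end:02d}:00 local)"
    have, need = assurance(req), policy["assurance"]
    if have >= need:
        return "allow", f"assurance {have} meets {need}"
    # Exactly one level short and MFA is the missing factor: challenge, don't refuse.
    if need - have == 1 and not req.mfa:
        return "step-up", "MFA required for this zone"
    return "deny", f"assurance {have} below required {need}"


if __name__ == "__main__":
    # Constructed requests: a student abroad, a late-night remote finance
    # transfer, and a staff member on campus with and without MFA.
    samples = [
        AccessRequest("lin", {"student"}, "student-email", "read", True, False, False, "remote", 2),
        AccessRequest("pat", {"staff", "finance"}, "finance", "transfer", True, True, True, "remote", 2),
        AccessRequest("pat", {"staff"}, "erp-pii", "read", True, True, True, "campus", 10),
        AccessRequest("pat", {"staff"}, "erp-pii", "read", True, False, True, "campus", 10),
    ]
    for s in samples:
        decision, reason = evaluate(s)
        print(f"{s.user:4} {s.zone:14} {s.action:9} {s.network:7} {s.local_hour:02d}:00 -> {decision:8} {reason}")
```

The ordering of checks matters for the reasons a log will show: role, network, and hours are evaluated before authentication strength, so a request refused for being off-campus is reported as such rather than as an MFA problem, and the step-up branch only fires when stronger authentication would actually change the outcome.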
Centre College’s transition to this new reality has been intentionally slow, taking 10 to 12 years. “We’re not cutting edge,” Wilson admits, “but we’ve been happy not to be.” Centre is a small liberal arts college with a brand reputation for teaching students to logically and independently reflect before making conscious decisions. Wilson’s security approach must mirror the institution itself – not just so he can get internal buy-in come budget time, but so his department can make the decisions that are best for his employer. “Frankly, my information is in that system,” he adds. “It is in my own best interest to make sure our systems are secure.”
This is true no matter where you work or how progressive the environment. Wilson says, “A lot of places have actually found that they have migrated things out” just to bring that information back behind the perimeter. The decision you make, he concludes, must take into account “[what’s] really important to the mission of the business whether you’re Ford Motor Company or Centre College.”