It's a bit late for me to coin that phrase, isn't it? But at nearly every CISO event I've attended over the past few years, we all agree that the perimeter firewall is no longer an effective control. There's no doubt that dependence on the perimeter to protect a squishy center doesn't work.
Defense in depth is critical, and firewalls are frequently effective as an initial layer that repels the majority of attacks. On the positive side, they knock out the vast majority of trivial attacks and reduce the attack surface exposed to the Internet. But I believe the net impact of the perimeter-based security paradigm is negative.
On the negative side, firewalls are slow and difficult to change (at many mid-size to large enterprises, implementing a firewall rule takes weeks or months). That incentivizes people to try to circumvent the firewall, and the firewall itself is defeated fairly easily by low-complexity attacks like phishing and drive-by downloads that ride on approved protocols. Most damning, the firewall has become the reason it's okay to allow insecure protocols to keep running on the corporate network. How many of us have allowed an old legacy application to continue running on the network because changing it would break a business process and "it's behind the firewall anyway"?
I've contributed just as eagerly as anyone else during these conversations, but something has always felt wrong about them. Something was missing. Even though the perimeter is an ineffective model, I've still had a strong perimeter in every security program I've been a part of. And I've invested a lot of financial and personnel resources into it. I've stacked IPS, DLP, web content filters, and other security technologies right there at the ingress and egress points. If the perimeter is dead, why am I still investing so heavily in it?
The problem isn't that the premise is wrong. What's missing is a replacement: we haven't put a new paradigm in place of the perimeter, and we can't rip out our firewalls until we have one.
Secure access to all resources is the goal, and it can be defined as, "ensuring the right people have the right level of access to the right resources, in the right context."
Forrester has done a lot of work on this concept, which they've called Zero Trust. Their model assumes that all traffic, inside the network as well as outside, could be malicious. At the center of the Zero Trust model is a high level of assurance about the identity and access rights of every user, federated to the entire environment.
In 2015, Google released their BeyondCorp white paper (and Ping Identity CTO Patrick Harding blogged about it). They showed the world that it's possible to create a security model that (1) puts user identity at the center of the model, (2) does not unduly depend on the perimeter, (3) allows convenient and secure access to corporate resources and (4) doesn't give an inch on providing the highest possible level of security assurance. For those of us looking for a new paradigm, BeyondCorp is a revelation.
I was brought to Ping Identity, in large part, to lead a team that's creating our own model for the implementation of identity-centric security. We call this program RedCorp. We're leveraging the Identity Defined Security Alliance to combine best-of-breed technologies with effective processes and excellent security staff.
I'm convinced that we're on the cusp of a revolution in security. Rather than paying lip service to the truth that the perimeter is dead, we now have the technologies to enable the next generation of security, where secure access is granted not by being in an environment but through adaptive authentication of a user with a current need to access specific data. Ping Identity is right at the center of this revolution.
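To make the "right people, right access, right resources, right context" definition concrete, here is an added toy access-decision function in the spirit of the Zero Trust and BeyondCorp models described above. It is illustrative code written for this post, not Ping Identity's RedCorp implementation or Google's BeyondCorp code; the resource names, groups, device attributes, session-age limits and step-up thresholds are all assumptions chosen for the example. The point it demonstrates is that the request's source network is carried along for logging but never consulted: entitlement, device posture and authentication freshness decide the outcome, and a user on the corporate LAN with an unmanaged laptop fares worse than a remote user on a healthy, enrolled device.

```python
"""Added illustration (not RedCorp or BeyondCorp code): a toy zero-trust
access decision keyed on identity, device posture and context, never on
network location."""
from dataclasses import dataclass
from enum import Enum, IntEnum


class Sensitivity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # admit only after a fresh or stronger authentication
    DENY = "deny"


@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset
    mfa_verified: bool        # did this session complete a second factor?
    auth_age_seconds: int     # seconds since the last successful authentication


@dataclass(frozen=True)
class Device:
    managed: bool             # enrolled in the device inventory (assumed attribute)
    disk_encrypted: bool
    patched: bool


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: Sensitivity
    allowed_groups: frozenset


@dataclass(frozen=True)
class Request:
    identity: Identity
    device: Device
    resource: Resource
    source_network: str       # logged only; deliberately never used by decide()


# Assumed policy: how stale a session may be before step-up, by sensitivity.
MAX_AUTH_AGE = {
    Sensitivity.LOW: 8 * 3600,
    Sensitivity.MEDIUM: 3600,
    Sensitivity.HIGH: 10 * 60,
}


def decide(req: Request) -> tuple:
    """Return (Decision, reason). Checks run in order: entitlement, then device
    posture, then authentication strength and freshness. Network is ignored."""
    ident, dev, res = req.identity, req.device, req.resource

    # 1. Right people / right resources: entitlement, regardless of where the request originates.
    if not (ident.groups & res.allowed_groups):
        return Decision.DENY, f"{ident.user} is not entitled to {res.name}"

    # 2. Right context: device posture requirements scale with resource sensitivity.
    if res.sensitivity >= Sensitivity.MEDIUM and not dev.managed:
        return Decision.DENY, f"unmanaged device may not reach {res.name}"
    if res.sensitivity == Sensitivity.HIGH and not (dev.disk_encrypted and dev.patched):
        return Decision.DENY, f"device posture insufficient for {res.name}"

    # 3. Right level of access: adaptive authentication. High-sensitivity data needs a
    #    second factor, and every session has a freshness bound tied to sensitivity.
    if res.sensitivity == Sensitivity.HIGH and not ident.mfa_verified:
        return Decision.STEP_UP, f"{res.name} requires a second factor"
    if ident.auth_age_seconds > MAX_AUTH_AGE[res.sensitivity]:
        return Decision.STEP_UP, "authentication too old for this resource"

    return Decision.ALLOW, f"{ident.user} may access {res.name}"


# Constructed sample data for the demo (not real users, groups or systems).
PAYROLL = Resource("payroll-db", Sensitivity.HIGH, frozenset({"hr"}))
WIKI = Resource("wiki", Sensitivity.LOW, frozenset({"staff"}))
MANAGED = Device(managed=True, disk_encrypted=True, patched=True)
BYOD = Device(managed=False, disk_encrypted=False, patched=True)
ALICE = Identity("alice", frozenset({"hr", "staff"}), mfa_verified=True, auth_age_seconds=60)
BOB = Identity("bob", frozenset({"eng", "staff"}), mfa_verified=False, auth_age_seconds=3600)


def demo() -> dict:
    """Evaluate a handful of constructed requests and return name -> Decision."""
    cases = {
        # On the corporate LAN, but an unmanaged laptop: being "inside" buys nothing.
        "lan_byod_payroll": Request(ALICE, BYOD, PAYROLL, "corp-lan"),
        # From the Internet on a healthy managed device with fresh MFA: allowed.
        "remote_managed_payroll": Request(ALICE, MANAGED, PAYROLL, "internet"),
        # Same user and device, but the session is older than HIGH tolerates: step-up.
        "remote_stale_payroll": Request(
            Identity("alice", ALICE.groups, True, 3600), MANAGED, PAYROLL, "internet"),
        # Not in HR: denied on entitlement before posture is even considered.
        "lan_engineer_payroll": Request(BOB, MANAGED, PAYROLL, "corp-lan"),
        # Low-sensitivity wiki from a personal device, no MFA: fine under this policy.
        "byod_wiki": Request(BOB, BYOD, WIKI, "internet"),
    }
    return {name: decide(req)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24s} -> {decision.value}")
```

The ordering inside `decide()` is a deliberate design choice: an entitlement failure is reported before any device or session detail, so the function never leaks "your device would have been good enough" to a user who should not reach the resource at all. In a real deployment the device attributes would come from an inventory or attestation source and the session attributes from the identity provider, which is exactly the "federating that information to the entire environment" piece of the model.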
I'm excited to share my journey and our learnings with you, and to learn from your own experiences. I encourage you to reach out to me at CISO@pingidentity.com to ask questions or share with me.