The Secure Perimeter is Gone
We have an opportunity. This year has radically accelerated a fundamental shift that has been going on for quite some time. A core component of our security architecture has been eliminated.
The “secure perimeter” – an antiquated concept from the days when computers took up an entire room – has all but vanished. “Security”, in those days, was defined by who could physically enter the room. Logical and physical security was centralized. When workstations became commonplace, the secure perimeter was built around the end-point. Every evolution of computing technology has tried to recreate the physical perimeter in one way or another. But the reliance on “end-point mentality” is fundamentally flawed. After all, end-points can be mimicked, spoofed, and intercepted. As long as we have tried to reinforce this antiquated model, we have missed the mark. The perimeter has continued to vanish over time.
More and more devices have been deployed, which has created more and more complexity. At the same time, we continue to see more and more data breaches, more and more lost data, more customer confusion, more regulation, more friction and more problems — all of these issues can be traced to the breakdown of the “secure perimeter”.
Genius has been deployed in inventing and distributing computers whose capabilities vastly outstrip the greatest dreams of our predecessors. But just as the internal components of these computers have evolved with the times, so too do the components of our security architecture need an evolution. Not only has the concept of the “secure perimeter” failed consistently, the concept itself limits what we can do with these new devices if we think differently about them.
In 1997, Steve Jobs challenged us to “Think Different” – we now have the opportunity to think big, think new, think different about how we solve for the vanished perimeter.
2020 is the year that everything changed. Over the last 30 years, there has been a slow, cultural shift breaking down the fortifications of the secure perimeter. Telecommuting, work-from-home, “Bring-Your-Own-Device” and other movements have slowly been eroding the cornerstones of these fortifications. However, while we have had the capability to be a fully remote workforce, it wasn’t until the COVID-19 lockdown started in March that the movement became a stampede, which became an avalanche, which rolled over our concept of a secure perimeter and forced us to reconsider this outmoded concept.
This is a catalyzing moment. One that we can take advantage of to not only fix faulty assumptions, but augment our architecture in such a way as to provide access that our customers, partners and employees never imagined. After all, could you imagine what the world would be like without walls? Imagine feeling safe, secure, protected without needing a fortification.
As a business executive who was part of the first National Cybersecurity Awareness Month, I will grant that this concept seems terrifying. I share the responsibilities many of you have. I share the responsibility to protect customer data, to guard partner resources, I absolutely need to guard our intellectual property, to ensure that we retain our competitive edge, generating revenue and providing for my employees’ livelihoods. There are regulatory and industry considerations that I, like you, need to take into account. We are all governed by a complex set of risk signals including customer satisfaction, employee needs and more. Doing something “new and visionary” may make for a good sound bite, but sometimes the inertia of the status quo leads to fear-based decisions.
Many fear-based decisions can lead you down the wrong path and eliminate opportun paths and options.
When I had the privilege of running PGP, we had a discussion with a major bank. We were talking about encryption and – at the time – encryption was very siloed. At a meeting involving security architects and Line of Business owners, one of my architects asked, “How would your business be different if all of your data was encrypted automatically?”
The Line of Business people said, “Well, that’s preposterous. That’s too hard to do. There are system level changes… and… and… and…”
The bank’s security architect chimed in, “No. We never started with that to begin with. That would dramatically change how we did our business.”
The architecture guys could see that, if they encrypted everything, they could do things more fluidly, with less overhead, less friction. But the Line of Business team didn’t realize the potential and there ensued a disagreement around the table.
There is an effect that status quo inertia has on business.
That was a seminal moment for me. I saw the rut. I saw the effect that status quo inertia could have on business decisions.
As the head of Nok Nok, as someone who was part of the group that proposed what is now the FIDO standard – the standard that was designed from the very beginning to eliminate phishing and account take-over, to eliminate credential stuffing and reduce your attack vectors – as a person who was involved in that, I have seen the same arguments enter this discussion where the people around the table want to solve the problem incrementally and not holistically. Because of that, arguments over budgets, over roles and responsibilities, over a variety of things end up stalling or eliminating changes that could be beneficial.
There are industry groups that realize that, as much as we have advanced technologies from the days of the mainframe, we have also introduced tremendous risk. This is the 17th year we have emphasized awareness of cybersecurity. But we are still talking about “secure perimeters”. We are still talking about things that are 50, 60 years old. I do not suggest that we wipe the slate clean. I do suggest that we stop solving these problems incrementally, that we start solving them holistically.
We need to think different. We need to think holistic.
In the end, we really just have people and devices walking around looking for services. This pandemic has caused a massive explosion in that behavior. People were used to coming and getting services from an office or a building – that entire paradigm has had to be re-thought. While we are re-thinking that, why don’t we take some of the good parts that do work and take some new things, new ideas about what could work and make a better future.
