Beyond the Perimeter: Shifting Focus to Users & Devices
Moving beyond the perimeter is about shifting the security focus from network-based to more identity-based (users and devices). At login, the identity of a user and the security posture of their device is verified before access is granted.
This concept is explained in the infosec industry a couple different ways - from a zero-trust security model to the software-defined perimeter. The two major reasons for this shift can be explained by the effectiveness and user experience of this security approach.
Identity-based attacks target user and device access; two aspects not protected by perimeter-based defenses. Earlier this year, a US-CERT (United States Computer Emergency Readiness Team) alert about attacks against organizations in the energy, nuclear, water aviation and critical manufacturing sectors revealed how threat actors bypassed these defenses.
Initially, threat actors used compromised credentials to access the networks of energy organizations not protected by multi-factor authentication - then a series of steps followed:
- Once they gained remote access, they used scripts to create new local admin accounts.
- Then, they were able to disable the firewall and open up a port for persistent RDP (Remote Desktop Protocol) access.
- They also stole even more credentials by leveraging Microsoft’s Server Message Block (SMB) authentication process.
As a result of bypassing the firewall and stealing the keys to proving user identity (passwords), they were able to access system files, virtual profiles and configuration information on how to access industrial control systems on the network.
These types of attacks are not unusual for any type of industry - showing a clear need for enhanced security that is actually effective. Moving beyond traditional perimeter-based controls, Duo Beyond addresses threats that can bypass the firewall, including stolen passwords, policy gaps, vulnerable endpoints and more.
Weak authentication can result in compromises via phishing attacks, while the threat of malware infection is increased when your users are accessing your networks with out-of-date and personal devices that you don’t have any insight into or control over.
To prevent these types of threats, Duo Beyond focuses on the combination of an authenticated user and a secure, healthy device. With risk-based, adaptive two-factor authentication, you can both verify the identities of your users and apply stronger user access policies at login. Duo Beyond also checks the security posture of their devices to ensure they meet your security requirements, and whether or not they’re a trusted device, with the presence of a company-issued certificate.
Security is only as effective as it is usable. More people than ever are working remotely from different locations, using different devices. While technology has quickly evolved to accommodate this new working and consumer model, security also needs to integrate with this technology and work with users, not against them.
That might mean finding a secure access solution that doesn't require clunky clients or software that is either unsupported on mobile devices or inelegant in use. Virtual private networks (VPNs) encrypt data sent over the internet, but may not always support all types of remote users and their devices.
This is the mission behind Google's BeyondCorp security model - to design an internal framework that allows “every Google employee to work successfully from untrusted networks without use of a VPN.”
Similarly, Duo Beyond is designed to give your users access with ease via secure single sign-on (SSO), accessible over any web browser with internet access. By logging in once, they can securely access certain applications deemed appropriate by administrators, after completing two-factor authentication to verify their identity and passing device security checks by the system.
Moving beyond the perimeter into this new era of remote access requires the combination of effective security and a smooth user experience - make sure your security technology can deliver.