RSAC 2018: Dynamic? Dead? Disappearing? What’s Up With the Perimeter
Overheard at RSAC 2018: The disappearing perimeter. The data perimeter. The shifting perimeter. A dynamic perimeter. The death of the concept of a trusted network. Software-defined perimeters. Zero-trust security model.
Whatever you choose to call it, it was a major strategic theme echoed among leaders in the infosec space at this year's annual RSA Conference in San Francisco.
Thursday afternoon's keynote, How Do I Get My Company to Ditch the Firewall, given by Akamai’s Chief Security Officer Andy Ellis and Vice President Josh Shaul, dove into the death of the trusted network (something behind a firewall, trusted until you put something on your private network).
These days, the world is too complex and interconnected - attackers often use our trust in networks to gain access and enable lateral movement in the enterprise, which can lead to data breaches.
Virtual private networks (VPNs) imply a trusted environment - once you're in, you've got access to everything. We need to stop trusting anyone that we allow onto our network. We also need to trust our employees, while figuring out a way to not infer trust from location alone.
As a result, there's a need for secure remote access to ensure our data isn't subject to modification. We need to know who is accessing what.
While we used to think of perimeters as centralized and physical (supported by firewalls), nowadays the data perimeter is actually the boundary between the data and the person.
The most basic model of proving your identity started with the password, and this model of proving a known factor has stuck over the years. But we keep layering controls on top of controls, because the controls we have don't fundamentally work. Those include randomized password tips and requiring that users change them every so often.
In their talk, they referenced the 2009 Operation Aurora breach, which allowed an adversary to move throughout their environment and across servers by using passwords. Domain admins were logging in with their admin accounts to read email; once compromised, the adversary was able to move across every server. This motivated them to dig deeper to find their fundamental problem.
They were also faced with traveling users who wanted to use their phones to access the intranet, over the internet, without a VPN.
As the information security/tech industry, it's our job to enable the business as users move out of the network. It's time to get rid of the concept of 'inside' the network, and get rid of ineffective controls. We're not necessarily ditching them, but just moving them.
Akamai started to move their perimeter controls by implementing single sign-on (SSO) to control who gets access to what, which allows for a single point of presence across all web applications. They were able to distribute SSO across their content delivery network (CDN) on all applications.
They also had certificates across all of their devices to allow people to authenticate onto their network.
In addition to SSO, passwords and certificates, they wanted another factor of authentication. So they added push-based multi-factor authentication (MFA) enabled through smartphones by rolling out Duo. After enabling all of these access controls, they got rid of the password altogether - and their users loved it.
Akamai demoed the typical login process at their company, starting with the certificate on the device, which authenticates itself. This prompts their SSO to send a Duo Push to the user, which the user approves by tapping the green Approve button in the Duo Mobile app.
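To make the contrast concrete, here is an added example (not code from the talk or from Akamai) that compares a location-based decision with a per-request decision requiring a device certificate, push approval and an application entitlement. The network range, users, applications and function names are all assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data: corporate range and per-application entitlements.
CORP_NET = ipaddress.ip_network("10.0.0.0/8")
ENTITLEMENTS = {"wiki": {"alice", "bob"}, "payroll": {"alice"}}

@dataclass(frozen=True)
class Request:
    user: str
    app: str
    source_ip: str
    device_cert_valid: bool  # outcome of device certificate verification
    push_approved: bool      # outcome of the push-based MFA prompt

def perimeter_decide(req):
    """Legacy model: anything arriving from inside the network is trusted."""
    return ipaddress.ip_address(req.source_ip) in CORP_NET

def per_request_decide(req):
    """Assumed sketch of the described approach: location grants nothing."""
    if not req.device_cert_valid:
        return False, "device certificate missing or invalid"
    if not req.push_approved:
        return False, "push approval not received"
    if req.user not in ENTITLEMENTS.get(req.app, set()):
        return False, "user not entitled to this application"
    return True, "device, push approval and entitlement verified"

# Constructed requests: an unmanaged host on the internal network, an entitled
# user on a phone over the internet (203.0.113.0/24 is a documentation range),
# and a fully authenticated internal user asking for an app they lack.
INSIDE_UNMANAGED = Request("bob", "payroll", "10.1.2.3", False, False)
REMOTE_MANAGED = Request("alice", "payroll", "203.0.113.7", True, True)
INSIDE_NOT_ENTITLED = Request("bob", "payroll", "10.1.2.3", True, True)

if __name__ == "__main__":
    for r in (INSIDE_UNMANAGED, REMOTE_MANAGED, INSIDE_NOT_ENTITLED):
        print(r.user, r.app, r.source_ip,
              "perimeter:", perimeter_decide(r),
              "per-request:", per_request_decide(r))
```

The first request is the lateral-movement case: the legacy check admits it purely because of its address, while the per-request check rejects it before any application is reached.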
Focusing on the end user experience is critical to succeeding in security.
Stay tuned for continued coverage of RSAC talks on the topic of the perimeter: my next blog post in the series explains the main takeaways from Google on BeyondCorp: Empowering Employees with Security for the Cloud Era, a talk by Jennifer Lin, Director, Security, Google Cloud.