Access Decisions as Perimeter

Sometimes I just flat-out stumble trying to explain certain cyber security concepts. And no concept throws up more speed bumps on the way to a clear definition than the humble perimeter. Every day, I hear students, customers, and even security professionals asking about this architectural staple of enterprise protection. They want to know what I mean when I say the perimeter doesn’t work, or that the perimeter is a mirage, or that it is dissolving, and on and on. And they demand a proper definition of the damn thing.

It is the network delineation between inside and outside, I might clumsily offer – which immediately raises the question of whether a cloud workload in AWS is inside the perimeter, outside it, or perhaps simultaneously in both states (like some weird security qubit). Perimeter is functionality that wraps network protections around a resource, I might say, which raises the question of whether this applies to a cloud operating system with APIs. You get the idea: Defining perimeter is hard.

So I was delighted when one of our industry veterans and experts, Wendy Nather of Duo Security, offered an explanation last week that was ten times better than anything I’d ever created. “Perimeter,” Wendy explained, “is any place you make an access control decision.” Not only is her succinct definition elegant and correct, but she managed to use only ten words to deliver it. After she said it, I tapped the definition into my phone. It’s my new baseline.

Her remarks were made during a lovely CISO dinner last week at Lupa Osteria Romana in New York sponsored by Duo. Wendy was welcoming the group and suggesting table discussion topics – and as a longtime fan of the company, as well as their fine CEO Dug Song, I’d expected the conversations to focus primarily on multi-factor authentication. Interestingly, the topic barely came up – which I found to be quite extraordinary. Instead, we talked more generally about reducing access risk.

Proper access control, participants at my discussion table agreed, must be done with diverse layers of cyber defense, each designed to address risk from complementary but heterogeneous perspectives. “Just because you place armed guards at the front door,” Wendy explained, “this does not remove the need to include solid local protections for any valuable assets located inside.” And this makes perfect sense – especially in hybrid architectures.

The modern enterprise access challenge, as I see it, is that so much of the corporate resource base will soon be scattered across so many different cloud workloads that Fort Knox-style, firewall-based DMZs will soon look like large concrete doors in the middle of a desert: isolated, unnecessary, easy to bypass, awkward in their placement. In their stead will be distributed, virtualized access control points located adjacent to the assets they are designed to protect.
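To make that contrast concrete, here is a small added illustration of my own (it is not Duo’s code, nor anything shown at the dinner). It models the two designs side by side: a single edge decision that trusts anything already on the corporate network, versus a decision point sitting next to each asset that weighs who is asking, whether they proved it with MFA, and what shape their device is in. The 10.0.0.0/8 “inside” range, the users alice, bob and mallory, the resource catalogue and the policy rules are all assumptions made up for the example.

```python
# Added example: "perimeter is any place you make an access control decision".
# Illustrative only; the network range, users, resource catalogue and policy
# rules are assumptions made for this example, not anything from Duo.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed "inside" address space that a classic DMZ/firewall design trusts.
CORP_NET = ip_network("10.0.0.0/8")

# Hypothetical resource catalogue: sensitivity tier and who is entitled.
RESOURCES = {
    "wiki":    {"tier": "low",  "entitled": {"alice", "bob", "mallory"}},
    "payroll": {"tier": "high", "entitled": {"alice"}},
    "prod-db": {"tier": "high", "entitled": {"bob"}},
}


@dataclass(frozen=True)
class Request:
    """Context available at the point of decision (all fields constructed)."""
    user: str
    src_ip: str
    mfa_verified: bool
    device_managed: bool
    device_patched: bool
    resource: str


def perimeter_only(req: Request) -> bool:
    """One decision at the network edge: if you are 'inside', you are trusted.
    This is the armed guard at the front door and nothing else."""
    return ip_address(req.src_ip) in CORP_NET


def layered_decision(req: Request) -> tuple[bool, list[str]]:
    """Decision point sitting next to the asset. Each check is a place an access
    control decision is made, i.e. a perimeter in Wendy Nather's sense.
    Source network is deliberately not consulted: location is not identity."""
    meta = RESOURCES.get(req.resource)
    if meta is None:
        return False, ["unknown resource"]
    reasons = []
    if req.user not in meta["entitled"]:
        reasons.append("not entitled")
    if not req.mfa_verified:
        reasons.append("mfa required")
    if meta["tier"] == "high":          # local protection scales with asset value
        if not req.device_managed:
            reasons.append("unmanaged device")
        if not req.device_patched:
            reasons.append("device out of date")
    return not reasons, reasons


def sample_requests() -> dict[str, Request]:
    """Constructed scenarios (addresses from RFC 5737 and the assumed corp range)."""
    return {
        # Legitimate remote worker on a healthy managed laptop.
        "alice_remote_payroll": Request("alice", "203.0.113.5", True, True, True, "payroll"),
        # Compromised desktop already on the corporate LAN, no MFA, no posture.
        "mallory_inside_payroll": Request("mallory", "10.1.2.3", False, False, False, "payroll"),
        # Same host reaching a low-value resource it is entitled to.
        "mallory_inside_wiki": Request("mallory", "10.1.2.3", False, False, False, "wiki"),
        # Entitled admin on the LAN with MFA, but the device has missed patches.
        "bob_inside_prod_db": Request("bob", "10.7.7.7", True, True, False, "prod-db"),
    }


def evaluate_all() -> dict[str, dict]:
    """Run both policies over the scenarios and return the verdicts side by side."""
    results = {}
    for name, req in sample_requests().items():
        allowed, reasons = layered_decision(req)
        results[name] = {
            "perimeter_only": perimeter_only(req),
            "layered": allowed,
            "reasons": reasons,
        }
    return results


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:24s} edge={verdict['perimeter_only']!s:5s} "
              f"resource={verdict['layered']!s:5s} {verdict['reasons']}")
```

Run it and the two designs disagree on every scenario: the edge check turns away Alice working from home while waving through a compromised host on the LAN, and it cannot tell Bob that his otherwise legitimate session is coming from an unpatched machine. The per-asset decision point gets all of those right, and each check it makes is itself a perimeter in the sense of the definition above.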

It was encouraging to see a world-class MFA company like Duo emphasize these points. Traditional VPN-style access across a carefully policed perimeter to reach intranet-based resources on an enterprise network or website will soon look like that simulated wood-grain answering machine that was on your desk in 1987. But the definition of perimeter – the one Wendy so elegantly offered – well, that will be valid for the foreseeable future. Welcome to the world of hybrid.

As part of this concept of perimeter based on access control decision-making, seamless single sign-on (SSO) based on secure logins will be the new norm for users with mobile devices trying to reach apps in either on-premises virtualized data centers or hybrid cloud-hosted operating systems. Duo’s Trusted Access Platform offers integrated support for just about every cloud system used today in the modern enterprise. This is welcome news for CISO teams.

My general thanks to the Duo team for such a nice evening of stimulating discussion around modern access security, and my special thanks to Wendy Nather for supplying a perimeter definition that works much better than the awkward responses I’ve been providing. I suspect that her definition (hint, hint) just might find its way into a mid-term examination one of these days. So, let’s see which of my students are following me on LinkedIn . . .

Give Duo Security a call, and ask them for a briefing on what they’ve been up to these days. I think your time will be well-spent. And as always, please remember to share what you’ve learned with all the rest of us.