Is Network Perimeter Security Still an Effective Control for Data Security?
There is a predictable pattern behind most of the malicious data breaches that happen today. Hackers bypass the business’ first line of defense – its network perimeter security – and then proceed to harvest as much data as possible before they’re caught. Stolen usernames and passwords are the facilitator, and a lack of visibility and control on the inside are the reason that the attack continues undetected.
So, how have the world’s IT security professionals responded to this explosion in breaches predicated on compromised user accounts? If the results of a recent survey are anything to go by, it looks like they’ve decided to bury their heads in the sand.
The research, carried out by research firm Vanson Bourne and SafeNet and published in Risk Management, found that almost three-quarters (74 percent) of IT decision-makers still feel perimeter security is effective at keeping hackers at bay. As a result, it’s where much of their spending ends up – almost all of them (93 percent) said that they had either increased or maintained the same level of investment in this area for the past half-decade.
Yet there was an implicit acknowledgement that those perimeter defenses weren’t quite effective enough with some 60 percent of IT decision-makers not confident that their data would be secure if unauthorized users were to penetrate their networks. More alarmingly, 41 percent admitted outright that a breach of the perimeter would be within the realms of possibility.
By extrapolation, a sizeable proportion of the IT security community believes that perimeter security defenses are effective and therefore more worthy of investment than anything else, but also that compromises are practically inevitable and will probably result in data falling into the wrong hands. Surely this disconnect can’t last?
Forget perimeter security – protect the data itself
The respondents in the survey were, of course, right to doubt that perimeter security defenses can keep out unauthorized users 100 percent of the time. The susceptibility to theft of usernames and passwords is well documented – a recent study by McAfee found that 80 percent of business email users are unable to detect phishing scams. Once in possession of such credentials, it’s trivial for hackers to penetrate through to the inside of a network.
What’s more, shoring up those perimeter security defenses isn’t just a poor safeguard – it’s also an increasingly costly and impractical endeavor. Both IT resources and workforces are gradually becoming more geographically distributed and fragmented, with infrastructure split across public and private clouds, and employees requesting access from any location and any device; it’s questionable that there’s even still such thing as a network perimeter security, so defending one is far from simple.
Given the current cyber security climate, which has seen dozens of North America’s biggest businesses drop like flies to devastating data breaches, it’s clear that some IT decision-makers – like those who seemed to hold conflicting opinions in the Vanson Bourne survey – are steering their organizations toward disaster. To avoid this, organizations need urgently to alter their tactics and protect the data itself, not the perimeter.
So how should we think about security today? What’s needed is a new model – a model that understands contextual information such as where is the user, what device is he/she using to connect, at what time of day? This data needs to be incorporated into context-specific access rules and authorization checks and used to limit access to resources based on these contextual parameters to better protect from threats both inside and outside the perimeter. We also need to extend our security posture into the line-of-business application itself, and ultimately to the content stored within.
Learn more about context aware, dynamic access solutions to better protect against today’s threat landscape.