For years, security has been synonymous with the perimeter security model. This model relies on the strength of its outer defenses. That is, your corporate network is safe so long as your perimeter is impenetrable. Perimeter security typically incorporates tools like firewalls, network segmentation, and VPNs. But perimeter security’s shortcomings have become apparent as:
- Software is shipped differently now. Organizations now deploy code outside their perimeter, in public and private clouds.
- Workforce habits are changing. A majority of the global workforce now works remotely at least one day a week.
- Remote workers want an equivalent user-experience. Traditional tools for internal access like VPNs are clunky and frustrating to use.
- There are now many perimeters to secure and boundaries of the perimeter have become ephemeral and nebulous.
Most networks [have] big castle walls, hard crunchy outer shell, and soft gooey centers...
Most importantly, the model is just not as secure as we thought. Recent high-profile breaches have demonstrated how difficult it is for even large companies with sophisticated security organizations to avoid a breach. To pick just two of many breaches, consider the Target and Google hacks. In Target's case, hackers circumvented both the physical and network perimeter by hacking the HVAC system which was connected to the internal corporate network from which hackers were then able to move laterally and exfiltrate customer credit card data. In Google's case, they experienced a devastating attack at the hands of the Chinese military known as Operation Aurora. After which, Google did a bottom up review of their security posture. The resulting actions from that review would be released as a series of white papers called "BeyondCorp" which have since become foundational documents in articulating how and why an organization could move beyond corporate perimeter (BeyondCorp...get it?) based security.
In reality, there's never one front door; there are many front doors...[and] ... we're not securing a single castle. We're starting to think about securing many different interconnected castles.
The other side of the security trade-off is operational agility. Perimeter based approaches tend to focus on network segmentation which entails creating virtual or physical boundaries around services that need to communicate. Making those boundaries is increasingly difficult to manage in a world of micro-services, and cloud computing where service communication requirements are constantly in flux.
In theory, an organization could "micro/nano/pico-segment" each and every layer of an application stack to ensure appropriate access controls. However, in practice, operators are usually pulled in the direction of one of two extremes. That is, either a very precise boundary that is high-touch, time-consuming to manage, and error prone. Or that of a more lax boundary that may entail more risk but is less time consuming to update, manage and less prone to break.
Gaps in the perimeter
In summary, perimeter based security suffers from the following shortcomings:
- Perimeter security largely ignores the insider threat.
- The "impenetrable fortress" model fails in practice even for the most sophisticated of security organizations.
- Network segmentation is a time-consuming, and difficult to get exactly right mechanism for ensuring secure communication.
- Even just defining what the network perimeter is is an increasingly difficult proposition in a remote-work, BYOD, multi-cloud world. Most organizations are a heterogeneous mix of clouds, servers, devices, and organizational units.
- VPNs are often misused and exacerbate the issue by opening yet another door into your network organization.
Zero trust instead attempts to mitigate these shortcomings by adopting the following principles:
- Trust flows from identity, device-state, and context; not network location.
- Treat both internal and external networks as untrusted.
- Act like you are already breached, because you probably are.
- Every device, user, and application's communication should be authenticated, authorized, and encrypted.
- Access policy should be dynamic, and built from multiple sources.
To be clear, perimeter security is not defunct, nor is zero trust security a panacea or a single product. Many of the ideas and principles of perimeter security are still relevant and are part of a holistic, and wide-ranging security policy. After all, we still want our castles to have high walls.
The zero trust security model was first articulated by John Kindervag in 2010, and by Google in 2011 as a result of the Operation Aurora breach. What follows is a curated list of resources that covers the topic in more depth.
- NIST SP 800-207 Zero Trust Architecture
- UK National Cyber Security Centre Zero trust architecture design principles
- Q&A with the writers of NIST SP 800-207
- Zero Trust Networks by Gilman and Barth
- Forrester Build Security Into Your Network's DNA: The Zero Trust Network Architecture
- Google BeyondCorp 1 An overview: "A New Approach to Enterprise Security"
- Google BeyondCorp 2 How Google did it: "Design to Deployment at Google"
- Google BeyondCorp 3 Google's front-end infrastructure: "The Access Proxy"
- Google BeyondCorp 4 Migrating to BeyondCorp: Maintaining Productivity While Improving Security
- Google BeyondCorp 5 The human element: "The User Experience"
- Google BeyondCorp 6 Secure your endpoints: "Building a Healthy Fleet"
- Google How Google adopted BeyondCorp
- Wall Street Journal Google Moves Its Corporate Applications to the Internet
- Gitlab's Blog series and their reddit AMA
- Our blog posts:
- USENIX Enigma 2016 - NSA TAO Chief on Disrupting Nation State Hackers
- What, Why, and How of Zero Trust Networking by Armon Dadgar, Hashicorp
- O'Reilly Security 2017 NYC Beyondcorp: Beyond Fortress Security by Neal Muller, Google
- Be Ready for BeyondCorp: enterprise identity, perimeters and your application by Jason Kent