
Redefining Boundary Network Security: Hybrid is the Future

  

As more information moves to the cloud, the role of border security is changing: it is gradually becoming one part of a multi-dimensional network security solution.

Border defense is as old as the server itself. Say the words "border defense" and a picture naturally comes to mind: rows of oversized cabinets humming in locked rooms, with firewalls separating the machines from the outside world. But unless you work for the CIA, this scene is unlikely to be your daily experience. Instead, the data you protect is stored in the cloud and flows around the world through laptops and mobile phones, API access and email. When information is everywhere, security must also be everywhere, which makes those who still remember real servers wonder whether there is such a thing as border defense any more.

1. From boundary to authorization

The boundary is a very limited idea. In a world full of WiFi and cloud services, it has already been scattered. Things have changed, and the borders we have always relied on are no longer so reliable. In the past, IT staff could say: if you are on our network, our hard-wired physical network, there is a security protocol; if you are physically connected to our network, we can trust you.

Before the cloud era, borders were reinforced by internal defenses such as anti-virus scanning or endpoint protection tools. But times have changed, and borders alone are no longer enough: anyone who gets inside can do whatever they want. Relying on the border alone is like not using a safe because you lock the door. In that sense the best practice has not changed: it is always a good idea to post "guards".

However, the sooner we abandon the idea of borders the better, because it gives people a false sense of security. In a world where employees are distributed everywhere and work on all kinds of devices, boundaries no longer exist. Nowadays authorization, rather than the firewall, is the only way to prevent an employee from logging into the company's bank account from Las Vegas at 2:00 a.m. Authorization has always been considered an internal defense.

Whatever security measure is used to catch the login from Las Vegas, that login is obviously abnormal. For Centre College, a private college in Danville, Kentucky, USA, however, logins from London, Shanghai and Strasbourg at 2 a.m. are entirely possible. 85% of its students will have at least one study-abroad experience, and they can log on to the school's learning management system, e-mail system and campus intranet wherever they are.

2. Identity based

As at any college, Centre College's data trail starts when a high school student contacts the admissions office, runs through the four years of college study, and continues for the rest of the graduate's life. Everything from the social security numbers of current students to graduates' donation bank information therefore needs to be protected. In addition, as at any employer, employee information is also among the data to be protected.

Centre College relies more on border defense to protect its data than on following trend forecasts: a few years ago, every article said that "the border is dead, let alone the firewall". After that idea had been popular for a while, the message became "Oh, you really need to take care of the firewall. Don't ignore it." Border security has gone in and out of fashion, but firewalls, intrusion detection systems and intrusion prevention systems have never lost their place at Centre College: the enterprise resource planning (ERP) software containing personally identifiable information (PII) of employees and students is still under traditional boundary protection.

Of course, not everything is surrounded by borders, nor should it be. Take the college theater as an example. Its SaaS ticketing platform comes from a supplier with its own security measures. Student email was migrated to Microsoft Office 365 four years ago and no longer sits within the border. Then there is all the information that flows between these systems, such as the code of the college website, centre.edu.

After all, there is nothing on the website that the college really does not want to make public. The important thing there is not to prevent data leakage but to protect the website from being hacked. Finally, most of the data is protected by a hybrid system: it is hosted on physical servers that the college accesses through the cloud. These servers have physical border defenses, and internal defenses protect their connections.

The way Centre College operates is clear proof that boundaries are changing. Border and internal security are evolving into multi-layer defenses that can operate internally, in the cloud, or both. The boundary is no longer just a physical boundary; it has changed over time.

Returning to the earlier example of logging into the company's bank account from Las Vegas at 2 a.m., security measures based on login location are clearly not good enough. Security needs to be based on your identity and on what you want to do at a specific point in time.
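The contrast drawn above, between a location-based rule and a decision based on identity and requested action, is shown below as an added example that is not part of the original article. The roles, resource names, sensitivity tiers, expected locations and decision outcomes are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# All names and values below are constructed for illustration (assumptions).
EXPECTED_LOCATIONS = {"Danville"}
SENSITIVITY = {"lms": 1, "email": 1, "erp_pii": 3, "bank_account": 3}
ROLE_GRANTS = {
    "student": {"lms", "email"},
    "finance_staff": {"lms", "email", "erp_pii", "bank_account"},
}

@dataclass
class Request:
    role: str
    resource: str
    location: str
    hour: int             # 0-23, organisation's local time
    mfa: bool             # identity proven with a second factor
    managed_device: bool

def off_hours(hour):
    return hour < 6 or hour >= 22

def location_rule(req):
    """Border-style check: only where and when the login happens matters."""
    unexpected = req.location not in EXPECTED_LOCATIONS
    return "deny" if unexpected and off_hours(req.hour) else "allow"

def context_decision(req):
    """Identity first, then the requested resource, then the context."""
    if req.resource not in ROLE_GRANTS.get(req.role, set()):
        return "deny"       # this identity is never entitled to the resource
    if not req.mfa:
        return "step_up"    # ask for stronger proof of identity first
    unusual = req.location not in EXPECTED_LOCATIONS or off_hours(req.hour)
    if SENSITIVITY[req.resource] >= 3 and unusual and not req.managed_device:
        return "deny"       # sensitive action, odd context, untrusted device
    return "allow"

SAMPLES = {  # constructed requests
    "student abroad, LMS, 2 a.m.": Request("student", "lms", "Shanghai", 2, True, False),
    "bank account, Las Vegas, 2 a.m.": Request("finance_staff", "bank_account", "Las Vegas", 2, True, False),
    "student on campus, ERP PII": Request("student", "erp_pii", "Danville", 14, True, True),
    "finance on campus, daytime": Request("finance_staff", "bank_account", "Danville", 10, True, True),
}

def compare():
    """Return {sample name: (location_rule result, context_decision result)}."""
    return {name: (location_rule(r), context_decision(r)) for name, r in SAMPLES.items()}
```

The location rule wrongly blocks the student studying abroad and wrongly admits the on-campus student asking for ERP data; the identity-based decision gets both right while still refusing the 2 a.m. bank login.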

3. The boundary still exists, but it is more hierarchical

The future of security therefore lies neither in the border nor in the interior, but in multi-layered defense. No single solution can cover everything; instead there are many different levels of permissions, which will change over time.

Where the original border defense stood for "what passes through must be benign", defense in depth can handle different use cases and effectively create "safe zones", much like an airport. The point is not that the boundary blocks outsiders and the internal defense deals with trouble after entry, but that data and permissions are evaluated at a higher and more detailed level.

Centre College has deliberately slowed its transition to this new reality, and the IT department expects it to take 10 to 12 years. They are not at the forefront of emerging technologies, and they are glad not to be in that "edge" position. The school's security approach also reflects its own philosophy: not only to buy time to secure budget internally, but also to make the decisions that are best for the school.

The boundaries do exist, but they have changed and become more hierarchical.

No matter where you work, and no matter how advanced the environment is, many organizations find that migrating their security methods amounts to putting information back within a boundary. Whether you are Ford Motor Company or a small organization like Centre College, you must consider what really matters to the organization's mission when making decisions.