Networking, Cloud Security, Zero trust

Infinite perimeter: How modern consolidated security protects the cloud

Share
A set of Mandelbrot fractals, each with an infinitely recursive perimeter.

Despite the widespread adoption of cloud computing and remote work, and the steady rollout of zero-trust networking, the perimeter is far from dead. Rather, it has been redefined. Like the border of a mathematical fractal shape, the modern network perimeter now extends everywhere, infinitely.

Unfortunately, legacy tools don't work terribly well with the modern infinite perimeter. The modern perimeter needs modern security tools like a cloud access security broker (CASB) and decentralized network architectures like secure access service edge (SASE).

"Anywhere you can access data, anywhere you can send data to, anywhere you host data or save data, that's where you have to make sure that you have a way to reach or protect that particular asset," explains Aviv Abramovich, Head of Security Services Product Management at Check Point.

One way to efficiently get what you need to secure and manage the infinite perimeter is to implement a consolidated security platform. It bundles together modern networking and security technologies into a complete package, saving you the complicated and tedious task of aligning disparate tools from multiple vendors.

The savings in cost, time and training gained by implementing a consolidated security platform will put your organization on a fast track toward modernizing its systems.

How the perimeter went global

A decade or two ago, the perimeter was where the company network's wires and Wi-Fi signals ended. There were tunnels in via remote-access VPNs or database calls from web servers, but those were, at least in theory, well-guarded.

"All you needed was the edge perimeter firewall, and that was your network security because everything was just a flat network," says Julian Mihai, CISO at Penn Medicine in Philadelphia.

Then came cloud computing, followed by the explosion of remote work that accompanied the COVID-19 pandemic.

Now the old ways are not enough. Remote workers use their own personal computers to connect to the company network from anywhere in the world, bringing the risk of malware intrusions and data theft.

Security personnel must relinquish total control of assets that have been moved to the cloud, placing their trust in cloud service providers who promise robust protections as long as the assets fall into the CSPs' fuzzily defined areas of responsibility.

"Everything in the cloud is shared responsibility," said one security professional who responded to a recent CyberRisk Alliance survey. "We have to understand how the security works and what is our responsibility."

More and more complex

Meanwhile, the speed and ease of setting up new cloud instances lead to a morass of misconfigurations and poorly secured data buckets. When any IT staffer can spin up a cloud instance, it exacerbates the existing shadow-IT problem.

"The thing that really makes me lose sleep at night is the misconfiguration," said another respondent to a CRA survey. "We're not mature enough to be able to easily see what's not set up properly."

Cloud instances may be inherently easier to attack, and more difficult to defend, than on-prem networks. All an attacker needs is a stolen set of admin credentials, while defenders lose their home-field advantage when they move from defending the LAN to defending cloud assets on a CSP's infrastructure.

The network itself is no longer static, but dynamic. Endpoint devices log on and off around the clock and frequently change locations. Cloud instances pop in and out of existence, while others are never wound down and quietly stay online, forgotten. Data is scattered over an array of servers, few of which your organization may control.

Naturally, the complexity of cloud computing and remote work have made it much tougher to protect the network and the devices and staffers who use it.

"You're solving a problem that's 10 times more complicated than you were trying to solve only a few years ago," says Dave Gronner, Product Marketing Manager at Check Point.

How consolidated security platforms protect the infinite perimeter

Fortunately, network security and network architecture have caught up to these new demands, offering several ways that organizations can tackle the infinite perimeter.

A plethora of "cloud native" security tools has been developed. Cloud security posture management (CSPM) checks and monitors cloud instances and assets for misconfigurations and policy violations.

Cloud workload protection platforms (CWPP) do the same for malware, vulnerabilities and other threats, while the cloud access security broker (CASB) checks the behavior and controls the access of cloud users. A cloud-native application protection platform (CNAPP) ties together many of these tools.

These tools not only work on the cloud, but they are also themselves in the cloud, matching the flexibility and, well, boundless perimeter of the assets they protect.

"A cloud environment is a lot more dynamic. You click a button, you have 10 new servers, so you need your security to also be very dynamic and adjust to it," says Check Point's Abramovich. "Network security can read information, if you will, from the cloud and automatically and dynamically adapt the policy and the access to the changes in the cloud."

Bringing the network to the people

But while routing data and network traffic to and from the cloud through on-premises access points may work well from the company offices, it's not such a smooth process if many employees are working remotely. It doesn't make sense to send data from those employees to the central office via VPN, then hairpin it back out to the cloud. That would just create congestion and delays.

Hence the secure access service edge (SASE) model, which brings the network closer to remote users through a software-defined wide access network (SD-WAN) and geographically distributed points of presence (PoPs), edge servers that provider user access, enforce security policies and securely deliver data.

Secure web gateways (SWGs) monitor and filter traffic, detect malware and thwart data loss; software-defined firewalls-as-a-service (FWaaS) protect the entire virtual network much as a hardware firewall would protect an on-prem network.

Tying together SASE and the cloud-native security tools is zero-trust network access (ZTNA), a software component of the larger zero-trust model that grants no user implicit access based on location or device but challenges each user to continually verify their identity.

"A modern unified platform needs to be built around the zero-trust concept," says Abramovich. "Fewer privileges, always verify, continuous verification and awareness and visibility — if you don't have these specific capabilities, your platform will be missing some really important components and capabilities."

ZTNA uses identity-defined policies to give each user or device access only to specific assets, network areas and applications, differing from a VPN that gives access to the entire local network.

Putting it all together

All of these networking and security tools can be acquired individually, and most organizations cobble together SASE and cloud-native protections using products from various vendors. But while you can obtain an off-the-shelf ZTNA tool, you'll have a hard time finding a vendor that offers a full off-the-shelf zero-trust implementation.

However, getting all these different tools to work together can be expensive, time-consuming and taxing on security staffers who must be trained in a dozen different interfaces and tools.

To save effort, time and money, many organizations are turning to consolidated security platforms that offer some or most of the cloud-native and SASE components.

These platforms may also offer basic cybersecurity features like endpoint protection, identity and access management (IAM), and network monitoring, as well as more sophisticated tools like extended detection and response (XDR) and security orchestration and response (SOAR) systems. Many include AI-powered functions to assist with configuration, detection and analysis.

While no consolidated security platform offers everything an organization might need to manage and protect the modern globally distributed network, the reduction in vendors should result in lower costs, less training time and fewer configuration and patching headaches.

"If it's from a single vendor, then you're actually improving your efficiency, because there are a lot fewer skills that you need in your security team to manage all these different [tools]," says Abramovich.

Through more efficient data sharing among tools, a consolidated security platform should also provide tighter security integration as well as greater visibility into your systems, whether in the cloud or on-prem, letting you see all the way out to the edge of the infinite perimeter.

Infinite perimeter: How modern consolidated security protects the cloud

A consolidated security platform that bundles together distributed networking and cloud-native security tools can cut costs and speed implementation as you modernize your systems.

Paul Wagenseil

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.