The new security perimeter for organizations


Slowly but surely, we are experiencing a radical change in the world of networks and access security. To illustrate this in a deliberately simplified way, we are moving from a situation where an organization’s network was inside its walls and the Internet outside, to a situation where everything is based on the Internet, which is shared by all organizations’ networks. Company networks are now permanently embedded in the Internet via cloud infrastructures that extend beyond the physical boundaries of organizations. The concept of the “security perimeter” has been completely transformed, and therefore so has the way this new security perimeter is protected.

Ubiquity, the new paradigm for organizations

If the Internet becomes the network of any organization and all IT capacity becomes a cloud service, what is the new border of the organization? We are witnessing the splintering of organizations:

  • on the one hand, workforces, who are no longer necessarily “at the office”, but increasingly on the move, teleworking, or at a service provider, and connected from all types of networks (4G/5G, Wi-Fi, Internet);
  • on the other hand, workloads, which are no longer necessarily “in the datacenter” of the organization, but more and more in Cloud infrastructures or with Cloud service providers, and which are increasingly distributed among a growing number of different providers.

Thus, it seems that organizations no longer have any borders. Before, we used to think: “what is inside is safe; what is outside is dangerous”. Now, we can no longer distinguish between the inside and the outside, and organizations no longer have a security perimeter. They can no longer grant trust by default. Hence the emergence of the “philosophical” approach to security called “zero trust”: it starts from the assumption that the level of trust must be checked at each interaction. In that case, on what basis should we build the security of access to the IT tools that are essential to the proper operation of any organization?

Identity is the new security perimeter for organizations.

Networks can no longer determine the perimeter of organizations. This perimeter must now be managed at a logical level: based on “persons” and the “applications” they use, and in a more precise, granular way, both in space and time. The identity of the “person” who accesses a resource or application must be considered in its overall context: who (s)he is; what (s)he knows; where (s)he is; what equipment (s)he uses; from what network (s)he accesses; in what context (s)he acts; how (s)he behaves; not only at the moment of access but for the entire time (s)he uses the resource or application. This also involves considering the authorizations on the “applications” accessed, as precisely as possible, according to functional and temporal criteria, but also according to the context of use (for example, access to certain functions could be limited if the user is considered to be accessing the application from a “riskier context”). As we can see, identity becomes the organization’s new security perimeter: it is the person’s “identity”, in a much broader sense than just the authentication method (which only verifies that identity at a given moment), that determines the scope of what (s)he can do.
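As an added illustration (not code from the original post or from any Systancia product), the following Python snippet scores the context signals listed above and re-evaluates the access decision each time the context changes during the session; every name, signal weight and threshold in it is an assumption made for the example.

```python
from dataclasses import dataclass

# Constructed, hypothetical example of the context-aware decision described above; no real product API is used.
@dataclass
class AccessContext:
    user: str
    factors: set          # authentication factors presented ("password", "otp", "fido2")
    device_managed: bool  # is the equipment enrolled and compliant?
    network: str          # "corporate", "home" or "public"
    country: str          # where the request comes from
    usual_countries: set  # countries this user normally works from
    hour: int             # local hour of the request, 0-23
    anomaly_score: float  # behavioral analysis output, 0.0 (normal) to 1.0 (abnormal)

def risk_score(ctx: AccessContext) -> int:
    """Combine the context signals listed in the text into one risk score."""
    score = 0
    if not ctx.factors & {"otp", "fido2"}:
        score += 2  # only "what (s)he knows" was verified
    if not ctx.device_managed:
        score += 2
    score += {"corporate": 0, "home": 1, "public": 2}.get(ctx.network, 3)
    if ctx.country not in ctx.usual_countries:
        score += 2
    if ctx.hour < 6 or ctx.hour > 22:
        score += 1
    if ctx.anomaly_score > 0.7:
        score += 3
    return score

def decide(ctx: AccessContext) -> str:
    """'full' access, 'limited' (sensitive functions disabled, the 'riskier
    context' case in the text) or 'deny'. Thresholds are assumptions."""
    score = risk_score(ctx)
    if score <= 2:
        return "full"
    if score <= 5:
        return "limited"
    return "deny"

def session_decisions(ctx: AccessContext, updates: list) -> list:
    """Continuous evaluation: re-decide after every context change during the
    session, not only at login. Each update is a dict of changed fields."""
    decisions = [decide(ctx)]
    for change in updates:
        for name, value in change.items():
            setattr(ctx, name, value)
        decisions.append(decide(ctx))
    return decisions
```

Running `session_decisions` on a user who starts on the corporate network, then moves to a public network, then shows abnormal behavior, then appears from an unusual country yields full, full, limited and finally deny, which is the "check at each interaction" idea in practice.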

The “digital” era, which can be seen as the nth phase in the development of IT and which can be defined as the ubiquity of IT, has invaded all sectors and professions. Every experience (as a customer, employee, user, …) now has a digital component, and all these different experiences, which occur at any time and for any type of interaction, have a considerable impact on human perception. This digital concentration has been further amplified by the need for physical distancing and teleworking, making almost all interactions virtual. Therefore, the improvement of the workplace experience (#betterWE, “better Workplace Experience”) plays a decisive role in the “global experience” provided. This is also why security must be as seamless as possible for users in their work environment.

The best way to ensure this transparency and fluidity of experience, while improving the level of security and risk control, is to analyze the user’s behavior. You can steal a password, a code, a key, or a card; it is much harder to steal someone’s behavior. Behavioral analysis is the basis of any fraud detection, whether the fraud is identity theft or an inappropriate action. In a world where we cannot trust by default, behavioral analysis becomes the safest way to secure the user and the organization without jeopardizing productivity. It is also this behavioral analysis that can make security as transparent as possible and avoid degrading the user experience in favor of restrictive security.

If everything is cloud, the cloud must protect the cloud.

Organizations’ information systems are now split into various services and resources, some managed by the organization itself and others managed by third parties. This involves securing “inbound” access to all the services and resources operated under the responsibility of the organization, but also securing “outbound” access to all the services and resources operated elsewhere. There are two types of control: protection against increasingly strong threats, and the voluntary, explicit authorization of access, i.e. allowing access only to authorized “persons” and only to authorized “applications”. If you only have walls and a moat, no one can enter the castle in a “normal” way: you need a drawbridge to allow “standard” access. Increasingly, technological solutions are combining to cover both types of control.

Now that organizations’ information systems are distributed in this way, it has become common practice to use cloud services to secure access to them; since these information systems have become “hybrid”, with third-party cloud services and components deployed in their own datacenters, it is also natural that the cloud services securing access are “hybrid” too. In a world where everything is moving to the cloud, it is normal that the cloud secures the cloud.

The “cloud” is also an approach to information system management, moving towards what is called “hyper-automation” (or “DevOps” pushed to the extreme, or, when “security by design” is integrated into all development and operating processes, “DevSecOps”). The self-service experience of cloud services, the elasticity of the cloud (the ability of the infrastructure to adapt to the load, whether it is increasing or decreasing), the users’ need for speed or even immediacy: all this contributes to the automation of all deployment and update tasks, and to the so-called “software defined …” or “… as code” approaches. The “SASE” approach (Gartner’s term for “Secure Access Service Edge”) is nothing more than an integrated approach to network and access services management through automated deployment, with global policy (centralized) and local enforcement (decentralized). Hence the importance of APIs/CLIs to control all network and access solutions automatically.

The growing use of artificial intelligence further increases the need for hyper-automation: the quality of an AI-based solution depends on the volume of data on which it is validated. This growing volume of data processing generates a growing need for automation of the AI engineering chain. Beyond the hype, the players who are able to leverage artificial intelligence for good purposes, in depth, and responsibly, will bring innovation and differentiation to their sector.

Responsibility: a central challenge for organizations

2020, a very special year, has pushed organizations to the very limits of their business challenges: agility and productivity are being pushed “one step further” towards resilience, and legal and regulatory compliance is leading to new levels of demand in terms of organizations’ responsibility, whether economic, ecological or ethical, or even social, societal or solidarity-based. Organizations’ business continuity plans have been shaken up. Teleworking has shaken up the relationship to work. The crisis required the solidarity of each organization to the extent of its means. Many other upheavals could be mentioned and will emerge “in the world beyond”: technology will continue to play a key role in the ability of organizations to face the new challenges ahead. CIOs and CISOs have undoubtedly moved closer to the Executive Board for the long term, as IT and cybersecurity have become essential and vital assets for any organization.

It is in the wake of this analysis and this vision that Systancia intends to contribute to the provision of an ever more human and secure workplace experience. This is why we will be working with you in 2021 on these new concerns: person-centric computing (workplace and user experience; secure teleworking; transparent security for the user; identity as the new security perimeter); cloud-centric computing (the cloud as the cloud’s shield, and cloud security services; hybrid cloud by nature; new access security architectures; hyper-automation applied to security); new business challenges (from agility to resilience; from compliance to responsibility; from technology to people).