For millennia, people relied on fortresses to protect themselves and their valuables, allowing only trusted people in. This all-in-one protection method used “defense in depth” with walls, moats, guards, and a castle keep that contained the crown jewels. Over time, we realized this wasn’t scalable or efficient. So we expanded to cities, where everyone was free to mingle and roam around and trustworthiness was hard to easily verify. People started to put protections closer to the valuables, like putting money in a vault inside a bank that was freely accessible to all. And of course, we watched the vault. This analogy can be used to describe the IT enterprise security approach until very recently.
This meant that initially one could only access corporate resources when on the corporate network. About 10 years ago someone coined the term “deperimeterization of the network,” meaning folks did not always have to be “inside” to access data and services (valuables); they could also access services outside, and remotely access internal resources. We accepted this evolution, and we’d manifest this deperimeterization concept by using a VPN from anywhere to get to the corporate network to access email, share files, and log into applications. So we didn’t remove the perimeter, we just extended it, and still only allowed trusted people in, and out.
Today we’ve stepped out even further. With the expansion of mobile devices and cloud services, there really isn’t any reason for some users to access the enterprise network anymore to do their job. Mail is hosted, applications are hosted, credentials are federated or inherited, and one can even share data stores without anyone needing to access the “corporate” network. We’re out of the castle and into the city. But what we haven’t done is update our security approach. How will guards, dogs, and gates on the castle protect the people in the city? We need to have protections on the mobile devices themselves, visibility into their activity, and a process to alert, respond, and remediate when things go wrong, before they can cause the “kingdom” harm. This is the gap I’ve seen with the modern enterprise: we can’t expect the security processes and technology of yesterday to provide protection in this new business paradigm of today. There are plenty of ways to do this, but as I always said, people, especially companies (companies are people now, remember?), are resistant to change. We need to get over that and evolve, as we did when we moved out of the castle and realized we could still be safe.
– Rick Doten, DMI Chief Information Security Officer (CISO)