The Shrinking Security Model: Micro-perimeters
Blog Article Published: 03/20/2013
By Ed King, VP Product Marketing – Emerging Technologies, Axway (following acquisition of Vordel)

As Cloud and mobile computing make enterprise IT ever more extended, the traditional security model of keeping the bad guys out and allowing only the good guys in no longer works well. While the reach of the enterprise has expanded, the security perimeter may actually have to shrink to around the smallest entities such as the application and the dataset. A truly scalable security model for this world of BYOx (fill in device, application, identity) seems to be one based on massively scalable micro-perimeters. What is big is now small and what is small is now big.
Micro-perimeter #1: Applications

Application security has long been secondary to network security. In the old days, since most business applications were only accessible on the corporate network via a browser or fat client, applications only needed rudimentary authentication and authorization capabilities. However, now with the pervasiveness of Cloud-based services and mobile access, the network perimeter has effectively evaporated and application security has become a front-and-center issue. By shrinking the security perimeter to each individual application, enterprise IT can control a user’s access to the application from anywhere and any device, without having to rely on a cumbersome VPN connection. For applications in the Cloud, Cloud service providers already provide basic network security such as firewalling. Application security, however, is the responsibility of the enterprise. Any access control that was previously implemented at the network level needs to move to the application level. Setting up a micro-perimeter around applications involves:
- Authentication and single sign-on - This can mean strong and multi-factor authentication if a higher level of assurance is required. If the application is being used by third-party users, a federated scheme is highly recommended.
- Authorization - This typically means a role- or attribute-based scheme. More advanced authorization schemes can involve fine-grained entitlement management, as well as risk-based schemes. If federated access is required, definitely consider OAuth, which has become the de facto federated authorization scheme of today.
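The authorization side of an application micro-perimeter is easiest to see in code. The following is an added example, not code from the article or from Axway/Vordel: a small policy decision point that combines a role check with attribute conditions (department match, step-up to MFA for high-sensitivity data, and read-only access for federated third-party identities). The roles, attribute names, and the policy itself are constructed for illustration, and the decision defaults to deny.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Tuple


@dataclass
class Subject:
    user_id: str
    roles: FrozenSet[str]
    attributes: Dict[str, object]   # e.g. department, auth_level (1 = password, 2 = MFA)
    federated: bool = False         # True when a partner identity provider asserted the identity


@dataclass
class Request:
    action: str                     # "read" or "write"
    resource: str                   # e.g. "payroll:record:42" (constructed naming)
    attributes: Dict[str, object]   # resource attributes such as owner_dept, sensitivity


@dataclass
class Rule:
    name: str
    roles: FrozenSet[str]           # subject needs at least one of these (the role-based part)
    actions: FrozenSet[str]
    condition: Callable[[Subject, Request], bool]  # attribute checks (the attribute-based part)


def same_department(s: Subject, r: Request) -> bool:
    return s.attributes.get("department") == r.attributes.get("owner_dept")


def step_up_for_high_sensitivity(s: Subject, r: Request) -> bool:
    # High-sensitivity data requires a higher level of assurance (MFA => auth_level 2).
    if r.attributes.get("sensitivity") == "high":
        return int(s.attributes.get("auth_level", 0)) >= 2
    return True


def federated_read_only(s: Subject, r: Request) -> bool:
    # Identities asserted by a partner IdP may read but never write.
    return not (s.federated and r.action != "read")


# Constructed sample policy: HR staff work on their own department's records,
# auditors may read anything, and both are subject to the MFA step-up.
POLICY = [
    Rule("hr-staff-own-dept", frozenset({"hr_staff"}), frozenset({"read", "write"}),
         lambda s, r: same_department(s, r)
         and step_up_for_high_sensitivity(s, r)
         and federated_read_only(s, r)),
    Rule("auditor-read-all", frozenset({"auditor"}), frozenset({"read"}),
         step_up_for_high_sensitivity),
]


def decide(subject: Subject, request: Request, policy=POLICY) -> Tuple[bool, str]:
    """Default deny: permit only when a rule's roles, actions and condition all match."""
    for rule in policy:
        if rule.roles and not (rule.roles & subject.roles):
            continue
        if request.action not in rule.actions:
            continue
        if rule.condition(subject, request):
            return True, rule.name
    return False, "no matching rule (default deny)"


if __name__ == "__main__":
    alice = Subject("alice", frozenset({"hr_staff"}), {"department": "finance", "auth_level": 2})
    rec = Request("write", "payroll:record:42", {"owner_dept": "finance", "sensitivity": "high"})
    print(decide(alice, rec))
```

The point of separating `roles` from `condition` is that the same rule set answers both the coarse question (does this role ever get this action?) and the contextual one (is this user strongly enough authenticated for this particular record?), which is what moving access control from the network layer into the application requires.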
Micro-perimeter #2: APIs

How we use applications has changed since Apple introduced the iPhone and the App Store. We no longer use a small number of large, complex applications (think Excel, Word), but a large number of small, purpose-built applications. How many applications do you have on your smartphone? This same trend is true for Cloud applications. Instead of large ERP platforms such as SAP and Oracle, enterprises are now favoring smaller, best-of-breed applications such as Salesforce and Workday. In addition, the modern application user experience is cross-modal: users use a number of applications on different platforms to complete tasks within the same business process. This new breed of applications uses web APIs to enable integration and support multiple user engagement applications on mobile and Cloud. The API has become the common access point given the proliferation of applications and endpoints. Setting up a micro-perimeter around APIs involves three aspects of protection:
- Interface security to ensure transport level security and blocking of attacks such as SQL injection and cross-site scripting
- Access control to ensure only the right user, device and applications are allowed to access the APIs, along with integration to enterprise identity and access management platforms
- Data security to monitor all data passing through the API, including header, message body, and any attachment, for sensitive data, then perform real-time redaction
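The three aspects above map naturally onto a small enforcement pipeline in front of an API. The following is an added example, not code from the article or from any Axway/Vordel product: interface checks (TLS required, two illustrative injection signatures), access checks (registered client application, enrolled device, token scope) and data security (scanning headers, body and attachments for payment card numbers validated with the Luhn check, then redacting them in place). The client registry, scope table, request shape and signatures are all constructed for the example; a real gateway would draw these from the enterprise IAM platform and a maintained rule set.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Tuple


@dataclass
class ApiRequest:
    scheme: str                                   # "https" expected
    path: str
    headers: Dict[str, str]
    body: str
    attachments: Dict[str, str] = field(default_factory=dict)  # name -> text content
    client_id: str = ""                           # calling application
    device_id: str = ""                           # calling device
    scopes: FrozenSet[str] = frozenset()          # scopes carried by the user's token


# Constructed registry standing in for the integration with enterprise IAM.
REGISTERED_CLIENTS = {"mobile-app-v2": {"enrolled_devices": {"dev-001", "dev-002"}}}
REQUIRED_SCOPE = {"/v1/orders": "orders:read"}

# Illustrative signatures for the two attack classes the article names; a production
# gateway uses a maintained rule set rather than two regular expressions.
INJECTION_PATTERNS = {
    "sql-injection": re.compile(r"(?i)\bunion\b\s+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+"),
    "cross-site-scripting": re.compile(r"(?i)<\s*script\b"),
}


def check_interface(req: ApiRequest):
    """Aspect 1: transport security and attack blocking. Returns a reason or None."""
    if req.scheme != "https":
        return "transport: request did not arrive over TLS"
    for name, pat in INJECTION_PATTERNS.items():
        for text in [req.path, req.body, *req.headers.values(), *req.attachments.values()]:
            if pat.search(text):
                return f"blocked: payload matches {name} signature"
    return None


def check_access(req: ApiRequest):
    """Aspect 2: only the right application, device and user (via token scope)."""
    client = REGISTERED_CLIENTS.get(req.client_id)
    if client is None:
        return "access: unregistered client application"
    if req.device_id not in client["enrolled_devices"]:
        return "access: device not enrolled"
    needed = REQUIRED_SCOPE.get(req.path)
    if needed is None or needed not in req.scopes:
        return "access: token lacks required scope"
    return None


# Aspect 3: sensitive-data detection and real-time redaction (card numbers here).
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")   # 13 to 16 digits, optional separators


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                             # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(text: str) -> str:
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return "[REDACTED-PAN]" if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(repl, text)


def enforce(req: ApiRequest) -> Tuple[int, object]:
    """Run all three aspects; (status, reason) on rejection, (200, sanitized request) otherwise."""
    reason = check_interface(req)
    if reason:
        return 400, reason
    reason = check_access(req)
    if reason:
        return 403, reason
    clean = ApiRequest(req.scheme, req.path,
                       {k: redact(v) for k, v in req.headers.items()},
                       redact(req.body),
                       {k: redact(v) for k, v in req.attachments.items()},
                       req.client_id, req.device_id, req.scopes)
    return 200, clean
```

Order matters: the cheap interface checks run before any identity lookup, and redaction runs last so that a message rejected for access reasons is never partially processed. Validating a digit run with Luhn before redacting keeps order numbers and other 16-digit identifiers from being blanked out.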
Micro-perimeter #3: Devices

Mobile devices are more easily compromised than servers and desktop computers, and thus have a much bigger attack surface. In addition to the typical endpoint security vulnerabilities such as malware and operating system exploits, a lost or stolen device gives attackers physical access to the device, which opens up additional exploit options at the hardware, firmware, operating system and application levels. Beyond physical security, the widespread use of application stores creates opportunities for malware to be downloaded freely and spread quickly. Deploying a micro-perimeter around the mobile device has been a hot security field in recent years. Various solutions, ranging from MDM (mobile device management) and mobile virtual machines and containers to application signing, are available. Look for technologies that can:
- Validate application authenticity and integrity
- Secure operating system and applications from malware and viruses
- Detect and block suspicious/unauthorized cross-application activities
- Secure keys and identities on the device
- Secure communication and prevent man-in-the-middle exploits
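The first item in that list, validating application authenticity and integrity, comes down to a signed manifest of file hashes that is checked before an application is trusted. The following is an added example, not code from the article or from any MDM or application-signing product: the publisher builds a manifest of SHA-256 digests and authenticates it, and the device verifies the manifest first (authenticity) and then every file against it (integrity), reporting modified, missing and unexpected files. To stay within the standard library the manifest is authenticated with an HMAC under a constructed key; real stores and signing schemes use an asymmetric signature with the private key held by the publisher, which is an assumption this example does not reproduce.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed demo key. Stands in for the publisher's signing key; in a real
# scheme the device would hold only the publisher's public key.
PUBLISHER_KEY = b"constructed-demo-key-not-a-real-secret"


def _canonical(entries: Dict[str, str]) -> bytes:
    # Deterministic encoding so publisher and device authenticate identical bytes.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: Dict[str, bytes]) -> dict:
    """Publisher side: digest every file, then authenticate the listing."""
    entries = {path: hashlib.sha256(data).hexdigest() for path, data in sorted(files.items())}
    tag = hmac.new(PUBLISHER_KEY, _canonical(entries), hashlib.sha256).hexdigest()
    return {"files": entries, "signature": tag}


def verify_package(manifest: dict, files: Dict[str, bytes]) -> Tuple[bool, List[str]]:
    """Device side: check authenticity of the manifest, then integrity of each file."""
    expected = hmac.new(PUBLISHER_KEY, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("signature", "")):
        # Without a valid signature the per-file digests cannot be trusted at all.
        return False, ["manifest signature invalid: not from the expected publisher"]
    problems: List[str] = []
    for path, digest in manifest["files"].items():
        if path not in files:
            problems.append(f"missing file: {path}")
        elif hashlib.sha256(files[path]).hexdigest() != digest:
            problems.append(f"modified file: {path}")
    for path in files:
        if path not in manifest["files"]:
            # Files the publisher never listed are exactly what a repackaged app adds.
            problems.append(f"unexpected file not covered by manifest: {path}")
    return not problems, problems


if __name__ == "__main__":
    # Constructed sample package contents.
    package = {"app/main.bin": b"\x7fELF demo", "app/config.json": b'{"server": "api.example.test"}'}
    manifest = build_manifest(package)
    print(verify_package(manifest, package))
```

Checking in both directions (every listed file present and unchanged, and no file present that is unlisted) is what catches a repackaged application that keeps the original binaries intact but drops in an extra library.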