Why traditional network perimeter security no longer protects
Greek philosopher Heraclitus said that the only constant in life is change. This philosophy holds true for securing enterprise network resources. Network security has been and is constantly evolving, often spurred by watershed events such as the 2017 NotPetya ransomware attack that crashed thousands of computers across the globe with a single piece of code. These events prompt changes in network architectures and the philosophies that underlie them.
The internet initially lacked security because there were bigger problems to solve at the time of its creation. Internet pioneer Dan Lynch remembers that time because he led the ARPANET team that made the transition from the original NCP protocols to the current TCP/IP-based protocols. “When we were first starting to test the first internet, we looked at security and thought that it would be too difficult to include at this phase because we were just trying to get it to work at all,” he said. “Once we got it working, we could add security then. Bad choice, eh? We never looked back until it was too late.”
For decades, network security philosophy focused on securing the inside from threat actors on the outside, which was the same philosophy the Romans relied on to protect their frontier. Defining perimeters made sense in the early days of network security and aligned with the basic principle of defense-in-depth — protect internal resources from external forces. It worked because employees were office-bound, and the office walls defined the perimeter that protected the resources they were trusted to access.
Step outside, and employees became intruders if they tried to access those very same resources. While traditional perimeter security was clunky, by and large it worked, despite chokepoints that became flypaper for middleware appliances, which used largely static security policies.
But security best practices and go-to devices eventually fall out of favor or become obsolete, as next-generation practices and technologies rise to replace them — until a pivotal crisis occurs. In these times, the driver for change has been a non-digital virus: COVID-19.
The new VPN workplace
The global pandemic has forced a seismic shift in how and where work gets done, and for now it’s unclear when workers will be able to return to the office. According to a recent Gartner survey, 317 CFOs and finance leaders don’t think that it will be anytime soon. 74 percent also expect teleworking to outlive the pandemic and plan to move at least 5 percent of their previously on-site workforce to permanently remote positions after the pandemic ends.
For decades, organizations have relied on VPNs to provide employees the ability to perform their jobs securely while out of the office, but VPN budgets have generally supported about one-third of workers using VPN services at any one time.
In mid-March, VPN providers reported that traffic soared over 40 percent worldwide, peaking at 65 percent in the United States, days before the signing of the $2 trillion stimulus package. Some enterprises conducted stress tests on their networks (i.e., bandwidth capacity, VPN stability) before allowing the majority of their employees to work from home. Others scrambled to implement VPNs or buy more licenses. In a study conducted by OpenVPN, 68 percent of employees from 300 different U.S. companies claimed that their company expanded VPN usage in response to Covid-19, and 29 percent of employees became first-time users.
While VPNs are relatively quick and less expensive to implement than a network architecture reboot, VPNs are not a panacea. The encrypted VPN communications and data tunnel still adhere to the basic premise that there is a protected perimeter a remote user needs to tunnel through to gain local access privileges to enterprise resources. VPNs also don’t prevent lateral movement or eliminate insider threats.
CISOs worry that IT personnel might cut corners when implementing VPNs, ignoring crucial security policies. They also worry about security analysts becoming fatigued by an increasing number of alerts, many of them false positives. Like the harp that woke up the sleeping giant in Jack and the Beanstalk, the sharp rise in VPN traffic has roused advanced persistent threat (APT) groups to curate new payloads and exploit existing vulnerabilities.
A UK security bulletin issued in January, for example, alerted companies to hackers exploiting a critical vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway. Researchers also found a rise in scans looking for vulnerable Citrix devices. CISA issued an alert in March that encouraged enterprises to adopt a heightened awareness about VPN vulnerabilities and recommended multi-factor authentication and alerting employees of phishing scams that steal VPN credentials.
The re-emergence of zero trust
Reality demands that enterprises rethink perimeter security because employees and their laptops and smartphones and other devices are now literally all over the place, shifting the network perimeter to wherever a user is located. The network security paradigm that is designed to meet the dynamics of a mobile workforce is a perimeter-less network, or zero trust architecture (ZTA). At a high level, ZTA is less about network topology and physical location and more about strategy and guiding principles. The underlying philosophy is to replace the assumption of trust with the assumption of mistrust: everyone can be a threat and the network is always under attack.
To prevent or limit breaches, implied trust shrinks down to the level of data — not users, enterprise devices (assets) and infrastructure (though ZT tenets can be used to protect all enterprise assets). The “trust but verify” proverb that is synonymous with perimeter security becomes “never trust, verify and trust, then re-verify and keep re-verifying until zero trust is achieved”.
ZTA seems like a logical progression from perimeter security, just as smartphones became a logical progression of the landline. As is true with the adoption of any new technology, the story is as much about components and peripherals as it is about the psychosocial constructs behind the design principles. To psychoanalyze ZTA is to understand the root of trust. To trust is human and develops at infancy, so when humans first designed network security, it made sense that they would draw on relationships of trust to create a perimeter that created a big zone where everyone and everything were trusted and had access to each other. Beating cybercrime and working in an interconnected world, however, calls for a paradigm of mistrust. ZTA characterizes mistrust as a positive quality that makes computer sense in the global landscape of machine learning.
The notion of zero trust has undulated within the security community since the Jericho Forum published its vision on the topic in 2005. After more than 2,500 cyberattacks hit NATO in 2012, the U.S. federal government urged federal agencies to adopt the zero-trust model. In 2015, the government sounded the alarm again after the largest data breach of federal employee data.
Who listened? Enterprises seeking more flexible solutions than VPNs or more precise access and session control for on-premises and cloud applications.
Before the pandemic, interest in ZTA was piqued. It has now gained fresh momentum, especially since the technology to support it is becoming mainstream. The PulseSecure 2020 Zero Trust Progress Report found that, by the end of the year, almost 75 percent of enterprises plan to implement ZTA, but nearly half of security professionals said they lacked the expertise and confidence to implement it.
Guidance to help enterprises transition and implement ZTA is coming from the private and public sectors. Startups (i.e., Breach View, Obsidian Security, HyperCube) are capitalizing on the trend to offer zero-trust-related services. On the public front, NIST published in February the second draft of special publication 800-207, Zero Trust Architecture. The following month, the National Cybersecurity Center of Excellence, which is part of NIST, mapped ZTA to the NIST Cybersecurity Framework and offered implementation approaches. Despite the guidance, ZTA is unlikely to find full-scale adoption because the principles of perimeter security may still be relevant for some enterprises.
Figure 1. ZTA High-level Architecture. Adapted from NIST (2020). Special Publication 800-207, Zero Trust Architecture
How it works
Identity and asset management, application authentication, network segmentation and threat intelligence are the main components and capabilities ZTA relies on. Figure 1 shows the core architecture — the policy engine and policy administrator, which collectively create the policy enforcement point. The policy engine runs the security policies, which leverage behavioral analytics to make them dynamic, and the policy administrator executes the decisions made by the policy engine to either grant, deny or revoke a request to access data. With ZTA, no packet is trusted without cryptographic signatures, and policy is constructed using software and user identity rather than IP addresses.
Another way to express the relationship between the policy engine and administrator is that a user communicates information (i.e., time/date, geolocation and device posture) to the policy engine, which calculates a risk score and communicates risk (i.e., the decision) to the policy administrator on how to handle the request. The decision made by the policy engine is described as information-trustworthiness.
To implement ZTA, a “protect surface” is identified. The protect surface is composed of a network’s most critical and valuable data, assets, applications and services, or DAAS for short. Single-point barriers (i.e., micro-segmentation) are erected around trust zones for each piece of data. The trust zones create multiple junctions and inspection points to block unauthorized access and lateral movement. Think of the zones as airline boarding areas — only cleared passengers with a boarding pass are granted access to the desired resource (i.e., airplane). Similarly, ZT security policies authenticate and authorize users as they get closer to a requested DAAS resource.
ZTA has its shortcomings. Although it’s designed to limit and prevent breaches, NIST says in its draft ZTA publication that it is not immune to them. Insider threats loom in ZTA as they do with perimeter security. Any enterprise administrator with configuration access to the policy engine or administrator might change the security rules. To mitigate the risk, configuration changes must be logged and subject to audit.
ZTAs are also prone to denial-of-service (DoS) attacks or route hijacks if a hacker disrupted access to the policy enforcement point (PEP). PEP in the cloud or replicating it across several locations mitigates the risk, but if a cloud provider accidentally took the PEP offline or if botnets hit the cloud provider, the experience would be the same — a disruption of service.
But the biggest threat is the one that remains a leading concern for every organization, and that is phishing scams. Verizon’s 2019 Data Breach Investigations Report showed that phishing continues to be the most popular approach for gaining access to systems (followed by stolen credentials). U.S. organizations were the No. 1 phishing target, accounting for 84 percent of total phishing volume, according to a 2019 PhishLabs report.
But the most ghastly statistic is the 667 percent spike in the number of Covid-19-related spear phishing attacks since the end of February. Despite security and awareness training and compensating controls, efforts to patch the last line of defense — users — remains a challenge and is likely to remain that way because the most popular reason to explain the behavior is also the oldest one. Put simply, to err is human.