Security boundaries in the IT world are changing, porous, often imaginary lines. A security boundary is a demarcation that delineates sovereign or administrative borders that dictate who controls what. Boundary owners are supposed to protect the assets inside their domains against all other unauthorized incursions.
Security boundaries are important. Nearly every war is fought over one.
For many decades, boundaries were dictated by traditional firewalls or routers. The firewall or router owner defined, usually by IP address, the inside and outside legs -- or if they required one, a DMZ shared by both sides. All traffic traversing one side to another underwent inspection and was blocked if not allowed.
This concept of a three-legged security boundary was all most of us really needed to know for a long time, and it still forms at least the first layer for the complexities we face today.
The rise of virtual networks
That was the simple life. Then single virtual networks spread over multiple physical sites with multiple routers and firewalls. First bridged by dial-up modems and other slow point-to-point analog links, virtual networks are now made into a single network space by real-time, fast, always-on, Internet-tunneled connections.
There may be dozens to hundreds of firewalls, routers, and services involved, many of which are not under the control of the organization that owns the overall network, even though that top-tier owner is ultimately responsible for securing it.
Early software-defined networks (I’m using the phrase in the traditional sense) at higher layers of the OSI model, such as Kerberos realms and NT domains, began to proliferate decades ago. In the Microsoft Windows networking world the mantra was "the NT domain is the security boundary." As networks and Microsoft networking, in particular, matured, the mantra became "the Active Directory forest is the security boundary."
Even though these mantras were oft repeated by those in charge of securing Windows networks, they were never really, entirely true. A domain or forest might have been the Active Directory security boundary, but many attacks don’t care how you define your Active Directory permissions. Worms like SQL Slammer or the Linux Lion worm readily infected any application that contained the vulnerability meeting their exploitation requirements, regardless of which domain or forest the host belonged to.
Security boundaries are always made up of different, intermingled, often contrary layers. Every layer represented by the OSI networking model can -- and usually does -- have a different set of security boundaries. Your company’s physical boundaries are certainly different than its virtual boundaries, and a single application can cross many networks and domains. The often global, transitory nature of many networks further erodes the hardened castle walls of traditional security boundaries.
A new security model
In the early 2000s, my former work colleague, Steve Riley, was the first person I know who said it plainly: There are no true security boundaries.
Riley said the DMZ was dead and firewalls were an outdated, quaint concept. He recommended no firewalls. Protect the servers and the apps instead, he said. Although all he was saying was the obvious truth of the matter, what he said was shocking to me and others at the time.
Initially I fought the idea, but the more I thought about it, the more I realized he was right.
Most networks that supposedly have secure firewalls and routers are always a lot more porous than they are supposed to be. Every firewall I’ve ever reviewed in a real-world production environment has dozens to hundreds of exceptions to the default rules. Too many to count contain any-to-any allow rules, often incorrectly left behind by someone troubleshooting a connection or application issue, essentially killing the purpose of the firewall in the first place. Most firewalls have rules allowing remote admins to connect from anywhere to anywhere. You only need to know the port to get the wide-open tunnel to the rest of the kingdom.
Your “secure” boundary was never as secure as you thought or planned.
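The exceptions described above are easy to find once you look for them. The following audit script is an added example, not from the article or any vendor tool; it reads a constructed, simplified rule format ("action src dst proto port", not a real firewall syntax) and flags the two patterns the text names: any-to-any allows, and remote-admin ports reachable from any source. The admin port list is an assumption for this example.

```python
"""Audit a simplified firewall ruleset for over-broad allow rules.
Added example with a constructed rule format; not the article's code."""
import ipaddress

# Ports commonly used for remote administration (assumption for this example).
ADMIN_PORTS = {22, 23, 3389, 5985, 5986}

def parse_rule(line):
    """Parse 'action src dst proto port'; 'any' means unrestricted."""
    action, src, dst, proto, port = line.split()
    return {"action": action.lower(), "src": src, "dst": dst,
            "proto": proto.lower(), "port": None if port == "any" else int(port)}

def is_any(addr):
    """True if the address field places no restriction at all (any or /0)."""
    if addr.lower() == "any":
        return True
    try:
        return ipaddress.ip_network(addr, strict=False).prefixlen == 0
    except ValueError:
        return False

def audit_rules(lines):
    """Return (rule_index, finding) pairs for allow rules that are too broad."""
    findings = []
    for idx, line in enumerate(lines):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        rule = parse_rule(line)
        if rule["action"] != "allow":
            continue  # deny rules cannot open a hole
        wide_src, wide_dst = is_any(rule["src"]), is_any(rule["dst"])
        if wide_src and wide_dst and rule["port"] is None:
            findings.append((idx, "any-to-any allow: firewall is effectively open"))
        elif wide_src and rule["port"] in ADMIN_PORTS:
            findings.append((idx, f"admin port {rule['port']} reachable from any source"))
        elif wide_src and wide_dst:
            findings.append((idx, f"any-to-any on port {rule['port']}: review scope"))
    return findings

# Constructed sample ruleset in the simplified format used above.
SAMPLE_RULES = """
# action src dst proto port
allow 10.0.0.0/8 10.0.5.20 tcp 443
allow any any any any
allow 0.0.0.0/0 10.0.5.21 tcp 3389
allow any any tcp 8080
deny any any any any
""".splitlines()

if __name__ == "__main__":
    for idx, msg in audit_rules(SAMPLE_RULES):
        print(f"rule {idx}: {SAMPLE_RULES[idx].strip()} -> {msg}")
```

Run against the sample, it reports the leftover any-to-any rule, the RDP port open to the world, and the port-8080 rule for review, while the scoped 10.0.0.0/8 rule passes.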
Identity takes center stage
Last week one of my favorite co-workers and recognized security authority Mark Simos stated, “Identity is the new security boundary.”
He’s completely right. It’s never been the network or firewall. That was an illusion. If someone can log on to your network, OS, or application with any identity, then they’ve successfully passed the protecting security boundary. This is especially true of today’s multicloud, multiple-identity world.
There's no doubt in my mind that proper identity management is key to securing any environment. It used to be that we controlled what identities came into our networks and applications. It was our directory space. That’s no longer true.
Today we have to layer on top of our private namespaces all the external global namespaces and credentials that already exist, or will come to exist, on our networks and applications. I’m talking about the external single-sign-on authentication methods that are proliferating around the world now, including Facebook, Twitter, Gmail, Microsoft Accounts, Microsoft Passport, OpenID, and all the Liberty Alliance Identity Framework SAML tokens.
With a valid identity an attacker can access the network, OS, or application with all the rights and permissions of a legitimate identity holder. Sometimes obtaining an unprivileged identity is the first step to the attacker gaining a full-access identity. Other times a normal identity is all that's needed to access the required information. If you can’t stop an attacker from stealing an identity account, all your other security measures are for naught.
Identity is the new security boundary.