Security researcher and occasional SecureWorld contributor Chris Roberts had a thought-provoking post on his way to Black Hat this week.
He claims the cybersecurity perimeter defense model is dead and now a figment of our imagination. See what you think about his views:
TRUTH HURTS... Sometimes a little bluntness helps, sometimes it can be a reason for people to retreat and not listen, however, somehow the message has to be delivered and accepted. You, I, ALL of us.... we don't have a perimeter. It's not there, it's not around us, and we sure as hell don't have any control over what we think it is these days. The sooner we accept that AND realize that the battle is no longer going to simply be won or lost by a rack of static defenses the sooner we can have productive conversations around what WILL work, what IS going to help the cause AND arguably what needs to change inside our environments AND ourselves to adapt to the new reality we've been facing (or ignoring) for a while. So, as some of you line up for the doors to open on Las Vegas summer camp, and spend your time listening to folks explain how they can help protect your edge, your perimeter, your endpoints or anything else that represents a hard and fast "stopping point" of where you (and your enterprise) end... remember that's simply NOT the case. Come find me, share a single malt, bourbon or other beverage (tea works equally as well) and let's talk about this AND what can be done as we move forward... all for now, Chris.
Roberts is not the only one who feels that perimeter security defense is old school.
Russell Walker, CISO for the Mississippi Secretary of State, told the Cyber Security Hub in spring 2018, "The perimeter in the traditional sense has disappeared. The network itself is no longer a static environment we can put barriers around, have a guard at the gate and say, ‘Now we are protected.’”
Because of cloud computing and BYOD, Walker said, “you cannot provide security using a model that was designed for a much more static and enclosed environment.”
And CSO Online argued in a story this week that this change is what finally pushed Cisco to buy Duo Security:
"Cisco always understood the importance of identity management in the security stack but remained reluctant to jump into this area. Why the change of heart? Because cloud and mobile computing have all but erased the network perimeter."
So how do you view things: Is cybersecurity perimeter defense dead?
Or is this a little bit like the time Mark Twain was rumored as dead, to which he famously replied: “The reports of my death are greatly exaggerated.”
