Forget the network perimeter, say security vendors


Google’s 'BeyondCorp' network security model is starting to influence security offerings

What if all your company’s computers and applications were connected directly to the Internet? That was the assumption behind BeyondCorp, a new model for network security that Google proposed back in 2014, and it’s one that’s starting to get some attention from networking and security vendors.

Enterprises have moved beyond the traditional workspace in recent years, allowing employees to work remotely by using their personal devices and accessing apps in private or public clouds. To bring roaming workers back into the fold, under the security blanket of their local networks, companies rely on VPNs and endpoint software to enforce network access controls.

Google's BeyondCorp approach to enterprise security takes the focus away from the network perimeter and puts it on devices and users. It doesn't assign higher or lower levels of trust to devices based on whether they're inside the internal network or not.

Some security vendors have already started to embrace this no-trust-by-default security model. Duo Security, a two-factor authentication provider, launched its own BeyondCorp-inspired offering last week, and enterprise software startup ScaleFT has offered a dynamic access management service based on the same principles for a while.

Even networking and security appliance manufacturers like Cisco Systems have begun moving what were traditionally perimeter security gateways into the cloud to better serve roaming employees.

Duo Security's new Duo Beyond service consists of a software package that serves as an authentication gateway for all of a company's web-based applications, whether they're hosted inside the local network or in the cloud. It can be deployed in the company network's demilitarized zone (DMZ) and provides a single sign-on service that enforces device- and user-based access policies.

Duo Beyond assumes a zero-trust environment for all devices by default, regardless of whether they're connecting from within the enterprise network or from the outside. That said, it does provide administrators with the ability to differentiate between corporate devices and personal devices by deploying Duo certificates to those that are managed by the company.

This device identification process has several benefits. It allows for the easy discovery of new devices that are used to access corporate applications, which helps companies create and maintain accurate inventories that include employees' personal devices. It also allows restricting access to certain applications or accounts to company-managed devices where a certain degree of security can be guaranteed.

The service can also check the security state of a connecting device by looking at whether it's running the latest OS and browser version, whether the browser plug-ins are up to date and, in the case of mobile devices, whether encryption and passcode enforcement are turned on. This allows administrators to create fine-grained access rules based on device "health" and ensure that only reasonably secure devices can access company applications, even if those devices are owned and managed by the employees themselves.
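The device identification and health checks described above, written out as an added example that is not Duo's code: a small BeyondCorp-style policy evaluator in Python. Everything in it is an assumption for illustration, including the `Device`, `Request` and `evaluate` names, the sample per-application rules and version floors, and the HMAC tag used as a stand-in for a company-issued device certificate (a real gateway would verify an X.509 client certificate chained to the corporate CA and read OS and browser versions from the browser itself). The point it demonstrates is that the decision depends only on who the user is and what state the device is in, never on the source address.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Stand-in for the company's device-certificate CA: a secret known only to the
# gateway. In a real deployment the device would present an X.509 client
# certificate chained to the corporate CA; an HMAC tag is used here only to
# keep the example self-contained. Constructed sample value.
CA_SECRET = b"example-corp-device-ca-secret"


def issue_device_credential(device_id: str) -> str:
    """Enrolment step: mark a device as company-managed (hypothetical helper)."""
    return hmac.new(CA_SECRET, device_id.encode(), hashlib.sha256).hexdigest()


def is_managed(device_id: str, credential: Optional[str]) -> bool:
    """Gateway-side check: does the device present a valid company credential?"""
    if credential is None:
        return False
    expected = issue_device_credential(device_id)
    return hmac.compare_digest(expected, credential)


@dataclass(frozen=True)
class Device:
    device_id: str
    credential: Optional[str]      # None for personal, un-enrolled devices
    os_version: tuple[int, int]    # (major, minor), as reported by the browser
    browser_version: int
    plugins_current: bool
    mobile: bool = False
    encrypted: bool = True         # only evaluated for mobile devices
    passcode_enforced: bool = True # only evaluated for mobile devices


@dataclass(frozen=True)
class Request:
    user: str
    device: Device
    app: str
    source_ip: str  # logged for audit, deliberately not part of the decision


# Minimum acceptable versions and per-application rules (constructed sample policy).
MIN_OS = (10, 15)
MIN_BROWSER = 90
APP_POLICY = {
    "wiki":       {"managed_only": False, "require_healthy": True},
    "hr-payroll": {"managed_only": True,  "require_healthy": True},
}


def health_issues(d: Device) -> list[str]:
    """Return every reason the device fails the health baseline (empty if healthy)."""
    issues = []
    if d.os_version < MIN_OS:
        issues.append("os_outdated")
    if d.browser_version < MIN_BROWSER:
        issues.append("browser_outdated")
    if not d.plugins_current:
        issues.append("plugins_outdated")
    if d.mobile:
        if not d.encrypted:
            issues.append("not_encrypted")
        if not d.passcode_enforced:
            issues.append("no_passcode")
    return issues


def evaluate(req: Request) -> tuple[str, list[str]]:
    """Decide allow/deny for one request; the network location is never consulted."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return "deny", ["unknown_app"]
    reasons = []
    if policy["managed_only"] and not is_managed(req.device.device_id, req.device.credential):
        reasons.append("unmanaged_device")
    if policy["require_healthy"]:
        reasons.extend(health_issues(req.device))
    return ("allow" if not reasons else "deny"), reasons


def demo() -> dict[str, tuple[str, list[str]]]:
    """Constructed sample devices: a managed laptop, a healthy personal one, a stale one."""
    managed = Device("lap-001", issue_device_credential("lap-001"), (13, 2), 110, True)
    personal = Device("byod-7", None, (13, 2), 110, True)
    stale = Device("byod-9", None, (10, 12), 80, False)
    return {
        "managed_inside":   evaluate(Request("alice", managed, "hr-payroll", "10.1.2.3")),
        "managed_outside":  evaluate(Request("alice", managed, "hr-payroll", "203.0.113.7")),
        "personal_wiki":    evaluate(Request("bob", personal, "wiki", "198.51.100.4")),
        "personal_payroll": evaluate(Request("bob", personal, "hr-payroll", "10.1.2.9")),
        "stale_wiki":       evaluate(Request("carol", stale, "wiki", "10.1.2.10")),
    }


if __name__ == "__main__":
    for name, (decision, reasons) in demo().items():
        print(f"{name:17} {decision:5} {reasons}")
```

Note that the same managed laptop gets the same answer from an internal address and from the public Internet, the personal device reaches the wiki but not payroll, and an out-of-date device is refused with every failing check listed, which is the kind of reason string a help desk needs to tell a user what to fix.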

Duo Security doesn't expect customers to completely give up on VPNs if they deploy Duo Beyond, but based on the company's experience so far, customers can cut down VPN licensing costs by up to 80 percent. That's because most roaming employees only use VPN connections to access a few popular intranet web applications like Confluence, Jira or SharePoint.

The Duo Beyond service is priced at $9 per user per month and includes everything in the company's older Duo Access service, plus the new certificate-based device identification and the mechanism for controlling which internal apps are accessible by remote users.

Moving towards a BeyondCorp security model, where the location of devices does not matter, can help companies avoid having to raise virtual walls inside their networks. Network segmentation, which relies on setting up firewalls and VLANs to restrict access to certain applications and services, is not easy to implement and can quickly become an administrative burden.

In fact, as evidenced by many publicly documented security breaches, attackers often succeed in moving laterally inside a network once they break in. Most hackers start by targeting low-level employees through phishing or other methods and then, once inside a network, jump from system to system, exploiting vulnerabilities and stealing access credentials along the way until they reach the organization's crown jewels.

Google's own network was breached in late 2009 as part of a cyberespionage campaign of Chinese origin known as Operation Aurora. The hackers, who started by targeting the company's employees, sought access to the Gmail accounts of human rights activists.

Other security vendors are embracing BeyondCorp too, and, while there are differences in the implementation, the general goal is the same: moving security beyond a strictly defined network perimeter.

Duo Beyond works only for web-based applications and its device insight technology is agentless. The information about a laptop's OS, browser and plug-ins is obtained through the browser itself.

This approach limits what kind of information can be gathered, but Duo believes that it strikes the right balance between security and usability, since convincing users to install company-mandated software on their personal devices can be problematic.

By comparison, another company called ScaleFT provides a BeyondCorp-inspired solution called Dynamic Access Management that works for SSH (Secure Shell) and RDP (Remote Desktop Protocol), the remote access protocols for Linux and Windows servers respectively. ScaleFT's service does require the installation of client software, which synchronizes short-lived access certificates and handles device enrolment and local account creation.

Pushed by the need to address the issue of roaming employees, BYOD and software-as-a-service, some networking vendors have even started to move security appliances outside the network perimeter and into the cloud.

On Monday, Cisco Systems announced what it calls the first Secure Internet Gateway (SIG), which is based on the cloud-based OpenDNS Umbrella service that the company acquired in 2015.

"A SIG provides safe access to the internet anywhere users go, even when they are off the VPN," Cisco said in a blog post. "Before you connect to any destination, a SIG acts as your secure onramp to the internet and provides the first line of defense and inspection. Regardless of where users are located or what they’re trying to connect to, traffic goes through the SIG first."

If this new way of thinking about enterprise security catches on, it might even help speed up the adoption of IPv6, which is held back partly by fears that it could punch holes through network perimeters and partly because many companies still have old firewalls and equipment without proper support for it.
