By Ed King
As cloud and mobile computing make enterprise IT ever more extended, the traditional security model of keeping the bad guys out and allowing only the good guys in no longer works well. While the reach of the enterprise has expanded, the security perimeter may actually have to shrink to around the smallest entities such as the application and the dataset. A truly scalable security model for this world of BYOx (fill in device, application, identity) seems to be one based on massively scalable micro-perimeters. What is big is now small and what is small is now big.
Micro-perimeter #1: Applications
Application security has long been secondary to network security. In the old days, since most business applications were only accessible on the corporate network via a browser or fat client, applications only needed rudimentary authentication and authorization capabilities. However, now with the pervasiveness of Cloud based services and mobile access, the network perimeter has effectively evaporated and application security is a front and center of house issue. By shrinking the security perimeter to each individual application, enterprise IT can control a user’s access to the application from anywhere and any device, without having to rely on a cumbersome VPN connection. For applications in the Cloud, Cloud service providers already provide basic network security such as firewalling. Application security, however, is the responsibility of the enterprise. Any access control that was previously implemented at the network level needs to move to the application level. Setting up a micro-perimeter around applications involves:
- Authentication and single sign-on: This can mean strong and multi-factor authentication if a higher level of assurance is required. If the application is being used by third-party users, a federated scheme is highly recommended.
- Authorization: This typically means a role or attribute based scheme. More advanced authorization schemes can involve fine grained entitlement management, as well as risk based schemes. If federated access is required, definitely consider OAuth, which has become the de-facto federated authorization scheme of today.
Building authentication and authorization capabilities into individual applications is neither economical nor scalable. Look for access management technologies that can front new and legacy applications and support the latest federation standards such as OAuth, OpenID Connect, and SCIM (System for Cross-domain Identity Management).
Micro-perimeter #2: APIs
How we use applications has changed since Apple introduced the iPhone and the App Store. We no longer use a small number of larger complex applications (think Excel, Word), but a large number of small purpose-built applications. How many applications do you have on your smartphone? This same trend is true for Cloud applications. Instead of large ERP platforms such as SAP and Oracle, enterprises are now favoring smaller, best-of-breed applications such as Salesforce and Workday. In addition, the modern application user experience is cross-modal, users use a number of applications on different platforms to complete tasks within the same business process. This new breed of applications use web APIs to enable integration and support multiple user engagement applications on mobile and Cloud. API has become the common access point given the proliferation of applications and endpoints. Setting up a micro-perimeter around APIs involve 3 aspects of protection:
- Interface security to ensure transport level security and blocking of attacks such as SQL injection and cross-site scripting
- Access control to ensure only the right user, device and applications are allowed to access the APIs, along with integration to enterprise identity and access management platforms
- Data security to monitor all data passing through the API, including header, message body, and any attachment, for sensitive data, then perform real-time redaction
Just as with application security, do not reinvent the wheel when installing micro-perimeters around APIs. Consider products such as API Servers and API Gateways that offer comprehensive API protection in all three areas.
Micro-perimeter #3: Devices
Mobile devices are more easily compromised than servers and desktop computers, and thus have a much bigger attack surface. In addition to the typical endpoint security vulnerabilities such as malware and operating system exploits, a lost or stolen device gives attackers physical access to the device, which opens up additional exploit options at the hardware, firmware, operating system and application levels. Beyond physical security, the widespread use of application stores creates opportunities for malware to be downloaded freely and spread quickly. Deploying a micro-perimeter around the mobile device has been a hot security field in recent years.
Various solutions ranging from MDM (mobile device management), mobile virtual machines and containers, to application signing are available. Look for technologies that can:
- Validate application authenticity and integrity
- Secure operating system and applications from malware and viruses
- Detect and block suspicious/unauthorized cross-application activities
- Secure keys and identities on the device
- Secure communication and prevent man-in-the-middle exploits
Micro-perimeter #4: Data
In this ultra-connected world, data drives applications and user interactions. Data is often passed from application to application and from device to device. Data security measures are usually in place at the original egress point when the data leave its source, but once the data is sent to its first client, what happens after that is anybody’s guess. Using identity data as an example, once user data is sent to a Cloud service, that service may be caching the user credential to allow single sign-on to a third-party service. The second leg of that integration may not have proper user consent. How the identity data is handled by the second service is an unknown risk to the enterprise.
The way to secure data in a federated environment is to put up a micro-perimeter around the data set. The data set should be encrypted so only authorized endpoints have the means to consume the data. An example of this is the OAuth 2.0 standard that replaces user identity and authorization scope with an opaque token, then provides interaction mechanisms to ensure user consent is provided when a new third-party needs to consume the OAuth token. This type of technology has not yet expanded to handle arbitrary data sets, beyond the traditional cumbersome PKI infrastructure. Future capabilities may also include wrapping data sets with policies that can be directly consumed by client applications.
While mobile and Cloud technologies have expanded the reach of enterprise security, moving to a micro-perimeter based security model maybe the key to having a massively scalable security model. What is big is now small and what is small is now big.
Ed King is the VP of Product Marketing, Emerging Technologies, for Axway (recently acquired Vordel). King has responsibility for Product Marketing of emerging technologies around Cloud and Mobile at Axway, following their recent acquisition of Vordel. At Vordel, he was VP Product Marketing for the API Server product that defined the Enterprise API Delivery Platform. Before that he was VP of Product Management at Qualys, where he directed the company’s transition to its next generation product platform. As VP of Marketing at Agiliance, Ed revamped both product strategy and marketing programs to help the company double its revenue in his first year of tenure. Ed has also held senior executive roles in Product Management and Marketing at Qualys, Agiliance, Oracle, Jamcracker, Softchain and Thor Technologies. He holds an engineering degree from the Massachusetts Institute of Technology and a MBA from the University of California, Berkeley.