- With today’s hybrid workforce, organizations must effectively monitor and control access to data and applications that no longer reside inside a traditional network perimeter.
- Security teams must accelerate and enhance their detection of rapidly evolving cyberthreats.
- There is a lack of knowledge of zero trust security architecture and tools among the operations and infrastructure teams who are responsible for implementing security controls.
Our Advice
Critical Insight
Rather than thinking about securing the perimeter of your network, think in terms of your protect surfaces – the identities, data, and applications that need to be protected – along with how to protect them from security threats no matter where they are located in your environment.
Impact and Result
- Define your security in terms of what you are protecting: data, applications, and the identity of users accessing this information.
- Analyze what methods and tools are available to secure these pillars and determine where the data resides.
- Strengthen your ability to defend against cybersecurity threats by looking at your security posture in a more holistic way and adopting zero trust principles.
Secure Your Perimeterless Network
Build an effective tooling strategy based on zero trust security principles.
Executive Brief
Analyst Perspective
Build resilience rather than defending the perimeter.
Rather than thinking about securing the perimeter of your network, think in terms of identities, data, and applications and where they reside and how you can protect them from threats no matter where they are located. Following the concept of data and information as the core of your security requirements, it is essential for strong end-to-end encryption to play a key role.
Additionally, identity and access management (IAM) is an essential element of perimeterless network security. Think of IAM as your new perimeter and a pillar of your protect surface.
With the increased attack surface of perimeterless networks – whether it is location, devices, or distributed resources in a cloud environment – security considerations need to address identity, data, and applications in terms of end-to-end encryption, data loss prevention (DLP), and identity and access control.
In effect, building resilience rather than defending the perimeter needs to be at the forefront of your strategy.
John Donovan
Principal Research Director, I&O
Info-Tech Research Group
Executive Summary
Your Challenge
The most challenging aspect of security today is being able to monitor access, applications, and data that no longer reside inside the organization’s perimeter. Firewalls and VPNs are no longer viable in every situation, which increases every business’ security risks, including:
IT teams need to adopt a different way of thinking about network security.
Common Obstacles
Organizations face many obstacles in adopting a zero trust mindset for perimeterless network security, including:
Additional obstacles include cultural resistance, complexity, data silos, interoperability issues, and evolving threats.
Info-Tech’s Approach
Define your security in terms of what you are protecting: data, applications, and the identity of who is accessing this information.
By adopting zero trust principles and looking at your security posture in a more holistic way, you will strengthen your ability to protect against cyberthreats.
Info-Tech Insight
As networks become increasingly cloud-based, security leaders need to implement security monitoring solutions that don’t rely on traditional perimeter-based methods of threat detection (firewalls, VPNs, etc.), which do not incorporate any proactive steps to prevent intrusion or attack but only remediate after the fact.
State of cybersecurity
Statistics showing the financial impact on businesses of lacking a preventative, holistic approach to perimeterless networks
Cyberattacks
72%
- In 2023 there were 2,365 cyberattacks with 343,338,964 victims.
- The number of data breaches in 2023 was 72% higher than the previous high set in 2021.
Source: ITRC, 2024
51%
Fifty-one percent of organizations are planning to increase security investments as a result of a breach, including incident response planning and testing, employee training, and threat detection and response tools.
Source: Certified Nerds, 2024
The global average cost of a data breach in 2023 was US$4.45 million, a 15% increase over three years.
Source: IBM, 2024
Info-Tech Insight
Rather than thinking about securing the perimeter of your network, think in terms of identities, data, and applications and where they reside and how you can protect them from threats no matter where they are located.
Determine which methods and tools are required to protect your security pillars in a perimeterless environment
Activity
Vendor evaluation for perimeterless network security capabilities
Evaluation Overview
- Read through the capabilities of the various vendors listed on Tab 4 of the Perimeterless Network Vendor Evaluation Tool and understand them as they pertain to perimeterless network security.
- This will give you insight into the evaluation criteria that are filled out in the workbook. You can also add your own criteria. (Use the reference material in this blueprint to understand the zero trust pillars and determine the capabilities that are relevant to your organization.)
Methodology
- On Tab 1, Scoring Criteria, use the drop-down menu to assign a weight to each evaluation category. Provide a rationale to validate your weighting, if desired.
- On Tab 2, score candidate vendors on a scale of 1 to 5 for each category. The category weightings are based on the importance you assigned them on Tab 1.
Findings
- Once the scoring is complete, the top three vendors will be highlighted in yellow.
- The results on Tab 3 rate all the vendors selected for evaluation.
Next Steps
- Use the results to determine if you should consider each solution or a suite of solutions for a pilot to find out if they are effective in a perimeterless network security environment.
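The weighted scoring the evaluation workbook performs, written out as an added example so the mechanics are visible outside the spreadsheet. This is illustration code, not the Info-Tech Perimeterless Network Vendor Evaluation Tool itself; the category names (the five zero trust pillars), the 1 to 5 weight scale, and the vendor names and scores are constructed assumptions for the example. Scores are validated against the 1 to 5 scale, weighted totals are normalized back onto that scale, and the top three vendors are returned in the order the workbook would highlight them.

```python
"""Weighted vendor scoring (added example, not the Info-Tech workbook).

Weights: one per category, assumed here to be on a 1-5 scale.
Scores:  each vendor rated 1-5 per category (as on Tab 2 of the tool).
Result:  weighted average normalized to the 1-5 scale, ranked, top three.
"""

# Constructed categories: the zero trust pillars used throughout the blueprint.
CATEGORIES = ["Identity", "Devices", "Network", "Applications", "Data"]

# Constructed weights (Tab 1 equivalent) and vendor scores (Tab 2 equivalent).
SAMPLE_WEIGHTS = {"Identity": 5, "Devices": 3, "Network": 4, "Applications": 4, "Data": 5}
SAMPLE_SCORES = {
    "Vendor A": {"Identity": 5, "Devices": 4, "Network": 3, "Applications": 4, "Data": 5},
    "Vendor B": {"Identity": 3, "Devices": 5, "Network": 5, "Applications": 3, "Data": 3},
    "Vendor C": {"Identity": 4, "Devices": 4, "Network": 4, "Applications": 4, "Data": 4},
    "Vendor D": {"Identity": 2, "Devices": 2, "Network": 5, "Applications": 5, "Data": 2},
}


def validate(weights: dict, scores: dict) -> None:
    """Reject missing categories or values outside the 1-5 scale."""
    for cat in CATEGORIES:
        if cat not in weights:
            raise ValueError(f"missing weight for {cat}")
        if not 1 <= weights[cat] <= 5:
            raise ValueError(f"weight for {cat} must be 1-5")
    for vendor, per_cat in scores.items():
        for cat in CATEGORIES:
            if cat not in per_cat:
                raise ValueError(f"{vendor} has no score for {cat}")
            if not 1 <= per_cat[cat] <= 5:
                raise ValueError(f"{vendor} score for {cat} must be 1-5")


def weighted_score(weights: dict, vendor_scores: dict) -> float:
    """Weighted average of the vendor's category scores, on the 1-5 scale."""
    total_weight = sum(weights[c] for c in CATEGORIES)
    weighted_sum = sum(weights[c] * vendor_scores[c] for c in CATEGORIES)
    return round(weighted_sum / total_weight, 2)


def rank_vendors(weights: dict, scores: dict) -> list:
    """All vendors with their weighted score, highest first (ties by name)."""
    validate(weights, scores)
    ranked = [(vendor, weighted_score(weights, per_cat)) for vendor, per_cat in scores.items()]
    ranked.sort(key=lambda item: (-item[1], item[0]))
    return ranked


def top_three(weights: dict, scores: dict) -> list:
    """The three vendors the workbook would highlight."""
    return [vendor for vendor, _ in rank_vendors(weights, scores)[:3]]


if __name__ == "__main__":
    for vendor, score in rank_vendors(SAMPLE_WEIGHTS, SAMPLE_SCORES):
        print(f"{vendor}: {score}")
    print("Top three:", top_three(SAMPLE_WEIGHTS, SAMPLE_SCORES))
```

Because the result is normalized, a vendor that scores 4 in every category lands at exactly 4.0 regardless of the weights, which makes it easy to sanity-check that the weighting is doing what you intended before trusting the ranking.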
Download the Perimeterless Network Vendor Evaluation Tool
Tools and methods that cross multiple protect surfaces (MFA/SSO & SIEM)
Info-Tech Insight
When analyzing the protect surfaces, keep in mind that several tools can effectively secure multiple pillars in a zero trust architecture. Analyze the tools that have this capability that can cross those pillars and simplify your vendor assessment when designing your security in a perimeterless environment.
Review available candidate solutions
Identify and preliminarily evaluate potential vendors
Vendor Evaluation Criteria
- Viability: Vendor is profitable, knowledgeable, and will be around for the long term.
- Focus: Vendor is committed to the space and has a future product and portfolio roadmap.
- Reach and Support: Vendor offers global coverage that can support your business’ geographic footprint.
- Support: Vendor provides post-sales support for implementation, management, and customizations.
- Sales: Vendor channel partnering, sales strategies, and processes allow for flexible product acquisition.
Product Evaluation Criteria
- Usability: The end-user and administrative interfaces are intuitive and offer streamlined workflow. The product is easy to manage and requires limited resources.
- Affordability: Implementing and operating the solution is affordable for the given technology.
- Architecture: Multiple deployment options, platform support, and integration capabilities are available.
Business Evaluation Criteria
- Health: Assess business health as well as product health. Don’t let strategic analysis be overwhelmed by technical evaluation.
- Leadership: Conduct your due diligence on the CTO, CEO, and board of directors. Assess not only their previous work experience but also what they will be bringing to the table.
- Funding: If the organization is venture-funded, be sure to assess its series valuations – has the company had a down round in the last 8-12 months? Who is leading the investing? Does this provide security for investors/consumers?
Info-Tech Insight
Understand your priorities. No zero trust solution offers a perfect balance of high ROI, low cost, high benefits, and alignment. The selection process is a game of compromises; prioritize the factors that matter most, but don’t entirely sacrifice the rest.
Moving from traditional network security to perimeterless network security
Traditional network security techniques
Core Principles:
- Perimeter-Based Defense: Traditional security models operate on the assumption that threats are primarily external. The focus is on securing the network perimeter using firewalls, VPNs, and intrusion detection systems to protect the network from unauthorized external access.
- Trust Inside the Perimeter: Once inside the network, devices and users are generally trusted by default. This can create vulnerabilities, as it allows for potentially unimpeded lateral movement within the network if the perimeter is breached.
Advantages
- Well Understood: These techniques are established and familiar to many IT professionals, with well-documented best practices and extensive support.
- Effective Against External Threats: They effectively defend against unauthorized access attempts from outside the network.
Disadvantages
- Perimeter Vulnerability: If the perimeter is breached, the entire network can be exposed. This model struggles with insider threats, compromised credentials, and any other security issues that arise from within.
- Poor Flexibility and Scalability: Adapting to new technologies and work environments (like remote work or cloud services) can be challenging and often requires additional security layers, which can complicate the security infrastructure.
Traditional perimeter-based network security
Traditional network security focuses on protecting an organization’s network boundaries using firewalls, VPNs, and intrusion detection systems (IDS) to create a secure "perimeter." The concept is that once inside the perimeter, users are generally trusted, and security is less stringent.
Tools:
- Firewalls: Act as a barrier between the trusted internal network and untrusted external networks.
- VPN: Virtual private networks secure remote access to the internal network by creating encrypted tunnels.
- Intrusion Detection Systems (IDS): Monitor network traffic for suspicious activity and known threats.
Vendors:
- Cisco ASA: A robust firewall and VPN solution to create a secure perimeter.
- Symantec Endpoint Protection: Provides traditional antivirus and personal firewall services for endpoints within the perimeter.
- McAfee Network Security Platform: An IDS that detects and prevents malicious activity on the network.
Info-Tech Insight
The evolution from traditional perimeter-based network security to perimeterless networks reflects changes in how organizations operate, especially with the increased adoption of cloud services, remote work, and mobile technologies. Understanding the differences between these approaches and the tools used can help in designing effective security strategies.
Understand the protect surface
Data, application, asset, and services (DAAS)
A protect surface can be described as what’s critical, most vulnerable, or most valuable to your organization. This protect surface could include at least one of the following – data, application, asset, and services (DAAS) – that requires protection. This is also the area zero trust policy aims to protect. Understanding what your protect surface is can help channel the required energy into protecting that which is crucial to the business. This aligns with the shift from focusing on the attack surface to narrowing it down to a smaller and achievable area of protection.
Anything and everything that connects to the internet is a potential attack surface, and pursuing every loophole will leave us one step behind due to lack of resources. Since a protect surface contains one or more DAAS elements, a microperimeter is created around it and the appropriate protection is applied. As a team, we can ask ourselves this question when thinking of our protect surface: to what degree does my organization want me to secure things? The answer to this question is tied to the organization’s risk tolerance, and it is only fair for us to engage the business in identifying what the protect surface should be.
Components of a protect surface
- Data
- Application
- Asset
- Services
Info-Tech Insight
Focus has shifted away from the attack surface and onto the protect surface. DAAS elements show where the initiatives and controls associated with the zero trust pillars (identity, devices, network, application, and data) need to be applied.
What is zero trust?
From theoretical to practical
Zero trust is an ideal in the literal sense of the word, because it is a standard defined by its perfection. Just as nothing in life is perfect, there is no measure that determines an organization is absolutely zero trust. The best organizations can do is improve their security iteratively and get as close to the ideal as possible.
In the most current application of zero trust in the enterprise, a zero trust strategy applies a set of principles, including least-privilege access and per-request access enforcement, to minimize compromise to critical assets. A zero trust roadmap is a plan that leverages zero trust concepts, considers relationships between technical elements as well as security solutions, and applies consistent access policies to minimize areas of exposure.
Info-Tech Insight
Solutions offering zero trust often align with one of five pillars. A successful zero trust implementation may involve a combination of solutions, each protecting the various data, application, assets, and/or services elements in the protect surface.
Principles of zero trust
Principle 1: Never Trust, Always Verify
The main goal of zero trust is to secure corporate resources by eliminating persistent trust in everything:
- Identities
- Devices
- Applications
- Infrastructure
- Network
- Data
Removing trust is the key to security because, as John Kindervag has said, “Trust is a vulnerability that is also an exploit at the same time.” Access policies should revolve around the principle of least privilege first and dynamically adjust based on contextual information.
Principle 2: Assume Breach
Assume breach is a principle derived from a speech given by General Michael Hayden, the former director of the CIA and NSA. He said:
“Fundamentally, if somebody wants to get in, they’re getting in … Accept that.”
This is a mindset that means that your organization should operate on the assumption that your environment has already been breached. The environment should be architected to minimize the effects of a breach with controls to prevent lateral movement and reduce damage.
Principle 3: Verify Explicitly
Identities can be forged, and access can be duplicated; therefore, verification is needed. Zero trust is like an airport with multiple security checks between the ticket counter, precheck, and again before you board the plane. Multiple modes of verification, both dynamic and static, must be produced to give access to resources.
Static
- Passwords
- Biometrics
- Security tokens
Dynamic
- Risk-based access
- User and entity behavior analytics
Info-Tech Insight
Zero trust is a strategy that forgoes reliance on perimeter security and moves controls to where users access resources. It consolidates security solutions and saves operating expenditures, and it also enables business mobility by securing the digital environment at all layers.
The Info-Tech Zero Trust Framework
Info-Tech’s Zero Trust Framework aligns with zero trust references, including:
- ACT Zero Trust Cybersecurity Current Trends, 2019
- NIST SP 800-207: Zero Trust Architecture, 2020
- DOD Zero Trust Reference Architecture, 2021
- NSA Embracing a Zero Trust Security Model, 2021
- CISA Zero Trust Maturity Model, 2021
- Executive Order (EO) 14028: Improving the Nation’s Cybersecurity, The White House, 2021
- OMB Moving the U.S. Government Toward Zero Trust Cybersecurity Principles, 2022
- NSTAC Zero Trust and Trusted Identity Management, 2022
- NIST SP 800-53 r5: Security and Privacy Controls for Information Systems and Organizations
Info-Tech Insight
A best-of-breed approach ensures holistic coverage of your zero trust program while refraining from locking you into a specific reference.
Understand zero trust’s high-level architecture
Zero trust is not one product but multiple capabilities working together simultaneously.
Consider the control areas and examples below for how they map to this high-level architecture.
- Identities: Users require identities with defined roles, access privileges, and controls such as multifactor authentication and single sign-on.
- Devices: Devices also have identities, require endpoint protection and detection, and should also have access privileges defined.
- Applications: Applications must be segmented by workflow and administrative access must be limited.
- Infrastructure: Your infrastructure is set up with monitoring and alerts.
- Network: Your internal network is not considered an implicit trust zone.
- Data: Encryption in transit and at rest with allowlisted policies on how that data can be accessed and used.
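The three principles above (never trust, always verify; assume breach; verify explicitly with static and dynamic factors) and the per-request, least-privilege enforcement described in the high-level architecture come together in a policy decision point. The following is an added example of such a decision function, written for this page rather than taken from Info-Tech or from any vendor product. The application allowlist, the risk weights and thresholds, the request fields, and the sample users are all constructed assumptions; in a real deployment the signals would come from the IdP, the MDM/EDR platform and behavior analytics, and the thresholds would be tuned to the organization's risk tolerance.

```python
"""Per-request zero trust access decision (added example, not a vendor's engine).

Each request is evaluated from scratch, with no trust carried over from network
location or from a previous request:
  * static verification: primary credential and MFA factor
  * least privilege:     role allowlist per application, checked before context
  * dynamic verification: device posture and behavior signals -> risk score
The outcome is 'allow', 'step_up' (re-verify with MFA) or 'deny'.
All policy data and sample requests below are constructed for this example.
"""
from dataclasses import dataclass

# Least-privilege allowlist: which roles may reach which application (constructed).
APP_ALLOWLIST = {
    "payroll": {"finance", "hr"},
    "crm": {"sales", "support"},
    "wiki": {"finance", "hr", "sales", "support", "engineering"},
}

# Assumed thresholds on the 0-100 risk score.
RISK_THRESHOLD_STEP_UP = 40
RISK_THRESHOLD_DENY = 70


@dataclass
class AccessRequest:
    user: str
    roles: set
    app: str
    password_ok: bool           # static factor, already checked by the IdP
    mfa_ok: bool                # static factor: token or biometric presented
    device_managed: bool        # dynamic: device enrolled in MDM/EDR
    device_patched: bool        # dynamic: endpoint meets the patch baseline
    new_location: bool = False  # dynamic: sign-in from a location not seen before
    failed_logins_24h: int = 0  # dynamic: behavior signal from the IdP


def risk_score(req: AccessRequest) -> int:
    """Combine contextual signals into a 0-100 risk score (weights are assumed)."""
    score = 0
    if not req.device_managed:
        score += 40
    if not req.device_patched:
        score += 20
    if req.new_location:
        score += 25
    score += min(req.failed_logins_24h, 5) * 5
    return min(score, 100)


def decide(req: AccessRequest) -> tuple:
    """Return (decision, reason); decision is 'allow', 'step_up' or 'deny'."""
    # Never trust, always verify: the primary credential is required every time.
    if not req.password_ok:
        return "deny", "primary credential failed"
    # Least privilege: an unknown app or a role with no entitlement is denied
    # before any contextual signal is even considered.
    if req.app not in APP_ALLOWLIST:
        return "deny", f"unknown application {req.app}"
    if not (req.roles & APP_ALLOWLIST[req.app]):
        return "deny", "no role permits this application"
    # Verify explicitly: dynamic context decides between allow, step-up and deny.
    score = risk_score(req)
    if score >= RISK_THRESHOLD_DENY:
        return "deny", f"risk score {score} exceeds deny threshold"
    if not req.mfa_ok or score >= RISK_THRESHOLD_STEP_UP:
        return "step_up", f"MFA required (risk score {score})"
    return "allow", f"verified, risk score {score}"


# Constructed sample requests.
SAMPLE_REQUESTS = [
    AccessRequest("alice", {"finance"}, "payroll", True, True, True, True),
    AccessRequest("bob", {"sales"}, "payroll", True, True, True, True),
    AccessRequest("carol", {"hr"}, "payroll", True, False, True, True),
    AccessRequest("dave", {"support"}, "crm", True, True, False, False, True),
    AccessRequest("erin", {"engineering"}, "wiki", True, True, True, True, True),
]


def evaluate_all(requests=SAMPLE_REQUESTS) -> dict:
    """Map each sample user to the decision the policy returns."""
    return {r.user: decide(r)[0] for r in requests}


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        decision, reason = decide(r)
        print(f"{r.user:6} -> {r.app:8} {decision:8} {reason}")
```

Note the ordering: entitlement is checked before risk, so a correctly authenticated, low-risk user with no role for the application is still denied, and a user with a valid role on an unmanaged, unpatched device from a new location is denied outright rather than being offered a step-up. Decisions are made per request, so a later request from the same user with a changed device posture gets a different answer.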
Adapted from NIST SP 800-207, 2020
Zero trust architecture of perimeterless network security
The components and methods to secure your applications and data
Architectural Components
- Identity and Access Management (IAM): Central to zero trust architecture (ZTA), IAM systems manage user identities and enforce access controls. This includes the use of multifactor authentication (MFA) and single sign-on (SSO) solutions.
- Device Management: Ensures devices meet security standards before granting access. This can be achieved using endpoint detection and response (EDR) tools and mobile device management (MDM) solutions.
- Network Security: Network microsegmentation and software-defined perimeters (SDP) to isolate network segments and enforce access controls at a granular level.
- Data Security: Data classification and encryption to protect sensitive information. Implementing data loss prevention (DLP) solutions to monitor and control data flow.
- Application Security: Secure application access using web application firewalls (WAFs) and secure access service edge (SASE) solutions and by ensuring secure software development practices.
- Security Analytics and Automation: Use security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platforms for continuous monitoring and automated response to security incidents.
Architectural Layers
- User and Device Layer: Enforces identity and device trust through IAM and device management solutions.
- Network Layer: Uses microsegmentation and encrypted communications to protect data in transit and limit lateral movement within the network.
- Application Layer: Ensures secure access to applications through application-level controls and monitoring.
- Data Layer: Protects data at rest and in transit with encryption and access controls based on data sensitivity.
Implementation steps
- Assess the current state: Evaluate the existing security posture, identify gaps, and define the scope of ZTA implementation.
- Define the trust model: Establish the criteria for trust, considering user identity, device health, and contextual factors.
- Implement IAM and device security: Deploy IAM solutions with MFA and ensure devices meet security standards before accessing resources.
- Apply microsegmentation: Use network segmentation to isolate sensitive systems and enforce access controls at the segment level.
- Deploy continuous monitoring: Implement continuous monitoring tools to detect and respond to threats in real time.
- Review and update policies: Regularly review and update access policies based on emerging threats and changes in the organizational environment.
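Microsegmentation appears above as a network security component, as the network layer's defense against lateral movement, and as an implementation step. The following added example shows what segment-level enforcement and monitoring look like in practice: hosts are mapped to segments, an explicit allowlist names the only permitted segment-to-segment flows, and flow records are checked against it so that anything outside the allowlist (including workstation-to-workstation and workstation-to-database traffic, the classic lateral-movement pattern an assume-breach posture plans for) is reported. This is illustration code written for this page, not a vendor's product or the Info-Tech tool; the addressing plan, the allowlist, and the simplified flow-record format and sample records are constructed assumptions. A real deployment would feed it from firewall, NetFlow or cloud flow-log data, which has its own formats.

```python
"""Segment-level allowlist check over flow records (added example).

Default deny: only flows listed in ALLOWED_FLOWS are permitted. The internal
network is not an implicit trust zone, so east-west traffic inside a segment
is a violation unless it is explicitly listed. All data below is constructed.
"""
import ipaddress
from typing import Iterable

# Segments as CIDR blocks (constructed addressing plan).
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "web": ipaddress.ip_network("10.20.0.0/24"),
    "app": ipaddress.ip_network("10.30.0.0/24"),
    "db": ipaddress.ip_network("10.40.0.0/24"),
    "mgmt": ipaddress.ip_network("10.50.0.0/24"),
}

# Allowlist: (source segment, destination segment, protocol) -> permitted ports.
# Nothing else is allowed, including traffic that stays inside one segment.
ALLOWED_FLOWS = {
    ("workstations", "web", "tcp"): {443},
    ("web", "app", "tcp"): {8443},
    ("app", "db", "tcp"): {5432},
    ("mgmt", "web", "tcp"): {22},
    ("mgmt", "app", "tcp"): {22},
    ("mgmt", "db", "tcp"): {22},
}


def segment_of(ip: str) -> str:
    """Name of the segment an address belongs to, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line: str) -> dict:
    """Parse the simplified constructed record format: 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return {"src": src, "dst": dst, "proto": proto.lower(), "dport": int(dport)}


def is_allowed(flow: dict) -> bool:
    """True only if the segment pair, protocol and port are on the allowlist."""
    key = (segment_of(flow["src"]), segment_of(flow["dst"]), flow["proto"])
    return flow["dport"] in ALLOWED_FLOWS.get(key, set())


def find_violations(lines: Iterable[str]) -> list:
    """Return (src, dst, dport, 'srcseg->dstseg') for every flow not on the allowlist."""
    violations = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if not is_allowed(flow):
            path = f"{segment_of(flow['src'])}->{segment_of(flow['dst'])}"
            violations.append((flow["src"], flow["dst"], flow["dport"], path))
    return violations


# Constructed flow records: three sanctioned tiers plus three policy violations.
SAMPLE_FLOWS = """
# src dst proto dport
10.10.4.21 10.20.0.5 tcp 443
10.20.0.5 10.30.0.7 tcp 8443
10.30.0.7 10.40.0.9 tcp 5432
10.10.4.21 10.10.7.3 tcp 445
10.10.4.21 10.40.0.9 tcp 5432
10.50.0.2 10.40.0.9 tcp 22
10.20.0.5 10.40.0.9 tcp 5432
""".strip().splitlines()


if __name__ == "__main__":
    for src, dst, dport, path in find_violations(SAMPLE_FLOWS):
        print(f"VIOLATION {path}: {src} -> {dst}:{dport}")
```

The same allowlist serves two of the implementation steps at once: it is the policy that a firewall, SDP or cloud security group enforces at the segment boundary, and it is the reference that continuous monitoring compares observed flows against, so a flow the enforcement point should have blocked but which still appears in the logs is itself a finding worth investigating. Keeping the allowlist as data rather than scattered rules also makes the "review and update policies" step a diff of one table.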