There is no lack of articles declaring the death of the “perimeter.” That is, in the modern environment, if one’s risk model distinguishes an unsafe exterior from a safe interior network protected by VPNs, firewalls, etc., something is wrong with your security architecture. The argument has a lot of strengths: more and more workers are remote; more employees are connecting to, and regularly using, internal software and systems; and it’s often safer to assume compromise and work from there to isolate systems. All of these things are true, but I think painting the picture with such broad strokes is a mistake.
I’ve spent most of my time in the startup space. This is a world (unfortunately) embodied by the famous phrase “move fast and break things” – time to market, agility, and pivotability are key business requirements. What this leaves unsaid is that it leaves security in the dust, but it’s hard to argue with the logic. Security is a non-trivial time and cost trade-off, and short-term survival is more important than protecting a company’s resources from a potential breach. Furthermore, startups are so small that they’re not usually a top target for attackers. The potential payoffs are so small that attackers will look elsewhere, or the startup goes completely unnoticed. That being said, these risks are most definitely non-zero, and ignoring them (as startups often do) is a careless mistake. This is where I think declaring the death of the perimeter as broadly as several outlets are doing is a mistake:
First, perimeterless security is great, but it is an even larger time and money sink than traditional security. Google has large, dedicated internal teams and systems built specifically to support their BeyondCorp model. Second, declaring something “dead” implies that it’s no longer useful; however, if one has neither a perimeter nor perimeterless security, they’re in big trouble. Finally, and most importantly, startups have something that moots many of the arguments for perimeterless security: they’re tiny. It’s very possible to have only ports 80 and 443 open to the internet, with an internal network or segmented VPN for accessing internal resources with limited access and IP whitelists. Due to lower volumes, it’s also much easier to log and review everything.
Don’t get me wrong – I’m pro-perimeterless. I think it’s an awesome idea, and would encourage any organization that can follow it to do so. It should just be made clear that a more traditional security model should not be ignored just because it’s unsexy, or because it will be migrated away from in the future. The number of internet-exposed admin interfaces is just too damn high to think otherwise.