Why The Perimeter Must Become Virtual

The perimeter is a key concept in information security, and the idea is even older than the field. In its original sense, it means a path that surrounds an area. In information security, that path consists of an ensemble of protection mechanisms that surround your information: physical walls and physical protection around servers in a data center, and logical walls (firewalls, intrusion prevention systems, anti-virus protection).

In the world of cloud infrastructures (IaaS), it is not so easy to determine the “area” that is supposed to be surrounded. Resources are shared among different clients (multi-tenancy) and they are located in the data centers of external providers (outsourcing). Moreover, computing resources become virtual (physical resources are transparently shared) and elastic (they are allocated and destroyed on demand). Since this can be done via APIs in a programmable and automated way, cloud computing infrastructures are highly dynamic and volatile. How can one build a perimeter around a moving target?

Well, the short answer is: the perimeter must also become virtual, highly dynamic, and automated.

Let’s look at an example: a new web application is being launched. There should be an automated verification process that checks the firewall rules, the access rights of users, the patch level and whether patching is automated, and whether backups are being taken; that performs an external audit of the application (using a SaaS service, for instance); and that even deploys a web application firewall in front of it, just to name a few steps. This does not eliminate the need to include security in the development life cycle, but unless we can deliver such an automated service, we will keep hearing complaints about the time it takes to get new services online, and we will continue to have insecure applications online (maybe in another cloud :-)).
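To make the verification step concrete, here is an added example (not the post's own code) of a small automated check that a newly launched web application must pass before it is considered inside the perimeter. The instance description, the rule names and the policy thresholds (only ports 80 and 443 may be world-reachable, only two user roles are acceptable) are constructed for illustration.

```python
# Added example: automated perimeter verification for a newly launched web
# application. The policy values and the sample instance are constructed.
from dataclasses import dataclass


@dataclass
class Instance:
    name: str
    firewall: list       # inbound rules as (proto, port, source_cidr)
    users: dict          # user name -> role
    auto_patching: bool  # are patches applied automatically?
    backups_enabled: bool
    behind_waf: bool     # is a web application firewall in front of it?


# Constructed policy: only web ports may face the whole Internet, only the
# listed roles are acceptable, and patching, backups and a WAF are required.
WORLD = "0.0.0.0/0"
PUBLIC_PORTS = {80, 443}
ALLOWED_ROLES = {"app-deploy", "read-only"}


def verify(inst):
    """Return the list of findings; an empty list means the instance passes."""
    findings = []
    for proto, port, cidr in inst.firewall:
        if cidr == WORLD and port not in PUBLIC_PORTS:
            findings.append(f"firewall: {proto}/{port} exposed to {WORLD}")
    for user, role in inst.users.items():
        if role not in ALLOWED_ROLES:
            findings.append(f"access: user {user} has role {role}")
    if not inst.auto_patching:
        findings.append("patching: automatic updates disabled")
    if not inst.backups_enabled:
        findings.append("backup: no backup job configured")
    if not inst.behind_waf:
        findings.append("waf: no web application firewall in front")
    return findings


# Constructed sample: a freshly launched instance with three gaps.
NEW_APP = Instance(
    name="shop-web-01",
    firewall=[("tcp", 443, WORLD), ("tcp", 80, WORLD), ("tcp", 22, WORLD)],
    users={"deploy": "app-deploy", "bob": "admin"},
    auto_patching=True,
    backups_enabled=False,
    behind_waf=True,
)

if __name__ == "__main__":
    for finding in verify(NEW_APP):
        print("FAIL", finding)
```

In a real deployment the `Instance` would be filled from the provider's API and the configuration management tool rather than written by hand, and a non-empty result would block the launch.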

5 thoughts on “Why The Perimeter Must Become Virtual”

Thanks for your comment. Indeed VPNs such as VPN-Cubed (and Amazon VPC) are an important element of a virtual security perimeter.

In addition, we believe that the perimeter should be automatically adapted to infrastructure changes (for example, launch of a new machine). So, the configuration of the VPN must be generated and deployed without manual intervention. Do you currently support this use case?
We’re using configuration management (CM) tools such as Chef and Puppet but we still need to install the CM agents…

Nevertheless, there is still the challenge of key management. How to manage the VPN keys on an elastic security perimeter?
I would love to hear about solutions for this!

Cheers,
Sergio

  1. Pingback: Don’t Conflate Virtual with Dynamic | Load Balancing Trix

  2. Pingback: Don’t Conflate Virtual with Dynamic » Welcome to privatecloud.com

  3. Pingback: Reply to “Don’t Conflate Virtual with Dynamic” « Elastic Security
