The Perimeter is a lie – an approach (part 2)


In my previous post I advocated reducing the security perimeter to the smallest possible size, because perimeter-based security is often not enough: the slightest ‘hole’ in the perimeter allows attackers to get in. In this post I’m going to start expanding on how to fix this problem. In practical terms this means you should ensure security at the application / container / microservice level:

  • Each App/Device should have direct authentication/encryption (this is a challenge for TLS offload, but if you use it you need to make sure the unencrypted segment is as small as possible)
  • Each App/Device should have local network access control blocking all traffic it does not need (both inbound and outbound!)
  • Each App/Device should be read-only except for what actually needs to be writable
  • Each App/Device should be signed and verified, ideally at both boot and runtime
  • Apps/Devices should all authenticate to each other using unique, rotatable and regularly rotated credentials
  • Logs should be centralised and tuned to provide useful and actionable data

So how do we go about achieving this? In this article I’ll show a ‘reference’ architecture for it. It’s not the only way to do it, but I think it’s one that is practical and not too hard to implement. Let me start with a diagram:

This reference assumes a couple of things:

  • You want to run in containers
  • You need resilience and scalability

The basic idea is to run each application as a container and make sure that both the application and the container enforce security. Docker & Kubernetes provide great tools for this, but you could also do this with VMs or bare metal, although the tooling is more complex.
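One way to check two items from the checklist above on Kubernetes (read-only filesystems, and network access control in both directions) is to audit the manifests before they are deployed. This is an added example, not code from the original post. The sample manifests are constructed, every name in them is hypothetical, and only `matchLabels` selectors are evaluated.

```python
# Audit parsed Kubernetes manifests: read-only root filesystems, and
# NetworkPolicy coverage of both inbound and outbound traffic.

def _namespace(manifest):
    return manifest["metadata"].get("namespace", "default")

def _selects(policy, pod):
    # Simplification (assumption): only podSelector.matchLabels is evaluated,
    # matchExpressions are ignored. An empty selector matches every pod.
    if _namespace(policy) != _namespace(pod):
        return False
    wanted = policy["spec"].get("podSelector", {}).get("matchLabels", {})
    labels = pod["metadata"].get("labels", {})
    return all(labels.get(k) == v for k, v in wanted.items())

def _policy_types(policy):
    # Kubernetes default when policyTypes is omitted: Ingress always,
    # Egress only if the policy carries egress rules.
    spec = policy["spec"]
    return spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])

def audit(manifests):
    """Return (pod name, problem) tuples for every pod that misses a control."""
    policies = [m for m in manifests if m["kind"] == "NetworkPolicy"]
    findings = []
    for pod in (m for m in manifests if m["kind"] == "Pod"):
        name = pod["metadata"]["name"]
        for c in pod["spec"]["containers"]:
            if not c.get("securityContext", {}).get("readOnlyRootFilesystem", False):
                findings.append((name, f"container {c['name']}: root filesystem is writable"))
        covered = {t for p in policies if _selects(p, pod) for t in _policy_types(p)}
        for direction in ("Ingress", "Egress"):
            if direction not in covered:
                findings.append((name, f"no NetworkPolicy isolates {direction}"))
    return findings

# Constructed sample input, shaped like parsed YAML; all names are hypothetical.
SAMPLE = [
    {"kind": "Pod", "metadata": {"name": "api", "namespace": "shop", "labels": {"app": "api"}},
     "spec": {"containers": [{"name": "api", "securityContext": {"readOnlyRootFilesystem": True}}]}},
    {"kind": "Pod", "metadata": {"name": "worker", "namespace": "shop", "labels": {"app": "worker"}},
     "spec": {"containers": [{"name": "worker"}]}},
    {"kind": "NetworkPolicy", "metadata": {"name": "api-lockdown", "namespace": "shop"},
     "spec": {"podSelector": {"matchLabels": {"app": "api"}}, "policyTypes": ["Ingress", "Egress"]}},
    {"kind": "NetworkPolicy", "metadata": {"name": "worker-in", "namespace": "shop"},
     "spec": {"podSelector": {"matchLabels": {"app": "worker"}}, "ingress": []}},
]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The `worker` pod is flagged twice: its root filesystem is writable, and the only policy that selects it covers inbound traffic, so outbound traffic is left open.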

The diagram above splits the world into two parts: services that are provided by the environment, and the container clusters themselves. This design works, in principle, the same on IoT devices, private data centers & public/private cloud hosting. Some of the implementation details will vary, but the overall components are the same. In future articles I’ll drill into some of the main components to give you an idea of how they can be implemented.