Editor's note: The following is a guest article from Dan Petrozzo, partner at Oak HC/FT and former CIO at Fidelity Investments.
It was not that long ago that the network perimeter was considered the central focus of enterprise security.
In today's world, few rely on the perimeter as the primary means of defense. Still, most organizations now maintain perimeters for their on-premises and private cloud environments.
Groups ranging from Gartner to the FBI have all noted that the perimeter is not capable of fully securing an organization's data. Why, then, do IT organizations continue to invest and perpetuate perimeter security?
The answer provides a fresh perspective on how companies, particularly in regulated industries, can bring their workloads to public clouds while maintaining a trusted environment.
The perimeter still performs an important security function. Despite its porous nature and generally reactive stance to threats, a network perimeter still deflects the vast majority of attacks. The same logic applies to desktop or device endpoint security, such as antivirus software, which organizations retain even though it is imperfect.
The perimeter forms a delineation between a "trusted" environment under the control of the organization and the outside world. This has several implications.
First, what's inside is bounded rather than unlimited — which makes the attack surface smaller and more manageable. Bounded conditions make it easier to devise strategies, understand conditions, and prepare for growth and change.
Second, what's inside — the users, applications, servers, infrastructure, etc. — is known. Unfortunately, most organizations only know a portion of these entities, given the dynamic nature of change in the enterprise and the power of groups and individual employees to add elements to the network without the involvement of IT or security.
What's inside the perimeter is also a trusted environment. Organizations can control insiders to varying degrees. This also may be problematic, but companies have the means to attempt to control what employees can and cannot do. Companies can also put monitoring systems and checks and balances in place in these trusted environments.
Moving confidential data to the cloud
Industry is pitching public cloud as the way of the future. The flexibility and nearly instantaneous scalability of cloud computing offer important strategic and competitive capabilities.
When a company no longer maintains a data center, the model moves from upfront capital investment to only paying for what's needed when it's needed. Geographic coverage, including point of presence for compliance reasons, is also an important benefit.
There's the promise of better infrastructure maintenance, know-how and security in the cloud than many organizations currently have on-premises.
Companies in regulated industries and those with particularly sensitive data and algorithms struggle with finding an acceptable path to public cloud platforms. The advantages of the cloud are becoming too great to disregard, but the security challenges are too serious to ignore.
Now there's an answer. New technological breakthroughs and security strategies are paving the way to transfer the value of a perimeter to the public cloud.
All major public cloud providers now offer confidential computing capabilities that take advantage of advancements at the CPU and memory level in the physical servers providing cloud services. When utilized with software solutions that allow enterprise applications to run without modification and at scale, companies can now establish a trusted environment in the public cloud — in essence, a confidential cloud.
Data in a confidential cloud is kept from any insiders or others with access to the cloud data center. This protects against the unlikely possibility that virtual sleuths have somehow gained unauthorized access by traversing across virtual machines or compute instances. Even an attacker with root access to a physical server remains locked out of the data.
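The property described above, that the cloud operator and even a root user on the physical host stay locked out of the data, rests on the hardware proving what code is running before any secret is handed to it. The following is an added, simplified model of that trust decision; it is not code from the article, from any cloud provider, or from any vendor's SDK. All names are hypothetical, and an HMAC with a shared secret stands in for the CPU's asymmetric attestation signature purely so the model runs with the standard library.

```python
"""Simplified model of attestation-gated key release in a confidential cloud.

Constructed example. Real deployments verify a vendor-signed hardware report
with an asymmetric key; HMAC is used here only so the model runs offline with
the standard library. All identifiers below are hypothetical.
"""
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the CPU vendor's attestation signing key.
# The data owner's verifier trusts it; a host administrator does not hold it.
_HARDWARE_ATTESTATION_KEY = b"constructed-hardware-attestation-key"

# Constructed allowlist: measurements (hash of code + config) the data owner approves.
APPROVED_MEASUREMENTS = {
    hashlib.sha256(b"payroll-service:v1.4").hexdigest(),
}


def measure(workload_image: bytes) -> str:
    """The trusted execution environment measures the workload before it runs."""
    return hashlib.sha256(workload_image).hexdigest()


def make_attestation(workload_image: bytes, nonce: bytes,
                     signing_key: bytes = _HARDWARE_ATTESTATION_KEY) -> dict:
    """Hardware emits a signed report binding the measurement to a fresh nonce."""
    report = {"measurement": measure(workload_image), "nonce": nonce.hex()}
    payload = json.dumps(report, sort_keys=True).encode()
    signature = hmac.new(signing_key, payload, hashlib.sha256).hexdigest()
    return {"report": report, "signature": signature}


class KeyReleaseService:
    """Relying party controlled by the data owner, not by the cloud operator.

    It releases the data-decryption key only to a workload whose hardware report
    is genuine, fresh, and shows an approved measurement."""

    def __init__(self, data_key: bytes):
        self._data_key = data_key
        self._outstanding_nonces = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding_nonces.add(nonce.hex())
        return nonce

    def release_key(self, attestation: dict):
        report = attestation["report"]
        payload = json.dumps(report, sort_keys=True).encode()
        expected = hmac.new(_HARDWARE_ATTESTATION_KEY, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, attestation["signature"]):
            return None  # report not signed by the hardware: forged or tampered
        if report["nonce"] not in self._outstanding_nonces:
            return None  # stale or replayed report
        self._outstanding_nonces.discard(report["nonce"])  # each challenge is single-use
        if report["measurement"] not in APPROVED_MEASUREMENTS:
            return None  # genuine TEE, but running code the data owner never approved
        return self._data_key


def demo() -> dict:
    """Exercise the four cases a verifier must distinguish; returns which ones got a key."""
    svc = KeyReleaseService(data_key=b"constructed-data-key")
    approved = svc.release_key(make_attestation(b"payroll-service:v1.4", svc.challenge()))
    # Report produced without the hardware key (e.g. by software on the host).
    forged = svc.release_key(make_attestation(b"payroll-service:v1.4", svc.challenge(),
                                              signing_key=b"not-the-hardware-key"))
    # Genuine hardware, but the workload image was modified.
    modified = svc.release_key(make_attestation(b"payroll-service:v1.4-modified", svc.challenge()))
    # A valid report presented twice.
    att = make_attestation(b"payroll-service:v1.4", svc.challenge())
    first, replay = svc.release_key(att), svc.release_key(att)
    return {
        "approved": approved is not None,
        "forged": forged is not None,
        "modified": modified is not None,
        "first": first is not None,
        "replay": replay is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is where the decision sits: the allowlist and the key live with the data owner, so an operator with control of the host can neither read the key from memory nor mint a report that passes verification. Changing the workload changes its measurement, which is why "run without modification" and "approved measurement" go together in practice.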
With these advances, maintaining a security perimeter remains a viable security approach for the public cloud. Enterprises with stringent requirements may now replicate all the value of their on-premises perimeter in the cloud, removing any remaining impediments to embracing the public cloud.