For about 10000 years, humans built walls around their cities. Walls constituted a critical component in the defence of human settlements right up until the 19th century. Now they are all but gone. Historians cite several reasons for the abandonment of this crucial defense. For one, the increasing power and range of artillery meant that walls were less and less effective as a defense. Additionally, walls hampered growth and industrialization. Doing away with them allowed cities to grow rapidly and to incorporate new industries.
The End of Cyber Security Walls
For 30 years, humans built firewalls around their applications. Firewalls constituted a critical component in the defence of applications. Now they are disappearing in favor of more fine-grained defences that live around each component of the application. The decline of perimeter defence in favor of workload protection and zero trust has several catalysts. For one, the increasing size and complexity of applications makes firewalls less and less effective. Additionally, like their physical analogs, they can slow down the growth of applications.
Firewalls, WAFs, and other perimeter defense solutions imagine a world in which there is a clear delineation of inside and outside, and where bad actors come from the outside through these well defined points. In reality, however, modern applications combine public and private cloud environments, include code and resources that come from first- and third-parties, and increasingly rely on managed services outside the traditional “perimeter”.
Protecting these applications with traditional perimeter tools quickly becomes a liability. Let’s look at some examples of why:
- We deploy a modern cloud native application in Azure. Then we deploy an Azure WAF to protect it. Great. But then one of our developers forgets an access token in some code he pushes to a public GitHub repository. Suddenly attackers can access our resources. The WAF we deployed isn’t even looking at those requests, because they are considered requests coming from within our application. Uh oh.
- We’re running a Kubernetes based application on AWS EKS. Again, we’ve got a firewall from the cloud provider protecting us. But our application includes a managed database from a third party such as Elastic.co. We have data going to and coming from this service, but no real security around these interactions.
- Our AWS application comprises hundreds of Lambda functions, linked by SQS queues and DynamoDB tables, and fronted by AppSync’s GraphQL. With a lot of effort we managed not only to turn on AWS WAF in front of AppSync, but also to configure it with some meaningful rules. However, a misconfigured IAM permission for one of our Lambdas enabled an attacker to trigger the Lambda directly, bypassing all our security. From there the attacker could pivot and assume more powerful roles or extract data.
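As an added example (not code from the original post), here is a small checker for the Lambda scenario in the last bullet: it scans a Lambda resource-based policy for Allow statements that let any principal invoke the function, and shows a constructed weak policy beside a constructed corrected one that grants invoke only to the role the API layer uses. The function ARN, account id and role name are placeholders I made up.

```python
import json

# Actions that permit invoking a function, including the wildcards that cover it.
INVOKE_ACTIONS = {"lambda:invokefunction", "lambda:invoke*", "lambda:*", "*"}


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _principal_is_anyone(principal):
    """Principal "*" or {"AWS": "*"} means any AWS identity, i.e. effectively public."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def find_public_invoke(policy_doc):
    """Return (Sid, severity) for each Allow statement that lets anyone invoke the function.

    PUBLIC: no Condition block at all. REVIEW: a Condition exists and must be checked by hand.
    """
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a.lower() in INVOKE_ACTIONS for a in _as_list(stmt.get("Action"))):
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        findings.append((stmt.get("Sid", "<no sid>"), "REVIEW" if stmt.get("Condition") else "PUBLIC"))
    return findings


FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:order-handler"  # constructed placeholder

# Constructed: the misconfiguration from the text, any caller may trigger the function directly.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowInvoke", "Effect": "Allow", "Principal": "*",
     "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN}]}

# Constructed: the same grant limited to the one role (placeholder name) the API layer uses.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowInvoke", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/appsync-datasource-role"},
     "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN}]}

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, find_public_invoke(json.dumps(doc)))
```

Running the script prints `weak [('AllowInvoke', 'PUBLIC')]` and `fixed []`; the same check applies to any service whose resource policy accepts a wildcard principal.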
Modern applications are distributed, cloud native, and use many managed resources, both from the cloud provider and other providers. To properly secure these applications we need to move away from trying to build the world’s tightest perimeter, and embrace the idea of fine-grained protection for each nano-service, zero-trust interactions not just at the external perimeter but between any two resources, and constant monitoring of our application for risk. Then we win.