Often, it is seen as more important to the business that something is done and done quickly, than that it is done securely.

Many organizations operate using a perimeter-focused model where everything "good" is allowed inside and everything "bad" should be kept out. However, these approaches often lack the granularity needed to define what an "authorized" user is allowed to do once they are granted access.

This lack of granularity and control means that many organizations allow external parties to have authorized, administrative-level accounts on their networks. Since the partner or vendor needs some level of access to do their job, they're given full access. However, this also exposes an organization to cyber risk if the external party misuses or fails to secure their account. Meeting business needs in a secure fashion requires a more granular approach to security, employing solutions like identity and access management (IAM).

Perimeter-Based Security Used to Work

The traditional approach to cybersecurity is the "castle approach". Like a castle, an organization's network contains valuable resources that need protecting, and, in general, the threats to these resources originate from outside the organization. By building strong walls to keep the "bad guys" on the outside, the organization's sensitive data and resources remain protected.

This model works well conceptually for cybersecurity since, in the traditional network, all of an organization's valuable data and systems were centralized on an enterprise network that met the wider Internet at a single point of contact. By strongly defending that single point of contact with a firewall, email scanner, intrusion prevention system, etc., the organization could find and block most malicious content and attempted attacks before they threatened the internal network.

However, the modern enterprise network and cyber threat surface are evolving. For the modern enterprise, it is commonplace for employees to use mobile devices and laptops, for insecure Internet of Things (IoT) devices to be deployed on the internal network while sending data to the cloud, and even for sensitive enterprise data and workloads to be offloaded to cloud computing. At the same time, cyber threat actors are becoming more sophisticated and better able to slip or break past the organization's perimeter-based defenses.

All of these changes break the model behind perimeter-based network security. As a result, modern organizations are adapting their defenses to address a world where the enterprise network includes mobile, IoT, and the cloud. However, even if an organization is not pursuing mobile or cloud computing, the perimeter-based defense model doesn't always work.

Modern Organizations Invite Threats into Their Networks

The problem with perimeter-based approaches to cybersecurity is that they see everything in black and white. Someone is either a trusted employee who has a legitimate right to have access to internal systems or a potential adversary that needs to be kept on the outside. Yet shades of gray definitely exist in cybersecurity. Almost all organizations (94%) give external vendors and subcontractors access to their networks. In 72% of these cases, these external organizations have administrator-level permissions, giving them full control over any affected systems. As a result, 61% of organizations are unsure if their partners are attempting to access sensitive internal data (and possibly succeeding).

The threats created by giving third parties access to internal networks are twofold. The first possibility is that the third party could be malicious. It is entirely possible that a partner may intentionally try to gain access to sensitive data in order to gain a competitive advantage in the industry or to sell it to a competitor. However, partners do not even need to be malicious to pose a threat to an organization's security. Links between an organization's network and that of their partner, in the form of legitimate and even privileged account access, mean that the organization's security is only as good as that of their partners.

A classic example of this is the Target breach. A massive amount of payment card data in the retailer's possession was breached because cybercriminals compromised Target's HVAC vendor. The attackers used the credentials provided to the HVAC vendor to gain access to Target's internal systems and install malware on point-of-sale terminals. The "castle wall" doesn't protect anyone if someone leaves the keys lying around unprotected.

Network Security Requires a More Nuanced Approach

Taking a perimeter-based approach to security doesn't work for the modern network. Networks are too complex, spanning the enterprise network, mobile, IoT, and the cloud; modern threat actors are too sophisticated; and the definition of "trust" is too fuzzy. Protecting the sensitive data and valuable systems in an organization's possession requires the ability to control access to resources more granularly.

Providing third-party vendors or subcontractors with access to the internal network makes good business sense in many cases. However, these external parties do not require full access to every resource and piece of data in the organization's network environment. Limiting the access and permissions that external parties (and even internal employees) have within the network can dramatically reduce an organization's risk and exposure to potential attack.

This is why deploying identity and access management (IAM) is vital throughout an organization's environment. A comprehensive IAM system (one that supports both on-premises and cloud environments) can allow an organization to know who is accessing their network, what they're doing there, and whether those actions are authorized and in line with their job role.
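The following is an added example, not code from the original article or from any IAM product, that puts the two models side by side: a "castle" check that trusts every account already inside, and a scoped, role-based check that grants an external vendor account only the resources its job needs, time-boxes that access, and writes every decision to an audit log so that repeated denials (a partner probing systems outside its role, as in the HVAC-vendor scenario above) can be flagged for review. All account names, roles, resources and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta
from typing import Optional

# Role -> permitted (resource, action) pairs. Constructed sample roles
# modelled on the HVAC-vendor scenario; not any real product's policy format.
ROLE_PERMISSIONS = {
    "hvac-vendor": {("hvac/controllers", "read"), ("hvac/controllers", "write")},
    "pos-admin":   {("pos/terminals", "read"), ("pos/terminals", "deploy")},
    "analyst":     {("sales/reports", "read")},
}


@dataclass
class Account:
    name: str
    roles: frozenset
    external: bool = False                        # third-party vendor or subcontractor
    access_expires: Optional[datetime] = None     # external accounts get time-boxed grants


@dataclass
class AuditEvent:
    when: datetime
    who: str
    resource: str
    action: str
    allowed: bool
    reason: str


def perimeter_model_allows(account: Account, resource: str, action: str) -> bool:
    """The 'castle' model: any account already inside the wall is trusted for everything."""
    return True


def least_privilege_allows(account: Account, resource: str, action: str,
                           log: list, now: Optional[datetime] = None) -> bool:
    """Scoped check: the action must be granted by one of the account's roles, and an
    external account must still be inside its access window. Every decision is logged."""
    now = now or datetime.now(timezone.utc)
    if account.external and (account.access_expires is None or now > account.access_expires):
        allowed, reason = False, "external account outside its access window"
    elif any((resource, action) in ROLE_PERMISSIONS.get(r, set()) for r in account.roles):
        allowed, reason = True, "permitted by role"
    else:
        allowed, reason = False, "no role grants this action"
    log.append(AuditEvent(now, account.name, resource, action, allowed, reason))
    return allowed


def suspicious_denials(log: list, threshold: int = 2) -> dict:
    """Accounts denied at least `threshold` times: a review trigger for the
    'is our partner trying to reach data it shouldn't?' question."""
    counts: dict = {}
    for ev in log:
        if not ev.allowed:
            counts[ev.who] = counts.get(ev.who, 0) + 1
    return {who: n for who, n in counts.items() if n >= threshold}


def run_demo() -> dict:
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed fixed clock
    hvac = Account("hvac-contractor", frozenset({"hvac-vendor"}), external=True,
                   access_expires=now + timedelta(hours=4))   # 4-hour maintenance window
    log: list = []
    # Requests a vendor account might make; the last two are the pivot from a
    # vendor foothold to point-of-sale systems that the scoped policy must refuse.
    requests = [
        (hvac, "hvac/controllers", "write"),
        (hvac, "pos/terminals", "read"),
        (hvac, "pos/terminals", "deploy"),
    ]
    perimeter = [perimeter_model_allows(a, r, x) for a, r, x in requests]
    scoped = [least_privilege_allows(a, r, x, log, now=now) for a, r, x in requests]
    # The same legitimate request a day later, after the access window has closed.
    expired = least_privilege_allows(hvac, "hvac/controllers", "write", log,
                                     now=now + timedelta(days=1))
    return {"perimeter": perimeter, "scoped": scoped,
            "expired": expired, "flagged": suspicious_denials(log)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The perimeter check returns `True` for all three requests, while the scoped check permits only the controller write, refuses both point-of-sale requests, refuses the otherwise-legitimate write once the window has expired, and leaves three logged denials that `suspicious_denials` surfaces for the contractor account. In a real deployment the role table would come from the IAM system and the audit events would feed a SIEM rather than an in-memory list.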