For years, security was synonymous with network security. Firewalls, network segmentation, and VPNs reigned the day. Broadly speaking, that network focused security posture is what people mean today when they talk about the perimeter security model. So-called "impenetrable fortress" security worked well for a period of time when you could reasonably expect your network perimeter to correspond to an actual physical perimeters, users, devices, and servers. But as teams, applications, workloads, and users became more ephemeral and distributed, the shortcomings of perimeter based security have become more apparent in terms of both operational costs and security breaches.

Most networks [have] big castle walls, hard crunchy outer shell, and soft gooey centers...

Rob Joyce Chief of Tailored Access Operations, National Security Agency @ ENIGMA 2016

There's no such thing as perfect security. Many recent high-profile breaches have demonstrated just how difficult it is for even large companies with sophisticated security organizations to avoid a breach. To pick just two of many possible breaches were perimeter security played a role, consider the Target and Google hacks. In Target's case, hackers circumvented both the physical and network perimeter by hacking the HVAC system which was connected to the internal corporate network and then moved laterally to exfiltrate customer credit card data. In Google's case, they experienced a devastating attack at the hands of the Chinese military. Google did a bottom up review of their security posture following Operation Aurora. The resulting actions from that review would be released as a series of white papers called "BeyondCorp" which have since become foundational documents in articulating how and why an organization could move beyond corporate perimeter (BeyondCorp...get it?) based security.

In reality, there's never one front door; there are many front doors...[and] ... we're not securing a single castle. We're starting to think about securing many different interconnected castles.

Armon Dadgar, Cofounder of HashiCorp @ PagerDuty Nov 2018

The other side of the security trade-off is operational agility. Perimeter based approaches tend to focus on network segmentation which entails creating virtual or physical boundaries around services that need to communicate. Making those boundaries is increasingly difficult to manage in a world of microservices, and cloud computing where service communication requirements are constantly in flux. In theory, an organization could "micro/nano/pico-segment" each and every layer of an application stack to ensure the appropriate audience, however, in practice, operators usually choose between a very precise boundary that is high-touch, time-consuming to mange, and error prone, and that of a more lax boundary that may entail more risk but is less time consuming to update and manage and less prone to break.

Gaps in the perimeter

Perimeter based security suffers from the following shortcomings:

  • Perimeter security largely ignores the insider threat.
  • The "impenetrable fortress" model fails in practice even for the most sophisticated of security organizations.
  • Network segmentation is a time-consuming, and difficult to get exactly right mechanism for ensuring secure communication.
  • Even just defining what the network perimeter is is an increasingly difficult proposition in a remote-work, BYOD, multi-cloud world. Most organizations are a heterogeneous mix of clouds, servers, devices, and organizational units.
  • VPNs are often misused and exacerbate the issue it by opening yet another door into your network organization.

Zero-trust, behind the gates

Zero-trust instead attempts to mitigate these shortcomings by adopting the following principles:

  • Trust flows from identity, device-state, and context; not network location.
  • Treat both internal and external networks as completely untrusted. Mutually authenticated encryption is used instead of network segmentation.
  • Act like you are already breached, because you probably are, and an attacker could be anyone, and anywhere on your network.
  • Every device, user, and application's communication should be authenticated, authorized, and encrypted. Access policy should be dynamic, and built from multiple sources.

To be clear, perimeter security is not defunct, nor is zero-trust security a panacea or a single product. Many of the ideas and principles of perimeter security are still relevant and are part of a holistic, and wide-ranging security policy. After all, we still want our castles to have high walls.

Where Pomerium Fits

So to put all this back in context, before zero-trust tools like Pomerium existed, access to internal applications were gated by whether a user was on the corporate network or not. Trust flowed and was anchored to the security of the perimeter. For all the reasons discussed above, this has turned to be a lacking security model. In contrast, Pomerium adopts the zero-trust stance and uses identity, device-state, and context compared against a single-source of rich authorization policy as the basis for delegating access to an internal resource. All Pomerium communication is mutually authenticated and encrypted, there is no trust belied to internal vs external network.

Further reading

Pomerium was inspired by the security model articulated by John Kindervag in 2010, and by Google in 2011 as a result of the Operation Aurora breach. What follows is a curated list of books, papers, posts, and videos that covers the topic in more depth.