Why your organisation’s perimeter cybersecurity model is outdated
The case for identity and access management, according to Thales’ Rana Gupta.
Australian organisations continue to increase spending on cybersecurity, yet serious security breaches continue. Part of the problem is the perimeter security model, argues Rana Gupta, Vice President, APAC, Authentication & Encryption for Thales’ Cloud Licencing & Protection division.
Gupta speaks about the issue in a two-part podcast mini-series about zero-trust security, in which he suggests that a perimeter approach to security is no longer advisable.
He illustrates this by pointing to continued reliance on VPNs to secure the digital work of many remote workforces.
“In the era of almost 100% of the workforce operating from outside the organisational premises and working remotely and accessing [data] in the cloud, the very concept of VPN-based or perimeter-based security being applied seems to have become irrelevant,” Gupta says.
A key problem is that organisations’ network boundaries are no longer clear. “Traditionally organisations have relied heavily on perimeter security – that is, there is a trusted boundary or not. But in the aftermath of the health pandemic, there has been the very clear outcome that there is no boundary out there,” Gupta comments.
This makes Identity and Access Management (IAM) more important than ever. But in Gupta’s experience, companies aren’t paying enough attention to this.
He recalls seeing an experienced cybersecurity professional laying out a map of a security model, which showed application and network security and other defences. “Guess what, it was missing identity and access management completely,” Gupta says.
Like others in the cybersecurity field, he recommends a zero-trust approach to security, which he points out requires a change in business leaders’ mindsets. “If you don’t have the buy-in from the leadership level, it is never going to happen,” Gupta comments.
He urges those in charge of security spending to consider this: “Are you continuing to simply put more money in the same type of security layer? If so, how would doing more of the same thing help you bring any different results?”