Future-proof thanks to perimeterless cybersecurity
Traditional "castle wall" security models with perimeters and firewalls are no longer sufficient. Modern technologies and new ways of working require flexible, adapted cybersecurity approaches.
This article was originally published in the November 2024 newsletter of SwissICT.
Traditional security models are increasingly reaching their limits in everyday business life. Today's collaboration methods and technological developments require adapted cybersecurity measures.
Cybersecurity has become much more complex in recent years. Advances in technology, digital infrastructure, and new ways of working together are placing new demands on security organizations. Companies and organizations can no longer rely on traditional security models.
But what are traditional security models? In the past, it was common practice to use the network perimeter as the preferred security tool to protect against threats and risks. Companies used the network perimeter to build a kind of castle wall around their own organization. Anything that had no reason to enter the “castle” was blocked – typically by firewalls. Once inside the network perimeter, it was usually possible to move around freely.
Traditional security models are no longer sufficient
Traditional security models have provided excellent protection for companies whose data and access to resources have always been within the network perimeter. However, with the cloud and new ways of working, this solution is no longer appropriate. In most cases, infrastructures, applications, and systems in the cloud are no longer within the network perimeter, but outside it. Access to resources and data therefore no longer takes place only within the “castle,” but also outside it. This turns the concept of the network perimeter as a protective mechanism on its head.
With newer collaboration models such as “New Work,” “Remote Work,” and “Mobile First,” we want to access all data from anywhere, using all kinds of devices. This also contradicts the concept of the castle wall. Traditional security models, which focus primarily on protecting data and resources within the network perimeter, are therefore no longer sufficient.
The necessary change in mindset
Cyberattacks, data loss, and business disruptions are situations that cannot be completely avoided. The digital world and the infrastructure of many organizations have reached a level of complexity that makes complete control through conventional security measures impossible. For this reason, a change in the understanding of cybersecurity is also necessary.
Many organizations want to prevent cyberattacks and try to block all potential vulnerabilities. However, in today's digital world, this is hardly feasible. Instead, organizations need to strengthen their resilience to cyberattacks and business disruptions. This means that, in addition to preventive measures that stop attacks and minimize security gaps, they should be prepared to respond quickly and limit damage in the event of an incident. This shifts the focus from purely preventive to more reactive security measures.
What characterizes perimeterless cybersecurity strategies
Perimeterless cybersecurity strategies are strongly based on the zero trust security model. Zero trust is very well suited as a toolkit for implementing appropriate measures and principles within your own organization. Perimeterless cybersecurity strategies are about moving from a network-based approach to an identity-based approach. Identity plays a central role here: protection no longer takes place at the network perimeter, but at the identity level – whether that be the user, the device, the system, the resource, or even the data itself. Each element has an identity that can be protected using specific parameters. In this context, access control plays an important role. The appropriate parameters can be used to verify whether a system is allowed to access a resource or not.
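The following sketch is an added example, not part of the original article. It contrasts a castle-wall decision based on network location with an identity-based decision that checks user, device, and resource on every request. The network range, user names, resource names, and policy attributes are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed for illustration: the "castle" is this internal address range.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Hypothetical policy: who may reach which resource, and whether MFA is required.
POLICY = {
    "payroll-db": {"users": {"alice"}, "require_mfa": True},
    "wiki": {"users": {"alice", "bob"}, "require_mfa": False},
}

@dataclass(frozen=True)
class Request:
    source_ip: str
    user: str
    mfa_passed: bool
    device_compliant: bool
    resource: str

def perimeter_decision(req):
    """Castle-wall model: trust is derived from network location only."""
    return ipaddress.ip_address(req.source_ip) in INTERNAL_NET

def identity_decision(req):
    """Identity-based model: every request is checked, wherever it comes from."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, ["unknown resource (default deny)"]
    reasons = []
    if req.user not in rule["users"]:
        reasons.append("user not entitled to resource")
    if rule["require_mfa"] and not req.mfa_passed:
        reasons.append("MFA required")
    if not req.device_compliant:
        reasons.append("device not compliant")
    return (not reasons), reasons

def compare(req):
    allowed, reasons = identity_decision(req)
    return {"perimeter": perimeter_decision(req), "identity": allowed, "reasons": reasons}

# Constructed sample requests: a remote employee on a managed device, and an
# unmanaged device that is already inside the network perimeter.
REMOTE_EMPLOYEE = Request("203.0.113.7", "alice", True, True, "payroll-db")
INSIDE_UNMANAGED = Request("10.1.2.3", "bob", False, False, "payroll-db")

if __name__ == "__main__":
    for name, req in [("remote employee", REMOTE_EMPLOYEE), ("inside the wall", INSIDE_UNMANAGED)]:
        print(name, compare(req))
```

The two sample requests get opposite answers from the two models: the perimeter check blocks the legitimate remote employee and admits the unmanaged device, while the identity-based check does the reverse and records why.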
Perimeterless cybersecurity strategies should also include organizational aspects to ensure effective protection against cyberattacks. These include topics such as incident response, emergency processes, and business continuity management. These organizational tasks—such as defining responsibilities, developing processes, and regularly testing emergency plans—must be clarified and established within the company.