Another KRACK in the network perimeter
When a high profile vulnerability surfaces that is as far reaching as KRACK, an attack on WPA2 encryption used to hijack Wi-Fi networks, it’s common to respond impulsively. “Why are people using outdated technologies?” or “Why aren’t people patching their software?” While it is easy to blame the protocols and the people involved, it gets us nowhere. Every breach gets the same treatment.
If we’re ever going to get out of this infinite loop, we need a fundamentally different perspective on corporate security architectures that completely breaks from tradition. How about if we start this way? The security perimeter should be identity, not the network border.
We’ve already witnessed the traditional network perimeter break down in the modern cloud era, where more employees work from remote locations and use a variety of devices to access a range of SaaS applications. KRACK is just the latest reminder that we should be treating every network as hostile – public or private. Despite our industry’s apparent recognition of this fact, the solutions put forth have primarily been band-aids that too often center on defending the network.
“Assume compromise” has become the industry mantra. Case in point: microsegmentation is still network segmentation at the end of the day, even if the practice lowers the attack surface. Band-aids only get you through the last breach; they do nothing to prevent future vulnerabilities.
It’s time that we all agree that the network should function purely the way it was originally intended: as a transport layer. As Google proved in its pioneering BeyondCorp framework, networks are for moving bits, not protecting bits. BeyondCorp is a real-world implementation of Zero Trust, a new approach to corporate security on which the industry has already reached consensus: only communicate over end-to-end encrypted connections; authenticate and authorize requests at the application layer; and only grant trust based on real-time, dynamic conditions.
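The three Zero Trust principles above are easier to reason about as a concrete access decision. The following is an added example (not BeyondCorp's code, nor any vendor's): a small policy function in which the identity, the device state and the freshness of MFA decide the outcome, while the source network is recorded for audit and deliberately never consulted. Tier names, thresholds and the `Device`/`Request` fields are constructed for illustration.

```python
"""Added illustration of a zero-trust access decision that ignores network location.

Every identifier, tier name and threshold here is hypothetical; the point is
that the decision depends on identity, device posture and session freshness,
never on whether the request arrived over corporate or public Wi-Fi.
"""
from dataclasses import dataclass, replace
from enum import Enum
from typing import List, Optional, Tuple


class Decision(str, Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "step_up"  # identity and device are fine, but MFA is too stale


@dataclass(frozen=True)
class Device:
    managed: bool          # enrolled in device management (inventory + certificate)
    patch_age_days: int    # days since the last OS/security update
    disk_encrypted: bool


@dataclass(frozen=True)
class Request:
    user: Optional[str]             # None: the request carried no valid identity
    mfa_age_minutes: Optional[int]  # None: no MFA in this session
    device: Device
    encrypted_end_to_end: bool      # TLS terminated at the application front end
    source_network: str             # audit only; deliberately NOT a policy input
    resource_tier: str              # "public", "internal" or "sensitive"


# Constructed policy thresholds; requirements escalate with resource sensitivity.
MAX_PATCH_AGE_DAYS = 30
MAX_MFA_AGE_MINUTES = 60


def decide(req: Request) -> Tuple[Decision, List[str]]:
    """Return the access decision together with the reasons behind it."""
    reasons: List[str] = []

    if req.resource_tier == "public":
        return Decision.ALLOW, ["public resource"]

    # Principle 1: only communicate over end-to-end encrypted connections.
    if not req.encrypted_end_to_end:
        reasons.append("request not end-to-end encrypted")

    # Principle 2: authenticate and authorize at the application layer.
    if req.user is None:
        reasons.append("no authenticated identity")
    if not req.device.managed:
        reasons.append("device not managed")

    # Principle 3: trust follows current conditions, not location.
    if req.resource_tier == "sensitive":
        if req.device.patch_age_days > MAX_PATCH_AGE_DAYS:
            reasons.append(f"device unpatched for {req.device.patch_age_days} days")
        if not req.device.disk_encrypted:
            reasons.append("device disk not encrypted")

    if reasons:
        return Decision.DENY, reasons

    if req.resource_tier == "sensitive":
        if req.mfa_age_minutes is None or req.mfa_age_minutes > MAX_MFA_AGE_MINUTES:
            return Decision.STEP_UP, [f"MFA missing or older than {MAX_MFA_AGE_MINUTES} minutes"]

    return Decision.ALLOW, ["all checks passed"]


def audit_line(req: Request) -> str:
    """One log line per decision; the network appears here, and only here."""
    decision, reasons = decide(req)
    return (f"user={req.user or '-'} tier={req.resource_tier} "
            f"net={req.source_network} decision={decision.value} "
            f"reasons={'; '.join(reasons)}")


def network_is_irrelevant(req: Request) -> bool:
    """The same request from corporate Wi-Fi and from a cafe must decide identically."""
    on_corp = replace(req, source_network="corp-wifi")
    on_cafe = replace(req, source_network="cafe-wifi")
    return decide(on_corp) == decide(on_cafe)


if __name__ == "__main__":
    # Constructed sample requests.
    healthy = Device(managed=True, patch_age_days=3, disk_encrypted=True)
    stale = Device(managed=True, patch_age_days=90, disk_encrypted=True)
    byod = Device(managed=False, patch_age_days=0, disk_encrypted=False)
    samples = [
        Request("alice", 5, healthy, True, "cafe-wifi", "sensitive"),   # allow
        Request("alice", 180, healthy, True, "corp-wifi", "sensitive"),  # step_up
        Request("bob", None, stale, True, "corp-wifi", "sensitive"),     # deny
        Request(None, None, healthy, True, "corp-wifi", "internal"),     # deny
        Request("carol", 5, byod, False, "corp-wifi", "internal"),       # deny
        Request(None, None, byod, False, "cafe-wifi", "public"),         # allow
    ]
    for r in samples:
        print(audit_line(r))
```

Note that a request from the corporate Wi-Fi with no identity is denied, while the same user on a cafe network with a managed, patched device is allowed; `network_is_irrelevant` makes that property checkable rather than assumed. A real deployment would feed `Device` from an inventory and certificate check and `mfa_age_minutes` from the identity provider's session, but the shape of the decision stays the same.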
In the case of corporate Wi-Fi networks such as those affected by KRACK, just think about what would happen if you shifted your focus from protecting the network to managing access to resources. For one thing, you get a lot more speed for your users. An open network is a faster network, much to the delight of the people using it.
A key part of an IT manager’s job is making sure people can do their work securely and effectively. How happy are people working at Starbucks versus on an airplane? Legroom aside, much of that has to do with the speed of the Wi-Fi. Nowhere in that network should you be making access decisions, nor should your traffic be unencrypted.
The challenge lies in making sure security controls adhere to the security policies put in place. Any gap will weaken your security posture and hinder the end user experience. You may have strict policies in place that pass every compliance audit, but without enforcement people can, and will, get around them. On the other hand, if your controls are so strictly enforced that they keep people out of the things they need to get their jobs done, they will become frustrated enough to find clever workarounds.
Closing this adherence gap is one of the most important but overlooked things that Google got right with BeyondCorp, and we can all look to it for guidance. The system they developed removes all trust from the network, eliminating the need for a VPN entirely. Not only does the system provide a better security outcome for Google, the streamlined access policies and controls deliver a much friendlier experience to the employees. The best of both worlds.