Have we put too much emphasis on protecting the network?

Recently, much of the cybersecurity commentary and blogs have talked about new approaches for protecting the network, especially beyond the perimeter. For the past few years, the industry has focused on conditional access (i.e., identity as the new perimeter) and even zero trust.

protecting the network

We talk about the perimeter becoming porous and traditional “network” defenses — like firewalls — as no longer being effective. The trend is for our discussions to take on a verbal shorthand and presume that everyone understands what we mean when we talk about protecting the network, beyond the perimeter.

Let’s take a step back and look afresh at what we are trying to convey. Our focus is not solely on protecting the network. The “network” is really the plumbing that all of our interconnected devices, applications, data, and resources rely on, and through which we pass instructions and information.

In many ways the network is a utility of pathways, mapped so that we can pass those instructions and information effectively. Like a utility, we expect it to be available as needed, and while it should be maintained and yes, even protected, our shorthand of protecting the network has obfuscated the real targets of what we should be protecting and the controls for providing that protection.

We should throttle back the shorthand phrase of protecting the network and actually talk about protecting the application, data, and resources that we rely on in today’s environment of information technology. This means understanding what those targets really are, the value of those targets, and being able to manage and control access to those targets. This is not novel or brilliant — in fact it is the basis of the Center for Internet Security’s Top 20 Critical Security Controls.

For years, we have focused on the basic concepts — the assets we want to protect should be known, have an identity, be a part of managed inventory, be monitored, and be controlled by strong authentication and authorization rules. Additionally, trust cannot and should not be assumed by any asset of any other asset, person, or resource. This is really the definition of zero trust. We have to focus our controls as…