It sounds like an easy question. "The perimeter is the boundary between your network and everything outside it."
If you're doing it right, it's marked off by a firewall. All your data and assets are typically inside that boundary, while the big bad world of hackers and threats is on the outside.
That is, until you start getting into “The Cloud.”
Virtually every user today has assets in the cloud. Think about your email. Is it hosted by your internet provider? Are you using a web-based service like Gmail? Do you use Dropbox or OneDrive? Do you use a remote backup service like BackBlaze or Mozy? If so, you have information in the cloud. This is a very small sampling of SaaS (Software as a Service) examples, all of which keep some of your data on someone else's systems.
This presents a distinct challenge when you're trying to establish a perimeter and keep your information safe. How do you put a firewall around cloud services? You can't: the servers, the network and the administrators belong to the provider, so the controls you have on your internal network do not carry over. The real question is how to protect what you don't actually own.
What are the real options for tightening up security?
The radical method is to bring everything back in house, but that takes work and expertise that may not be available. One of the main reasons anyone uses a cloud service is that they don't have to know how to run an email server to get their email. A business can hire people who know how to run the services that SaaS providers offer, but then it also carries the ongoing cost of equipment, infrastructure, and maintenance. For many companies, the benefits just aren't worth the investment.
The good news is that there are other non-radical means of using cloud services without compromising your personal or business data.
A simple first step is to set up 2FA (Two-Factor Authentication). This adds a second proof of identity to your password at login: a time-based code from an authenticator app, a one-time code sent by SMS, or a hardware security key. A stolen password alone is then not enough to get in. Two caveats: SMS codes are the weakest choice, since they can be intercepted or redirected by a SIM swap, so prefer an app or a hardware key where the service offers one; and a code typed into a convincing phishing page can be relayed to the real site within its validity window, so the only factor that fully resists phishing is a hardware key, not a code.
In addition to 2FA, don't reuse passwords across sites. If one site is breached and you share the password, then all of your accounts are breached. Keeping track of many passwords is a real problem, and the answer is a password manager that generates and stores a unique random password for every site. What does not work is a shared base word with a site-specific suffix, such as "Hon12#" plus "Mail" for email and "Docs" for OneDrive. That is not a salt in the cryptographic sense, and it fails the moment one breached password is read: an attacker who sees "Hon12#Mail" will try "Hon12#Docs" next. (I'll delve more into this later.)
Taking care of what you can from the inside
Wherever possible, encrypt the data you can before it leaves your network. One big problem with SaaS is that the operator of the service has complete control of the stored data, so anything you store with them unencrypted can be read by their staff, by anyone who compromises them, or by anyone they are compelled to hand it to. The more you encrypt on your end, with keys the provider never sees, the less of it anyone on their side can usefully read.
Of course, encryption has its own set of problems, chiefly keeping the keys safe and available when needed: a key that is lost takes every file encrypted under it with it, and a key stored alongside the data protects nothing. Encrypting and decrypting also adds time and friction to end users' workflows.
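Here is what "encrypt on your end" looks like in practice, as an added example rather than code from the post or from any provider: envelope encryption, where each object gets its own random data key and only a wrapped copy of that key travels with the ciphertext. The one key the provider never sees, the key-encryption key, is the thing you must keep safe and backed up, which is the trade-off noted above. The example assumes the third-party `cryptography` package; the object name and plaintext are constructed for the demonstration.

```python
"""Client-side envelope encryption before upload: a fresh data key per object,
wrapped under a key-encryption key (KEK) that never leaves your side.

Added example, not code from the original post. Assumes the `cryptography`
package (pip install cryptography); object names and plaintext are constructed.
"""
import base64
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text)


def generate_kek() -> bytes:
    """The one key to keep safe and backed up: lose it and every object
    encrypted under it is unrecoverable; store it next to the data and it
    protects nothing."""
    return AESGCM.generate_key(bit_length=256)


def encrypt_for_upload(kek: bytes, object_name: str, plaintext: bytes) -> dict:
    """Return the blob that is safe to hand to the provider.

    The provider receives only ciphertext, nonces and a wrapped data key. The
    object name is bound as associated data, so a blob that is renamed or
    swapped on the provider's side fails to decrypt instead of silently
    yielding the wrong file.
    """
    dek = AESGCM.generate_key(bit_length=256)  # per-object data key
    nonce = os.urandom(12)
    ciphertext = AESGCM(dek).encrypt(nonce, plaintext, object_name.encode())
    wrap_nonce = os.urandom(12)
    wrapped_dek = AESGCM(kek).encrypt(wrap_nonce, dek, None)
    return {
        "name": object_name,
        "nonce": _b64(nonce),
        "ciphertext": _b64(ciphertext),
        "wrap_nonce": _b64(wrap_nonce),
        "wrapped_dek": _b64(wrapped_dek),
    }


def decrypt_from_download(kek: bytes, blob: dict):
    """Unwrap the data key with the local KEK, then decrypt the object.

    Returns None when the KEK is wrong, the blob was tampered with, or it was
    renamed, so callers cannot mistake a corrupted object for a good one.
    """
    try:
        dek = AESGCM(kek).decrypt(
            _unb64(blob["wrap_nonce"]), _unb64(blob["wrapped_dek"]), None
        )
        return AESGCM(dek).decrypt(
            _unb64(blob["nonce"]), _unb64(blob["ciphertext"]), blob["name"].encode()
        )
    except (InvalidTag, KeyError, ValueError):
        return None


if __name__ == "__main__":
    kek = generate_kek()
    blob = encrypt_for_upload(kek, "tax/2019-return.pdf", b"constructed sample: SSN 000-00-0000")
    print("stored at provider:", blob)
    print("recovered locally:", decrypt_from_download(kek, blob))
```

Because the data key is random per object, rotating the KEK means re-wrapping a few dozen bytes per object rather than re-encrypting every file, which is the practical reason envelope encryption is used rather than one key for everything.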
Some higher end services such as AWS or Azure will let you create a secure tunnel (a site-to-site VPN) between your network and theirs. The tunnel is like a private road with high fences and trees: the traffic between the two sites is encrypted, so an outside observer sees that data is flowing but not what it says. It protects the data in transit, not the data once it is stored on their side.
Some services won't support any of these methods, so think carefully about what you send through them. Do you really want your SSN sent in an unencrypted email? (Quick answer: NO.) If you want to test the strength of your cloud service's security, consider leaving behind "honeypot" (canary) information: deliberately false data that is easy to search for, like "1564 Lame Ave." Make sure to use an address that does not actually exist, and use a different fake value for each service. Should that address start to show up, whether it arrives on its own in spam or turns up in a search you run, you know the data was compromised and, because each service got its own value, from where.
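The canary idea above is only useful if you notice the hit, so the detection side is worth writing down. The script below is an added example, not from the original post: it keeps a registry of one fabricated address per service and scans records from the places leaked data tends to surface (unsolicited mail, search results, scraped pastes). The registry, the feed and the street name are constructed for the demonstration; before using this for real, pick a house number and street that do not exist.

```python
"""Canary data: seed each cloud service with a fabricated, non-existent value,
then watch inbound feeds for it. A sighting identifies which service leaked.

Added example, not from the original post. Registry, feed records and the
street name are constructed; use a genuinely non-existent address in practice.
"""
import re
import secrets

# Constructed registry: one distinct canary per service. Reusing the same fake
# address everywhere would tell you data leaked, but not from where.
CANARIES = {
    "1564 Lame Ave": "email provider",
    "2207 Lame Ave": "file-sync service",
    "3381 Lame Ave": "backup service",
}

# Constructed records from where a leak tends to surface. Each is (source, text).
SAMPLE_FEED = [
    ("inbound-mail", "Exclusive offer for the resident of 1564 lame ave, reply today"),
    ("search-result", "City directory listing: 42 Main St, open 9-5"),
    ("paste-scrape", "dump.txt: j.doe, 2207   Lame  Ave, 555-0100"),
    ("inbound-mail", "Your package to 1564 Lame Avenue is delayed"),
]


def mint_canary(street: str = "Lame Ave") -> str:
    """Fresh, hard-to-guess canary for a new service (street must be fictitious)."""
    return f"{1000 + secrets.randbelow(9000)} {street}"


def normalize(text: str) -> str:
    """Fold case, whitespace and the Avenue/Ave spelling so sloppy copies of
    the canary, as they appear in spam or pastes, still match."""
    text = re.sub(r"\s+", " ", text).strip().lower()
    return re.sub(r"\bavenue\b", "ave", text)


def find_canary_hits(feed, canaries=CANARIES):
    """Return (source, canary, seeded_service) for every sighting in the feed."""
    normalized = {normalize(c): (c, service) for c, service in canaries.items()}
    hits = []
    for source, text in feed:
        body = normalize(text)
        for key, (canary, service) in normalized.items():
            if key in body:
                hits.append((source, canary, service))
    return hits


if __name__ == "__main__":
    for source, canary, service in find_canary_hits(SAMPLE_FEED):
        print(f"{source}: saw {canary!r}, which was only ever given to the {service}")
```

Feeding this from a catch-all mailbox or a scheduled search is the "active" half of the check; the important design choice is that the registry maps each value to exactly one service, which is what turns a sighting into an answer to "from where".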
So, where exactly is the perimeter? It's not as easy to demarcate as it once was. From both the professional and personal perspective, think about where your data is, across which channels it's being transmitted, and how it's being used. This is your entire footprint in the digital world, and it takes a bit of extra work to keep it only where you want it to go.