Joe Shockman
By Joe Shockman
Posted On March 08, 2017

Welcome to the Cloud; What Happened to the Perimeter?

AWS | How Things Work | Runtime Protection | Web Application Firewall

Back in the day...
When you built out your infrastructure you'd rent data center space, build your network, drop in some nice hardware, load balancers, and a stateful firewall, set up your network ACLs, land some racks and get to work (this, of course, takes several months).
The perimeter keeps the baddies out - add some good IDS, harden the OS, and call it good.

For better or worse those days are over.
These days you spin up your cloud infrastructure in an afternoon.

So you set up a VPC (virtual private cloud). You segment your VPC into private and public subnets, you create restrictive security groups, and you create an egress ACL (access control list). You’ve recreated the perimeter in AWS. Sure, no stateful packet inspection, but pretty good is good enough, as they say. The infrastructure is reasonably secure, but now you remember why you wanted to switch to AWS in the first place.

Because you don't care about infrastructure, cables, or racks.
You care about your application, your website, and your product.
What really matters is your customers and the value you provide to them with your app.

So this different but similar perimeter reminds you of what you were thinking about, to begin with. You were thinking about how to securely offer your app to your customers. Now we're talking! It's not just the network, the hosts, or the OS. You're there to run your app. You’ve moved to the cloud so that you were less bogged down by infrastructure only to realize that the attack landscape has changed and suddenly the security of your app itself is what you really care about. Is your app secure? Was your app ever secure? I thought we were talking about the perimeter?

The perimeter stops everything but App traffic. All traffic flows through the load balancer so all your appserver sees is application traffic.
But what about attacks at the app level? What about login abuse -- an attacker trying to guess a password? What about the attacker who finds or buys a leaked password list off of the dark web and starts testing it against your service looking for password reuse? What about attackers who find expensive routes and hit them repeatedly, tying up resources and crowding out legitimate users? What about command injection? What about cross site scripting? Attacks have climbed up the stack and they're poking at the application layer.

These application-level attacks specifically bypass the perimeter because the perimeter deliberately lets application traffic through. After all, that’s what it was built to do, but now we need active application layer defenses.

Now you have to start thinking about who is watching your application traffic to find the baddies. Does your application self-police? (should it?) Does your application security team do it? (do you have an application security team?) If you do, do they have the tools they need to hunt down the baddies or are your people furiously gripping application server logs?

What happened to the perimeter? It's still there, just different. Take this opportunity to focus on what really matters. Your customers, and your ability to provide your product or service to them in a safe and reliable way.