The death of the corporate network had long been predicted. You can't rely on your old corporate controls anymore — firewalls, NIDS, and WAFs don't keep attackers out; "they are a Band-aid," they said. They give you a "false sense of security," they cried. I know you think your hardened perimeter protects you, but eventually, someone will find their way past it. Once there is that single crack, an attacker can rampage around your network's soft center. Building a castle wall around your data won't stop a persistent threat.

The security industry had an answer for that; you started to hear about more and more companies pushing towards a Zero Trust security model. Then you started to read about Google's BeyondCorp implementation. And then you visited the vendor floor at a major security conference, and you found a lot of companies willing to sell you that zero trust dream.

It all made total sense. Why should you trust a device just because it's inside your perimeter? Why do you even need a perimeter?! Do I even know what my perimeter is?!

Then, on Monday morning, you returned to your headquarters and were confronted with your reality. Most people were still in your office. They came in every day and left again. Maybe they did some work here and there outside of the building, a flex-day to work around an appointment or a school sports day. The corporate applications that kept your business running mostly still lived in your data center, within your building, and were accessed from the local network. Your perimeter was pretty hard; it was the walls of your buildings that wrapped around your employees. Adding external access outside of your corporate VPN introduced its own set of problems and risks. And before you could even start decoupling those applications, you found they were still heavily integrated with an old legacy IAM system, which was also sitting in your data center.

There Never Was a Castle Wall Around Your Data

I was having some fun in the intro, but most security professionals have had the realization that their networks were not fortresses. Unless you were able to disconnect your users from the Internet, you were only ever one firewall rule change, misconfigured wireless access point, or secret operations maintenance backdoor away from having unexpected and unmonitored remote access. If you issued laptops, then unless you had locked in a mandatory full-tunnel VPN, your users were likely taking them home to work on the weekends, and you lost visibility into their activity "off-net."

The reality of Shadow IT in enterprise environments is not new. People expect to move quickly, and if your infrastructure was static and restrictive, then your users had likely silently adopted a new cloud tool. This means that your data was being moved to unknown and unmonitored locations. Finding and curbing this has always been an ongoing risk-mitigation task for IT and Security teams.
