I remember sitting in a data center deep in an IBM facility in the early 1990s typing access control into a Proteon router that we had installed for our first commercial Internet link at that site. The controls were rudimentary, and severely limited access from outside. No one but I could access most of the connected systems, and very few people even knew that they existed. Few cared. Who wanted access from the Internet, anyway?
Fast forward to today when many people carry the Internet in their pocket. Computational and storage resources are available for pennies from many different cloud providers, and virtually everyone walking into an enterprise facility is carrying a powerful computer capable of connecting to both the Internet and any wireless network within the facility.
How does this change the game?
For one thing, it makes the overall attack surface much larger. That surface now includes every wireless network reachable from within your facilities plus every avenue into any of your public or hybrid cloud infrastructures. This means that knowing the attack surface, and keeping an inventory of it as it changes, is critical.
For another, the access controls you create must take this new set of potential attacks into account, including packets arriving from outside whose source addresses, spoofed or not, fall within the organization's own address space. A filter that only looks at the destination will pass such traffic, so anti-spoofing (ingress) filtering belongs on every external edge, not just the one you happen to think of as the main link.
Taking that entire set into account, and then following the access it allows from outside the organization through every potential path in the network (including paths that open up only after a legitimate routing change, whether from load-sharing or from a lost interface), is challenging.
Making sure that necessary, business-critical access is open, while also making sure any unnecessary, potentially dangerous access is blocked, is just as challenging.
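The path-tracing problem in the preceding paragraphs can be made concrete with a small reachability model. The following is an added example, not code from the original post, and it uses a constructed, hypothetical topology (two Internet-facing edge routers R1 and R2, a core router, a server subnet, and a backup link between the edges) with constructed ACLs. Every loop-free path is treated as potentially active, which is deliberately conservative: it covers load-sharing and any reroute after a link is lost. The point it shows is that a flow with a spoofed internal source is correctly dropped at R1 but still reaches the servers through R2, whose ACL filters only on destination.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport")

def make_flow(src, dst, dport):
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)

# Constructed topology (assumed, not from any real site). "INET" is the outside.
LINKS = {
    ("INET", "R1"), ("INET", "R2"),
    ("R1", "CORE"), ("R2", "CORE"),
    ("R1", "R2"),              # backup link between the two edge routers
    ("CORE", "SERVERS"),
}

INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # the organization's own space
WEB = ipaddress.ip_network("10.1.1.10/32")         # the one public-facing server
ANY = ipaddress.ip_network("0.0.0.0/0")

# Inbound ACLs keyed by (router, neighbour the packet arrives from).
# Entries are (action, src_net, dst_net, dport or None); first match wins,
# implicit deny at the end. An interface with no ACL permits everything.
ACLS = {
    ("R1", "INET"): [
        ("deny",   INTERNAL, ANY, None),   # anti-spoofing: internal src from outside
        ("permit", ANY,      WEB, 443),
    ],
    ("R2", "INET"): [
        ("permit", ANY,      WEB, 443),    # no anti-spoofing entry: the gap
    ],
}

def acl_permits(router, from_node, flow):
    """Evaluate the inbound ACL on router's interface facing from_node."""
    rules = ACLS.get((router, from_node))
    if rules is None:
        return True
    for action, src_net, dst_net, dport in rules:
        if (flow.src in src_net and flow.dst in dst_net
                and (dport is None or dport == flow.dport)):
            return action == "permit"
    return False  # implicit deny

def neighbours(node, failed):
    """Adjacent nodes over links that are not in the failed set."""
    for a, b in LINKS:
        if (a, b) in failed or (b, a) in failed:
            continue
        if a == node:
            yield b
        elif b == node:
            yield a

def permitted_paths(flow, failed=frozenset(), src="INET", dst="SERVERS"):
    """Every loop-free src->dst path along which each inbound ACL permits flow."""
    paths = []
    def walk(node, path):
        if node == dst:
            paths.append(path)
            return
        for nxt in neighbours(node, failed):
            if nxt not in path and acl_permits(nxt, node, flow):
                walk(nxt, path + [nxt])
    walk(src, [src])
    return paths

def entry_points(paths):
    """The edge routers through which the permitted paths enter the network."""
    return {p[1] for p in paths if len(p) > 1}

def single_failure_report(flow):
    """Permitted path count for the flow after each single link failure."""
    return {link: len(permitted_paths(flow, frozenset({link}))) for link in sorted(LINKS)}

if __name__ == "__main__":
    legit = make_flow("198.51.100.7", "10.1.1.10", 443)
    spoof = make_flow("10.2.2.2", "10.1.1.10", 443)     # internal src from outside
    ssh = make_flow("198.51.100.7", "10.1.1.10", 22)
    for name, f in (("legit https", legit), ("spoofed https", spoof), ("ssh", ssh)):
        paths = permitted_paths(f)
        print(f"{name}: {len(paths)} path(s), enters via {entry_points(paths) or '-'}")
        for p in paths:
            print("   ", " -> ".join(p))
    print("spoofed flow vs. single link failures:", single_failure_report(spoof))
```

Run as-is it reports four paths for the legitimate HTTPS flow, none for SSH, and two paths for the spoofed flow, both entering via R2; the failure report shows the spoofed flow is only stopped when the INET-R2 link itself is down. That is the shape of answer you want from this kind of analysis: not just "is it reachable" but through which edge and under which routing state, so you know which ACL to fix.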
On top of this work, you have to verify that the controls actually do what you intend, keep configurations and documentation clean and current over time, and be able to detect and report every change. That is one of the core aspects of managing this ever-more-complex situation going forward.