Boy Were We (Mostly) Wrong (aka Security Reflections on a 2010 Cloud Model)

This image from 2010 of Jericho Forum’s Cloud Cube Model popped up on my “On This Day” OneDrive feed this morning, and I spent some time reminiscing about how the conversation has evolved since then.

Jericho Forum were forerunners in the conversation about “deperimeterisation”—the idea that the traditional corporate perimeter (where inside = safe) was an increasingly antiquated and potentially dangerous concept (because of the false sense of security it implies). Instead, they argued, the perimeter was around individual endpoints (a radical idea at the time), because this is where all the assets you want to protect reside (e.g. data). 

The idea still has some merit, but identity has supplanted this concept of the perimeter. If you own identity, you eventually, inevitably, get access to the endpoints and the data. Identity is the key that unlocks all doors in the digital world; the one ring (perimeter) to rule them all. 

The cube is interesting because it proposes that whether something is perimeterised or deperimeterised is a factor in determining whether it is suitable for a cloud workload—whereas, at least from a public cloud perspective, all cloud workloads are deperimeterised, in the traditional sense (since you don’t own or manage anything below the software-defined networking layer). The concept of a perimeter is still valid, but what it means has evolved—and from an identity-as-perimeter perspective, the most advanced identity protection capabilities are in fact cloud-powered, if not cloud-native.

The Internal/External distinction has aged less gracefully as well. In 2010, the distinction between what was “internal” vs. “external” was still meaningful in many organisations; but in a zero trust world, it is irrelevant. Identities, data, and endpoints must all be protected, irrespective of location—and a variety of factors should be used to establish trust and assurance. I routinely work with customers who still consider endpoints on their corporate network to be inherently trusted, simply because they are “internal”—it is a hangover from this antiquated paradigm. Fortunately, this is changing.

One sobering reflection is that a suitable model today can be antiquated or even dangerous tomorrow. Many vendors in the cybersecurity industry are still hanging their hats on paradigms that were superseded years ago, because people keep buying them. American philosopher Eric Hoffer’s words are a warning to us all: “In times of change, learners inherit the earth; while the learned find themselves beautifully equipped to deal with a world that no longer exists.”
