Way back when, during the onslaught of deep packet stateful inspection firewalls there were talks abound that perimeter security doesn’t work. It never did. But silver tongues sold the idea of silver bullets to C-level execs and it worked more or less well for quite a while, more than a decade.

What I find quite remarkable is our inability to learn from other people’s experiences. Take castles as prime examples of how layered security should work. Those that were built by masters of their art are still around (if they weren’t used later on as source of building stones for houses around the area, that is), to show how a good defense in depth works. There’s the perimeter layer, a hard-to-pass (unnoticed) area; then there’s first perimeter, with strong defences; then there’s second perimeter, in case first gets breached; … and all that is usually overseen by corner towers that can only reached via a staircase that winds clockwise, to hamper attacker’s sword wielding.

Alas, many took the “we have a firewall, we’re secure” approach and then shot holes right through their perimeter walls. :-)

And now we have ‘deperimetarization’. Everything old is new again. Except that, for most businesses, it is laws and regulations that are increasingly driving the process of layered security, not the long term business vision.

I hail those that take the “security in layers” approach in their stride and run with it on their own accord, because it fits their vision, not because “everyone else is doing it”.

“Security is like onions, it makes your eyes burn and leaves you burping.”
– Steve Bellovin