Children’s Guide to Deperimeterization

December 13, 2023

This is part of our Children's Guide to Zero Trust series. This specific story is a follow-up “solution” to the problem identified in Children’s Guide to the Perimeter Problem: deperimeterization.


Alice was thinking about the Perimeter Problem. DevMom made sense, of course… but Alice still had a problem.

“So I shouldn’t use VPNs because they tunnel past walls, but what happens if I forget my homework at home?”

“Perhaps you shouldn’t forget your homework at home,” DevMom chuckled.

“I don’t mean to forget!” Alice said indignantly, “I just… do. Don’t you ever forget things at work?” she added, “You work from home. What if you need something from the Castle in the Clouds? How do you get it without a VPN? Do you actually drive there?”

“No, of course not,” DevMom laughed at Alice’s stream of questions. “You want remote access, right? Where you can get to use something without actually being there.”

“Yes, so when I’m at school I can play — get to things I left at home,” Alice confirmed. “So how do you use work stuff when you’re always home?”

“I can access the services I need through the internet.”

“Through the internet?” Alice frowned. “Does that mean anyone can enter the Castle in the Clouds?”

“No no no,” explained DevMom. “It’s the best practice for keeping things safe but accessible. Remember how the Perimeter Problem means if something is accessible in your walls, it might no longer be safe?”

“Yes,” Alice responded, “Because you’re tunneling through the walls.”

“Good! You remember. Then, the best way to solve the Perimeter Problem is to think about how you keep things safe when you think of the Castle as having no walls! It’s called deperimeterization.”

AI generated image

“No walls?” Alice tilted her head to the side, confused. “Depressurization?”

“Deperimeterization,” DevMom corrected. “And well, we keep the walls — the network perimeter — but the Castle doesn’t automatically trust what’s inside. Remember why?”

“Because people inside can still steal your ice cream.”

“Yes. Just because someone is normally allowed to be inside, does not mean they won’t do bad things,” DevMom nodded approvingly. “And so, the Castle thinks about how to keep everything safe without adding walls.”

“But don’t we need more walls?” Alice asked. “Network separation is how we make things safe, with extra rooms, right?”

“Network seg-men-ta-tion, Alice,” DevMom corrected again. “And, remember how the more we talked about it, the more it sounded like we should add walls everywhere?”

Alice nodded. “Yes. To protect the kitchen. And then to protect the refrigerator.”

“Well, if the goal is to start protecting everything, then why not just treat everything as its own fenced off segment?” DevMom winked. “Everything is a room, with its own walls and door!”

“A… room…” Alice tried to picture living in a refrigerator. It sounded cold. “I guess? A small room?”

“Yes!” DevMom explained, “And what if everything could be treated as the smallest room possible, and then check anyone who tried to access it?”

“Oh.” Alice thought about it, then her eyebrows shot up. “Like my container ship?”

AI generated image

“Ah, right! Your DevDad did do that, didn’t he?” DevMom mused, “So — what if the refrigerator’s own door can work like your container ship? It checks to see if you’re Alice when you open it before letting you have ice cream?”

Alice scrunched up her face, deep in thought, before lighting up. “Then only I can have ice cream!”

“Yes, sweetie,” DevMom ruffled Alice’s hair affectionately. “We protect what’s important by giving it a way to check whether the person trying to get in is the right person or a BadHat. On the other hand, you also need to check that the refrigerator is working as expected; you don’t want to eat ice cream that’s gone bad! This process of checking each other is called mutual authentication. In my line of work, it’s also the smallest network segmentation possible.”

“Mutual affirmation?”

“Authentication, Alice,” DevMom corrected, then conceded, “Though, affirmation isn’t too far off the mark. The Castle in the Sky is comfortable letting me access it from home because the services can affirm who I am and whether I should be allowed to use them.”

“No tunnel?”

“No tunnel,” DevMom confirmed. “Everything has its own room. This is how important things are protected without relying on walls. Remember why your DevDad and I taught you to recognize us, not just trust whoever is at home? And remember how it’s all about continuous verification?”

“Yes.”

“Well, the front door and tunnel you wanted can’t exactly be responsible for checking everything people are doing. That’s why, when everything inside can do the check instead, everything is much safer. That means making sure your refrigerator can check whether the person coming to get ice cream is you or a BadHat.”

“Hmm, makes sense,” Alice looked around at the house. “So… if I do the same for all the things in my room, I can reach them from school too?”

AI generated image

“Yes, we can set up a reverse proxy for your things,” DevMom agreed. “Go make a list of the things you want to get access from anywhere, and we can get you set up over this weekend.”

“Yay!”

“Which will not include Minecraft.”

“Noooo!”
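The “refrigerator door” DevMom describes, in code: an added example (not from this post or from Pomerium) of a reverse proxy that performs the check on every request instead of trusting a tunnel. It requires a client certificate verified against a private CA (mutual authentication), reads the identity from that certificate only, and applies a per-path allow list before forwarding. The policy map, the file names `client-ca.pem`, `server.pem` and `server-key.pem`, the upstream address, the port, and the `ConstructedClientState` helper are all assumptions made for the demo.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
	"strings"
)

// Constructed policy for the demo: which verified identities may reach which
// path prefix behind the proxy. A real deployment loads this from config (assumption).
var policy = map[string][]string{
	"/homework/": {"alice"},
	"/recipes/":  {"alice", "devmom"},
}

// Principal returns the identity proven by the client certificate of a completed
// mutual-TLS handshake. Nothing is trusted from headers or from the source network:
// only a certificate the server verified against its CA counts.
func Principal(state *tls.ConnectionState) (string, error) {
	if state == nil || len(state.VerifiedChains) == 0 || len(state.VerifiedChains[0]) == 0 {
		return "", errors.New("no verified client certificate")
	}
	cn := state.VerifiedChains[0][0].Subject.CommonName
	if cn == "" {
		return "", errors.New("client certificate has no CommonName")
	}
	return cn, nil
}

// Authorize picks the longest matching path prefix in policy and checks that
// identity is listed for it. Paths with no matching entry are denied by default.
func Authorize(identity, path string) bool {
	var best string
	var allowed []string
	for prefix, ids := range policy {
		if strings.HasPrefix(path, prefix) && len(prefix) > len(best) {
			best, allowed = prefix, ids
		}
	}
	for _, id := range allowed {
		if id == identity {
			return true
		}
	}
	return false
}

// AuthorizeRequest is the per-request door check: it returns the verified
// identity (if any) and the HTTP status the gateway should answer with.
func AuthorizeRequest(r *http.Request) (string, int) {
	id, err := Principal(r.TLS)
	if err != nil {
		return "", http.StatusUnauthorized
	}
	if !Authorize(id, r.URL.Path) {
		return id, http.StatusForbidden
	}
	return id, http.StatusOK
}

// NewGateway wraps a reverse proxy so every request is checked before forwarding.
func NewGateway(upstream *url.URL) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, status := AuthorizeRequest(r)
		if status != http.StatusOK {
			http.Error(w, http.StatusText(status), status)
			return
		}
		r.Header.Set("X-Authenticated-User", id) // tell the upstream who was verified
		proxy.ServeHTTP(w, r)
	})
}

// ConstructedClientState builds the handshake state a verified client with the
// given CommonName would produce. Demo helper only; a live server fills r.TLS itself.
func ConstructedClientState(cn string) *tls.ConnectionState {
	leaf := &x509.Certificate{Subject: pkix.Name{CommonName: cn}}
	return &tls.ConnectionState{VerifiedChains: [][]*x509.Certificate{{leaf}}}
}

func main() {
	// Assumed files: the private CA that issued client certificates, plus the
	// gateway's own server certificate and key.
	caPEM, err := os.ReadFile("client-ca.pem")
	if err != nil {
		log.Fatal(err)
	}
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(caPEM)
	upstream, _ := url.Parse("http://127.0.0.1:8080") // the protected service (assumption)
	srv := &http.Server{
		Addr:    ":8443",
		Handler: NewGateway(upstream),
		TLSConfig: &tls.Config{
			ClientAuth: tls.RequireAndVerifyClientCert, // both sides prove who they are
			ClientCAs:  pool,
			MinVersion: tls.VersionTLS12,
		},
	}
	log.Fatal(srv.ListenAndServeTLS("server.pem", "server-key.pem"))
}
```

The point of the design is that the upstream service is never reachable except through this handler, and the handler never looks at where the connection came from; being “inside the walls” buys nothing. Denials are answered with 401 when no verified certificate is present and 403 when the identity is known but not allowed for that path, which makes the two failure modes easy to tell apart in logs.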

© 2024 Pomerium. All rights reserved