The cloud security conundrum: de-perimeterisation or re-perimeterisation?

The cloud is, perhaps, the epitome of de-perimeterisation. If you take the definition of de-perimeterisation to be the removal of boundaries between the enterprise and the outside world, it's pretty much bang on the money.

It's easy to assume, therefore, that de-perimeterisation in the information security sense is the answer to your cloud security concerns. It isn't, at least not the complete answer. For the more rounded solution you need to throw re-perimeterisation into the mix and let the two bang heads. I appreciate that this sounds more than a little contradictory, but when you think about it there is plenty of method in the apparent anarchic madness.

I've spoken before about security at the edge of the cloud where I argued that the cloud, and virtualisation in general, was forcing a transition from network-based boundary security to a broader edge-based scenario. Then, and many times since, I have stated that at the strategic level data has to be at the centre of security policy and this means the application of multiple protection levels including encryption and authentication as primary requirements. This is de-perimeterisation at work, the evolution of information security away from the 'castle and moat' approach of old which relied on hardened perimeters to keep the bad guys out. Castling and the cloud, it would appear, do not secure bedfellows make.

Appearances, as we all should know, can be deceptive. So while there is little argument within the IT security industry that mixing encryption, secure protocols, secure systems and data-level authentication is a 'good thing' as far as the cloud is concerned, it's not the only thing.

Securing from the centre outwards, focusing on your data rather than the network edges, is a given; live with it. Ignoring perimeters completely, though, is a sure-fire way to weaken your security posture considerably. Which is where a degree of re-perimeterisation comes into play. Think in terms of 'boundaries of control' and the bigger security picture starts to form. Identifying where these are and then applying your security methodology to them, again from the inside out with a data-centric focus, is key to a holistic and rounded cloud security posture.

Re-perimeterisation means understanding and accepting that the virtualised or cloud environment does, actually, still have a secure perimeter, but it has just been moved somewhat. Your mission, and you have to accept it or suffer the inevitable consequences, is to determine where these new perimeters lie and ensure you have control over securing them accordingly. De-perimeterisation and re-perimeterisation are not mutually exclusive processes. Quite the opposite, in fact: you need both to secure the cloud...

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.