Cyberis 28 April, 2021

Cyber Essentials De-Perimeterised

In 2004, a ragtag fugitive fleet of CISOs created an international group working to define and promote the concept of de-perimeterisation, known as the Jericho Forum. Ten years on, after many valuable contributions to the security industry, it was declared a success and was finally sunsetted in October 2013. In the summer that followed, the UK Cyber Essentials scheme was launched – the Government-backed scheme designed to help organisations protect themselves against common online threats. It rather heavily focused on the importance of well-configured boundary firewalls and border routers in the office and at home! If only the walls of the Jericho Forum had stayed up for a few more months!

The new release of Cyber Essentials this month, entitled ‘Beacon’, has finally recognised that host-based software firewalls have a consistent control role outside of the corporate network. With appropriate configuration, they can now be treated as a boundary control more widely, rather than in certain circumstances only.

These scheme changes affect home workers. Whilst home networks are still considered in scope on paper, the changes can allow home routers to be delisted, thus avoiding the unenforceable end-user policies which mandated that employees secure the perimeter of their home networks and make them Cyber Essentials compliant. The alternative control for home workers required enforcement of corporate VPNs for remote access to company resources in any form, whether they were on-premise or cloud-based systems; this can also now be avoided where a host-based firewall is defined as the boundary, thus putting to bed an area of some ambiguity.

Whilst both controls, certainly the latter one, have some technical merit, the move to reassess the role of the host-based software firewall in the home, and to give it equivalency regardless of the untrusted network environment, was much needed. As the scheme is advertised as ‘a set of basic technical controls’ and ‘simple but effective’, these changes have also helped maintain focus on its original objectives.
