The Target breach and the end of perimeter security
What one of the largest retail data breaches on record says about why protecting the perimeter is no longer a viable security strategy.
In December 2013, details emerged about a data breach at the American retail chain Target. Around 40 million payment card numbers were compromised, and Target later disclosed that personal data of up to 70 million customers had been taken as well. By February 2014, reporting on the investigation had identified the entry point: attackers got in using credentials stolen from an HVAC contractor - a company that services heating and cooling systems. A company with billions in revenue, a mature IT infrastructure, and presumably a substantial security budget - breached through the air conditioning vendor.
This is not a detective story. It is an architecture story.
Why the perimeter stopped working
The classic security model is built on the idea of a perimeter: enemies outside, trusted parties inside, the job is to keep outsiders out. That model worked when "inside" meant a physical office with a fixed number of entry points.
Today "inside" means dozens of contractors with remote access, cloud services, employee mobile devices, and integrations with partner systems. The boundary has become so blurred that holding it as a single line of defence is simply not realistic.
In Target's case, the contractor's credentials gave access to a vendor portal on the corporate network - and from there the attackers moved laterally to the point-of-sale systems and installed malware that harvested card data from the terminals' memory. The perimeter was intact. But a stranger was already operating inside it.
What this means for companies that are not Target
It is easy to look at a case like this and think: "that is a large corporation, we operate at a different scale." But the problem is not about scale - it is about an architectural assumption.
If your company uses even one external contractor with system access - an outsourced accountant, a facilities management company, a CRM integrator - you already live in a reality where the perimeter is not sufficient protection. Remote contractors constitute a second risk perimeter that most organisations map only after something goes wrong.
The question is not whether you have antivirus and a firewall. The question is what happens if one of your contractors is compromised.
The model that works in 2014
The approach that is starting to replace the perimeter model is usually called "zero trust" - the principle of "never trust, always verify", as opposed to the old "trust but verify" of the perimeter era, where anything inside the network was trusted by default. The idea is straightforward.
Every participant - employee, contractor, system - gets exactly the rights needed for their specific tasks, nothing more (least privilege). Network segments are isolated from one another, so a foothold in one does not give reach into the rest. Every action is logged. Anomalies are detected and acted on.
This is not cheaper or simpler than perimeter security. But it is more realistic in conditions where the line between "ours" and "theirs" no longer maps to a physical or network boundary.
Three questions for a manager
I am not suggesting panic and a complete infrastructure rewrite. But three questions are worth asking yourself today.
First: who among your external parties has access to your systems, and how broad is that access? It often turns out that a contractor who needed access to one system two years ago still has it - plus access to several adjacent systems that were never part of the original request.
Second: if one contractor or employee is compromised, how far can an attacker get inside? Is there isolation between critical segments?
Third: when was the last time anyone reviewed the list of people and systems with access to anything critical?
These are not technical questions. They are management questions, and it is worth knowing the answers.
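The second question - how far an attacker can get from one compromised contractor - can be answered mechanically once the allowed flows between network segments are written down. The following is an added example, not code from the original article and not a description of Target's actual network: it models two hypothetical layouts (a flat corporate network and a segmented one, with made-up segment names) as directed "may connect to" rules and computes the blast radius of a compromised vendor login, with the pivot path for each critical segment it reaches.

```python
from collections import deque

# Constructed sample: for each segment, the set of segments it may initiate
# connections to. Segment names are hypothetical. Simplifying assumption:
# if traffic from A to B is allowed, an attacker holding A can pivot into B.
FLAT_NETWORK = {
    "vendor-portal": {"corporate"},
    "corporate": {"vendor-portal", "hvac-mgmt", "pos", "payment"},
    "hvac-mgmt": {"corporate"},
    "pos": {"corporate", "payment"},
    "payment": {"corporate", "pos"},
}

# Same segments, but the vendor login only reaches the HVAC management
# segment, and nothing routes from there or from corporate into the
# card-handling segments.
SEGMENTED_NETWORK = {
    "vendor-portal": {"hvac-mgmt"},
    "hvac-mgmt": set(),
    "corporate": {"hvac-mgmt"},
    "pos": {"payment"},
    "payment": set(),
}

CRITICAL = {"pos", "payment"}


def pivot_paths(rules, start):
    """Breadth-first search over allowed flows.

    Returns {segment: shortest pivot path from `start`} for every segment an
    attacker who holds `start` can reach, including `start` itself.
    """
    parent = {start: None}
    queue = deque([start])
    while queue:
        seg = queue.popleft()
        for dst in rules.get(seg, ()):
            if dst not in parent:
                parent[dst] = seg
                queue.append(dst)
    paths = {}
    for seg in parent:
        path, cur = [], seg
        while cur is not None:
            path.append(cur)
            cur = parent[cur]
        paths[seg] = path[::-1]
    return paths


def blast_radius(rules, start, critical):
    """Critical segments reachable from a compromised `start`, with the path.

    An empty result means the foothold is contained: no chain of allowed
    flows leads from it to anything that matters.
    """
    paths = pivot_paths(rules, start)
    return {seg: paths[seg] for seg in sorted(critical) if seg in paths}


if __name__ == "__main__":
    for name, rules in (("flat", FLAT_NETWORK), ("segmented", SEGMENTED_NETWORK)):
        hit = blast_radius(rules, "vendor-portal", CRITICAL)
        print(f"{name}: compromised vendor login reaches {sorted(hit) or 'nothing critical'}")
        for seg, path in hit.items():
            print(f"  {seg}: {' -> '.join(path)}")
```

Run against the flat layout, the script shows the vendor login reaching both card-handling segments via corporate; against the segmented layout it reaches neither. The same check belongs in a real environment with the rule set exported from the firewalls rather than typed in, and it is worth re-running every time a rule is added, which is how a one-off exception for a contractor quietly turns into a path to the payment systems.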