Embedded Expertise

Beyond the Firewall: From Perimetric to In-Depth Security

Most embedded products start life as proofs of concept, and their security often shows it. This article explains the difference between perimetric and volumetric security, why both are essential, and why cybersecurity must be built-in, not bolted on.

Perimetric vs. Volumetric Security in Embedded Systems: Why Both Matter

When I get my hands on an embedded system, whether for a cybersecurity assessment, a hardening mission, or a post-incident analysis, I almost always see one of these same patterns:

1. No explicit security at all

The product started life as a proof of concept: a quick demo that somehow crept into “production ready” under time pressure. Functionality took priority, and security was left for later. When the customer finally realizes that “we should probably secure this thing,” the reaction is urgent but superficial: close the network ports, lock the serial console, add a password somewhere.

This is perimetric security: protecting the system boundaries. It’s often all that gets done when the schedule is tight and the product is already in the field.

2. Perimetric security, but no volumetric one

The system now has a firewall, SSH keys, maybe even TLS, but inside everything still runs as root. Filesystems are writable. Processes can modify each other’s data. Boot scripts mix BSP logic and application behavior. In short, security was bolted on as an afterthought: the walls are there, but there’s no internal structure. This is where volumetric (or in-depth) security should begin, but rarely does.

3. Both perimetric and volumetric security

These are the rare cases, usually with customers who have a mature view of cybersecurity. They understand that a secure system is not just a fortress with a wall, but a city with districts, checkpoints, and rules of access. In such cases, my role is not to add missing bricks, but to provide an independent assessment, help document the existing controls, and sometimes stress-test the assumptions.

Perimetric vs. Volumetric Security

Perimetric security is about controlling what comes in and out of the system.
It’s the first line of defense: network filtering, secure bootloader access, encrypted communications, and controlled physical I/Os. It keeps intruders from simply walking through the door.

Volumetric (or in-depth) security, on the other hand, is about what happens inside.
It’s the principle of least privilege applied throughout: separating the BSP from the application, enforcing access rights, marking partitions immutable, isolating processes, and validating every trust boundary. It assumes that one day, the perimeter will fail and the damage must stay contained.

Why We Need Both

Perimetric security without volumetric security is like locking your front door while leaving the keys on the table next to an open window.

Volumetric security without a perimeter is like reinforcing every room but never building a fence around the house.

Neither is sufficient on its own. A robust cybersecurity posture requires defense in depth:

  • The perimeter reduces the likelihood of intrusion.

  • The volume limits the impact when intrusion occurs.

Together, they transform an embedded device from a fragile appliance into a resilient system.

In Practice

In embedded projects, volumetric security often means going back to the foundations:

  • defining ownership of each layer (bootloader, BSP, kernel, application),

  • enforcing privilege separation,

  • enabling immutability for what should never change,

  • and making sure that updates and configuration changes follow a verifiable path.

These steps admittedly take time, but they prevent an entire class of vulnerabilities from ever appearing. Once they’re in place, perimetric controls become the finishing layer, not the only one.
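As an added illustration (not code from the original article), the sketch below checks two of the symptoms described above, writable filesystems and everything running as root, on an embedded Linux target. The Linux target, the `IMMUTABLE` policy list, the function names and the sample data are all assumptions made for the example.

```shell
#!/bin/sh
# Added example: two "volumetric" checks for an embedded Linux target (assumed).
IMMUTABLE="/ /boot /usr"   # assumed policy: mount points that must be read-only

# Print policy mount points that are mounted read-write. $1: /proc/mounts-format file
writable_immutable_mounts() {
    awk -v want="$IMMUTABLE" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) must[w[i]] = 1 }
        ($2 in must) {
            ro = 0; m = split($4, opt, ",")
            for (i = 1; i <= m; i++) if (opt[i] == "ro") ro = 1
            state[$2] = ro          # a later entry shadows an earlier one
        }
        END { for (p in state) if (!state[p]) print p }
    ' "$1" | sort
}

# Print "pid name" for userspace processes with effective UID 0. $1: proc root
root_processes() {
    for d in "${1:-/proc}"/[0-9]*; do
        [ -r "$d/status" ] || continue
        # Kernel threads have an empty cmdline; they are not what we audit here.
        [ -n "$(tr -d '\000' 2>/dev/null < "$d/cmdline")" ] || continue
        awk -v pid="${d##*/}" '
            BEGIN { euid = -1 }
            $1 == "Name:" { name = $2 }
            $1 == "Uid:"  { euid = $3 }   # fields: real, effective, saved, fs
            END { if (euid == 0) print pid, name }
        ' "$d/status"
    done
}

# Constructed sample data (not from a real device): writes a fake tree under $1.
make_sample() {
    mkdir -p "$1/proc/1" "$1/proc/2" "$1/proc/212" "$1/proc/340"
    printf '%s\n' '/dev/root / ext4 rw,relatime 0 0' \
        '/dev/mmcblk0p1 /boot vfat ro,relatime 0 0' \
        '/dev/mmcblk0p3 /data ext4 rw,nosuid,nodev 0 0' > "$1/mounts"
    mkproc() { printf 'Name:\t%s\nUid:\t%s\n' "$2" "$3" > "$1/status"; printf '%s' "$4" > "$1/cmdline"; }
    mkproc "$1/proc/1"   init     '0 0 0 0'             /sbin/init
    mkproc "$1/proc/2"   kthreadd '0 0 0 0'             ''
    mkproc "$1/proc/212" sshd     '0 0 0 0'             /usr/sbin/sshd
    mkproc "$1/proc/340" app      '1000 1000 1000 1000' /opt/app/app
}

tmp=$(mktemp -d); make_sample "$tmp"
echo "read-write but should be immutable:"; writable_immutable_mounts "$tmp/mounts"
echo "userspace processes running as root:"; root_processes "$tmp/proc"
rm -rf "$tmp"
```

On a real device, pass `/proc/mounts` and `/proc` instead of the sample tree; every line printed is a candidate for a read-only mount or a dedicated unprivileged user.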

Key Takeaways

Cybersecurity is no afterthought. It must be built-in, not bolted on. Because sometimes, bolts break under stress.

Adding a firewall is easy. Defining clear trust boundaries between the BSP, kernel, middleware, and application layers is where true resilience begins. That’s the difference between a system that merely looks secure and one that stays secure.

When I open up a new device and start exploring, I can usually tell within minutes which of the three categories it belongs to. And the difference between them isn’t just about technology: it’s about mindset.

Would you like to explore how your own product measures up, or how to bring true in-depth security into an existing design? That’s exactly what we help our customers do at Embedded Expertise. Contact us now.
