For years, corporate IT departments have been told to protect the perimeter of corporate networks with layered defenses, including firewalls. But new technologies such as instant messaging and virtual private networks have poked holes in the perimeter. So, perhaps this thinking is outmoded; maybe we no longer need perimeter security. Speaking at this year's Black Hat Briefings in Las Vegas, Paul Simmonds, Global Information Security Director (CISO) for Jericho Forum/ICI, declared that deperimeterization is the decade's next security challenge, if not the next security buzzword. I happen to think he's onto something, though the changes might not work as he proposes.
Are we protecting the data?
For example, Simmonds talked about the money-hauling industry (think Brinks armored trucks). What are they trying to secure? Money. How do they do it? They purchase armored trucks, true, but they also design security into the containers used for conveying the money: the containers explode if the money is stolen.
In businesses today, we want to secure the data, yet we're locking down entire companies instead. Given that the nature of business has changed in the last few years, this model is outdated. The workforce now includes more temporary employees. We have more services designed to work around the traditional hardened perimeter, such as VoIP, IM, and VPN. And let's not forget that the hard-shell, soft-nugget strategy of corporate IT security has been successfully violated.
Living in a post-MSBlast world
In recent years, companies have spent millions on their perimeter security and very little on individual desktop security. Last year's MSBlast successfully exploited this flaw, requiring just one infected laptop to cripple entire companies. Yet, companies had to let that one infected laptop into the network because workers are increasingly mobile, working on the road or from home. Companies also allow port 25 e-mail traffic, so there's still the risk of e-mail infections through that chink. And companies have to allow port 80 Internet traffic as well, laying them open to the threat of infected Web pages.
According to Simmonds, the closer the protection is to the data, the better the protection. In other words, deperimeterization is a way to solve business needs without maintaining a strong perimeter. Deperimeterization flips the current paradigm on its head by securing the individual desktops, laptops, and PDAs, as well as the data itself.
Return on investment
Simmonds's company has satellite offices all over the world, and, he said, they're constantly opening, closing, or relocating them. So how does his company protect its data yet get the offices up and running smoothly? Using traditional methods, the company would have to design a wide-area network for a new site, negotiate with local Internet providers, install a virtual private network, install encryption and routers, install switches and private wiring, train local staff, create a secure LAN, and install and configure local PCs. Simmonds estimates that this process could take anywhere from one to six months, which is not good in today's volatile economy.
Simmonds suggested, however, that his company could open a new sales office in a few days. How? By finding an existing office with Internet service, plugging in PCs, then plugging in VoIP phones. By encrypting these laptops and VoIP appliances, the data would stay secure, but the office would remain flexible and mobile. Should you need to relocate or close the office, no problem.
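To make the "protection travels with the data" idea from the two passages above concrete, here is an added example, not code from this column, from Simmonds, or from the Jericho Forum. It seals a record with AES-256-GCM so that the record stays confidential and tamper-evident wherever it is stored: on a laptop in a rented office with commodity Internet service, on a copied USB stick, or in transit. The record content, the "office" label, and the in-memory demo key are constructed assumptions; in practice the key would come from a TPM-backed store or key-management service, not from the program.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Seal wraps a record in AES-256-GCM. The output layout is
// nonce || ciphertext || tag, so the sealed blob is self-contained.
// label is additional authenticated data: it is not encrypted, but any
// change to it makes Open fail, which binds the record to, for example,
// the office or owner it was issued to (assumed naming scheme).
func Seal(key, plaintext, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, label), nil
}

// Open reverses Seal. A modified nonce, ciphertext, tag, or label fails
// authentication and no plaintext is released: the "container" refuses
// to open rather than leaking partially decrypted data.
func Open(key, sealed, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, body := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, body, label)
}

// SurvivesTamper reports whether a copy of the sealed record still opens
// after one byte of its body is flipped. For a correct AEAD this is
// always false; it is here to show the tamper-evidence property directly.
func SurvivesTamper(key, sealed, label []byte) bool {
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err := Open(key, tampered, label)
	return err == nil
}

func main() {
	key := make([]byte, 32) // constructed demo key (AES-256)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	record := []byte("customer=ACME; balance=1200.00") // constructed sample record
	label := []byte("office:singapore-sales")          // constructed sample label

	sealed, err := Seal(key, record, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes\n", len(record), len(sealed))

	back, err := Open(key, sealed, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("opened with correct key and label: %s\n", back)

	_, err = Open(key, sealed, []byte("office:london"))
	fmt.Println("opened under a different label:", err == nil)
	fmt.Println("tampered copy opened:", SurvivesTamper(key, sealed, label))
}
```

The point of the example is the division of labour it implies: the network an office sits behind contributes nothing to the security of the sealed record, so opening, moving, or closing that office does not change the data's protection. What does matter is key custody on the endpoint, which is exactly the part the column says companies have historically underinvested in.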
Deperimeterization won't happen overnight
Moving today's companies into tomorrow's IT landscape won't occur quickly, and Simmonds suggested that companies could implement deperimeterization changes (a PDF file) in as few as 4 years. I think that's a bit optimistic. But I do think that over the next 10 years, we will see more encrypted streams of data and less fortress mentality among corporations.
What do you think about turning IT security on its head? Is deperimeterization a good idea? TalkBack to me.