The Royal Mail has led several FTSE 100 companies in calling for a
new security standard so that firms can trade with their suppliers
without fear of hacker attacks.
When the police put a "ring of steel" around Tony Blair and US
president George W Bush last week they were doing what IT security
experts have been practising for years.
Putting a perimeter defence around an IT system is textbook
practice, but some experts want to break with tradition by doing
away with the perimeter and creating a series of smaller security
"islands".
The process has been seen by customers, consultancies and suppliers
as a means of coping with more fluid networks as wireless devices
become commonplace and supply chain integration becomes a reality.
The result could be a network that is more outside the firewall
than inside, reaching right to the application server's network
jack.
Hacker attacks are becoming increasingly varied, making them
difficult to defeat by blocking network ports. Instead of applying
a single bubble of security around your organisation's IT
infrastructure using edge-based firewalls, it is possible to focus
on just the critical parts of a datacentre, or the "crown jewels",
said Ollie Whitehouse, managing security architect at security
consultancy @Stake.
"Every business unit identifies what these data components are and
then provides mechanisms such as additional firewalls, host-based
intrusion detection systems and anti-virus tools," Whitehouse said.
Think of the original security bubble shrinking until it becomes a
film coating individual IT resources within your business.
Consultants such as Whitehouse believe that compartmentalising
security and applying it to individual resources and business units
makes it harder for hackers to gain widespread access to an
organisation's systems by exploiting a single loophole.
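As an added illustration (not from the article, nor from any firm it names), the Python sketch below models a flat, perimeter-only network beside a compartmentalised one and counts how many separate hosts an attacker must exploit in turn to get from a guest laptop to a payroll database. The host names, islands and flow rules are assumptions made up for the example.

```python
"""Added example: why shrinking the security bubble onto individual resources
limits what a single exploited loophole buys an attacker.

Everything here (host names, islands, flow rules) is constructed for the
illustration; it is not drawn from any organisation named in the article.
"""
from collections import deque

# Constructed inventory: host -> the security "island" it lives in.
HOSTS = {
    "visitor-laptop": "wifi",
    "sales-pc": "office",
    "web-frontend": "dmz",
    "app-server": "apps",
    "payroll-db": "crown-jewels",
    "hr-db": "crown-jewels",
}

# Perimeter-only model: one edge firewall, and every host inside it may
# talk to every other host.
def flat_policy(src, dst):
    return True

# Compartmentalised model: a firewall in front of each island admits only
# the flows the business actually needs: (source island, destination island).
ISLAND_RULES = {
    ("wifi", "dmz"),            # guests reach the public web front end only
    ("office", "dmz"),
    ("office", "apps"),         # staff use the business applications
    ("dmz", "apps"),            # the front end calls the application tier
    ("apps", "crown-jewels"),   # only the application tier may touch the databases
}

def island_policy(src, dst):
    if HOSTS[src] == HOSTS[dst]:
        return True             # no internal firewall within one island
    return (HOSTS[src], HOSTS[dst]) in ISLAND_RULES

def direct_reach(compromised, policy):
    """Hosts the attacker can attack straight away from one compromised box."""
    return {h for h in HOSTS if h != compromised and policy(compromised, h)}

def hops_to(compromised, target, policy):
    """Fewest hops from `compromised` to `target`, where every hop is another
    host that must itself be exploited before the attacker can move on.
    Returns None if no chain of allowed flows leads to the target."""
    dist = {compromised: 0}
    queue = deque([compromised])
    while queue:
        cur = queue.popleft()
        if cur == target:
            return dist[cur]
        for nxt in HOSTS:
            if nxt not in dist and policy(cur, nxt):
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return None

if __name__ == "__main__":
    for name, policy in (("perimeter only", flat_policy), ("islands", island_policy)):
        print(f"{name}: a compromised visitor laptop can attack "
              f"{sorted(direct_reach('visitor-laptop', policy))} directly; "
              f"payroll-db is {hops_to('visitor-laptop', 'payroll-db', policy)} hop(s) away")
```

Under the flat policy the laptop reaches the payroll database in one hop, so one loophole is enough. Under the island policy it can only attack the web front end directly, and reaching the database means compromising the front end, then the application server, then the database itself, each behind its own firewall and host-based controls. Segmentation does not make the target unreachable; it multiplies the number of independent weaknesses the attacker has to find.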
However, industry veterans have scoffed at this idea, which has
been promoted by executives at virtual private network suppliers
such as Aventail.
Ovum analyst Graham Titterington argued that applying security
close to your key resources has also been recommended as best
practice by security experts for years, but that few companies do
it consistently.
Some firms are, however, moving in that direction. The approach
taken at BP is known as "radical externalisation". Paul Dorey,
director of digital security at BP, said, "Radical externalisation
places the clients onto the internet; they have their own firewalls
and security measures and use automated patching technologies.
"Systemic risk within the corporate network is reduced and, by not
devoting so much time to network protection, more effort can be
focused on strengthening security around applications and servers,"
he said.
David Lacey, director of security and risk management at the Royal
Mail Group, was convinced there are new drivers and new
technologies supporting "deperimeterisation".
Lacey, who claimed to have coined the term and is a keen advocate
of the technique in his own company, spoke at an RSA conference
earlier this month in a bid to persuade other organisations to move
towards the model.
Business-to-business integration using web services and other
communication techniques is a key driver for organisations to move
security away from the perimeter, he said. The more people you want
to work with, the less a single ring of security makes sense.
"We are talking about an extended enterprise model which would work
with our partners as well as ourselves," he said. "We go out to
partners and customers and we have to wrap security around those
communications and transactions."
Lacey described how individual systems would be protected to make
it easier for different parts of a company to open up to business
partners. He likened a business whose security has moved away from
the perimeter to a bank cash machine: on the outside the machine is
"soft", its fascia made of easily breakable plastic, and it presents
a functional interface to customers. Underneath that interface,
however, it has been hardened to protect the money it holds. Any
authorised person can interact with it in predefined ways, but few
people, if any, can penetrate it.
Supply chain-led moves to break up the security cordon will be
built on several technologies, Lacey said, such as virtual private
networks. Digital certificates would be critical for
identification, along with federated identity systems supporting
specifications from groups such as the Liberty Alliance.
Lacey argued that the edge-based firewall will probably disappear.
Whitehouse disagreed. "There is still a requirement for edge-level
authentication," he said. "You still have virtual private networks,
but you are not solely reliant on them."
One critical technology that Lacey did not mention is the
application-level firewall, said Titterington. This is an outer
shell tailored for a single application that scans network traffic
at content level, looking for items such as malicious user data.
Security supplier Internet Security Systems is moving towards this
model with its gateway systems.
Johann Beckers, European regional director of technology solutions
at ISS, believed that today's firewalls will become irrelevant
because port-based monitoring cannot catch all threats. Instead,
new devices will scan data at a content level.
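To make the port-versus-content distinction concrete, here is an added Python example (not code from ISS, Proventia or anyone quoted in the article) that runs a port-based rule and a content-inspecting rule over a handful of constructed requests. The request strings and the three detection patterns are made up for the illustration; a real product carries far richer rule sets.

```python
"""Added example: a port-based firewall rule beside a content-level check of
the kind the article attributes to application-level firewalls.

The traffic sample and detection patterns are constructed for this
illustration and are not taken from any product mentioned in the article.
"""
import re
from urllib.parse import unquote

# Constructed traffic: (destination port, raw request as seen on the wire).
SAMPLE_TRAFFIC = [
    (80, "GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    (80, "GET /search?q=widgets HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    (80, "GET /item?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    (80, "GET /files?name=..%2F..%2Fetc%2Fpasswd HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    (80, "POST /comment HTTP/1.1\r\nHost: shop.example\r\n"
         "Content-Length: 30\r\n\r\ntext=<script>alert(1)</script>"),
    (23, "login: admin\r\n"),
]

ALLOWED_PORTS = {80, 443}

# Illustrative content signatures only; a product ships far more than three.
SIGNATURES = {
    "sql-injection": re.compile(r"'\s*(or|and)\s*'?\d|union\s+select", re.I),
    "path-traversal": re.compile(r"\.\.[/\\]"),
    "script-injection": re.compile(r"<\s*script", re.I),
}

def port_filter(port, payload):
    """Traditional rule: the decision depends on the port alone."""
    if port in ALLOWED_PORTS:
        return ("allow", None)
    return ("block", "port not allowed")

def split_request(raw):
    """Minimal HTTP request split: (method, request-target, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, target = request_line.split(" ")[:2]
    return method, target, body

def content_filter(port, payload):
    """Content-level rule: still honours the port list, then inspects the
    URL-decoded request target and body for malicious user data."""
    verdict = port_filter(port, payload)
    if verdict[0] == "block":
        return verdict
    _, target, body = split_request(payload)
    for field in (unquote(target), unquote(body)):
        for name, sig in SIGNATURES.items():
            if sig.search(field):
                return ("block", name)
    return ("allow", None)

def compare(traffic=SAMPLE_TRAFFIC):
    """Run both filters over the sample.
    Returns [(port, request-target, port verdict, content verdict)]."""
    rows = []
    for port, raw in traffic:
        target = raw.split(" ")[1] if raw.startswith(("GET", "POST")) else "-"
        rows.append((port, target, port_filter(port, raw)[0], content_filter(port, raw)))
    return rows

if __name__ == "__main__":
    for row in compare():
        print(row)
```

The port rule waves through every request on port 80, including the injection, traversal and script payloads, and only stops the telnet attempt; the content rule blocks the same telnet attempt and additionally the three requests whose decoded content matches a signature, while passing the two benign ones.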
ISS has launched its Proventia series of gateway appliances, which
complement traditional firewall functions with intrusion detection
systems and content scanning. Over time, it will move from a
gateway-based model to desktop and server-focused protection,
echoing Lacey's deperimeterisation model.
What Lacey described is the move to a service-oriented architecture
where services formed from applications speak to each other using
common protocols, treating one another as "black boxes".
Services do not need to know how other services work, as long as
they deliver data via a predefined interface. Microsoft heavily
emphasised this approach as it moves to the next generation of the
Windows systems with Longhorn. Its chief technical officer, Craig
Mundie, said the idea of boundaries and trust relationships will be
central to this model.
The problem, according to Gartner analyst John Pescatore, is that
some of the technologies underpinning this new model have failed at
business level. Identity management is vital to business
integration, he said, but digital certificates have fallen flat
because certification authorities either have not been trusted (as
when VeriSign, in January 2001, inadvertently issued code-signing
certificates in Microsoft's name to an impostor) or are not
universally accepted. Federated identity has failed to materialise
because plans are too ambitious.
Vast networks of companies spanning different business sectors
managing relationships with one another to authenticate one
another's customers are not viable, Pescatore said.
Lacey calls for common business security standards that will help
companies to manage security policies themselves. He proposed an
industry-independent standard which would enable companies to
classify end-users from a security perspective.
Pescatore argued that such classifications would only work in small
groups of businesses with a common interest, and that the same goes
for federated identity systems. But although he eschewed a
one-size-fits-all approach to security in favour of tailored,
localised tools, his world view and Lacey's are not a million miles
apart.