
Deperimeterisation, the security model advocated by the
blue-chip companies behind the Jericho Forum user group, is not
always in the best interest of your business, delegates at the
Infosecurity conference will be told this week.
Security specialists from professional services company KPMG and
analyst firm Burton Group will warn chief security officers that
the trend towards removing perimeter defences in favour of
protecting data does not necessarily bring better security.
Mark Waghorne, principal adviser at KPMG, said that, for many
organisations, deperimeterisation may not be the best security
solution, given the complexity of managing the approach.
"I do not think in IT security generally there is any one right
answer. One size does not fit all. I think, paradoxically,
deperimeterisation probably suits larger, more connected
organisations better than smaller organisations. They need to be
large and mature in order to make it work," he said.
Waghorne's argument presents a challenge to the CIOs behind the
Jericho Forum, who believe that the move towards deperimeterisation
is inevitable as organisations increasingly share their networks
with business partners.
For deperimeterisation to work, Waghorne said most organisations
would need a far more mature and consistent approach to identifying
and classifying IT assets that need protection.
"Deperimeterisation requires effective administration to secure
tens of thousands of assets, rather than deploying a small number
of assets to protect the entire network," he said.
Smaller businesses rarely have the expertise or the resources to
administer and configure security products on a myriad of assets,
Waghorne added.
Even larger businesses, having invested heavily in securing
their perimeters, may find it difficult to convince the board that
they need to remove that protection and invest in securing
data.
"People who do not understand security, such as the board, will
be asking why we need to do it differently and what the benefits
are. Articulating that is quite difficult," said Waghorne.
It is better to think of "reperimeterisation", which implies
moving the security defences, rather than deperimeterisation, which
implies removing security altogether, he said.
"The overarching debate is not about throwing away what we have
in place. It is about gradually re-engineering what we have. To do
that requires more investment in asset identification and
classification than perhaps the deperimeterisation evangelists
would like to admit."
Dan Blum, senior vice-president at Burton Group, said that, in
the longer term, businesses would need to build more
interoperability into their security control systems if they are to
open up their networks to business partners.
"We are seeing more integration through large, relatively
monolithic security suites than interoperability in security
management at this point.
"In the longer term, more standards will be required to enable
discrete security management services that support service oriented
architecture, a choice of suppliers and better interoperability
between suppliers," he said.
...but CSOs believe move to new security model is inevitable
Deperimeterisation of network security is inevitable, as
companies continue to form closer links with their business
partners and outsource their IT systems, the chief security
officers of leading UK businesses will argue at the Infosecurity
show this week.
Paul Simmonds, global information security director at ICI, and
Nick Bleech, IT security director at Rolls-Royce, will tell
delegates that deperimeterisation is a trend that businesses cannot
afford to ignore.
"The idea that you have a tiny set of buildings and you
ring-fence them is dead," said Bleech. "Many people say they will
hang on to the network perimeters and the range of defences that
have been well developed over the past 10 years. We say that is
responding to the business situation as it has been."
Perimeter security increasingly makes less sense as businesses
outsource their IT systems to third parties and give customers and
business partners access to their networks, he said.
Bleech rejected claims that small businesses do not have the
expertise or resources to go down the deperimeterisation route.
Small businesses were already adopting the idea. "They do not have
the resources to give themselves a nice tidy perimeter," he
said.
Simmonds said businesses had little choice other than to embrace
deperimeterisation.
"Deperimeterisation has happened to you, whether you like it or
not. You need to wake up and start planning for it," he said. "If
you are going to have a responsible security architecture, from a
business point of view, you need to take deperimeterisation
seriously."
He advised IT directors to start applying pressure to suppliers
to address deperimeterisation by asking basic questions about the
security of their products.
"Does it support a deperimeterised architecture? Can they list
all the protocols used in communications? Are they inherently
secure? It is as simple as that. Ask fundamental questions," he
said.
Simmonds and Bleech are founder members of the Jericho Forum, a
security-focused user group representing 40 of the UK's largest
businesses. The group will today (25 April) release key security
guidelines for IT departments and suppliers.
Jericho Forum's commandments for information security
The scope and level of protection must be specific and appropriate to the asset at risk
- Security must enable business agility and be cost effective
- Boundary firewalls may continue to provide basic network protection, but individual systems and data will need to be able to protect themselves
Security mechanisms must be pervasive, simple, scalable and easy to manage
- Unnecessary complexity is a threat to good security
- Coherent security principles must span all tiers of the architecture
- Security mechanisms must be able to scale, handling small or large objects
- To be both simple and scalable, interoperable security "building blocks" need to be capable of being combined to provide the required security mechanisms
Assume context at your peril
- Security systems designed for one environment may not be transferable to work in another. Thus it is important to understand the limitations of any security system
Devices and applications must communicate using open, secure protocols
- Security through obscurity is a flawed assumption: secure protocols demand open peer review to provide robust assessment and wide acceptance and use
- The security requirements of confidentiality, integrity and availability should be assessed and built into protocols as appropriate, not added on
All people, processes and technology must have declared and transparent levels of trust for any transaction to take place
- There must be clarity of expectation, with all parties understanding the levels of trust
- Trust models must encompass people/organisations and devices/infrastructure
All devices must be capable of maintaining their security policy on an untrusted network
- A "security policy" defines the rules with regard to the protection of the asset
- Rules must be complete with respect to an arbitrary context
Access to data should be controlled by security attributes of the data itself
- Attributes can be held within the data (document rights management/metadata), or could be a separate system
- Access/security could be implemented by encryption
Authentication, authorisation and accountability must interoperate outside your area of control
- People/systems must be able to manage permissions of resources they do not control
- There must be a capability of trusting an organisation which can authenticate individuals or groups, thus eliminating the need to create separate identities
- Systems must be able to pass on security credentials/assertions
Mutual trust assurance levels must be determinable
- Devices and users must be capable of appropriate levels of mutual authentication for accessing systems and data
Data privacy (and security of any asset of sufficiently high value) requires a segregation of duties/privileges
- Permissions, keys, privileges etc. must ultimately fall under independent control, or there will always be a weakest link at the top of the chain of trust
By default, data must be appropriately secured when stored, in transit and in use
- Removing the default must be a conscious act
www.jerichoforum.org