It all seemed so simple. Your network team had
implemented a deperimeterisation plan. They had protected what
they thought were their most valuable assets: the credit card
database, the Active Directory server, and the accounting system.
So why had their customers' credit card details just been found on
a Russian server?
The team did not secure the computer that maintained the network
audit logs, and the credit card database box was programmed to
trust the audit server. The hacker uploaded an attack script to get
root on the audit log server, and then used that trusted
relationship to launch another attack on the credit card database
using the audit log machine's elevated privileges. You never saw it
coming, and never knew how it was done, because he changed the logs
to delete the evidence.
Deperimeterisation, a term
invented by the
Jericho Forum, assumes that in a business increasingly reliant
on mobile workers, distributed computing and inter-company
relationships, the old idea of a 'ring of iron' around a network no
longer applies. People need more open, less restrictive access,
which calls for companies to focus on securing the assets connected
to the network, rather than the network itself.
In its purest form, it turns the network into the wild west,
says Bruce Potter, founder of US-based security consulting firm
Ponte Technologies and organiser of the Shmoocon security
conference. The network is made transparent to attackers - assumed
to be hostile - and defence focuses on the endpoints.
"Two years ago that was a pipe dream," Bruce Potter says, adding
that things have evolved since then with endpoint protection suites
from the likes of McAfee and Symantec. "I don't think endpoint
protection really existed. If you look at suites like Symantec's,
it's an attempt at a holistic solution for endpoint
protection."
Few people are ready to open up their network and rely entirely
on protecting the endpoint, says Alastair Broom, security director
at network consulting firm Dimension Data. Instead, people layer
extra protection onto the endpoints and valued nodes within the
organisation without necessarily stripping the protection out of
their network altogether.
"You need to plan for deperimeterisation, understand that the
threat will no longer simply present itself at the internet
gateway, and assume that the network will become more open," says
Broom. "The perimeter is already blurred, and it just becomes more
blurred. You need to take that into account and take a more
data-centric approach."
"It's already happening," says David Hartley, security
consultant at Activity Information Management, who is also an
advocate of a multi-layered approach to deperimeterisation. "They're
calling it defence in depth. So it's more about many levels of
protection."
Configuring networks for deperimeterisation is not easy. Even
though the network perimeter has been eroding for years, we're only
just beginning to understand what it means for the network.
When it comes to implementation, defence in depth is a muddy
concept. What you protect, and with how many layers of protection,
is a subjective issue that depends on the assets' value to the
business. "That means it's important to start with a risk
assessment, think through the policy and that way you can get to
the correct platform," says James Rendell, senior technology
specialist at IBM ISS. "Over the next few years we will see
business risk management and IT risk management converge in
organisations, and this is a reason why."
However, there are some constant best practices in a
post-perimeter environment, including taking a data-centric view of
your infrastructure. "You have to think about where your data is,
rather than where the edge of the network is," says Michael
Williams, lead consultant at Computacenter Services. The Jericho
Forum advises people to put protective tools such as
intrusion-prevention systems close to the assets that they're
protecting. That might mean moving to host-based rather than
network-based IPS.
Another challenge is asset and data management. Protecting data
and the machines on which it resides means understanding where both
of those things are. Putting endpoint protection software on your
desktops and laptops only works properly if you get them all. And
many companies may need to update and better maintain their asset
and configuration management databases as a result.
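The coverage problem described above (endpoint protection "only works properly if you get them all") is something a practitioner can check mechanically by reconciling the asset register against what the endpoint console actually reports. The following is an added example, not code from the article or from any vendor named in it; the host names, owners and check-in ages are constructed, and the "stale after seven days" threshold is an assumption.

```python
"""Reconcile an asset inventory (CMDB) against the hosts an endpoint
protection console actually reports, to find coverage gaps.

Added example with constructed data; host names are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    owner: str
    asset_class: str  # e.g. "laptop", "desktop", "server"


# Constructed CMDB extract (hypothetical hosts).
CMDB = [
    Asset("lon-lt-0412", "sales", "laptop"),
    Asset("lon-dt-0088", "finance", "desktop"),
    Asset("dc1-auditlog-01", "infra", "server"),
    Asset("dc1-cardsdb-01", "payments", "server"),
]

# Constructed roster of hosts checking in to the endpoint console,
# mapped to the number of days since their last check-in.
AGENT_ROSTER = {
    "lon-lt-0412": 0,
    "dc1-cardsdb-01": 1,
    "lon-lt-0950": 2,    # reporting an agent, but unknown to the CMDB
    "lon-dt-0088": 21,   # stale: no check-in for three weeks
}

# Assumption: an agent silent for longer than this is treated as absent.
STALE_AFTER_DAYS = 7


def reconcile(cmdb, roster, stale_after=STALE_AFTER_DAYS):
    """Return (uncovered, stale, unknown), each a sorted list of hostnames.

    uncovered: CMDB hosts with no agent at all
    stale:     CMDB hosts whose agent has not checked in recently
    unknown:   hosts reporting an agent that the CMDB does not know about
    """
    known = {a.hostname for a in cmdb}
    uncovered = sorted(h for h in known if h not in roster)
    stale = sorted(h for h in known if h in roster and roster[h] > stale_after)
    unknown = sorted(h for h in roster if h not in known)
    return uncovered, stale, unknown


def coverage_ratio(cmdb, roster, stale_after=STALE_AFTER_DAYS):
    """Fraction of CMDB hosts with a fresh agent check-in."""
    uncovered, stale, _ = reconcile(cmdb, roster, stale_after)
    return 1 - (len(uncovered) + len(stale)) / len(cmdb)


if __name__ == "__main__":
    uncovered, stale, unknown = reconcile(CMDB, AGENT_ROSTER)
    print("no agent:     ", uncovered)
    print("stale agent:  ", stale)
    print("not in CMDB:  ", unknown)
    print(f"coverage: {coverage_ratio(CMDB, AGENT_ROSTER):.0%}")
```

The "unknown" list is as important as the "uncovered" one: a host that runs an agent but is missing from the register is exactly the kind of asset-management gap the paragraph warns about, and the register, not the console, is what a risk assessment is scoped against.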
The chances are that your network has already become
deperimeterised. The moment someone puts a modem in an office and
connects to a dial-up line (as was happening 15 years ago), the
perimeter begins to break down. With people now just as likely to
access corporate applications via a Blackberry, and with
cloud-based security and backup systems now becoming popular, the
concept of the perimeter is very difficult to sustain. Hopefully,
by following best practice, the security of the network will be
easier to handle.
Best practice guidelines for a post-perimeter world
The Jericho Forum, which coined the term 'deperimeterisation',
has a set of best practice guidelines for implementation:
Adjust the scope and level of protection to the level of risk.
Use security mechanisms that are simple and scalable.
Understand the context of the security mechanism you're applying (don't just apply a technology without understanding how its location and the data it is protecting affect its use).
Use open, secure protocols on the network.
Ensure that devices can remain secure on an untrusted network.
Establish and understand the trust relationships between people, and between devices.
Systems designed to manage identity and access control should be able to interoperate with others.
Access to data should be controlled by the data's own security attributes (such as embedded metadata).
Duties must be segregated so that there is no one weak link in the organisation.
Data must be appropriately secured at all times.
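The guideline to "establish and understand the trust relationships between devices" is what the opening scenario turned on: the card database was hardened, but it trusted an audit log server that was not, so protecting the database alone left an unguarded path into it. The following is an added example, not from the Jericho Forum or the article, that records declared host-to-host trust as a small graph and works out which hosts must be in scope for a given high-value asset. All host names and trust declarations are constructed.

```python
"""Map declared host-to-host trust and find which hosts, if compromised,
would give a foothold on a high-value asset through a chain of trust.

Added example with a constructed trust map; host names are hypothetical.
"""
from collections import deque

# Constructed declarations: host -> the hosts it trusts (hypothetical).
# "cards-db" trusting "audit-log" means control of audit-log extends
# to cards-db, which is the relationship the article's scenario describes.
TRUSTS = {
    "cards-db":     {"audit-log", "ad-dc"},
    "accounting":   {"ad-dc"},
    "audit-log":    {"mgmt-jump"},
    "ad-dc":        set(),
    "mgmt-jump":    set(),
    "laptop-sales": set(),
}

# Constructed list of what the team in the scenario chose to harden.
PROTECTED = {"cards-db", "ad-dc", "accounting"}


def reach_into(target, trusts):
    """Return {host: path} for every host whose compromise reaches `target`.

    Walks the trust declarations backwards from `target`: the hosts it
    trusts can reach it, then the hosts those hosts trust, and so on.
    Each path runs from the starting host to `target`.
    """
    paths = {}
    queue = deque([(target, [target])])
    while queue:
        node, path_from_node = queue.popleft()
        for trusted in trusts.get(node, ()):
            if trusted in paths or trusted == target:
                continue  # already reached, or a cycle back to the target
            paths[trusted] = [trusted] + path_from_node
            queue.append((trusted, paths[trusted]))
    return paths


def unprotected_entry_points(target, trusts, protected):
    """Hosts that reach `target` through trust but are outside the
    protected set: the scope gap a deperimeterised design must close."""
    return sorted(h for h in reach_into(target, trusts) if h not in protected)


if __name__ == "__main__":
    for host, path in reach_into("cards-db", TRUSTS).items():
        print(f"{host:>10} -> {' -> '.join(path)}")
    print("unprotected entry points into cards-db:",
          unprotected_entry_points("cards-db", TRUSTS, PROTECTED))
```

Run against the constructed map, the report shows that both "audit-log" and, one hop further back, "mgmt-jump" reach the card database while sitting outside the protected set, which is the gap the scenario's attacker used. The same walk run for "accounting" returns no unprotected hosts, because the only host it trusts was already in scope.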