Defending a clear network perimeter is becoming increasingly difficult. John Kavanagh examines new approaches to the problems of shifting boundaries
Trying to defend the network boundary is becoming impossible because no one knows where the boundary is any more. This view from the head of security at Rolls-Royce, Nick Bleech, is fast becoming accepted wisdom among IT user and supplier companies - which are increasingly getting together to do something about it.
Bleech himself is among the leaders in this: he wrote the vision document of the Jericho Forum, formed two years ago largely by big UK user companies to work towards a world without network boundaries, yet with far tighter security.
"Since we published the paper in February people have been telling us very firmly that the nature of business is changing and that we've got to think about network security in a different way," said Bleech.
Traditional approaches based on a hard perimeter are unable to cope with contemporary business drivers. These include online collaboration and commerce, use of open networks such as the public internet and shared network services, and trends towards outsourcing. "Existing security approaches are a barrier to change because they assume an organisation owns and controls its IT infrastructure and that everyone sits in the organisation," he said.
The Jericho Forum has coined the term deperimeterisation, which might not slip off the tongue, but is on everyone's lips in the security business. It is an acknowledgement that the traditional fixed network perimeter is disappearing for organisations which have trading partners accessing their files, travelling executives using internet cafes to access company information, contractors bringing in their own laptops, and staff at home connecting from their own PCs. As Bleech put it, "You've now got to treat every device as suspect."
Others increasingly agree with this last point. Even in the best-run organisations 20% of network end points are unmanaged, according to research group Gartner. And it says that even in these companies many of the other 80% are mismanaged, leading to an even greater vulnerability.
While there is general agreement, in larger organisations especially, that today's distributed IT and ways of working and doing business are forcing deperimeterisation on companies, there are different views on what this means in practice.
The Jericho Forum's approach, for example, is to move in stages to the ultimate goal of authenticating users and data and encrypting all communication. Its approach has been seen as meaning an end to firewalls and other traditional network protection, but it denies that this is necessarily so. Traditional measures might be used in other ways, for example firewalls and intrusion detection could be introduced at application and user levels rather than at the network perimeter.
Others argue that defence is needed at the perimeter, even if that perimeter is ill-defined. "You can focus on user and data authentication, but if you have a big denial-of-service attack and do not have detection in place it does not matter if the data is authenticated and encrypted, it will take hours to get across the network," said Mark Hanvey, chief security officer at network services company Cable & Wireless.
There are concerns that the ideal of total deperimeterisation is too complex, too ambitious and too hard to manage in terms of keeping fully patched and up to date for every firewall and other protection product at computer, application and even data level on every PC, handheld device, router and server.
Greg Young, research vice-president at analyst firm Gartner, said, "Do not buy into the hype that the perimeter is no longer important. Companies have hundreds if not thousands of servers that require perimeter protection. A small number of perimeter security devices can protect a large number of end points, so you can update perimeter security more rapidly in the face of changing threats. In-depth defence is required - but it can't exist without a strong perimeter."
There are also issues around how to achieve deperimeterisation. Suppliers maintain that most, if not all, the components are already available in their products, but user bodies say proprietary products are restrictive, and that online collaboration and commerce demand open standards between business partners and the systems they run.
"We don't want to check what goes on behind the scenes in products, but we do want open interfaces so they work together," said Bleech. "Many suppliers are innovative, and we want to encourage this, but we do have that simple rule."
Open standards for various parts of deperimeterisation are being worked on by various groups. Some of these standards are starting to emerge and suppliers are making a commitment to build them into their products.
The mainly US Organisation for the Advancement of Structured Information Standards (Oasis) is working on XML and web services standards. One contribution to the deperimeterisation vision is the Security Assertion Markup Language (SAML), used to send authentication information about a web user. In August, products from eight suppliers including Novell, Oracle and Sun Microsystems were certified as conforming to SAML.
The Liberty Alliance, also in the US, has worked with Oasis, and is developing a standard for federated identity for groups of users. This has recently been adopted by AOL, France Telecom, General Motors, Nokia and others. One of its board members, IBM, is also in a separate suppliers group with Microsoft, which is in effect developing a rival set of standards, Web Services Federation (WS-Federation).
The risk of a further fragmenting of effort is raised by the Liberty Alliance's global operations director, Brett McDowell, who said, "We have had no formal contact from the Jericho Forum and our work is very relevant to them. If we don't communicate, there is the possibility of fragmentation. Since IBM joined our board we have at least indirect harmonisation with the WS-Federation work."
These and other efforts are leading to open standards for some elements of deperimeterisation, but experts say the full vision is some way from being fulfilled.
"Although there are isolated initiatives under way, they'll need to overcome significant barriers to make true deperimeterisation a reality," said Paul Stamp, an analyst at Forrester Research. "True deperimeterisation requires a universal trust infrastructure, and implementing that is a monumental task. In the encryption world, public key infrastructure buffs have repeatedly tried and failed to put a global trust infrastructure in place.
"In addition, countries including Russia, China and Israel have strict requirements on the use of strong encryption. It will be extremely difficult to develop data-level encryption that provides appropriate protection while complying with global regulations."
Meanwhile, IT security teams have to get on with providing network security right now amid all the discussions over what that might mean in the future, and the inevitably slow progress in standards.
Quarantine zones are seen as one immediate way forward, and indeed a possible long-term part of deperimeterisation.
"There used to be just two zones - inside and the outside world," said Miles Clement, technical architect at the Information Security Forum, a largely UK user body. "Now there are things even inside our fence that we do not trust, so let's have zones where we can or can't trust things. Put servers on a different network to the desktops with a firewall in between. Then validate every device before allowing connection.
"You do not want to simply deny access, because people need to work, so direct rejected users to a quarantine zone on the network which checks what they are missing for connection, such as the latest anti-virus update, and allows them to install it and then get validated for full connection.
"If people are connecting from an internet cafe you have a different approach, perhaps allowing them to work as if at a dumb terminal, downloading e-mails but not sending files. If they are working at home you might have other security levels. It is all about achieving a level of trust for a device."
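The zoning approach Clement describes, as an added illustration rather than code from the article or from the Information Security Forum: a small policy engine that validates a connecting device's posture and routes it to a full, quarantine or restricted zone. The attribute names, the three-day signature threshold, the origin labels and the zone names are all assumptions made for the example; the sample devices at the bottom are constructed.

```python
"""Device posture check that routes a connecting device into a trust zone.

Added example (not the article's or the Information Security Forum's code).
Attribute names, thresholds and zone names are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List


class Zone(Enum):
    FULL = "full"              # validated device on the trusted segment
    QUARANTINE = "quarantine"  # remediation network: fetch what is missing, then re-validate
    RESTRICTED = "restricted"  # "dumb terminal" session: read e-mail, no file transfer
    DENIED = "denied"          # nothing can safely be offered


@dataclass
class DevicePosture:
    device_id: str
    origin: str                 # "corporate", "home" or "internet_cafe" (assumed labels)
    managed: bool               # enrolled in the company's management tooling
    av_signature_age_days: int  # age of the anti-virus signature set
    missing_patches: List[str] = field(default_factory=list)
    host_firewall_on: bool = True


@dataclass
class Decision:
    zone: Zone
    remediation: List[str] = field(default_factory=list)  # what quarantine must supply


MAX_SIGNATURE_AGE_DAYS = 3   # assumed policy threshold


def remediation_needed(device: DevicePosture) -> List[str]:
    """List what a device must fix before it may be trusted for a full connection."""
    items = []
    if device.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        items.append("antivirus-signatures")
    if device.missing_patches:
        items.append("os-patches:" + ",".join(device.missing_patches))
    if not device.host_firewall_on:
        items.append("host-firewall")
    return items


def decide_zone(device: DevicePosture) -> Decision:
    """Route a device to a zone based on where it is and what it lacks."""
    # An untrusted location never gets a full connection, however clean the device
    # looks; offer the terminal-style restricted session instead.
    if device.origin == "internet_cafe":
        return Decision(Zone.RESTRICTED)

    gaps = remediation_needed(device)

    # A managed device can be fixed: send it to quarantine to pull what it lacks,
    # after which it comes back through this check for full access.
    if device.managed:
        if gaps:
            return Decision(Zone.QUARANTINE, gaps)
        return Decision(Zone.FULL)

    # An unmanaged device (contractor laptop, home PC): quarantine cannot fix a
    # machine we do not control, so a clean one gets restricted access and a
    # stale one is refused.
    if gaps:
        return Decision(Zone.DENIED, gaps)
    return Decision(Zone.RESTRICTED)


# Constructed sample input for a stand-alone run.
SAMPLE_DEVICES = [
    DevicePosture("laptop-01", "corporate", True, 1),
    DevicePosture("laptop-02", "home", True, 9, ["patch-placeholder"]),
    DevicePosture("kiosk-03", "internet_cafe", False, 0),
    DevicePosture("homepc-04", "home", False, 2),
    DevicePosture("homepc-05", "home", False, 40, host_firewall_on=False),
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        result = decide_zone(dev)
        print(f"{dev.device_id:10} -> {result.zone.value:10} {result.remediation}")
```

The point of keeping `remediation_needed` separate from `decide_zone` is that the quarantine network needs the list of gaps, not just a yes/no: it is what lets a rejected user install the missing update and then be re-validated rather than simply being denied.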
Clement, Bleech and others see online collaboration and trading between business partners following the path of Electronic Data Interchange (EDI) in its early days, with companies in one industry forming a closed trading exchange, or a big customer imposing security products or de facto standards on its smaller suppliers.
Bleech pointed to the Exostar portal used by the aerospace and defence industry. "This sets up a set of standards for a particular industry to use," Bleech said. "At Rolls-Royce we have 15,000 suppliers, so it is important to foster something that can be implemented economically.
Exostar is being developed to a full-blown public key infrastructure. The Jericho Forum accepts that in an industry structure like that the big companies will inevitably try to solve problems like security in this way.
"An alternative approach to federated identity management in the future might be to provide backward compatibility of SAML, for example, into the Kerberos authentication technology and other legacy approaches."
Product suppliers and some users say the pragmatic approach, for now at least, is to look at what is already on the market, even if current products do not meet emerging open standards for working with each other.
"Big distributed organisations are saying they want deperimeterisation and a common security architecture," said Stuart Okin, a partner at consultancy Accenture and former chief security adviser at Microsoft UK. "They are looking at securing the key IT assets, because they cannot necessarily secure their boundaries any more. They're looking at things like the number of access methods to devise a common architecture, and then they are developing programmes to support that architecture.
Cisco's Network Admission Control and Microsoft's emerging Network Access Protection are held up as possible future de facto standards for checking that end-user devices can be allowed to connect to a network. From that point onwards there are all the existing desktop, local area network, virtual private network and server protection products.
"The whole idea of deperimeterisation is already very realistic," said Ian McMullen, technical director at network security services company Boxing Orange. "The key is to get companies and individuals to face up to reality and their own responsibilities and stop sweeping security under the carpet. Ignorance is no longer an option."
Hanvey supports this to an extent. "We are finding more and more chief information officers saying security is an issue for their network service providers and not for them. I have been quite staggered by this. We now have a modular service approach, and with all the modules put together we can provide end-to-end security right down to the end point in an IT device."
So perhaps the radically changing nature and increasing demands of network security are proving too much for some user companies - especially as observers see the need emerging to rebuild networks and even applications.
A final word here came from Bleech - and that word, inevitably, is deperimeterisation. "Some say the Jericho Forum's biggest contribution has been to get people thinking. In fact the main feedback we have had is requests to get rid of that ruddy word deperimeterisation. We have debated that issue and decided that if we got rid of it we wouldn't get under people's skin, as we clearly are. We have got the debate going - and that debate is certainly needed."