It all seemed so simple. Your network team had implemented a deperimeterisation plan. They had protected what they thought were their most valuable assets: the credit card database, the Active Directory server, and the accounting system. So why had their customers' credit card details just been found on a Russian server?
The team did not secure the computer that maintained the network audit logs, and the credit card database box was programmed to trust the audit server. The hacker uploaded an attack script to get root on the audit log server, and then used that trusted relationship to launch another attack on the credit card database using the audit log machine's elevated privileges. You never saw it coming, and never knew how it was done, because he changed the logs to delete the evidence.
Deperimeterisation, a term invented by the Jericho Forum, assumes that in a business increasingly reliant on mobile workers, distributed computing and inter-company relationships, the old idea of a 'ring of iron' around a network no longer applies. People need more open, less restrictive access, which calls for companies to focus on securing the assets connected to the network, rather than the network itself.
In its purest form, it turns the network into the wild west, says Bruce Potter, founder of US-based security consulting firm Ponte Technologies and organiser of the Shmoocon security conference. The network is made transparent to attackers - assumed to be hostile - and defence focuses on the endpoints.
"Two years ago that was a pipe dream," Bruce Potter says, adding that things have evolved since then with endpoint protection suites from the likes of McAfee and Symantec. "I don't think endpoint protection really existed. If you look at suites like Symantec's, it's an attempt at a holistic solution for endpoint protection."
Few people are ready to open up their network and rely entirely on protecting the endpoint, says Alastair Broom, security director at network consulting firm Dimension Data. Instead, people layer extra protection onto the endpoints and valued nodes within the organisation without necessarily stripping the protection out of their network altogether.
"You need to plan for deperimeterisation, understand that the threat will no longer simply present itself at the internet gateway, and assume that the network will become more open," says Broom. "The perimeter is already blurred, and it just becomes more blurred. You need to take that into account and take a more data-centric approach."
"It's already happening," says David Hartley, security consultant at Activity Information Management, who is also an advocate of a multi-layered approach to deperimeterisation. "They're calling it defence in depth. So it's more about many levels of protection."
Configuring networks for deperimeterisation is not easy. Even though the network perimeter has been eroding for years, we're only just beginning to understand what it means for the network.
When it comes to implementation, defence in depth is a muddy concept. What you protect, and with how many layers of protection, is a subjective issue that depends on the assets' value to the business. "That means it's important to start with a risk assessment, think through the policy and that way you can get to the correct platform," says James Rendell, senior technology specialist at IBM ISS. "Over the next few years we will see business risk management and IT risk management converge in organisations, and this is a reason why."
However, there are some constant best practices in a post-perimeter environment, including taking a data-centric view of your infrastructure. "You have to think about where your data is, rather than where the edge of the network is," says Michael Williams, lead consultant at Computacenter Services. The Jericho Forum advises people to put protective tools such as intrusion-prevention systems close to the assets that they're protecting. That might mean moving to host-based rather than network-based IPS.
Another challenge is asset and data management. Protecting data and the machines on which it resides means understanding where both of those things are. Putting endpoint protection software on your desktops and laptops only works properly if you get them all. And many companies may need to update and better maintain their asset and configuration management databases as a result.
The chances are that your network has already become deperimeterised. The moment someone puts a modem in an office and connects to a dial-up line (as was happening 15 years ago), the perimeter begins to break down. With people now just as likely to access corporate applications via a Blackberry, and with cloud-based security and backup systems now becoming popular, the concept of the perimeter is very difficult to sustain. Hopefully, by following best practice, the security of the network will be easier to handle.
Best practice guidelines for a post-perimeter world
The Jericho Forum, which coined the term 'deperimeterisation', has a set of best practice guidelines for implementation:
Adjust the scope and level of protection to the level of risk.
Use security mechanisms that are simple and scalable.
Understand the context of the security mechanism you're applying (don't just apply a technology without understanding how its location and the data it is protecting affect its use).
Use open, secure protocols on the network.
Ensure that devices can remain secure on an untrusted network.
Establish and understand the trust relationships between people, and between devices.
Systems designed to manage identity and access control should be able to interoperate with others.
Access to data should be controlled by the data's own security attributes (such as embedded metadata).
Duties must be segregated so that there is no one weak link in the organisation.
Data must be appropriately secured at all times.
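To make the difference between the two models concrete, here is an added illustration (not code from the article or from the Jericho Forum) of the opening scenario against the guidelines on trust relationships and data-carried security attributes. The network range, record labels, principals and the device-attestation flag are all constructed assumptions: a location-based check trusts anything inside the internal range, including a compromised audit server, whereas a data-centric check decides from the caller's identity and the record's own metadata, regardless of source address.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample values, not taken from the article.
INTERNAL_NET = ip_network("10.0.0.0/8")   # the old "ring of iron"


@dataclass(frozen=True)
class Record:
    name: str
    labels: frozenset   # security attributes embedded with the data itself


@dataclass(frozen=True)
class Principal:
    identity: str
    clearances: frozenset   # labels this identity is entitled to read
    device_attested: bool   # endpoint judged healthy even on an untrusted network


def perimeter_allows(src_ip: str) -> bool:
    """Perimeter model: any caller inside the internal range is trusted."""
    return ip_address(src_ip) in INTERNAL_NET


def data_centric_allows(who: Principal, rec: Record) -> bool:
    """Deperimeterised model: the source address plays no part; access needs a
    healthy device and a clearance covering every label carried by the data."""
    return who.device_attested and rec.labels <= who.clearances


def compare(who: Principal, src_ip: str, rec: Record) -> dict:
    """Return both verdicts side by side for one request."""
    return {"perimeter": perimeter_allows(src_ip),
            "data_centric": data_centric_allows(who, rec)}


# Constructed actors from the opening scenario.
CARD_DB = Record("cardholder_table", frozenset({"pci", "confidential"}))
AUDIT_SVC = Principal("svc-audit", frozenset({"logs"}), device_attested=True)
CLERK = Principal("alice@finance", frozenset({"pci", "confidential"}), device_attested=True)
CLERK_UNHEALTHY = Principal("alice@finance", frozenset({"pci", "confidential"}), device_attested=False)

if __name__ == "__main__":
    # The compromised audit server sits inside the trusted range, so the perimeter
    # model lets it reach the card database; the data-centric model does not.
    print(compare(AUDIT_SVC, "10.1.2.3", CARD_DB))
    print(compare(CLERK, "203.0.113.7", CARD_DB))   # remote clerk, healthy device
```

The second request shows the flip side: a cleared user on a healthy device is allowed from outside the old perimeter, which is the access pattern the article says businesses now need.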
This was first published in October 2008