Delegates at security conferences such as RSA Europe in Amsterdam earlier this month were presented with a glimpse of how users want IT security to evolve via a technique known as "deperimeterisation". This involves opening networks to customers and business partners to support the changing dynamics of modern business.
David Lacey, director of security and risk management technology, services and innovation at Royal Mail, said, "Because the network perimeter does not provide adequate protection, organisations are building barriers around groups of users."
Royal Mail's architecture for deperimeterisation aims to simplify the IT security required to support business partnerships, essentially by including business partners within the same network.
An alternative approach, from chemicals firm ICI, relies on web services and secure web access to give end-users within an organisation and business partners access to specific applications.
Paul Simmonds, global information security director at ICI, said, "Any application that does not need to be on [a corporate network] should be accessed via a secure web browser connection."
The next step in ICI's approach is to treat the security perimeter on the corporate network as an electronic sieve. Existing network security is built to keep hackers out; in contrast, Simmonds said, the sieve acts as a quality-of-service boundary, filtering out any activity that degrades network performance.
The third step in ICI's model is to secure the data so that it can be moved between different IT systems yet still retain security information, such as which users are authorised to access the data.
Other FTSE 100 businesses, together with the Office of the E-Envoy, are collaborating on the blueprints for deperimeterisation because they believe IT suppliers have not come up with a coherent security strategy that supports their future business models.
Tom Scholtz, vice-president of security and risk strategies at analyst firm Meta Group, said IT security was inherently restrictive. "While current IT security technology does a reasonable job of providing adequate security control at the data, application and infrastructure levels, it is not particularly good at facilitating dynamic business process interoperation."