People often ask me what De-perimeterisation really means for organisations. Is there, for example, a recommended architecture, methodology or action plan? That’s not easy to answer. I can articulate the problem space very clearly. But defining the solution is harder. There are still many emerging issues to address. Some are technical, some political and many are operational. And the most appropriate short-term response will be unique to each organisation.
For all of us, it’s a slow but steady journey from the traditional security practices of the past to the new business realities of the future. That’s a difficult perspective for organisations that like to see clearly-bounded projects based on well-defined business cases. It’s easier to talk about specific consequences of De-perimeterisation, such as the impact of dissolving network perimeters and the need for intrinsically secure protocols and good endpoint security. There are many excellent position papers on these subjects to be found on the Jericho Forum Web site. But the underpinning paradigm shift is the need to view security from a different standpoint, to adopt a new mindset and a fresh approach to strategy. That’s why some people get it and others don’t.
Security was simpler in the past. A security manager would be tasked with safeguarding the security of a fixed set of users, data and systems operating within clearly-defined geographic or logical boundaries. In the future, the challenge will be quite different. The security manager of the future will need to devise solutions to safeguard the business operations and intellectual property of an assorted, frequently-changing set of users, operating independently using an assortment of consumer equipment, and sharing diverse systems across public networks. It’s an entirely different proposition, made infinitely more difficult by the economics and constraints of numerous legacy systems and practices.
What should a security manager do? The answer depends on your starting point, your timescale for results and your level of ambition. It can’t happen overnight. And it’s not a case of simply applying existing solutions with greater effort and budget, or of attempting to hold back the introduction of new-style business practices. It requires a new architecture and a portfolio of initiatives to enhance user education, application security and endpoint security, and to enable federated identity management. And all of this needs to be done against a shifting technology landscape of progressive virtualisation of infrastructure and consumerisation of client devices.
The primary purpose of such an action plan is to prepare the organisation for the future, not to address immediate problems. That’s a leap of faith – which is the hardest type of investment to justify. It’s certainly not easy. But De-perimeterisation is inevitable, imminent and inescapable. So start working now on your survival strategy.