Whither De-perimeterisation?

Just published on the Jericho Forum site are the presentations from last week’s conference in London. They include the results of an interesting survey of attendees (carried out with the help of Qualys) which has already attracted some media attention.

It seems like an opportune time to reflect on the progress of the Jericho Forum and to assess just where we are on the road towards true de-perimeterised working. Is it achievable now? Or is it all just a pipe dream? The short answer is that it can’t be the latter. We have to make it work. Otherwise we’ll be sleepwalking towards a future crisis. Corporate perimeters are already leaking confidential data and letting in malware, and the situation will progressively get worse. It’s not good enough to shore up traditional defences. We need to be proactive and implement new solutions.

Examining the poll of around 100 top security practitioners is illuminating. Around 70% believed that insiders represent the greatest risk, with employees at the top of the list. Traditional “hard shell” security doesn’t address this risk. A majority of those polled also believe that their network already has a porous perimeter. But in five years’ time they expect things to be different: by then, network perimeters will mainly exist for quality of service purposes. Most organizations are not yet where they want to be; they are still growing in maturity. And the main obstacles to progress are lack of budget, time and personnel.

From all of this one can conclude that de-perimeterisation remains a future goal rather than an achievable state. So what exactly do we need – other than time, budget and staff – to make it work? In my view the key enablers are strategy and architecture. Achieving true de-perimeterised working requires state-of-the-art components assembled in a beyond-the-state-of-the-art architecture. We need new, ambitious infrastructure such as a modern federated identity management system that can work efficiently across an open network environment. Implementing such infrastructure is not a trivial task. It involves a complete rethink of authentication, provisioning and management processes. It demands an architecture and network topology that can deploy encryption, authentication and policy enforcement controls in the most effective positions. But most of all it requires a big vision, an up-front investment in technology and a realistic migration plan.


Perimeter based security has been the basis for securing possessions for centuries and has proven to be the most effective method of security. Perimeters date back to the building of the first walls where the builders wanted to ensure that whatever was inside the wall was safe from those outside the wall, where the major problem is where and how to build your wall to protect what you want to protect, yet still allow access for those who need access. The statement "Your security perimeters are disappearing: what are you going to do about it?" (slide 6 of the Jericho Forum fundamentals presentation) is just plain old scaremongering to try to drum up support for their cause. You may have to apply patches to fix problems discovered with particular pieces of software and hardware, but firewalls won't slowly crumble and all of your data protection measures won't slowly cease to exist allowing free access to your information. Everywhere you look there are examples of perimeterised security in action. If you go to a conference or event they don't open all the doors and then check everyone who sits in a seat, buys some food, or looks at an exhibit; they restrict access and check at the point of entry. Even public transport is switching to a perimeterised model by reducing the number of ticket inspectors and installing physical barriers. So I view with great scepticism anyone who wants to go from a tried, trusted, tested, and working system where the problems are known and are being worked on (such as perimeterised security) to a model that other disciplines are moving away from. The main problem we should be looking at is not how to de-perimeterise, it should be where we build our perimeters and how we build them.
Here we go again, I'm sure Al has got some nice pictures of European walled cities as well. The only problem is that none of these exist any more - the reason being they inhibited trade. Speak to a military historian and they will tell you that the days of perimeter defences ended in WW1 with the invention of the tank (in today's technology "port 80") which simply drove right through the (trenches) perimeter. Tried, tested, bypassed and obsolete..... As for the "public transport" the barrier is for access control and charging - that barrier does nothing to provide security to the item in transit (the person) - witness the 7/7 tube bombing in London. It's all about protecting the data - try telling the secret service that you are going to provide increased protection to the president by increasing spending on the border patrols and watch them fall around laughing.
So if perimeter defences ended in WW1, why are banks still using physical vaults in secure buildings to hold the most valuable goods, and why are military bases still built with perimeter fences? Even in modern conflict zones such as Iraq and Afghanistan everything is arranged around perimeter based security with secured areas for military bases, and the green zone in Iraq. These are not perfect, but it shows that perimeter security is most definitely a modern day best practice and not a relic of some 80 years ago. As for port 80 being the tank of network security, that's very much off the mark. We already have technologies which filter and analyse incoming web traffic, and at the end of the day we can just block port 80 or limit it to allowing access to a set of trusted servers because most companies' employees just don't need access to the entire world wide web for their daily business. Some of the tools used are not ideal, but they will improve, and thus the perimeter becomes stronger. I didn't say that the public transport perimeter system was perfect, but it is what public transport is moving towards after careful consideration. With the 7/7 incident the perimeter defences proved invaluable at providing information which quickly identified the terrorists and potential conspirators. In the same way web filtering tools can be improved, the public transport perimeters could be improved to include bomb and firearm detection equipment at the entry points. As I said previously, it's about where and how you build your perimeters. With the president there are cordons the secret service put in place at a street level and at a personal level with the president by roadblocks, traffic restrictions, and surrounding him with bodyguards. Suggesting the border patrols are the only perimeter based protection the president has is just a little naive. So I'm afraid your post has done little to convince me that perimeter based security is an outdated notion.
If anything I believe it has shown that there are some in the IT world who are not open to all possible solutions and this, in the end, will do us all more harm than good.
Interesting solution below from a Canadian vendor (Trustifier). Sounds very Government-focused. (Mandatory access control.) Does anyone have any experience of their product? David Lacey

Hi David, When you say that one can conclude that de-perimeterisation remains a future goal rather than an achievable state, I thought I would let you know that we are doing it now. While time and resources are always needed, we are doing it without state-of-the-art components assembled in a beyond-the-state-of-the-art architecture or new ambitious infrastructures. This technology works inside the network post-authentication, governing access and audit control at the data file level on a per-authorised-user basis. We are able to take existing IT infrastructures and convert them into trusted ones with mandatory access controls and full multilevel security. The controls are user centric at the data level, not the network level, and this allows intuitive management of data access privilege and data flows, controls endpoint security and insider threat, and treats remote access as an extension of your internal environment. It does require a complete rethink, but not exclusively in the ways that you mentioned. Our layered defense works from the core and works outward to the perimeter. But I think both Paul and Al are correct in their opinions. It is "all about protecting the data", but the role of the firewall may evolve into a trusted gateway in an information-centric model. The firewall acts as an extra layer of defense to enforce policies governing sensitive data leakage, as you move out from the core, while still carrying out some traditional perimeter defenses.
I thought it was time I chipped in with a few observations. I do have some experience of securing sensitive data stored across large geographic areas, and the philosophy was always to shrink perimeters down to the absolute minimum, for reasons of both cost and effectiveness. In hostile environments you cannot guarantee the identity and loyalty of everyone working inside a large perimeter. Nor can you prevent professional attempts to breach the perimeter. You need a layered approach if you have valuable assets to protect. And for many years the trend has been to replace armoured vehicles carrying valuable goods and high security ATMs with standard build products containing smaller high security containers. Physical vaults are not perimeters in my opinion. They are the equivalent of data-level security. The problem in corporate networks is that security has generally relied on hard-shell external perimeter protection, without adequate internal layers of control. This model is dangerous and needs to be abandoned. It's not scaremongering, it's facing up to the consequences of decades of proliferating connectivity. But physical security is not a good analogy, as it assumes static assets. Information is different because it can easily flow across boundaries, and - as Alvin Toffler pointed out a couple of decades ago - there is more value in safeguarding dynamic flows, rather than static stocks of information. One interesting point is where you position the new controls. They may operate at the application or data level but could be situated inside the network itself. There are advantages to this approach for many organisations. But I doubt that one solution will fit all.
Unfortunately, David, we have not hit your side of the pond yet. Don't assume, like the Open Group's Visionary White Paper does, that anything with mandatory access controls (MAC) is unsuitable for business and de-perimeterisation (although governments do need us). That may be true of previous trusted/MAC solutions, but it is definitely not true of Trustifier. MAC came from the military sector that had a prime goal of confidentiality, but it was a non-starter for business because of cost and complexity. We have removed those barriers, just as business's need for greater confidentiality due to privacy concerns etc. is growing.
I note the comment above with interest..."So I view with great scepticism anyone who wants to go from a tried, trusted, tested, and working system where the problems are known and are being worked on (such as perimeterised security) to a model that other disciplines are moving away from." I have recently entered the world of IT Security, so I do not have the "baggage" of previous preferences, however I do have 24 years' experience working for the top IT vendors / consultants and there is much that worries me. Anyone who believes existing "tried, trusted, tested" solutions are adequate is, in my view, sticking their heads in the sand. I am currently working with the research arm of a known IT Security Vendor and I had the pleasure of sitting with a leading expert who took us through the inadequacies of existing perimeter technologies, including their own. To keep on using military analogies is, in my mind, pretty futile, as is any in-depth technical argument about what are the best technical solutions. When I first read the Jericho Forum's De-Perimeterisation strategy I too was a bit sceptical, however having implemented numerous ERP, Supply Chain, Web channel systems across many industries it became clear that from a business point of view they have already "de-perimeterised" the business, therefore it's not a case of if, but it has already happened. As such the IT and Network owners have to catch up and adopt new strategies. A lot of this is getting caught up in the presentation. I do not think anyone is suggesting you throw away your perimeter security. Instead businesses should look to making them "thin and efficient" to reduce overall cost and complexity, and spend more time understanding what really needs protecting, and how. The crown jewels are normally the data. At the Tower of London they continually built thicker walls, and more walls. Then someone had the bright idea of selling tickets so you could go and see them.
So I can now buy a ticket with cash and get within feet of them, but can I touch them? We have to face facts. Business, not IT, will continually drive to exploit new channels. This will open up data access, and therefore new strategies are required, not new technology arguments.
Why not use a combined approach? Using layered access controls and "Defense-in-Depth" is more practical and flexible than selecting Perimeter vs. Asset security alone. Using a castle as an example: Perimeter security began at the moat or to grant access via the drawbridge or gate: a.k.a. "keys to the kingdom"; then layers of control, detection, response and protection were deployed (Network IDS/IPS). The sentries monitored access and during war identified those without proper access. In times of attack the access was denied by removing the bridge or closing the gates. All to protect the royals: a.k.a. "jewels of the kingdom". To protect against insider threats or traitors/spies the "jewels of the kingdom" were further protected by personal guard (host based IDS/IPS). All had to work together in order to be completely effective. I would say that both perimeter and internal security have to be deployed in order for any defense to be effective! Not just one or the other!!! Just my opinion from experience...