Deperimeterised approach to security is not suitable for everyone, warn analysts

Infosecurity conference will highlight one of the biggest issues facing IT chiefs

Deperimeterisation, the security model advocated by the blue chip companies behind the Jericho Forum user group, is not in always in the best interest of your business, delegates at the Infosecurity conference will be told this week.

Security specialists from professional services company KPMG and analyst firm Burton Group will warn chief security officers that the trend towards removing perimeter defences in favour of protecting data does not necessarily bring better security.

Mark Waghorne, principal adviser at KPMG, said that, for many organisations, deperimeterisation may not be the best security solution, given the complexity of managing the approach.

"I do not think in IT security generally there is any one right answer. One size does not fit all. I think, paradoxically, deperimeterisation probably suits larger, more connected organisations better than smaller organisations. They need to be large and mature in order to make it work," he said.

Waghorne's argument presents a challenge to the CIOs behind the Jericho Forum, who believe that the move towards deperimeterisation is inevitable as organisations increasingly share their networks with business partners.

For deperimeterisation to work, Waghorne said most organisations would need a far more mature and consistent approach to identifying and classifying IT assets that need protection.

"Deperimeterisation requires effective administration to secure tens of thousands of assets, rather than deploying a small number of assets to protect the entire network," he said.

Smaller businesses rarely have the expertise or the resources to administer and configure security products on a myriad of assets, Waghorne added.

Even larger businesses, having invested heavily in securing their perimeters, may find it difficult to convince the board that they need to remove that protection and invest in securing data.

"People who do not understand security, such as the board, will be asking why we need to do it differently and what the benefits are. Articulating that is quite difficult," said Waghorne.

It is better to think of "reperimeterisation", which implies moving the security defences, rather than deperimeterisation, which implies removing security altogether, he said.

"The overarching debate is not about throwing away what we have in place. It is about gradually re-engineering what we have. To do that requires more investment in asset identification and classification than perhaps the deperimeterisation evangelists would like to admit."

Dan Blum, senior vice-president at Burton Group, said that, in the longer term, businesses would need to build more interoperability into their security control systems if they are to open up their networks to business partners.

"We are seeing more integration through large, relatively monolithic security suites than interoperability in security management at this point.

"In the longer term, more standards will be required to enable discrete security management services that support service oriented architecture, a choice of suppliers and better interoperability between suppliers," he said.

...but CSOs believe move to new security model is inevitable

Deperimeterisation of network security is inevitable, as companies continue to form closer links with their business partners and outsource their IT systems, the chief security officers of leading UK businesses will argue at the Infosecurity show this week.

Paul Simmonds, global information security director at ICI, and Nick Bleech, IT security director at Rolls-Royce, will tell delegates that deperimeterisation is a trend that businesses cannot afford to ignore.

"The idea that you have a tiny set of buildings and you ring-fence them is dead," said Bleech. "Many people say they will hang on to the network perimeters and the range of defences that have been well developed over the past 10 years. We say that is responding to the business situation as it has been."

Perimeter security increasingly makes less sense as businesses outsource their IT systems to third parties and give customers and business partners access to their networks, he said.

Bleech rejected claims that small businesses do not have the expertise or resources to go down the deperimeterisation route. Small businesses were already adopting the idea. "They do not have the resources to give themselves a nice tidy perimeter," he said.

Simmonds said businesses had little choice other than to embrace deperimeterisation.

"Deperimeterisation has happened to you, whether you like it or not. You need to wake up and start planning for it," he said. "If you are going to have a responsible security architecture, from a business point of view, you need to take deperimeterisation seriously."

He advised IT directors to start applying pressure to suppliers to address deperimeterisation by asking basic questions about the security of their products.

"Does it support a deperimeterised architecture? Can they list all the protocols used in communications? Are they inherently secure? It is as simple as that. Ask fundamental questions," he said.

Simmonds and Bleech are founder members of the Jericho Forum, a security-focused user group representing 40 of the UK's largest businesses. The group will today (25 April) release key security guidelines for IT departments and suppliers.

Jericho Forum's commandments for information security

The scope and level of protection must be specific and appropriate to the asset at risk

  • Security must enable business agility and be cost effective
  • Boundary firewalls may continue to provide basic network protection but individual systems and data will need to be able to protect themselves

Security mechanisms must be pervasive, simple, scalable and easy to manage

  • Unnecessary complexity is a threat to good security
  • Coherent security principles must span all tiers of the architecture
  • Security mechanisms must able to scale, handling small or large objects
  • To be both simple and scalable, interoperable security "building blocks" need to be capable of being combined to provide the required security mechanisms

Assume context at your peril

  • Security systems designed for one environment may not be transferable to work in another. Thus it is important to understand the limitations of any security system

Devices and applications must communicate using open, secure protocols

  • Security through obscurity is a flawed assumption - secure protocols demand open peer review to provide robust assessment and wide acceptance and use
  • The security requirements of confidentiality, integrity and availability should be assessed and built into protocols as appropriate, not added on

All people, processes and technology must have declared and transparent levels of trust for any transaction to take place

  • There must be clarity of expectation with all parties understanding the levels of trust
  • Trust models must encompass people/organisations and devices/infrastructure

All devices must be capable of maintaining their security policy on an untrusted network

  • A "security policy" defines the rules with regard to the protection of the asset
  • Rules must be complete with respect to an arbitrary context

Access to data should be controlled by security attributes of the data itself

  • Attributes can be held within the data (document rights management/meta data), or could be a separate system
  • Access/security could be implemented by encryption

Authentication, authorisation and accountability must interoperate outside your area of control

  • People/systems must be able to manage permissions of resources they do not control
  • There must be capability of trusting an organisation, which can authenticate individuals or groups, thus eliminating the need to create separate identities
  • Systems must be able to pass on security credentials/assertions

Mutual trust assurance levels must be determinable

  • Devices and users must be capable of appropriate levels of mutual authentication for accessing systems and data

Data privacy (and security of any asset of sufficiently high value) requires a segregation of duties/privileges

  • Permissions, keys, privileges etc must ultimately fall under independent control, or there will always be a weakest link at the top of the chain of trust

By default, data must be appropriately secured when stored, in transit and in use

  • Removing the default must be a conscious act

Read: Security special report

Read more on Hackers and cybercrime prevention