Chemical giant says data leakage tools not up to snuff

Paul Simmonds, global information security director at ICI unveils his security wish list for 2008, noting data leakage products need improvement before he'll take a serious look.

Imperial Chemical Industries (ICI), one of the UK's largest organisations, employs over 35,000 people worldwide and sells 50,000 products including chemicals, paints, starch, scents, flavourings and many elements used in common food and beauty products. The company's global information security director, Paul Simmonds took some time out to chat with SearchSecurity UK on his security plans for 2008. You are a co-founder of the Jericho Forum, so how far have you implemented its principles of de-perimeterisation? Have you got rid of firewalls and intrusion detection systems altogether?

Paul Simmonds: No, but we're getting close. We will never get rid of firewalls, but we are placing less emphasis on border firewalls doing any kind of real security. We won't renew the big tin sitting at the border. We will maintain what we have to keep up the quality-of-service boundary that we have always talked about. We have been working on de-perimeterisation for four years – the time has come to finish the picture and leverage what we've already done.

ICI is a global company. How are you managing your international communications?

We are just starting the backbone offload of web traffic. Where possible, we will send web browsing out from where it originates straight on to the Internet. At any of our sites, instead of backhauling the traffic over very expensive WAN, we want to send it straight out to the Internet.

Does that not have security implications?

Of course! But we have signed an in-the-cloud service agreement with ScanSafe to clean up all the web traffic irrespective of where it is in the world. The cost of change is negligible, but we save WAN bandwidth. It means that traffic will be cleaned by a local tower from Scansafe. Users will get much better response, faster response times. We save WAN bandwidth, and we get better security because we get complete global visibility of the rules, who the users are, and what they are doing.

Why did you not do it before?

Services like Scansafe didn't exist in the global deployment that we needed. In 2008, we will start to extend it to individual PCs. If I'm in a hotel in New York, and I plug into my free Internet connection and go out to surf the web, I would be unprotected. But we will be extending the Scansafe architecture, so users are sent off via a secure connection from their PC to the local Scansafe tower where they have exactly the same corporate rules, and exactly the same protection, even the same heuristic detection of incoming return traffic from the web.

What does that give you?

In line with Jericho principles, it means I don't provide two different levels of protection for internal and external people. I don't differentiate between them.

What does it do for cost?

It doesn't save money because demand for WAN bandwidth is always growing. But it helps us avoid further costs. We are putting off the day when we will need more bandwidth on the WAN.

How do you see the threat landscape in 2008, and the products to tackle the threats?

The message has finally got through that security is all about protecting the data. We are seeing the rise of data leakage prevention (DLP), and the marketing machine behind it. DLP falls into the Jericho model of standalone devices protecting their own data, but I don't think much of the products yet.

You have to think holistically about data on a device, which can leak out in any number of ways – on a USB stick, as a mail attachment, burnt on to a DVD, uploaded to a website. It's all about thinking bigger than just preventing of a USB device. 2008 will be a year of looking at DLP, but the products will have to improve. For instance, none of them has a Vista product yet.

Does Network Access Control play any role in your plans?

NAC doesn't work. It is too hard to manage on a global basis. And it requires too much proprietary equipment. Realistically, for any corporate with a rolling legacy of equipment, it is not practical.

I keep asking NAC salesmen what triggers the NAC checking, and they say it's the VPN or network. But I'm just using a protocol, not a network connection. Once you apply Jericho principles fully, then NAC becomes totally irrelevant.

Our goal is to have PCs that just connect to the corporation, rather than having to fire up a VPN, get out your secure token etc. To do that, you need to be able to use a central management platform to lock down the machine's personal firewall to using secure protocols.

We are pushing forward with pervasive wireless, and have implemented it at 26 sites so far. It means I can just walk in there, lift the lid on my PC and work. I type in a screensaver password, but there is nothing else to do. My PC uses all the right secure protocols in the background, with WPA2 for message encryption, and the authentication channel is Active Directory. The system only allows a connection if it has valid user credentials and valid machine credentials. As soon as a machine or a user is turned off in Active Directory, then access is denied. Once you take an employee out of Active Directory, their accounts disappear and even the wireless connection disappears. We can use the same technique out in the outside world, using machine and user name credentials to provide the same level of security as we're providing for wireless, for instance, in a hotel.

Any other wishes for 2008?

I wish companies would stop touting products to me that don't work in a de-perimeterised environment. I still see new products being pushed that will not work in a world without boundaries. They rely on the fact that your network is secure. I'm amazed at the number of new products that still make that assumption.

Read more on Privacy and data protection