The increasing value and vulnerability of IT assets -- coupled with a trend away from large, monolithic organisational structures toward virtual enterprises -- are challenging network security. Individuals and organisations are empowered with more and more computing devices and sophisticated content creation and collaboration tools. Yet there are strong risk and regulatory pressures on IT security to constrain connectivity, user functionality and control.
Another dilemma for network security is de-perimeterisation of the network. De-perimeterisation -- a phenomenon described by the Jericho Forum, Burton Group and others wherein centralised firewalls have become less effective -- is upon us. Additional firewall functionality is being added to endpoints as well as internal network access points. Computer devices are getting smaller and more numerous; device endpoints are splintering into virtual endpoints; and applications are decomposing into services. Business trends such as outsourcing, partnering and a mobile workforce create continuing pressure for organisations to share information electronically across distributed IT environments.
Even though coarse-grained network perimeter controls will continue to bring unique value to maintaining an overall level of protection and availability on organisation-owned networks, IT security is too dependent on network controls. Fine-grained controls are needed closer to information resources, and they will increasingly be built into both simple and complex systems, arriving with new systems and being retrofitted into old ones. These fine-grained controls will exist within a security overlay that works together with existing physical mechanisms on the network to create a total security solution.
Can the industry create a policy infrastructure to cover pervasive, finer-grained controls on endpoints, applications and data? That is no easy thing. Exponentially multiplying numbers of control points will have to operate in a contextually dynamic environment that represents the interests of multiple parties, including individuals, enterprises in a value chain, intermediaries or service providers and, often, auditors. With this, the complexity of policy management, monitoring and feedback rises.
Industry trends will drive organisations to shift much of their defensive emphasis from network controls to endpoint-, identity-, application- and data-level controls. Technologies such as trusted virtualisation and secure compartments; higher assurance identity (with privacy features) and application rating services (supported by rating services) could raise the bar. Ultimately, an information-centric approach that builds on converging XML-oriented database management systems and enterprise content management -- as well as service-oriented architecture (SOA) data services -- will provide lasting strategic benefits. Information risk management and information classification will also be of vital importance.
About the author:
Daniel Blum is the senior vice president and principal analyst for Burton Group Security and Risk Management Strategies.