Long term, there is a belief that a distributed security model will emerge, one based more on secure application development and defenses around data, and less on securing the network perimeter. These trust-based security systems rely on a set of statements about a user, called a claim, to complete tasks such as verifying a person's identity, validating a payment, granting access to sensitive data, or delivering personalized services.
Whether or not trust is granted depends on three components: the relying party, typically an application that requests the claim in order to decide what it can do for the user; the identity provider, which provides the claim; and the user, who decides what information he or she wants to provide to the application.
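The three components described above can be made concrete with a small claims exchange. The following is an added example written for this article, not code from the magazine or from any vendor it mentions: the identity provider signs a set of claims about the user, the user decides which of the requested claims to release, and the relying party checks the issuer, the signature and the expiry before deciding what it will do. The issuer names, the claim names and the HMAC key shared between issuer and relying party are all constructed sample values.

```python
"""Minimal claims-based trust exchange: identity provider, user, relying party.

Added illustration, not from the article. The shared HMAC key, issuer names and
claim names are constructed samples; a real deployment would use the signing and
key-distribution rules of its federation specification.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample: which issuers the relying party trusts, and with which key.
SHARED_KEYS = {"idp.example": b"constructed-sample-key-not-for-production"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical(payload: dict) -> bytes:
    # One fixed serialization so issuer and verifier hash identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


class User:
    """The user: decides which requested attributes to disclose."""

    def __init__(self, subject: str, attributes: dict):
        self.subject, self.attributes = subject, attributes

    def consent(self, requested: list, withheld: set) -> dict:
        return {k: self.attributes[k] for k in requested
                if k in self.attributes and k not in withheld}


class IdentityProvider:
    """The identity provider: issues a signed, time-limited claim set."""

    def __init__(self, issuer: str, key: bytes):
        self.issuer, self.key = issuer, key

    def issue(self, subject: str, claims: dict, ttl: int = 300,
              now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        payload = {"iss": self.issuer, "sub": subject,
                   "exp": int(now + ttl), "claims": claims}
        body = b64url_encode(canonical(payload))
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        return body + "." + b64url_encode(sig)


class RelyingParty:
    """The relying party: verifies the claim, then decides what to do."""

    def __init__(self, trusted_keys: dict, required: dict):
        self.trusted_keys, self.required = trusted_keys, required

    def verify(self, token: str, now: Optional[float] = None) -> Optional[dict]:
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".")
            payload = json.loads(b64url_decode(body))  # untrusted until signature checks
            key = self.trusted_keys.get(payload.get("iss"))
            if key is None:
                return None  # issuer is not part of the trust relationship
            expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, b64url_decode(sig)):
                return None  # claim was altered or signed with the wrong key
            if payload["exp"] <= now:
                return None  # claim has expired
            return payload
        except (ValueError, KeyError, TypeError):
            return None  # malformed token

    def decide(self, token: str, now: Optional[float] = None) -> str:
        payload = self.verify(token, now)
        if payload is None:
            return "deny: untrusted or invalid claim"
        claims = payload["claims"]
        missing = [k for k, v in self.required.items() if claims.get(k) != v]
        if missing:
            return "deny: missing claims " + ",".join(missing)
        return "grant: " + payload["sub"]


def demo() -> dict:
    """Walk through the three roles with fixed timestamps so results are deterministic."""
    idp = IdentityProvider("idp.example", SHARED_KEYS["idp.example"])
    user = User("alice", {"email": "alice@example.test", "role": "finance"})
    rp = RelyingParty(SHARED_KEYS, required={"role": "finance"})
    issued_at, later = 1_000.0, 1_100.0
    # The user releases the role claim but withholds the e-mail address.
    disclosed = user.consent(requested=["role", "email"], withheld={"email"})
    token = idp.issue("alice", disclosed, ttl=300, now=issued_at)
    rogue = IdentityProvider("rogue.example", b"other-key")
    # Forge: change the role in the body without re-signing.
    body, sig = token.split(".")
    forged = json.loads(b64url_decode(body))
    forged["claims"]["role"] = "admin"
    tampered = b64url_encode(canonical(forged)) + "." + sig
    return {
        "disclosed": disclosed,
        "valid": rp.decide(token, now=later),
        "expired": rp.decide(token, now=issued_at + 301),
        "untrusted_issuer": rp.decide(rogue.issue("alice", disclosed, now=issued_at), now=later),
        "tampered": rp.decide(tampered, now=later),
        "withheld_role": rp.decide(
            idp.issue("alice", user.consent(["role"], withheld={"role"}), now=issued_at), now=later),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:17s} {outcome}")
```

The relying party never trusts the parsed body until the issuer is known and the signature verifies, and it treats expiry and missing required claims as separate, reportable outcomes; the user's consent step is what keeps the e-mail address out of the claim even though the application asked for it.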
Various specifications that support trust models have been emerging, such as those from the Liberty Alliance, which has developed specifications for federated identity management and secure Web services.
"In today's business, trust relationships work only if everyone (employees, customers and suppliers) all adhere to the same set of standards," cautions Burton Group's Blum. While the different approaches have gained acceptance, it has been in select niches rather than widespread use.
As the perimeter continues to dissolve, it's not clear how security will evolve to handle the changing paradigm.
"Because security threats are changing, companies are using a wider variety of products to secure their
Understand Insiders: Treat outsourced business services (e.g., payroll, CRM) as you would an insider. Same goes for contractors, vendors and business partners. Apply stringent security controls to each relationship.
Liability: Most organizations treat applications--especially outsourced apps--as assets. Think of them as liabilities, says Ed Adams of Security Innovations. "Think of security as life insurance. Use it to mitigate a risk," Adams says.
Old News: Perimeters have been fading for a while. "This current notion raises awareness, but we've always had the issue of people bringing in laptops, bypassing millions in firewalls, IPS and other perimeter security building blocks," says Gartner's Lawrence Orans.
Get Help: Smaller organizations with fewer resources will need to leverage a third party to assess the security of a potential partner.
Consider Post-Connect NAC: "A machine can be 'passed' initially but for various reasons, may fall out of compliance. So, a continual check is essential," says Al Wendt, network manager, Altarum Institute.
This was first published in July 2007