CHICAGO -- Enterprises are forced to open their virtual doors to more entities than were ever imagined in today's digital business climate. Internet portals freely welcome customers, business partners and suppliers, and as more services are extended, enterprise networks likewise are dissolving.
More and more, network administrators are focusing an increasing amount of their shrinking workday attention on the security of applications, in addition to their intrusion detection and firewall management duties.
Security professionals attending Security Decisions last week acknowledge the dissolution of the network perimeter and slowly are conceding that the application may indeed be the new network.
"Security no longer is just an issue of the network," said Stephen Moy, a technology specialist with Allegiance Healthcare of Dublin, Ohio. A large part of Moy's day-to-day duties include network security. "With e-commerce especially, it's no longer just about the network. Vulnerable applications are a major concern. The issue is now to get developers in sync with security issues. That's a challenge."
This vicious circle begins with the pressures and demands that crush software developers to rush products out the door without security being a primary concern. As vulnerabilities are discovered, patches must be developed, tested, and then implemented. Enterprises applying those patches often then pray the patch doesn't open more holes than the ones it closed.
Consultancy @Stake CEO Chris Darby introduced the concept of the application assuming the identity of the network during a session with Security Decisions attendees. He called it the dissolution of the perimeter.
"It's going away," Darby said. "It's getting harder to distinguish where your network stops and another party's begins."
Also, security threats are shifting slowly from virus and worm writers spreading malicious code, to blended threats that attack vulnerable software applications.
"Threats find the path of least resistance," Darby said. "If you're looking at these threats as how you're going to address it once it gets through the network, you're not looking at it the right way. What is the new perimeter? It's moving from the firewall to the application.
"The application is the network, and if you're thinking of security from that perspective, you're on the right road," Darby said.
Security professionals, however, have to adjust their thinking, said J.D. Hedgespeth, information security officer for Catholic Healthcare Partners of Cincinnati.
"It's finally being addressed. I just wonder why it has taken so long to be apparent," said Hedgespeth, who coordinates the security programs for a group of 30 hospitals, home health aid nurse associations, hospice groups and health plan providers and its 33,000 employees, most of whom have some sort of network access. "We find security on applications very weak. Applying extended solutions to that is not efficient. If we had security built into the application, it would solve our problems. Vendors, however, don't want to be liable."
Hedgespeth said the current focus on network security through IDS, firewalls and more is essential and cannot go away. But it is fostered by the uncertainty and fear propagated by being connected to the Internet.
"The Internet is a scary place, and most people don't understand it. You're host machine that is 20 years old and running critical applications doesn't scare you. You think it's OK," he said. "It's never been a problem before, why worry?"
It's those kinds of misconceptions that Darby addressed.
"Firewalls, etc., are not going to go away, but building an entire security model around networks won't work," Darby said. "Networks aren't just single pipes any more. You have to think about it as an application and manage it that way."