LAS VEGAS -- Most people acknowledge that the speed of business in an increasingly interconnected, global online...
community can be the hobgoblin of an organization's security posture.
"Everything we do -- business, security, anything -- is now business-driven," explained Paul Simmonds, global information security director for British conglomerate ICI Plc. "Your projects have to have a return on investment. Cost savings is the management mantra. And speed to market is quite often the enemy of good security."
Then he told a packed audience at the opening of Wednesday's Black Hat Briefings: "If you haven't noticed it yet, we've lost the war on good security."
But Simmonds and a CISO-involved group he recently founded called The Jericho Group believe there's a way to return to a more secure business world by redefining which assets need corporate protections and which can move outside the perimeter and let business function with fewer impediments.
It's a concept called "de-perimeterization," a term coined by the non-profit Jericho Group to explain a worldwide push toward a more porous corporate shell yet more secure collaborations in our increasingly interconnected online world.
"Your border is actually a sieve, keeping out the lumps -- keeping out the script-kiddies," Simmonds explained. But traditional security approaches such as firewalls and intrusion detection at the network's edge are not sustainable, he continued, especially as more enterprises expand their Web services and allow every type of device to connect to their networks.
More corporations now offer non-essential external services to operate with minimal security outside their corporate networks, thereby freeing up more resources to protect other assets while letting more projects proceed at a quick pace. This, Simmonds said, is the first step toward removing a hardened perimeter.
Soon, he argued, the network border will dissolve as outside connections through partnerships, remote workers and e-commerce increase. Encryption will become paramount to protecting data in use, transit and storage.
More pie-in-the-sky is de-perimeterization's ultimate goal: worldwide use of system-, data- and connection-level authentication. Such approaches restrict access to server and data files through rights management and secure protocols. Though Simmonds admited such cross-company global authentication is beyond current capabilities, expanded use of federated identity and strides by organizations like the Liberty Alliance will make it possible.
But security still remains an individual, yet communal, responsibility.
"Ultimately, it's up to all of us … to stop designing insecure systems. It is as simple as that," he concluded. "We have to design-in security from the ground up. We can't keep papering up the cracks.
"We have to demand secure and authenticated protocols and refuse insecure protocols. You also need to understand your data flow. It is basic, but we don't do it."