Wither the Perimeter
Is perimeter security viable with Swiss cheese networks?
Traditionally, information security has been based on strict dividing lines. Companies wanted to allow only their employees access to important resources and keep everyone else away. Network perimeter security products, such as firewalls, became popular because they established clear demilitarized zones between insiders and outsiders.
As business moved to the Internet, the sightlines as to who should have access to corporate resources have become blurry, and in some cases indecipherable. "The corporate network perimeter has had more holes punched in it than a slice of Swiss cheese," says Paul Simmonds, global information security director at ICI, a paints, adhesives and specialty products supplier in the U.K. Simmonds is also the founder of the Jericho Forum, a user-based group preaching de-perimeterization.
Despite this change, CISOs are still being charged with maintaining clear boundary lines between legitimate and illegitimate users to ensure the safety of data. While everyone seems to agree that network security needs revamping, there is no consensus about how much of a change is needed and what will be the best steps to safeguard corporate data going forward.
A number of factors are at play in the dissolution of the perimeter. First, the corporate workplace has taken on a new look, one where employees no longer are firmly planted inside the network perimeter. Rather than toil in central offices, workers now more than ever are stationed remotely. "Many companies allow, and even encourage, employees to work from home or [other] locations, such as hotspots," says Lloyd Hession, chief security officer at BT Radianz, a connectivity provider for financial services institutions.
To streamline business processes, corporations have exposed networks to customers, who are reaching deeper into enterprise systems. Clients are able to access technical support information and fix their own problems, for example. E-commerce systems enable potential customers to not only view different products but also to check on the products' availability and shipping times.
Such changes are even more dramatic in the B2B space, where supply chains are becoming more integrated and information flows freely from company to company. "Corporations are providing access not just to the front end of their systems; they are also opening up their back-office applications, such as their ERP systems," Hession says.
The growing support for outsourcing has also meant job titles that belonged solely to company employees are now going to outsiders. In many cases, the individuals designing, implementing and monitoring a corporation's security policies are hired hands, and in such cases, outsiders could have access to virtually all corporate data.
A sample partner trust assessment
The result: No longer are there clear demarcations between those who should and should not have access to company data. Compounding the problem is the fact that an individual may legitimately be able to access one piece of data, say an order entry system, but needs to be prevented from working with other information, for instance customers' credit card information.
Faced with such a complex set of problems, CISOs need to start somewhere to establish a security beachhead.
The perimeter does erect, at least theoretically, a dividing line between a company's network and the Internet, and to many, remains a logical berth for security functions. "Companies now run a number of security applications (intrusion detection, virus protection) on their firewalls," says Rich Mogull, a vice president at market research firm Gartner. In fact, a growing number of perimeter security systems help enterprises ward off the voluminous amount of spam and spyware that constantly tries to overrun their networks. "Firewalls are a great place for delivering features, such as QoS (quality of service) functions, and ensuring that the use of enterprise bandwidth is maximized," notes ICI's Simmonds. In addition, perimeter products enable companies to examine their security needs. "At our perimeter, we collect information about how we are performing, and are able to identify any security gaps that we have," says Bruce Woods, program manager at Progress Energy.
Vendors have responded to this skewering of the network with enhancements to their products. Many firewalls have moved beyond network-level filtering of data to application-layer protection. A number can inspect HTTP-based traffic passing through port 80 and determine whether to block it based on its content.
In other cases, companies are rewriting their security policies. To shore them up, they are moving their perimeter defenses closer to transaction endpoints, such as desktops and data center servers. "A growing number of companies are providing their employees with personal firewalls and virus-checking programs," says Dan Blum, senior vice president at market research firm the Burton Group. In addition, more security checks are being put in place where data enters and exits the data center.
This new environment raises new challenges for CISOs. First, it requires a wider breadth of security products, but management may not want to make these additional investments because security software often can be very expensive. Managing the growing array of products becomes more difficult; a company may have to update software on thousands of endpoints on a regular basis.
Groups such as the Jericho Forum anticipate that such limitations will result in the perimeter becoming less important as a security boundary line. "There is no future in perimeter security; the industry is moving security functions to where they belong--the application," says ICI's Simmonds.
Let me in
With perimeters eroding and extranets growing, security organizations need to counter new threats. Here's how:
Pre- and Post-Connect NAC
To counter problems posed by a contractor, for example, plugging a device into a corporate network, organizations have turned to network access controls (NAC). Pre-connect NAC is gaining mainstream presence, and is bought either as a standalone solution or packaged with an SSL VPN. Pre-connect NAC verifies that a connecting device complies with access policies. Non-compliant devices are denied or quarantined.
Post-connect NAC, meanwhile, is not widely adopted, but is the next frontier. Post-connect NAC monitors traffic after a device is granted access. It is especially useful for cordoning off malware to a particular network segment.
"Post-connect NAC gives you the ability to take IPS functionality and bring it into the LAN," says Gartner analyst Lawrence Orans. "IPS is priced too high for deployment in every wiring closet."
Security Acceptance Testing
Outsourcing application development offshore?
Many organizations are, but how many are including language in service-level agreements for security acceptance testing? Ed Adams, president of consultancy Security Innovations, says organizations should demand to know from developers and vendors how security is integrated into the development lifecycle. Are there security reviews at each phase of the build? How are apps security-tested? What security training is provided to development teams?
"You have to contractually include language for acceptance testing when the app comes back," Adams says. "Demand third-party security certification."
Safety in SSL
It's no secret SSL VPNs are nudging IPsec off its perch as the de facto VPN standard. The Menninger Clinic in Houston allows physicians, clinicians and executives to tunnel into the corporate network via SSL, safely accessing patient data and business documents, and maintaining HIPAA compliance. Vendors also remotely support systems via the same NeoAccel VPN.
"It's very easy to partition access to files or applications and assign permissions since we've tied it to Active Directory," explains security manager Kevin Monser.
Long term, there is a belief that a distributed security model will emerge, one that is based more on secure application development and defenses around data, and less on securing the network perimeter. These trust-based security systems rely on a set of statements about a user, called a claim, to complete tasks such as verifying a person's identity, validating a payment, granting access to sensitive data, or delivering personalized services.
Whether or not trust is granted depends on three components: the relying party, typically an application that requests the claim in order to decide what it can do for the user; the identity provider, which provides the claim; and the user, who decides what information he or she wants to provide to the application.
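The three-party exchange described above, as an added sketch that is not from the original article or from any specification it names: an identity provider signs claims, the user releases a subset, and the relying party verifies them and decides per resource, which also covers the order-entry versus credit-card case raised earlier. The function names, the policy table and the shared HMAC key are assumptions made for illustration; deployed federations normally use asymmetric signatures.

```python
import hashlib
import hmac
import json

# Assumption: the identity provider and relying party share this key.
# Deployed federations normally use asymmetric signatures instead.
IDP_KEY = b"constructed-demo-key"

def _mac(subject, name, value):
    msg = json.dumps([subject, name, value], separators=(",", ":")).encode()
    return hmac.new(IDP_KEY, msg, hashlib.sha256).hexdigest()

def idp_issue(subject, attributes):
    """Identity provider: sign each claim separately, bound to the subject."""
    return [{"sub": subject, "name": n, "value": v, "sig": _mac(subject, n, v)}
            for n, v in attributes.items()]

def user_release(claims, names):
    """User: choose which claims to hand to the application."""
    return [c for c in claims if c["name"] in names]

# Relying party policy (constructed): claims each resource requires.
POLICY = {
    "order_entry": {"role": {"employee", "partner"}},
    "card_data": {"role": {"employee"}, "pci_cleared": {True}},
}

def rp_authorize(resource, presented):
    """Relying party: verify claims, then decide per resource; default deny."""
    required = POLICY.get(resource)
    if required is None or not presented:
        return False
    subject = presented[0]["sub"]
    verified = {}
    for c in presented:
        expected = _mac(c["sub"], c["name"], c["value"])
        if c["sub"] != subject or not hmac.compare_digest(expected, c["sig"]):
            return False  # forged, altered, or borrowed from another subject
        verified[c["name"]] = c["value"]
    return all(verified.get(n) in allowed for n, allowed in required.items())
```

A withheld claim fails closed here: the relying party denies any resource whose required claims were not all presented and verified.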
Various specifications that support trust models have been emerging, such as those from the Liberty Alliance, which has developed specifications for federated identity management and secure Web services.
"In today's business, trust relationships work only if everyone (employees, customers and suppliers) all adhere to the same set of standards," cautions Burton Group's Blum. While the different approaches have gained acceptance, it has been in select, rather than widespread, niches.
As the perimeter continues to dissolve, it's not clear how security will evolve to handle the changing paradigm.
"Because security threats are changing, companies are using a wider variety of products to secure their transactions," says Gartner's Mogull. "Going forward, perimeter devices, such as firewalls, will be one of the items used to make sure transactions are secure, but their exact role is open to question."
Understand Insiders
Treat outsourced business services (e.g., payroll, CRM) as you would an insider. Same goes for contractors, vendors and business partners. Apply stringent security controls to each relationship.
Liability
Most organizations treat applications--especially outsourced apps--as assets. Think of them as liabilities, says Ed Adams of Security Innovations. "Think of security as life insurance. Use it to mitigate a risk," Adams says.
Old News
Perimeters have been fading for a while. "This current notion raises awareness, but we've always had the issue of people bringing in laptops, bypassing millions in firewalls, IPS and other perimeter security building blocks," says Gartner's Lawrence Orans.
Get Help
Smaller organizations with fewer resources will need to leverage a third party to assess the security of a potential partner.
Consider Post-Connect NAC
"A machine can be 'passed' initially but for various reasons, may fall out of compliance. So, a continual check is essential," says Al Wendt, network manager, Altarum Institute.