Information Security

Securing Extranets

Wither the Perimeter
Is perimeter security viable with Swiss cheese networks?

Traditionally, information security has been based on strict dividing lines. Companies wanted to allow only their employees access to important resources and keep everyone else away. Network perimeter security products, such as firewalls, became popular because they established clear demilitarized zones between insiders and outsiders.

As business moved to the Internet, deciding who should have access to corporate resources has become blurry, and in some cases indecipherable. "The corporate network perimeter has had more holes punched in it than a slice of Swiss cheese," says Paul Simmonds, global information security director at ICI, a paints, adhesives and specialty products supplier in the U.K. Simmonds is also the founder of the Jericho Forum, a user-based group preaching de-perimeterization.

Despite this change, CISOs are still being charged with maintaining clear boundary lines between legitimate and illegitimate users to ensure the safety of data. While everyone seems to agree that network security needs revamping, there is no consensus about how much of a change is needed and what will be the best steps to safeguard corporate data going forward.

A number of factors are at play in the dissolution of the perimeter. First, the corporate workplace has taken on a new look, one where employees no longer are firmly planted inside the network perimeter. Rather than toil in central offices, workers now more than ever are stationed remotely. "Many companies allow, and even encourage, employees to work from home or [other] locations, such as hotspots," says Lloyd Hession, chief security officer at BT Radianz, a connectivity provider for financial services institutions.

To streamline business processes, corporations have exposed networks to customers, who are reaching deeper into enterprise systems. Clients are able to access technical support information and fix their own problems, for example. E-commerce systems enable potential customers to not only view different products but also to check on the products' availability and shipping times.

Such changes are even more dramatic in the B2B space, where supply chains are becoming more integrated and information flows freely from company to company. "Corporations are providing access not just to the front end of their systems; they are also opening up their back-office applications, such as their ERP systems," Hession says.

The growing support for outsourcing has also meant job titles that belonged solely to company employees are now going to outsiders. In many cases, the individuals designing, implementing and monitoring a corporation's security policies are hired hands, and in such cases, outsiders could have access to virtually all corporate data.

Model Behavior
A sample partner trust assessment

    Operational Security
  • Has a SAS 70 certification been completed? (Provide copy)
  • Are security operations, policies, procedures and standards in alignment with the ISO 17799 or ISO 27000 series standards?
  • Are security policies, procedures and standards documented? (Provide copies)
  • How are background checks on employees and contractors performed prior to hiring?
  • Describe security training and awareness programs
    Physical Security
  • Describe physical facility and floor area on which services for Sun will be performed
  • Describe controls to address physical security of hardware, software and data communications equipment
  • Describe how network servers and components are secured from unauthorized access, physically and logically
  • Can an agent room, dedicated server room and network be allocated exclusively to support Sun's project requirements?
    System Security
  • Describe patch management processes
  • Describe user identification, authentication and authorization processes
  • How is application and network authentication performed with their customer environment?
  • Describe server hardening methodologies and tools to maintain server security
  • What data exchange needs to happen between Sun and partner to support this project?
  • What data storage will be done at the partner location?
  • How is sensitive data secured during data exchange, at rest and in the backup process?
  • Is Sun's data separated from other customer data held by partner?
  • Describe your data backup and archive procedure
    Network Security
  • Describe network topology, including external connectivity, server locations and physical/logical network partitioning as it matters from the security perspective
  • Provide a topology diagram of the network architecture, including application and database servers infrastructure with network connectivity and data flow
  • Describe your incident response procedures
  • Describe your virus protection procedure
  • Describe your system administration procedure
  • Describe the encryption methodology being used within your network

The result: No longer are there clear demarcations between those who should and should not have access to company data. Compounding the problem is the fact that an individual may be legitimately able to access one piece of data, say an order entry system, but needs to be prevented from working with other information, for instance customers' credit card information.

Faced with such a complex set of problems, CISOs need to start somewhere to establish a security beachhead.

The perimeter does erect, at least theoretically, a dividing line between a company's network and the Internet, and to many, remains a logical berth for security functions. "Companies now run a number of security applications (intrusion detection, virus protection) on their firewalls," says Rich Mogull, a vice president at market research firm Gartner. In fact, a growing number of perimeter security systems help enterprises ward off the voluminous amount of spam and spyware that constantly tries to overrun their networks. "Firewalls are a great place for delivering features, such as QoS (quality of service) functions, and ensuring that the use of enterprise bandwidth is maximized," notes ICI's Simmonds. In addition, perimeter products enable companies to examine their security needs. "At our perimeter, we collect information about how we are performing, and are able to identify any security gaps that we have," says Bruce Woods, program manager at Progress Energy.

Vendors have responded to this skewering of the network with enhancements to their products. Many firewalls have moved beyond network-level filtering of data to application-layer protection. A number can inspect HTTP-based traffic passing through port 80 and determine whether to block it based on its content.

In other cases, companies are rewriting their security policies. To shore them up, they are moving their perimeter defenses closer to transaction endpoints, such as desktops and data center servers. "A growing number of companies are providing their employees with personal firewalls and virus-checking programs," says Dan Blum, senior vice president at market research firm the Burton Group. In addition, more security checks are being put in place where data enters and exits the data center.

This new environment raises new challenges for CISOs. First, it requires a wider breadth of security products, but management may not want to make these additional investments because security software often can be very expensive. Managing the growing array of products becomes more difficult; a company may have to update software on thousands of endpoints on a regular basis.

Groups such as the Jericho Forum anticipate that such limitations will result in the perimeter becoming less important as a security boundary line. "There is no future in perimeter security; the industry is moving security functions to where they belong--the application," says ICI's Simmonds.

Let me in
With perimeters eroding and extranets growing, security organizations need to counter new threats. Here's how:

Pre- and Post-Connect NAC
To counter problems such as a contractor plugging an unmanaged device into the corporate network, organizations have turned to network access control (NAC). Pre-connect NAC is gaining mainstream presence, and is bought either as a standalone solution or packaged with an SSL VPN. Pre-connect NAC verifies that a connecting device complies with access policies. Non-compliant devices are denied or quarantined.

Post-connect NAC, meanwhile, is not widely adopted, but is the next frontier. Post-connect NAC monitors traffic after a device is granted access. It is especially useful for cordoning off malware to a particular network segment.

"Post-connect NAC gives you the ability to take IPS functionality and bring it into the LAN," says Gartner analyst Lawrence Orans. "IPS is priced too high for deployment in every wiring closet."
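The pre-connect and post-connect checks described above, reduced to their policy logic, as an added example that is not code from the article or from any NAC vendor. The posture attributes (antivirus signature age, missing critical patches, host firewall state), the thresholds and the device records are all constructed; a real NAC product collects posture through an agent or an 802.1X/RADIUS exchange, which is not modelled here. The second class shows the point Al Wendt makes later in the piece: a device that passed at admission can drift out of compliance, so the check has to be repeated.

```python
"""Added example (not from the article): minimal pre-connect / post-connect
NAC policy evaluation.  All posture fields, thresholds and devices are
constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed policy: what a "compliant" endpoint must satisfy.
MAX_AV_SIGNATURE_AGE = timedelta(days=3)
MAX_MISSING_CRITICAL_PATCHES = 0
REQUIRE_HOST_FIREWALL = True


@dataclass
class Posture:
    """Snapshot of an endpoint's health as a posture agent would report it (constructed)."""
    device_id: str
    av_signature_date: datetime
    missing_critical_patches: int
    host_firewall_enabled: bool
    reported_at: datetime


@dataclass
class Decision:
    device_id: str
    action: str                      # "allow" or "quarantine"
    reasons: list[str] = field(default_factory=list)


def evaluate_posture(p: Posture) -> Decision:
    """Pre-connect check: compare one posture snapshot against policy.
    A non-compliant device is quarantined (remediation segment), not admitted."""
    reasons: list[str] = []
    if p.reported_at - p.av_signature_date > MAX_AV_SIGNATURE_AGE:
        reasons.append("antivirus signatures stale")
    if p.missing_critical_patches > MAX_MISSING_CRITICAL_PATCHES:
        reasons.append(f"{p.missing_critical_patches} critical patch(es) missing")
    if REQUIRE_HOST_FIREWALL and not p.host_firewall_enabled:
        reasons.append("host firewall disabled")
    return Decision(p.device_id, "quarantine" if reasons else "allow", reasons)


class PostConnectMonitor:
    """Post-connect check: keep re-evaluating admitted devices and move one to
    quarantine as soon as its posture drifts out of policy."""

    def __init__(self) -> None:
        self.state: dict[str, str] = {}   # device_id -> current action

    def admit(self, p: Posture) -> Decision:
        d = evaluate_posture(p)
        self.state[d.device_id] = d.action
        return d

    def recheck(self, p: Posture) -> Decision:
        d = evaluate_posture(p)
        previous = self.state.get(p.device_id)
        self.state[p.device_id] = d.action
        if previous == "allow" and d.action == "quarantine":
            d.reasons.append("fell out of compliance after admission")
        return d


if __name__ == "__main__":
    t0 = datetime(2007, 7, 1, 9, 0)
    laptop = Posture("contractor-laptop", t0 - timedelta(days=1), 0, True, t0)
    monitor = PostConnectMonitor()
    print(monitor.admit(laptop))
    # Five days later the signatures were never updated: the same device now fails.
    later = Posture("contractor-laptop", t0 - timedelta(days=1), 0, True, t0 + timedelta(days=5))
    print(monitor.recheck(later))
```

The pre-connect decision is a pure function of the snapshot, which keeps it easy to test and to log; the monitor only adds the time dimension, tracking the last decision per device so that a transition from allow to quarantine can be flagged and acted on separately from a device that was never admitted.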

Security Acceptance Testing
Outsourcing application development offshore?

Many organizations are, but how many are including language in service-level agreements for security acceptance testing? Ed Adams, president of consultancy Security Innovations, says organizations should demand to know from developers and vendors how security is integrated into the development lifecycle. Are there security reviews at each phase of the build? How are apps security-tested? What security training is provided to development teams?

"You have to contractually include language for acceptance testing when the app comes back," Adams says. "Demand third-party security certification."

Safety in SSL
It's no secret SSL VPNs are nudging IPsec off its perch as the de facto VPN standard. The Menninger Clinic in Houston allows physicians, clinicians and executives to tunnel into the corporate network via SSL, safely accessing patient data and business documents, and maintaining HIPAA compliance. Vendors also remotely support systems via the same NeoAccel VPN.

"It's very easy to partition access to files or applications and assign permissions since we've tied it to Active Directory," explains security manager Kevin Monser.

Long term, there is a belief that a distributed security model will emerge, one that is based more on secure application development and defenses around data, and less on securing the network perimeter. These trust-based security systems rely on a set of statements about a user, called a claim, to complete tasks such as verifying a person's identity, validating a payment, granting access to sensitive data, or delivering personalized services.

Whether or not trust is granted depends on three components: the relying party, typically an application that requests the claim in order to decide what it can do for the user; the identity provider, which provides the claim; and the user, who decides what information he or she wants to provide to the application.
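The three-party exchange just described, as an added example that is not from the article, the Liberty Alliance specifications or any vendor: the identity provider issues signed claims about a user, the user decides which of them to disclose, and the relying party verifies what it receives before deciding what it will do. Signatures use HMAC with a key shared between issuer and relying party; that is a stand-in for the identity provider's public-key signature used by real federation protocols. The issuer name, the subject, the attributes and the key are all constructed.

```python
"""Added example (not from the article): toy claims-based trust among identity
provider, user and relying party.  HMAC stands in for the IdP's public-key
signature; all names, attributes and the key are constructed."""
from __future__ import annotations
import hashlib
import hmac
import json

ISSUER_KEY = b"constructed-idp-signing-key"   # would be the IdP's private key in practice


def _canonical(obj: dict) -> bytes:
    """Stable serialization so issuer and verifier sign the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _sign(payload: dict, key: bytes) -> str:
    return hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()


def issue_claims(issuer: str, subject: str, attributes: dict, key: bytes,
                 now: float, ttl: int = 300) -> list[dict]:
    """Identity provider: one independently signed claim per attribute, so the
    user can later present any subset without invalidating the signatures.
    Issuer, subject and expiry are bound into every claim."""
    claims = []
    for name, value in attributes.items():
        payload = {"iss": issuer, "sub": subject, "name": name,
                   "value": value, "exp": now + ttl}
        claims.append({"payload": payload, "sig": _sign(payload, key)})
    return claims


def user_select(claims: list[dict], wanted: set[str]) -> list[dict]:
    """User: disclose only the claims the relying party actually needs."""
    return [c for c in claims if c["payload"]["name"] in wanted]


def verify_claim(claim: dict, trusted_issuers: dict[str, bytes], now: float) -> bool:
    """Relying party: the issuer must be one we trust, the signature must match
    (constant-time compare) and the claim must not have expired."""
    payload = claim["payload"]
    key = trusted_issuers.get(payload["iss"])
    if key is None:
        return False
    if not hmac.compare_digest(claim["sig"], _sign(payload, key)):
        return False
    return now < payload["exp"]


def relying_party_decide(presented: list[dict], trusted_issuers: dict[str, bytes],
                         now: float, required: dict) -> tuple[bool, str]:
    """Grant access only if every required claim is present, verifies and
    carries the required value.  Unverifiable claims are simply ignored."""
    verified = {}
    for c in presented:
        if verify_claim(c, trusted_issuers, now):
            verified[c["payload"]["name"]] = c["payload"]["value"]
    for name, value in required.items():
        if name not in verified:
            return False, f"missing verified claim {name}"
        if verified[name] != value:
            return False, f"claim {name} has wrong value"
    return True, "access granted"


if __name__ == "__main__":
    now = 1_000_000.0
    issued = issue_claims("idp.example", "alice",
                          {"role": "partner-engineer", "system": "order-entry",
                           "email": "alice@example"}, ISSUER_KEY, now)
    shown = user_select(issued, {"role", "system"})      # email stays private
    print(relying_party_decide(shown, {"idp.example": ISSUER_KEY}, now,
                               {"role": "partner-engineer", "system": "order-entry"}))
```

Per-attribute signing is what lets the user act as the third party in the text, choosing what to reveal, while still giving the relying party something it can check. The access decision is driven entirely by verified claims, which is how the same user can be admitted to one system (order entry) and refused another (card data) without the relying party ever consulting a network location.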

Various specifications that support trust models have been emerging, such as those from the Liberty Alliance, which has developed specifications for federated identity management and secure Web services.

"In today's business, trust relationships work only if everyone (employees, customers and suppliers) all adhere to the same set of standards," cautions Burton Group's Blum. While the different approaches have gained acceptance, it has been in select, rather than widespread, niches.

As the perimeter continues to dissolve, it's not clear how security will evolve to handle the changing paradigm.

"Because security threats are changing, companies are using a wider variety of products to secure their transactions," says Gartner's Mogull. "Going forward, perimeter devices, such as firewalls, will be one of the items used to make sure transactions are secure, but their exact role is open to question."

Take Away
Understand Insiders Treat outsourced business services (e.g., payroll, CRM) as you would an insider. Same goes for contractors, vendors and business partners. Apply stringent security controls to each relationship.

Liability Most organizations treat applications--especially outsourced apps--as assets. Think of them as liabilities, says Ed Adams of Security Innovations. "Think of security as life insurance. Use it to mitigate a risk," Adams says.

Old News Perimeters have been fading for a while. "This current notion raises awareness, but we've always had the issue of people bringing in laptops, bypassing millions in firewalls, IPS and other perimeter security building blocks," says Gartner's Lawrence Orans.

Get Help Smaller organizations with fewer resources will need to leverage a third party to assess the security of a potential partner.

Consider Post-Connect NAC "A machine can be 'passed' initially but for various reasons, may fall out of compliance. So, a continual check is essential," says Al Wendt, network manager, Altarum Institute.

Move Over, Network Security

As business moves to the Web, security must move to protocols and data, and away from the network. by Paul Simmonds

Network security is dead; long live network QoS.

Let's look at why. Imagine a C-level executive came to you and wanted to know whether he or she could transmit a highly confidential raw text file using TFTP. Every security officer I know, however junior, would explain to them why this is a bad idea.

There are two solutions to the schoolboy problem: harden your border so it's leakproof, and upgrade your infrastructure with NAC, NAP, network sensors, IDS and IPS; or use SFTP or put it in a PGP wrapper.

While I know of a few three-letter agencies that may choose the first solution, in the real world there is no ROI case for it. And the reality is that when you are encrypting the data, or using secure protocols, all those expensive network monitoring solutions on your network have just been bypassed as they can no longer inspect traffic. This simple illustration demonstrates why traditional network security measures are no longer viable in today's extended enterprise.

When you have to manage a large multinational corporate network, you are unable to physically constrain the boxes and wires. Nor is there a practical way to control thousands of devices that need to connect daily--most being automatically allocated an IP address (using DHCP). Then add the fact that you are letting through port 80, for both the Web and applications, and your border has a slew of gaping holes for applications, connections to third parties, joint ventures, business partners and others.

So what can we do at the network layer? Well, the network is good at being resilient, and there are many additions to ensure traffic is protected against flood DoS attacks, not to mention traffic shaping. But all this is just ensuring that the network has the appropriate level of quality of service. Ultimately it is doing nothing to protect the data.

As our intranets continue the slide toward looking more and more like the Internet--we continue to move ever increasing numbers of devices to Internet/public IP addresses--the security must move to the protocols and data.

Thus, the fundamental question you should ask is: "If I can design my device to work securely on the Internet (day-in, day-out), why would I want to operate with a reduced security posture on the intranet?" To which the answer is: "I wouldn't, but the insecure design of many current applications forces me to."

So we gradually move to applications that use secure protocols and design out any reliance on the network other than for transport of the raw packets.

The goal, therefore, is to be able to design your systems to run securely on the raw Internet, and then run most of them on an intranet that provides guarantees around throughput and latency.

Obviously, anyone with "network security" in their title will probably not relish the thought of being called a "network QoS something," to which my retort would be "get over it." Networks are about ensuring that data is smoothly delivered from one point to the other, so a network QoS specialist should be a very honorable profession. But don't confuse it with security.

Paul Simmonds is a board member of the Jericho Forum, and CISO of U.K. chemical company ICI.

Place Your Trust in the New Perimeter

Trusted systems fall in where today's firewalls fall short, keeping watch on a litany of new connections and devices. by Bob Blakley

The perimeter was always an illusion.

Our elders (Jim Anderson, Roger Schell, Paul Karger, and many others) told us from the beginning that we needed trusted systems to do important work. A trusted system, in their parlance, was one whose policy was not in the hands of the user or the system owner, but instead in the hands of a trusted module called a reference monitor.

The security community agreed that reference monitors were the right structure for secure systems, and started to build them. But a funny thing happened on the way to the reference monitor: A bunch of users got trapped inside. They had to be, because it was the only place they could get useful work done.

Trusted systems are difficult to build. You have to design and code very carefully. You need to understand the mission, threats and security requirements before you build. This makes trusted systems expensive. It also makes them inconvenient; you have to accept limitations on features in the name of security.

These limitations make it difficult to do work, which drives users to try to get around the limitations and get "inside" the trusted system's inner sanctum.

We told ourselves this was OK. We told ourselves that there was nobody in here but us chickens--the good guys--so we could wall ourselves in with a bunch of highly functional, usable and untrusted systems, and surround the whole thing with a few boring, expensive trusted machines: the perimeter. We said this was the equivalent of one big trusted system.

Our first mistake was assuming that good guys exist. The bad guys kept getting in by lying to us and claiming to be good guys (Pirate!).

Our second mistake was assuming that we could surround untrusted systems. It turned out that because the untrusted systems were highly functional, they kept sprouting new ways to connect. And because they were also highly usable, people kept wanting to connect them to lots of things to get work done. And the perimeter hadn't been designed to keep an eye on the new connections.

The perimeter, it turned out, wasn't in enough places, so it wasn't effective. But the perimeter isn't disappearing, it's metastasizing. It's moving from a few systems at the boundary of an IP subnet onto endpoints in the form of personal firewalls and host-based IPS. It's moving onto email servers in the form of malware scanners. It's moving onto appliances in the form of packet filters. It's moving onto app servers and even end-user clients in the form of TPMs and virtual machines.

Soon the perimeter will be everywhere. You won't recognize it as a perimeter, because its functions won't all look like what a firewall used to do. Instead, the new perimeter will look like a flock of special-purpose security appliances. This means that we will have to pay a lot more attention to topology; form will follow (security) function in our systems.

The new perimeter will not disconnect systems; it will connect them. Connections will be dictated and enabled by the existence of an effective special-purpose security device. In the end, we will arrive at the place from which we began: each functional component will be a little trusted system, with its own tiny perimeter--because, as we always knew, that's the right structure for secure systems.

Bob Blakley is principal analyst with Burton Group.

Case Study
Walking the Walk

Home Depot evaluates potential partners' security; those that don't pass muster, don't do business with the retailer. by Michael S. Mimoso

Not every Home Depot specialist on an outcall is on his way to a kitchen renovation or hardwood floor installation. If they work for information risk manager Tony Spurlin, they're on their way to one of the corners of this country to assess the security of a potential partner.

Home Depot is walking the walk many enterprises only talk about; it's proactive about only doing business with partners whose security posture is upright.

"We feel a lot better about having our data processed by our vendors," Spurlin says of the assessment process, which is based on his homegrown Information Security Framework. "Over the years, we've found a significant amount of vulnerabilities that would have been in place if we had not done onsite assessments."

The onsite assessments are required of application service providers, vendors, marketing analysis firms, outsourcing partners and other third parties that want access to Home Depot data or systems. Engineers spend up to two days at the partner's location conducting interviews and evaluating the partner's technology and how it is managed in accordance with the partner's policies.

"If there are issues, we recommend remediation, and they must remediate before anything goes into production," Spurlin says. "We literally connect to their internal networks and perform assessments using custom-built tools and tools bought off the shelf to verify they manage deployments as stated, and if they meet our standards."

Partners requesting access to private, sensitive data are re-evaluated annually; others are evaluated once.

Spurlin says some partners are initially uncomfortable with the prospect of Home Depot poking about their security in order to determine patch levels, the currency of antivirus and IDS signatures and the thoroughness of their vulnerability assessment processes. Some offer SAS 70 audits as an alternative, for example, but that's not enough to soothe Home Depot.

"When we talk to them about the value-add they're getting here--a free snapshot of their security environment--we have not had one say no," Spurlin says. "Most of the big auditing firms charge $25,000 a day. This is part of our due diligence."

Once onsite, engineers conduct interviews on the technology and management controls that maintain the partner's security. Next is the testing phase, where the systems and applications that will be used to conduct business with Home Depot are audited. The partner gets a report with remediation recommendations, and a timeline for fixes (usually 30-45 days).

"We're looking for policies that map to ours, and that the partner can maintain and sustain it during their relationship with Home Depot," Spurlin says.

He expects close to 100 onsite evaluations; the process has been in place for four years, Spurlin says, with the latest tweaks around application security.

"We've stepped up our application-layer testing and increased our questionnaire points around the area of integrating security in the development lifecycle," he says.

"The return for Home Depot is huge. We're an $83 billion company. The cost of sending staff on an assessment is less than one-tenth of a percent of that," Spurlin says. "At the end of the day, the Home Depot brand is the most important thing we protect."

Michael S. Mimoso is Editor of Information Security.

This was last published in July 2007