Internet Security via De-Perimeterisation–Adapting to Changing Markets, Technology, Behavior: Outdated Castle-and-Moat…

Security: The most challenging aspects of enterprise security are the changing types of threats and the shifting business environments being protected (e.g. mobility, cloud…); other trends are also altering the way we work.


Business security networks appear completely unprepared to deal with threats from new communication technologies, risky user behaviour, interoperability with third-party systems, outsourcing… The perimeter-based traditional security approach (i.e., the castle-and-moat model) hinders the development of enterprise systems and creates the delusion of protection.

To overcome these threats, de-perimeterisation, a data-safety oriented paradigm, was conceived: De-perimeterisation is a term coined by the ‘Jericho Forum’ to describe the erosion of the traditional ‘secure’ perimeters or ‘network boundaries’ as mediators of trust and security. Today’s successful enterprises must be structured to be adaptable to market changes with regard to people, process and technology. If the information systems and processes that support the enterprise cannot adapt easily enough to let the enterprise adapt, then the enterprise loses its competitive position in the marketplace…

Although most organisations already have some form of perimeter security mechanism (e.g. firewalls, encryption, authentication…), many have not bothered very much with the question of what happens if and when information-data leaves the business premises on USB memory sticks, CD-Rs… methods frequently used by employees. However, change is beginning to occur as traditional enterprise security vendors look to include additional levels of control in their offerings…

According to the ‘Jericho Forum’, de-perimeterisation is simply the concept of architecting security for the extended business boundary and not for an arbitrary IT boundary. At the business level, de-perimeterisation can be simply described as the changes that stem from the natural desire of organisations to interact with the world outside their organisation: It’s a concept-strategy for protecting an organisation’s information-data on multiple levels with a mixture of encryption, inherently secure computer protocols, inherently secure computer systems, data-level authentication… In contrast, an organisation typically relies only on its (network) boundary-perimeter security…

According to Mark Waghorne, KPMG, for many organisations de-perimeterisation may not be the best security solution, given the complexity of managing the approach… de-perimeterisation probably suits larger, more connected organisations better than smaller organisations. According to Paul Simmonds, de-perimeterisation of network security is inevitable as companies continue to form closer links with business partners; de-perimeterisation is a trend that business cannot afford to ignore…

In the article Business Security–Beyond the Firewall, Richard Anstey writes: Today’s disruptive technology is changing both how we do business and how businesses are structured. Enhanced connectivity and cloud computing, together with trends such as ‘bring your own device’ (BYOD) and flexible working practices, are blurring the line between internal-external business processes and calling established security strategies into question.

The protective security barrier around physical networks provided by firewalls is increasingly anachronistic as a primary defence mechanism. Whether businesses sanction it or not, employees are collaborating freely, and increasingly conducting their work outside the perceived ‘protection’ of the firewall, leaving corporate data more vulnerable than ever before.

Business security should no longer be dependent on reinforcing perimeters, but rather on protecting data while enabling secure and free-flowing collaboration. To accomplish this, CIOs need to evaluate security strategies based on their flexibility rather than their rigidity, enabling secure and effective communications regardless of access point. This disintegration of established protective perimeters and the evolution of an open architecture are termed de-perimeterisation.

As systems become more interconnected, they offer ripe pickings for the technologically advanced attacker. Now, more than ever, business users are operating across and around organisational perimeters, and the resultant blurring of barriers has widened the opportunity for attack… Security needs to be revisited; trying to maintain one universal line of network security defence is a losing battle.

The focus should be on securing the data itself rather than the networks. A de-perimeterised security structure shifts the reliance on an outer boundary to a blend of powerful encryption, secure protocols and effective authentication. Such an approach addresses changing security needs raised by BYOD, cloud services and an increasingly mobile workforce, and employees are able to securely access the information-data that they require from the device and location of their choice.

Collaboration with partners and colleagues can also then occur in the cloud in a managed and secure way, enhancing business processes and productivity… There can be no doubt that this is a time of significant change for business. Progressive businesses and CIOs are recognising that traditional tried-and-tested security models do not suit the new connected shape of business today; however, technologies such as 4G… are acting as catalysts for implementing new security approaches to meet the needs of a more connected workforce, as well as enhancing business productivity, securely.

In the article Rethinking De-Perimeterisation, André van Cleeff writes: For business, the traditional security approach is the hard-shell model: An organisation secures all its assets using a fixed security border, trusting the ‘inside’ and distrusting the ‘outside’. But as technologies and business processes change, this model loses its attractiveness. In a networked world, ‘inside’ and ‘outside’ can no longer be clearly distinguished.

We don’t question the reality of de-perimeterisation; however, we believe that the analysis of the security problem, as well as the usefulness of the proposed solutions, has fallen short: The notion that there is a linear process of blurring security boundaries, in which security mechanisms are placed at lower and lower levels until they only surround data, is debatable.

To the contrary, typically there is a cyclic process of system connection and disconnection; and as conditions change, the basic trade-off between accountability and business opportunities is made appropriately every time… Apart from that, data-level security has inherent limitations, and there is great potential for solving security problems differently, by rearranging responsibilities between business and individuals…

In the article IT Security, David Lacey writes: Corporate perimeters are already leaking confidential data and letting in malware. The situation will progressively get worse. It’s not good enough to shore up traditional security defences; we must be more proactive and implement new solutions.

A survey of 100 top security practitioners was illuminating: Around 70% believed that ‘insiders’ represent the greatest risk, with employees at the top of the list. Traditional ‘hard shell’ security doesn’t address this risk. A majority of those polled also believe that their security network already has a porous perimeter. So what exactly do we need to make it work? In many views, the key enablers are strategy and architecture. Achieving true de-perimeterisation will require state-of-the-art components assembled in a state-of-the-art architecture.

We need new, ambitious infrastructure, such as a ‘modern federated identity management system’ that can work efficiently across an ‘open network’ security environment. However, implementing such infrastructure is not a trivial task. It involves a complete rethinking of authentication, provisioning, management processes… It demands an architecture and network topology that can deploy encryption, authentication and policy enforcement controls in the most effective positions. But most of all, it requires a big vision, an up-front investment in technology and a realistic migration plan.

The single biggest change in the business security-threat landscape is the ongoing transition from mass-produced, scattergun-style spam, phishing and defacement campaigns to highly customised and sophisticated attacks… The biggest challenge is the increase in mobile devices being used in the work environment and the breakdown of the relationship between their owners (i.e., workers) and corporate IT…

According to Anthony Caruana, two things are of big concern: the erosion of the effectiveness of ‘two-factor’ authentication, and the rising popularity of social engineering among a class of attackers who previously haven’t presented much of a threat…

According to some experts, authentication is a growing issue, and if viable solutions are not forthcoming, it may necessitate less desirable alternatives, such as a move to single-use transaction devices, for example a tablet computer issued by a bank that can only connect to the bank and nowhere else... However, according to most experts, security done well can best be described as security built into the very DNA of an organisation: Every business process, every job function, every requirements specification must have information-data security built in as a key consideration.

Security becomes part of the culture of an organisation… there needs to be a pragmatic approach, negotiated with workers, in which the benefits for workers and business are highlighted… For example, considerations such as: Can you hook your own iPad up to the company network? Yes. Do you get to make all your own decisions on configuring the iPad? No. Can you install any app? No. Can you get rid of the passcode because it’s irritating? No… In return, of course, the workers’ personal data on the device will be safer, too… It’s a win-win for business and workers.

The Jericho Forum’s commandments for information security are: The scope and level of protection must be specific and appropriate to the asset at risk. Security must enable business agility and be cost-effective. Boundary firewalls may continue to provide basic network protection, but individual systems and data will need to be able to protect themselves. Security mechanisms must be pervasive, simple, scalable and easy to manage.

Security systems designed for one environment may not be transferable to another. Thus it’s important to understand the limitations of any security system. Devices and applications must communicate using open, secure protocols. Security through obscurity is a flawed assumption: secure protocols demand open peer review to provide robust assessment and wide acceptance and use. The security requirements of confidentiality, integrity and availability should be assessed and built into protocols as appropriate, not added on…
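The commandment that “individual systems and data will need to be able to protect themselves”, together with the insider-risk survey and the BYOD policy questions above, can be made concrete as two access-decision policies. This is an added illustration, not code from the article or from the Jericho Forum; the address ranges, request fields and sample requests are constructed assumptions.

```python
"""Perimeter-trust vs. data-level access decisions (constructed illustration)."""
from dataclasses import dataclass

# Assumed corporate address ranges: the only thing a castle-and-moat check looks at.
INTERNAL_NETWORKS = ("10.", "192.168.")


@dataclass(frozen=True)
class Request:
    user: str
    source_ip: str
    authenticated: bool       # strong (e.g. federated) identity verified
    device_managed: bool      # device meets policy: passcode on, approved apps only
    transport_encrypted: bool
    asset: str                # the data object being requested
    clearance: frozenset      # assets this identity is entitled to


def perimeter_policy(req: Request) -> bool:
    """Castle-and-moat: anything already inside the network boundary is trusted."""
    return req.source_ip.startswith(INTERNAL_NETWORKS)


def data_level_policy(req: Request) -> bool:
    """De-perimeterised: the asset itself checks identity, device posture, transport
    and entitlement on every request; network location is not a trust signal."""
    return (req.authenticated and req.device_managed
            and req.transport_encrypted and req.asset in req.clearance)


def decide(req: Request) -> dict:
    """Evaluate both policies so the difference is visible side by side."""
    return {"perimeter": perimeter_policy(req), "data_level": data_level_policy(req)}


# Constructed sample requests (names and addresses are made up).
INSIDER = Request("mallory", "10.1.2.3", True, True, True,
                  "payroll.db", frozenset({"wiki"}))            # inside, not entitled
REMOTE_STAFF = Request("alice", "203.0.113.7", True, True, True,
                       "payroll.db", frozenset({"payroll.db"}))  # outside, entitled
ROGUE_BYOD = Request("bob", "10.1.2.9", True, False, True,
                     "payroll.db", frozenset({"payroll.db"}))    # inside, unmanaged device

if __name__ == "__main__":
    for req in (INSIDER, REMOTE_STAFF, ROGUE_BYOD):
        print(req.user, decide(req))
```

The perimeter policy admits the unentitled insider and the unmanaged personal device simply because they are on the internal network, while rejecting the entitled remote worker; the data-level policy reaches the opposite decision in all three cases.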

The trouble with most companies is that they grow from a security system that works into one that no longer fits their changing requirements. Proper change controls and regular reviews are necessary for improving enterprise security and mitigating potential business internet-communication risks…