Inside out security

If you’re into IT security, it’s pretty hard to avoid discussions about deperimeterisation: the loosening of controls at boundary level in favour of pervasive security throughout the network, systems and applications. The idea’s not new, but it’s certainly a hot topic right now.

Everybody seems to be talking about it – and while there are senior IT managers and security experts who are fully and publicly embracing the idea, there are also those who are feeling more than a little apprehensive about this talk of breaking down the barriers at the edge of the network. After all, it’s just not safe out there – and we’ve all seen the statistics to prove it.

But opening up the networks provides us with opportunities as well as threats. It’s time to stop looking at security from the outside, and focus instead on looking at security from the inside out.

Manning the battlements

The fact that deperimeterisation is causing some worried muttering within the security community is not that surprising. For years we have been working towards attaining the goal of a network boundary that is 100 percent secure. Security managers have tended to adopt a siege mentality, and softer boundaries appear to be contrary to everything that we are working for.

But we need to stop thinking of our network as a medieval citadel under attack. After all, those fortresses, with their thick, high stone walls, were excellent at deflecting an enemy for a fixed period of time. But once that enemy got inside the walls, the fight was over within a matter of hours. The same is true of most IT networks. Once the hard outer shell has been penetrated, it is fairly straightforward to run rampage through IT systems and cause untold amounts of havoc.

And of course, barricading yourself behind high walls doesn’t let the good guys in, doesn’t stop internal attacks from rebellious subjects, and isn’t exactly flexible. But flexibility is what the modern business is all about.

Firms need to expand. They want their salespeople to remain connected through their mobile devices and remote access. They want to collaborate easily with partners and integrate business processes with customers and suppliers. Unlike fixed stone walls, the boundaries of the modern business are shifting all the time.

Seizing opportunities

This is not the time for security experts to revert to their negative, jackbooted stereotype. The ‘trespassers will be prosecuted’ signs – along with the negative expressions and shaking heads – need to be abandoned. Although we all like to think of ourselves as knights in shining armour, rescuing our organisations from marauding outsiders, it’s time to update this self-image. The fact is we need to be modern, twenty-first century intelligence agents, not twelfth century warriors.

Instead we should see these new developments as an opportunity. Let’s face it, 100 percent security of the network boundary has always been an almost impossible task. As Gene Spafford, Director, Computer Operations, Audit, and Security Technology at Purdue University put it: “The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn’t stake my life on it…” Nor would you be able to use it.

Added to that of course, is the fact that boundaries keep moving: new devices, new locations, additional business partners, illicit downloads and the latest applications, all add to the ever-expanding perimeter, making it increasingly difficult to define, never mind secure. And then there’s the weakest link of all: the people. Employees, being human, insist on making basic mistakes and leaving their passwords lying around or opening dubious attachments.

Deperimeterisation can, therefore, be seen as a chance to stop going after the impossible, and to focus effort on achieving acceptable levels of risk. No more tilting at windmills. No more running to stand still.

More than that, this is a real opportunity to align security with overall organisational strategy, and to prove the value that it adds to the organisation. To do that, we need to understand where the call for opening up the networks is coming from.

Harnessing the drivers

Deperimeterisation is driven by several business needs. Firstly, the desire for the ‘Martini principle’ – anytime, anyplace, anywhere computing.

Mobile and flexible working have become a normal part of the corporate environment. This is happening by default in many organisations, who now wish to take control and effectively manage the multitude of vendors, applications, devices and documents that are springing up throughout the company.

The second driver is cost. Accessing applications through a broadband-enabled device, using XML or web services, reduces the costs associated with connectivity and maintenance of leased lines, private exchanges and even VPNs. At the same time, the ‘always on’ connection increases availability, and with it flexibility.

Finally, there is a need for approved third parties to gain access. In the digital networked economy, collaborative working models with partners, joint ventures, outsourcers or suppliers require secure access to data in real time – which cannot be achieved with a tough impenetrable network boundary.

If we look at the oil and gas industries, which have been early adopters of deperimeterisation – or ‘radical externalisation’ as it is known in BP – we can see clear examples of all of these drivers. Significant numbers of workers are on the road or in remote locations at any given time.

Companies tend to make a great deal of use of outsourcers and contractors, and undertake joint ventures with other firms who are partners in one region but competitors in another. As a result they have long recognised the need to let partners have access to one part of the system, while keeping the doors firmly barred on others.

In fact around ten percent of BP’s staff now access the company’s business applications through the public internet, rather than through a secure VPN. This is the first step in a move towards simplification of the network and enabling access for up to 90,000 of the oil company’s third party businesses.

This picture of a flexible, cost effective, and adaptable business is, not surprisingly, very attractive. And not just to those in hydrocarbons. But efforts to achieve it can be hampered by current security thinking. As experts, we need to reverse this, and be seen as an enabler once more.

Our responsibility is to make sure that everyone is aware of the risks and can make informed decisions. After that, it’s about putting adequate controls in place. This shift in thinking offers us a real possibility that security, indeed IT as a whole, can be brought in from the cold and get a much-needed voice at board level.

Back to basics

But before we tear down the firewalls and abandon ourselves to every virus infestation out there, let’s take a look at what ‘inside out’ security really involves. Deperimeterisation is actually something of a misnomer. It’s not about getting rid of boundaries altogether. Rather it’s a question of re-aligning and refocusing them.

So instead of a single hard shell round a soft centre, an organisation has a more granular approach with internal partitions and boundaries protecting core functions and processes – hence the inside out approach. Typically the hard controls around the DMZ (demilitarised zone) will move to sit between the red and amber areas, rather than the amber and green.

Which takes us back to some basic principles of security management: deciding which parts of your systems and accompanying business processes are key and focusing on their security. Rather than taking a ‘one size fits all’ approach, inside out security requires us to look at protecting our information assets from the perspective of what needs to be secured and at what level.

The decision should be based upon another fundamental tenet of good security practice: thorough assessment of risk. That customer database from three years ago may be of limited value now, but if the contents are leaked, the consequences could be disastrous.

Although policy control and management have always been a fundamental factor in any security measures, they will take a far more central role than they have enjoyed so far. Federated security, granular access and rotating users all demand close control. Updates to policy that reflect both changes within the organisation and changes to its immediate environment will be required on a more regular basis than ever before.

We also need to make sure that we still get the basics right. For example, viruses are not going to go away: there will always be new variants and new vulnerabilities. The 2004 edition of the DTI information breaches survey shows that a massive 74 percent of all companies suffered a security incident in the previous year, and 63 percent had a serious incident. Viruses still accounted for 70 percent of these, which seems to indicate that, despite their prevalence, there is still a lack of maturity in incident management procedures.

Firewall vendors don’t need to panic just yet – there is still going to be a need for their products in a deperimeterised system. The difference is that these will no longer sit at the very edge of the network, but will be strategically placed inside it, at device, data or even application level.

Identity management

While firewalls may sort the ‘good’ HTTP traffic from the bad, they cannot discern the difference between authorised and unauthorised traffic. You also need to identify what and who you trust from both internal and external sources: which of your own people should have access to what systems and processes, and where you are going to allow partners, customers and the public to go. That means that user authentication and identity management are going to play an increasingly important role – with two-factor authentication being the bare minimum.

Access policies will become more precise, based on a ‘least privilege’ model, to ensure that only the parts of the system required for the job will be available. Like all policies this will need to be monitored and updated to match employees moving through the organisation, and to keep up with changing relationships with partners.

Identity management will ensure that no unauthorised personnel have access to any part of the system, and will be a major factor in maintaining compliance. With a more open network, organisations will still have to prove that confidential data on personnel or financial management has not been subject to unauthorised access.

With the Data Protection Act, human rights legislation, Sarbanes-Oxley, European accounting standards and a dozen other rules and regulations to navigate, providing accurate audit trails of who has accessed, or attempted to access, critical data will remain a basic legal requirement.
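The three requirements set out above – a least-privilege policy that grants only what the job needs, a two-factor check before any access, and an audit trail of who accessed or attempted to access critical data – can be shown together in one small access gateway. The following Python is an added example, not code from the article or from BT; the roles, resources, users and organisations in it are constructed for illustration, and the deny-by-default evaluation order is a design choice rather than anything the article prescribes.

```python
"""Least-privilege access gateway with an audit trail (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Tuple

# Constructed policy: each role maps to exactly the (resource, action) pairs the
# job requires. Anything not listed is denied by default (least privilege).
# Partner roles are scoped to the one part of the system they are allowed into.
ROLE_PERMISSIONS: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "finance_clerk": frozenset({("ledger", "read"), ("ledger", "write")}),
    "hr_officer": frozenset({("personnel", "read"), ("personnel", "write")}),
    "partner_logistics": frozenset({("shipments", "read")}),
    "auditor": frozenset({("ledger", "read"), ("personnel", "read")}),
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: FrozenSet[str]
    organisation: str   # "internal" or the name of a partner organisation
    mfa_verified: bool  # has two-factor authentication been completed?


@dataclass
class AuditEvent:
    timestamp: str
    user_id: str
    organisation: str
    resource: str
    action: str
    allowed: bool
    reason: str


@dataclass
class AccessGateway:
    """Evaluates every request against the policy and records the outcome,
    whether it was allowed or refused, so the audit trail covers attempts too."""
    audit_log: List[AuditEvent] = field(default_factory=list)

    def _decide(self, p: Principal, resource: str, action: str) -> Tuple[bool, str]:
        # Two-factor authentication is the bare minimum: no 2FA, no decision on roles.
        if not p.mfa_verified:
            return False, "two-factor authentication not completed"
        for role in sorted(p.roles):
            if (resource, action) in ROLE_PERMISSIONS.get(role, frozenset()):
                return True, f"permitted by role '{role}'"
        return False, "no role grants this resource/action"

    def authorise(self, p: Principal, resource: str, action: str) -> bool:
        allowed, reason = self._decide(p, resource, action)
        self.audit_log.append(AuditEvent(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user_id=p.user_id, organisation=p.organisation,
            resource=resource, action=action, allowed=allowed, reason=reason))
        return allowed

    def access_report(self, resource: str) -> Dict[str, List[str]]:
        """Who accessed, and who attempted to access, a given critical resource."""
        report: Dict[str, List[str]] = {"accessed": [], "attempted": []}
        for e in self.audit_log:
            if e.resource == resource:
                key = "accessed" if e.allowed else "attempted"
                report[key].append(f"{e.user_id}@{e.organisation}:{e.action}")
        return report


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Run a few constructed requests and return the reports for two resources."""
    gw = AccessGateway()
    alice = Principal("alice", frozenset({"finance_clerk"}), "internal", True)
    bob = Principal("bob", frozenset({"partner_logistics"}), "acme-logistics", True)
    carol = Principal("carol", frozenset({"hr_officer"}), "internal", False)

    gw.authorise(alice, "ledger", "write")     # allowed: within her role
    gw.authorise(bob, "shipments", "read")     # allowed: partner's scoped access
    gw.authorise(bob, "ledger", "read")        # refused: outside partner scope
    gw.authorise(carol, "personnel", "read")   # refused: 2FA not completed
    return {"ledger": gw.access_report("ledger"),
            "personnel": gw.access_report("personnel")}


if __name__ == "__main__":
    for resource, report in demo().items():
        print(resource, report)
```

The point of logging refused requests alongside allowed ones is that the audit trail then answers the regulatory question the article poses (who accessed, or attempted to access, critical data) rather than only the first half of it; the partner’s refused attempt on the ledger appears in the report as evidence that the boundary between that partner’s area and the rest of the system held.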

You can never be too thin

It almost goes without saying that identity management is much easier when the identities belong to an organisation’s own employees. Enforcing policy at a partner organisation is that much harder.

And, given that it is hard enough to ensure that your own users have configured their devices properly, it seems unlikely that any of us will be able to guarantee that partners have done so. But this is crucial, since ill-configured laptops and PDAs represent a significant security risk at both the outer edge and in the core of the network.

It seems that inside out security will act as an impetus towards a more thin-client based architecture. Centralised systems are easier to secure than documents, applications, data and network connections spread over different gadgets and different locations. A centralised model also eliminates the problems associated with accessing the network from inappropriate devices.

In one company that has already adopted deperimeterisation, employees are responsible for their own laptops, including the latest patches and anti-virus protection. But the laptops are thin clients, which means that IT staff can focus on the security of the central server and the information on it, rather than trying to secure an undefined group of peripheral appliances.

Whether there will be a mass migration to thin client models – or even on-demand, utility computing, which seems to be the next logical step – is impossible to predict. What we do know is that the move to inside out security, radical externalisation, deperimeterisation or whatever other names it acquires, will depend on architecting the environment correctly – and maintaining the right levels of control. A flexible working model for information security management systems that can match the flexibility of the business as a whole is also going to be vital.

The debates about deperimeterisation will doubtless continue. There is still a lot of work to be done on standards and interoperability of systems. But what we can be pretty sure of is that security experts should prepare themselves for a fundamental change in approach.

Ray Stanton, Global Head of BT Security Practice, will be speaking at FIRST Security Conference in Sevilla. FIRST is the premier organization and recognized global leader in incident response. For more info, visit FIRST's website at http://www.first.org.