CISOs have spent the past few years perfecting digging moats around the corporate castle. Now, as they lift their heads out of the trenches, they find themselves living in the age of bomber planes and guided missiles.
The problems with perimeter-based security are neither new nor unclear. Corporate information systems increasingly rely on tools and processes that exist outside the protective embrace of the traditional firewall. Wireless, mobile, remote and ad hoc are the watchwords of today's business, with employees, partners and customers often using two or three different devices—ranging from laptops to cell phones to kiosks at the local Internet café—to connect to corporate data. And the demand for additional network-reachable resources can force companies to punch more holes in their once reasonably secure perimeters.
There's no indication that this trend is going to reverse itself. But what defensive model comes next for information security if the perimeter goes away? That question has been the subject of lots of creative speculation. Attend any conference keynote and you'll likely hear the castle-and-moat metaphor replaced by a litany of other images: cloth weaving, germs and cells, submarine warfare, peanut butter sandwiches, onions, oil and water, and even Snickers bars.
Those metaphors are useful, though they serve only as a starting point for discussion in what has become a very complex information security world. If CISOs are to keep up with the rising tide of threats—from zero-day code exploits to fraudulent insider hijinks—the conversation has to turn to specific, concrete ways to build abstract concepts such as flexibility, agility, responsiveness, redundancy and diversity into the infosec defense model.

Think Before (Re)Acting

The fundamental first step in reworking information security is to clear your to-do list and make room for architectural and strategic rethinking. Experts say the rate of technological and regulatory change makes that rethinking tougher than it sounds, but today's disappearing perimeter makes a little think time crucial.
"So many of our security practices assume we have one static and controllable security architecture," says Richard Baskerville, chairman of the CIS Department at Georgia State University. "[But] your boundary is now logical; it's no longer a physical perimeter," he adds. "And that sucker can snake out all over the place"—particularly in a world where Web services will begin connecting networks autonomously, "CSOs will soon need agile practices to manage many interconnected and changing security architectures simultaneously," says Baskerville. "It's more like managing security threads woven together into a fabric. Each thread must be strong, and the fabric weave must also. The security manager is constantly reweaving new threads. [For instance,] a policy review might occur on the fly as part of a security response to a network reconfiguration. Similarly, a security architecture review may be rapidly required to certify a new [virtual private network] connection to a trading partner."
Those threads can become a management nightmare, however. With new technologies coming online every day, keeping security policies in line with technical reality can resemble swatting bees—while sitting in the middle of a swarm. Dial-in networks with highly secure dial-back boxes have been replaced by broadband connections all running through Port 80—a port necessarily left open on most firewalls. Coaxial cable connections have made way for wireless. And hackers refine their tools every day.
Tracking these developments is a must, yet it carries a subtle downside: It can so distract CISOs that they fail to develop an overarching, active approach to security that can cover all contingencies. Even security mandates such as the Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley, which provide guidelines for a corporate security model, can contribute to the problem. CISOs can get bogged down in compliance with the regulation of the day rather than keeping an eye on the big picture.
"It is tempting to look at the strategic models [such as HIPAA] as recipes for security success when they are really best used either as a checklist to ensure that a company's strategic security plan isn't missing important elements, or as a benchmark for strategies and policies," says Amy Ray, trustee professor of computer information systems at Bentley College.
"The key is to get out of a reactionary security position [where you] focus on patching existing systems only, without looking at security as a competitive weapon, and into a proactive security position where security investments are prioritized based on a strategic understanding of the architecture and use of information systems," says Ray. But, she confesses, "such a change in thinking isn't easy, especially for companies facing compliance issues."
Making that strategic shift may not require a complete reorganization of existing security management and infrastructure, however. Instead, adding a few key pieces could make all the difference. "The traditional paradigm for information systems security has been centralized and hierarchical and based on control—as it should be," says Baskerville. "You have to be able to control these systems. But that paradigm is increasingly out of sync with decentralized information resources, many of which the organization has limited ownership or control over."
Given that situation, he suggests, information security organizations must consider creating two groups of security professionals: one that deals with traditional, centralized information resources, and another, a security skunk works that lives on the borders of the organization, where creativity and innovation are valued more than rigid structure. (See Sniffing Out a Skunk Works.)

Metaphors R Us

Another part of the shift promoted by several experts involves a complete change in how security organizations view their efforts. "You cannot protect every house in the nation, so you create a border to the country," says Elad Baron, CEO at security provider Whale Communications. "The problem [with information security] is that you need lots of access, not just minimal access through those borders. There is still a perimeter, but you need to switch the paradigm from preventing everything to allowing secure access from anywhere."
Charles Palmer, head of security research at IBM, agrees that tipping today's model on its head makes sense. "Try to write down how many people have access to your house. You can do it because there are a limited number of people to whom you have given access rights," Palmer says. "If you walk into my house and you don't punch in the magic code [on my alarm system], you obviously shouldn't be there."
Today, however, many security systems attempt to keep a list of everybody who shouldn't be inside corporate walls—and that will never work, says Palmer. With new people being born every day and yesterday's good people sometimes going bad, "you are never going to have a complete list," he says.
Such a shift in approach will require some technological changes, of course. Whale Communications promotes secure sockets layer virtual private networks and related tools as steps along the path to universal secure remote access. And today's identity management systems certainly can solve part of the problem, but ultimately, security needs to be intrinsic in every system and every user in order to maintain control and keep the bad guys at bay. If everyone carried their security with them, any connection they made would be automatically more secure. And new technologies on the horizon could make that model a practical reality in just a few years.
"I think the model that you need to go to is security technology that's identity-enabled," says Bernie Cowens, vice president of security services for Rainbow eSecurity. "You may have something like a key that fits on a key ring; we're all used to that paradigm. We have this key; we can plug it into this PC or my PDA or my workstation at home," says Cowens. "When you're using hardware or a smart-card-based technology, we have a higher assurance already because we're not relying on a password." Better yet, Cowens adds, people have much experience protecting physical keys. "That's the beauty and value of hardware—you know when it's gone," he says. "And people are used to protecting their car keys or their house keys." And while many people tape their passwords to their monitors on a regular basis, very few would consider taping their house keys on the front door.
IBM's Palmer touts an even more encompassing approach proposed by Trusted Computing Group (TCG), an industry organization consisting of IBM, Microsoft, Intel, Sun and many others. Under TCG's plan, most computing hardware would contain a chip that would allow for simple, secure authentication. "The idea is to come up with this chip, this little island of trust that will make you feel better," says Palmer. "It's not just a place to store your passwords; it can use cryptography to do mathematical proofs about who you are. So you put some secrets in this little chip and do the mathematics to say, 'This is Charles's laptop.'" The chip could also perform even more functions, such as securely identifying what machine produced a given word-processing document or e-mail message. (These same features, of course, have caused some observers to decry TCG's potential to limit privacy and free-speech rights.)
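The "little island of trust" Palmer describes boils down to a challenge-response exchange: the device holds a secret that never leaves it, the verifier sends a fresh random challenge, and the device returns a cryptographic proof over that challenge. The following is an added example, not code from the article or from TCG. It assumes an HMAC-SHA256 stand-in for the asymmetric keys real TPM-class hardware uses (so the verifier here must hold a copy of the secret, which a public-key design avoids), and it shows the checks a verifier needs in practice: single-use challenges so a captured response cannot be replayed, binding the response to the claimed device identity, and a constant-time comparison.

```python
"""
Challenge-response proof of device identity with a device-held secret.

Added illustration (not the article's or TCG's code). HMAC-SHA256 from the
standard library stands in for the asymmetric signing a real trusted-platform
chip would do; the structure of the exchange is the same.
"""
import hashlib
import hmac
import secrets


class DeviceChip:
    """Models the chip: the secret is written once and used only to sign."""

    def __init__(self, device_id: str, secret: bytes):
        self.device_id = device_id
        self._secret = secret  # never exported by the chip

    def respond(self, challenge: bytes) -> bytes:
        # Bind the proof to both the challenge and the claimed identity so a
        # response produced for one device cannot be presented as another's.
        msg = self.device_id.encode() + b"|" + challenge
        return hmac.new(self._secret, msg, hashlib.sha256).digest()


class Verifier:
    """Holds enrolment records and tracks which challenges are still valid."""

    def __init__(self) -> None:
        self._enrolled: dict[str, bytes] = {}
        self._outstanding: set[bytes] = set()

    def enroll(self, device_id: str, secret: bytes) -> None:
        self._enrolled[device_id] = secret

    def challenge(self) -> bytes:
        # 256 bits of fresh randomness per attempt; each value is single-use.
        c = secrets.token_bytes(32)
        self._outstanding.add(c)
        return c

    def verify(self, device_id: str, challenge: bytes, response: bytes) -> bool:
        # Reject anything that is not an outstanding challenge: this defeats
        # replay of a previously observed (challenge, response) pair.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        secret = self._enrolled.get(device_id)
        if secret is None:
            return False  # unknown device: nothing to check against
        expected = hmac.new(secret, device_id.encode() + b"|" + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo() -> dict:
    """Run the exchange for a genuine device and three failure modes."""
    verifier = Verifier()
    real_secret = secrets.token_bytes(32)          # constructed enrolment secret
    verifier.enroll("charles-laptop", real_secret)

    genuine = DeviceChip("charles-laptop", real_secret)
    imposter = DeviceChip("charles-laptop", secrets.token_bytes(32))  # wrong secret

    c1 = verifier.challenge()
    r1 = genuine.respond(c1)
    genuine_ok = verifier.verify("charles-laptop", c1, r1)

    replay_ok = verifier.verify("charles-laptop", c1, r1)   # same pair again

    c2 = verifier.challenge()
    imposter_ok = verifier.verify("charles-laptop", c2, imposter.respond(c2))

    c3 = verifier.challenge()
    unknown_ok = verifier.verify("unenrolled-box", c3, genuine.respond(c3))

    return {"genuine": genuine_ok, "replay": replay_ok,
            "wrong_secret": imposter_ok, "unknown_device": unknown_ok}


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14s} -> {'accepted' if result else 'rejected'}")
```

The design choice worth noting is that the verifier decides trust from what the device can prove about a value it has never seen before, not from anything the device merely claims; that is what makes the model an allowlist of known parties rather than a blocklist of known bad ones.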
Tools such as these, however, lead to a different security metaphor, in which the model begins to look less like a brick wall surrounding a city, and more like oil and water on a sheet of glass, where the oil drops represent untrusted connections. When water drops touch, they instantly merge, each drop intrinsically containing the properties necessary to have it combine seamlessly with other trusted resources. Oil drops, meanwhile, can't make the connection, leaving them on the outside looking in. The model also makes sense when you consider internal threats: The technology that allows for secure outside access could do the same for internal employees.

Back to Tech

Meanwhile, Palmer says, other technologies will enhance security on a more granular level. One possibility includes having applications come complete with descriptions about what normal behavior looks like, allowing monitoring systems to easily identify potential attacks.
This approach to perimeter security will become critical as Web services get more pervasive. John Dias, senior security analyst at the Department of Energy's Computer Incident Advisory Capability, says Web services has the potential to allow very complex applications to inhabit systems simply by coming through Port 80. That means more risk—risk that Dias would like to see mitigated by tools that check the validity of Web services applications at the perimeter.
Dias is part of the Organization for the Advancement of Structured Information Standards' working group developing the Application Vulnerability Development Language (AVDL), which would allow applications to tell AVDL-compatible firewalls what kinds of behavior to allow—and what to stop in its tracks. "That approach is going to be more effective for what's going on today," he says.
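The idea running through the last three paragraphs, an application shipping a description of its own normal behavior so that a perimeter device can allow exactly that and stop everything else, is a positive security model. The following is an added example, not code from the article, from OASIS or from any AVDL implementation; the profile format is invented for the illustration and does not reproduce AVDL's schema. It declares which routes exist, which methods each accepts, what each parameter may look like and how large a body may be, then runs a handful of constructed requests through the filter to show that anything the profile does not describe is denied with a reason.

```python
"""
Positive-security-model request filter driven by an application-declared
behaviour profile. Added illustration; the profile format is invented here.
"""
import re
from dataclasses import dataclass


@dataclass
class Route:
    methods: set            # HTTP methods the application declares for this path
    params: dict            # parameter name -> compiled regex the value must match
    max_body: int = 0       # largest request body the application expects


# Constructed profile for a small ordering application. In the model the
# article describes, the application itself would publish this.
PROFILE = {
    re.compile(r"^/orders/\d{1,9}$"): Route(methods={"GET"}, params={}),
    re.compile(r"^/orders$"): Route(
        methods={"POST"},
        params={"sku": re.compile(r"^[A-Z0-9-]{3,20}$"),
                "qty": re.compile(r"^[1-9]\d{0,2}$")},
        max_body=512,
    ),
    re.compile(r"^/search$"): Route(
        methods={"GET"},
        params={"q": re.compile(r"^[\w ]{1,64}$")},
    ),
}


def check(method: str, path: str, params: dict, body_len: int = 0):
    """Return (allowed, reason). Only behaviour present in PROFILE is allowed."""
    for pattern, route in PROFILE.items():
        if pattern.match(path):
            break
    else:
        return False, "path not declared"
    if method not in route.methods:
        return False, f"method {method} not declared for path"
    if body_len > route.max_body:
        return False, "body exceeds declared maximum"
    for name, value in params.items():
        rule = route.params.get(name)
        if rule is None:
            return False, f"parameter {name} not declared"
        if not rule.fullmatch(value):
            return False, f"parameter {name} fails declared format"
    return True, "matches declared behaviour"


# Constructed traffic: two requests the application described, four it did not.
SAMPLE_REQUESTS = [
    ("GET", "/orders/1234", {}, 0),
    ("POST", "/orders", {"sku": "AB-123", "qty": "2"}, 40),
    ("GET", "/search", {"q": "x" * 100}, 0),                     # value too long
    ("DELETE", "/orders/1", {}, 0),                               # undeclared method
    ("GET", "/admin", {}, 0),                                     # undeclared path
    ("POST", "/orders", {"sku": "AB-1", "qty": "1", "debug": "1"}, 30),  # extra param
]


def evaluate(requests):
    """Run every request through the filter; returns a list of (allowed, reason)."""
    return [check(m, p, q, n) for m, p, q, n in requests]


if __name__ == "__main__":
    for (m, p, _, _), (ok, why) in zip(SAMPLE_REQUESTS, evaluate(SAMPLE_REQUESTS)):
        print(f"{'ALLOW' if ok else 'DENY ':5s} {m:6s} {p:14s} {why}")
```

The contrast with a signature-based filter is that nothing here needs to know what an attack looks like: a request for an undeclared path or with an undeclared parameter is denied whether or not anyone has seen it before, which is the property Dias wants at the perimeter as Port 80 carries ever more complex applications.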
Mike Rider, professor of electrical and computer engineering and computer science at Carnegie Mellon University, envisions a time when security looks less like a wall of bricks and more like a wall of organic cells, full of diversity and redundancy, and naturally designed to fight off attackers. A similar concept underlies the (controversial) paper recently advanced by security luminaries such as Dan Geer and Bruce Schneier.
"How do biological systems survive? With lots of cells, all diverse," says Rider. "They don't all share common vulnerabilities. [You could] apply these techniques within computer systems." Rider says Carnegie Mellon is doing research on systems that redundantly check each other for the results of possible attacks, similar to what happens in modern fault-tolerant computing.
Diversity, however, gets more complicated. Instead of shipping millions of copies of identical applications, software providers could make minor, random changes in each, modifying their profile (but not their function) just enough that exploits would affect only a small percentage of the total.
It's an intriguing idea, but one that Rider confesses needs more investigation. Patching, for instance, becomes a much more complicated issue if every executable on the planet is slightly different.

Reality Check, Please

All these technologies and ideas sound intriguing in theory, of course, but James Christiansen, CISO at credit and financial service provider Experian, says it is critical that researchers and vendors not miss the point. Such esoteric solutions may solve only 1 percent of the problem, when the real issues aren't disguising application signatures but instead are when a contractor downloads data to a laptop, only to have the whole thing stolen (as happened to Wells Fargo).