In Depth

The World Is Your Perimeter

The castle-and-moat era of information security is over: Now it's described as woven cloth, submarines, onions and Snickers bars. How will CISOs translate nutty metaphors into secure worldwide systems?

By Christopher Lindquist

Page 2

Those threads can become a management nightmare, however. With new technologies coming online every day, keeping security policies in line with technical reality can resemble swatting bees—while sitting in the middle of a swarm. Dial-in networks with highly secure dial-back boxes have been replaced by broadband connections all running through Port 80—a port necessarily left open on most firewalls. Coaxial cable connections have made way for wireless. And hackers refine their tools every day.

Tracking these developments is a must, yet it carries a subtle downside: It can so distract CISOs that they fail to develop an overarching, active approach to security that can cover all contingencies. Even security mandates such as the Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley, which provide guidelines for a corporate security model, can contribute to the problem. CISOs can get bogged down in compliance with the regulation of the day rather than keeping an eye on the big picture.

"It is tempting to look at the strategic models [such as HIPAA] as recipes for security success when they are really best used either as a checklist to ensure that a company's strategic security plan isn't missing important elements, or as a benchmark for strategies and policies," says Amy Ray, trustee professor of computer information systems at Bentley College.

"The key is to get out of a reactionary security position [where you] focus on patching existing systems only, without looking at security as a competitive weapon, and into a proactive security position where security investments are prioritized based on a strategic understanding of the architecture and use of information systems," says Ray. But, she confesses, "such a change in thinking isn't easy, especially for companies facing compliance issues."

Making that strategic shift may not require a complete reorganization of existing security management and infrastructure, however. Instead, adding a few key pieces could make all the difference. "The traditional paradigm for information systems security has been centralized and hierarchical and based on control—as it should be," says Baskerville. "You have to be able to control these systems. But that paradigm is increasingly out of sync with decentralized information resources, many of which the organization has limited ownership or control over."

Given that situation, he suggests, information security organizations must consider creating two groups of security professionals: one that deals with traditional, centralized information resources, and another, a security skunk works that lives on the borders of the organization, where creativity and innovation are valued more than rigid structure. (See Sniffing Out a Skunk Works.)

Metaphors R Us

Another part of the shift promoted by several experts involves a complete change in how security organizations view their efforts. "You cannot protect every house in the nation, so you create a border to the country," says Elad Baron, CEO at security provider Whale Communications. "The problem [with information security] is that you need lots of access, not just minimal access through those borders. There is still a perimeter, but you need to switch the paradigm from preventing everything to allowing secure access from anywhere."
